Cryptography Reference
In-Depth Information
successful attacks against the hash functions are known. On the other hand, due to
its more limited deployment, there has been less scrutiny by the research community
with respect to RIPEMD-160.
It is important to point out that in addition to the MD4 family, numerous other al-
gorithms have been proposed over the years including, for instance, Whirlpool [12],
which is related to AES. Most of them did not gain widespread adoption, however.
Entirely different from the MD4 family are hash functions which are based on al-
gebraic structures such as MASH-1 and MASH-2 [96]. Many of these algorithms
were found to be insecure.
SHA-3
Due to the serious attacks against SHA-1, NIST held two public workshops
to assess the status of SHA and to solicit public input on its cryptographic hash
function policy and standard. As a consequence, NIST decided to develop additional
hash functions, to be named SHA-3, through a public competition. This approach
is quite similar to the selection process of AES. In the fall of 2008, 64 algorithms
had been submitted to NIST. At the time of writing, 33 of those hash functions are
still in the competition. The final decision is expected in 2012. In the meantime the
SHA-2 algorithm, against which no attacks are known to date, appears to be the
safest choice when selecting a hash function.
Hash Functions from Block Ciphers
The four block cipher based hash functions
introduced in the chapter are all provable secure. This means, the best possible
preimage and second preimage attacks have a complexity of 2
b
, where
b
is the mes-
sage digest length, and the best possible collision attack requires 2
b
/
2
steps. The
security proof only holds if the block cipher is being treated as a black box, i.e,
no (possible) specific weaknesses of the cipher are being exploited. In addition to
the four methods of building hash functions from block ciphers introduced in this
chapter, there are several other constructions [136]. In Problem 11.3, 12 variants are
treated in more detail.
The Hirose construction is relatively new [92]. It can also be realized with AES
with a 192-bit key and message blocks
x
i
of length 64 bit. However, the efficiency is
roughly half of that of the construction presented in this chapter (AES256 with 128-
bit message blocks). There are also various other methods to build hash functions
with twice the output size of the block ciphers used. A prominent one is MDC-
2, which was originally designed for DES but works with any block cipher [137].
MDC-2 is standardized in ISO/IEC 10118-2.
11.6 Lessons Learned
Hash functions are keyless. The two most important applications of hash func-
tions are their use in digital signatures and in message authentication codes such
as HMAC.
The three security requirements for hash functions are one-wayness, second
preimage resistance and collision resistance.
