On randomizing hash functions to strengthen the security of digital signatures

Praveen Gauravaram; Lars Ramkilde Knudsen

On randomizing hash functions to strengthen the security of digital signatures

Praveen Gauravaram
, Lars Ramkilde Knudsen

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean's method of finding expandable messages for finding a second preimage in the Merkle-Damg{\aa}rd hash function to existentially forge a signature scheme based on a $t$-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in $2^{t/2}$ chosen messages plus $2^{t/2+1}$ off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.

Original language	English
Title of host publication	Proceedings of Eurocrypt-2009
Editors	Antoine Joux
Number of pages	609
Volume	5479
Place of Publication	Berlin Heidelberg New York
Publisher	Springer
Publication date	2009
Pages	88-105
ISBN (Print)	978-3-642-01000-2
Publication status	Published - 2009
Event	Advances in Cryptology - EUROCRYPT 2009: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques - Cologne, Germany Duration: 26 Apr 2009 → 30 Apr 2009 Conference number: 28

Conference

Conference	Advances in Cryptology - EUROCRYPT 2009
Number	28
Country/Territory	Germany
City	Cologne
Period	26/04/2009 → 30/04/2009

Series	Lecture Notes in Computer Science
Number	5479
ISSN	0302-9743

Bibliographical note

One of the (out of three) candidate papers for the best paper award.

Keywords

Davies-Meyer
Hash functions
Randomized Hashing
Digital signatures

Access to Document

http://www.springer.com/computer/security+and+cryptology/book/978-3-642-01000-2

OpenUrl availability

Full text

Cite this

@inproceedings{7bc659ceeae24458be2320a9e39bb112,

title = "On randomizing hash functions to strengthen the security of digital signatures",

abstract = "Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean's method of finding expandable messages for finding a second preimage in the Merkle-Damg\{\textbackslash{}aa\}rd hash function to existentially forge a signature scheme based on a \$t\$-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in \$2\textasciicircum{}\{t/2\}\$ chosen messages plus \$2\textasciicircum{}\{t/2+1\}\$ off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.",

keywords = "Davies-Meyer, Hash functions, Randomized Hashing, Digital signatures",

author = "Praveen Gauravaram and Knudsen, \{Lars Ramkilde\}",

note = "One of the (out of three) candidate papers for the best paper award.; Advances in Cryptology - EUROCRYPT 2009 : 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques ; Conference date: 26-04-2009 Through 30-04-2009",

year = "2009",

language = "English",

isbn = "978-3-642-01000-2",

volume = "5479",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

number = "5479",

pages = "88--105",

editor = "Antoine Joux",

booktitle = "Proceedings of Eurocrypt-2009",

}

Gauravaram, P & Knudsen, LR 2009, On randomizing hash functions to strengthen the security of digital signatures. in A Joux (ed.), Proceedings of Eurocrypt-2009. vol. 5479, Springer, Berlin Heidelberg New York, Lecture Notes in Computer Science, no. 5479, pp. 88-105, Advances in Cryptology - EUROCRYPT 2009, Cologne, North Rhine-Westphalia, Germany, 26/04/2009. <http://www.springer.com/computer/security+and+cryptology/book/978-3-642-01000-2>

On randomizing hash functions to strengthen the security of digital signatures. / Gauravaram, Praveen; Knudsen, Lars Ramkilde.
Proceedings of Eurocrypt-2009. ed. / Antoine Joux. Vol. 5479 Berlin Heidelberg New York: Springer, 2009. p. 88-105 (Lecture Notes in Computer Science; No. 5479).

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - On randomizing hash functions to strengthen the security of digital signatures

AU - Gauravaram, Praveen

AU - Knudsen, Lars Ramkilde

N1 - Conference code: 28

PY - 2009

Y1 - 2009

N2 - Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean's method of finding expandable messages for finding a second preimage in the Merkle-Damg{\aa}rd hash function to existentially forge a signature scheme based on a $t$-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in $2^{t/2}$ chosen messages plus $2^{t/2+1}$ off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.

AB - Halevi and Krawczyk proposed a message randomization algorithm called RMX as a front-end tool to the hash-then-sign digital signature schemes such as DSS and RSA in order to free their reliance on the collision resistance property of the hash functions. They have shown that to forge a RMX-hash-then-sign signature scheme, one has to solve a cryptanalytical task which is related to finding second preimages for the hash function. In this article, we will show how to use Dean's method of finding expandable messages for finding a second preimage in the Merkle-Damg{\aa}rd hash function to existentially forge a signature scheme based on a $t$-bit RMX-hash function which uses the Davies-Meyer compression functions (e.g., MD4, MD5, SHA family) in $2^{t/2}$ chosen messages plus $2^{t/2+1}$ off-line operations of the compression function and similar amount of memory. This forgery attack also works on the signature schemes that use Davies-Meyer schemes and a variant of RMX published by NIST in its Draft Special Publication (SP) 800-106. We discuss some important applications of our attack.

KW - Davies-Meyer

KW - Hash functions

KW - Randomized Hashing

KW - Digital signatures

M3 - Article in proceedings

SN - 978-3-642-01000-2

VL - 5479

T3 - Lecture Notes in Computer Science

SP - 88

EP - 105

BT - Proceedings of Eurocrypt-2009

A2 - Joux, Antoine

PB - Springer

CY - Berlin Heidelberg New York

T2 - Advances in Cryptology - EUROCRYPT 2009

Y2 - 26 April 2009 through 30 April 2009

ER -

On randomizing hash functions to strengthen the security of digital signatures

Abstract

Conference

Bibliographical note

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this