The Design Principle of Hash Function with Merkle-DamgºardConstruction Duo Lei1, Feng Guozhu2, Li Chao1, Feng Keqin2, and Longjiang Qu1 1 Department of Science, National University of Defense Technology, Changsha, China [email protected] 2 Department of Math, Tsinghua University, Beijing, China Abstract. The paper discusses the security of compression function and hash function with Merkle-Damgºardconstruction and provides the com- plexity bound of ¯nding a collision and primage of hash function based on the condition probability of compression function y = F (x; k). we make a conclusion that in Merkle-Dammaºardconstruction, the require- ment of free start collision resistant and free start collision resistant on compression function is not necessary and it is enough if the compres- sion function with properties of ¯x start collision resistant and ¯x start preimage resistant. However, the condition probability PY jX=x(y) and PY jK=k(y) of compression function y = F (x; k) have much influence on the security of the hash function. The best design of compression func- tion should have properties of that y is uniformly distributed for all x and k. KeyWord: Hash Function, Block Cipher, Merkle-DamgºardConstruction 1 Introduction Most of hash functions are iterated hash function and most of compression func- tion are iterated by Merkle-Damgºardstructure with constant IV[3]. Since the MD5 and SHA1 are attacked by [8][14][16], more and more attentions have been paid on hash function, the discussion about hash function mainly include secu- rity of compression function, attacking methods on hash function and security of iterated structure. · n n n Let the compression function F : f0; 1g £ f0; 1g ! f0; 1g , xh 2 f0; 1g , · n xm 2 f0; 1g , y 2 f0; 1g , where y = F (xm; xh), in hash iteration xh is chain- ing value. The compression function of iterated hash function has four way to build[3]: based on block cipher, based on Modular Arithmetic, based on knapsack problem and dedicate hash function. No matter what way be used to design a compression function, the basic requirement on compression func- tion is not invertible, or else we can build a collision on compression function, 2 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu since the one way permutation is di±cult to build, the condition probability 1 of all known compression function has properties of max PY jX =x (y) > n y h h 2 1 and max PY jX =x (y) > · . In this paper, we get conclusion of that if the y m m 2 compression function is collision resistant and preimage resistant for ¯x start xh, then the hash function is secure, the requirement of free start collision re- sistant and free start preimage resistant are not required. But the condition probability PY jXh=xh (y) and PY jXm=xm (y) are the most important character which we have to consider in design of hash function and the best value are 1 1 max PY jX =x (y) = n and max PY jX =x (y) = · . y h h 2 y m m 2 The attacking methods on hash function are aimed at ¯nding collision, m 6= m0 getting H(m) = H(m0), if we can ¯nd the collision then we can build forgery to replace the original message. If for any given hi¡1; hi we can ¯nd preimage mi satisfying hi = F (hi¡1; mi) then we can build a collision in following way, 0 0 0 00 selecting an mi randomly, compute hi = F (hi¡1; mi), ¯nd mi+1 and satisfy 0 00 hi = F (hi; mi+1), which implies ¯nding collision of two message mik ::: km1 00 0 and mi+1kmikmi¡1k ::: km1. Finding a second preimage also means ¯nding a collision, so hash function should be immune to collision attack, preimage attack and second preimage attack. The original discussion about immune to attacks on hash function are de¯ned as 'hard' to ¯nd the attacks, but the 'hard' is hard to evaluate the security of the hash function, for if n is very small then no 'hard' way to ¯nding the collision no matter how nice the compression function be de- signed and when n is very large a failure design of hash also means hard to ¯nd the collision. The paper make a de¯nition of that if the best way of ¯nding the preimage and collision are exhaustive search, then it is immune against those attack. And also the complexity bounds are given based on condition probabil- ity of compression function PY jXh=xh (y) and PY jXm=xm (y). Our complexity is de¯ned as the times needed for computing the compression function. The most famous iterated structure is M-D structure, which is not immune to extend attack, ¯x point attack and multi-collision attack, moreover, some slight weakness in compression (like some special plaintexts can make collision) may result in failure of hash function, so some revised structures have been given, include wide-pipe hash and double-pipe hash. Commonly, the security of structure was discussed on condition of compression function be random or- acle model, in this paper the security of those structures are given based on discussion about condition probability PZjX=x(z) and PZjM=m(z) of hash func- tion H, where H : f0; 1g·¢¤ £ f0; 1gn ! f0; 1gn, x 2 f0; 1gn, m 2 f0; 1g·¢¤, z 2 f0; 1gn, and z = H(m; x). We ¯nd if the compression function is designed 1 with max PY jX =x (y) > n , then maxz PZjM=m(z) may increased dramatically, y h h 2 1 but in random oracle model max PY jX =x (y) = n , so reanalysis the structure y h h 2 of wide-pipe hash and double-pipe hash, and give some new hash structure which can vanish the increase of maxz PZjM=m(z). The padding is adding zero to end of message, so we assume the message length is multiple of block length. The Design Principle of Hash Function with Merkle-DamgºardConstruction 3 2 De¯nition A discrete random variable X is a mapping from the sample space ­ to an alphabed X . X assigns a value x 2 X to each elementary event in the ­ and the probability distribution of X is the function[5] X PX : X ! < : x 7! PX (x) = P [X = x] = P [!]: !2­:X(!)=x If the conditioning event involves another random variable Y de¯ned on the same sample space, the conditional probability distribution of X given that Y takes on a value y is: PXY (x; y) PXjY =y(x) = PY (y) whenever PY (y) is positive . Two random variables X and Y are called indepen- dent if for all x 2 X and y 2 Y: PXY (x; y) = PX (x) ¢ PY (y): De¯nition 1 (Perfect Secrecy[6]). A cryptosystem has perfect secrecy if PXjY =y(x) = PX (x) for all x 2 f0; 1gn; y 2 f0; 1gn. De¯nition 2 (Perfect Key Distribution). A cryptosystem has perfect key distribution if PKjY =y(k) = PK (k) for all x 2 f0; 1gn; y 2 f0; 1gn. In fact, PXY (xy) = PXjY =yPY (y) = PY jXh=xh (y)PX (x), since PXjY =y(x) = PX (x), we get PY jXh=xh (y) = PY (y). De¯nition 3 (Random Oracles[12]). A ¯xed-size random oracle is a func- tion f : f0; 1gn ! f0; 1gn, chosen uniformly at random from the set of all such functions. For interesting sizes a and b, it is infeasible to implement such a func- tion, or to store its truth table. Thus, we assume a public oracle which, given x 2 f0; 1gn, computes y = f(x) 2 f0; 1gn. · n n n Let the compression function F : f0; 1g £ f0; 1g ! f0; 1g , xh 2 f0; 1g , · n xm 2 f0; 1g , y 2 f0; 1g , where y = F (xm; xh), in hash iteration, xh is chaining value. Let H : f0; 1g·¢¤ £ f0; 1gn ! f0; 1gn, x 2 f0; 1gn, m 2 f0; 1g·¢¤, z 2 f0; 1gn, and z = H(m; x). De¯nition 4. Let F : f0; 1g· £ f0; 1gn ! f0; 1gn, H : f0; 1g·¢¤ £ f0; 1gn ! n n F 4 F 4 n f0; 1g , ¤ ½ f0; 1g . Let ­ = f(xm; xh; y)g = f(xm; xh; y)jxh 2 f0; 1g ; xm 2 · n H 4 H 4 f0; 1g ; y 2 f0; 1g ; y = F (xm; xh)g. Let ­ = f(m; x; z)g = f(m; x; z)jx 2 f0; 1gn; m 2 f0; 1g·¢¤; z 2 f0; 1gn; z = H(m; x)g. The σ-algebra F is the subsets of ­, !F 2 ­F . 4 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu The examples of restriction E on ­ are as followings: F 4 F { f(xh0 ; xm; y)g = f(xh0 ; xm; y)j(xh0 ; xm; y) 2 ­ g; F 4 F { f(xh; xm; y)jxh 2 ¤g = f(xh; xm; y)j(xh; xm; y) 2 ­ ; xh 2 ¤g F 4 S F { ff(xh; xm; y)g gxh2¤ = ff(xh; xm; y)g g xh2¤ De¯nition 5 (Finding Preimage). Finding Preimage of F or H is for given F F H H y0 or z0 ¯nding ! 2 f(xm; xh; y0)g or ! 2 f(m; x; z0)g . De¯nition 6 (Finding Collision). Finding Collision of F or H is ¯nding F 0F F H 0H n ! ;! 2 A and A 2 ff(xm; xh; y0)g gy02f0;1g or ¯nding ! ;! 2 A and H n A 2 ff(m; x; z0)g gz02f0;1g .