Salvaging Merkle-Damgård for Practical Applications

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting “structured” hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damgård transform, applied to a “strong enough” compression function. In particular, we show that a fixed-length compressing random oracle, as well as the currently used Davies-Meyer compression function (the latter analyzed in the ideal cipher model) are “strong enough” for the two specific weakenings of the random oracle that we develop. These weaker notions, described below, are quite natural and should be interesting in their own right: • Preimage Aware Functions. Roughly, if an attacker found a “later useful” output y of the function, then it must “already know” the corresponding preimage x. We show that this notion works well with the Merkle-Damgård transform (unlike fixed-length random oracles), and has many applications. Most notably, it yields a variable-length random oracle, when composed with a fixed-length random oracle. Additionally, (compressing) preimage aware functions considerably generalize collision-resistant hash functions. Moreover, we show that existing block-cipherbased hash functions, originally only shown collision-resistant in the ideal cipher model, are in fact preimage aware. • Public-Use Random Oracles. Roughly, these objects are indifferentiable from ordinary random oracles, but only when they are never evaluated on secret inputs. We show that such public-use oracles are enough to argue security of most hash-based signature schemes, including Full Domain Hash and Fiat-Shamir signatures. Moreover, the MerkleDamgård transform preserves this notion. As a result, all “public-use” applications of random oracles are still secure with existing hash functions (assuming a strong enough compression function, such as a fixed-length random oracle or the Davies-Meyer function).