1. Better Than Advertised: Improved Collision-Resistance Guarantees for MD-Based Hash Functions 2017 CCS Hashing
    Mihir Bellare, Joseph Jaeger, and Julia Len

    @inproceedings{10.1145/3133956.3134087,
    author = {Bellare, Mihir and Jaeger, Joseph and Len, Julia},
    title = {Better Than Advertised: Improved Collision-Resistance Guarantees for MD-Based Hash Functions},
    year = {2017},
    isbn = {9781450349468},
    publisher = {Association for Computing Machinery},
    address = {New York, NY, USA},
    url = {https://doi.org/10.1145/3133956.3134087},
    doi = {10.1145/3133956.3134087},
    booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
    pages = {891–906},
    numpages = {16},
    keywords = {hash functions, collision-resistance},
    location = {Dallas, Texas, USA},
    series = {CCS ’17}
    }

The MD transform that underlies the MD and SHA families iterates a compression function h to get a hash function H. The question we ask is, what property X of h guarantees collision resistance (CR) of H? The classical answer is that X itself be CR. We show that weaker conditions X, in particular forms of what we call constrained-CR, suffice. This reduces demands on compression functions, to the benefit of security, and also, forensically, explains why collision-finding attacks on compression functions have not, historically, led to immediate breaks of the corresponding hash functions. We obtain our results via a definitional framework called RS security, and a parameterized treatment of MD, that also serve to unify prior work and variants of the transform.
