New constructions for secure hash functions (Extended abstract)

We present new, efficient and practical schemes for construction of collision-resistant hash functions, and analyze some simple methods for combining existing hash-function designs so as to enhance their security. In our new constructions, we first map the input to a slightly longer string using a primitive we introduce called secure stretch functions. These are length-increasing almost surely injective one-way functions that sufficiently randomize their inputs so that it is hard for an adversary to force the outputs to fall into a target set. Then we apply a compression function to the output of the stretch function. We analyze the security of these constructions under different types of assumptions on both stretch and compression functions. These assumptions combine random-function models, intractability of certain "biasing" tasks, and the degeneracy structure of compression functions. The use of stretching seems to allow reduced requirements on the compression function, and may be of independent interest. These constructions allow one to use popular and efficient primitives such as MD5, SHA-1, and RIPEMD that may exhibit weaknesses as collision-resistant functions. But no attacks are currently known on their one-way and randomizing properties, when they are used as stretch functions as in our constructions. There are several collision-resistant hash functions based on DEs for which there are no known effective attacks, but which are too slow for most practical applications. Our use of stretch functions enable us to base our compression function on DEs so that the resulting hash function achieves practical speeds: a test implementation runs at 40% of the speed of MD5. We also suggest some imperfect random-oracle models, showing how to build better primitives from given imperfect ones. In this vein, we also analyze how to defend against a collision-finding adversary for a given primitive by building "independent" primitives.