Design And Security Analysis On Several Cryptography Hash Functions

Cryptography hash functions are used to map messages of arbitrary length to fixed-length message digests which are also called hash values. Collision resistance, preimage resistance and second-preimage resistance are the three classical requirements for security of keyless hash functions. Hash functions play important roles in modern cryptography and are widely used in data integrity and entity authentication. Hash functions also guarantee securities of cryptographic schemes and protocols, such as digital signature and message authentication code. Cryptography hash functions can be divided into keyless hash functions and key hash functions, the later are also called message authentication code. Most of hash functions are constructed by iterating compression function via Merkle-Damgard construction. We analyze the general attack method and the improved schemes on MD hash functions, and propose a domain extension scheme for MD hash functions and a suffix-free message padding method for MD construction hash functions. We provide MPMAC scheme by improving PMAC mode of operation, and analyze its security. By using the collision resistance of hash function, we propose an authenticated encryption scheme with associated data. The main contributions of this paper are as follows.(1) The research actuality on design and security analysis of hash functions is reviewed. The security requirements, analysis method and applications of cryptographic hash functions are described. The design and security analysis on keyless hash functions is introduced from three types of constructions:constructions based on block ciphers, based on modular arithmetic and dedicated hash functions. Three types of constructions for MAC algorithms are introduced:constructions based on block ciphers, based on hash functions and based on universal hash functions.(2) We have discussed the collision attacks on some dedicated hash functions such as M5, SHA-0and DHA-256. We research the impact of message pre-processing on the resistibility of collision attacks on MD5and propose an improved method for the step function of MD5. We analyze the process of collision attack of SHA-0and find the flaw of message extension of SHA-0. For DHA-256, we correct a9-step local collision mode.(3) Merkle-Damgard construction is widely used to design hash functions. We analyze the general attack method and the corresponding improved schemes on Merkle-Damgard construction hash functions occur recently. Duing to the message extension attack on Merkle-Damgard construction, Coron etal. proposed four constructions that provably satisfy random oracle preserving to improve Merkle-Damgard construction. However, Mihir Bellare etal. prove by an example that they are not collision resistant even if the compression function is collision resistant. So, we modify the construction of prefix-free encoding and give a new domain extension construction. We apply the prefix-free encoding and padding with length strengthening to the Merkle-Damgard construction so that the result hash function is collision-resistance preserving, pseudorandom function preserving and pseudorandom oracle preserving.(4) Hash functions can be used to compress messages of arbitrary length to fixed-length message digests. In order to create a hash function that accepts messages of variable lengths, messages are padded such that the length of padded message is multiple of the length of input message of compress function. We research the padding rules of Merkle-Damgard hash functions and provide a suffix-free length encoding padding rule to the iterated construction hash function to present an efficient new hash transform. It makes sure that every block input to the compression function has at least μ bits of a message which is proposed by Yasuda. We modify the method of padding a bits binary representation of message length so as to save the size of padded bits and as a result the hash function may be faster than usual padding rule owing to the reduction of cost of invocations of the underlying compression function.(5) PMAC is a parallelizable block-cipher mode of operation for message authentication which does not need a random value. According to the forgery attack on PMAC with random message proposed by Lee Changhoon et al. the weakness of mode of operation is found. A modified parallelizable message authentication code (MPMAC) is proposed. The mode to process the last block of message is improved to avoid the forgery attack with random message by using the fact that the block cipher has same output with the same input using one key. We process the last block with different method according to whether or not it need to be padded and avoid the fact that when the length of message is multiple of block length the mode need to call an additional block cipher. Its security is proved with game playing technique by quantifying the advantage of distinguishing message authentication code from the random function in terms of the quality of the block cipher as a pseudo-random permutation.(6) OCB is believed to provide extremely high protection with encryption and message authentication in a most efficient way. However, when OCB mode of operation is used to handle large amount of data, it is easy to find collision so that the mode will lose the authenticity capability with probability one. The adversary can modify ciphertexts and the plaintexts; however the result of xor operation of plaintexts is not changed, so the checksum is the same as before. We modify the checksum by mixing the value of offset and the index of messages. By introducing the random element the exchangeability of messages in checksum is destroyed and the authentication capability is preserved once collision occurs. We propose a scheme of authenticated encryption with associated data (AEAD) by combining a collision resistant hash function with an authenticated encryption scheme. Hash function is used to compress an arbitrary length associated data which need to be authenticated but not to be encrypted to a new fixed length nonce in AEAD scheme. The authenticated encryption scheme is designed by improving OCB mode of operation. Since the collision resistant hash function has no secret key the provided AEAD scheme uses only one key and provides authentication and privacy.