Randomized hashing (was: digest-algo SHA256, SHA-1 attacks)

Peter Lebbing peter at digitalbrains.com
Thu Nov 27 11:28:18 CET 2014

Perhaps I should add that it takes real research and formal proof to show that
this randomized hashing doesn't add attack vectors, and I have been glossing
over that. But that is because at a glance it looks like such research has been
done. That doesn't mean it's a fact that there are no significant attack
vectors, but it does give the scheme credibility.

Here's the abstract of the first paper on [1], by the way:

> We propose randomized hashing as a mode of operation for cryptographic hash
> functions intended for use with standard digital signatures and without
> necessitating of any changes in the internals of the underlying hash function
> (e.g., the SHA family) or in the signature algorithms (e.g., RSA or DSA). The
> goal is to free practical digital signature schemes from their current
> reliance on strong collision resistance by basing the security of these
> schemes on significantly weaker properties of the underlying hash function,
> thus providing a safety net in case the (current or future) hash functions in
> use turn out to be less resilient to collision search than initially
> thought. We design a specific mode of operation that takes into account
> engineering considerations (such as simplicity, efficiency and compatibility
> with existing implementations) as well as an- alytical soundness.
> Specifically, the scheme entails unmodified use of the hash function with 
> randomization applied only to the message before it is input to the hash
> function. We formally show the sufficiency of an assumption significantly
> weaker than collision-resistance for proving the security of the scheme. We
> also contribute to the standardization of a randomized hashing mode by
> providing a full and detailed spec that instantiates our scheme, provides the
> full benefits guaranteed by our results, and is ready for implementation and
> integration with existing applications.


[1] http://webee.technion.ac.il/~hugo/rhash/

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

More information about the Gnupg-users mailing list