
In a 2006 paper Bellare showed that HMAC remains secure even if collision resistance for MD5/SHA-1 is broken, as long as they are still PRFs.

The Wikipedia article on cryptographic hash functions mentions that

In practice, collision resistance is insufficient for many practical uses. In addition to collision resistance, it should be impossible for an adversary to find two messages with substantially similar digests; or to infer any useful information about the data, given only its digest. In particular, it should behave as much as possible like a random function (often called a random oracle in proofs of security) while still being deterministic and efficiently computable.

It seems to me that in practice hash functions are usually considered to be PRFs. Is this valid and are commonly used compression functions all PRFs?

Note: The Bellare paper states

(There are to date no attacks that compromise the pseudorandomness of the compression functions of MD5 or SHA-1.)

Has this changed since then?

An interesting related paper by Kim et al., also from 2006, gives distinguishers for HMAC based on SHA-0 and HAVAL that distinguish it from HMAC with a random function, which at least hints that it might be hard to determine whether a compression function is a PRF.

Elias

1 Answer


(There are to date no attacks that compromise the pseudorandomness of the compression functions of MD5 or SHA-1.)

Has this changed since then?

Not as far as I know.


It seems to me that in practice hash functions are usually considered to be PRFs. Is this valid and are commonly used compression functions all PRFs?

Note that there are two ways to define the PRFness of a hash function. A compression function is a function $f(x_1, x_2)$, where $x_1$ is the state input (either the IV or the previous block output) and $x_2$ is the current data block. You can take either $g_k(x) = f(k, x)$ or $g'_k(x) = f(x, k)$ when you consider whether it is a PRF.

For SHA-1 and SHA-2 $f(x, k)$ is relied on when using the SHACAL ciphers. (Or actually, SHACAL relies on them being pseudorandom permutations, PRP.) However, for HMAC the opposite, $f(k, x)$, matters (as well, see comments).

E.g. since there are no known attacks on full SHACAL-2, you could assume that SHA-256 is a PRF up to around $2^{128}$ calls (birthday bound for distinguishing a PRP from a PRF). However, that would not necessarily apply to the way it is used in HMAC... but there is no known attack on that either.

SHA-3 has more explicit security claims regarding its pseudorandomness, but it does not use a compression function in the normal sense, but a sponge function instead.


TL;DR: the compression function of the currently secure hash functions, like SHA-256, seems likely to be a PRF, though it is not a property that the designers claimed. The compression function of the weak MD5 or SHA-1 might still be a PRF, but I would not rely on it if I did not have to, since their use is deprecated. And if you want something with security claims regarding this, you could look into SHA-3 instead.

otus