Security proofs for the MD6 hash function mode of operation

Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008.Includes bibliographical references (p. 79-82).In recent years there have been a series of serious and alarming cryptanalytic attacks on several commonly-used hash functions, such as MD4, MD5, SHA-0, and SHA1 [13, 38]. These culminated with the celebrated work of Wang, Yin, and Yu from 2005, which demonstrated relatively efficient methods for finding collisions in the SHA-1 hash function [37]. Although there are several cryptographic hash functions - such as the SHA-2 family [28] - that have not yet succumbed to such attacks, the U.S. National Institute of Standards and Technology (NIST) put out a call in 2007 for candidate proposals for a new cryptographic hash function family, to be dubbed SHA-3 [29]. Hash functions are algorithms for converting an arbitrarily large input into a fixed-length message digest. They are typically composed of a compression function or block cipher that operate on fixed-length pieces of the input and a mode of operation that governs how apply the compression function or block cipher repeatedly on these pieces in order to allow for arbitrary-length inputs. Cryptographic hash functions are furthermore required to have several important and stringent security properties including (but not limited to) first-preimage resistance, second-preimage resistance, collision resistance, and for keyed hash functions, pseudorandomness. This work presents proofs of security for the mode of operation of the MD6 cryptographic hash function [32] - a candidate for the SHA-3 competition - which differs greatly from the modes of operation of many commonly-used hash functions today (MD4, MD5, as well as the SHA family of hash functions.) In particular, we demonstrate provably that the mode of operation used in MD6 preserves some cryptographic properties of the compression function - that is, assuming some ideal conditions about the compression function used, the overall MD6 hash function is secure as well.by Christopher Yale Crutchfield.S.M