Boosting Merkle-Damgård hashing for message authentication

Abstract

This paper presents a novel mode of operation of compression functions, intended for dedicated use as a message authentication code (MAC.) The new approach is faster than the well-known Merkle-Damgård iteration; more precisely, it is (1 + c/b)-times as fast as the classical Merkle-Damgård hashing when applied to a compression function h : {0, 1}c+b → {0, 1}c. Our construction provides a single-key MAC with provable security; we show that the proposed scheme yields a PRF(pseudo-random function)-based MAC on the assumption that the underlying compression function h satisfies certain PRF properties. Thus our method offers a way to process data more efficiently than the conventional HMAC without losing formal proofs of security. Our design also takes into account usage with prospective compression functions; that is, those compression functions h with relatively weighty load and relatively large c (i.e., "wide-pipe") greatly benefit from the improved performance by our mode of operation. © International Association for Cryptology Research 2007.