Abstract
Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H:\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.
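The 64 schemes the abstract counts are the compression functions f(h, m) = E_a(b) ⊕ c in which each of the key a, the plaintext b and the feed-forward c is one of h (the chaining value), m (the message block), h ⊕ m, or a fixed constant v; iterating f in the Merkle–Damgård fashion gives the hash H. The example below is added here and is not code from the paper or its authors: it models E as a lazily sampled ideal cipher (each key gets an independent random permutation, filled in as queries arrive, which is exactly the oracle the ideal-cipher model gives the adversary), enumerates all 64 PGV choices, and instantiates three named members of the 12 schemes PGV considered secure (Davies–Meyer, Matyas–Meyer–Oseas, Miyaguchi–Preneel). The block size n = 64, the initial chaining value, the constant v = 0 and all function and constant names are constructed for this illustration.

```python
import itertools
import random
from typing import Dict, Iterator, Tuple

N_BITS = 64                      # toy block/key size; PGV is defined for any n
BLOCK_BYTES = N_BITS // 8
V = 0                            # PGV's fixed constant v (any n-bit value works)
IV = 0x0123456789ABCDEF          # constructed initial chaining value h_0


class IdealCipher:
    """Lazily sampled ideal cipher E: {0,1}^n x {0,1}^n -> {0,1}^n.

    Every key selects an independent, uniformly random permutation. Tables
    are filled only as queries arrive, which mirrors how ideal-cipher-model
    proofs treat E as an oracle answering both E and E^-1 queries. The seed
    only makes the demo repeatable; an adversary in the model has no seed.
    """

    def __init__(self, seed: int = 2010) -> None:
        self._rng = random.Random(seed)
        self._fwd: Dict[int, Dict[int, int]] = {}   # key -> {x: y}
        self._inv: Dict[int, Dict[int, int]] = {}   # key -> {y: x}

    def _tables(self, key: int) -> Tuple[Dict[int, int], Dict[int, int]]:
        return self._fwd.setdefault(key, {}), self._inv.setdefault(key, {})

    def encrypt(self, key: int, x: int) -> int:
        fwd, inv = self._tables(key)
        if x not in fwd:
            y = self._rng.getrandbits(N_BITS)
            while y in inv:          # resample so E(key, .) stays a bijection
                y = self._rng.getrandbits(N_BITS)
            fwd[x], inv[y] = y, x
        return fwd[x]

    def decrypt(self, key: int, y: int) -> int:
        fwd, inv = self._tables(key)
        if y not in inv:
            x = self._rng.getrandbits(N_BITS)
            while x in fwd:
                x = self._rng.getrandbits(N_BITS)
            fwd[x], inv[y] = y, x
        return inv[y]


# A PGV compression function is f(h, m) = E_a(b) ^ c with a, b, c each drawn
# from {h, m, h ^ m, v}; 4 * 4 * 4 = 64 choices give the 64 PGV schemes.
Scheme = Tuple[str, str, str]
OPERANDS = ("h", "m", "hm", "v")

DAVIES_MEYER: Scheme = ("m", "h", "h")          # E_m(h) ^ h
MATYAS_MEYER_OSEAS: Scheme = ("h", "m", "m")    # E_h(m) ^ m
MIYAGUCHI_PRENEEL: Scheme = ("h", "m", "hm")    # E_h(m) ^ m ^ h


def all_pgv_schemes() -> Iterator[Scheme]:
    """Yield all 64 (key, plaintext, feed-forward) operand choices."""
    return itertools.product(OPERANDS, repeat=3)


def pgv_compress(E: IdealCipher, scheme: Scheme, h: int, m: int) -> int:
    a, b, c = scheme
    operand = {"h": h, "m": m, "hm": h ^ m, "v": V}
    return E.encrypt(operand[a], operand[b]) ^ operand[c]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length."""
    bit_len = (8 * len(msg)).to_bytes(BLOCK_BYTES, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_BYTES)
    return padded + bit_len


def pgv_hash(E: IdealCipher, scheme: Scheme, msg: bytes) -> int:
    """Iterate the chosen compression function over the padded message."""
    h = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        m = int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
        h = pgv_compress(E, scheme, h, m)
    return h


if __name__ == "__main__":
    E = IdealCipher()
    for name, s in (("Davies-Meyer", DAVIES_MEYER),
                    ("Matyas-Meyer-Oseas", MATYAS_MEYER_OSEAS),
                    ("Miyaguchi-Preneel", MIYAGUCHI_PRENEEL)):
        print(f"{name:20s} {pgv_hash(E, s, b'abc'):016x}")
```

Because every output of the lazily sampled oracle is fresh randomness, the only thing a run can show is the structure of the constructions (all 64 are one cipher call per block plus an XOR) and that the oracle really is a keyed permutation; the collision and preimage bounds in the abstract are statements about query counts against exactly this oracle, not about any particular output.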
References
M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—Proceedings of EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
M. Bellare, J. Kilian, P. Rogaway, The security of cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
G. Bertoni, J. Daemen, M. Peeters, G. Assche, On the indifferentiability of the sponge construction, in Advances in Cryptology—Proceedings of EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181–197
A. Biryukov, D. Khovratovich, I. Nikolić, Distinguisher and related-key attack on the full AES-256, in Advances in Cryptology—Proceedings of CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 229–247
J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in Fast Software Encryption, 13th International Workshop, FSE 2006. Lecture Notes in Computer Science, vol. 4047 (Springer, Berlin, 2006), pp. 328–340
J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 320–335. Proceedings version of this paper
J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly efficient blockcipher-based hash functions, in Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541
J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions. J. Cryptol. 22(3), 311–329 (2009)
J. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in Advances in Cryptology—CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
I. Damgård, A design principle for hash functions, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 416–427
Y. Dodis, J. Steinberger, Message authentication codes from unpredictable block ciphers, in Advances in Cryptology—Proceedings of CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 267–285
Y. Dodis, T. Ristenpart, T. Shrimpton, Salvaging Merkle–Damgård for practical applications, in Advances in Cryptology—Proceedings of EUROCRYPT 2009. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 371–388
L. Duo, C. Li, Improved collision and preimage resistance bounds on PGV schemes. Technical Report 2006/462, IACR’s ePrint Archive, 2006
S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation, in Advances in Cryptology—ASIACRYPT 1991. Lecture Notes in Computer Science, vol. 739 (Springer, Berlin, 1992), pp. 210–224
E. Fleischmann, M. Gorski, S. Lucks, On the security of tandem-DM, in Fast Software Encryption, 16th International Workshop, FSE 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 84–103
E. Fleischmann, M. Gorski, S. Lucks, Security of cyclic double block length hash functions, in Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 153–175
S. Hirose, Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model, in Selected Areas in Cryptography 2002. Lecture Notes in Computer Science, vol. 2595 (Springer, Berlin, 2003), pp. 339–352
S. Hirose, Provably secure double-block-length hash functions in a black-box model, in Information Security and Cryptology—ICISC 2004. Lecture Notes in Computer Science, vol. 3506 (Springer, Berlin, 2005), pp. 330–342
ISO/IEC 10118-2. Information technology—Security techniques—Hash functions—Hash functions using an n-bit block cipher algorithm. International Organization for Standardization, Geneva, Switzerland, 1994
J. Kilian, P. Rogaway, How to protect DES against exhaustive key search. J. Cryptol. 14(1), 17–35 (2001). Earlier version in CRYPTO 1996
X. Lai, J. Massey, Hash function based on block ciphers, in Advances in Cryptology—Proceedings of EUROCRYPT 1992. Lecture Notes in Computer Science, vol. 658 (Springer, Berlin, 1992), pp. 55–70
J. Lee, J. Steinberger, Multi-property-preserving domain extension using polynomial-based modes of operation, in Advances in Cryptology—Proceedings of EUROCRYPT 2010. Lecture Notes in Computer Science (Springer, Berlin, 2010)
S. Lucks, A collision-resistant rate-1 double-block-length hash function, in Symmetric Cryptography, Dagstuhl Seminar Proceedings, no. 07021, Dagstuhl, Germany, 2007. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany
S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. IBM Tech. Dis. Bull. 27(10a), 5658–5659 (1985)
U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference (TCC ’04). Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 21–39
A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)
R. Merkle, One way hash functions and DES, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446
O. Özen, M. Stam, Another glance at double-length hashing, in Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 176–201
B. Preneel, Analysis and design of hash functions. PhD thesis, Katholieke Universiteit Leuven (Belgium), 1993. Available from Preneel’s homepage
B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: a synthetic approach, in Advances in Cryptology—Proceedings of CRYPTO 1993. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378
M. Rabin, Digitalized signatures, in Foundations of Secure Computation (Academic Press, New York, 1978), pp. 155–168
R. Rivest, The MD4 message digest algorithm, in Advances in Cryptology—Proceedings of CRYPTO 1990. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 1991), pp. 303–311
P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance, in Fast Software Encryption, 11th International Workshop, FSE 2004. Lecture Notes in Computer Science (Springer, Berlin, 2004), pp. 371–388
P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in Advances in Cryptology—Proceedings of CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433–450
P. Rogaway, J. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in Advances in Cryptology—Proceedings of EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220–236
C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in ICALP 2008, Part II, vol. 5126 (Springer, Berlin, 2008), pp. 643–654
D. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—Proceedings of EUROCRYPT 1998, vol. 1403. Lecture Notes in Computer Science (Springer, Berlin, 1998), pp. 334–345
M. Stam, Beyond uniformity: better security/efficiency tradeoffs for compression functions, in Advances in Cryptology—Proceedings of CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 397–412
M. Stam, Block cipher based hashing revisited, in Fast Software Encryption 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 67–83
J. Steinberger, The collision intractability of MDC-2 in the ideal-cipher model, in Advances in Cryptology—Proceedings of EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515 (Springer, Berlin, 2007), pp. 34–51
J. Steinberger, Stam’s collision resistance conjecture, in Advances in Cryptology—Proceedings of EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 597–615
R. Winternitz, A secure one-way hash function built from DES, in Proceedings of the IEEE Symposium on Information Security and Privacy (IEEE Press, New York, 1984), pp. 88–90
Cite this article
Black, J., Rogaway, P., Shrimpton, T. et al. An Analysis of the Blockcipher-Based Hash Functions from PGV. J Cryptol 23, 519–545 (2010). https://doi.org/10.1007/s00145-010-9071-0