Journal of Cryptology, Volume 23, Issue 4, pp 519-545

An Analysis of the Blockcipher-Based Hash Functions from PGV

  • J. Black, Department of Computer Science, University of Colorado
  • P. Rogaway, Department of Computer Science, University of California
  • T. Shrimpton, Department of Computer Science, Portland State University
  • M. Stam, LACAL, School of Computer and Communication Sciences, EPFL


Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H{:\;\:}\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E{:\;\:}\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.

Key words

Blockcipher; Collision-resistant hash function; Cryptographic hash function; Ideal-cipher model; Modes of operation
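The family of 64 schemes mentioned in the abstract can be enumerated in a few lines. The following is an added example, not code from the paper or this page: it assumes the usual PGV parametrization f(h, m) = E_a(b) ⊕ c with a, b, c each drawn from {h, m, h⊕m, v}, and uses a toy 32-bit Feistel cipher as a stand-in for E. All names and constants are hypothetical. It shows why some of the 64 are trivially not collision resistant, next to the Davies-Meyer form.

```python
import hashlib
from itertools import product

def E(key: int, block: int) -> int:
    """Toy 4-round Feistel blockcipher on 32-bit blocks (assumption: a stand-in for E, not a real cipher)."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        digest = hashlib.sha256(b"%d|%d|%d" % (key, rnd, right)).digest()
        left, right = right, left ^ int.from_bytes(digest[:2], "big")
    return (left << 16) | right

# The four values allowed at each position: h, m, w = h XOR m, or a constant v.
SOURCES = {
    "h": lambda h, m, v: h,
    "m": lambda h, m, v: m,
    "w": lambda h, m, v: h ^ m,
    "v": lambda h, m, v: v,
}
# Each scheme is a triple (key, plaintext, feed-forward): 4^3 = 64 in total.
SCHEMES = list(product(SOURCES, repeat=3))

def compress(scheme, h, m, v=0):
    """Compression function f(h, m) = E_a(b) XOR c, with a, b, c selected by `scheme`."""
    a, b, c = (SOURCES[s](h, m, v) for s in scheme)
    return E(a, b) ^ c

def pgv_hash(scheme, blocks, h0=0x12345678):
    """Iterate the compression function over 32-bit blocks (constructed IV, no padding)."""
    h = h0
    for m in blocks:
        h = compress(scheme, h, m)
    return h

DAVIES_MEYER = ("m", "h", "h")   # f = E_m(h) XOR h
XOR_SUM = ("m", "m", "h")        # f = E_m(m) XOR h: the hash is an XOR sum, so block order is lost
NO_MESSAGE = ("h", "h", "h")     # f = E_h(h) XOR h: the message block is never used

def message_blind():
    """Schemes whose compression function never reads the message block."""
    return [s for s in SCHEMES if "m" not in s and "w" not in s]

def swap_collides(scheme, m1=0xDEADBEEF, m2=0x0BADF00D):
    """True if reordering two distinct (constructed) blocks leaves the hash unchanged."""
    return pgv_hash(scheme, [m1, m2]) == pgv_hash(scheme, [m2, m1])
```

The structural collisions here hold for any choice of E, which is why such schemes cannot be rescued by a stronger cipher; separating the remaining schemes requires the ideal-cipher-model analysis the abstract describes.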