[1]

M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2006*. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426

CrossRef[2]

M. Bellare, J. Kilian, P. Rogaway, The security of cipher block chaining message authentication code.

*J. Comput. Syst. Sci.*
**61**(3), 362–399 (2000)

MATHCrossRefMathSciNet[3]

G. Bertoni, J. Daemen, M. Peeters, G. Assche, On the indifferentiability of the sponge construction, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2008*. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181–197

CrossRef[4]

A. Biryukov, D. Khovratovich, I. Nikolić, Distinguisher and related-key attack on the full AES-256, in

*Advances in Cryptology—Proceedings of CRYPTO 2009*. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 229–247

CrossRef[5]

J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in *Fast Software Encryption, 13th International Workshop, FSE 2006*. Lecture Notes in Computer Science, vol. 4047 (Springer, Berlin, 2006), pp. 328–340

[6]

J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in

*Advances in Cryptology—CRYPTO 2002*. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 320–335. Proceedings version of this paper

CrossRef[7]

J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly efficient blockcipher-based hash functions, in

*Advances in Cryptology—EUROCRYPT 2005*. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541

CrossRef[8]

J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions.

*J. Cryptol.*
**22**(3), 311–329 (2009)

MATHCrossRefMathSciNet[9]

J. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in *Advances in Cryptology—CRYPTO 2005*. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430–448

[10]

I. Damgård, A design principle for hash functions, in *Advances in Cryptology—CRYPTO 1989*. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 416–427

[11]

Y. Dodis, J. Steinberger, Message authentication codes from unpredictable block ciphers, in

*Advances in Cryptology—Proceedings of CRYPTO 2009*. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 267–285

CrossRef[12]

Y. Dodis, T. Ristenpart, T. Shrimpton, Salvaging Merkle–Damgård for practical applications, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2009*. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 371–388

CrossRef[13]

L. Duo, C. Li, Improved collision and preimage resistance bounds on PGV schemes. Technical Report 2006/462, IACR’s ePrint Archive, 2006

[14]

S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation, in *Advances in Cryptology—ASIACRYPT 1991*. Lecture Notes in Computer Science, vol. 739 (Springer, Berlin, 1992), pp. 210–224

[15]

E. Fleischmann, M. Gorski, S. Lucks, On the security of tandem-DM, in

*Fast Software Encryption, 16th International Workshop, FSE 2009*. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 84–103

CrossRef[16]

E. Fleischmann, M. Gorski, S. Lucks, Security of cyclic double block length hash functions, in *Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009*. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 153–175

[17]

S. Hirose, Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model, in

*Selected Areas in Cryptography 2002*. Lecture Notes in Computer Science, vol. 2595 (Springer, Berlin, 2003), pp. 339–352

CrossRef[18]

S. Hirose, Provably secure double-block-length hash functions in a black-box model, in

*Information Security and Cryptology—ICISC 2004*. Lecture Notes in Computer Science, vol. 3506 (Springer, Berlin, 2005), pp. 330–342

CrossRef[19]

ISO/IEC 10118-2. Information technology—Security techniques—Hash functions—Hash functions using an *n*-bit block cipher algorithm. International Organization for Standardization, Geneva, Switzerland, 1994

[20]

J. Kilian, P. Rogaway, How to protect DES against exhaustive key search.

*J. Cryptol.*
**14**(1), 17–35 (2001). Earlier version in

*CRYPTO 1996*
MATHCrossRefMathSciNet[21]

X. Lai, J. Massey, Hash function based on block ciphers, in

*Advances in Cryptology—Proceedings of EUROCRYPT 1992*. Lecture Notes in Computer Science, vol. 658 (Springer, Berlin, 1992), pp. 55–70

CrossRef[22]

J. Lee, J. Steinberger, Multi-property-preserving domain extension using polynomial-based modes of operation, in *Advances in Cryptology—Proceedings of EUROCRYPT 2010*. Lecture Notes in Computer Science (Springer, Berlin, 2010)

[23]

S. Lucks, A collision-resistant rate-1 double-block-length hash function, in *Symmetric Cryptography*, *Dagstuhl Seminar Proceedings*, no. 07021, Dagstuhl, Germany, 2007. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany

[24]

S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. *IBM Tech. Dis. Bull.*
**27**(10a), 5658–5659 (1985)

[25]

U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in

*Theory of Cryptography Conference (TCC ’04)*. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 21–39

CrossRef[26]

A. Menezes, P. van Oorschot, S. Vanstone,

*Handbook of Applied Cryptography* (CRC Press, Boca Raton, 1996)

CrossRef[27]

R. Merkle, One way hash functions and DES, in *Advances in Cryptology—CRYPTO 1989*. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446

[28]

O. Özen, M. Stam, Another glance at double-length hashing, in *Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009*. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 176–201

[29]

B. Preneel, Analysis and design of hash functions. PhD thesis, Katholike Universiteit Leuven (Belgium), 1993. Available from Preneel’s homepage

[30]

B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: a synthetic approach, in *Advances in Cryptology—Proceedings of CRYPTO 1993*. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378

[31]

M. Rabin, Digitalized signatures, in *Foundations of Secure Computation* (Academic Press, New York, 1978), pp. 155–168

[32]

R. Rivest, The MD4 message digest algorithm, in *Advances in Cryptology—Proceedings of CRYPTO 1900*. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 1991), pp. 303–311

[33]

P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance, in *Fast Software Encryption, 11th International Workshop, FSE 2004*. Lecture Notes in Computer Science (Springer, Berlin, 2004), pp. 371–388

[34]

P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in

*Advances in Cryptology—Proceedings of CRYPTO 2008*. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433–450

CrossRef[35]

P. Rogaway, J. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2008*. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220–236

CrossRef[36]

C. Shannon, Communication theory of secrecy systems.

*Bell Syst. Tech. J.*
**28**(4), 656–715 (1949)

MATHMathSciNet[37]

T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in *ICALP 2008, Part II*, vol. 5126 (Springer, Berlin, 2008), pp. 643–654

[38]

D. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in

*Advances in Cryptology—Proceedings of EUROCRYPT 1998*, vol. 1403. Lecture Notes in Computer Science (Springer, Berlin, 1998), pp. 334–345

CrossRef[39]

M. Stam, Beyond uniformity: better security/efficiency tradeoffs for compression functions, in

*Advances in Cryptology—Proceedings of CRYPTO 2008*. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 397–412

CrossRef[40]

M. Stam, Block cipher based hashing revisited, in

*Fast Software Encryption 2009*. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 67–83

CrossRef[41]

J. Steinberger, The collision intractability of MDC-2 in the ideal-cipher model, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2007*. Lecture Notes in Computer Science, vol. 4515 (Springer, Berlin, 2007), pp. 34–51

CrossRef[42]

J. Steinberger, Stam’s collision resistance conjecture, in

*Advances in Cryptology—Proceedings of EUROCRYPT 2010*. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 597–615

CrossRef[43]

R. Winternitz, A secure one-way hash function built from DES, in *Proceedings of the IEEE Symposium on Information Security and Privacy* (IEEE Press, New York, 1984), pp. 88–90