An Analysis of the Blockcipher-Based Hash Functions from PGV
J. Black, P. Rogaway, T. Shrimpton, M. Stam
Abstract
Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H\colon \{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E\colon \{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.
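The objects the abstract talks about, written out as an added example (this is illustrative code for this page, not the paper's own code). It models the blockcipher E as an ideal cipher, a lazily sampled random permutation per key with a consistent inverse D, which is exactly the oracle an adversary queries in ideal-cipher-model proofs; it builds any of the 64 PGV compression functions f(h, m) = E_key(inp) XOR out from the four PGV choices h, m, w = h XOR m and constant v; it iterates f in Merkle–Damgård fashion; and it runs a generic birthday attack to show the 2^{n/2} collision cost, next to a two-query collision on the compression function of a scheme of the form E_m(h) XOR v. Assumptions not in the paper: a toy n = 16 so the birthday bound is observable in a few hundred queries (AES would give n = 128), v = 0, IV 0x5A5A, and a simple length-strengthened padding.

```python
"""PGV blockcipher-based hashing in the ideal-cipher model (added example, not the paper's code)."""
import random
from typing import Callable, Optional, Tuple

N_BITS = 16                  # toy block/key size n (assumption; AES would be 128)
MASK = (1 << N_BITS) - 1
CONST_V = 0                  # the fixed constant v of PGV (assumption: v = 0)
Pair = Tuple[int, int]       # an (h, m) input to a compression function


class IdealCipher:
    """Lazily sampled ideal cipher E: {0,1}^n x {0,1}^n -> {0,1}^n with inverse D.
    For each key k, E(k, .) is an independent uniformly random permutation; entries
    are drawn on first use and remembered so E and D stay consistent."""

    def __init__(self, seed: int = 0) -> None:
        self.rng = random.Random(seed)
        self.fwd: dict = {}      # (k, x) -> y
        self.inv: dict = {}      # (k, y) -> x
        self.queries = 0         # every E or D call is one oracle query

    def E(self, k: int, x: int) -> int:
        self.queries += 1
        if (k, x) not in self.fwd:
            y = self.rng.getrandbits(N_BITS)
            while (k, y) in self.inv:        # reject used outputs: E(k, .) is a permutation
                y = self.rng.getrandbits(N_BITS)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.fwd[(k, x)]

    def D(self, k: int, y: int) -> int:
        self.queries += 1
        if (k, y) not in self.inv:
            x = self.rng.getrandbits(N_BITS)
            while (k, x) in self.fwd:        # reject used inputs: D(k, .) inverts E(k, .)
                x = self.rng.getrandbits(N_BITS)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.inv[(k, y)]


# The 64 PGV schemes: f(h, m) = E_key(inp) XOR out, each slot drawn from
# 'h' (chaining value), 'm' (message block), 'w' (h XOR m), 'v' (constant).
ALL_64_SCHEMES = [(k, x, y) for k in 'hmwv' for x in 'hmwv' for y in 'hmwv']
# Three classic schemes, all among the 12 that PGV (and this paper) call secure:
DAVIES_MEYER = ('m', 'h', 'h')          # E_m(h) XOR h
MATYAS_MEYER_OSEAS = ('h', 'm', 'm')    # E_h(m) XOR m
MIYAGUCHI_PRENEEL = ('h', 'm', 'w')     # E_h(m) XOR m XOR h


def pgv_compress(cipher: IdealCipher, key: str, inp: str, out: str) -> Callable[[int, int], int]:
    """Return the PGV compression function f(h, m) = E_key(inp) XOR out over `cipher`."""
    def pick(which: str, h: int, m: int) -> int:
        return {'h': h, 'm': m, 'w': h ^ m, 'v': CONST_V}[which]

    def f(h: int, m: int) -> int:
        return cipher.E(pick(key, h, m), pick(inp, h, m)) ^ pick(out, h, m)
    return f


def md_hash(f: Callable[[int, int], int], msg: bytes, iv: int = 0x5A5A) -> int:
    """Merkle-Damgard iteration of f with length strengthening (toy padding, assumed)."""
    blk = N_BITS // 8
    padded = msg + b'\x80'
    padded += b'\x00' * (-len(padded) % blk)
    padded += ((8 * len(msg)) & MASK).to_bytes(blk, 'big')   # final block: bit length
    h = iv
    for i in range(0, len(padded), blk):
        h = f(h, int.from_bytes(padded[i:i + blk], 'big'))
    return h


def birthday_collision(f: Callable[[int, int], int], seed: int = 0,
                       max_tries: int = 1 << N_BITS) -> Optional[Tuple[Pair, Pair]]:
    """Generic birthday attack on f: random (h, m) inputs until two outputs agree.
    Expected cost is about sqrt(pi/2 * 2^n) queries, i.e. Theta(2^(n/2)), the bound
    the paper proves tight for its 20 collision-resistant schemes."""
    rng = random.Random(seed)
    seen: dict = {}
    for _ in range(max_tries):
        hm = (rng.getrandbits(N_BITS), rng.getrandbits(N_BITS))
        y = f(*hm)
        if y in seen and seen[y] != hm:
            return seen[y], hm
        seen[y] = hm
    return None


def two_query_collision(cipher: IdealCipher, h: int, m: int, m2: int) -> Tuple[Pair, Pair]:
    """Two-query collision on the compression function f(h, m) = E_m(h) XOR v:
    E_m is a permutation, so invert E_m(h) under a different key m2 != m.
    Note this collides f, not the iterated hash: the second chaining value is not
    one an honest prefix reaches, which is why the paper analyses some schemes
    outside the plain Merkle-Damgard argument."""
    y = cipher.E(m, h)
    return (h, m), (cipher.D(m2, y), m2)


if __name__ == '__main__':
    c = IdealCipher(seed=1)
    dm = pgv_compress(c, *DAVIES_MEYER)
    print('DM-hash(abc) =', hex(md_hash(dm, b'abc')))
    start = c.queries
    print('birthday collision', birthday_collision(dm, seed=7),
          'after', c.queries - start, 'queries; 2^(n/2) =', 1 << (N_BITS // 2))
    weak = pgv_compress(c, 'm', 'h', 'v')
    a, b = two_query_collision(c, 0x1234, 0x0001, 0x0002)
    print('E_m(h)^v compression collision:', a, b, weak(*a) == weak(*b))
```

Running the script prints a Davies–Meyer collision found after a few hundred oracle queries (2^{n/2} = 256 here) and a two-query collision for the E_m(h) XOR v compression function. Swapping `DAVIES_MEYER` for any other triple in `ALL_64_SCHEMES` lets you probe the others; the point to keep in mind is that a compression-function collision is not a hash collision, since the chaining value in the second pair is not reachable from the IV.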
References
M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
M. Bellare, J. Kilian, P. Rogaway, The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181–197
A. Biryukov, D. Khovratovich, I. Nikolić, Distinguisher and related-key attack on the full AES-256, in Advances in Cryptology—CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 229–247
J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in Fast Software Encryption, 13th International Workshop, FSE 2006. Lecture Notes in Computer Science, vol. 4047 (Springer, Berlin, 2006), pp. 328–340
J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 320–335. Proceedings version of this paper
J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly efficient blockcipher-based hash functions, in Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541
J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions. J. Cryptol. 22(3), 311–329 (2009)
J. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in Advances in Cryptology—CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
I. Damgård, A design principle for hash functions, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 416–427
Y. Dodis, J. Steinberger, Message authentication codes from unpredictable block ciphers, in Advances in Cryptology—CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 267–285
Y. Dodis, T. Ristenpart, T. Shrimpton, Salvaging Merkle–Damgård for practical applications, in Advances in Cryptology—EUROCRYPT 2009. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 371–388
L. Duo, C. Li, Improved collision and preimage resistance bounds on PGV schemes. Technical Report 2006/462, IACR ePrint Archive, 2006
S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation, in Advances in Cryptology—ASIACRYPT 1991. Lecture Notes in Computer Science, vol. 739 (Springer, Berlin, 1992), pp. 210–224
E. Fleischmann, M. Gorski, S. Lucks, On the security of Tandem-DM, in Fast Software Encryption, 16th International Workshop, FSE 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 84–103
E. Fleischmann, M. Gorski, S. Lucks, Security of cyclic double block length hash functions, in Cryptography and Coding, 12th IMA International Conference, 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 153–175
S. Hirose, Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model, in Selected Areas in Cryptography, SAC 2002. Lecture Notes in Computer Science, vol. 2595 (Springer, Berlin, 2003), pp. 339–352
S. Hirose, Provably secure double-block-length hash functions in a black-box model, in Information Security and Cryptology—ICISC 2004. Lecture Notes in Computer Science, vol. 3506 (Springer, Berlin, 2005), pp. 330–342
ISO/IEC 10118-2, Information technology—Security techniques—Hash functions—Hash functions using an n-bit block cipher algorithm. International Organization for Standardization, Geneva, Switzerland, 1994
J. Kilian, P. Rogaway, How to protect DES against exhaustive key search. J. Cryptol. 14(1), 17–35 (2001). Earlier version in CRYPTO 1996
X. Lai, J. Massey, Hash functions based on block ciphers, in Advances in Cryptology—EUROCRYPT 1992. Lecture Notes in Computer Science, vol. 658 (Springer, Berlin, 1992), pp. 55–70
J. Lee, J. Steinberger, Multi-property-preserving domain extension using polynomial-based modes of operation, in Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010)
S. Lucks, A collision-resistant rate-1 double-block-length hash function, in Symmetric Cryptography, Dagstuhl Seminar Proceedings, no. 07021, Dagstuhl, Germany, 2007. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany
S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. IBM Tech. Discl. Bull. 27(10a), 5658–5659 (1985)
U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference, TCC 2004. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 21–39
A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)
R. Merkle, One way hash functions and DES, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446
O. Özen, M. Stam, Another glance at double-length hashing, in Cryptography and Coding, 12th IMA International Conference, 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 176–201
B. Preneel, Analysis and design of cryptographic hash functions. PhD thesis, Katholieke Universiteit Leuven (Belgium), 1993. Available from Preneel's homepage
B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: a synthetic approach, in Advances in Cryptology—CRYPTO 1993. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378
M. Rabin, Digitalized signatures, in Foundations of Secure Computation (Academic Press, New York, 1978), pp. 155–168
R. Rivest, The MD4 message digest algorithm, in Advances in Cryptology—CRYPTO 1990. Lecture Notes in Computer Science, vol. 537 (Springer, Berlin, 1991), pp. 303–311
P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance, in Fast Software Encryption, 11th International Workshop, FSE 2004. Lecture Notes in Computer Science, vol. 3017 (Springer, Berlin, 2004), pp. 371–388
P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in Advances in Cryptology—CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433–450
P. Rogaway, J. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220–236
C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in Automata, Languages and Programming, ICALP 2008, Part II. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 643–654
D. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—EUROCRYPT 1998. Lecture Notes in Computer Science, vol. 1403 (Springer, Berlin, 1998), pp. 334–345
M. Stam, Beyond uniformity: better security/efficiency tradeoffs for compression functions, in Advances in Cryptology—CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 397–412
M. Stam, Blockcipher-based hashing revisited, in Fast Software Encryption, 16th International Workshop, FSE 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 67–83
J. Steinberger, The collision intractability of MDC-2 in the ideal-cipher model, in Advances in Cryptology—EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515 (Springer, Berlin, 2007), pp. 34–51
J. Steinberger, Stam's collision resistance conjecture, in Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 597–615
R. Winternitz, A secure one-way hash function built from DES, in Proceedings of the IEEE Symposium on Security and Privacy (IEEE Press, New York, 1984), pp. 88–90
Journal
Journal of Cryptology, Volume 23, Issue 4, pp. 519–545
Cover Date
2010-10-01
DOI
10.1007/s00145-010-9071-0
Print ISSN
0933-2790
Online ISSN
1432-1378
Publisher
Springer-Verlag
Keywords
Blockcipher
Collision-resistant hash function
Cryptographic hash function
Ideal-cipher model
Modes of operation
 Authors

 J. Black ^{(1)}
 P. Rogaway ^{(2)}
 T. Shrimpton ^{(3)}
 M. Stam ^{(4)}
 Author Affiliations

 1. Department of Computer Science, University of Colorado, Boulder, CO, 80309, USA
 2. Department of Computer Science, University of California, Davis, CA, 95616, USA
 3. Department of Computer Science, Portland State University, Portland, OR, 97201, USA
 4. LACAL, School of Computer and Communication Sciences, EPFL, Station 14, Lausanne, 1015, Switzerland