Journal of Cryptology

, Volume 23, Issue 4, pp 519–545

An Analysis of the Blockcipher-Based Hash Functions from PGV


DOI: 10.1007/s00145-010-9071-0

Cite this article as:
Black, J., Rogaway, P., Shrimpton, T. et al. J Cryptol (2010) 23: 519. doi:10.1007/s00145-010-9071-0


Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H{:\;\:}\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E{:\;\:}\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.

Key words

BlockcipherCollision-resistant hash functionCryptographic hash functionIdeal-cipher modelModes of operation

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of ColoradoBoulderUSA
  2. 2.Department of Computer ScienceUniversity of CaliforniaDavisUSA
  3. 3.Department of Computer SciencePortland State UniversityPortlandUSA
  4. 4.LACAL, School of Computer and Communication SciencesEPFLLausanneSwitzerland