Chapter

Advances in Cryptology – EUROCRYPT 2005

Volume 3494 of the series Lecture Notes in Computer Science pp 526-541

On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions

  • John BlackAffiliated withDept. of Computer Science, University of Colorado
  • , Martin CochranAffiliated withDept. of Computer Science, University of Colorado
  • , Thomas ShrimptonAffiliated withDept. of Computer Science, Portland State University

Abstract

Fix a small, non-empty set of blockcipher keys  \({\mathcal K}\). We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from  \({\mathcal K}\). Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner [7] is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.

Keywords

Collision-resistant hash functions tweakable blockciphers provable security