Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2005: Advances in Cryptology – EUROCRYPT 2005 pp 526-541

On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions

  • John Black
  • Martin Cochran
  • Thomas Shrimpton
Conference paper

DOI: 10.1007/11426639_31

Volume 3494 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Black J., Cochran M., Shrimpton T. (2005) On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. In: Cramer R. (eds) Advances in Cryptology – EUROCRYPT 2005. EUROCRYPT 2005. Lecture Notes in Computer Science, vol 3494. Springer, Berlin, Heidelberg


Fix a small, non-empty set of blockcipher keys  \({\mathcal K}\). We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from  \({\mathcal K}\). Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner [7] is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.


Collision-resistant hash functionstweakable blockciphersprovable security
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • John Black
    • 1
  • Martin Cochran
    • 1
  • Thomas Shrimpton
    • 2
  1. 1.Dept. of Computer ScienceUniversity of ColoradoBoulderUSA
  2. 2.Dept. of Computer SciencePortland State UniversityPortlandUSA