Hash Functions Based on Three Permutations: A Generic Security Analysis

Conference paper

DOI: 10.1007/978-3-642-32009-5_20

Volume 7417 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Mennink B., Preneel B. (2012) Hash Functions Based on Three Permutations: A Generic Security Analysis. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg


We consider the family of 2n-to-n-bit compression functions that are solely based on at most three permutation executions and on XOR-operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen equivalence relation on this family of compression functions, we obtain the following results. In the setting where the three permutations \(\pi _1\), \(\pi _2\), \(\pi _3\) are selected independently and uniformly at random, there exist at most four equivalence classes that achieve optimal \(2^{n/2}\) collision resistance. Under a certain extremal graph theory based conjecture, these classes are then proven optimally collision secure. Three of these classes allow for finding preimages in \(2^{n/2}\) queries, and only one achieves optimal \(2^{2n/3}\) preimage resistance (with respect to the bounds of Rogaway and Steinberger, EUROCRYPT 2008). Consequently, a compression function is optimally collision and preimage secure if and only if it is equivalent to \(\mathsf {F}(x_1,x_2) = x_1\oplus \pi _1(x_1)\oplus \pi _2(x_2)\oplus \pi _3(x_1\oplus x_2\oplus \pi _1(x_1))\). For compression functions that make three calls to the same permutation we obtain a surprising negative result, namely the impossibility of optimal \(2^{n/2}\) collision security: for any scheme, collisions can be found with \(2^{2n/5}\) queries. This result casts some doubt over the existence of any (larger) secure permutation-based compression function built only on XOR-operators and (multiple invocations of) a single permutation.


Hash functionPermutation-basedCollision resistancePreimage resistance
Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  1. 1.Dept. Electrical Engineering, ESAT/COSICKU LeuvenLeuvenBelgium
  2. 2.IBBTLeuvenBelgium