Journal of Cryptology, Volume 23, Issue 4, pp 519–545

An Analysis of the Blockcipher-Based Hash Functions from PGV


Abstract

Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H:\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E:\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.
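The family the abstract describes, as an added example that is not code from the paper: an ideal cipher simulated by lazily sampled random permutations (one per key, with forward and inverse oracles), the 64 PGV compression functions f(h, m) = E_a(b) ⊕ c with a, b, c each drawn from {h, m, h ⊕ m, v}, and their plain Merkle–Damgård iteration. The toy block length n = 16, the constant v = 0, the IV, the omission of padding, and the three scheme names are assumptions of this example, not details taken from the page.

```python
import itertools
import random

N_BITS = 16    # toy block length n; real ciphers use n = 64 or 128 (assumption)
V = 0          # PGV's fixed constant v (assumption: v = 0)


class IdealCipher:
    """Independent random permutation per key, sampled lazily on demand:
    a concrete instance of the ideal-cipher model used in the paper."""

    def __init__(self, seed=0):
        self.fwd, self.inv = {}, {}          # (k, x) -> y and (k, y) -> x
        self.rng = random.Random(seed)

    def _sample(self, used_key_side):
        z = self.rng.getrandbits(N_BITS)
        while used_key_side(z):              # keep E_k a bijection
            z = self.rng.getrandbits(N_BITS)
        return z

    def E(self, k, x):
        """Forward oracle E_k(x)."""
        if (k, x) not in self.fwd:
            y = self._sample(lambda y: (k, y) in self.inv)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.fwd[(k, x)]

    def D(self, k, y):
        """Inverse oracle E_k^{-1}(y), consistent with earlier E queries."""
        if (k, y) not in self.inv:
            x = self._sample(lambda x: (k, x) in self.fwd)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.inv[(k, y)]


# A PGV scheme is a triple (a, b, c): key, plaintext and feed-forward term,
# each chosen from {h, m, h xor m, v}; 4**3 == 64 schemes in total.
CHOICES = ("h", "m", "h^m", "v")
ALL_SCHEMES = list(itertools.product(CHOICES, repeat=3))


def pgv_compress(cipher, scheme, h, m):
    w = {"h": h, "m": m, "h^m": h ^ m, "v": V}
    a, b, c = scheme
    return cipher.E(w[a], w[b]) ^ w[c]


def pgv_hash(cipher, scheme, blocks, iv=0x1234):
    """Merkle-Damgard iteration over already-split n-bit blocks (no padding)."""
    h = iv
    for m in blocks:
        h = pgv_compress(cipher, scheme, h, m)
    return h


# Three of the twelve schemes PGV regarded as secure, under their usual names.
MATYAS_MEYER_OSEAS = ("h", "m", "m")      # E_h(m) xor m
DAVIES_MEYER = ("m", "h", "h")            # E_m(h) xor h
MIYAGUCHI_PRENEEL = ("h", "m", "h^m")     # E_h(m) xor m xor h
```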

Key words

Blockcipher, Collision-resistant hash function, Cryptographic hash function, Ideal-cipher model, Modes of operation


References

  1. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—Proceedings of EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
  2. M. Bellare, J. Kilian, P. Rogaway, The security of cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  3. G. Bertoni, J. Daemen, M. Peeters, G. Assche, On the indifferentiability of the sponge construction, in Advances in Cryptology—Proceedings of EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 181–197
  4. A. Biryukov, D. Khovratovich, I. Nikolić, Distinguisher and related-key attack on the full AES-256, in Advances in Cryptology—Proceedings of CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 229–247
  5. J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in Fast Software Encryption, 13th International Workshop, FSE 2006. Lecture Notes in Computer Science, vol. 4047 (Springer, Berlin, 2006), pp. 328–340
  6. J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 320–335. Proceedings version of this paper
  7. J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly efficient blockcipher-based hash functions, in Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541
  8. J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions. J. Cryptol. 22(3), 311–329 (2009)
  9. J. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in Advances in Cryptology—CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
  10. I. Damgård, A design principle for hash functions, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 416–427
  11. Y. Dodis, J. Steinberger, Message authentication codes from unpredictable block ciphers, in Advances in Cryptology—Proceedings of CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677 (Springer, Berlin, 2009), pp. 267–285
  12. Y. Dodis, T. Ristenpart, T. Shrimpton, Salvaging Merkle–Damgård for practical applications, in Advances in Cryptology—Proceedings of EUROCRYPT 2009. Lecture Notes in Computer Science, vol. 5479 (Springer, Berlin, 2009), pp. 371–388
  13. L. Duo, C. Li, Improved collision and preimage resistance bounds on PGV schemes. Technical Report 2006/462, IACR's ePrint Archive, 2006
  14. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation, in Advances in Cryptology—ASIACRYPT 1991. Lecture Notes in Computer Science, vol. 739 (Springer, Berlin, 1992), pp. 210–224
  15. E. Fleischmann, M. Gorski, S. Lucks, On the security of tandem-DM, in Fast Software Encryption, 16th International Workshop, FSE 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 84–103
  16. E. Fleischmann, M. Gorski, S. Lucks, Security of cyclic double block length hash functions, in Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 153–175
  17. S. Hirose, Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model, in Selected Areas in Cryptography 2002. Lecture Notes in Computer Science, vol. 2595 (Springer, Berlin, 2003), pp. 339–352
  18. S. Hirose, Provably secure double-block-length hash functions in a black-box model, in Information Security and Cryptology—ICISC 2004. Lecture Notes in Computer Science, vol. 3506 (Springer, Berlin, 2005), pp. 330–342
  19. ISO/IEC 10118-2. Information technology—Security techniques—Hash functions—Hash functions using an n-bit block cipher algorithm. International Organization for Standardization, Geneva, Switzerland, 1994
  20. J. Kilian, P. Rogaway, How to protect DES against exhaustive key search. J. Cryptol. 14(1), 17–35 (2001). Earlier version in CRYPTO 1996
  21. X. Lai, J. Massey, Hash function based on block ciphers, in Advances in Cryptology—Proceedings of EUROCRYPT 1992. Lecture Notes in Computer Science, vol. 658 (Springer, Berlin, 1992), pp. 55–70
  22. J. Lee, J. Steinberger, Multi-property-preserving domain extension using polynomial-based modes of operation, in Advances in Cryptology—Proceedings of EUROCRYPT 2010. Lecture Notes in Computer Science (Springer, Berlin, 2010)
  23. S. Lucks, A collision-resistant rate-1 double-block-length hash function, in Symmetric Cryptography, Dagstuhl Seminar Proceedings, no. 07021, Dagstuhl, Germany, 2007. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany
  24. S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. IBM Tech. Dis. Bull. 27(10a), 5658–5659 (1985)
  25. U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference (TCC '04). Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 21–39
  26. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)
  27. R. Merkle, One way hash functions and DES, in Advances in Cryptology—CRYPTO 1989. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446
  28. O. Özen, M. Stam, Another glance at double-length hashing, in Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009. Lecture Notes in Computer Science, vol. 5921 (Springer, Berlin, 2009), pp. 176–201
  29. B. Preneel, Analysis and design of hash functions. PhD thesis, Katholieke Universiteit Leuven (Belgium), 1993. Available from Preneel's homepage
  30. B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: a synthetic approach, in Advances in Cryptology—Proceedings of CRYPTO 1993. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378
  31. M. Rabin, Digitalized signatures, in Foundations of Secure Computation (Academic Press, New York, 1978), pp. 155–168
  32. R. Rivest, The MD4 message digest algorithm, in Advances in Cryptology—Proceedings of CRYPTO 1990. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 1991), pp. 303–311
  33. P. Rogaway, T. Shrimpton, Cryptographic hash-function basics: definitions, implications and separations for preimage resistance, second-preimage resistance, and collision resistance, in Fast Software Encryption, 11th International Workshop, FSE 2004. Lecture Notes in Computer Science (Springer, Berlin, 2004), pp. 371–388
  34. P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in Advances in Cryptology—Proceedings of CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 433–450
  35. P. Rogaway, J. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in Advances in Cryptology—Proceedings of EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 220–236
  36. C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
  37. T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in ICALP 2008, Part II. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 643–654
  38. D. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—Proceedings of EUROCRYPT 1998. Lecture Notes in Computer Science, vol. 1403 (Springer, Berlin, 1998), pp. 334–345
  39. M. Stam, Beyond uniformity: better security/efficiency tradeoffs for compression functions, in Advances in Cryptology—Proceedings of CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 397–412
  40. M. Stam, Block cipher based hashing revisited, in Fast Software Encryption 2009. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin, 2009), pp. 67–83
  41. J. Steinberger, The collision intractability of MDC-2 in the ideal-cipher model, in Advances in Cryptology—Proceedings of EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515 (Springer, Berlin, 2007), pp. 34–51
  42. J. Steinberger, Stam's collision resistance conjecture, in Advances in Cryptology—Proceedings of EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110 (Springer, Berlin, 2010), pp. 597–615
  43. R. Winternitz, A secure one-way hash function built from DES, in Proceedings of the IEEE Symposium on Information Security and Privacy (IEEE Press, New York, 1984), pp. 88–90

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. Department of Computer Science, University of Colorado, Boulder, USA
  2. Department of Computer Science, University of California, Davis, USA
  3. Department of Computer Science, Portland State University, Portland, USA
  4. LACAL, School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland
