Journal of Cryptology, Volume 23, Issue 4, pp 519–545

An Analysis of the Blockcipher-Based Hash Functions from PGV


DOI: 10.1007/s00145-010-9071-0

Cite this article as:
Black, J., Rogaway, P., Shrimpton, T. et al. J Cryptol (2010) 23: 519. doi:10.1007/s00145-010-9071-0


Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function \(H{:\;\:}\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) from a blockcipher \(E{:\;\:}\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\). They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.
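As an added illustration (not code from the article), the sketch below enumerates the 64 schemes using the standard PGV form f(h, m) = E_a(b) ⊕ c with a, b, c each drawn from {h, m, h ⊕ m, v}, which the abstract does not spell out. `toy_E`, the all-zero constant `V`, and the zero padding are constructed stand-ins; the structural check only flags schemes that ignore an input and does not reproduce the article's security classification.

```python
import hashlib
from itertools import product

N = 8         # block and key size in bytes (n = 64 bits); constructed toy parameter
V = bytes(N)  # the fixed constant v (all-zero here, an assumption)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def toy_E(key, block):
    """Stand-in blockcipher: 4-round Feistel keyed via SHA-256. NOT secure."""
    left, right = block[:N // 2], block[N // 2:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:N // 2]
        left, right = right, xor(left, f)
    return left + right

# Each of a, b, c is one of h, m, h xor m, or the constant v: 4^3 = 64 schemes.
TERMS = {
    "h": lambda h, m: h,
    "m": lambda h, m: m,
    "h^m": lambda h, m: xor(h, m),
    "v": lambda h, m: V,
}
SCHEMES = list(product(TERMS, repeat=3))  # (a, b, c) triples

def compress(scheme, h, m):
    """f(h, m) = E_a(b) xor c for the given (a, b, c) triple."""
    a, b, c = (TERMS[t](h, m) for t in scheme)
    return xor(toy_E(a, b), c)

def ignores_an_input(scheme):
    """True if f cannot depend on m, or cannot depend on h (structural check)."""
    return (all(t in ("h", "v") for t in scheme)
            or all(t in ("m", "v") for t in scheme))

def iterate(scheme, message, h0=V):
    """Iterate f over zero-padded N-byte blocks (no length strengthening)."""
    message += bytes(-len(message) % N)
    h = h0
    for i in range(0, len(message), N):
        h = compress(scheme, h, message[i:i + N])
    return h

DAVIES_MEYER = ("m", "h", "h")         # E_m(h) xor h
MATYAS_MEYER_OSEAS = ("h", "m", "m")   # E_h(m) xor m
MIYAGUCHI_PRENEEL = ("h", "m", "h^m")  # E_h(m) xor m xor h
```

Fifteen of the 64 triples never reference m or never reference h, so they cannot be collision resistant regardless of the cipher; separating the remaining schemes requires the ideal-cipher-model analysis the article provides.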

Key words

Blockcipher; Collision-resistant hash function; Cryptographic hash function; Ideal-cipher model; Modes of operation

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. Department of Computer Science, University of Colorado, Boulder, USA
  2. Department of Computer Science, University of California, Davis, USA
  3. Department of Computer Science, Portland State University, Portland, USA
  4. LACAL, School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland
