Abstract
Fix a small nonempty set of blockcipher keys \(\mathcal{K}\). We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from \(\mathcal{K}\). Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner (Advances in Cryptology–CRYPTO ’02, Lecture Notes in Computer Science, vol. 2442, pp. 31–46, Springer, Berlin, 2002) is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.
References
J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541
J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology–CRYPTO ’02, ed. by M. Yung. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002)
L. Carter, M. Wegman, Universal hash functions. J. Comput. Syst. Sci. 18, 143–154 (1979)
I. Damgård, A design principle for hash functions, in Advances in Cryptology–CRYPTO ’89, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990)
R. Gennaro, Y. Gertner, J. Katz, L. Trevisan, Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
D. Goldenberg, S. Hohenberger, M. Liskov, E.C. Schwartz, H. Seyalioglu, On tweaking Luby–Rackoff blockciphers, in Advances in Cryptology–ASIACRYPT ’07, ed. by K. Kurosawa. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 342–356
H. Handschuh, L. Knudsen, M. Robshaw, Analysis of SHA-1 in encryption mode, in Advances in Cryptology–CT-RSA ’01, ed. by D. Naccache. Lecture Notes in Computer Science, vol. 2020 (Springer, Berlin, 2001), pp. 70–83
M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in Advances in Cryptology–CRYPTO ’02, ed. by M. Yung. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 31–46
S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. IBM Tech. Dis. Bull. 27(10), 5658–5659 (1985)
A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)
R. Merkle, One way hash functions and DES, in Advances in Cryptology–CRYPTO ’89, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446
B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: A synthetic approach, in Advances in Cryptology–CRYPTO ’93, ed. by D. Stinson. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378
M. Rabin, Digitalized signatures, in Foundations of Secure Computation, ed. by R. DeMillo, D. Dobkin, A. Jones (Academic Press, San Diego, 1978), pp. 155–168
P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in Advances in Cryptology–CRYPTO 2008, Santa Barbara, CA, 17–21 Aug. 2008, ed. by D. Wagner. Lecture Notes in Computer Science (Springer, Berlin, 2008)
R. Schroeppel, H. Orman, The hasty pudding cipher. AES candidate submitted to NIST (1998)
C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in ICALP 08: 35th International Colloquium on Automata, Languages and Programming, Reykjavik, Iceland, July 2008, ed. by L. Aceto et al. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 643–654
D. Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?, in Advances in Cryptology–EUROCRYPT ’98, ed. by K. Nyberg. Lecture Notes in Computer Science, vol. 1403 (Springer, Berlin, 1998), pp. 334–345
X. Wang, X. Lai, D. Feng, H. Chen, X. Yu, Cryptanalysis of the hash functions MD4 and RIPEMD, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 1–18
X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in Advances in Cryptology–CRYPTO ’05, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 17–36
X. Wang, H. Yu, How to break MD5 and other hash functions, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 19–35
X. Wang, H. Yu, Y.L. Yin, Efficient collision search attacks on SHA-0, in Advances in Cryptology–CRYPTO ’05, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 1–16
R. Winternitz, A secure one-way hash function built from DES, in Proceedings of the IEEE Symposium on Information Security and Privacy (IEEE Press, New York, 1984), pp. 88–90
Cite this article
Black, J., Cochran, M. & Shrimpton, T. On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. J Cryptol 22, 311–329 (2009). https://doi.org/10.1007/s00145-008-9030-1