On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions

Abstract

Fix a small nonempty set of blockcipher keys \(\mathcal{K}\). We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from \(\mathcal{K}\). Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner (Advances in Cryptology–CRYPTO ’02, Lecture Notes in Computer Science, vol. 2442, pp. 31–46, Springer, Berlin, 2002) is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.

References

[1] J. Black, M. Cochran, T. Shrimpton, On the impossibility of highly-efficient blockcipher-based hash functions, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 526–541

[2] J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in Advances in Cryptology–CRYPTO ’02, ed. by M. Yung. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002)

[3] L. Carter, M. Wegman, Universal hash functions. J. Comput. Syst. Sci. 18, 143–154 (1979)

[4] I. Damgård, A design principle for hash functions, in Advances in Cryptology–CRYPTO ’89, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990)

[5] R. Gennaro, Y. Gertner, J. Katz, L. Trevisan, Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)

[6] D. Goldenberg, S. Hohenberger, M. Liskov, E.C. Schwartz, H. Seyalioglu, On tweaking Luby–Rackoff blockciphers, in Advances in Cryptology–ASIACRYPT ’07, ed. by K. Kurosawa. Lecture Notes in Computer Science, vol. 4833 (Springer, Berlin, 2007), pp. 342–356

[7] H. Handschuh, L. Knudsen, M. Robshaw, Analysis of SHA-1 in encryption mode, in Advances in Cryptology–CT-RSA ’01, ed. by D. Naccache. Lecture Notes in Computer Science, vol. 2020 (Springer, Berlin, 2001), pp. 70–83

[8] M. Liskov, R. Rivest, D. Wagner, Tweakable block ciphers, in Advances in Cryptology–CRYPTO ’02, ed. by M. Yung. Lecture Notes in Computer Science, vol. 2442 (Springer, Berlin, 2002), pp. 31–46

[9] S. Matyas, C. Meyer, J. Oseas, Generating strong one-way functions with cryptographic algorithms. IBM Tech. Dis. Bull. 27(10), 5658–5659 (1985)

[10] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996)

[11] R. Merkle, One way hash functions and DES, in Advances in Cryptology–CRYPTO ’89, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 428–446

[12] B. Preneel, R. Govaerts, J. Vandewalle, Hash functions based on block ciphers: A synthetic approach, in Advances in Cryptology–CRYPTO ’93, ed. by D. Stinson. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin, 1994), pp. 368–378

[13] M. Rabin, Digitalized signatures, in Foundations of Secure Computation, ed. by R. DeMillo, D. Dobkin, A. Jones (Academic Press, San Diego, 1978), pp. 155–168

[14] P. Rogaway, J. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in Advances in Cryptology–CRYPTO 2008, Santa Barbara, CA, 17–21 Aug. 2008, ed. by D. Wagner. Lecture Notes in Computer Science (Springer, Berlin, 2008)

[15] R. Schroeppel, H. Orman, The hasty pudding cipher. AES candidate submitted to NIST (1998)

[16] C. Shannon, Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)

[17] T. Shrimpton, M. Stam, Building a collision-resistant compression function from non-compressing primitives, in ICALP 08: 35th International Colloquium on Automata, Languages and Programming, Reykjavik, Iceland, July 2008, ed. by L. Aceto et al. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 643–654

[18] D. Simon, Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?, in Advances in Cryptology–EUROCRYPT ’98, ed. by K. Nyberg. Lecture Notes in Computer Science, vol. 1403 (Springer, Berlin, 1998), pp. 334–345

[19] X. Wang, X. Lai, D. Feng, H. Chen, X. Yu, Cryptanalysis of the hash functions MD4 and RIPEMD, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 1–18

[20] X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in Advances in Cryptology–CRYPTO ’05, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 17–36

[21] X. Wang, H. Yu, How to break MD5 and other hash functions, in Advances in Cryptology–EUROCRYPT ’05, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 19–35

[22] X. Wang, H. Yu, Y.L. Yin, Efficient collision search attacks on SHA-0, in Advances in Cryptology–CRYPTO ’05, ed. by V. Shoup. Lecture Notes in Computer Science, vol. 3621 (Springer, Berlin, 2005), pp. 1–16

[23] R. Winternitz, A secure one-way hash function built from DES, in Proceedings of the IEEE Symposium on Information Security and Privacy (IEEE Press, New York, 1984), pp. 88–90

Author information

Corresponding author

Correspondence to M. Cochran.

Cite this article

Black, J., Cochran, M. & Shrimpton, T. On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. J Cryptol 22, 311–329 (2009). https://doi.org/10.1007/s00145-008-9030-1

Keywords

  • Collision-resistant hash functions
  • Blockcipher-based hash functions
  • Ideal-cipher model
  • Tweakable blockciphers
  • Provable security