Building a Collision-Resistant Compression Function from Non-compressing Primitives

(Extended Abstract)
  • Thomas Shrimpton
  • Martijn Stam
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5126)


We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n bit compression function based on three independent n-to-n bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2n/2/nc) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single non-compressing random function cannot suffice.


Hash Functions Random Oracle Model Compression Functions Collision Resistance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Thomas Shrimpton
    • 1
  • Martijn Stam
    • 2
  1. 1.University of Lugano and Portland State University 
  2. 2.EPFL 

Personalised recommendations