Security/Efficiency Tradeoffs for Permutation-Based Hashing

  • Phillip Rogaway
  • John Steinberger
Conference paper

DOI: 10.1007/978-3-540-78967-3_13

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4965)
Cite this paper as:
Rogaway P., Steinberger J. (2008) Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg


We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance if it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-α hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about $N^{1-\alpha}$ queries, where $N = 2^n$. Our results provide guidance when trying to design or analyze a permutation-based hash function about the limits of what can possibly be done.


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Phillip Rogaway (1)
  • John Steinberger (2)
  1. Department of Computer Science, University of California, Davis, USA
  2. Department of Mathematics, University of British Columbia, Canada
