Interpreting Hash Function Security Proofs

  • Juraj Šarinay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6402)


We provide a concrete security treatment of several “provably secure” hash functions. Interpreting the arguments behind MQ-HASH, FSB, SWIFFTX and VSH, we identify similar lines of reasoning. We aim to formulate the main security claims in a language closer to that of attacks. We evaluate the designers’ claims of provable security and quantify them more precisely, deriving “second order” bounds on bounds. While the authors of FSB, MQ-HASH and SWIFFT(X) prove the existence of non-trivial lower bounds on security, we show that the quantification of the bounds limits the practical significance of the proofs.
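The arithmetic behind a “bound on a bound”, as an added Python illustration that is not part of the paper and does not use its parameters: a hypothetical reduction (time factor a, additive overhead b, probability loss q, all constructed here) together with an assumed cost for the best known solver of the underlying problem is turned into the collision-finding work the proof can currently certify, and that figure is compared with the generic birthday attack and with a claimed security level. Every number in the block is constructed for the example; none is taken from MQ-HASH, FSB, SWIFFTX or VSH.

```python
"""Concrete-security bookkeeping for a reduction-based hash proof.

Added illustration, not code from the paper.  All parameters below are
constructed; they are not the parameters of MQ-HASH, FSB, SWIFFTX or VSH.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reduction:
    """Shape of a typical concrete reduction statement (hypothetical form):

    any collision finder for H running in time t with success eps yields a
    solver for the underlying problem P running in time a*t + b with success
    eps/q.  Time is counted in one fixed unit (e.g. compression-function calls).
    """
    time_factor: float    # a >= 1
    time_overhead: float  # b >= 0, same unit as t
    prob_loss: float      # q >= 1 (e.g. the number of hash queries the proof guesses over)


def implied_collision_bound_bits(red: Reduction, hardness_bits: float,
                                 eps: float = 1.0) -> Optional[float]:
    """Largest collision-finding lower bound (in bits) the proof can certify today.

    Assumption (labelled): the best known solver for P needs W = 2**hardness_bits
    work for success probability about 1, and success can be traded for work
    linearly (repeat until success).  The reduction then forces
    (a*t + b) * q/eps >= cost(P), and since cost(P) <= W the proof can at most
    certify t >= (eps*W/q - b)/a.  That is a bound on the proven bound: a better
    algorithm for P lowers it further.  Returns None when the bound is vacuous.
    """
    if red.time_factor < 1 or red.prob_loss < 1 or not 0 < eps <= 1:
        raise ValueError("reduction parameters out of range")
    work = eps * 2.0 ** hardness_bits / red.prob_loss - red.time_overhead
    t_min = work / red.time_factor
    if t_min <= 1:
        return None
    return math.log2(t_min)


def generic_birthday_bits(output_bits: int) -> float:
    """Work of the generic birthday collision attack, which exists without any proof."""
    return output_bits / 2


@dataclass(frozen=True)
class Assessment:
    proven_bits: Optional[float]  # what the proof currently certifies
    generic_bits: float           # what the birthday attack costs
    target_bits: float            # security level the designer claims
    gap_bits: Optional[float]     # generic - proven: the range the proof says nothing about
    status: str                   # "vacuous" | "inconsistent" | "certifies" | "below_target"


def assess(red: Reduction, hardness_bits: float, output_bits: int,
           target_bits: float) -> Assessment:
    proven = implied_collision_bound_bits(red, hardness_bits)
    generic = generic_birthday_bits(output_bits)
    if proven is None:
        status, gap = "vacuous", None
    elif proven > generic:
        # The birthday attack always exists, so a certified bound above it means the
        # hardness estimate for P (or the reading of the reduction) is wrong.
        status, gap = "inconsistent", generic - proven
    elif proven >= target_bits:
        status, gap = "certifies", generic - proven
    else:
        status, gap = "below_target", generic - proven
    return Assessment(proven, generic, target_bits, gap, status)


if __name__ == "__main__":
    # Constructed example: 512-bit output, underlying problem believed to cost 2^100,
    # reduction doubles running time, adds 2^30 work and loses 2^20 in probability.
    red = Reduction(time_factor=2, time_overhead=2.0 ** 30, prob_loss=2.0 ** 20)
    a = assess(red, hardness_bits=100, output_bits=512, target_bits=128)
    print(f"proof certifies >= 2^{a.proven_bits:.1f} work; generic attack 2^{a.generic_bits:.0f}; "
          f"claimed 2^{a.target_bits:.0f}; gap {a.gap_bits:.0f} bits; status: {a.status}")
```

With the constructed parameters the proof certifies about 2^79 work for any collision finder while the generic attack costs 2^256 and the claimed level is 2^128: the lower bound is non-trivial, yet the 177 bits between it and the generic attack are not covered by the proof at all, which is the sense in which quantification limits practical significance.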


Keywords: hash functions, security bounds, provable reducibility




References

  1. Arbitman, Y., Dogon, G., Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFTX: A Proposal for the SHA-3 Standard. Submission to NIST (2008)
  2. Augot, D., Finiasz, M., Sendrier, N.: A fast provably secure cryptographic hash function. Cryptology ePrint Archive, Report 2003/230 (2003)
  3. Augot, D., Finiasz, M., Sendrier, N.: A family of fast syndrome based cryptographic hash functions. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 64–83. Springer, Heidelberg (2005)
  4. Aumasson, J.-P., Meier, W.: Analysis of multivariate hash functions. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 309–323. Springer, Heidelberg (2007)
  5. Barreto, P.S.L.M., Rijmen, V.: The Whirlpool hashing function. Submitted to NESSIE (September 2000), revised May 2003
  6. Barua, R., Lange, T. (eds.): INDOCRYPT 2006. LNCS, vol. 4329. Springer, Heidelberg (2006)
  7. Bernstein, D.J., Lange, T., Niederhagen, R., Peters, C., Schwabe, P.: Implementing Wagner’s generalized birthday attack against the SHA-3 round-1 candidate FSB. Cryptology ePrint Archive, Report 2009/292 (2009)
  8. Billet, O., Robshaw, M.J.B., Peyrin, T.: On building hash functions from multivariate quadratic equations. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 82–95. Springer, Heidelberg (2007)
  9. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung [46], pp. 320–335
  10. Buchmann, J., Lindner, R.: Secure parameters for SWIFFT. In: Roy, B.K., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 1–17. Springer, Heidelberg (2009)
  11. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptology 22(1), 93–113 (2009)
  12. Contini, S., Lenstra, A.K., Steinfeld, R.: VSH, an efficient and provable collision-resistant hash function. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 165–182. Springer, Heidelberg (2006)
  13. Coron, J.-S., Joux, A.: Cryptanalysis of a provably secure cryptographic hash function. Cryptology ePrint Archive, Report 2004/013 (2004)
  14. Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  15. Augot, D., Finiasz, M., Gaborit, P., Manuel, S., Sendrier, N.: SHA-3 proposal: FSB. Submission to NIST (2008)
  16. Finiasz, M., Gaborit, P., Sendrier, N.: Improved fast syndrome based cryptographic hash functions. In: ECRYPT Hash Function Workshop 2007 (2007)
  17. Finiasz, M.: Syndrome based collision resistant hashing. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 137–147. Springer, Heidelberg (2008)
  18. Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)
  19. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart [37], pp. 31–51
  20. Grassl, M., Ilić, I., Magliveras, S., Steinwandt, R.: Cryptanalysis of the Tillich–Zémor hash function. J. Cryptology (2010)
  21. Koblitz, N., Menezes, A.: Another look at “provable security”. II. In: Barua, Lange [6], pp. 148–175
  22. Koblitz, N., Menezes, A.: Another look at “provable security”. J. Cryptology 20(1), 3–37 (2007)
  23. Lenstra, A.K., Page, D., Stam, M.: Discrete logarithm variants of VSH. In: Nguyên [28], pp. 229–242
  24. Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: Provably secure FFT hashing. In: 2nd NIST Cryptographic Hash Function Workshop (2006)
  25. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)
  26. Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: A modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)
  27. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity 16(4), 365–411 (2007)
  28. Nguyên, P.Q. (ed.): VIETCRYPT 2006. LNCS, vol. 4341. Springer, Heidelberg (2006)
  29. National Institute of Standards and Technology: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register 72(212), 62212–62220 (November 2007)
  30. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006)
  31. Petit, C., Lauter, K., Quisquater, J.-J.: Cayley hashes: A class of efficient graph-based hash functions. Preprint (2007)
  32. Petit, C., Lauter, K., Quisquater, J.-J.: Full cryptanalysis of LPS and Morgenstern hash functions. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 263–277. Springer, Heidelberg (2008)
  33. Petit, C., Quisquater, J.-J., Tillich, J.-P., Zémor, G.: Hard and easy components of collision search in the Zémor–Tillich hash function: New attacks and reduced variants with equivalent security. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 182–194. Springer, Heidelberg (2009)
  34. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
  35. Rogaway, P.: Formalizing human ignorance. In: Nguyên [28], pp. 211–228
  36. Saarinen, M.-J.O.: Security of VSH in the real world. In: Barua, Lange [6], pp. 95–103
  37. Smart, N.P. (ed.): EUROCRYPT 2008. LNCS, vol. 4965. Springer, Heidelberg (2008)
  38. Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)
  39. Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
  40. Tillich, J.-P., Zémor, G.: Hashing with SL_2. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 40–49. Springer, Heidelberg (1994)
  41. Tillich, J.-P., Zémor, G.: Collisions for the LPS expander graph hash function. In: Smart [37], pp. 254–269
  42. Wagner, D.: A generalized birthday problem. In: Yung [46], pp. 288–303
  43. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  44. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  45. Yang, B.-Y., Chen, C.-H.O., Bernstein, D.J., Chen, J.-M.: Analysis of QUAD. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 290–308. Springer, Heidelberg (2007)
  46. Yung, M. (ed.): CRYPTO 2002. LNCS, vol. 2442. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Juraj Šarinay, EPFL IC LACAL, Station 14, Lausanne, Switzerland
