Hash functions based on block ciphers and quaternary codes

  • Lars Knudsen
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1163)


We consider constructions for cryptographic hash functions based on m-bit block ciphers. First we present a new attack on the LOKI-DBH mode: the attack finds collisions in 2^(3m/4) encryptions, which should be compared to 2^m encryptions for a brute force attack. This attack breaks the last remaining subclass in a wide class of efficient hash functions which have been proposed in the literature. We then analyze hash functions based on a collision resistant compression function for which finding a collision requires at least 2^m encryptions, providing a lower bound on the complexity of collisions of the hash function. A new class of constructions is proposed, based on error correcting codes over GF(2^2), and a proof of security is given which relates their security to that of single block hash functions. For example, a compression function is presented which requires about 4 encryptions to hash an m-bit block, and for which finding a collision requires at least 2^m encryptions. This scheme has the same hash rate as MDC-4, but better security against collision attacks. Our method can be used to construct compression functions with even higher levels of security at the cost of more internal memory.
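The abstract measures collision security in block-cipher encryptions and relates the new schemes to single block length hash functions. The example below is an added illustration, not code from the paper: it builds the generic single block length construction (a Davies-Meyer compression step iterated Merkle-Damgård style) on top of a constructed 24-bit toy Feistel cipher, counts encryptions, and runs a birthday-style search for a compression function collision, then shows that such a collision extends to a collision of the full hash for any common suffix. With an m-bit chaining value the search costs about 2^(m/2) encryptions, which is why constructions with a 2m-bit result such as MDC-4 and the paper's quaternary-code schemes are needed to push brute force collision search to the 2^m encryptions quoted above. The cipher, the IV, the round constants and the block size are all assumptions chosen for the demonstration; the paper's own code-based compression function is not reproduced here.

```python
"""Added illustration (not from the paper): a single block length hash built
from a block cipher (Davies-Meyer compression, Merkle-Damgard iteration) and a
birthday-style collision search whose cost is counted in encryptions.  The
24-bit Feistel cipher is a constructed toy, NOT a real cipher."""
import random

M = 24                       # block/key length m in bits (toy size so the search runs fast)
HALF = M // 2
MASK = (1 << M) - 1
HMASK = (1 << HALF) - 1
ROUNDS = 8
IV = 0x123456                # fixed initial chaining value (constructed constant)
encryptions = 0              # every call to encrypt() bumps this: the cost metric


def _round(x, k):
    # Toy keyed round function on one 12-bit half: xor key, mix, rotate.
    y = ((x ^ k) * 0x5BD + 0x13) & HMASK
    return ((y << 5) | (y >> (HALF - 5))) & HMASK


def encrypt(key, block):
    """E_key(block): m-bit Feistel permutation under an m-bit key (toy cipher)."""
    global encryptions
    encryptions += 1
    left, right = block >> HALF, block & HMASK
    for i in range(ROUNDS):
        rk = ((key >> ((3 * i) % M)) ^ (key * (2 * i + 3)) ^ (i * 0x9E37)) & HMASK
        left, right = right, left ^ _round(right, rk)
    return (left << HALF) | right


def compress(h, m_block):
    """Davies-Meyer step h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}: one encryption per
    m-bit message block with an m-bit chaining value (rate 1, single block length)."""
    return encrypt(m_block, h) ^ h


def hash_blocks(blocks):
    """Merkle-Damgard iteration, closed by compressing the block count
    (MD strengthening) so messages of different length stay distinguishable."""
    h = IV
    for b in blocks:
        h = compress(h, b & MASK)
    return compress(h, len(blocks) & MASK)


def find_compression_collision(seed=1):
    """Birthday search for m1 != m2 with compress(IV, m1) == compress(IV, m2).
    Returns (m1, m2, encryptions used).  With an m-bit chaining value the
    expected cost is about 2^(m/2) encryptions, far below the 2^m that a
    2m-bit (double block length) result would demand."""
    global encryptions
    encryptions = 0
    rng = random.Random(seed)            # deterministic so the run is reproducible
    seen = {}                            # output -> message block that produced it
    for _ in range(1 << M):              # hard cap; a collision arrives long before this
        m_block = rng.getrandbits(M)
        out = compress(IV, m_block)
        if out in seen and seen[out] != m_block:
            return seen[out], m_block, encryptions
        seen[out] = m_block
    raise RuntimeError("no collision found within 2^m trials")


def extend_to_hash_collision(m1, m2, suffix=(0xABCDEF, 0x42)):
    """A collision in the compression function yields a collision of the full
    hash for any shared suffix: this is why a collision resistant compression
    function lower-bounds the collision complexity of the iterated hash."""
    msg1, msg2 = [m1, *suffix], [m2, *suffix]
    return hash_blocks(msg1) == hash_blocks(msg2), msg1, msg2


if __name__ == "__main__":
    m1, m2, cost = find_compression_collision()
    same, msg1, msg2 = extend_to_hash_collision(m1, m2)
    print(f"m={M}: collision after {cost} encryptions (2^(m/2) = {1 << (M // 2)})")
    print(f"compression collision extends to a full hash collision: {same}")
```

Running the module prints the number of encryptions the search needed, which lands in the low thousands for m = 24, against 2^12 = 4096 for the birthday estimate and 2^24 for the exhaustive bound; doubling the chaining value to 2m bits is what moves the attacker's cost to the 2^m encryptions the abstract uses as its benchmark.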







Copyright information

© Springer-Verlag 1996

Authors and Affiliations

  • Lars Knudsen (1)
  • Bart Preneel (1)
  1. Dept. Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Heverlee, Belgium
