Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV

  • John Black
  • Phillip Rogaway
  • Thomas Shrimpton
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


Preneel, Govaerts, and Vandewalle [6] considered the 64 most basic ways to construct a hash function $H\colon \{0,1\}^* \to \{0,1\}^n$ from a block cipher $E\colon \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. The remaining 52 schemes were shown to be subject to various attacks. Here we provide a formal and quantitative treatment of the 64 constructions considered by PGV. We prove that, in a black-box model, the 12 schemes that PGV singled out as secure really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle-Damgård approach to analysis, we show that an additional 8 of the 64 schemes are just as collision resistant (up to a small constant) as the first group of schemes. Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by bounding their security as one-way functions. We suggest that proving black-box bounds, of the style given here, is a feasible and useful step for understanding the security of any block-cipher-based hash-function construction.


Keywords: Hash Function, Block Cipher, Compression Function, Oracle Query, Collision Resistance


References

  1. J. Black, P. Rogaway, and T. Shrimpton. Black-box analysis of the blockcipher-based hash-function constructions from PGV. Full version of this paper, 2002.
  2. I. Damgård. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology — CRYPTO ’89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
  3. S. Even and Y. Mansour. A construction of a cipher from a single pseudorandom permutation. In Advances in Cryptology — ASIACRYPT ’91, volume 739 of Lecture Notes in Computer Science, pages 210–224. Springer-Verlag, 1992.
  4. J. Kilian and P. Rogaway. How to protect DES against exhaustive key search. Journal of Cryptology, 14(1):17–35, 2001. Earlier version in CRYPTO ’96.
  5. R. Merkle. One way hash functions and DES. In G. Brassard, editor, Advances in Cryptology — CRYPTO ’89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, 1990.
  6. B. Preneel, R. Govaerts, and J. Vandewalle. Hash functions based on block ciphers: A synthetic approach. In Advances in Cryptology — CRYPTO ’93, Lecture Notes in Computer Science, pages 368–378. Springer-Verlag, 1994.
  7. M. Rabin. Digitalized signatures. In R. DeMillo, D. Dobkin, A. Jones, and R. Lipton, editors, Foundations of Secure Computation, pages 155–168. Academic Press, 1978.
  8. C. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28(4):656–715, 1949.
  9. P. van Oorschot and M. Wiener. Parallel collision search with cryptanalytic applications. Journal of Cryptology, 12(1):1–28, 1999. Earlier version in ACM CCS ’94.
  10. R. Winternitz. A secure one-way hash function built from DES. In Proceedings of the IEEE Symposium on Information Security and Privacy, pages 88–90. IEEE Press, 1984.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • John Black (1)
  • Phillip Rogaway (2, 3)
  • Thomas Shrimpton (4)

  1. Dept. of Computer Science, University of Colorado, Boulder, USA
  2. Dept. of Computer Science, University of California, Davis, USA
  3. Dept. of Computer Science, Fac of Science, Chiang Mai University, Thailand
  4. Dept. of Electrical and Computer Engineering, University of California, Davis, USA
