Hash Functions Based on Block Ciphers

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 658)


Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed.





Copyright information

© Springer-Verlag Berlin Heidelberg 1993

Authors and Affiliations

  1. Signal and Information Processing Laboratory, Swiss Federal Institute of Technology, Zürich, Switzerland
