Blockcipher-Based Double-Length Hash Functions for Pseudorandom Oracles

  • Yusuke Naito
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7118)


PRO (Pseudorandom Oracle) is an important security of hash functions because it ensures that the PRO hash function inherits all properties of a random oracle in single stage games up to the PRO bound (e.g., collision resistant security, preimage resistant security and so on). In this paper, we propose new blockcipher-based double-length hash functions, which are PROs up to \(\mathcal{O}(2^n)\) query complexity in the ideal cipher model. Our hash functions use a single blockcipher, which encrypts an n-bit string using a 2n-bit key, and maps an input of arbitrary length to an n-bit output. Since many blockciphers supports a 2n-bit key (e.g. AES supports a 256-bit key), the assumption to use the 2n-bit key length blockcipher is acceptable. To our knowledge, this is the first time double-length hash functions based on a single (practical size) blockcipher with birthday PRO security.


Hash Function Block Cipher Random Oracle Query Complexity Compression Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bellare, M., Ristenpart, T.: Multi-Property-Preserving Hash Domain Extension and the EMD Transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Brachtl, B.O., Coppersmith, D., Hyden, M.M., Matyas Jr., S.M., Meyer, C.H.W., Oseas, J., Pilpel, S., Schilling, M.: Data authentication using modification detection codes based on a public one way encryption function. US Patent No. 4,908,861 (1990) (filed August 28, 1987)Google Scholar
  3. 3.
    Chang, D., Lee, S., Nandi, M., Yung, M.: Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 283–298. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Damgård, I.B.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  6. 6.
    Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for Practical Applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for Practical Applications. ePrint 2009/177 (2009)Google Scholar
  8. 8.
    Fleischmann, E., Forler, C., Gorski, M., Lucks, S.: Collision Resistant Double-Length Hashing. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 102–118. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. 9.
    Fleischmann, E., Gorski, M., Lucks, S.: Security of Cyclic Double Block Length Hash Functions. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Gong, Z., Lai, X., Chen, K.: A synthetic indifferentiability analysis of some block-cipher-based hash functions. In: Des. Codes Cryptography, vol. 48, pp. 293–305 (2008)Google Scholar
  11. 11.
    Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Hirose, S., Park, J.H., Yun, A.: A Simple Variant of the Merkle-Damgård Scheme with a Permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Hoch, J.J., Shamir, A.: On the Strength of the Concatenated Hash Combiner When All the Hash Functions Are Weak. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 616–630. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Lai, X., Massey, J.L.: Hash Functions Based on Block Ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  15. 15.
    Lee, J., Kwon, D.: The Security of Abreast-DM in the Ideal Cipher Model. IEICE Transactions 94-A(1), 104–109 (2011)CrossRefGoogle Scholar
  16. 16.
    Lee, J., Stam, M.: Mjh: A Faster Alternative to mdc-2. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 213–236. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal cipher model. ePrint 2010/409 (2010)Google Scholar
  18. 18.
    Lucks, S.: A collision-resistant rate-1 double-block-length hash function. In: Symmetric Cryptography, Symmetric Cryptography, Dagstuhl Seminar Proceedings 07021 (2007)Google Scholar
  19. 19.
    Matyas, S., Meyer, C., Oseas, J.: Generating strong one-way functions with cryptographic algorithms. IBM Technical Disclosure Bulletin 27(10a), 5658–5659 (1985)Google Scholar
  20. 20.
    Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  22. 22.
    Meyer, C.H.W., Schilling, M.: Chargement securise d’un programma avec code de detection (1987)Google Scholar
  23. 23.
    National Institute of Standards and Technoloty. FIPS PUB 180-3 Secure Hash Standard. In: FIPS PUB (2008)Google Scholar
  24. 24.
    Özen, O., Stam, M.: Another Glance at Double-Length Hashing. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Preneel, B., Bosselaers, A., Govaerts, R., Vandewalle, J.: Collision-free Hashfunctions Based on Blockcipher Algorithmsl. In: Proceedings of 1989 International Carnahan Conference on Security Technology, pp. 203–210 (1989)Google Scholar
  26. 26.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  27. 27.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  29. 29.
    Rivest, R.L.: The MD5 Message Digest Algorithm. In: RFC 1321 (1992)Google Scholar
  30. 30.
    Steinberger, J.P.: The Collision Intractability of MDC-2 in the Ideal-Cipher Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yusuke Naito
    • 1
  1. 1.Mitsubishi Electric CorporationJapan

Personalised recommendations