Hash Functions Based on Three Permutations: A Generic Security Analysis

  • Bart MenninkEmail author
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


We consider the family of 2n-to-n-bit compression functions that are solely based on at most three permutation executions and on XOR-operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen equivalence relation on this family of compression functions, we obtain the following results. In the setting where the three permutations \(\pi _1\), \(\pi _2\), \(\pi _3\) are selected independently and uniformly at random, there exist at most four equivalence classes that achieve optimal \(2^{n/2}\) collision resistance. Under a certain extremal graph theory based conjecture, these classes are then proven optimally collision secure. Three of these classes allow for finding preimages in \(2^{n/2}\) queries, and only one achieves optimal \(2^{2n/3}\) preimage resistance (with respect to the bounds of Rogaway and Steinberger, EUROCRYPT 2008). Consequently, a compression function is optimally collision and preimage secure if and only if it is equivalent to \(\mathsf {F}(x_1,x_2) = x_1\oplus \pi _1(x_1)\oplus \pi _2(x_2)\oplus \pi _3(x_1\oplus x_2\oplus \pi _1(x_1))\). For compression functions that make three calls to the same permutation we obtain a surprising negative result, namely the impossibility of optimal \(2^{n/2}\) collision security: for any scheme, collisions can be found with \(2^{2n/5}\) queries. This result casts some doubt over the existence of any (larger) secure permutation-based compression function built only on XOR-operators and (multiple invocations of) a single permutation.


Hash function Permutation-based Collision resistance Preimage resistance 


  1. 1.
    Black, J., Cochran, M., Shrimpton, T.: On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 526–541. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Bollobás, B.: Extremal Graph Theory. Academic Press (1978)Google Scholar
  3. 3.
    Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Lai, X., Massey, J.L.: Hash Functions Based on Block Ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  5. 5.
    Lee, J., Kwon, D.: Security of single-permutation-based compression functions. Cryptology ePrint Archive, Report 2009/145 (2009)Google Scholar
  6. 6.
    Mennink, B., Preneel, B.: Hash functions based on three permutations: A generic security analysis. Cryptology ePrint Archive, Report 2011/532 (2011), full version of this paperGoogle Scholar
  7. 7.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  8. 8.
    Rabin, M.: Digitalized signatures. In: Foundations of Secure Computation 1978, pp. 155–166. Academic Press, New York (1978)Google Scholar
  9. 9.
    Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Rogaway, P., Steinberger, J.: Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Rogaway, P., Steinberger, J.: Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Shrimpton, T., Stam, M.: Building a Collision-Resistant Compression Function from Non-compressing Primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Stam, M.: Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Steinberger, J.: Stam’s Collision Resistance Conjecture. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 597–615. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  1. 1.Dept. Electrical Engineering, ESAT/COSICKU LeuvenLeuvenBelgium
  2. 2.IBBTLeuvenBelgium

Personalised recommendations