Results 1 
1 of
1
Building a collisionresistant compression function from noncompressing primitives
 In ICALP 2008, Part II
, 2008
"... Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three ..."
Abstract

Cited by 18 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We consider how to build an efficient compression function from a small number of random, noncompressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2nton bit compression function based on three independent nton bit random functions, each called only once. We show that if the three random functions are treated as black boxes then finding collisions requires Θ(2 n/2 /n c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixedkey ideal cipher in DaviesMeyer mode (i.e., EK(x) ⊕ x for permutation EK). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collisionresistant compression function from noncompressing functions. It also relates to an open question from Black et al. (Eurocrypt’05), who showed that compression functions that invoke a single noncompressing random function cannot suffice. We also explore the relationship of our problem with that of doubling the output of a hash function and we show how our compression function can be used to double the output length of ideal hashes.