## Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper (2008)

Citations: | 21 - 5 self |

### BibTeX

@TECHREPORT{Rogaway08constructingcryptographic,

author = {Phillip Rogaway and John Steinberger},

title = {Constructing cryptographic hash functions from fixed-key blockciphers. Full version of this paper},

institution = {},

year = {2008}

}

### Abstract

We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security $N^{0.5}$, where $N = 2^n$, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least $N^{0.55}$ and $N^{0.63}$.

Key words: blockcipher-based hashing, collision-resistant hashing, compression functions, cryptographic hash functions, ideal-cipher model.

### Citations

6955 | The mathematical theory of communications - Shannon, Weaver - 1949 |

2679 | Handbook of applied cryptography - Menezes, Oorschot, et al. - 1997 |

309 | A design principle for hash functions - Damgård - 1989 |

Citation Context: ...anquish any other design. This paper has only dealt with making a compression function, not a full-fledged hash function. Of course you can always turn the former into the latter using Merkle-Damgård [9, 18] or any of the other techniques that have emerged in recent years [1, 3, 10, 22], but the “best” approach remains to be seen. Also, we have considered only collision and preimage resistance. Certainly...

184 | One way hash functions and DES - Merkle - 1989 |

Citation Context: ...anquish any other design. This paper has only dealt with making a compression function, not a full-fledged hash function. Of course you can always turn the former into the latter using Merkle-Damgård [9, 18] or any of the other techniques that have emerged in recent years [1, 3, 10, 22], but the “best” approach remains to be seen. Also, we have considered only collision and preimage resistance. Certainly...

112 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV - Black, Rogaway, et al. - 2002 |

83 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005 |

Citation Context: ... of Bertoni, Daemen, Peeters, and Van Assche [4, 5]. The mechanism turns an n-bit permutation (or function) into an arbitrary-output-length hash function that is indifferentiable from a random oracle [8] (which is stronger than collision and preimage resistance). But the concrete security bounds shown do not enable its use with a 128-bit permutation; security is never as high as $N^{1/2}$, and approachi...

83 | Hash functions based on block ciphers: a synthetic approach - Daemen, Govaerts, et al. - 1991 |

Citation Context: ...starting point is actually a small collection of permutations. The idea of doing cryptographic hashing from such a starting point was introduced by Preneel, Govaerts, and Vandewalle some 15 years ago [20], but the approach did not catch on. For years, the customary starting point for building cryptographic hash functions has been (non-fixed-key) blockciphers, even if this hasn’t always been made expli...

63 | Multi-property-preserving hash domain extension and the EMD transform - Bellare, Ristenpart - 2006 |

Citation Context: ...sion function, not a full-fledged hash function. Of course you can always turn the former into the latter using Merkle-Damgård [9, 18] or any of the other techniques that have emerged in recent years [1, 3, 10, 22], but the “best” approach remains to be seen. Also, we have considered only collision and preimage resistance. Certainly there are other desirable properties one should aim for in a contemporary const...

55 | Assche. On the indifferentiability of the sponge construction - Bertoni, Daemen, et al. |

Citation Context: ...itting a two-query preimage-finding attack and a four-query collision-finding one. See Fig. 3. An interesting recent hash function is the sponge construction of Bertoni, Daemen, Peeters, and Van Assche [4, 5]. The mechanism turns an n-bit permutation (or function) into an arbitrary-output-length hash function that is indifferentiable from a random oracle [8] (which is stronger than collision and preimage ...

50 | Generating strong one-way functions with cryptographic algorithm - Matyas, Meyer, et al. - 1985 |

Citation Context: ...of message bits processed per blockcipher input bits, the latter including plaintext bits and key bits (for simplicity, equally weighted). Then SHA-1 would have an adjusted rate of 0.76; Davies-Meyer [16], 0.5; MDC-2 [16], 0.27; Hirose’s double-length construction [11], 0.17; and MDC-4, 0.13. From this vantage, the adjusted rate of LP231, 0.33, and LP362, 0.17, are competitive. Regardless, adjusted ra...

43 | A failure-friendly design principle for hash functions - Lucks - 2005 |

38 | Some Plausible Constructions of Double-Block-Length Hash Functions - Hirose - 2006 |

Citation Context: ...including plaintext bits and key bits (for simplicity, equally weighted). Then SHA-1 would have an adjusted rate of 0.76; Davies-Meyer [16], 0.5; MDC-2 [16], 0.27; Hirose’s double-length construction [11], 0.17; and MDC-4, 0.13. From this vantage, the adjusted rate of LP231, 0.33, and LP362, 0.17, are competitive. Regardless, adjusted rate is a coarse measure of efficiency, and the current work aims o...

28 | On the impossibility of highly-efficient blockcipher-based hash functions - Black, Cochran, et al. - 2005 |

Citation Context: ...n or more bits and has desirable collision-resistance bounds. Nobody has ever demonstrated such a design, and, three years ago, Black, Cochran, and Shrimpton seemed to cast a shadow on the possibility [6]. They showed that a prior construction in the literature was wrong, in the sense of having a query-efficient attack, and that, in fact, so will any iterated hash function whose underlying compression...

23 | Attacks on fast double block length hash functions - Knudsen, Lai, et al. |

19 | Assche, Sponge functions, Ecrypt Hash Workshop 2007 - Bertoni, Daemen, et al. - 2007 |

Citation Context: ...itting a two-query preimage-finding attack and a four-query collision-finding one. See Fig. 3. An interesting recent hash function is the sponge construction of Bertoni, Daemen, Peeters, and Van Assche [4, 5]. The mechanism turns an n-bit permutation (or function) into an arbitrary-output-length hash function that is indifferentiable from a random oracle [8] (which is stronger than collision and preimage ...

17 | Building a collision-resistant compression function from non-compressing primitives - Shrimpton, Stam - 2008 |

Citation Context: ... Fig. 3. Rows 1–4: Automated analyses of our schemes instantiated with an appropriate sequence of matrices. The attacks are from prior work [24]. Rows 5–6: Automated analysis of the SS-scheme [28] and its single-permutation variant. Numerically, for n = 128 one must ask more than $2^{84.25}$ queries to get a 0.5 chance to find a given preimage. See the right curve of Fig. 2. Next we ...

15 | The Collision Intractability of MDC-2 in the Ideal-Cipher Model - Steinberger - 2007 |

Citation Context: ...all, approximately 40 different named events are considered. This kind of multilevel decomposition of the collision event into sub-events is similar to the technique employed in the analysis of MDC-2 [30]. 4 Automated Analyses of LP Compression Functions Overview. We now describe the theory underlying a computer program we designed to get asymptotic security bounds like those of Corollaries 1 and 3 bu...

14 | Beyond uniformity: Better security/efficiency tradeoffs for compression functions - Stam - 2008 |

Citation Context: ...is limited to about $N^{1-(m-r)/k}$ queries, again assuming random-like behavior, now formalized as preimage uniformity. Stam has recently shown that the collision-uniformity assumption cannot be removed [29]. Results. In this paper we give practical constructions that approach the limits described above for uniform permutation-based compression functions. Given numbers n, m, k, and r, and given an appropr...

13 | Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms - Bellare, Ristenpart - 2007 |

Citation Context: ...riterion” that will be defined within the proof. A random matrix will satisfy the criterion with high probability, while a sample small-entry matrix A that works is $A = \begin{bmatrix} 1 & 2 & 0 & 0 & 0 \\ 2 & 2 & 1 & 0 & 0 \\ 2 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 1 & 2 \end{bmatrix}$ (2). The numbers represent points in $\mathbb{F}_{2^{128}}$ by identifying their binary representation with coefficient vectors of a polynomial (eg, $3 = x + 1$). We use $x^{128} + x^7 + x^2 + x + 1$ as our irreducible polynomial. We a...

12 | How to build a hash function from any collision-resistant function - Ristenpart, Shrimpton - 2007 |

Citation Context: ...sion function, not a full-fledged hash function. Of course you can always turn the former into the latter using Merkle-Damgård [9, 18] or any of the other techniques that have emerged in recent years [1, 3, 10, 22], but the “best” approach remains to be seen. Also, we have considered only collision and preimage resistance. Certainly there are other desirable properties one should aim for in a contemporary const...

12 | Security/efficiency tradeoffs for permutation-based hashing - Rogaway, Steinberger - 2008 |

10 | Towards secure and fast hash functions - Satoh, Haga, et al. - 1999 |

9 | On the power of memory in the design of collision resistant hash functions - Preneel, Govaerts, et al. - 1993 |

9 | Combining Compression Functions and Block Cipher-Based Hash Functions - Peyrin, Gilbert, et al. - 2006 |

8 | Analysis of double block length hash functions - Hattori, Hirose, et al. |

Citation Context: ...construction because of the always-present birthday attack. The second corollary is obtained by computer-aided optimization of $b_1, b_2, B_1, B_2$ and q for n = 128. The selected constants are $(b_1, b_2, B_1, B_2) = (1, 1, 12, 12)$. In Fig. 2 we show a graph of our security bound for the case of n=128 (the left-hand curve) with the choice of constants just named. The birthday attack (elided for clarity) would appear just to the...

6 | Multicollisions in Iterated Hash Functions - Joux - 2004 |

5 | A new mode of operation for block ciphers and length-preserving MACs - Dodis, Pietrzak, et al. - 2008 |

Citation Context: ...sion function, not a full-fledged hash function. Of course you can always turn the former into the latter using Merkle-Damgård [9, 18] or any of the other techniques that have emerged in recent years [1, 3, 10, 22], but the “best” approach remains to be seen. Also, we have considered only collision and preimage resistance. Certainly there are other desirable properties one should aim for in a contemporary const...

3 | A design principle for hash functions. Advances in Cryptology – CRYPTO ’89 - Damgård - 1990 |

2 | Seven-property preserving iterated hashing: ROX - Andreeva, Neven, et al. - 2007 |

1 | Seven-property preserving iterated hashing - Andreeva, Neven, et al. - 2007 |

1 | Designs of efficient secure large hash values. Cryptology ePrint report 2005/296 - Nandi |

1 | Towards secure and fast hash functions. TIEICE: IEICE Transactions on Communications/Electronics/Information and Systems - Satoh, Haga, et al. - 1999 |