## Blockcipher Based Hashing Revisited (2009)

Venue: Fast Software Encryption – FSE ’09

Citations: 3 (0 self)

### BibTeX

@INPROCEEDINGS{Stam09blockcipherbased,
    author = {Martijn Stam},
    title = {Blockcipher Based Hashing Revisited},
    booktitle = {Fast Software Encryption – FSE ’09},
    year = {2009}
}

### Abstract

We revisit the rate-1 blockcipher based hash functions as first studied by Preneel, Govaerts and Vandewalle (Crypto’93) and later extensively analysed by Black, Rogaway and Shrimpton (Crypto’02). We analyse a further generalization where any pre- and postprocessing is considered. This leads to a clearer understanding of the current classification of rate-1 blockcipher based schemes as introduced by Preneel et al. and refined by Black et al. In addition, we also gain insight in chopped, overloaded and supercharged compression functions. In the latter category we propose two compression functions based on a single call to a blockcipher whose collision resistance exceeds the birthday bound on the cipher’s blocklength.

### Citations

2478 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
Citation Context: .... Such schemes are called rate-1; in general the rate measures the number of message blocks that are hashed per call to the blockcipher. Specific examples of rate-1 schemes were given by Davies-Meyer [25], Matyas-Meyer-Oseas [23], and Miyaguchi-Preneel [27, 31]. Preneel et al. [31] studied the general construction $H(M, V) = E(K, X) \oplus U$ where $K, X, U \in \{0, M, V, M \oplus V\}$ (or affine offsets thereof). The...

289 | A Design Principle for Hash Functions
- Damgård
- 1990
Citation Context: ...∗ (the set of arbitrary length bitstrings) to $\{0, 1\}^s$ for some $s > 0$. A compression function can be made into a hash function by iterating it. We briefly recall the standard Merkle-Damgård iteration [12, 26], where we assume that there is already some injective padding from $\{0, 1\}^* \to (\{0, 1\}^m)^* \setminus \emptyset$ in place (note that we disallow the empty message $M = \emptyset$ as output of the injective padding). Given an in...

175 | One way hash functions and DES
- Merkle
- 1990
Citation Context: ...∗ (the set of arbitrary length bitstrings) to $\{0, 1\}^s$ for some $s > 0$. A compression function can be made into a hash function by iterating it. We briefly recall the standard Merkle-Damgård iteration [12, 26], where we assume that there is already some injective padding from $\{0, 1\}^* \to (\{0, 1\}^m)^* \setminus \emptyset$ in place (note that we disallow the empty message $M = \emptyset$ as output of the injective padding). Given an in...

104 | Black-box analysis of the block-cipher-based hash-function construction from
- Black, Rogaway, et al.
- 2002
Citation Context: ...s thereof). They concluded that of the $4^3 = 64$ possibilities all but 12 allow collision attacks on the compression function with a complexity beating the birthday bound of $2^{n/2}$. Later Black et al. [8] showed that in the ideal cipher model these 12 compression functions are indeed collision resistant up to the birthday bound. More surprisingly, they also showed that an additional 8 constructions are...

79 | Random mapping statistics
- Flajolet, Odlyzko
- 1990

76 | Merkle-Damgård revisited: How to construct a hash function
- Coron, Dodis, et al.
- 2005
Citation Context: ...ic to oracle-based functions (and no standard model equivalent is known). Indeed, both notions were introduced as a technical tool to prove indifferentiability of a hash function from a random oracle [24, 11], which is inherently outside the standard model. For simplicity, we will discuss only blockcipher based compression functions below. The generalization to hash functions or functions based on other p...

75 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance
- Rogaway, Shrimpton
- 2004
Citation Context: ...s in some specified compression function. There exist several definitions depending on the distribution of the element of which a preimage needs to be found. We opt for everywhere preimage resistance [33], which intuitively states that all points are hard to invert. We also give the natural dual definition of somewhere preimage resistance [2], meaning that there is some point in the range that is ha...

73 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
- Maurer, Renner, et al.
Citation Context: ...ic to oracle-based functions (and no standard model equivalent is known). Indeed, both notions were introduced as a technical tool to prove indifferentiability of a hash function from a random oracle [24, 11], which is inherently outside the standard model. For simplicity, we will discuss only blockcipher based compression functions below. The generalization to hash functions or functions based on other p...

72 | Hash functions based on block ciphers: A synthetic approach
- Preneel, Govaerts, et al.
- 1994
Citation Context: ... measures the number of message blocks that are hashed per call to the blockcipher. Specific examples of rate-1 schemes were given by Davies-Meyer [25], Matyas-Meyer-Oseas [23], and Miyaguchi-Preneel [27, 31]. Preneel et al. [31] studied the general construction $H(M, V) = E(K, X) \oplus U$ where $K, X, U \in \{0, M, V, M \oplus V\}$ (or affine offsets thereof). They concluded that of the $4^3 = 64$ possibilities all but 12...

54 | function based on block ciphers
- Lai, Massey
- 1992
Citation Context: ...ttack we described finds preimages in the compression function. One can wonder to what extent preimages in the related iterated hash function can be found. Using a well-known meet-in-the-middle attack [19] this would imply preimage for the iterated hash functions can be found using (a small constant multiple of) $2^{(n+s)/2}$ queries. The only catch with this attack is that we need to find $2^{(s-n)/2}$ preima...

52 | On the Indifferentiability of the Sponge Construction
- Bertoni, Daemen, et al.
- 2008
Citation Context: ... to maintain n + k = s + m. In particular one can achieve compression even for fixed-key (k = 0) blockciphers. (This leads to a significant improvement of robustness [35] over the sponge construction [5, 6].) Overloaded Compression Functions Here one tries to cram the compression function by having more input to the compression function than the blockcipher can handle, i.e., s + m > n + k. Examples are ...

43 | Generating strong one-way functions with cryptographic algorithm
- Matyas, Meyer, et al.
- 1985
Citation Context: ... rate-1; in general the rate measures the number of message blocks that are hashed per call to the blockcipher. Specific examples of rate-1 schemes were given by Davies-Meyer [25], Matyas-Meyer-Oseas [23], and Miyaguchi-Preneel [27, 31]. Preneel et al. [31] studied the general construction $H(M, V) = E(K, X) \oplus U$ where $K, X, U \in \{0, M, V, M \oplus V\}$ (or affine offsets thereof). They concluded that of the 4...

42 | A failure-friendly design principle for hash functions
- Lucks
- 2005
Citation Context: ...ttractivity of our double length proposal for the purpose of constructing a hash function with larger output length, it might still be useful in constructing a single-length proposal with a wide-pipe [21]. In particular, if we have two independent blockciphers E1 and E2, we can create a hash function by first computing (W1, W2) using our MD-iterated double length hash function based on E1 and outputti...

34 | Kangaroos, Monopoly and Discrete Logarithms
- Pollard
- 2000

24 | Provably secure double-block-length hash functions in a black-box model
- Hirose
- 2005
Citation Context: ...6 · 2 = 12 schemes in total. These are exactly the 12 schemes that PGV singled out as secure. □ We note that the requirements on the matrices $\begin{pmatrix} K \\ X \end{pmatrix}$ and $\begin{pmatrix} K \\ U \end{pmatrix}$ are similar to those given by Hirose [16] for the case of collision resistant double length compression functions based on two calls to a blockcipher with key size k = 2n + 1 (where the +1 is used for domain separation purposes only). Indeed...

20 | Salvaging Merkle-Damgård for Practical Applications
- Dodis, Ristenpart, et al.
- 2009
Citation Context: ... epre H H Adaptive Preimage Resistance and Preimage Awareness. Recently two new notions related to preimage resistance were introduced, namely adaptive preimage resistance [20] and preimage awareness [13]. Unlike the notions described above (which can easily be given for the standard model), it is specific to oracle-based functions (and no standard model equivalent is known). Indeed, both notions were...

16 | Sponge functions, Ecrypt Hash Workshop 2007
- Bertoni, Daemen, et al.
- 2007
Citation Context: ... to maintain n + k = s + m. In particular one can achieve compression even for fixed-key (k = 0) blockciphers. (This leads to a significant improvement of robustness [35] over the sponge construction [5, 6].) Overloaded Compression Functions Here one tries to cram the compression function by having more input to the compression function than the blockcipher can handle, i.e., s + m > n + k. Examples are ...

15 | The ideal-cipher model, revisited: An uninstantiable blockcipher-based hash function
- Black
- 2006
Citation Context: ... the blockcipher itself has no weaknesses. Nonetheless, in all known instances of a security loss after instantiation, this either was the goal from the beginning (and the hash function is contrived) [7] or the blockcipher itself already has obvious shortcomings [30]. Despite the concept of initial vector being somewhat alien to a compression function on its own, it turns out helpful to consider a pr...

13 | Cubehash specification (2.b.1
- Bernstein
- 2008
Citation Context: ...on by having more input to the compression function than the blockcipher can handle, i.e., s + m > n + k. Examples are the sponge construction [5, 6] or the (related) compression function of Cubehash [4]: in both instances a fixed permutation is used (k = 0) yet the chaining variable is of blocksize (s = n). Our bound on collision resistance of the compression function is worse than if we would chop ...

13 | Beyond uniformity: Better security/efficiency tradeoffs for compression functions
- Stam
- 2008
Citation Context: ... compression function is worse than if we would chop the chaining variable (to make space for the message). This superiority of a smaller chaining variable is somewhat similar to one reported by Stam [37], although for overloaded compression functions part of the problem are overly loose bounds. We also note that having a larger chaining variable gives the potential for better collision resistance in ...

12 | Seven-Property-Preserving Iterated Hashing
- Andreeva, Neven, et al.
- 2007
Citation Context: ...case the advantage of A is the maximum success probability taken over the choice of possible initial values V0, which is input to A). Everywhere preimage resistance is preserved in the (MD-)iteration [1], so we get: Theorem 4. Let H be a blockcipher based compression function and let H be the iterated hash function based on H. Then (q) ≤ Advepre(q) ≤ Advcoll H (q) . Adv epre H H Adaptive Preimage Res...

10 | The Grindahl Hash Functions
- Knudsen, Rechberger, et al.
Citation Context: ...ssion becomes feasible even for fixed permutations (corresponding to k = 0). In view of the recent availability of huge size permutations constructions with s < n gain traction; an example is Grindahl [18]. We will refer to this scenario as compression in the postprocessing, the corresponding $H^E$’s are called chopped compression functions. Similarly, one might also try to improve efficiency by squeezi...

10 | Security/efficiency tradeoffs for permutation-based hashing
- Rogaway, Steinberger
- 2008
Citation Context: ... $2^{n/2+k-m}$ queries are required; to find preimages roughly $2^{n+k-m}$ queries should suffice. It is interesting to compare the collision resistance thus achieved with recently conjectured optimal bounds [34, 37]. A straightforward generalization of Rogaway and Steinberger’s result [34] suggests the best we can achieve is collision resistance up to $2^{n/2+k-m}$ queries, neatly corresponding to our construction. ...

8 | A collision-resistant rate-1 double-block-length hash function
- Lucks
Citation Context: ... one attempts to boost collision resistance beyond the birthday bound on the blocksize by setting s > n. Typically for such a scenario one expects more than one call to the blockcipher, however Lucks [22] recently gave a rate-1 double length compression function (based on a blockcipher with double key length) with collision resistance in the iteration close to the birthday bound. Stam [37] later gave ...

7 | The MD6 hash function – a proposal to NIST for SHA-3, Submission to NIST
- Rivest, Agre, et al.
- 2008
Citation Context: ...istance up to $2^{3n/4}$ queries based on a blockcipher with k = n bit keys. Although we consider the scenarios above representative, they are by no means exhaustive. For instance the SHA-3 candidate MD6 [32] employs a fixed permutation (so k = 0) with some input bits fixed, requiring m + s < n. Were collision resistance the only concern, this choice would be suboptimal: one should either increase m (and th...

6 | New 128-bit Hash functions
- Iwata
- 1989
Citation Context: ... measures the number of message blocks that are hashed per call to the blockcipher. Specific examples of rate-1 schemes were given by Davies-Meyer [25], Matyas-Meyer-Oseas [23], and Miyaguchi-Preneel [27, 31]. Preneel et al. [31] studied the general construction $H(M, V) = E(K, X) \oplus U$ where $K, X, U \in \{0, M, V, M \oplus V\}$ (or affine offsets thereof). They concluded that of the $4^3 = 64$ possibilities all but 12...

4 | Adaptive preimage resistance and permutation-based hash functions. Cryptology ePrint Archive, Report 2009/066
- Lee, Park
- 2009
Citation Context: ...pre(q) ≤ Advcoll H (q) . Adv epre H H Adaptive Preimage Resistance and Preimage Awareness. Recently two new notions related to preimage resistance were introduced, namely adaptive preimage resistance [20] and preimage awareness [13]. Unlike the notions described above (which can easily be given for the standard model), it is specific to oracle-based functions (and no standard model equivalent is known...

2 | Improved Collision and Preimage Resistance Bounds on PGV Schemes. Cryptology ePrint Archive, Report 2006/462
- Duo, Li
- 2006
Citation Context: ...More surprisingly, they also showed that an additional 8 constructions are secure when properly iterated, even though collisions can easily be found in the respective compression functions. Duo and Li [14] later gave an alternative proof resulting in improved bounds. Neither of these articles provides a deeper understanding of what makes these 12 respectively 8 schemes special to make them secure as co...

1 | Another glance at preimage resistance
- Andreeva, Stam
- 2009
Citation Context: ...s to be found. We opt for everywhere preimage resistance [33], which intuitively states that all points are hard to invert. We also give the natural dual definition of somewhere preimage resistance [2], meaning that there is some point in the range that is hard to invert. This definition is typically too weak to use for any applications, but it often best captures a successful adversary’s capabiliti...

1 | Hash functions and information theoretic security
- Bagheri, Knudsen, et al.
- 2009
Citation Context: ...ated and only a single message block is being hashed, the resulting output allows easy recovery of this message (since the incoming state is the known initial vector). As also noted by Bagheri et al. [3] (as well as by an FSE’09 referee) the double length construction allows a preimage attack with expected query-complexity of around $q \approx 2^{n+1}$. We have given the general attack discussing Proposition 2...

1 | Double length blockcipher based hashing
- Özen, Stam
- 2008
Citation Context: ...resistant double length compression functions based on two calls to a blockcipher with key size k = 2n + 1 (where the +1 is used for domain separation purposes only). Indeed, our work can be extended [28] to the relevant 2-call scenario and thus derive the very requirements given by Hirose. The requirements for the Type-II schemes turn out surprisingly simple: indeed apart from the preprocessing havin...

1 | Second preimages for iterated hash functions and their implications on macs
- Pramstaller, Lamberger, et al.
- 2007
Citation Context: ...known instances of a security loss after instantiation, this either was the goal from the beginning (and the hash function is contrived) [7] or the blockcipher itself already has obvious shortcomings [30]. Despite the concept of initial vector being somewhat alien to a compression function on its own, it turns out helpful to consider a preimage to the initial vector a collision. Note that we deviate s...

1 | A new permutation-based variable-input-length variable-output-length hash function
- Ross, Shrimpton, et al.
- 2009
Citation Context: ... extra for message bits if we want to maintain n + k = s + m. In particular one can achieve compression even for fixed-key (k = 0) blockciphers. (This leads to a significant improvement of robustness [35] over the sponge construction [5, 6].) Overloaded Compression Functions Here one tries to cram the compression function by having more input to the compression function than the blockcipher can handle...

1 | The hash function JH. Submission to NIST, 2008
- Wu