## Security of Single-permutation-based Compression Functions

Citations: | 1 - 1 self |

### BibTeX

@MISC{Lee_securityof,

author = {Jooyoung Lee and Daesung Kwon},

title = {Security of Single-permutation-based Compression Functions},

year = {}

}

### OpenURL

### Abstract

Abstract. In this paper, we study security for a certain class of permutation-based compression functions. Denoted lp231 in [12], they are 2n-bit to n-bit compression functions using three calls to a single n-bit random permutation. We prove that lp231 is asymptotically preimage resistant up to (2 2n 3 /n) queries, adaptive preimage resistant up to (2 n 2 /n) queries/commitments, and collision resistant up to (2 n 2 /n 1+ɛ) queries for ɛ> 0. 1

### Citations

112 | Black-box analysis of the blockcipher-based hash-function constructions from
- Black, Rogaway, et al.
- 2002
(Show Context)
Citation Context ...function, adopted as ISO/IEC 10118-3 standard, is based on the Miyaguchi-Preneel construction using a modified version of AES [1]. Compression functions based on blockciphers have been widely studied =-=[4, 6, 7, 9, 10, 16, 17]-=-. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys [2, 3, 11, 12, 14, 15]. Since ... |

83 |
Hash functions based on block ciphers: a synthetic approach
- Daemen, Govaerts, et al.
- 1991
(Show Context)
Citation Context ...function, adopted as ISO/IEC 10118-3 standard, is based on the Miyaguchi-Preneel construction using a modified version of AES [1]. Compression functions based on blockciphers have been widely studied =-=[4, 6, 7, 9, 10, 16, 17]-=-. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys [2, 3, 11, 12, 14, 15]. Since ... |

55 |
G.V.: On the Indifferentiability of the Sponge Construction
- Bertoni, Daemen, et al.
- 2008
(Show Context)
Citation Context ...udied [4, 6, 7, 9, 10, 16, 17]. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys =-=[2, 3, 11, 12, 14, 15]-=-. Since each key of a blockcipher defines an independent random permutation in the ideal cipher model, such compression functions are often called permutation-based. Permutationbased compression funct... |

49 |
Generating strong one-way functions with cryptographic algorithm
- Matyas, Meyer, et al.
- 1985
(Show Context)
Citation Context ...function, adopted as ISO/IEC 10118-3 standard, is based on the Miyaguchi-Preneel construction using a modified version of AES [1]. Compression functions based on blockciphers have been widely studied =-=[4, 6, 7, 9, 10, 16, 17]-=-. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys [2, 3, 11, 12, 14, 15]. Since ... |

40 | The Whirlpool Hashing Function
- Barreto, Rijmen
- 2000
(Show Context)
Citation Context ...n off-the-shelf cryptographic primitives. For example, the Whirlpool hash function, adopted as ISO/IEC 10118-3 standard, is based on the Miyaguchi-Preneel construction using a modified version of AES =-=[1]-=-. Compression functions based on blockciphers have been widely studied [4, 6, 7, 9, 10, 16, 17]. Recently, researchers has begun to pay attention to building compression functions from fixed key block... |

38 | Some plausible constructions of double-block-length hash functions
- Hirose
(Show Context)
Citation Context |

28 | On the impossibility of highlyefficient blockcipher-based hash functions
- Black, Cochran, et al.
- 2005
(Show Context)
Citation Context ...udied [4, 6, 7, 9, 10, 16, 17]. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys =-=[2, 3, 11, 12, 14, 15]-=-. Since each key of a blockcipher defines an independent random permutation in the ideal cipher model, such compression functions are often called permutation-based. Permutationbased compression funct... |

28 |
A secure one-way hash function built from DES
- Winternitz
- 1984
(Show Context)
Citation Context |

24 |
Provably secure double-block-length hash functions in a black-box model
- Hirose
- 2005
(Show Context)
Citation Context |

22 | Salvaging Merkle-Damg̊ard for Practical Applications
- Dodis, Ristenpart, et al.
- 2009
(Show Context)
Citation Context ...ptive preimage resistance would be one of the desirable properties of a secure compression function. We note that a similar security notion, called preimage awareness, was independently introduced in =-=[5]-=-. Since any compression function that is both collision resistant and adaptive preimage resistant is preimage aware, our result can be regarded as the proof of preimage awareness for lp231. 2 Prelimin... |

21 | Constructing cryptographic hash functions from fixed-key blockciphers
- Rogaway, Steinberger
- 2008
(Show Context)
Citation Context ...h Institute Yuseong-gu, Daejeon, Korea 305-390 {jlee05,ds kwon}@ensec.re.kr Abstract. In this paper, we study security for a certain class of permutation-based compression functions. Denoted lp231 in =-=[12]-=-, they are 2n-bit to n-bit compression functions using three calls to a single n-bit random permutation. We prove that lp231 is asymptotically preimage resistant up to (2 2n 3 /n) queries, adaptive pr... |

15 |
The collision intractability of MDC-2 in the ideal-cipher model
- Steinberger
- 2008
(Show Context)
Citation Context |

14 |
Beyond uniformity: Better security/efficiency tradeoffs for compression functions
- Stam
- 2008
(Show Context)
Citation Context ...udied [4, 6, 7, 9, 10, 16, 17]. Recently, researchers has begun to pay attention to building compression functions from fixed key blockciphers, where just a small number of constants are used as keys =-=[2, 3, 11, 12, 14, 15]-=-. Since each key of a blockcipher defines an independent random permutation in the ideal cipher model, such compression functions are often called permutation-based. Permutationbased compression funct... |

12 | How to build a hash function from any collision-resistant function
- Ristenpart, Shrimpton
- 2007
(Show Context)
Citation Context |

4 | Adaptive preimage resistance and permutation-based hash functions. Cryptology ePrint Archive, Report 2009/066
- Lee, Park
- 2009
(Show Context)
Citation Context ...eries for ɛ > 0. Our analysis is not only simpler than the authors of [12] estimated, but also elegant based on a recursive approach. The notion of adaptive preimage resistance is first introduced in =-=[8]-=-. A compression function that is collision resistant and adaptive preimage resistant can be composed with a public random function to yield a hash function that is indifferentiable from a random oracl... |

3 |
Building a collision-resistant function from non-compressing primitives
- Shrimpton, Stam
- 2008
(Show Context)
Citation Context |

1 |
Security/efficiency tradeoffs fro permuation-based hashing
- Rogaway, Steinberger
- 2008
(Show Context)
Citation Context ...+1 ∆−1 ∑t−1 + s=1 ( ) t ps(ls). (12) sIf ∑ t i=1 ai ̸= 0 and ∑ t i=1 bi ̸= 0, then Pr [ E t (a1, b1, . . . , at, bt; lt) ] ≤ 2 n ( q ⌈ lt+1 ∆ ) ( 2tqt−1 ⌉ 2n−1 ) ⌈ ⌉ lt +1 ∆ ∑t−1 + s=1 ( ) t ps(ls). =-=(13)-=- s Proof. Here we give a proof for inequality (13). Inequality (12) can be proved similarly. For c ∈ F2n and j ∈ [1, q], we define events E t (c, j) ⇔ A sets t∑ ( aix ji + biy ji ) = c, where j ∈ {j1,... |