## Some Plausible Constructions of Double-Block-Length Hash Functions (2006)

Venue: | FSE’06, LNCS 4047 |

Citations: | 35 - 0 self |

### BibTeX

@INPROCEEDINGS{Hirose06someplausible,

author = {Shoichi Hirose},

title = {Some Plausible Constructions of Double-Block-Length Hash Functions},

booktitle = {FSE’06, LNCS 4047},

year = {2006},

pages = {210--225},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

Abstract. In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: Any collision-finding attack on them is at most as efficient as a birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.

### Citations

103 | Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
- Black, Rogaway, et al.
- 2002
(Show Context)
Citation Context ... bits is avoided. Moreover, fixing one bit may not be sufficient and more bits may be required to be fixed. Our new construction does not involve any fixing of key bits by constants. The technique in =-=[2]-=- is used in the security proofs in this article. However, the analysis is more complicated than the one in [2] since the relation of two component-compression-function/block-cipher calls in a compress... |

96 |
Collision free hash functions and public key signature schemes
- Damgard
- 1988
(Show Context)
Citation Context ... hash function. Before being divided into the blocks, unambiguous padding is applied to the input. The length of the padded input is a multiple of ℓ ′ . In this article, Merkle-Damg˚ard strengthening =-=[5, 16]-=- is assumed for padding. Thus, the last block contains the length of the input. 2.2 Random Oracle Model and Ideal Cipher Model Random Oracle Model. Let F n ′ ,n = {f | f : {0, 1} n′ → {0, 1} n }.Inthe... |

74 | Merkle-Damg˚ard revisited: How to construct a hash function
- Coron, Dodis, et al.
- 2005
(Show Context)
Citation Context ...ueries made by the adversary. A new security notion for a compression function is also introduced, which we call indistinguishability in the iteration. It is really weaker than the notion proposed in =-=[4]-=-. However, it may be still valuable in practice. Loosely speaking, a compression function F (x) =(f(x),f(p(x))) where f is a random oracle is called indistinguishable in the iteration if F cannot be d... |

23 |
Provably Secure Double-Block-Length Hash Functions in a BlackBox Model
- Hirose
- 2004
(Show Context)
Citation Context ...k cipher is ideal if it is assumed to be a keyed invertible random permutation. The compression function presented in this article is quite simple but has not been explicitly discussed previously. In =-=[7]-=-, it is shown that a collision-resistant hash function can be easily composed of a compression function using two distinct block ciphers. It is well-known that two distinct block ciphers can be obtain... |

22 |
Data Authentication Using Modification Detection Codes Based on a Public One Way Encryption Function”,1990, U.S. Patent Number 4,908,861
- Brachtl, Coppersmith, et al.
(Show Context)
Citation Context ...n 1 were also presented. Merkle [16] presented three DBL hash functions composed of DES with the rates at most 0.276. They are optimally collision-resistant in the ideal cipher model. MDC-2 and MDC-4 =-=[3]-=- are also DBL hash functions composed of DES with the rates 1/2 and 1/4, respectively. Lai and Massey proposed the tandem/abreast DaviesMeyer [13]. They consist of an (n, 2n) block cipher and their ra... |

14 |
Security of iterated hash functions based on block ciphers
- Hohl, Lai, et al.
(Show Context)
Citation Context ...d above is optimally collision-resistant.sKnudsen, Lai and Preneel [12] discussed the insecurity of DBL hash functions with the rate 1 composed of (n, n) block ciphers. Hohl, Lai, Meier and Waldvogel =-=[8]-=- discussed the security of compression functions of DBL hash functions with the rate 1/2. On the other hand, the security of DBL hash functions with the rate 1 composed of (n, 2n) block ciphers was di... |

8 |
Analysis of double block length hash functions
- Hattori, Hirose, et al.
(Show Context)
Citation Context ...the rate 1/2. On the other hand, the security of DBL hash functions with the rate 1 composed of (n, 2n) block ciphers was discussed by Satoh, Haga and Kurosawa [21] and by Hattori, Hirose and Yoshida =-=[6]-=-. These works presented no construction for DBL hash functions with optimal collision resistance. Many schemes with the rate less than 1 were also presented. Merkle [16] presented three DBL hash funct... |

7 | On the impossibility of highly efficient blockcipher-based hash functions
- Black, Cochran, et al.
- 2005
(Show Context)
Citation Context ... to be optimally collision-resistant in the ideal cipher model. However, his construction requires two independent block ciphers, which makes the results less attractive. Black, Cochran and Shrimpton =-=[1]-=- showed that it is impossible to construct a highly efficient block-cipher-based hash function provably secure in the ideal cipher model. A block-cipher-based hash function is highly efficient if it m... |