Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV [chapter]

John Black, Phillip Rogaway, Thomas Shrimpton
2002 Lecture Notes in Computer Science  
Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function H : {0, 1} * → {0, 1} n from a blockcipher E: {0, 1} n ×{0, 1} n → {0, 1} n . They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision
more » ... ce. Furthermore, by stepping outside of the Merkle-Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.
doi:10.1007/3-540-45708-9_21 fatcat:cup4mcjl5ndqhfvp377prxf2zq