Building a Collision-Resistant Compression Function from Non-compressing Primitives

We consider how to build an efficient compression function from a small number of random, non-compressing primitives. Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a 2n-to-n-bit compression function based on three independent n-to-n-bit random functions, each called only once. We show that if the three random functions are treated as black boxes, then finding collisions requires Ω(2^(n/2)/n^c) queries for c ≈ 1. This result remains valid if two of the three random functions are replaced by a fixed-key ideal cipher in Davies-Meyer mode (i.e., E_K(x) ⊕ x for a permutation E_K). We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision-resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice.
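To make the abstract's setting concrete, the following is an added example in Python (not code from the paper): it models ideal n-to-n-bit primitives by lazy sampling, builds a 2n-to-n-bit compression function that calls three of them once each, optionally replaces two of them by a fixed-key ideal cipher in Davies-Meyer mode (E_K(x) ⊕ x), and measures the mean number of queries to a collision at a toy block size against the 2^(n/2) birthday bound. The wiring H(m, h) = f3(f1(m) ⊕ f2(h)) ⊕ f1(m) and the block size n = 16 used in the experiment are assumptions of this example, not taken from the abstract.

```python
import math
import random

class Primitive:
    """Lazily sampled ideal n-to-n-bit primitive: a random function, or in Davies-Meyer
    mode a fixed-key ideal cipher E_K (kept injective) with output E_K(x) xor x."""
    def __init__(self, n, rng, davies_meyer=False):
        self.n, self.rng, self.dm = n, rng, davies_meyer
        self.table, self.used = {}, set()
    def __call__(self, x):
        if x not in self.table:
            y = self.rng.getrandbits(self.n)
            while self.dm and y in self.used:   # permutation: never reuse an output
                y = self.rng.getrandbits(self.n)
            self.table[x] = y
            self.used.add(y)
        return self.table[x] ^ (x if self.dm else 0)

def compress(f1, f2, f3):
    """2n-to-n-bit compression calling each primitive once. The wiring
    H(m, h) = f3(f1(m) ^ f2(h)) ^ f1(m) is an assumption of this example."""
    def H(m, h):
        a = f1(m)
        return f3(a ^ f2(h)) ^ a
    return H

def queries_to_collision(H, n, rng):
    """Query H on fresh random inputs until two distinct inputs share an output."""
    seen, asked, q = {}, set(), 0
    while True:
        pair = (rng.getrandbits(n), rng.getrandbits(n))
        if pair in asked:
            continue                          # repeated input: not a new query
        asked.add(pair)
        y = H(*pair)
        q += 1
        if y in seen:                         # seen[y] != pair, so a real collision
            return q
        seen[y] = pair

def security_loss_bits(n, trials, seed=0, davies_meyer=False):
    """Mean collision cost over fresh primitives versus the 2^(n/2) birthday bound.
    Returns (mean_queries, log2(2^(n/2) / mean_queries)); positive means bits lost."""
    rng, total = random.Random(seed), 0
    for _ in range(trials):
        f1, f2 = Primitive(n, rng, davies_meyer), Primitive(n, rng, davies_meyer)
        f3 = Primitive(n, rng)                # third primitive stays a random function
        total += queries_to_collision(compress(f1, f2, f3), n, rng)
    mean = total / trials
    return mean, math.log2(2 ** (n / 2) / mean)
```

At n = 16 the mean lands near sqrt(pi/2 · 2^16) ≈ 321 queries in both modes, i.e. a loss of well under one bit relative to 2^(n/2) for this toy size.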

[1] Marc Girault et al., A Generalized Birthday Attack, 1988, EUROCRYPT.

[2] Ralph C. Merkle et al., One Way Hash Functions and DES, 1989, CRYPTO.

[3] Ramarathnam Venkatesan et al., Foiling Birthday Attacks in Length-Doubling Transformations - Benes: A Non-Reversible Alternative to Feistel, 1996, EUROCRYPT.

[4] John P. Steinberger et al., Security/Efficiency Tradeoffs for Permutation-Based Hashing, 2008, EUROCRYPT.

[5] Norman L. Johnson et al., Urn Models and Their Application, 1977.

[6] Kouichi Sakurai et al., Security Analysis of a 2/3-Rate Double Length Compression Function in the Black-Box Model, 2005, FSE.

[7] Charles M. Grinstead et al., Introduction to Probability, 1999, Statistics for the Behavioural Sciences.

[8] Alfred Menezes et al., Handbook of Applied Cryptography, 2018.

[9] Joos Vandewalle et al., On the Power of Memory in the Design of Collision Resistant Hash Functions, 1992, AUSCRYPT.

[10] John Black et al., Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV, 2002, CRYPTO.

[11] Thomas Peyrin et al., Combining Compression Functions and Block Cipher-Based Hash Functions, 2006, ASIACRYPT.

[12] Shoichi Hirose, Provably Secure Double-Block-Length Hash Functions in a Black-Box Model, 2004, ICISC.

[13] John Black et al., On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions, 2005, EUROCRYPT.

[14] Thomas Peyrin et al., Security Analysis of Constructions Combining FIL Random Oracles, 2007, FSE.

[15] Brian R. Gladman, Implementation Experience with AES Candidate Algorithms, 1999.

[16] William Millan et al., Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction, 2006, ACISP.

[17] Bruce Schneier, One-Way Hash Functions, 1991.

[18] David A. Wagner et al., A Generalized Birthday Problem, 2002, CRYPTO.

[19] Lars R. Knudsen, SMASH - A Cryptographic Hash Function, 2005, FSE.

[20] Mihir Bellare et al., Multi-Property-Preserving Hash Domain Extension and the EMD Transform, 2006, ASIACRYPT.

[21] Ueli Maurer et al., Domain Extension of Public Random Functions: Beyond the Birthday Barrier, 2007, CRYPTO.

[22] William Feller et al., An Introduction to Probability Theory and Its Applications, 1951.

[23] Jean-Sébastien Coron et al., Merkle-Damgård Revisited: How to Construct a Hash Function, 2005, CRYPTO.

[24] Mihir Bellare et al., The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[25] William Feller et al., An Introduction to Probability Theory and Its Applications, 1950.

[26] Moti Yung et al., Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding, 2006, ASIACRYPT.

[27] Pieter Retief Kasselman et al., Analysis and Design of Cryptographic Hash Functions, 1999.

[28] Antoine Joux et al., Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[29] John P. Steinberger et al., The Collision Intractability of MDC-2 in the Ideal Cipher Model, 2007, IACR Cryptology ePrint Archive.

[30] Martijn Stam, Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions, 2008, CRYPTO.

[31] Vincent Rijmen et al., Breaking a New Hash Function Design Strategy Called SMASH, 2005, Selected Areas in Cryptography.

[32] John P. Steinberger et al., Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers, 2008, CRYPTO.

[33] Ivan Damgård et al., Collision Free Hash Functions and Public Key Signature Schemes, 1987, EUROCRYPT.

[34] Joos Vandewalle et al., Hash Functions Based on Block Ciphers: A Synthetic Approach, 1993, CRYPTO.

[35] Ivan Damgård et al., A Design Principle for Hash Functions, 1989, CRYPTO.

[36] Mihir Bellare et al., A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost, 1997, EUROCRYPT.

[37] Lars R. Knudsen et al., Some Attacks Against a Double Length Hash Proposal, 2005, ASIACRYPT.