We consider the family of 2n-to-n-bit compression functions that are solely based on at most three permutation executions and on XOR-operators, and analyze its collision and preimage security. Despite their elegance and simplicity, these designs are not covered by the results of Rogaway and Steinberger (CRYPTO 2008). By defining a carefully chosen equivalence relation on this family of compression functions, we obtain the following results. In the setting where the three permutations $$\pi_1$$, $$\pi_2$$, $$\pi_3$$ are selected independently and uniformly at random, there exist at most four equivalence classes that achieve optimal $$2^{n/2}$$ collision resistance. Under a certain extremal graph theory based conjecture, these classes are then proven optimally collision secure. Three of these classes allow for finding preimages in $$2^{n/2}$$ queries, and only one achieves optimal $$2^{2n/3}$$ preimage resistance with respect to the bounds of Rogaway and Steinberger (EUROCRYPT 2008). Consequently, a compression function is optimally collision and preimage secure if and only if it is equivalent to $$\mathsf{F}(x_1,x_2) = x_1\oplus \pi_1(x_1)\oplus \pi_2(x_2)\oplus \pi_3(x_1\oplus x_2\oplus \pi_1(x_1))$$. For compression functions that make three calls to the same permutation we obtain a surprising negative result, namely the impossibility of optimal $$2^{n/2}$$ collision security: for any scheme, collisions can be found with $$2^{2n/5}$$ queries. This result casts some doubt over the existence of any larger secure permutation-based compression function built only on XOR-operators and multiple invocations of a single permutation.
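The compression function named in the abstract, wired up over a toy block size and run through a generic birthday search; this is an added illustration, not code from the paper. The 8-bit block size, the seeds and the names `make_compression` and `first_collision` are assumptions, and a search at this size only shows the wiring and the generic $$2^{n/2}$$ behaviour; it does not test the paper's bounds.

```python
import random

N_BITS = 8  # toy block size n, assumed for the demo; real designs use n >= 128


def random_permutation(n_bits, rng):
    """Return a uniformly random permutation of {0, ..., 2^n - 1} as a table."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table


def make_compression(n_bits=N_BITS, seed=1):
    """Build F(x1, x2) from three independent random permutations."""
    rng = random.Random(seed)
    pi1, pi2, pi3 = (random_permutation(n_bits, rng) for _ in range(3))

    def F(x1, x2):
        y1 = pi1[x1]              # first permutation call
        y2 = pi2[x2]              # second permutation call
        y3 = pi3[x1 ^ x2 ^ y1]    # third call is fed x1, x2 and pi1(x1)
        return x1 ^ y1 ^ y2 ^ y3  # 2n bits in, n bits out

    return F


def first_collision(F, n_bits=N_BITS, seed=2):
    """Evaluate F on distinct random inputs until two outputs match."""
    rng = random.Random(seed)
    size = 1 << n_bits
    inputs = [(a, b) for a in range(size) for b in range(size)]
    rng.shuffle(inputs)
    seen = {}
    for count, (x1, x2) in enumerate(inputs, start=1):
        h = F(x1, x2)
        if h in seen:  # pigeonhole forces this within 2^n + 1 evaluations
            return count, seen[h], (x1, x2)
        seen[h] = (x1, x2)
    raise AssertionError("unreachable: more inputs than outputs")


if __name__ == "__main__":
    F = make_compression()
    evals, a, b = first_collision(F)
    print(f"n={N_BITS}: {a} and {b} collide after {evals} evaluations")
```

Each evaluation of `F` costs three permutation queries, which is the unit in which the abstract's bounds are stated.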
[1] Martijn Stam. Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions, 2008, CRYPTO.
[2] John P. Steinberger, et al. Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers, 2008, CRYPTO.
[3] Thomas Shrimpton, et al. Building a Collision-Resistant Compression Function from Non-compressing Primitives, 2008, ICALP.
[4] Thomas Shrimpton, et al. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance, 2004, FSE.
[5] Joos Vandewalle, et al. Hash Functions Based on Block Ciphers: A Synthetic Approach, 1993, CRYPTO.
[6] Shoichi Hirose, et al. Some Plausible Constructions of Double-Block-Length Hash Functions, 2006, FSE.
[7] John Black, et al. On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions, 2005, EUROCRYPT.
[8] Xuejia Lai, et al. Hash Function Based on Block Ciphers, 1992, EUROCRYPT.
[9] Daesung Kwon, et al. Security of Single-permutation-based Compression Functions, 2009, IACR Cryptol. ePrint Arch.
[10] John P. Steinberger, et al. Security/Efficiency Tradeoffs for Permutation-Based Hashing, 2008, EUROCRYPT.
[11] B. Bollobás, et al. Extremal Graph Theory, 2013.
[12] John P. Steinberger. Stam's Collision Resistance Conjecture, 2010, EUROCRYPT.