Efficient hashing using the AES instruction set
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
The symbiosis between collision and preimage resistance
IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Collisions are not incidental: a compression function exploiting discrete geometry
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Hi-index | 0.00 |
Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function $H{:\;\:}\{0,1\}^{*}\rightarrow \{0,1\}^{n}$from a blockcipher $E{:\;\:}\{0,1\}^{n}\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}$. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle–Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.