Reference: Advances in Cryptology-CRYPTO '02. Lecture Notes in Computer Science, vol. ??, pp. ??-??. report 2001/027.
Abstract:
Preneel, Govaerts, and Vandewalle [PGV] considered the 64 most basic ways
to construct a hash function H: {0,1}^* -> {0,1}^n from a block cipher
E: {0,1}^n x {0,1}^n -> {0,1}^n.
They regarded 12 of these 64 schemes as secure,
though no proofs or formal claims were given.
The remaining 52 schemes were shown to be subject to
various attacks.
Here we provide a formal and quantitative treatment of
the 64 constructions considered by PGV.
We prove that, in a black-box model, the 12
schemes that PGV singled out as secure really are secure: we
give tight upper and lower bounds
on their collision resistance.
Furthermore, by stepping outside of
the Merkle-Damgard approach to analysis,
we show that an additional 8 of the 64 schemes
are just as collision resistant (up to a small constant) as the first group
of schemes.
Nonetheless, we are able to differentiate among the 20
collision-resistant
schemes by bounding their security as one-way functions.
We suggest that proving black-box bounds,
of the style given here, is a feasible and useful step
for understanding the security of any
block-cipher-based hash-function construction.
Availability: pdf or ps or dvi
Rogaway's home page.