Abstract
Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function $H\colon \{0,1\}^* \to \{0,1\}^{\nu}$ from a blockcipher $E\colon \{0,1\}^{\nu} \times \{0,1\}^{\nu} \to \{0,1\}^{\nu}$. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle-Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions. © 2010 International Association for Cryptologic Research.
Cite
Black, J., Rogaway, P., Shrimpton, T., & Stam, M. (2010). An analysis of the blockcipher-based hash functions from PGV. Journal of Cryptology, 23(4), 519–545. https://doi.org/10.1007/s00145-010-9071-0