Fix a small nonempty set of blockcipher keys $\mathcal{K}$. We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from $\mathcal{K}$. Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner (Advances in Cryptology-CRYPTO '02, Lecture Notes in Computer Science, vol. 2442, pp. 31-46, Springer, Berlin, 2002) is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means. © 2008 International Association for Cryptologic Research.
CITATION STYLE
Black, J., Cochran, M., & Shrimpton, T. (2009). On the impossibility of highly-efficient blockcipher-based hash functions. Journal of Cryptology, 22(3), 311–329. https://doi.org/10.1007/s00145-008-9030-1