**Seven-Property-Preserving Iterated Hashing: ROX
**

*Elena Andreeva and Gregory Neven and Bart Preneel and Thomas Shrimpton*

**Abstract: **Nearly all modern hash functions are constructed by iterating a
compression function. At FSE'04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or counterexample, which of these seven notions is preserved by each of eleven existing iterations.
Our study points out that none of them preserves more than three
notions from [RSh04]. In particular, only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions are particularly relevant for practice, because they do not rely on the problematic assumption that practical compression functions be chosen uniformly from a family. In view of this poor state of affairs, even the mere existence of seven-property-preserving iterations seems uncertain.
As a second contribution, we propose the new Random-Oracle XOR(ROX) iteration that is the first to provably preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.

**Category / Keywords: **foundations / Cryptographic hash functions, Merkle-Damgard, collision resistance, preimage resistance, second preimage resistance, provable security.

**Date: **received 10 May 2007, last revised 30 Oct 2007

**Contact author: **elena andreeva at esat kuleuven be

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Version: **20071030:142915 (All versions of this report)

**Short URL: **ia.cr/2007/176

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]