Cryptology ePrint Archive: Report 2007/176

Seven-Property-Preserving Iterated Hashing: ROX

Elena Andreeva and Gregory Neven and Bart Preneel and Thomas Shrimpton

Abstract: Nearly all modern hash functions are constructed by iterating a compression function. At FSE'04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or counterexample, which of these seven notions is preserved by each of eleven existing iterations. Our study points out that none of them preserves more than three notions from [RSh04]. In particular, only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions are particularly relevant for practice, because they do not rely on the problematic assumption that practical compression functions be chosen uniformly from a family. In view of this poor state of affairs, even the mere existence of seven-property-preserving iterations seems uncertain. As a second contribution, we propose the new Random-Oracle XOR(ROX) iteration that is the first to provably preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.

Category / Keywords: foundations / Cryptographic hash functions, Merkle-Damgard, collision resistance, preimage resistance, second preimage resistance, provable security.

Date: received 10 May 2007, last revised 30 Oct 2007

Contact author: elena andreeva at esat kuleuven be

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20071030:142915 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]