Paper 2008/189

How to Build a Hash Function from any Collision-Resistant Function

Thomas Ristenpart and Thomas Shrimpton


Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hhash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective ``mixing'' stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a blockcipher-based construction that appropriately realizes the mixing stages.

Note: New version fixes a bug in proof of Theorem 6.1.

Available format(s)
Publication info
Published elsewhere. A preliminary version appeared at Asiacrypt 2007.
Hash functionsrandom oraclecollision-resistancepseudorandom oraclesindifferentiability
Contact author(s)
tristenp @ cs ucsd edu
2010-06-14: revised
2008-04-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Thomas Ristenpart and Thomas Shrimpton},
      title = {How to Build a Hash Function from any Collision-Resistant Function},
      howpublished = {Cryptology ePrint Archive, Paper 2008/189},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.