Cryptology ePrint Archive: Report 2008/189

How to Build a Hash Function from any Collision-Resistant Function

Thomas Ristenpart and Thomas Shrimpton

Abstract: Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hhash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective ``mixing'' stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a blockcipher-based construction that appropriately realizes the mixing stages.

Category / Keywords: Hash functions, random oracle, collision-resistance, pseudorandom oracles, indifferentiability

Publication Info: A preliminary version appeared at Asiacrypt 2007.

Date: received 26 Apr 2008, last revised 14 Jun 2010

Contact author: tristenp at cs ucsd edu

Available format(s): PDF | BibTeX Citation

Note: New version fixes a bug in proof of Theorem 6.1.

Version: 20100614:211620 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]