Hash functions based on block ciphers

From Wikipedia, the free encyclopedia

In cryptography, there are several methods to use a block cipher to build a cryptographic hash function. The methods resemble the block cipher modes of operation usually used for encryption.

Some methods to turn any normal block cipher into the compression function for a hash function are Davies-Meyer, Miyaguchi-Preneel, Matyas-Meyer-Oseas, MDC-2 and MDC-4. They are then used inside the Merkle-Damgård structure to build the actual hash function. These methods are described in detail further down. (MDC-2 is also the name of a hash function patented by IBM.)

Using a block cipher as a hash function is usually much slower than using a specially designed hash function. This is because all known secure constructions do the key scheduling for each block of the message. It has been shown that without repeated key scheduling it is impossible to construct a secure block cipher based hash function[1]. In practice reasonable speeds are achieved provided the key scheduling of the selected block cipher is not a too heavy operation.

But, in some cases it is easier because a single implementation of a block cipher can be used for both block cipher and a hash function. It can also save code space in very tiny embedded systems like for instance smart cards or nodes in cars or other machines.

If a block cipher has a block size of say 128 bits most of the methods create a hash function that has the block size of 128 bits and produces a hash of 128 bits. But there are also methods to make hashes with double the hash size compared to the block size of the block cipher used. So a 128-bit block cipher can be turned into a 256-bit hash function.

The hash function is considered secure if the following conditions are met:

  • The block cipher is secure.
  • The resulting hash size is big enough. 64-bit is too small, 128-bit might be enough.
  • The last block is properly length padded prior to the hashing. (See the Merkle-Damgård structure below.) Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc.

The constructions presented below: Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel have been shown to be secure under the black-box analysis[2]. The black-box model assumes that the used block cipher is secure.

Contents

Main article: Merkle-Damgård construction

A hash function must be able to process an arbitrary-length message into a fixed-length output. This can be achieved by breaking the input up into a series of equal-sized blocks, and operating on them in sequence using a compression function. The compression function can either be specially designed for hashing or be built from a block cipher.

Merkle-Damgård hash construction

The last block processed should also be length padded, this is crucial to the security of this construction. This construction is called the Merkle-Damgård construction. Most widely used hash functions, including SHA-1 and MD5, take this form.

The Davies-Meyer hash construction
The Davies-Meyer hash construction

The Davies-Meyer hash compression function feeds each block of the message (mi) as the key to the block cipher. It feeds the previous hash value (Hi-1) as the cleartext to be encrypted. The output ciphertext is then also XORed (\oplus) with the previous hash value (Hi-1) to produce the next hash value (Hi). In the first round when there is no previous hash value it uses a constant pre-specified initial value (H0).

H_i = E_{m_i}{(H_{i-1})} \oplus {H_{i-1}}

If the block cipher uses for instance 256-bit keys then each message block (mi) is a 256-bit chunk of the message. If the same block cipher uses a block size of 128 bits then the input and output hash values in each round is 128 bits.

Variations of this method replace XOR with any other group operation, such as addition on 32-bit unsigned integers.

If the used block cipher is not secure i.e. has been broken then a so-called fixed point attack can be applied to this construction [3]. According to Bruce Schneier this "is not really worth worrying about"[4].

The security of the Davies-Meyer construction under the black-box assumption was first proved by R. Winternitz[5].


The Matyas-Meyer-Oseas hash construction
The Matyas-Meyer-Oseas hash construction

The Matyas-Meyer-Oseas hash compression function can be considered the dual (the opposite) of Davies-Meyer.

It feeds each block of the message (mi) as the cleartext to be encrypted. The output ciphertext is then also XORed (\oplus) with the same message block (mi) to produce the next hash value (Hi). The previous hash value (Hi-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H0).

If the block cipher has different block and key sizes the hash value (Hi-1) will have the wrong size for use as the key. The cipher might also have other special requirements on the key. Then the hash value is first fed through the function g( ) to be converted/padded to fit as key for the cipher.

H_i = E_{g(H_{i-1})}(m_i)\oplus m_i


The Miyaguchi-Preneel hash construction
The Miyaguchi-Preneel hash construction

The Miyaguchi-Preneel hash compression function is an extended variant of Matyas-Meyer-Oseas. It was independently proposed by Shoji Miyaguchi and Bart Preneel.

It feeds each block of the message (mi) as the cleartext to be encrypted. The output ciphertext is then XORed (\oplus) with the same message block (mi) and then also XORed with the previous hash value (Hi-1) to produce the next hash value (Hi). The previous hash value (Hi-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H0).

If the block cipher has different block and key sizes the hash value (Hi-1) will have the wrong size for use as the key. The cipher might also have other special requirements on the key. Then the hash value is first fed through the function g( ) to be converted/padded to fit as key for the cipher.

H_i = E_{g(H_{i-1})}(m_i)\oplus H_{i-1}\oplus m_i

The roles of mi and Hi-1 may be switched, so that Hi-1 is encrypted under the key mi. Thus making this method an extension of Davies-Meyer instead.


  1. ^ John Black, Martin Cochran, and Thomas Shrimpton. On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. Advances in Cryptology -- EUROCRYPT '05, Aarhus, Denmark, 2005. The authors define a hash function "highly efficient if its compression function uses exactly one call to a block cipher whose key is fixed". In other words for a highly efficient hash function only one key scheduling is allowed for the entire message.
  2. ^ John Black, Phillip Rogaway, and Tom Shrimpton. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. Advances in Cryptology - CRYPTO '02, Lecture Notes in Computer Science, vol. 2442, pp. 320-335, Springer, 2002. See the table on page 3, Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel are numbered in the first column as hash functions 5, 1 and 3.
  3. ^ Handbook of Applied Cryptography by Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Fifth Printing (August 2001) page 375.
  4. ^ Bruce Schneier Applied Cryptography, second edition, page 448
  5. ^ R. Winternitz. A secure one-way hash function built from DES. In Proceedings of the IEEE Symposium on Information Security and Privacy, p. 88-90. IEEE Press, 1984.
Hash algorithms: Gost-Hash | HAS-160 | HAS-V | HAVAL | MDC-2 | MD2 | MD4 | MD5 | N-Hash | RadioGatún | RIPEMD | SHA family | Snefru | Tiger | VEST | WHIRLPOOL | crypt(3) DES
MAC algorithms: DAA | CBC-MAC | HMAC | OMAC/CMAC | PMAC | UMAC | Poly1305-AES | VEST
Authenticated encryption modes: CCM | EAX | GCM | OCB | VEST   Attacks: Birthday attack | Collision attack | Preimage attack | Rainbow table | Brute force attack
Standardization: CRYPTREC | NESSIE   Misc: Avalanche effect | Hash collision | Hash functions based on block ciphers
Cryptography
v  d  e
History of cryptography | Cryptanalysis | Cryptography portal | Topics in cryptography
Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers
Retrieved from "http://en.wikipedia.org../../../h/a/s/Hash_functions_based_on_block_ciphers.html"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.