Improved Rate Upper Bound of Collision Resistant Compression Functions

Based on Stanek’s results [1] we know that in model with integer rate PGV like compression functions no high speed collision resistant compression functions exist. Thus we try to study more general multiple block ciphers based model of compression functions with rational rate, like 6/5. We show a new upper bound of the rate of collision resistant compression functions in this model. 1 Motivation and goals The cryptographic hash functions are a basic building block of many other cryptographic constructions (such as digital signature schemes, message authentication code, . . .). For more complete overview see e.g. [2, 3]. Majority of modern hash functions is based on Merkle-Damgård paradigm [4, 5]. Many compression functions are explicitly based on block cipher. Even some of “dedicated” hash functions (which were not constructed in this way) have this structure. For example, it is possible to extract 160 bits block cipher with 512 bits key (called SHACAL-1) from compression function implemented in SHA-1 hash function [6]. The idea of hash function construction by iterating block cipher is at least 30 years old [7]. Nevertheless no systematic analysis of this idea was done until 1994. In this year Preneel, Govaerts and Vandewalle done the first systematic study of 64 hash functions based on block cipher [8]. Thereafter Black, Rogaway and Shrimpton [9] analyzed these constructions in blackbox model and showed that 20 of them are collision resistant up to birthday-attack bound. At least from the usability point of view, speed is important property of hash function. So it is only natural to attempt to speedups it. One of possible speedups of iterated hash functions based on block ciphers is increasing the number of input message blocks processed by one use of block cipher. Another possibility of speedup is a restriction of keys used in all block ciphers to a small fixed set of keys. Then it is possible to pre-schedule subkeys for each round of used block ciphers, whereby saving a big amount of work. ? Supported by VEGA grant No. 1/0266/09. Traditional constructions [8] of hash functions require one block cipher transformation per input message block (so called rate-1 hash functions) and they require rekeying for every input message block. Black, Cochran and Shrimpton [10] showed in year 2005 that it is not possible to construct a provably secure rate-1 iterated hash function based on block cipher, which uses only small fixed set of keys. For these reasons our goal is to maximize rate of iterated hash function based on block cipher. In other words, we attempt to maximize the number of input message blocks processed by a single block cipher invocation.