Building Application-Agile Hash Functions: the MCM Construction

Hash functions are often expected to provide security across applications, even if there is no formal backing for these expectations. For example SHA-1 is used variously as a collision-resistant hash function and as a real-world instantiation of a random oracle; recent attacks make either use less palatable. Better security would be provided by provable collision-resistance (resting on some underlying computational hardness assumption) and, simultaneously, some guarantee of randomoracle-like behavior. We call a hash function achieving these goals application agile. Unfortunately, known provably CR hash functions do not typically meet both goals, as the underlying structure that allows for provable collision-resistance negates any hope of behaving like a random oracle. This paper begins the investigation of application-agile hashing, and offers a generic construction for building such objects. Our MCM construction, applied to any provably CR hash function with good regularity properties, produces the first hash function simultaneously provably CR in the standard model and indifferentiable from a random oracle in the ideal cipher model.