Some properties of an FSE 2005 Hash Proposal

We consider the hash function proposals by Mridul et al. presented at FSE 2005. For the proposed 2n-bit compression functions it is proved that collision attacks require Ω(2) queries of the functions in question. In this note it is shown that with O(2n/3) queries one can distinguish the proposed compression functions from a randomly chosen 2n-bit function with very good probability. Finally we note that our results do not seem to contradict any statements made the designers of the compression functions. 1 The 1/3 rate proposal from FSE 2005 [1] introduces several new constructions for hash function compression functions of varying hash rates, cf. later. We consider first the compression function of rate 1/3. Let fi : {0, 1}2n → {0, 1}n be independent random functions, for i = 1, 2, 3. Define the compression function F : {0, 1}3n → {0, 1}2n F (x, y, z) = (F1(x, y, z) | F2(x, y, z)) = (f1(x, y)⊕ f2(y, z) | f2(y, z)⊕ f3(z, x)) This function has a rate of 1/3: it compresses one block of n bits with three evaluations of the f -functions. First we note that F1(x, y, z)⊕F2(x, y, z) = (f1(x, y)⊕f3(z, x)) and thus this sum is independent of f2. The idea of the distinguishing attack is to find two sets of values x1, y1, z1 and x2, y2, z2 such that f1(x1, y1)⊕ f3(z1, x1) = f1(x2, y2)⊕ f3(z2, x2).