Publication


Featured research published by Shoichi Hirose.


Fast Software Encryption | 2006

Some plausible constructions of double-block-length hash functions

Shoichi Hirose

In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: any collision-finding attack on them is at most as efficient as the birthday attack in the random oracle model or in the ideal cipher model. A new security notion is also introduced, which we call indistinguishability in the iteration, with a construction satisfying the notion.


International Conference on Information Security and Cryptology | 2004

Provably secure double-block-length hash functions in a black-box model

Shoichi Hirose

In CRYPTO’89, Merkle presented three double-block-length hash functions based on DES. They are optimally collision resistant in a black-box model, that is, the time complexity of any collision-finding algorithm for them is $\Omega(2^{l/2})$ if DES is a random block cipher, where $l$ is the output length. Their drawback is that their rates are low. In this article, new double-block-length hash functions with higher rates are presented which are also optimally collision resistant in the black-box model. They are composed of block ciphers whose key length is twice larger than their block length.


International Conference on the Theory and Application of Cryptology and Information Security | 2007

A simple variant of the Merkle-Damgård scheme with a permutation

Shoichi Hirose; Je Hong Park; Aaram Yun

We propose a new composition scheme for hash functions. It is a variant of the Merkle-Damgard construction with a permutation applied right before the processing of the last message block. We analyze the security of this scheme using the indifferentiability formalism, which was first adopted by Coron et al. to the analysis of hash functions. And we study the security of simple MAC constructions out of this scheme. Finally, we also discuss the random oracle indifferentiability of this scheme with a double-block-length compression function or the Davies-Meyer compression function composed of a block cipher.


Journal of Cryptology | 2012

A Simple Variant of the Merkle–Damgård Scheme with a Permutation

Shoichi Hirose; Je Hong Park; Aaram Yun

We propose a new composition scheme for hash functions. It is a variant of the Merkle–Damgård construction with a permutation applied right before the processing of the last message block. We analyze the security of this scheme using the indifferentiability formalism, which was first adopted by Coron et al. to the analysis of hash functions. We also study the security of simple MAC constructions out of this scheme. Finally, we discuss the random oracle indifferentiability of this scheme with a double-block-length compression function or the Davies–Meyer compression function composed of a block cipher.


Lecture Notes in Computer Science | 2003

Analysis of double block length hash functions

Mitsuhiro Hattori; Shoichi Hirose; Susumu Yoshida

The security of double block length hash functions and their compression functions is analyzed in this paper. First, the analysis of double block length hash functions by Satoh, Haga, and Kurosawa is investigated. The focus of this investigation is their analysis of the double block length hash functions with the rate 1 whose compression functions consist of a block cipher with the key twice longer than the plaintext/ciphertext. It is shown that there exists a case uncovered by their analysis. Second, the compression functions are analyzed with which secure double block length hash functions may be constructed. The analysis shows that these compression functions are at most as secure as the compression functions of single block length hash functions.


International Conference on Information Security and Cryptology | 2010

A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-LW

Shoichi Hirose; Kota Ideguchi; Hidenori Kuwakado; Toru Owada; Bart Preneel; Hirotaka Yoshida

This paper proposes a new lightweight 256-bit hash function Lesamnta-LW with claimed security levels of at least $2^{120}$ with respect to collision, preimage, and second preimage attacks. We adopt the Merkle-Damgard domain extension; the compression function is constructed from a dedicated AES-based block cipher using the LW1 mode, for which a security reduction can be proven. In terms of lightweight implementations, Lesamnta-LW offers a competitive advantage over other 256-bit hash functions. Our size-optimized hardware implementation of Lesamnta-LW requires only 8.24 Kgates on 90 nm technology. Our software implementation of Lesamnta-LW requires only 50 bytes of RAM and runs fast on short messages on 8-bit CPUs.


IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 2006

A Security Analysis of Double-Block-Length Hash Functions with the Rate 1

* This is a modified version of [6] in References.

Shoichi Hirose

In this article, the security of double-block-length hash functions with the rate 1 is analyzed, whose compression functions are composed of block ciphers with their key length twice larger than their block length. First, the analysis by Satoh, Haga and Kurosawa is investigated, and it is shown that there exists a case uncovered by their analysis. Second, a large class of compression functions are defined, and it is shown that they are at most as secure as those of single-block-length hash functions. Finally, some candidate hash functions are given which are possibly optimally collision-resistant.


IMACC 2013 Proceedings of the 14th IMA International Conference on Cryptography and Coding - Volume 8308 | 2013

Hashing Mode Using a Lightweight Blockcipher

Hidenori Kuwakado; Shoichi Hirose

This article proposes a hashing mode using a lightweight blockcipher. Since the block size of a lightweight blockcipher is small, the hashing mode uses a double-block-length compression function that consists of two Matyas-Meyer-Oseas (MMO) modes. Tag-based applications often require a hash function to be a one-way function and a primitive for constructing a pseudorandom function. We analyze the one-wayness of the hashing mode and the pseudorandomness of the keyed hashing mode under standard assumptions of an underlying blockcipher. The analysis in the standard model is practically more significant than the analysis in the ideal-primitive model.


Selected Areas in Cryptography | 2009

A Scheme to Base a Hash Function on a Block Cipher

Shoichi Hirose; Hidenori Kuwakado

This article discusses the provable security of an iterated hash function using a block cipher. It assumes the construction using the Matyas-Meyer-Oseas (MMO) scheme for the compression function and the Merkle-Damgard with a permutation (MDP) for the domain extension transform. It is shown that this kind of hash function, MDP-MMO, is indifferentiable from the variable-input-length random oracle in the ideal cipher model. It is also shown that HMAC using MDP-MMO is a pseudorandom function if the underlying block cipher is a pseudorandom permutation under the related-key attack with respect to the permutation used in MDP. Actually, the latter result also assumes that the following function is a pseudorandom bit generator:


Workshop on Information Security Applications | 2009

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Shoichi Hirose

Collaboration


Dive into Shoichi Hirose's collaboration.

Top Co-Authors

Jiageng Chen

Japan Advanced Institute of Science and Technology

Junji Shikata

Yokohama National University

Yu Sasaki

University of Electro-Communications
