Venue: 電子情報通信学会技術研究報告 (IEICE Technical Report)

A Block-Cipher-Based Hash Function Using an MMO-Type Double-Block Compression Function


Abstract

Methods for constructing a hash function from an existing block cipher have recently attracted interest as a way to implement a hash function on constrained devices. To obtain a sufficient level of collision resistance from an existing block cipher, the hash function often needs an output length larger than the block length of the underlying cipher. This article presents a new mode for a double-block compression function, based on the mode proposed by Jonsson and Robshaw at PKC 2005. The mode can be instantiated with a block cipher whose key length exceeds its block length, such as AES-192/256 or PRESENT-128. The article also gives provable-security analyses of an iterated hash function that combines the proposed mode with the MDP domain extension. The properties analysed are collision resistance, the pseudorandom-function property of the keyed-via-IV mode, and indifferentiability from a random oracle. It is shown, for instance, that in the ideal cipher model the query complexity needed to differentiate the iterated hash function from a random oracle is optimal up to a constant factor.
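The following Go program is added here as an illustration and is not code from the article. It makes the abstract's building blocks concrete with AES-256 from Go's standard library crypto/aes: a 256-bit key against a 128-bit block is exactly the key-length > block-length setting the abstract names. The compression function is an MMO-type double-block construction in the generic sense (the 2n-bit chaining value is the cipher key, the n-bit message block is the plaintext, and a second encryption of m XOR c supplies the second output half); that shape is an assumption chosen for illustration, not the mode proposed in the article, which this page does not specify, so the security bounds quoted in the abstract do not transfer to it. The MDP domain extension appears as a fixed permutation pi(g, h) = (g XOR delta, h) applied to the chaining value before the final block, and the keyed-via-IV mode as the replacement of the IV by a 2n-byte secret key. The IV, the constants c and delta, the padding rule and the function names Hash and KeyedHash are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// n is the AES block length in bytes (128 bits). AES-256 has a 32-byte
// key, so key length 2n exceeds block length n, as the abstract requires.
const n = 16

// xorBytes returns a XOR b; both slices must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encryptBlock computes E_key(plain) with AES-256 (key is 32 bytes).
func encryptBlock(key, plain []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	c.Encrypt(out, plain)
	return out
}

// dblCompress is an illustrative MMO-type double-block compression function
// (assumed shape, not the article's mode, which the page does not give): the
// chaining value (g, h) is the 2n-bit key, the n-bit block m is the plaintext,
// and encrypting m and m XOR c, each fed forward MMO-style, gives (g', h').
func dblCompress(g, h, m []byte) ([]byte, []byte) {
	key := append(append([]byte{}, g...), h...)
	c := make([]byte, n) // nonzero constant separating the two calls (assumed)
	c[n-1] = 0x01
	gOut := xorBytes(encryptBlock(key, m), m)
	mc := xorBytes(m, c)
	hOut := xorBytes(encryptBlock(key, mc), mc)
	return gOut, hOut
}

// pad applies Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit
// big-endian bit length, so the result is a whole number of n-byte blocks.
func pad(msg []byte) []byte {
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for (len(out)+8)%n != 0 {
		out = append(out, 0x00)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(out, l[:]...)
}

// mdpHash iterates dblCompress from IV (g, h) with the MDP domain extension:
// the chaining value entering the final compression first passes through a
// fixed permutation pi, here pi(g, h) = (g XOR delta, h), delta nonzero (assumed).
func mdpHash(g, h, msg []byte) []byte {
	blocks := pad(msg)
	numBlocks := len(blocks) / n
	delta := make([]byte, n)
	delta[0] = 0x80
	for i := 0; i < numBlocks; i++ {
		m := blocks[i*n : (i+1)*n]
		if i == numBlocks-1 {
			g = xorBytes(g, delta) // MDP: permute before the last block only
		}
		g, h = dblCompress(g, h, m)
	}
	return append(append([]byte{}, g...), h...)
}

// Hash is the unkeyed 2n-bit (256-bit) hash with an all-zero IV (assumed IV).
func Hash(msg []byte) []byte {
	return mdpHash(make([]byte, n), make([]byte, n), msg)
}

// KeyedHash is the keyed-via-IV mode: a 2n-byte secret key replaces the IV.
func KeyedHash(key, msg []byte) []byte {
	if len(key) != 2*n {
		panic("keyed-via-IV mode needs a 2n-byte key")
	}
	return mdpHash(key[:n], key[n:], msg)
}

func main() {
	msg := []byte("constructed sample message") // constructed input
	fmt.Println("hash :", hex.EncodeToString(Hash(msg)))
	key := make([]byte, 2*n)
	key[0] = 0x2a // constructed key
	fmt.Println("keyed:", hex.EncodeToString(KeyedHash(key, msg)))
}
```

Running main prints the unkeyed and keyed 256-bit digests of the constructed message. Hash is the kind of object for which the abstract discusses collision resistance and indifferentiability, and KeyedHash the kind whose PRF property is analysed. The point of the double-block output is visible in the sizes: a single MMO-style call would return only the 128-bit block, giving 64-bit birthday collision resistance, whereas the two calls sharing one key schedule return 256 bits, which is why the abstract asks for an output longer than the block length.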