How to Build a Hash Function from any Collision-Resistant Function
Thomas Ristenpart and
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the
use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably
CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately,
existing provably CR functions make poor replacements for hash functions as they fail to deliver
behaviors demanded by practical use. In particular, they are easily distinguished from a random
oracle. We initiate an investigation into building hash functions from provably CR functions.
As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it
envelopes any provably CR function H (with suitable regularity properties) between two injective
"mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance
in the standard model, and (2) indifferentiability from a monolithic random oracle when the
mixing stages themselves are indifferentiable from a random oracle that observes injectivity.
We instantiate our new design approach by specifying a blockcipher-based construction that
appropriately realizes the mixing stages.
A preliminary version of this paper appears in Advances in Cryptology -- ASIACRYPT '07,
Lecture Notes in Computer Science Vol. 4833, pp. 147--163, K. Kurosawa ed., Springer-Verlag, 2007.
Full version of the paper is available as a pdf.
List of Updates:
June 2010 - Fixed a bug in proof of Thm. 6.1 in full version of paper.
April 2008 - Put up full version of paper.