How to Build a Hash Function from any Collision-Resistant Function

Authors:
Thomas Ristenpart and Thomas Shrimpton

Abstract:
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective "mixing" stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a blockcipher-based construction that appropriately realizes the mixing stages.

References:
A preliminary version of this paper appears in Advances in Cryptology -- ASIACRYPT '07, Lecture Notes in Computer Science Vol. 4833, pp. 147--163, K. Kurosawa ed., Springer-Verlag, 2007.

Full Version:
Full version of the paper is available as a pdf.

List of Updates:
June 2010 - Fixed a bug in proof of Thm. 6.1 in full version of paper.
April 2008 - Put up full version of paper.