【 摘 要 】

We consider the generic design of compression functions based on two n -bit permutations and XOR-based mixing functions. It is known that any such function mapping n+α${n+\alpha }$ to α bits, with 1≤α≤n${1\le \alpha \le n}$, can achieve at most min{2α/2,2n/2-α/4}${\min \lbrace 2^{\alpha /2},2^{n/2-\alpha /4}\rbrace }$ collision security. Using techniques similar to Mennink and Preneel [CRYPTO 2012, Lecture Notes in Comput. Sci. 7417, Springer, Heidelberg (2012), 330–347], we show that there is only one equivalence class of these functions achieving optimal collision security, and additionally min{2α,2n/2}${\min \lbrace 2^{\alpha },2^{n/2}\rbrace }$ preimage security. The equivalence class compares well with existing functions based on two or three permutations, and is well-suited for wide-pipe hashing.

【 授权许可】

CC BY|CC BY-NC-ND   

【 预 览 】

附件列表

Files	Size	Format	View
RO202107200005264ZK.pdf	719KB	PDF	download