Abstract: We discuss the provable security of block-cipher-based hash functions. We first introduce a new model called a weak ideal cipher model. In this model, an adversary is allowed to make key-disclosure queries to the oracle as well as encryption and decryption queries. A key-disclosure query is a pair of a plaintext and a ciphertext, and the reply is a corresponding key. Thus, in this model, a block cipher is random but completely insecure as a block cipher. It is shown that collision resistant hash functions can be constructed in this model. Hash functions indifferentiable from random oracles can also be constructed. This work is inspired by the compression function construction of a SHA-3 candidate Blue Midnight Wish. However, the results do not seem to have direct implications in its security. |