Non-random properties of compression and Hash functions using linear cryptanalysis

Abstract

We report on linear analyses of block-cipher based compression and hash functions. Our aim is not to find collisions nor (second) preimages, but to detect non-random properties that may distinguish a compression or hash function from an ideal primitive (random oracle). We study single-block modes of operation such as Davies-Meyer (DM), Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) and double-block modes such as Hirose's, Tandem-DM, Parallel-DM and Abreast-DM. This paper points out weaknesses coming from the feedforward operation used in these hash modes. We use an inside-out approach: we show how a weakness (linear relation) in the underlying block cipher can propagate to the compression function and eventually to the whole hash function. To demonstrate our ideas, we instantiate the block cipher underlying these modes with 21-round PRESENT, the full 16-round DES and 9-round Serpent. For instance, in DM-PRESENT-80 mode, we can distinguish the hash function from an ideal primitive with 264 hash computations.