Constructing Secure Hash Functions from Weak Compression Functions: The Case for Non-Streamable Hash Functions

In a recent paper, Lucks espoused a “failure-friendly” approach to hash function design [12]. We expand on this idea in two main ways. First of all, we consider the notion of a weak ideal compression function, which is vulnerable to strong forms of attack, but is otherwise random. We show that such weak ideal compression functions can be used to create secure hash functions, thereby giving a design that can be used to eliminate attacks caused by many unusual properties of compression functions. Furthermore, the construction we give, which we call the “zipper hash,” is ideal in the sense that the overall hash function is indistinguishable from a random oracle when implemented with ideal building blocks. The zipper hash function is relatively efficient, requiring two compression function evaluations per block of input, but it is not streamable. We also show how to create an ideal compression function from ideal weak compression functions, which can be used in the standard iterated way to make a streamable hash function. However, a comparison of these two constructions, as well as consideration of certain recent attacks against iterated hash functions, lead us to the conclusion that non-streamable hash functions may be worth considering.