1970-01-01

(2026-04) How to construct even faster and indifferentiable hash functions from random permutations

[[Liting Zhang]]
[[Han Sui]]
[[Lei Zhang]]
[[Wenling Wu]]

2026-04-12

Abstract

Designing cryptographic hash functions that simultaneously achieve high throughput and strong provable security remains a fundamental challenge in symmetric cryptography. Traditional constructions, such as the Merkle-Damg\aa rd (MD) and SPONGE paradigms, inherently suffer from structural limitations: they either expose internal chaining values to length-extension attacks or impose a rigid trade-off between security (capacity) and efficiency (rate), bounding their architectural potential.

In this paper, we introduce the \textbf{Compress-then-Randomize} paradigm, a modular design principle that structurally decouples a hash function into two independent components with distinct security objectives: (1) a \emph{variable-input-length} (VIL) compression component optimized for high-speed message absorption, requiring only collision resistance and multiple-preimage resistance; and (2) a \emph{fixed-input-length} (FIL) finalization component utilizing independent random permutations to ensure indifferentiability from a random oracle. This separation enables the VIL component to maximize processing throughput (approaching the full primitive width) while the FIL component provides robust randomness extraction, effectively mitigating length-extension attacks and achieving tight security bounds.

Leveraging this paradigm, we propose the \textbf{Rocket hash family}, comprising two instantiations: \emph{Rocket-JH} (based on the JH iteration structure with wide-pipe design) and \emph{Rocket-DoubleCBC} (utilizing dual parallel Cipher-Block-Chaining lanes). Both constructions employ pairwise distinct round permutations and achieve superior message processing rates compared to conventional SPONGE-based designs, with Rocket-2 delivering more than $2\times$ the throughput of SHA3-512 for large messages.

For practical instantiation without requiring multiple independent cryptographic primitives, we present \textbf{CTR-Perm}, a novel domain-separation technique that derives $2^w$ effectively independent round functions from a single large permutation using a counter-based input diversification. While backward queries introduce a heuristic assumption regarding preimage multiplicity (bounded by a negligible failure probability $\leq 2^{-526}$ for counter size $w \geq 64$ and hash length 512 bits), we prove the construction remains sound for practical message lengths up to $2^{w-8}$ blocks.

Finally, to formalize the security-efficiency trade-off, we propose \textbf{Hash Effectiveness} (H.E.), a scale-invariant heuristic metric defined as the product of normalized security level and normalized processing rate. We demonstrate that conventional Merkle-Damg\aa rd and SPONGE constructions exhibit H.E. values fundamentally bounded by $1/8$ , whereas the Rocket constructions achieve H.E. values approaching $1/4$ (specifically, $0.227$ for Rocket-2 with Keccak- $p$ [1600]), thereby establishing a new Pareto frontier in hash function design.