Decisional Second-Preimage Resistance: When Does SPR Imply PRE?

Abstract

There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.

Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the U.S. National Science Foundation under grant 1314919, by the Cisco University Research Program, and by DFG Cluster of Excellence 2092 “CASA: Cyber Security in the Age of Large-Scale Adversaries”. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: 36ecc3ad6d0fbbe65ce36226c2e3eb875351f326. Date: 2019.09.12.

A Some Single-Variable Functions

This appendix proves features of some functions used in the proofs of theorems in Sect. 3. The proofs in this appendix are split into small lemmas to support verification, and proofs of the lemmas appear in the full version online. The notation \(\mathbf{R}_{>0}\) means the set of positive real numbers.

Lemma 39

If \(x\ne 0\) then \(e^{x}>1+x\).

Lemma 40

Any \(x\in \mathbf{R}\) has \(e^{x}-2x\ge 2-2\log 2>0\).

Lemma 41

If \(x>0\) then \(e^{x}-1+x-x^2>0\).

Lemma 42

Define \(\varphi _1(x)=x(e^{x}-1)/(e^{x}-x)\). Then \(\varphi _1\) is increasing, and maps \(\mathbf{R}_{>0}\) bijectively to \(\mathbf{R}_{>0}\).

Lemma 43

If \(x\ne 0\) then \(e^{x}+e^{-x}>2\).

Lemma 44

If \(x>0\) then \(e^{x}-e^{-x}-2x>0\).

Lemma 45

If \(x>0\) then \(e^{x}+e^{-x}-2-x^2>0\).

Lemma 46

Define \(\varphi _2(x)=x(e^{x}-1)/(e^{x}-1-x)\) for \(x>0\). Then \(\varphi _2\) is increasing, and maps \(\mathbf{R}_{>0}\) bijectively to \(\mathbf{R}_{>2}\).

Lemma 47

The ratio \((e-1)^{1-x}/x^x(1-x)^{1-x}\) for \(0<x<1\) increases for \(0<x<1/e\), has maximum value e at \(x=1/e\), and decreases for \(1/e<x<1\).

Lemma 48

The maximum value of \(1/(2x-1)^{2x-1}(1-x)^{2(1-x)}2^{1-x}\) for \(1/2<x<1\) is \(1+\sqrt{2}\).

Lemma 49

Define \(\varphi _5(x)=xe^{x}-e^{x}+1\). Then \(\varphi _5\) decreases for \(x<0\), has minimum value 0 at \(x=0\), and increases for \(x>0\).

Lemma 50

Let x be a positive real number. Define \(y=e^{x}-1-x\) and \(z=1/(x+x^2/y)\); then \(0<z<1/2\). Define \(\gamma =y^z/x z^z(1-z)^{1-z}\); then \(\gamma \le e-1\).