Abstract
A cryptographic hash \(\left( \text {CH}\right) \) is an algorithm that takes a message from an arbitrary domain and returns an output of fixed size. Cryptographic hashes have a great number of applications, such as message integrity, password verification, and pseudorandom generation. Furthermore, the \(\mathrm {CH}\) is an efficient security primitive for IoT-end devices, constrained devices, and RFID. The construction of the \(\mathrm {CH}\) depends on a compression function, which is built either from scratch or from a blockcipher. Generally, the blockcipher based cryptographic hash is more applicable than the scratch based hash, because the blockcipher itself is implemented directly rather than a dedicated encryption function. Although there are many \(\left( n, 2n\right) \) blockcipher based compression functions, most of the prominent schemes, such as MR, Weimar, Hirose, Tandem, Abreast, Nandi, and ISA09, focus on a rigorous security bound rather than on efficiency. Therefore, a more efficient construction of a blockcipher based compression function is proposed, which provides a higher efficiency-rate together with a satisfactory collision security bound. The efficiency-rate \(\left( r\right) \) of the proposed scheme is \(r \approx 1\). Furthermore, the collision security is bounded by \(q=2^{125.84}\) \(\left( q=\text {number of queries}\right) \). Moreover, the proposed construction requires two calls of the blockcipher under a single iteration of encryption. Additionally, it has double key scheduling and its operational mode is parallel.
This work is partially supported by the Grant-in-Aid for Scientific Research (C)(15K00183) and (15K00189) and Japan Science and Technology Agency, CREST and Infrastructure Development for Promoting International S&T Cooperation.
C. Su—JSPS Grant-in-Aid for Young Scientists (15K16005).
1 Introduction
A cryptographic hash \(\left( \mathrm {CH}\right) \) is defined as a function that maps data from an arbitrary domain to a fixed domain [1, 2, 6–8, 10]. The applications of the \(\mathrm {CH}\) are enormous. Generally, the \(\mathrm {CH}\) is used in message verification, password verification, pseudorandom generation, and message authentication [1–3, 7]. Furthermore, the cryptographic hash is an efficient security primitive for IoT-end devices, RFID, and resource constrained devices [35–39, 44]. Usually, the internal construction of a \(\mathrm {CH}\) depends on a compression function [16, 17]. The compression function is built either from scratch or from a blockcipher [6, 8, 16, 17, 31]. The blockcipher based compression function is a combination of component functions (Fig. 1). So far, the component functions are drawn from the 16 modes of the PGV construction [8, 16, 17]. Additionally, the classical Merkle-Damgård structure is used for message encryption in the cryptographic hash if the message size is bigger than the blocksize [1–3]. According to Fig. 1, the message \(\left( M\right) \) is a multiple of the blocklength. Hence, the message is partitioned as \(M = m_1 || \dots || m_l\). Thereafter, the partitioned message is injected as input together with the initial vector value \(\left( IV\right) \). The function \(F_i\) is called the compression function, which is built from a blockcipher or from scratch. Usually, one of the PGV modes is selected as the component function of the compression function [8, 16, 17]. On the other hand, a generic blockcipher based compression function is more suitable than a scratch based one for encryption on a constrained device or an IoT-end device, because the blockcipher is implemented directly rather than a separate encryption function [5, 6, 13, 14].
Usually, the blockcipher based compression function is classified as single block-length \(\left( \mathcal {SBL}\right) \) or double block-length \(\left( \mathcal {DBL}\right) \). Due to its short output size, the application of \(\mathcal {SBL}\) is now limited [2, 9, 33]. On the other hand, the \(\mathcal {DBL}\) is the more reliable construction due to its better resistance against the birthday attack [2, 13, 16, 18, 21, 28]. Moreover, the \(\mathcal {DBL}\) is categorized by the underlying \(\left( n, n\right) \) or \(\left( n, 2n\right) \) blockcipher \(\left( \text {the second parameter is the key size}\right) \). The \(\left( n, 2n\right) \) blockcipher is better due to its higher security bound \(\left( \text {larger key space}\right) \) [6, 8, 13, 20, 23]. Generally, the following parameters indicate the strength of a blockcipher based compression function:
- security bound \(\left( CR:{\text {collision}} \text { and } PR:{\text {preimage resistance}}\right) \)
- efficiency-rate \(\left( r\right) \)
- number of blockcipher calls \(\left( \#E\right) \)
- key scheduling \(\left( KS\right) \)
- operational mode \(\left( OM\right) \)
The CR is defined as a game in which an adversary tries to find the same output for two different inputs, but the advantage of the adversary is very limited [6, 13, 21]. Under PR, it is infeasible for the adversary to find any \(m\left( \text {message}\right) \) such that \(y=F\left( m\right) \), where y is chosen in advance by the adversary [2, 6, 16]. The number of blockcipher calls \(\left( \#E\right) \) is the number of blockcipher invocations per message-block encryption. The KS gives the number of key schedules required for a single message block encryption [16]. Furthermore, the OM stands for the operational mode \(\left( \text {parallel or serial}\right) \) [17, 18]. In addition, the efficiency-rate [6, 15] is defined as:
Motivation. The parameters CR, PR, r, \(\#E\), OM, and KS are vital for any satisfactory scheme of blockcipher based compression function [1, 6–8, 13, 21]. Firstly, certain gaps in the current familiar schemes are identified with respect to the above parameters. The importance of these findings is then shown for the field of efficient and secure communication. For example, the key scheduling cost is analysed with respect to the construction of the compression function. Usually, 176 bytes are needed to operate a single key scheduling [27]. Hence, minimizing the key scheduling is common practice. Additionally, the operational mode is very crucial for resource limited devices, where the parallel mode can provide maximum support with respect to the memory system [29, 30]. Moreover, the efficiency-rate needs to reach the landmark \(\left( {r=1}\right) \) [6, 13, 15, 21]. There are some well-known schemes of blockcipher compression functions, such as MR, Weimar, Hirose, Tandem, Abreast, Nandi, and ISA09 (Table 1). For example, the CR of the MR scheme is bounded by \(q={2^{126.70}}\) but its r is 1 / 2 \(\left( q:\text {number of queries}\right) \). The Weimar-DM scheme provides a tight security bound of \(q={2^{126.23}}\) [6]. Moreover, it follows double key scheduling and has an efficiency-rate of 1 / 2. The Hirose scheme delivers a marginal security bound of \(q={2^{124.55}}\) but ensures single key scheduling. However, the CR and PR bounds of Tandem-DM and Abreast-DM are not as satisfactory as those of MR, Weimar, and Hirose [23]. Moreover, the efficiency-rate of Tandem-DM and Abreast-DM is 1 / 2, like MR, Weimar, and Hirose [6, 11, 12]. Although the Nandi scheme is bounded by \(q=O\left( 2^{2n/3}\right) \), it provides a higher efficiency-rate \(\left( r=2/3\right) \) [20]. Additionally, the construction of ISA09 also provides a better efficiency-rate \(\left( r={2/3}\right) \) [21].
According to the above discussion and Table 1, most of the existing schemes have a rigorous security margin. However, the efficiencies of the MR, Weimar, Hirose, Tandem and Abreast constructions are low. On the other hand, the Nandi and ISA09 schemes satisfy a higher efficiency-rate. Moreover, the constructions of Nandi and ISA09 have \(KS=3\) and \(\#E=3\) [20, 21]. In addition, the OM is serial for the Nandi and ISA09 schemes. Thus, the overall efficiencies of the ISA09 and Nandi schemes are not adequate.
Nowadays, the importance of an efficient blockcipher compression function is enormous [6, 8, 13, 33, 34, 40, 41, 44]. The blockcipher is one of the important cryptographic primitives for the security solution of the IoT environment according to standards such as ISO/IEC29192-1, ISO/IEC29192-2, ISO/IEC29192-3, and ISO/IEC29192-4 [42–44]. Generally, IoT-end devices, RFID, and constrained devices are used in the IoT environment [39–42]. Furthermore, these devices need to operate fast, but their major drawbacks are limited memory, power, and processing capacity [37, 38, 42–44]. Therefore, the cryptographic solution should satisfy the property of better efficiency. In summary, the targets for an efficient blockcipher compression function are as follows:
- higher efficiency-rate
- reasonable key scheduling
- fewer blockcipher calls \(\left( \#E\right) \)
- operational mode
- satisfactory security bound
Contribution. In this paper, a blockcipher based compression function is proposed. The component function of the proposed construction follows one of the secure modes of PGV. The contributions of the proposed construction are as follows:
- efficiency-rate, \(r=0.996\)
- \(KS=2\)
- \(\#E=2\)
- parallel mode
- CR security bound, \(q=2^{125.84}\) \(\left( q:\text {number of queries}\right) \)
In addition, a comparative study of the proposed construction and the current familiar schemes is given in Table 2.
Outline. The basic preliminaries are provided in Sect. 2. The technical details of the proposed scheme are given in Sect. 3. Section 4 analyses the security bound. Furthermore, the result analysis, including the performance analysis, is given in Sect. 5. Finally, the conclusions and future work are provided in Sect. 6.
2 Preliminaries
2.1 Ideal Cipher Model (ICM)
In the ideal cipher model, a blockcipher is defined as \(\mathcal {B}\left( n,k\right) \), where n is the block-length and k is the key-length. The operation of \(\mathcal {B}\left( n,k\right) \) is \(\mathcal {E} : {\left\{ {0,1} \right\} ^n} \times {\left\{ {0,1} \right\} ^k} \rightarrow {\left\{ {0,1} \right\} ^n}\). The reply to a forward \(\left( \mathcal {E}\right) \) or backward \(\left( \mathcal {E}^{-1}\right) \) query is a random permutation, independent for each key \(\mathcal {K} \in {\left\{ {0,1} \right\} ^k}\). Let \(\mathcal {BLOCK}_n^k\) be the set of all blockciphers \(\mathcal {B}\left( n,k\right) \). Under the ideal cipher model, \(\mathcal {E}\) is chosen randomly from \(\mathcal {BLOCK}_n^k\). Actually, \(\mathcal {E}\) takes a key and a plaintext as input and returns a ciphertext as output. Conversely, the inputs of \({\mathcal {E}}^{-1}\) are a key and a ciphertext, and its output is the plaintext. Usually, each query and response through \({\mathcal {E}}\) or \({\mathcal {E}}^{-1}\) is stored as a triple \(\left( k_i, x_i, y_i\right) \). Moreover, the adversary is not allowed to make any duplicate query [17, 22].
2.2 Security Definition
Certain properties are responsible for analysing the security of a blockcipher compression function. For example, collision resistance \(\left( {CR}\right) \), preimage resistance \(\left( {PR}\right) \), the padding oracle attack, and the initial value \(\left( {CV}\right) \) attack are the most familiar ones [6, 13, 23, 24]. In this section, the collision and preimage resistance of the blockcipher compression function are briefly discussed [16–19].
Collision Resistance of Compression Function. The adversary \({\mathcal {A}}\) is allowed access to the blockcipher oracle \(\left( \mathcal {E} \in \mathcal {BLOCK}_n^k\right) \). Hence, \({\mathcal {A}}\) outputs two triples \(\left( {{\alpha _1},{\beta _1},{m_1}} \right) \) and \(\left( {{\alpha _2},{\beta _2},{m_2}} \right) \). Furthermore, an experiment \({\text {Exp-col}}{{\text {l}}_{{f_{\mathcal {E}}}}}\left( \mathcal {A} \right) \) is defined. The output of the experiment is 1 iff the following condition is satisfied:
where \(f_\mathcal {E}\) is a blockcipher compression function, \(\alpha , \beta \) are chaining values, and \(m\) is the message. The advantage of the adversary in finding a collision under \(f_\mathcal {E}\) is defined below. Let \(\mathrm{{Adv}}_{{f_{\mathcal {E}}}}^{{\text {coll}}}\left( \mathcal {A} \right) = \Pr \left[ {{\text {Exp-col}}{{\text {l}}_{{f_{\mathcal E}}}}\left( {\mathcal A} \right) = 1} \right] \), where coll stands for collision. The advantage of the adversary \(\mathcal {A}\) is quantified by the number of queries that it is allowed to ask the blockcipher oracle. Therefore, \(\mathrm{{Adv}}_{{f_{\mathcal {E}}}}^{\mathrm{{coll}}}\left( q \right) = {\max _\mathcal{A}}\left\{ {\mathrm{{Adv}}_{{f_\mathcal{E}}}^{\mathrm{{coll}}}\left( \mathcal{A} \right) } \right\} \), where the maximum is taken over all adversaries that ask at most q oracle queries [16, 19].
Preimage Resistance of Compression Function. The adversary \({\mathcal {A}}\) has access to the blockcipher oracle \(\left( \mathcal {E} \in \mathcal {BLOCK}_n^k\right) \). Furthermore, \({\mathcal {A}}\) selects the values of \(\alpha , \beta \) randomly before making any query to the blockcipher oracle. Let the feedback of the oracle to the adversarial queries be \(\alpha ' \text { and }\beta '\). In addition, assume an experiment \({\text {Exp-pr}}{\mathrm{{e}}_{{f_\mathcal{E}}}}\left( \mathcal{A} \right) \), where pre stands for preimage. Hence, the output of the defined experiment is 1 iff:
where \(f_\mathcal {E}\) is a blockcipher compression function, \(\alpha _1, \beta _1\) are chaining values, and \(m\) is the message. The advantage of the adversary in finding a preimage under \(f_\mathcal {E}\) is defined by \(\mathrm{{Adv}}_{{f_\mathcal{E}}}^{\mathrm{{pre}}}\left( \mathcal{A} \right) = \Pr \left[ {{\text {Exp-pr}}{\mathrm{{e}}_{{f_\mathcal{E}}}}\left( \mathcal{A} \right) = 1} \right] \). Moreover, the advantage of \(\mathcal {A}\) is evaluated through the total number of queries. Therefore, \(\mathrm{{Adv}}_{{f_\mathcal{E}}}^{\mathrm{{pre}}}\left( q \right) = {\max _{\mathcal {A}}}\left\{ {\mathrm{{Adv}}_{{f_{\mathcal {E}}}}^{\mathrm{{pre}}}\left( \mathcal {A} \right) } \right\} \), where the maximum is taken over all adversaries that ask q oracle queries [16, 19].
3 Proposed Scheme
Usually, the efficiency-rate can be increased by using three calls of the blockcipher. This method is used in Nandi and ISA09 [20, 21]. Furthermore, a method of using a pair of chaining values together with the message in two blockciphers is also useful. Such a method is used in MDC-2 and later in MDC-4 [4, 9, 32, 45]. The proposed construction is inspired by and follows the constructions of MDC-2 and MDC-4 [4, 9, 45]. However, with respect to security there is a drawback of these \(\left( \text {MDC-2, 4}\right) \) kinds of construction. In MDC-2, two chaining values are used as input, and the message is common to the two blockciphers. There is no dependency between the two chaining values used as input. In other words, the computations of the two blockciphers used in the compression function are completely isolated. For example, given the input and output \(\left( x_1, y_1 \rightarrow x_2, y_2\right) \), if the input is swapped then the new output is the swapped old output \(\left( y_1, x_1 \rightarrow y_2, x_2\right) \). That is, the construction suffers from a symmetry property. Therefore, certain changes are made in the proposed construction (Fig. 2). For example, a constant bit 0 or 1 is used in each of the blockciphers as part of the key of the proposed scheme (a trivial practice in cryptography, [14]). Hence, the attacker cannot predict the output chaining values even under the assumption that the attacker can freely alter the input chaining values and the message. This premise is used for breaking the symmetry property of the proposed scheme, where x||y and y||x are treated as two different values. Moreover, the scheme is secure against generic attacks because of the ideal cipher model primitive [26].
Additionally, MDC-2 and MDC-4 are \(\left( n, n\right) \)-bit \(\mathcal {DBL}\) hash functions with efficiency-rates 1 / 2 and 1 / 4 [24], whereas the proposed scheme is based on an \(\left( n, 2n\right) \) blockcipher. Furthermore, a different component function is used compared with MDC-2 and MDC-4. The proposed scheme compresses 4n bits into 2n bits, whereas MDC-2 and MDC-4 compress 3n bits into 2n bits. Furthermore, the proposed scheme satisfies type-1 \(\left( \text {from Stam's conjecture}\right) \), where the two blockciphers \({\mathcal {E}_{\text {l}},\,\mathcal {E}_{\text {r}}}\) are distinct and independent under the ICM [8, 16]. In general, the proposed scheme is defined as a variant of MDC-2 and MDC-4.
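The following Python model is an added illustration, not code from the paper: it simulates the ideal cipher of Sect. 2.1 by lazy sampling on a toy 16-bit block, and contrasts two isolated cipher branches sharing one message (the MDC-2 situation described above) with the same structure after a constant bit 0 / 1 is appended to each key. Both compression functions are simplified stand-ins written for this illustration, not the exact definitions of MDC-2 or of the proposed scheme.

```python
import random

N_BITS = 16                   # toy block length (constructed; the paper uses n = 128)


class IdealCipher:
    """Ideal cipher model of Sect. 2.1, lazily sampled: every key names an
    independent random permutation on n-bit blocks, built on first use so
    that E and E^-1 always agree with each other."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.fwd = {}   # key -> {plaintext: ciphertext}
        self.bwd = {}   # key -> {ciphertext: plaintext}

    def _tables(self, key):
        return self.fwd.setdefault(key, {}), self.bwd.setdefault(key, {})

    def enc(self, key, x):
        f, b = self._tables(key)
        if x not in f:
            y = self.rng.getrandbits(N_BITS)
            while y in b:               # reject used outputs: keep a permutation
                y = self.rng.getrandbits(N_BITS)
            f[x], b[y] = y, x
        return f[x]

    def dec(self, key, y):
        f, b = self._tables(key)
        if y not in b:
            x = self.rng.getrandbits(N_BITS)
            while x in f:               # same rule for the inverse direction
                x = self.rng.getrandbits(N_BITS)
            f[x], b[y] = y, x
        return b[y]


def compress_isolated(E, x, y, m):
    """Simplified model of the MDC-2 drawback: the two cipher calls share
    the message m and each is keyed by one chaining value alone, so the
    two branches are structurally identical and interchangeable."""
    return (E.enc(x, m) ^ m, E.enc(y, m) ^ m)


def compress_tagged(E, x, y, m):
    """Same shape, but a constant bit 0 / 1 is appended to each key (the
    remedy used by the proposed scheme), so the left and right branches
    are no longer interchangeable and x||y, y||x are distinct inputs."""
    return (E.enc((x << 1) | 0, m) ^ m, E.enc((y << 1) | 1, m) ^ m)


def swap_symmetric(compress, E, x, y, m):
    """True when swapping the chaining inputs merely swaps the outputs."""
    left, right = compress(E, x, y, m)
    left2, right2 = compress(E, y, x, m)
    return (left2, right2) == (right, left)


def symmetric_fraction(compress, trials=1000, seed=1):
    """Fraction of random (x, y, m) triples for which the symmetry holds."""
    E = IdealCipher(seed)
    rng = random.Random(seed + 1)
    hits = 0
    for _ in range(trials):
        x, y, m = (rng.getrandbits(N_BITS) for _ in range(3))
        if swap_symmetric(compress, E, x, y, m):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("isolated branches:", symmetric_fraction(compress_isolated))  # 1.0
    print("tagged keys:      ", symmetric_fraction(compress_tagged))    # 0.0
```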
Definition 1
Let \({\mathcal {E} \in \mathcal {BLOCK}_n^k}\) be a blockcipher taking a k-bit key and an n-bit block such that \(\mathcal {E}_{\text {l},\text {r}} : {\left\{ {0,1} \right\} ^k} \times {\left\{ {0,1} \right\} ^n} \rightarrow {\left\{ {0,1} \right\} ^n}\). \(\mathcal {E}^{\text {dbl}} : {\left\{ {0,1} \right\} ^k} \times {\left\{ {0,1} \right\} ^{2n}} \rightarrow {\left\{ {0,1} \right\} ^{2n}}\) is defined as a double block length \(\left( \text {dbl}\right) \) cipher consisting of parallel calls of the two independent blockciphers \({\mathcal {E}_{\text {l},\,\text {r}}}\) such that,
where the parameters are defined as \({m_i} \in {\left\{ {0,1} \right\} ^{2n - 1}}\), \(\left( {a,b,x,y} \right) \in {\left\{ {0,1} \right\} ^n}\), \(l\left( {{m_i}} \right) = {\text {lsb of }}{m_i} \in {\left\{ {0,1} \right\} ^n}\), and \(c = \left\{ 1 \right\} \). Thus, the final output is \(f_\mathcal {E} \left( {{a_i},{b_i}} \right) \) where,
Definition 2
Let \(f_\mathcal {E} : {\left\{ {0,1} \right\} ^{k}} \times {\left\{ {0,1} \right\} ^{2n}} \rightarrow {\left\{ {0,1} \right\} ^{2n}}\) be a blockcipher based compression function such that \(\left( {{a_i},{b_i}} \right) = f_\mathcal {E}\left( {{a_{i-1}},{b_{i-1}},{m_i}} \right) \), where \({a_i} \in {\left\{ {0,1} \right\} ^n}\), \({b_i} \in {\left\{ {0,1} \right\} ^n}\), \({m_i} \in {\left\{ {0,1} \right\} ^{2n - 1}}\), and \(c = \left\{ {0,1} \right\} \). Therefore, \({f_\mathcal {E}}\) consists of the ideal blockcipher \(\left( \mathcal{E} \right) \) such that:
4 Security Analysis
The security proof of the proposed scheme follows the ICM [16, 17], where \(\mathcal {A}\) is not allowed to make any duplicate query. For example, the query \({\mathcal {E}\left( {k},{x}\right) }={y}\) is not executed by the adversary if the query \({\mathcal {E}^{-1}\left( {k}, {y}\right) = {x}}\) is already in the query storage \(\left( \mathcal {Q}\right) \). The adversary \(\mathcal {A}\) searches for a collision between a pair of different inputs \(\left( \text {queries}\right) \) through the blockcipher oracle. Additionally, \(\mathcal {A}\) tries to find an output of the compression function that collides with the initial chaining value. Moreover, the preimage attack means that the adversary \(\mathcal {A}\) selects \(\alpha ', \beta '\) randomly and tries to find \(f\left( \alpha ,\beta ,m\right) =\left( \alpha ',\beta '\right) \). In all cases, the advantage of \(\mathcal {A}\) in achieving the above success is very limited.
4.1 Collision Security Analysis
An adversary \(\mathcal {A}\) has access to a blockcipher oracle for finding a collision. The query is \({Q_i}\) and the corresponding response is a triple \((m:\text {message},\,k: \text {key}, c: \text {ciphertext})\). For any i-th iteration \(\left( i \le q\right) \), the query is either of the form \({Q_i}\in \left\{ \left( m, k\right) =c\right\} \) or \({Q_i}\in \left\{ \left( c, k\right) =m\right\} \). Each \({Q_i}\) is stored in the query storage \({\mathcal {Q}} = \left( {{Q_1},{Q_2},...,{Q_i}} \right) \) at iteration i. Under these circumstances, adversary \(\mathcal {A}\) has the target to find,
According to the definition of the proposed scheme, Eq. 1 is re-defined as:
Theorem 1
Let \(f_\mathcal {E}\) be a double block-length compression function (Definitions 1 and 2). An adversary \({\mathcal {A}}\) is assigned to find a collision \(\left( \text {coll}\right) \) under \(f_\mathcal {E}\) after q pairs of queries. Then the advantage of \({\mathcal {A}}\) is bounded by,
Proof
An adversary \(\mathcal {A}\) makes relevant queries to the blockcipher oracle, where the number of queries is limited to q. For any i-th query, the replies \({x_i}\) and \({y_i}\) are returned to the adversary at random by the blockcipher oracle. The main difficulty is to determine the size of the set from which these fresh values come. There are three possible incidents that are responsible for a collision-hit in any i-th iteration. In the beginning, the three incidents are clarified through two targets \(\left( {\mathcal {TAR}}1,\, {\mathcal {TAR}}2\right) \). The goal of the first incident is to find a collision between two distinct queries \(\left( j<i\right) \), and \({\mathcal {TAR}}1\) represents this first incident. \({\mathcal {TAR}}2\) is responsible for the second and third incidents, in which \(\mathcal {A}\) has the target to find a collision through a single query and, furthermore, investigates a collision against the initial chaining values. Finally, three phases \(\mathcal {QUERY}\), \(\mathcal {RESPONSE}\), and \(\mathcal {CHECK}\) are defined under \({\mathcal {TAR}}1\) and \({\mathcal {TAR}}2\). The adversary \(\mathcal {A}\) is allowed to ask queries to the blockcipher oracle in the \(\mathcal {QUERY}\) phase. The corresponding feedback is assigned in the \(\mathcal {RESPONSE}\) phase. In addition, a collision is checked in the \(\mathcal {CHECK}\) phase.
Collision probability based on the first incident \(\left( {\mathcal {TAR}}1\right) \). In an iteration i, a pair of queries is executed that returns two distinct outputs. According to Algorithm 1, there is a chance of a collision between two different query-pairs after any i-th \(\left( j<i<q\right) \) iteration. For example, the query pair of the j-th iteration is:
Moreover, the query responses on the i-th \(\left( j<i\right) \) iteration are \({a_i} \leftarrow {E_{\mathrm{{l}},\bar{m}||c}}\left( {\overline{{a_{i - 1}} \oplus l\left( {{m_i}} \right) } } \right) \oplus \left( {{a_{i - 1}} \oplus l\left( {{m_i}} \right) } \right) \oplus c\) and \({{b_i} \leftarrow {E_{\mathrm{{r}},m||\bar{c}}}\left( {{a_{i - 1}} \oplus l\left( {{m_i}} \right) } \right) \oplus \left( {{a_{i - 1}} \oplus l\left( {{m_i}} \right) } \right) \oplus \bar{c}}\). Let \({^{{\mathcal {TAR}}1}{\mathcal {C}_i}}\) be the event that the adversary finds a collision between two different iterations \(\left( j<i\le q\right) \). Thus, Eq. 2 is re-defined as:
From Eqs. 3 and 4, the probability of a collision hit under the event \({^{{\mathcal {TAR}}1}{\mathcal {C}_i}}\) is \(\frac{{2(i - 1)}}{{{{\left( {{2^n} - \left( {i - 1} \right) } \right) }^2}}}\) \(\left( \text {when}\,j <i \le q\right) \). Therefore, the probability of a single event under \({\mathcal {TAR}}1\) is:
Let \({^{{\mathcal {TAR}}1}{\mathcal {C}}}\) be the event of all colliding pairs under \(f_{\mathcal {E}}\) for q pairs of queries. Hence,
Collision probability based on the second and third incidents \(\left( {\mathcal {TAR}}2\right) \). Let \(a_i, b_i\) be the output of the compression function \(\left( i<q\right) \), where
Hence, there is a probability of a collision when \(a_i=b_i\). Let \({^{{\mathcal {TAR}}2}{\mathcal {C}_i}}\) be the collision event for the above condition in the check phase of \(i < q\). Furthermore, there is an option to make a collision with the initial chaining values. For example, the output pair \(a_{i},\,b_{i}\) of the proposed scheme collides with the initial chaining values \(\left( a_0,\,b_0\right) \) at some phase of the query process. Therefore, the conditions of a collision-hit under the initial key attack are \(\left\{ {a_i} \in \left\{ {a_0}, {b_0} \right\} \right\} \vee \left\{ {b_i} \in \left\{ {a_0}, {b_0} \right\} \right\} \).
Hence, the probability of a collision under these two incidents is at most \(1/({2^n}-i) \times 2 \times 2/({2^n}-i)\). Finally, the probability of these two incidents under the event \({^{{\mathcal {TAR}}2}{\mathcal {C}}}\) for q pairs of queries is:
Adding Eqs. 5 and 6 yields the bound of Theorem 1.
4.2 Preimage Security Analysis
The standard proof technique of Armknecht et al. [14] is used for the preimage security proof of the proposed scheme. The PR security bounds of MR, Weimar, Hirose, Tandem and Abreast are also based on [14]. Two important concepts are adopted from [6, 14]: the super query and normal query, and the adjacent query-pair. Let \(\mathcal {A}\) randomly pick the output value \(\left( {a',\,b'}\right) \) of the compression function. Now \(\mathcal {A}\) has the target of a preimage-hit, i.e. the condition \(f_\mathcal {E}^\mathrm{{p}}\left( {{a_i},{b_i},m} \right) = \left( {a',b'} \right) \), where \({{a_i},{b_i},m}\) are the inputs of the compression function and \({{a_i} \ne {b_i}}\).
Theorem 2
Let \(f_\mathcal {E}\) be a double block-length compression function. An adversary \(\mathcal {A}\) is defined for finding a preimage-hit under \(f_\mathcal {E}\) after q pairs of queries. Then the advantage of \(\mathcal {A}\) is bounded by,
Proof
An adversary \(\mathcal {A}\) keeps a query database of the form,
In this fashion, when the oracle size reaches N / 2 \(\left( N: \text {oracle size}, N = 2^{n}\right) \), the rest of the queries under that key are given to the adversary as free queries [6, 14, 25]. This free set of queries forms the domain called the super query database \(\left( \mathcal {SQD}\right) \). On the other hand, the first N / 2 queries form the normal query database \(\left( \mathcal {NQD}\right) \) [14]. Additionally, the free queries are asked by the adversary non-adaptively in the super query database \(\left( \mathcal {SQD}\right) \). Therefore, the conditions for a successful preimage-hit are:
Equations 7 and 8 can occur either in the domain of a normal query win \(\left( \mathcal {NQW}\right) \) or of a super query win \(\left( \mathcal {SQW}\right) \). Therefore, the probability of a preimage-hit is \(\Pr \left[ {{\mathcal {NQW}}} \right] + \Pr \left[ {{\mathcal {SQW}}} \right] \).
Probability of \(\mathcal {NQW}\). The adversary \(\mathcal {A}\) makes any relevant query independently and receives \({a_i},\,{b_i}\). Furthermore, \(\mathcal {A}\) continues until the oracle set size reaches N / 2 [6, 14]. According to the above conditions (7, 8), the hitting probability is .
If \(\mathcal {A}\) makes the query \({\mathcal {E}_{\text {l},{\overline{m}_i}||c}}\left( {\overline{{a_{i - 1}} \oplus l\left( {{m_i}} \right) } } \right) \) \(\left( \text {left block}\right) \), then the answer of the right block is provided as a free query to \(\mathcal {A}\) because of the adjacent query pair [6, 14]. Thereafter, the set size is \((2^{n}-q)/2\), which gives the probability as . Thus, the probability of the normal query win is:
Probability of \(\mathcal {SQW}\). The concept of a super query oracle is very simple [6, 14]. If the query oracle reaches the point of N / 2, then the rest of the queries are given free to the adversary [6, 14]. Later, these queries are asked by the adversary non-adaptively [14] for finding a preimage-hit (Algorithm 3). Moreover, the preimage-hit either occurs in this domain \(\left( \mathcal {SQD}\right) \) or not. Thus, the probability is either 2 / N or 0 for any output value \(a_{i}/b_{i}\). Now the pair of conditions under \(\mathcal {SQW}\) is:
According to Eq. 10, the answer for \({a_i}\) may come from a set of size N / 2. Hence, the probability is 2 / N. Recalling the concept of an adjacent query pair \(\left( \text {free query}\right) \) [6, 14], the answer of the other block \(\left( \text {right block}\right) \) also comes from a set of size N / 2. As a result, the total probability of Eq. 10 is \({4/N^{2}}\). Similarly, the probability of Eq. 11 is \({4/N^{2}}\). Now, the final probability of \(\mathcal {SQW}\) is evaluated based on the number of points for a \(\mathcal {SQW}\), the cost of a \(\mathcal {SQW}\), and the probability of obtaining a preimage-hit, as follows:
5 Result Analysis
5.1 Collision Resistance Analysis
Theorem 1 gives the probability of a collision hit for the given adversary \({\mathcal {A}}\). The number of queries \(\left( q\right) \) is important for finding an upper bound on the collision security. Hence, the value of q is investigated at the point where the adversarial advantage is 1 / 2 \(\left( \text {birthday attack}\right) \).
Let \(N = {2^n}\) and \({\text {Adv}}_{f_E}^{{\text {coll}}}({\mathcal A}) \le \frac{{6{q^2} - 2q}}{{{{\left( {{2^n} - q} \right) }^2}}}\) [Theorem 1], where \(n=128\). According to the birthday attack [1, 6, 13, 20, 21], set \({\text {Adv}}_{f_\mathcal {E}}^{\text {coll}}\left( {\mathcal A} \right) = \frac{1}{2}\). Thus, the number of queries is \(q = {2^{125.84}}\).
5.2 Efficiency-rate
The efficiency-rate of a blockcipher based compression function is defined as \(r = \frac{{\left| m \right| }}{{\left( {n \times \# E} \right) }}\), where |m| is the message length, n the blocklength, and \({\#E}\) the number of blockcipher calls. According to the definitions (Definitions 1 and 2) of the proposed scheme, the efficiency-rate is \(r = 0.996 \Rightarrow r \approx 1\). In Fig. 3, the proposed scheme is compared with the existing schemes with respect to the efficiency-rate.
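As an added check, not code from the paper, the following Python script evaluates the Theorem 1 bound exactly as quoted in Sect. 5.1, solves for the number of queries at which it reaches 1/2, and computes the efficiency-rate of Sect. 5.2. The proposed scheme's message length 2n − 1 and \(\#E = 2\) are taken from Definition 1 and the contribution list; the other schemes' rates are the values stated in this paper's text, since their |m| is not given on the page.

```python
import math


def coll_bound(q, n=128):
    """Theorem 1 as quoted in Sect. 5.1: Adv^coll(A) <= (6q^2 - 2q) / (2^n - q)^2.
    Computed on exact integers so that 2^128-scale values lose no precision."""
    N = 2 ** n
    return (6 * q * q - 2 * q) / (N - q) ** 2


def queries_for_advantage(target=0.5, n=128):
    """Largest q for which the bound is still below `target`.
    Bisection is valid because the bound increases with q on 1 <= q < 2^n
    (the numerator grows while the denominator shrinks)."""
    lo, hi = 1, 2 ** n - 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if coll_bound(mid, n) < target:
            lo = mid
        else:
            hi = mid
    return lo


def collision_log2_queries(n=128):
    """log2 of the query count at which the Theorem 1 bound reaches 1/2
    (the paper reports 125.84 for n = 128)."""
    return math.log2(queries_for_advantage(0.5, n))


def efficiency_rate(msg_bits, n, calls):
    """r = |m| / (n * #E), the definition of Sect. 5.2."""
    return msg_bits / (n * calls)


# Efficiency-rates per scheme. The proposed scheme is computed from its
# parameters (|m| = 2n - 1 bits per call, n = 128, #E = 2); the remaining
# entries are the rates stated in the paper's Introduction and Table 1.
SCHEMES = {
    "proposed": efficiency_rate(2 * 128 - 1, 128, 2),
    "MR": 1 / 2, "Weimar": 1 / 2, "Hirose": 1 / 2,
    "Tandem": 1 / 2, "Abreast": 1 / 2, "Nandi": 2 / 3, "ISA09": 2 / 3,
}


if __name__ == "__main__":
    print("log2 q at Adv = 1/2:", round(collision_log2_queries(), 2))  # 125.84
    for name, r in SCHEMES.items():
        print(f"{name:9s} r = {r:.3f}")
```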
5.3 Performance Analysis
In this section, a comparative study of the proposed scheme with respect to memory resources is given. It is known that 176 bytes of memory are required for a single key scheduling [27]. As an example, a 2n-bit message is taken for encryption. Therefore, Tables 3 and 4 are constructed based on the characteristics of the current familiar schemes and the proposed scheme. For any \(\mathcal {DBL}\) compression function, the output is 2n bits. Therefore, assume that a minimum of \(2n \rightarrow {\gamma }\) bits is required to store the output value \(\left( \text {denoted as}\,\, \mathcal {V}\right) \) of the i-th iteration. In Table 4, the message size is 2n bits as an example. Hence, the memory resource does not need to store the output for the proposed scheme. Next, the above cost (Table 4) is generalized, including the number of iterations \(\left( l\right) \), for a tn-bit message \(\left( t > 2\right) \) in Table 5. Additionally, the proposed scheme is faster than MR, Weimar, Tandem, and Abreast in certain cases \(\left( \text {if}\,\, m > 2n\right) \).
6 Conclusion
This paper studied the gap between the security bound and the efficiency of the compression function of a cryptographic hash. Additionally, the study shows that the blockcipher based compression function is more suitable than the scratch based construction as a security solution for IoT-end devices, RFID, and constrained devices. Thus, a more efficient compression function \(\left( \text {blockcipher based}\right) \) is proposed in this paper. The proposed scheme provides an improved efficiency-rate, fewer blockcipher calls, and a reasonable security bound. It uses two calls with the 2n-bit key property, where the two blockciphers are independent. The proof technique of this scheme depends on the ICM tool. The proposed scheme has the property of fixed size message encryption. This property opens a window for new applications, where a variable length message can be encrypted without padding. Finally, the proposed scheme is secure under one of the modes of PGV, which can be extended to make the scheme secure under all modes of PGV [17–19].
References
Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y.: Hash functions and RFID tags: mind the gap. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 283–299. Springer, Heidelberg (2008)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography, 5th edn. CRC Press, Boca Raton (2001)
Kaps, J.-P., Sunar, B.: Energy comparison of AES and SHA-1 for ubiquitous computing. In: Zhou, X., Sokolsky, O., Yan, L., Jung, E.-S., Shao, Z., Mu, Y., Lee, D.C., Kim, D.Y., Jeong, Y.-S., Xu, C.-Z. (eds.) EUC Workshops 2006. LNCS, vol. 4097, pp. 372–381. Springer, Heidelberg (2006)
Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
Fleischmann, E., Forler, C., Lucks, S., Wenzel, J.: Weimar-DM: a highly secure double-length compression function. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 152–165. Springer, Heidelberg (2012)
Lee, J., Kapitanova, K., Son, S.H.: The price of security in wireless sensor networks. Comput. Netw. 54(17), 2967–2978 (2010). Elsevier
Özen, O., Stam, M.: Another glance at double-length hashing. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009)
Lee, J., Stam, M.: MJH: a faster alternative to MDC-2. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 213–236. Springer, Heidelberg (2011)
Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)
Lee, J., Kwon, D.: The security of abreast-DM in the ideal cipher model. IEICE Trans. 94–A(1), 104–109 (2011)
Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal cipher model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011)
Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)
Armknecht, F., Fleischmann, E., Krause, M., Lee, J., Stam, M., Steinberger, J.: The preimage security of double-block-length compression functions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 233–251. Springer, Heidelberg (2011)
Mennink, B.: Optimal collision security in double block length hashing with single length key. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 526–543. Springer, Heidelberg (2012)
Black, J.A., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)
Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. J. Cryptol. 23, 519–545 (2010)
Hirose, S., Kuwakado, H.: Collision resistance of hash functions in a weak ideal cipher model. IEICE Trans. 95A(1), 251–255 (2012)
Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007)
Nandi, M., Lee, W.I., Sakurai, K., Lee, S.-J.: Security analysis of a 2/3-Rate double length compression function in the black-box model. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 243–254. Springer, Heidelberg (2005)
Lee, J., Hong, S., Sung, J., Park, H.: A new double-block-length hash function using feistel structure. In: Park, J.H., Chen, H.-H., Atiquzzaman, M., Lee, C., Kim, T., Yeo, S.-S. (eds.) ISA 2009. LNCS, vol. 5576, pp. 11–20. Springer, Heidelberg (2009)
Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 128(4), 656–715 (1949)
Miyaji, A., Mazumder, R.: A new (n, 2n) double block length hash function based on single key scheduling. In: IEEE Explore, AINA, pp. 564–570 (2015)
Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: Counter-bDM: a provably secure family of multi-block-length compression functions. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 440–458. Springer, Heidelberg (2014)
Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
Dodis, Y., Puniya, P.: On the relation between the ideal cipher and the random oracle models. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 184–206. Springer, Heidelberg (2006)
Joan, D., Vincent, R.: The Design of Rijndael, AES-The Advanced Encryption Standard. Springer, Heidelberg (2002). ISBN: 978-3-662-04722-4
Kuwakado, H., Hirose, S.: Hashing mode using a lightweight blockcipher. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 213–231. Springer, Heidelberg (2013)
Burak, D.: Parallelization of a block cipher based on chaotic neural networks. In: Rutkowski, L., et al. (eds.) ICAISC 2015, Part II. LNCS(LNAI), vol. 9120, pp. 191–201. Springer, Switzerland (2015)
Bos, J.W., Özen, O., Stam, M.: Efficient hashing using the AES instruction set. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 507–522. Springer, Heidelberg (2011)
Mazumder, R., Miyaji, A.: A new scheme of blockcipher hash. IEICE Trans. 99–D(4), 796–804 (2016)
Knudsen, L.R., Mendel, F., Rechberger, C., Thomsen, S.S.: Cryptanalysis of MDC-2. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 106–120. Springer, Heidelberg (2009)
Miyaji, A., Mazumder, R., Sawada, T.: A new (n, n) blockcipher hash function: apposite for short messages. In: IEEE Explore, Asia JCIS, pp. 56–63 (2014)
Mazumder, R., Miyaji, A.: A single key scheduling based compression function. In: Lambrinoudakis, C., Gabillon, A. (eds.) CRiSIS 2015. LNCS, vol. 9572, pp. 207–222. Springer, Switzerland (2015)
Barreto, L., Celesti, A., Villari, M., Fazio, M., Puliafito, A.: An authentication model for IoT clouds. In: IEEE Explore, ASONAM, pp. 1032–1035 (2015)
Riahi, A., Natalizio, E., Challal, Y., Mitton, N., Iera, A.: A systemic and cognitive approach for IoT security. In: IEEE Explore, ICNC, pp. 183–188 (2014)
Lee, J.Y., Huang, Y.H.: A lightweight authentication protocol for internet of things. In: IEEE Explore, ISNE, pp. 1–2 (2014)
Jing, Q., Vasilakos, A.V., Wan, J.: Security of the internet of things: perspectives and challenges. Wirel. Netw. 20(8), 2481–2501 (2014). Springer
Abomhara, M., Kien, G.M.: Security and privacy in the internet of things: current status and open issues. In: IEEE Explore, PRIMS, pp. 1–8 (2014)
Zanella, A., Bui, N., Castellani, A., Vangelista, L., Zorzi, M.: Internet of things for smart cities. IEEE Internet Things J. 1(1), 22–32 (2014)
Xu, L.D., He, W., Li, S.: Internet of things in industries: a survey. IEEE Trans. Ind. Inf. 10(4), 2233–2243 (2014)
Hirose, S., Ideguchi, K., Kuwakado, H., Owada, T., Preneel, B., Yoshida, H.: A lightweight 256-Bit hash function for hardware and low-end devices: Lesamnta-LW. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 151–168. Springer, Heidelberg (2011)
Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit Blockcipher CLEFIA, IACR archive, Extended Abstract. https://www.iacr.org/archive/fse2007/45930182/45930182.pdf
Yoshida, H.: On the standardization of cryptographic application techniques for IoT devices in ITU-T and ISO/IEC JTC 1 (2015). https://www.ietf.org/proceedings/94/slides/slides-94-saag-2.pdf
Fleischmann, E., Forler, C., Lucks, S.: The collision security of MDC-4. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 252–269. Springer, Heidelberg (2012)
© 2016 IFIP International Federation for Information Processing
Mazumder, R., Miyaji, A., Su, C. (2016). An Efficient Construction of a Compression Function for Cryptographic Hash. In: Buccafurri, F., Holzinger, A., Kieseberg, P., Tjoa, A., Weippl, E. (eds) Availability, Reliability, and Security in Information Systems. CD-ARES 2016. Lecture Notes in Computer Science(), vol 9817. Springer, Cham. https://doi.org/10.1007/978-3-319-45507-5_9
DOI: https://doi.org/10.1007/978-3-319-45507-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45506-8
Online ISBN: 978-3-319-45507-5