Abstract
Designing a cryptographic scheme with minimal components is a main theme in cryptographic research. Regarding double-block-length (DBL) hashing, feed-forward operations are used to avoid attacks from the blockcipher’s decryption function, whereas Özen and Stam showed that by using an iterated structure the feed-forward operations can be eliminated. Precisely, DBL iterated hash functions are collision resistant up to about \(2^n\) query complexity when a blockcipher with n-bit blocks is used.
Regarding the security of hash functions, pseudorandom-oracle (PRO) security, which is a stronger security notion than collision resistance, is an important security criterion of hash functions. Though several DBL hash functions with PRO security have been proposed, these use feed-forward operations. Note that Özen-Stam’s hash functions are not secure PROs due to the length-extension attack. Hence, it remains an open problem to design a PRO-secure DBL hash function without feed-forward operations.
In this paper, we show that the feed-forward operations in the PRO-secure DBL hash function can be eliminated, that is, the simplified scheme is a secure PRO up to about \(2^n\) query complexity. To our knowledge, this is the first PRO-secure DBL hash function without feed-forward operations.
Notes
1. A collision means that there exist distinct blocks ending at the same node, that is, \(u' \xrightarrow {m'} u\) and \(u^*\xrightarrow {m^*} u\).
References
Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_21
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_31
Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). doi:10.1007/11535218_26
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). doi:10.1007/0-387-34805-0_39
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993). doi:10.1007/3-540-57332-1_17
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
Fleischmann, E., Forler, C., Gorski, M., Lucks, S.: Collision resistant double-length hashing. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 102–118. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16280-0_7
Fleischmann, E., Forler, C., Lucks, S., Wenzel, J.: Weimar-DM: a highly secure double-length compression function. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 152–165. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31448-3_12
Fleischmann, E., Gorski, M., Lucks, S.: Security of cyclic double block length hash functions. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_10
Gong, Z., Lai, X., Chen, K.: A synthetic indifferentiability analysis of some block-cipher-based hash functions. Des. Codes Crypt. 48(3), 293–305 (2008)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_22
Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006). doi:10.1007/11799313_14
Hirose, S., Kuwakado, H.: A block-cipher-based hash function using an MMO-type double-block compression function. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 71–86. Springer, Cham (2014). doi:10.1007/978-3-319-12475-9_6
Hirose, S., Naito, Y., Sugawara, T.: Output masking of tweakable Even-Mansour can be eliminated for message authentication code. In: SAC 2016. LNCS. Springer (to appear, 2016)
Hirose, S., Park, J.H., Yun, A.: A simple variant of the Merkle-Damgård scheme with a permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_7
Kurosawa, K.: Power of a public random permutation and its application to authenticated encryption. IEEE Trans. Inf. Theory 56(10), 5366–5374 (2010)
Kuwakado, H., Hirose, S.: Hashing mode using a lightweight blockcipher. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 213–231. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_13
Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993). doi:10.1007/3-540-47555-9_5
Lee, J., Kwon, D.: The security of Abreast-DM in the ideal cipher model. IEICE Trans. 94–A(1), 104–109 (2011)
Lee, J., Stam, M.: MJH: a faster alternative to MDC-2. Des. Codes Crypt. 76(2), 179–205 (2015)
Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal cipher model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_32
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_3
Lucks, S.: A collision-resistant rate-1 double-block-length hash function. In: Symmetric Cryptography, 07.01.–12.01.2007. Dagstuhl Seminar Proceedings, vol. 07021. Internationales Begegnungs- und Forschungszentrum fuer Informatik (IBFI), Schloss Dagstuhl, Germany (2007)
Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24638-1_2
Mennink, B.: Optimal collision security in double block length hashing with single length key. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 526–543. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_32
Mennink, B.: Indifferentiability of double length compression functions. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 232–251. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_14
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). doi:10.1007/0-387-34805-0_40
Meyer, C., Matyas, S.: Secure program load with Manipulation Detection Code. In: SECURICOM, pp. 111–130 (1988)
Naito, Y.: Blockcipher-based double-length hash functions for pseudorandom oracles. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 338–355. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28496-0_20
NIST: Announcing the Advanced Encryption Standard (AES). In: FIPS 197 (2001)
Özen, O., Stam, M.: Another glance at double-length hashing. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_11
Preneel, B., Bosselaers, A., Govaerts, R., Vandewalle, J.: Collision-free hash functions based on blockcipher algorithms. In: Proceedings of 1989 International Carnahan Conference on Security Technology, pp. 203–210 (1989)
Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_31
Rabin, M.O.: Digitalized signatures. In: Foundations of Secure Computation 1978. pp. 155–166. Academic Press, New York (1978)
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_2
Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_23
Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_5
Steinberger, J.P.: The collision intractability of MDC-2 in the ideal-cipher model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72540-4_3
Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). doi:10.1007/978-3-642-35999-6_22
Appendices
A Upper Bound of \(\Pr [\mathcal {D}^{G1} \Rightarrow 1] - \Pr [\mathcal {D}^{G2} \Rightarrow 1]\)
Let \(\mathsf {G}_i = \left( \mathcal {D}^{Gi} \Rightarrow 1 \right) \) be an event.
From \(\Pr [\mathsf {G}_1 | \lnot \mathsf {bad}_1]=\Pr [\mathsf {G}_2 | \lnot \mathsf {bad}_2]\), we have
B Proof of Theorem 1
We show that for any distinguisher \(\mathcal {D}\) there exist distinguishers \(\mathcal {D}_1\) and \(\mathcal {D}_2\), and a simulator \(\mathsf {S}\) such that
where
- \(\mathsf {S}^\mathcal {RO}=(\mathsf {S}_E^\mathcal {RO},\mathsf {S}_{E^{-1}}^\mathcal {RO})\) is a simulator of the PRO security of \(\mathsf {F}^{E}\),
- \(\mathsf {S}_1^{\mathcal {RO}}=(\mathsf {S}1_g^{\mathcal {RO}},\mathsf {S}1_E^{\mathcal {RO}},\mathsf {S}1_{E^{-1}}^{\mathcal {RO}})\) is a simulator of the PRO security of \(\mathsf {F}_{1}^{g,E}\), and
- \(\mathsf {S}_2^{g,E,E^{-1}}=(\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}})\) is a simulator of the indifferentiability of \(\mathsf {F}^{E}\) from \(\mathsf {F}_{1}^{g,E}\).
We first transform the advantage \(\mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D})\) as follows.
We then define \(\mathsf {S}\) and \(\mathcal {D}_1\) as
where \((L,R_g,R_E,R_{E^{-1}})\) is either \((\mathsf {F}_{1}^{g,E},g,E,E^{-1})\) or \((\mathcal {RO},\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO})\). Then we have
We define \(\mathcal {D}_2\) as \(\mathcal {D}_2^{L,R_E,R_{E^{-1}}} = \mathcal {D}^{L,R_E,R_{E^{-1}}}\), where \((L,R_E,R_{E^{-1}})\) is either \((\mathsf {F}^{E},E,E^{-1})\) or \((\mathcal {RO},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}})\). Then we have
Next, Lemma 1 and Lemma 2 are applied to the above inequality. Assume that \(\mathcal {D}\) makes at most \(q_L,q_F,q_I\) queries to \(L,R_E, R_{E^{-1}}\), respectively, and that the maximum number of message blocks of a query to L is \(\ell \). In this case,
- \(\mathcal {D}_1\) makes at most \(q_L,q_F+q_I,2q_F+q_I,q_I\) queries to \(L,R_g,R_E,R_{E^{-1}}\), respectively, and the maximum number of message blocks of a query to L is \(\ell \), and
- \(\mathcal {D}_2\) makes at most \(q_L,q_F,q_I\) queries to \(L,R_E,R_{E^{-1}}\), respectively, and the maximum number of message blocks of a query to L is \(\ell \).
Let \(\sigma _{F}= 2(\ell +1) q_L + q_F\) be the total number of \(E\) calls and \(\sigma = \sigma _{F} + q_I\) the total number of \((E,E^{-1})\) calls. Then, putting the above parameters into Lemma 1 gives \(\alpha _F = 2(\ell q_L + 2q_F+q_I)\), \(\alpha = 2(\ell q_L + 2q_F+2q_I)\), and then
Putting the above parameters into Lemma 2 gives
Hence we have
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Naito, Y. (2017). Indifferentiability of Double-Block-Length Hash Function Without Feed-Forward Operations. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol. 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_3
DOI: https://doi.org/10.1007/978-3-319-59870-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59869-7
Online ISBN: 978-3-319-59870-3