Indifferentiability of Double-Block-Length Hash Function Without Feed-Forward Operations

Abstract

Designing a cryptographic scheme with minimal components is a main theme in cryptographic research. Regarding double-block-length (DBL) hashing, feed-forward operations are used to avoid attacks from the blockcipher’s decryption function, whereas Özen and Stam showed that by using an iterated structure the feed-forward operations can be eliminated. Precisely, DBL iterated hash functions are collision resistant up to about \(2^n\) query complexity when a blockcipher with n-bit blocks is used.

Regarding the security of hash functions, pseudorandom-oracle (PRO) security, which is a stronger security notion than collision resistance, is an important security criterion of hash functions. Though several DBL hash functions with PRO security have been proposed, these use feed-forward operations. Note that Özen-Stam’s hash functions are not secure PROs due to the length-extension attack. Hence, it remains an open problem to design a PRO-secure DBL hash function without feed-forward operations.

In this paper, we show that the feed-forward operations in the PRO-secure DBL hash function can be eliminated, that is, the simplified scheme is a secure PRO up to about \(2^n\) query complexity. To our knowledge, this is the first time PRO-secure DBL hash function without feed-forward operations.

Appendices

A Upper Bound of \(\Pr [\mathcal {D}^{G1} \Rightarrow 1] - \Pr [\mathcal {D}^{G2} \Rightarrow 1]\)

Let \(\mathsf {G}_i = \left( \mathcal {D}^{Gi} \Rightarrow 1 \right) \) be an event.

$$\begin{aligned} \Pr [\mathcal {D}^{G1} \Rightarrow 1] - \Pr [\mathcal {D}^{G2} \Rightarrow 1] =&\Pr [\mathsf {G}_1] - \Pr [\mathsf {G}_2] \\ =&\Pr [\mathsf {G}_1 \wedge \mathsf {bad}_1] + \Pr [\mathsf {G}_1 \wedge \lnot \mathsf {bad}_1] \\&-\left( \Pr [\mathsf {G}_2 \wedge \mathsf {bad}_2] + \Pr [\mathsf {G}_2 \wedge \lnot \mathsf {bad}_2] \right) \\ =&\Pr [\mathsf {G}_1 | \mathsf {bad}_1] \Pr [\mathsf {bad}_1] + \Pr [\mathsf {G}_1 | \lnot \mathsf {bad}_1] \Pr [\lnot \mathsf {bad}_1] \\&-\Pr [\mathsf {G}_2 | \mathsf {bad}_2] \Pr [\mathsf {bad}_2] - \Pr [\mathsf {G}_2 | \lnot \mathsf {bad}_2] \Pr [\lnot \mathsf {bad}_2] \end{aligned}$$

From \(\Pr [\mathsf {G}_1 | \lnot \mathsf {bad}_1]=\Pr [\mathsf {G}_2 | \lnot \mathsf {bad}_2]\), we have

$$\begin{aligned} \Pr [\mathcal {D}^{G1} \Rightarrow 1] - \Pr [\mathcal {D}^{G2} \Rightarrow 1] =&\Pr [\mathsf {G}_1 | \mathsf {bad}_1] \Pr [\mathsf {bad}_1] - \Pr [\mathsf {G}_2 | \mathsf {bad}_2] \Pr [\mathsf {bad}_2] \\&+ \Pr [\mathsf {G}_1 | \lnot \mathsf {bad}_1] \left( \Pr [\lnot \mathsf {bad}_1] - \Pr [\lnot \mathsf {bad}_2] \right) \\ =&\Pr [\mathsf {G}_1 | \mathsf {bad}_1] \Pr [\mathsf {bad}_1] - \Pr [\mathsf {G}_2 | \mathsf {bad}_2] \Pr [\mathsf {bad}_2] \\&+ \Pr [\mathsf {G}_1 | \lnot \mathsf {bad}_1] \left( \Pr [\mathsf {bad}_2] - \Pr [\mathsf {bad}_1] \right) \\ \le&\max \{ \mathsf {Pr}[\mathsf {bad}_1], \mathsf {Pr}[\mathsf {bad}_2] \}. \end{aligned}$$

B Proof of Theorem 1

We show that for any distinguisher \(\mathcal {D}\) there exist distinguishers \(\mathcal {D}_1\) and \(\mathcal {D}_2\), and a simulator \(\mathsf {S}\) such that

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D}) \le \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}_{1}^{g,E},\mathsf {S}1}(\mathcal {D}_1)+ \mathsf {Adv}^\mathsf {indiff}_{\mathsf {F}^{E},\mathsf {F}_{1}^{g,E},\mathsf {S}2}(\mathcal {D}_2), \end{aligned}$$

where

• \(\mathsf {S}^\mathcal {RO}=(\mathsf {S}_E^\mathcal {RO},\mathsf {S}_{E^{-1}}^\mathcal {RO})\) is a simulator of the PRO security of \(\mathsf {F}^{E}\),

• \(\mathsf {S}_1^{\mathcal {RO}}=(\mathsf {S}1_g^{\mathcal {RO}},\mathsf {S}1_E^{\mathcal {RO}},\mathsf {S}1_{E^{-1}}^{\mathcal {RO}})\) is a simulator of the PRO security of \(\mathsf {F}_{1}^{g,E}\), and

• \(\mathsf {S}_2^{g,E,E^{-1}}=(\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}})\) is a simulator of the indifferentiability of \(\mathsf {F}^{E}\) from \(\mathsf {F}_{1}^{g,E}\).

We first transform the advantage \(\mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D})\) as follows.

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D}) =&\Pr [\mathcal {D}^{\mathsf {F}^{E},E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}^{\mathcal {RO},\mathsf {S}_E^\mathcal {RO},\mathsf {S}_{E^{-1}}^\mathcal {RO}} \Rightarrow 1]\\ =&\left( \Pr [\mathcal {D}^{\mathsf {F}^{E},E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}^{\mathsf {F}_{1}^{g,E},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}}} \Rightarrow 1] \right) \\&+ \left( \Pr [\mathcal {D}^{\mathsf {F}_{1}^{g,E},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}}} \Rightarrow 1] - \Pr [\mathcal {D}^{\mathcal {RO},\mathsf {S}_E^\mathcal {RO},\mathsf {S}_{E^{-1}}^\mathcal {RO}} \Rightarrow 1] \right) \end{aligned}$$

We then define \(\mathsf {S}\) and \(\mathcal {D}_1\) as

$$\begin{aligned}&\mathsf {S}^\mathcal {RO}=(\mathsf {S}_E^\mathcal {RO},\mathsf {S}_{E^{-1}}^\mathcal {RO}) = (\mathsf {S}2_E^{\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO}},\mathsf {S}2_{E^{-1}}^{\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO}}) \text{ and } \\&\mathcal {D}_1^{L,R_g,R_E,R_{E^{-1}}} = \mathcal {D}^{L,\mathsf {S}2_E^{R_g,R_E,R_{E^{-1}}},\mathsf {S}2_{E^{-1}}^{R_g,R_E,R_{E^{-1}}}} \end{aligned}$$

where \((L,R_g,R_E,R_{E^{-1}})\) is either \((\mathsf {F}_{1}^{g,E},g,E,E^{-1})\) or \((\mathcal {RO},\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO})\). Then we have

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D}) \le&\left( \Pr [\mathcal {D}^{\mathsf {F}^{E},E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}^{\mathsf {F}_{1}^{g,E},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}}} \Rightarrow 1] \right) \\&+ \left( \Pr [\mathcal {D}_1^{\mathsf {F}_{1}^{g,E},g,E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}_1^{\mathcal {RO},\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO}} \Rightarrow 1] \right) \end{aligned}$$

We define \(\mathcal {D}_2\) as \(\mathcal {D}_2^{L,R_E,R_{E^{-1}}} = \mathcal {D}^{L,R_E,R_{E^{-1}}}\) where \(L,R_E,R_{E^{-1}}\) is either \((\mathsf {F}^{E},E,E^{-1})\) or \((\mathcal {RO},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}})\). Then we have

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D}) \le&\left( \Pr [\mathcal {D}_2^{\mathsf {F}^{E},E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}_2^{\mathsf {F}_{1}^{g,E},\mathsf {S}2_E^{g,E,E^{-1}},\mathsf {S}2_{E^{-1}}^{g,E,E^{-1}}} \Rightarrow 1] \right) \\&+ \left( \Pr [\mathcal {D}_1^{\mathsf {F}_{1}^{g,E},g,E,E^{-1}} \Rightarrow 1] - \Pr [\mathcal {D}_1^{\mathcal {RO},\mathsf {S}1_g^\mathcal {RO},\mathsf {S}1_E^\mathcal {RO},\mathsf {S}1_{E^{-1}}^\mathcal {RO}} \Rightarrow 1] \right) \\ =&\mathsf {Adv}^\mathsf {pro}_{\mathsf {F}_{1}^{g,E},\mathsf {S}_11}(\mathcal {D}_1)+ \mathsf {Adv}^\mathsf {indiff}_{\mathsf {F}^{E},\mathsf {F}_{1}^{g,E},\mathsf {S}_2}(\mathcal {D}_2). \end{aligned}$$

Next Lemma 1 and Lemma 2 are applied into the above inequation. Assume that \(\mathcal {D}\) makes queries to \(L,R_E, R_{E^{-1}}\) at most \(q_L,q_F,q_I\), respectively, and the maximum number of message blocks of a query to L is \(\ell \). In this case,

• \(\mathcal {D}_1\) makes queries to \(L,R_g,R_E,R_{E^{-1}}\) at most \(q_L,q_F+q_I,2q_F+q_I,q_I\), respectively, and the maximum number of message blocks of a query to L is \(\ell \), and

• \(\mathcal {D}_2\) makes queries to \(L,R_E,R_{E^{-1}}\) at most \(q_L,q_F,q_I\), respectively, and the maximum number of message blocks of a query to L is \(\ell \).

Let \(\sigma _{F}= 2(\ell +1) q_L + q_F\) be the total number of \(E\) calls and \(\sigma = \sigma _{F} + q_I\) the total number of \((E,E^{-1})\) calls. Then, putting the above parameters into Lemma 1 gives \(\alpha _F = 2(\ell q_L + 2q_F+q_I)\), \(\alpha = 2(\ell q_L + 2q_F+2q_I)\), and then

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}_{1}^{g,E},\mathsf {S}_1}(\mathcal {D}_1) \le&\frac{\alpha _F (2 \alpha _F + 4q_I + q_g -4)}{(2^n-\alpha )^2} + \frac{\alpha _F+nq_I}{2^n-\alpha } + \left( \frac{ 2e \alpha _F}{n(2^n-\alpha )} \right) ^n\\ =&\frac{2(\ell q_L + 2q_F+q_I) (4(\ell q_L + 2q_F+q_I) + 4q_I + (q_F+q_I)-4)}{(2^n-2(\ell q_L + 2q_F+2q_I))^2} \\&+ \frac{2(\ell q_L + 2q_F+q_I) + nq_I}{2^n-2(\ell q_L + 2q_F+2q_I)} + \left( \frac{ 2 e \cdot 2(\ell q_L + 2q_F+q_I)}{ n (2^n-2(\ell q_L + 2q_F+2q_I))} \right) ^n\\ \le&\frac{(\sigma + 3q_F+ q_I) (4\sigma + 7q_F+8q_I)}{(2^n-4\sigma )^2} + \frac{\sigma + 3q_F + (n+1) q_I}{2^n-4\sigma } \\&+ \left( \frac{4e (\sigma + 3q_F + q_I)}{n(2^n-4\sigma )} \right) ^n\\ \le&\frac{48 \sigma ^2}{(2^n-4\sigma )^2} + \frac{ 4\sigma + nq_I}{2^n-4\sigma } + \left( \frac{16 e \sigma }{n(2^n-4\sigma )} \right) ^n\end{aligned}$$

Putting the above parameters into Lemma 2 gives

$$\begin{aligned} \mathsf {Adv}^\mathsf {indiff}_{\mathsf {F}^{E},\mathsf {F}_{1}^{g,E},\mathsf {S}2}(\mathcal {D}_2) \le \frac{12((\ell +1) q_L + q_F + q_I)}{2^n-2((\ell +1) q_L + q_F + q_I)} \le \frac{6 \sigma }{2^n-\sigma } . \end{aligned}$$

Hence we have

$$\begin{aligned} \mathsf {Adv}^\mathsf {pro}_{\mathsf {F}^{E},\mathsf {S}}(\mathcal {D}) \le&\mathsf {Adv}^\mathsf {pro}_{\mathsf {F}_{1}^{g,E},\mathsf {S}1}(\mathcal {D}_1)+ \mathsf {Adv}^\mathsf {indiff}_{\mathsf {F}^{E},\mathsf {F}_{1}^{g,E},\mathsf {S}2}(\mathcal {D}_2) \\ \le&\frac{48 \sigma ^2}{(2^n-4\sigma )^2} + \frac{10 \sigma + nq_I}{2^n-4\sigma } + \left( \frac{16 e \sigma }{n(2^n-4\sigma )} \right) ^n. \end{aligned}$$