
# Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Dawson, Ed / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

4 Issues per year

CiteScore 2017: 1.43

SCImago Journal Rank (SJR) 2017: 0.293
Source Normalized Impact per Paper (SNIP) 2017: 1.117

Mathematical Citation Quotient (MCQ) 2017: 0.51

Volume 10, Issue 2

# Indifferentiability security of the fast wide pipe hash: Breaking the birthday barrier

Dustin Moody / Daniel Smith-Tone (corresponding author)

Daniel Smith-Tone: NIST, Computer Security Division, Gaithersburg, Maryland; and Department of Mathematics, University of Louisville, Louisville, Kentucky, USA
Published Online: 2016-04-21 | DOI: https://doi.org/10.1515/jmc-2014-0044

## Abstract

A hash function secure in the indifferentiability framework (TCC 2004) is able to resist all meaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multi-collision type attacks on the Merkle–Damgård mode (Crypto 1989), Lucks proposed widening the size of the internal state of hash functions (Asiacrypt 2005). The fast wide pipe (FWP) hash mode was introduced by Nandi and Paul at Indocrypt 2010, as a faster variant of Lucks' wide pipe mode. Despite the higher speed, the proven indifferentiability bound of the FWP mode has so far been only up to the birthday barrier of $n/2$ bits. The main result of this paper is the improvement of the FWP bound to $2n/3$ bits (up to an additive constant). We also provide evidence that the bound may be extended beyond $2n/3$ bits.
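The multi-collision attack that motivated Lucks' wide pipe, as an added worked example that is not part of the paper: the Joux attack chains k single-block birthday collisions on a narrow-pipe Merkle–Damgård hash to obtain 2^k messages with the same digest at cost about k·2^{n/2}, far below the 2^{n(2^k-1)/2^k} a random function would require. Widening the internal state to 2n bits and truncating at the end makes each chained collision cost about 2^n, i.e. no cheaper than a generic collision on the n-bit output. Everything below is constructed for illustration: the compression function is SHA-256 truncated to the state width (a stand-in for an ideal compression function, not the paper's FWP compression function), blocks are 4 bytes, padding is omitted because all messages have equal length, and n = 16 bits so the attack runs in seconds.

```python
"""Joux multicollisions on a toy narrow-pipe Merkle-Damgard hash, and why a
wide-pipe (2n-bit) internal state defeats the same attack.
Constructed example: SHA-256 truncated to the state width plays the role of
the compression function; sizes are tiny on purpose."""
import hashlib
import itertools

BLOCK_LEN = 4  # message block length in bytes (constructed parameter)


def compress(chain: bytes, block: bytes, state_bits: int) -> bytes:
    """Toy compression function f: (chain, block) -> state_bits-bit chain.
    SHA-256 truncated to the state width stands in for a random function."""
    return hashlib.sha256(chain + block).digest()[: state_bits // 8]


def md_hash(blocks, state_bits: int, out_bits=None) -> bytes:
    """Merkle-Damgard iteration over fixed-length blocks (no padding: every
    message in this example has the same length). state_bits == out_bits is
    the narrow pipe; state_bits > out_bits plus final truncation is the wide
    pipe."""
    h = bytes(state_bits // 8)  # IV = 0^state_bits
    for b in blocks:
        h = compress(h, b, state_bits)
    return h if out_bits is None else h[: out_bits // 8]


def find_block_collision(chain: bytes, state_bits: int):
    """Birthday search for two distinct blocks b0 != b1 with
    f(chain, b0) == f(chain, b1). Returns (b0, b1, common_output, trials);
    expected trials ~ 2^(state_bits / 2)."""
    seen = {}
    for i in itertools.count():
        blk = i.to_bytes(BLOCK_LEN, "big")
        out = compress(chain, blk, state_bits)
        if out in seen:
            return seen[out], blk, out, i + 1
        seen[out] = blk


def joux_multicollision(k: int, state_bits: int):
    """Joux (CRYPTO 2004): chain k single-block collisions, each starting from
    the common chaining value of the previous step, to obtain 2^k messages
    with identical internal state at cost ~ k * 2^(state_bits / 2).
    Returns (messages, total_trials); each message is a list of k blocks."""
    chain = bytes(state_bits // 8)
    choices = []
    total = 0
    for _ in range(k):
        b0, b1, chain, trials = find_block_collision(chain, state_bits)
        choices.append((b0, b1))
        total += trials
    messages = [list(m) for m in itertools.product(*choices)]
    return messages, total


def all_collide(messages, state_bits: int, out_bits: int) -> bool:
    """True iff every message hashes to the same out_bits-bit digest."""
    return len({md_hash(m, state_bits, out_bits) for m in messages}) == 1


if __name__ == "__main__":
    n = 16  # output length in bits (toy size; think n = 256 in practice)
    k = 3   # chained collisions -> 2^k = 8 colliding messages

    # Narrow pipe: internal state as wide as the output, ~k * 2^(n/2) work.
    msgs, cost = joux_multicollision(k, state_bits=n)
    assert all_collide(msgs, n, n)
    print(f"narrow pipe (state {n} bits): {len(msgs)} colliding messages "
          f"after {cost} compression calls (~{k} * 2^{n // 2})")

    # Wide pipe: 2n-bit state, output truncated to n bits. Each chained
    # collision now costs ~2^n, the price of a generic collision on the
    # n-bit output, so multicollisions are no longer cheap.
    wmsgs, wcost = joux_multicollision(k, state_bits=2 * n)
    assert all_collide(wmsgs, 2 * n, n)
    print(f"wide pipe (state {2 * n} bits): {len(wmsgs)} colliding messages "
          f"after {wcost} compression calls (~{k} * 2^{n})")
```

Running the script shows the narrow-pipe 8-way multicollision costing on the order of a few hundred compression calls per step (about 2^8 for a 16-bit state) while the wide-pipe version needs on the order of 2^16 per step; the ratio is exactly the 2^{n/2} gap that Lucks' construction buys. Note that the attack collides the full internal state, so truncating the wide-pipe output does not help the attacker either; what changes is only the cost of each step.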

MSC: 94A60

## References

1. E. Andreeva, C. Bouillaguet, P.-A. Fouque, J. J. Hoch, J. Kelsey, A. Shamir and S. Zimmer, Second preimage attacks on dithered hash functions, Advances in Cryptology (EUROCRYPT 2008), Lecture Notes in Comput. Sci. 4965, Springer, Berlin (2008), 270–288.

2. E. Andreeva, A. Luykx and B. Mennink, Provable security of BLAKE with non-ideal compression function, Selected Areas in Cryptography (SAC 2012), Lecture Notes in Comput. Sci. 7707, Springer, Berlin (2013), 321–338.

3. E. Andreeva, B. Mennink and B. Preneel, On the indifferentiability of the Grøstl hash function, Security and Cryptography for Networks (SCN 2010), Lecture Notes in Comput. Sci. 6280, Springer, Berlin (2010), 88–105.

4. E. Andreeva, B. Mennink and B. Preneel, The Parazoa family: Generalizing the Sponge hash functions, Int. J. Inform. Security 11 (2012), 3, 149–165.

5. M. Bellare and T. Ristenpart, Multi-property-preserving hash domain extension and the EMD transform, Advances in Cryptology (ASIACRYPT 2006), Lecture Notes in Comput. Sci. 4284, Springer, Berlin (2006), 299–314.

6. G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, Sponge functions, preprint 2007, http://sponge.noekeon.org/SpongeFunctions.pdf.

7. G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, On the indifferentiability of the Sponge construction, Advances in Cryptology (EUROCRYPT 2008), Lecture Notes in Comput. Sci. 4965, Springer, Berlin (2008), 181–197.

8. R. Bhattacharyya, A. Mandal and M. Nandi, Security analysis of the mode of JH hash function, Fast Software Encryption (FSE 2010), Lecture Notes in Comput. Sci. 6147, Springer, Berlin (2010), 168–191.

9. E. Biham and O. Dunkelman, A framework for iterative hash functions – HAIFA, preprint 2007, https://eprint.iacr.org/2007/278.

10. S. R. Blackburn, D. R. Stinson and J. Upadhyay, On the complexity of the herding attack and some related attacks on hash functions, Des. Codes Cryptogr. 64 (2012), 1–2, 171–193.

11. E. Bresson, A. Canteaut, B. Chevallier-Mames, C. Clavier, T. Fuhr, A. Gouget, T. Icart, J.-F. Misarsky, M. Naya-Plasencia, P. Paillier, T. Pornin, J.-R. Reinhard, C. Thuillet and M. Videau, Indifferentiability with distinguishers: Why Shabal does not require ideal ciphers, preprint 2009, https://eprint.iacr.org/2009/199.

12. D. Chang and M. Nandi, Improved indifferentiability security analysis of chopMD hash function, Fast Software Encryption (FSE 2008), Lecture Notes in Comput. Sci. 5086, Springer, Berlin (2008), 429–443.

13. D. Chang, M. Nandi and M. Yung, Indifferentiability of the hash algorithm BLAKE, preprint 2011, https://eprint.iacr.org/2011/623.

14. J.-S. Coron, Optimal security proofs for PSS and other signature schemes, Advances in Cryptology (EUROCRYPT 2002), Lecture Notes in Comput. Sci. 2332, Springer, Berlin (2002), 272–287.

15. J.-S. Coron, Y. Dodis, C. Malinaud and P. Puniya, Merkle–Damgård revisited: How to construct a hash function, Advances in Cryptology (CRYPTO 2005), Lecture Notes in Comput. Sci. 3621, Springer, Berlin (2005), 430–448.

16. I. Damgård, A design principle for hash functions, Advances in Cryptology (CRYPTO '89), Lecture Notes in Comput. Sci. 435, Springer, Berlin (1990), 416–427.

17. E. Fleischmann, M. Gorski and S. Lucks, Some observations on indifferentiability, Information Security and Privacy (ACISP 2010), Lecture Notes in Comput. Sci. 6168, Springer, Berlin (2010), 117–134.

18. P. Gauravaram, L. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer and S. Thomsen, Grøstl – A SHA-3 candidate, preprint 2011, www.groestl.info/Groestl.pdf.

19. S. Hirose, J. H. Park and A. Yun, A simple variant of the Merkle–Damgård scheme with a permutation, Advances in Cryptology (ASIACRYPT 2007), Lecture Notes in Comput. Sci. 4833, Springer, Berlin (2007), 113–129.

20. J. J. Hoch and A. Shamir, Breaking the ICE – Finding multicollisions in iterated concatenated and expanded (ICE) hash functions, Fast Software Encryption (FSE 2006), Lecture Notes in Comput. Sci. 4047, Springer, Berlin (2006), 179–194.

21. A. Joux, Multicollisions in iterated hash functions: Application to cascaded constructions, Advances in Cryptology (CRYPTO 2004), Lecture Notes in Comput. Sci. 3152, Springer, Berlin (2004), 306–316.

22. J. Kelsey and T. Kohno, Herding hash functions and the Nostradamus attack, Advances in Cryptology (EUROCRYPT 2006), Lecture Notes in Comput. Sci. 4004, Springer, Berlin (2006), 183–200.

23. J. Kelsey and B. Schneier, Second preimages on $n$-bit hash functions for much less than $2^n$ work, Advances in Cryptology (EUROCRYPT 2005), Lecture Notes in Comput. Sci. 3494, Springer, Berlin (2005), 474–490.

24. S. Lucks, A failure-friendly design principle for hash functions, Advances in Cryptology (ASIACRYPT 2005), Lecture Notes in Comput. Sci. 3788, Springer, Berlin (2005), 474–494.

25. U. M. Maurer, R. Renner and C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, Theory of Cryptography (TCC 2004), Lecture Notes in Comput. Sci. 2951, Springer, Berlin (2004), 21–39.

26. R. C. Merkle, One way hash functions and DES, Advances in Cryptology (CRYPTO '89), Lecture Notes in Comput. Sci. 435, Springer, Berlin (1990), 428–446.

27. D. Moody, S. Paul and D. Smith-Tone, Improved indifferentiability security bound for the JH mode, Des. Codes Cryptogr. 79 (2016), 2, 237–259.

28. M. Nandi and S. Paul, Speeding up the wide-pipe: Secure and fast hashing, Progress in Cryptology (INDOCRYPT 2010), Lecture Notes in Comput. Sci. 6498, Springer, Berlin (2010), 144–162.

29. M. Nandi and D. R. Stinson, Multicollision attacks on some generalized sequential hash functions, IEEE Trans. Inform. Theory 53 (2007), 759–767.

30. T. Ristenpart, H. Shacham and T. Shrimpton, Careful with composition: Limitations of the indifferentiability framework, Advances in Cryptology (EUROCRYPT 2011), Lecture Notes in Comput. Sci. 6632, Springer, Berlin (2011), 487–506.

31. V. Shoup, OAEP reconsidered, Advances in Cryptology (CRYPTO 2001), Lecture Notes in Comput. Sci. 2139, Springer, Berlin (2001), 239–259.

32. D. Smith-Tone and C. Tone, A measure of dependence for cryptographic primitives relative to ideal functions, Rocky Mountain J. Math. 45 (2015), 1283–1309.

33. H. Wu, The JH hash function, preprint 2009, http://ehash.iaik.tugraz.at/uploads/1/1d/Jh20090915.pdf.

Revised: 2015-12-04

Accepted: 2016-04-05

Published in Print: 2016-06-01

Citation Information: Journal of Mathematical Cryptology, Volume 10, Issue 2, Pages 101–133, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976.
