Indifferentiability security of the fast wide pipe hash: Breaking the birthday barrier

Dustin Moody (1), Souradyuti Paul (2) and Daniel Smith-Tone (3)
  • (1) NIST, Computer Security Division, Gaithersburg, Maryland, USA
  • (2) CSE, IIT, Gandhinagar, India
  • (3) NIST, Computer Security Division, Gaithersburg, Maryland; and Department of Mathematics, University of Louisville, Louisville, Kentucky, USA

Abstract

A hash function secure in the indifferentiability framework (TCC 2004) is able to resist all meaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multi-collision type attacks on the Merkle–Damgård mode (Crypto 1989), Lucks proposed widening the size of the internal state of hash functions (Asiacrypt 2005). The fast wide pipe (FWP) hash mode was introduced by Nandi and Paul at Indocrypt 2010, as a faster variant of Lucks' wide pipe mode. Despite the higher speed, the proven indifferentiability bound of the FWP mode has so far been only up to the birthday barrier of n/2 bits. The main result of this paper is the improvement of the FWP bound to 2n/3 bits (up to an additive constant). We also provide evidence that the bound may be extended beyond 2n/3 bits.

OPEN ACCESS

JMC is a forum for original research articles in the area of mathematical cryptology. Works in the theory of cryptology and articles linking mathematics with cryptology are welcome. Submissions from all areas of mathematics significant for cryptology are published, including but not limited to, algebra, algebraic geometry, coding theory, combinatorics, number theory, probability and stochastic processes.