Abstract
Cryptographic hashing modes come in many flavors, including Merkle-Damgård with various types of strengthening, Merkle trees, and sponge functions. As underlying primitives, these modes use arbitrary functions, permutations, or block ciphers. In this work we provide three simple proofs, one per primitive type, that cover all modes where the input to the primitive consists of message bits, chaining-value bits, and bits that depend only on the mode and the message length. Our approach generalizes and simplifies over earlier attempts by Dodis et al. (FSE 2009) and Bertoni et al. (Int. J. Inf. Sec. 2014). We prove tight indifferentiability bounds for modes using each of these three primitive types, provided that the mode satisfies some easy-to-verify conditions.
Highlights
Cryptographic hash functions are amongst the most-studied and most-used cryptographic functions. Their first appearance dates back to the 70s, when Rabin introduced his iterative hash function design [Rab78] and Merkle his ideas on tree hashing [Mer79], two ideas that later became the predominant approaches in hash function design.
The security analysis of both approaches initially focused on preservation of collision resistance: if the underlying compression function is collision resistant, the hash function is collision resistant as well.
Bertoni et al. [BDPV14b] derived three quite general sufficient conditions for sound hashing and proved a tight indifferentiability bound for hashing modes built on a compression function modeled as an arbitrary function.
Summary
Cryptographic hash functions are amongst the most-studied and most-used cryptographic functions. A hash function secure in the indifferentiability framework "behaves like" a random oracle and can replace it in almost all single-stage settings (see Ristenpart et al. [RSS11]). Indifferentiability implies resistance against collision and (second) preimage attacks, among others. The framework supports composability, so one approach to limit the proliferation of dedicated proofs would be to construct an indifferentiable compression function from an underlying primitive such as a block cipher or permutation, and then apply an indifferentiable mode to that compression function. However, most of the proposed compression function constructions, including PGV, cannot be proven indifferentiable [KM07], and this two-level approach induces a cost that a dedicated proof avoids: it wastes n/2 bits of every compression function call.
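To make the abstract's classification of primitive inputs concrete (message bits, chaining-value bits, and bits that depend only on the mode and the message length), and the Summary's point that a mode needs more than a good primitive to behave like a random oracle, here is an added Python example; it is not code from the paper or its authors. It implements Merkle-Damgård with length strengthening over a stand-in "arbitrary function" and a sponge over a stand-in permutation. The SHA-256-based toy primitives, the 128-bit chaining value, rate and capacity, and the byte-level padding are this example's own assumptions, not anything the paper specifies, and the toy primitives are not a security recommendation.

```python
"""Toy Merkle-Damgard and sponge hashing modes.

Added example (not code from the paper). It makes visible which bits reach the
underlying primitive in each mode: message bits, chaining-value bits, and bits
that depend only on the mode and the message length (padding, length encoding).
The primitives are stand-ins built from SHA-256 and are assumptions of this
example: a truncated hash plays the 'arbitrary function', a 4-round Feistel
network plays the 'permutation'. Block, rate and capacity sizes are arbitrary.
"""
import hashlib

CV_LEN = 16    # Merkle-Damgard chaining value, bytes (n = 128 bits)
BLK_LEN = 16   # Merkle-Damgard message block, bytes
RATE = 16      # sponge rate r, bytes
CAP = 16       # sponge capacity c, bytes; state b = r + c = 256 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def arbitrary_function(x: bytes) -> bytes:
    """Stand-in 'arbitrary function' primitive: SHA-256 truncated to CV_LEN bytes (not invertible)."""
    return hashlib.sha256(b"toy-function|" + x).digest()[:CV_LEN]


def permutation(state: bytes) -> bytes:
    """Stand-in 'permutation' primitive on RATE+CAP bytes: 4 Feistel rounds with SHA-256 round functions."""
    left, right = state[:16], state[16:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(b"toy-perm|" + bytes([rnd]) + right).digest()[:16])
    return left + right


def permutation_inverse(state: bytes) -> bytes:
    """Undo permutation(); exists only because the primitive is a permutation, unlike arbitrary_function()."""
    left, right = state[:16], state[16:]
    for rnd in reversed(range(4)):
        left, right = xor(right, hashlib.sha256(b"toy-perm|" + bytes([rnd]) + left).digest()[:16]), left
    return left + right


# ---- Merkle-Damgard with length strengthening, over the arbitrary function ----

def md_pad(msg: bytes) -> bytes:
    """Append 0x80, zeros to a block boundary, and the 64-bit bit length.
    Everything appended depends only on len(msg): these are the mode/length bits of the paper."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLK_LEN)
    return padded + (8 * len(msg)).to_bytes(8, "big")


def md_glue(orig_len: int) -> bytes:
    """The padding a message of length orig_len receives; computable from the length alone."""
    return md_pad(bytes(orig_len))[orig_len:]


def md_iterate(blocks: bytes, cv: bytes) -> bytes:
    """Primitive input per call = chaining value || message block."""
    for i in range(0, len(blocks), BLK_LEN):
        cv = arbitrary_function(cv + blocks[i:i + BLK_LEN])
    return cv


def md_hash(msg: bytes) -> bytes:
    return md_iterate(md_pad(msg), bytes(CV_LEN))


def md_length_extension(digest: bytes, orig_len: int, ext: bytes) -> bytes:
    """Compute H(m || glue || ext) from H(m) and len(m) alone, where glue = md_glue(len(m)).
    The digest is the entire chaining state and the padding depends only on the length, so plain
    Merkle-Damgard is distinguishable from a random oracle no matter how good the primitive is."""
    forged_len = orig_len + len(md_glue(orig_len)) + len(ext)
    tail = ext + md_glue(forged_len)          # extension plus the forged message's own padding
    return md_iterate(tail, digest)


# ---- Sponge, over the permutation ----

def sponge_pad(msg: bytes) -> bytes:
    """pad10*1 at byte granularity: 0x01, zeros, 0x80 (merged into 0x81 when one byte remains)."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % RATE)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(msg: bytes, out_len: int = 32) -> bytes:
    """Absorb: rate bytes = chaining state XOR message block; capacity bytes = chaining state only.
    The capacity never sees message bits and is never output, which is what blocks extension."""
    state = bytes(RATE + CAP)
    padded = sponge_pad(msg)
    for i in range(0, len(padded), RATE):
        state = permutation(xor(state, padded[i:i + RATE] + bytes(CAP)))
    out = b""
    while len(out) < out_len:
        out += state[:RATE]
        state = permutation(state)
    return out[:out_len]


if __name__ == "__main__":
    m, ext = b"amount=100", b"&amount=1000000"   # constructed sample input
    forged = md_length_extension(md_hash(m), len(m), ext)
    print("MD extension forgery matches:", forged == md_hash(m + md_glue(len(m)) + ext))
    print("sponge digest:", sponge_hash(m).hex())
```

Running the module shows the Merkle-Damgård forgery succeeding: the digest exposes the whole chaining value and the strengthening bytes are a function of the length only, so an attacker continues the iteration without the message. In the sponge, the same two classes of bits exist, but the capacity half of the primitive input carries chaining state that is neither XORed with message bits nor released, so an observer of the digest lacks the state needed to continue.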