Abstract

Cryptographic hashing modes come in many flavors, including Merkle-Damgård with various types of strengthening, Merkle trees, and sponge functions. As underlying primitives, these functions use arbitrary functions, permutations, or block ciphers. In this work we provide three simple proofs, one per primitive type, that cover all modes where the input to the primitive consists of message bits, chaining value bits, and bits that only depend on the mode and message length. Our approach generalizes and simplifies over earlier attempts of Dodis et al. (FSE 2009) and Bertoni et al. (Int. J. Inf. Sec. 2014). We prove tight indifferentiability bounds for modes using each of these three primitive types provided that the mode satisfies some easy to verify conditions.

Highlights

  • Cryptographic hash functions are amongst the most-studied and most-used cryptographic functions. Their first appearance dates back to the 70s, when Rabin introduced his iterative hash function design [Rab78] and Merkle his ideas on tree hashing [Mer79], two ideas that later became the predominant approaches in hash function design.

  • The security analysis of both approaches initially focused on preservation of collision resistance: if the underlying compression function is collision resistant, the hash function is collision resistant as well.

  • Bertoni et al. [BDPV14b] derived three quite general sufficient conditions for sound hashing and proved a tight indifferentiability bound for hashing modes taking a compression function modeled as an arbitrary function.


Summary

Introduction

Cryptographic hash functions are amongst the most-studied and most-used cryptographic functions. A hash function secure in the indifferentiability framework “behaves like” a random oracle, and can replace it in almost all single-stage settings (see Ristenpart et al. [RSS11]). It implies resistance against collision and (second) preimage attacks, among others. The indifferentiability framework does support composability, so an approach to limit the proliferation of dedicated proofs would be to construct an indifferentiable compression function from an underlying primitive such as a block cipher or permutation, and just apply an indifferentiable mode to that compression function. Most of the proposed compression function constructions, including PGV, cannot be proven indifferentiable [KM07]. This two-level approach induces a cost that can be avoided in a dedicated proof: it wastes n/2 bits of every compression function call.
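The abstract's framing, in which every primitive input consists of message bits, chaining-value bits and bits that depend only on the mode and the message length, as an added illustration that is not part of the paper: a sequential (Merkle-Damgård with length strengthening) template and a binary tree template, both executed by one generic routine over the same arbitrary-function primitive. The names, the constants `N` and `BLOCK`, the frame byte layout and the truncated SHA-256 stand-in for the arbitrary function are assumptions; the paper's own template definitions and sufficient conditions are not implemented here.

```python
import hashlib

N, BLOCK = 16, 32  # CV length and message bytes per primitive call (assumptions)

def f(x: bytes) -> bytes:
    """Stand-in for the arbitrary function: SHA-256 truncated to N bytes (constructed)."""
    return hashlib.sha256(x).digest()[:N]

def md_template(mlen: int):
    """Sequential template: node i = (frame bytes, message byte span, child nodes).
    The frame of the final node carries the message length (length strengthening)."""
    k = max(1, -(-mlen // BLOCK))
    nodes = []
    for i in range(k):
        frame = b"MD" + (b"\x01" + mlen.to_bytes(8, "big") if i == k - 1 else b"\x00")
        nodes.append((frame, (i * BLOCK, (i + 1) * BLOCK), [i - 1] if i else []))
    return nodes

def tree_template(mlen: int):
    """Binary tree template over BLOCK-byte leaves; the root frame carries the length."""
    k = max(1, -(-mlen // BLOCK))
    nodes = [(b"LEAF", (i * BLOCK, (i + 1) * BLOCK), []) for i in range(k)]
    level = list(range(k))
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level), 2):
            pair = level[j:j + 2]
            if len(pair) == 1:  # odd node out is carried up unchanged
                nxt.append(pair[0])
                continue
            nodes.append((b"NODE", (0, 0), pair))
            nxt.append(len(nodes) - 1)
        level = nxt
    _, span, kids = nodes[level[0]]
    nodes[level[0]] = (b"ROOT" + mlen.to_bytes(8, "big"), span, kids)
    return nodes

def execute(template, m: bytes) -> bytes:
    """Template execution: the template depends only on len(m); each primitive call
    takes frame || message bytes (zero-padded to the span) || child chaining values."""
    cv = []
    for frame, (lo, hi), kids in template(len(m)):
        chunk = m[lo:hi].ljust(hi - lo, b"\x00")
        cv.append(f(frame + chunk + b"".join(cv[c] for c in kids)))
    return cv[-1]
```

Because the frame bytes differ per mode and per position, the same message yields unrelated digests under the two templates, and messages of different lengths never share a final primitive input.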

Sound Hashing
Application
Parameterized Hashing Mode
Template Construction
Template Execution
Definitions of Sets of Hashing Trees
Sufficient Conditions
Subtree-Freeness
Radical-Decodability
Message-Decodability
Leaf-Anchoring
Detailed Comparison with Earlier Conditions
Security of Hashing Modes
Security Model
Mode of an Arbitrary Function
Mode of a Truncated Permutation
Mode of a Block Cipher
Proof of Theorem 1
Simulator
Distinguisher
Analysis of Good Views
Analysis of Bad Views
Proof of Theorem 3
Applications
Minimal Sequential and Tree Hashing Modes
Role of the IV
Suffix-Free Merkle-Damgård
Enveloped Merkle-Damgård
Tree Hashing Modes in the Wild
Sakura
Application to Message Authentication
