The suffix-free-prefix-free hash function construction and its indifferentiability security analysis
In this paper, we observe that in the seminal work on the indifferentiability analysis of iterated hash functions by Coron et al., and in subsequent works, the initial value (IV) of the hash function is fixed. In addition, these indifferentiability results do not depend on the Merkle–Damgård (MD) strengthening in the padding of the hash functions. We propose a generic n-bit iterated hash function framework based on an n-bit compression function, called suffix-free-prefix-free (SFPF), that works for arbitrary IVs and does not rely on MD strengthening. We formally prove that SFPF is indifferentiable from a random oracle (RO) when the compression function is viewed as a fixed-input-length random oracle (FIL-RO). We show that some hash function constructions proposed in the literature fit the SFPF framework, while others that do not fit it are not indifferentiable from an RO. We also show that the SFPF framework, with the provision of MD strengthening, generalizes any n-bit iterated hash function based on an n-bit compression function with an n-bit chaining value that has been proven indifferentiable from an RO.
Various Security Analysis of a pfCM-MD Hash Domain Extension and Applications based on the Extension
We propose a new hash domain extension, the prefix-free Counter-Masking MD (pfCM-MD). Among the security notions for hash functions, we focus on the indifferentiability notion, by which we can check whether the structure of a given hash function has any weakness. Next, we consider the security of HMAC, two new PRF constructions, the NIST SP 800-56A key derivation function, and the randomized hashing of NIST SP 800-106, all of them instantiated with pfCM-MD. In particular, thanks to the counter in pfCM-MD, the construction is secure against all generic second-preimage attacks such as the Kelsey–Schneier attack [KeSc05] and the attack of Andreeva et al. [AnBoFoHoKeShZi08]. Our proof technique and most of our notation follow those of [BeDaPeAs08, Bellare06, BeCaKr96a].
Indifferentiable Security Analysis of choppfMD, chopMD, a chopMDP, chopWPH, chopNI, chopEMD, chopCS, and chopESh Hash Domain Extensions
We provide simple and unified indifferentiability security analyses of the choppfMD, chopMD, chopMDP (where the permutation is XORed with any non-zero constant), chopWPH (the chopped version of the Wide-Pipe Hash proposed in [Lucks05]), chopEMD, chopNI, chopCS, and chopESh hash domain extensions. Even though security analyses of these exist in the case of no-bit chopping (i.e., ), there is no unified way to give their security proofs. All our proofs in this paper follow the technique introduced in [BeDaPeAs08]. These proofs are simple and easy to follow.
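The structural weakness that the indifferentiability notion in these abstracts is meant to catch is easiest to see in code. The following is an added example, not code from any of the papers listed here: a toy Merkle–Damgård iteration with a fixed IV and MD strengthening, a chopMD variant that truncates the output, and a length-extension distinguisher. The compression function is an assumption (SHA-256 of chaining value || block, standing in for the FIL-RO the proofs assume), and the secret message and suffix are constructed sample inputs. A random oracle gives no way to derive H(M || X) from H(M) without M; plain MD does, which is why it is not indifferentiable from an RO, and chopping the state removes the leak that the distinguisher relies on.

```python
import hashlib
import struct

BLOCK = 32   # block size in bytes of the toy MD iteration
STATE = 32   # chaining value size in bytes (n = 256 bits)


def f(chain: bytes, block: bytes) -> bytes:
    """Toy fixed-input-length compression function f : {0,1}^n x {0,1}^n -> {0,1}^n.
    Assumption: SHA-256(chain || block) stands in for the FIL-RO of the proofs; it is
    not the compression function of any paper listed on this page."""
    assert len(chain) == STATE and len(block) == BLOCK
    return hashlib.sha256(chain + block).digest()


def md_pad(msg: bytes) -> bytes:
    """MD strengthening: append 0x80, zero bytes and the 8-byte big-endian bit length,
    so the padded message is a whole number of blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", len(msg) * 8)


def md(msg: bytes, iv: bytes = bytes(STATE)) -> bytes:
    """Plain MD iteration with a fixed IV and MD strengthening; the full n-bit
    final chaining value is the output."""
    h = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = f(h, padded[i:i + BLOCK])
    return h


def chop_md(msg: bytes, s: int = STATE // 2) -> bytes:
    """chopMD: run MD and drop s bytes of the final state, so only n - s bits of the
    chaining value ever leave the construction."""
    return md(msg)[:STATE - s]


def extend(digest: bytes, known_len: int, suffix: bytes) -> tuple:
    """Length extension against plain MD: given only H(M) and |M|, compute
    H(M || glue || suffix), where glue is the padding MD appended to M.
    Returns (glue, forged_digest)."""
    glue = md_pad(b"A" * known_len)[known_len:]          # padding depends only on |M|
    absorbed = known_len + len(glue)                      # bytes already inside the digest
    tail = md_pad(b"A" * absorbed + suffix)[absorbed:]    # suffix plus the new padding
    h = digest                                            # resume from the leaked state
    for i in range(0, len(tail), BLOCK):
        h = f(h, tail[i:i + BLOCK])
    return glue, h


def extension_distinguisher() -> dict:
    """Distinguisher in the spirit of the indifferentiability game: plain MD lets the
    attacker forge H(M || glue || suffix) from H(M) alone; chopMD hides half the
    state, so the same attempt fails except with probability 2^-128."""
    secret = b"constructed secret message"   # constructed sample input, unknown to the attacker
    suffix = b";admin=true"

    glue, forged = extend(md(secret), len(secret), suffix)
    plain_ok = forged == md(secret + glue + suffix)

    # Against chopMD the attacker only sees n - s bits and must guess the rest.
    leaked = chop_md(secret)
    _, forged2 = extend(leaked + bytes(STATE - len(leaked)), len(secret), suffix)
    chop_ok = forged2[:len(leaked)] == chop_md(secret + glue + suffix)

    return {"plain_md_extension_works": plain_ok, "chopmd_extension_works": chop_ok}


if __name__ == "__main__":
    print(extension_distinguisher())
```

Running it reports that the plain MD forgery verifies while the chopMD attempt does not. Note that MD strengthening does not help here: the attacker knows |M|, so the padding is predictable, which is exactly why the indifferentiability results discussed above do not hinge on it.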
On Finding Quantum Multi-collisions
A -collision for a compressing hash function is a set of distinct inputs that all map to the same output. In this work, we show that for any constant , quantum queries are both necessary and sufficient to achieve a -collision with constant probability. This improves on the best prior upper bound (Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower bound, completely resolving the problem.
Indifferentiability of the Hash Algorithm BLAKE
The hash algorithm BLAKE, one of the SHA-3 finalists, was designed by Aumasson, Henzen, Meier, and Phan. Unlike the other SHA-3 finalists, BLAKE had no known indifferentiability security proof. In this paper, we provide an indifferentiability security proof for BLAKE with the bound O(δ^2/2^{n-3}), where δ is the total number of blocks of queries and n is the hash output size.
Quantum Multicollision-Finding Algorithm
The current paper presents a new quantum algorithm for finding multicollisions, often denoted -collisions, where an -collision for a function is a set of distinct inputs having the same output value. Although it is fundamental in cryptography, the problem of finding multicollisions has not received much attention in a quantum setting. The tight bound on the quantum query complexity of finding -collisions of random functions has been shown to be , where is the size of the codomain. However, neither a lower nor an upper bound is known for -collisions. The paper first integrates the results from existing research to derive several new observations, e.g., -collisions can be generated with only quantum queries for a small constant . Then a new quantum algorithm is proposed, which finds an -collision of any function whose domain is times larger than its codomain. A rigorous proof is given to guarantee that the expected number of quantum queries is for a small constant , which matches the tight bound of for and improves the known bounds, such as the simple bound of above.
Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions (Full Version)
In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and multicollisions. Firstly, a preimage attack on 5-round GOST-256 is proposed, which is the first preimage attack on GOST-256 at the hash function level. Then we extend the (previous) attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation.
Secondly, inspired by the preimage attack on GOST-256, we also study the impact of four representative truncation patterns on the resistance of AES-like compression functions against the Meet-in-the-Middle preimage attack, and propose two stronger truncation patterns which make this type of attack harder to launch. Based on our investigations, we are able to slightly improve the previous pseudo-preimage attacks on reduced-round Grøstl-256.
Sufficient conditions for sound hashing using a truncated permutation
In this paper we give a generic security proof for hashing modes that make use of an underlying fixed-length permutation. We formulate a set of five simple conditions, which are easy to implement and to verify, for such a hashing mode to be sound. These hashing modes include tree hashing modes and sequential hashing modes. We prove that for any hashing mode satisfying the five conditions, the advantage in differentiating it from an ideal monolithic hash function is upper bounded by q^2/2^{n+1}, with q the number of queries to the underlying permutation and n the length of the chaining values.
From Indifferentiability to Constructive Cryptography (and Back)
The concept of indifferentiability of systems, a generalized form of indistinguishability, was proposed in 2004 to provide a simplified and generalized explanation of impossibility results like the non-instantiability of random oracles by hash functions due to Canetti, Goldreich, and Halevi (STOC 1998). But indifferentiability is actually a constructive notion, leading to possibility results. For example, Coron et al. (Crypto 2005) argued that the soundness of the construction of a hash function from a compression function can be demonstrated by proving that is indifferentiable from a random oracle if is an ideal random compression function.
The purpose of this short paper is to describe how the indifferentiability notion was a precursor to the theory of constructive cryptography and thereby to provide a simplified and generalized treatment of indifferentiability as a special type of constructive statement.