nach oben

Designs, Codes and Cryptography

Erschienen in:

03.06.2016

Optimal collision security in double block length hashing with single length key

verfasst von: Bart Mennink

Erschienen in: Designs, Codes and Cryptography | Ausgabe 2/2017

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double block length hash functions known in the literature employ a cipher with a key space of double block size, 2n-bit. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to its underlying n-bit keyed block cipher collisions can be found in about \(2^{n/2}\) queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to \(2^{n(1-\varepsilon )}\) queries and preimage resistance up to \(2^{3n(1-\varepsilon )/2}\) queries, for any \(\varepsilon >0\). To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. We additionally prove this class of functions indifferentiable from random functions in about \(2^{n/2}\) queries, and demonstrate that no other function in this direction achieves a bound of similar kind.

Vorheriger Artikel Primitive semifields of order

Nächster Artikel Generic attacks on the Lai–Massey scheme

Nur mit Berechtigung zugänglich

In the iteration collision resistance is proven up to \(2^{3n/5}\) queries for MDC-2 [42] and \(2^{2n/3}\) queries for MJH [15]; the latter result got recently improved to \(2^n\) asymptotically [16].

The MDC-4 compression function based on one single block cipher is differentiable in 2 queries.

If k balls are thrown in l bins, the \(\alpha \) fullest bins in total contain at least \(\alpha k/l\) balls.

A winning query that would appear at multiple positions is counted in \(\mathsf {coll}_{000:\mathcal {S}_j}(Q_{q})\) for some other set \(\mathcal {S}_j\).

Note that if there are two different solutions that make the condition of the if-clause satisfied, the simulator will naturally never be able to maintain consistency with the random cipher. This event will later be considered as a bad event. If this happens, the simulator will simply take any of the solutions and execute the if-clause based on that solution. This design decision is merely for simplicity; the simulator can just as well abort.

Technically, we could have taken \(\widetilde{\mathcal {S}}\) as our simulator, therewith obtaining an improved indifferentiability bound for Theorem 3. However, for clarity and ease of presentation, we opted for simulator \(\mathcal {S}\).

Without going into detail, we refer to a slightly related work of Maurer and Tessaro [24] on indifferentiable domain extenders from random functions.

Hirose’s function can be seen as a special case of Hirose-class (using that in the attack it is not relevant whether the underlying block ciphers are distinct or the same), and our attack directly carries over.

We note that for our analysis it is not relevant whether the underlying ciphers are distinct or the same. Therefore, we consider the design to be based on one single block cipher.

Abed F., Forler C., List E., Lucks S., Wenzel J.: Counter-bDM: a provably secure family of multi-block-length compression functions. In: Progress in Cryptology—AFRICACRYPT 2014. Lecture Notes in Computer Science, vol. 8469, pp. 440–458. Springer, Heidelberg (2014).

Andreeva E., Neven G., Preneel B., Shrimpton T.: Seven-property-preserving iterated hashing: ROX. In: Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833, pp. 130–146. Springer, Heidelberg (2007).

Armknecht F., Fleischmann E., Krause M., Lee J., Stam M., Steinberger J.: The preimage security of double-block-lengthcompression functions. In: Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 233–251. Springer, Heidelberg (2011).

Bellare M., Ristenpart T.: Multi-property-preserving hash domainextension and the EMD transform. In: Advances in Cryptology—ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284, pp. 299–314. Springer, Heidelberg (2006).

Coron J., Dodis Y., Malinaud C., Puniya P.: Merkle–Damgård revisited: how to construct a hash function. In: Advances in Cryptology—CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621, pp. 430–448. Springer, Heidelberg (2005).

Fleischmann E., Gorski M., Lucks S.: Security of cyclic doubleblock length hash functions. In: IMA International Conference 2009. Lecture Notes in Computer Science, vol. 5921, pp. 153–175. Springer, Heidelberg (2009).

Hirose S.: Provably secure double-block-length hash functions in ablack-box model. In: Information Security and Cryptology 2004. Lecture Notes in Computer Science, vol. 3506, pp. 330–342. Springer, Heidelberg (2005).

Hirose S.: Some plausible constructions of double-block-length hashfunctions. In: Fast Software Encryption 2006. Lecture Notes in Computer Science, vol. 4047, pp. 210–225. Springer, Heidelberg (2006).

Hirose S., Park J., Yun A.: A simple variant of theMerkle-Damgård scheme with a permutation. In: Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833, pp. 113–129. Springer, Heidelberg (2007).

10.

Hong D., Kwon D.: Cryptanalysis of some double-block-length hashmodes of block ciphers with \(n\)-bit block and \(n\)-bit key.Cryptology ePrint Archive, Report 2013/174 (2013).

11.

Jetchev D., Özen O., Stam M.: Collisions are not incidental:A compression function exploiting discrete geometry. In: Theory of Cryptography Conference 2012. Lecture Notes in Computer Science, vol. 7194, pp. 303–320. Springer, Heidelberg (2012).

12.

Kuwakado H., Morii M.: Indifferentiability of single-block-lengthand rate-1 compression functions. IEICE Trans. 90-A(10), 2301–2308 (2007).

13.

Lai X., Massey J.: Hash function based on block ciphers. In: Advances in Cryptology—EUROCRYPT ’92. Lecture Notes in Computer Science, vol. 658, pp. 55–70. Springer, Heidelberg (1992).

14.

Lee J., Kwon D.: The security of Abreast-DM in the ideal cipher model. Cryptology ePrint Archive, Report 2009/225 (2009).

15.

Lee J., Stam M.: MJH: A faster alternative to MDC-2. In: CT-RSA 2011. Lecture Notes in Computer Science, vol. 6558, pp. 213–236. Springer, Heidelberg (2011).

16.

Lee J., Stam M.: MJH: A faster alternative to MDC-2. Des. Codes Cryptogr. 76(2), 179–205 (2015).

17.

Lee J., Stam M., Steinberger J.: The collision security of Tandem-DM in the ideal cipher model. Cryptology ePrint Archive, Report 2010/409 (2010), full version of [18].

18.

Lee J., Stam M., Steinberger J.: The collision security ofTandem-DM in the ideal cipher model. In: Advances in Cryptology—CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 561–577. Springer, Heidelberg (2011).

19.

Lee J., Stam M., Steinberger J.: The preimage security of double-block-length compression functions. Cryptology ePrint Archive, Report 2011/210 (2011).

20.

Lee J., Steinberger J.: Multi-property-preserving domain extensionusing polynomial-based modes of operation. In: Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 573–596. Springer, Heidelberg (2010).

21.

Lucks S.: A failure-friendly design principle for hash functions. In: Advances in Cryptology—ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788, pp. 474–494. Springer, Heidelberg (2005).

22.

Lucks S.: A collision-resistant rate-1 double-block-length hashfunction, In: Symmetric Cryptography, Dagstuhl Seminar Proceedings 07021 (2007).

23.

Maurer U., Renner R., Holenstein C.: Indifferentiability,impossibility results on reductions, and applications to the randomoracle methodology. In: Theory of Cryptography Conference 2004. Lecture Notes in Computer Science, vol. 2951, pp. 21–39. Springer, Heidelberg (2004).

24.

Maurer U., Tessaro S.: Domain extension of public randomfunctions: beyond the birthday barrier. In: Advances in Cryptology—CRYPTO 2007. Lecture Notes in Computer Science, vol. 4622, pp. 187–204. Springer, Heidelberg (2007).

25.

Mennink B.: Optimal collision security in double block lengthhashing with single length key. In: Advances in Cryptology—ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, pp. 526–543. Springer, Heidelberg (2012).

26.

Mennink B.: Indifferentiability of double length compressionfunctions. In: IMA International Conference on Cryptography and Coding—IMACC 2013. Lecture Notes in Computer Science, vol. 8308, pp. 232–251. Springer, Heidelberg (2013).

27.

Mennink B.: On the collision and preimage security of MDC-4 inthe ideal cipher model. Des. Codes Cryptogr. 73(1), 121–150 (2014).

28.

Mennink B., Preneel B.: Hash functions based on threepermutations: a generic security analysis. In: Advances in Cryptology—CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 330–347. Springer, Heidelberg (2012).

29.

Meyer C., Schilling M.: Secure program load with manipulation detection code. In: Proceedings of the Securicom, pp. 111–130 (1988).

30.

Miyaji A., Rashed M.: A new \((n,n)\) blockcipher hash functionusing Feistel network: apposite for RFID security. In: Computational Intelligence in Data Mining, vol. 3. SmartInnovation, Systems and Technologies, vol. 33, pp. 519–528. Springer, India (2015).

31.

Nandi M.: Towards optimal double-length hash functions. In: Progress in Cryptology—INDOCRYPT 2005. Lecture Notes in Computer Science, vol. 3797, pp. 77–89. Springer, Heidelberg (2009).

32.

Nandi M., Lee W., Sakurai K., Lee S.: Security analysis of a2/3-rate double length compression function in the black-box model.In: Fast Software Encryption 2005. Lecture Notes in Computer Science, vol. 3557, pp. 243–254. Springer, Heidelberg (2005).

33.

Özen O.: Design and Analysis of Multi-Block-Length HashFunctions. Ph.D. thesis, École Polytechnique Fédérale deLausanne, Lausanne (2012).

34.

Özen O., Stam M.: Another glance at double-length hashing. In: IMA International Conference 2009. Lecture Notes in Computer Science, vol. 5921, pp. 176–201. Springer, Heidelberg (2009).

35.

Peyrin T., Gilbert H., Muller F., Robshaw M.: Combining compression functions and block cipher-based hash functions. In: Advances in Cryptology—ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284, pp. 315–331. Springer, Heidelberg (2006).

36.

Preneel B., Govaerts R., Vandewalle J.: Hash functions based onblock ciphers: a synthetic approach. In: Advances in Cryptology—CRYPTO ’93. Lecture Notes in Computer Science, vol. 773, pp. 368–378. Springer, Heidelberg (1993).

37.

Ristenpart T., Shacham H., Shrimpton T.: Careful withcomposition: limitations of the indifferentiability framework. In: Advances in Cryptology—EUROCRYPT 2011. Lecture Notes in Computer Science, vol. 6632, pp. 487–506. Springer, Heidelberg (2011).

38.

Rogaway P., Shrimpton T.: Cryptographic hash-function basics:Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Fast Software Encryption 2004. Lecture Notes in Computer Science, vol. 3017, pp. 371–388. Springer, Heidelberg (2004).

39.

Rogaway P., Steinberger J.: Security/efficiency tradeoffs forpermutation-based hashing. In: Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 220–236. Springer, Heidelberg (2008).

40.

Stam M.: Beyond uniformity: Better security/efficiency tradeoffsfor compression functions. In: Advances in Cryptology—CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157, pp. 397–412. Springer, Heidelberg (2008).

41.

Stam M.: Blockcipher-based hashing revisited. In: Fast Software Encryption 2009. Lecture Notes in Computer Science, vol. 5665, pp. 67–83. Springer, Heidelberg (2009).

42.

Steinberger J.: The collision intractability of MDC-2 in the ideal-cipher model. In: Advances in Cryptology—EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515, pp. 34–51. Springer, Heidelberg (2007).

43.

Steinberger J.: Stam’s collision resistance conjecture. In: Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 597–615. Springer, Heidelberg (2010).

44.

Steinberger J., Sun X., Yang Z.: Stam’s conjecture and thresholdphenomena in collision resistance. In: Advances in Cryptology—CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 384–405. Springer, Heidelberg (2012).

Titel: Optimal collision security in double block length hashing with single length key
verfasst von: Bart Mennink
Publikationsdatum: 03.06.2016
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 2/2017
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-016-0227-2

Springer Professional

Optimal collision security in double block length hashing with single length key

Abstract

Premium Partner

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 2/2017

Generic attacks on the Lai–Massey scheme

A new counting method to bound the number of active S-boxes in Rijndael and 3D

An iterative algorithm for parametrization of shortest length linear shift registers over finite chain rings

Truncated differential based known-key attacks on round-reduced SIMON

Intersection sets, three-character multisets and associated codes

Primitive semifields of order

Premium Partner