Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Transcription

1 Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89, Merkle presented three double-block-length hash unctions based on DES. They are optimally collision resistant in a black-box model, that is, the time complexity o any collision-inding algorithm or thes Ω(2 l/2 ) i DES is a random block cipher, where l is the output length. Their drawback is that their rates are low. In this article, new double-block-length hash unctions with higher rates are presented which are also optimally collision resistant in the blackbox model. They are composed o block ciphers whose key length is twice larger than their block length. keywords: double-block-length hash unction, black-box model, block cipher 1 Introduction A cryptographic hash unction is a unction which maps an input o arbitrary length to an output o ixed length. It is one o the most important primitives in cryptography [14] and should satisy preimage resistance, second-preimage resistance and collision resistance. Inormally, preimage resistance means that, given an output, it is ineasible to obtain an input which produces the output. Second-preimage resistance means that, given an input, it is ineasible to obtain another input which produces the same output as the given input. Collision resistance means that it is ineasible to obtain two dierent inputs which produce the same output. For simplicity, a cryptographic hash unction is called a hash unction in this article. A hash unction usually consists o iteration o a compression unction with ixed input/output length and is called an iterated hash unction. Compressionunction constructions are classiied into two types: based on block ciphers and rom scratch. The topic o this article is the ormer. It minimizes design and implementation eort with secure block ciphers. Its major drawback is slow processing speed. However, it is compensated by ast block ciphers such as AES. Furthermore, some recent work has pointed out weakness o SHA amilies [1, 18]. Thus, block-cipher-based hash unctions may become more important. Block-cipher-based hash unctions are classiied into two categories: singleblock-length (SB) and double-block-length (DB). A SB hash unction is a hash unction whose output length is equal to the block length. The output length o a DB hash unction is twice larger than the block length.

2 It is well-known that the birthday attack can ind a collision o a hash unction with time complexity O(2 l/2 ), where l is the output length o the hash unction. The block length o widely used block ciphers is 64 or 128. Thus, SB hash unctions are no longer secure in terms o collision resistance. For DB hash unctions, many constructions have been presented [4, 7 10, 12, 15]. Among them, three DB hash unctions by Merkle [15] have been shown to be optimally collision resistant in a black-box model: the time complexity o any collision-inding algorithm or thes Ω(2 l/2 ), where l is the output length. However, their rates are at most and they are not so eicient. In this article, DB hash unctions are proposed which are more eicient and optimally collision resistant in the black-box model. They can be represented in a simple orm. They are o parallel type and their rates are 1/2. They are based on block ciphers whose key length is twice larger than the block length. Thus, they can be constructed with AES or other previous AES candidates, which support 128-bit blocks and 256-bit keys. The DB hash unctions proposed in this article consist o two dierent block ciphers to be provably secure. Though it seems their drawback, a genuine tweakable block cipher [13] will help obtain virtually two dierent block ciphers with dierent tweaks. Furthermore, it is possible to transorm a DB hash unction with dierent block ciphers to the one with only one block cipher with slightly lower rate by the method used in MDC-2 [4]. Collision resistance as well as preimage resistance o the proposed DB hash unctions is proved in the black-box model. In this model, or the proposed DB hash unctions, second-preimage resistance can be regarded as preimage resistance or the output corresponding to the given input. In the black-box model, a block cipher is assumed to be an invertible keyed random permutation. This is an ideal but still proper assumption in that most o the attacks on blockcipher-based hash unctions do not utilize the internal structure o the block ciphers. The technique in [3] is used in the security proos in this article. It is assumed that two block ciphers are independent in our analysis. The rest o this article is organized as ollows. Section 2 includes notations, deinitions and related work. In Section 3, provably secure DB hash unctions with rate 1/2 consisting o two block ciphers are presented. Security proos are also shown. In Section 4, it is mentioned how to construct provably secure DB hash unctions with one block cipher. A concluding remark is given in Section 5. 2 Preliminaries 2.1 Related Work Preneel, Govaerts and Vandewalle [16] discussed the security o SB hash unctions against several attacks. They considered SB hash unctions with compression unctions represented by h i = e(k, x) z, wheree is an (n, n) block cipher, k, x, z h i 1,,h i 1,v} and v is a constant. They concluded that 12 out o 64(= 4 3 ) hash unctions are secure against the attacks. However, they did not provide any ormal proos.

3 Black, Rogaway and Shrimpton [3] presented a detailed investigation o provable security o SB hash unctions given in [16] in the black-box model. The most important result shown in their paper is that the time complexity o any collision-inding algorithm against 20 hash unctions including the 12 mentioned above is Ω(2 l/2 ), where l is the output length. Knudsen, ai and Preneel [11] discussed the security o DB hash unctions with rate 1 based on (n, n) block ciphers. Hohl, ai, Meier and Waldvogel [7] discussed the security o compression unctions o DB hash unctions with rate 1/2. On the other hand, the security o DB hash unctions with rate 1 based on (n, 2n) block ciphers was discussed by Satoh, Haga and Kurosawa [17] and by Hattori, Hirose and Yoshida [6]. Many schemes with rate less than 1 were also presented. Merkle [15] presented three DB hash unctions based on DES with rates at most They are optimally collision resistant in the black-box model. MDC-2 and MDC-4 [4] are also DB hash unctions based on DES with rates 1/2 and 1/4, respectively. ai and Massey proposed the tandem/abreast Davies-Meyer [12]. They consist o a (n, 2n) block cipher and their rates are 1/2. It is an open question whether the our schemes are optimally collision resistant or not. Knudsen and Preneel studied the schemes to construct secure compression unctions with longer outputs rom secure ones based on error-correcting codes [8 10]. It is also an open question whether optimally collision resistant compression unctions are constructed by their schemes. Recently, Black, Cochran and Shrimpton [2] showed that it is impossible to construct a highly eicient block-cipher-based hash unction provably secure in the black-box model. A block-cipher-based hash unction is highly eicient i it makes exactly one block-cipher call or each message block and all block-cipher calls use a single key. 2.2 Cryptographic Hash Functions A cryptographic hash unction H is a unction which maps an input o arbitrary length to an output o ixed length. H should satisy the ollowing properties. Preimage resistance For a given output y, it is intractable to ind an input x such that y = H(x). Second-preimage resistance For a given input x, it is intractable to ind an input x such that H(x) =H(x )andx x. Collision resistance It is intractable to ind a pair o inputs x and x such that H(x) =H(x )andx x. A hash unction H : 0, 1} 0, 1} l usually consists o a compression unction : 0, 1} l 0, 1} l 0, 1} l andaninitialvalueh 0 0, 1} l.an input s divided into the l -bit blocks m 1,m 2,...,m l. Then, h i = (h i 1, ) is computed successively or 1 i l and h l = H(m). H is called an iterated hash unction.

4 nambiguous padding is applied to its length is not a multiple o l.it is outside the scope o this article and is not described here. 2.3 Block Ciphers and a Black-Box Model A block cipher with the block length n and the key length κ, e : 0, 1} κ 0, 1} n 0, 1} n,iscalledan(n, κ) block cipher. An (n, κ) block cipher is an invertible keyed permutation: e(k, ) is a permutation or every k 0, 1} κ,and it is easy to compute both e(k, ) ande(k, ) 1.Thesetoall(n, κ) block ciphers is denoted by B(n, κ). Most o the attacks on hash unctions based on block ciphers do not utilize the internal structure o the block ciphers. Thus, the security o hash unctions based on block ciphers is oten analyzed in a black-box model, that is, under the assumption that e(k, ) is a randonvertible permutation or each k. In the black-box model, an encryption e and a decryption e 1 can be simulated by the ollowing two oracles. An encryption oracle e returns a randomly selected ciphertext or a query which is a pair o a key and a plaintext. A decryption oracle e 1 returns a randomly selected plaintext or a query which is a pair o a key and a ciphertext. The oracles e and e 1 shareatableotripletso keys, plaintexts and ciphertexts, (k i,x i,y i ) s, which are produced by the queries and the corresponding answers. Reerring to the table, they randomly select an answer to a new query under the restriction that e(k, ) is a permutation or every k. They also add the triplet produced by the query and the answer to the table. Without loss o generality, it is assumed that any adversary with the two oracles e and e 1 asks only once on a triplet o a key, a plaintext and a ciphertext obtained by a query and a corresponding answer: Once the adversary obtains (k, x, y) by a query and the answer, he just keeps it and asks neither (k, x) nor (k, y) aterward. 2.4 DB Hash Functions DB hash unctions with two block-cipher calls in their compression unctions are discussed in the article. et be a compression unction such that (h i,g i )=(h i 1,, ), where h i,g i, 0, 1} n and n is the block length. consists o and such that hi = (h i 1,, ) g i = (h i 1,, ). h i is not ed into and this kind o compression unction is called the parallel type. This type o compression unction is considered in this article.

5 Each o and is composed o a block cipher as ollows: hi = e (k,x ) z g i = e (k,x ) z, where k,x,z and k,x,z are uniquely deined by h i 1,,. The rate r o an iterated hash unction o block-cipher-based is deined by r = (# o block-cipher calls in ) n. It is a measure o the eiciency o block-cipher-based hash unctions. The major dierence should be noticed between the DB hash unctions previously proposed and ones proposed in the article. e and e are identical or the ormer, but are dierent or the latter. 2.5 Deinitions o Security As has been discussed in this section, the security o DB hash unctions is analyzed in the black-box model. Insecurity is quantiied by success probability o an optimal resource-bounded adversary. In the black-box model, the resource is the number o the queries to encryption and decryption oracles. For a set S, z R S represents random sampling rom S under the uniorm distribution. For a probabilistic algorithm M, z R M(x) meansthatz is an output o M with an input x and the output distribution is based on the random choices o M and the input distribution. Collision Resistance. The ollowing experiment FindColHF(A,H) is introduced to deine the collision resistance o a DB hash unction H with two block ciphers e and e. The adversary A is a collision-inding algorithm o H with oracles e,e 1 and e,e 1.ete±1 P represent a pair o oracles e P and e 1 P or P, }. FindColHF(A,H) e R B(n, κ); e R B(n, κ); (m, m ) R A e±1,e±1 ; i m m H(m) =H(m ) return 1; else return 0; FindColHF(A,H) returns 1 i A inds a collision. et Adv coll H (A) bethe probability that FindColHF(A,H) returns 1. The probability is taken over the uniorm distribution on B(n, κ) and coin tosses o A. Deinition 1 (Collision resistance o a hash unction). For q 1, let } Adv coll H (q) =max Adv coll H (A), A where A makes at most q queries to each o e ±1.

6 The ollowing experiment FindColCF(A,,h 0 ) is introduced to deine the collision resistance o a compression unction with two block ciphers e and e. h 0 is an initial value o an iterated hash unction o. FindColCF(A,,h 0 ) e R B(n, κ); e R B(n, κ); ((h, m), (h,m )) R A e±1,e±1 ; i ((h, m) (h,m ) (h, m) =(h,m )) (h, m) =h 0 return 1; else return 0; FindColCF(A,,h 0 ) returns 1 i A inds a collision o or a preimage o h 0. et Adv comp (A) be the probability that FindColCF(A,,h 0 ) returns 1. Deinition 2 (Collision resistance o a compression unction). For q 1, let Adv comp (q) =max A Adv comp } (A), where A asks at most q queries to each o e ±1. Preimage Resistance. The ollowing experiment FindPreImg(A,G) is introduced to deine the preimage resistance o G with two block ciphers e and e. G is a hash unction or a compression unction. FindPreImg(A,G) e R B(n, κ); e R B(n, κ); y R 0, 1} l ; x R A(y) e±1,e±1 ; i G(x) =y return 1; else return 0; FindPreImg(A,G) returns 1 i A inds a preimage o G or an output y chosen randomly. et G (A) be the probability that FindPreImg(A,G) returns 1. Deinition 3 (Preimage resistance). For q 1, let } G (q) =max G (A), A where A makes at most q queries to each o e ±1. Generally speaking, second-preimage resistance is stronger security requirement than preimage resistance. A preimage may have some inormation o another preimage which produces the same output. However, in the black-box model, or the hash unctions or the compression unctions considered in the subsequent sections, a preimage has no inormation useul to ind another preimage. Thus, only preimage resistance is discussed in this article. 3 Provably Secure DB Hash Functions with Two Block Ciphers In this section, the security o DB hash unctions with compression unctions shown in Fig. 1 is analyzed. et be a compression unction such that (h i,g i )=

7 h i 1 x e h i z k 1 k 2 k 1 k 2 z x e g i Fig. 1. A Diagram o Compression Functions with Two Block Ciphers and with Rate 1/2 (h i 1,, )and hi = (h i 1,, ) g i = (h i 1,, ). and consist o (n, 2n) block ciphers e and e, respectively, and are represented as ollows: hi = e (k 1 k 2,x ) z g i = e (k 1 k 2,x ) z, where is the concatenation and k 1,k 2,x,z, k 1,k 2,x,z 0, 1} n are represented by linear combinations o h i 1,, 0, 1} n.namely, k 1 k 1 k 2 x z = h i 1, k 2 x z = h i 1 and both and are 4 3 0, 1}-matrices. 3.1 Collision Resistance In this subsection, a suicient and simple condition o and is presented or an iterated hash unction o to be collision resistant. The collision resistance o compression unctions is ocused on in the remaining part. It has been shown in [5, 15] that an iterated hash unction is collision resistant i its compression unction is. The ollowing lemma states the act in the black-box model.

8 emma 1. [3] et H be an iterated hash unction o. Then, or q 1, Adv coll H (q) Adv comp (q). First, a notation and a simple lemma are given or later use. For 1 r 4, let (r) and(r) denote3 3 0, 1}-matrices obtained by deleting the r-th row o and, respectively. emma 2. I both (3) and (4) are non-singular, then z x,x k 1,x k 2,x k 1 k 2 }. Proo. Since (4) is non-singular, z can be represented by a linear combination o x,k 1,k 2. On the other hand, since (3) is non-singular, z cannot be represented by any linear combinations o k 1,k 2. A suicient condition is given or a compression unction to be collision resistant in the ollowing lemma. emma 3. Suppose that all o (3),(4),(3),(4) are non-singular. Then, or every 1 q 2 n 1 +1, Adv comp (q) q(q +1)/2 2n 1. Proo. et A be a collision-inding algorithm o with oracles e ±1 asks q queries to each o e ±1. Since both (4) and (4) are non-singular and k 1 = (4) h i 1, k 1 = (4) h i 1, k 2 x k 2 x. A the correspondence between (k 1,k 2,x )and(k 1,k 2,x ) is 1-to-1. Thus, once a pair o an input and an output o e,(k 1,k 2,x,y ), is ixed by A s query to e or e 1 and its reply, an input to e,(k 1,k 2,x ), is uniquely determined. Similarly, A s query to e or e 1 and its reply also uniquely determine an input to e. On the other hand, it is necessary to ask a query to each o e ±1 in order to obtain a pair o an input and an output o. The act mentioned above implies that the correspondence between a pair o a query and a reply o e ±1 and that o e ±1 is 1-to-1. Hence, without loss o generality, it is assumed that A asks a query to an oracle and the corresponding query to the other oracle at a time. Since h i = e (k 1 k 2,x ) z = y z and z x,x k 1,x k 2,x k 1 k 2 }

9 rom emma 2, h i depends both on x and on y and one o x and y is determined randomly by a reply o the oracle. Thus, h i is randomly determined by the oracle. g i is also randomly determined by the other oracle. It is assumed that z = x and z = x in the rest o the proo. The proo is similar or the other cases. For every 1 j q, letc j be the event such that (x j y j = h 0 x j y j = g 0 ) j <j(x j y j = x j y j x j y j = x j y j ), where x j,y j and x j,y j correspond to the pairs o the j-th query and its reply o e ±1, respectively. Then, j Pr[C j ] (2 n (j 1)) 2. Thus, i q 2 n 1 +1,then Adv comp (A) Pr[C 1 C q ] = q j=1 q Pr[C j ] j=1 j q (2 n (j 1)) 2 j (2 n 2 n 1 ) 2 j=1 q(q +1) 2 2n 1. The ollowing theores led immediately rom emmas 1 and 3. Theorem 1. et H be an iterated hash unction o. Suppose that all o (3),(4), (3),(4) are non-singular or. Then, Adv coll H (q) q(q +1)/22n 1 or every 1 q 2 n From this theorem, any constant probability o success in inding a collision implies that q = Ω(2 n ). There are many compression unctions satisying the condition given in Theorem 1. The number o s such that (3) and (4) are non-singular is 672. Thus, the number o compression unctions satisying the condition in Theorem 1 is = Preimage Resistance Preimage resistance o iterated hash unctions presented in the previous subsection is discussed here. The ollowing lemma shows the relationship between preimage resistance o an iterated hash unction and that o its compression unction. This lemma is also implicit in [19].

10 emma 4. [3] et H be an iterated hash unction o. Then, or q 1, H (q) Advimg (q). The preimage resistance o compression unctions given in the previous subsection is presented in the ollowing lemma. emma 5. Suppose that all o (3),(4),(3),(4) are non-singular. Then, or every g 1, (q) q/(2 n q) 2. Proo. et A be a preimage-inding algorithm o with oracles e ±1. A asks q queries to each o e ±1.etw be the input o A and w =(w,w ), where w,w 0, 1} n. It is necessary to ask a query to each o e ±1 in order to obtain a pair o an input and an output o. As in the proo o emma 3, the correspondence between a pair o a query and a reply o e ±1 and that o e±1 is 1-to-1. Hence, without loss o generality, it is assumed that A asks a query to an oracle and the corresponding query to the other oracle at a time. Since h i = y z and z x,x k 1,x k 2,x k 1 k 2 } rom emma 2, h i depends both on x and on y and one o x and y is determined randomly by a reply o the oracle. Thus, h i is randomly determined by the oracle. g i is also randomly determined by the other oracle. It is assumed that z = x and z = x in the rest o the proo. The proo is similar or the other cases. For every 1 j q, leti j be the event such that x j y j = w x j y j = w where x j,y j and x j,y j correspond to the pairs o the j-th query and its reply o e ±1, respectively. Then, Thus, Pr[I j ] 1 (2 n (j 1)) 2. (A) Pr[I 1 I q ] q Pr[I j ] j=1 q j=1 1 (2 n (j 1)) 2 q (2 n q) 2.

11 The ollowing theores led immediately rom emmas 4 and 5. Theorem 2. et H be an iterated hash unction o. Suppose that all o (3),(4), (3),(4) are non-singular or. Then, or every q 1, H (q) q (2 n q) 2. Theorem 2 implies nothing about the preimage resistance or q 2 n 2 n/2 +1. It states, however, that the success probability is (asymptotically) negligible as long as q = c 2 n or any positive constant c<1: H (c c 1 2n ) (1 c) 2 2 n. For example, i c =1/2, then H (2n 1 ) 1/2 n 1. 4 Provably Secure DB Hash Functions with One Block Cipher et e be an (n, κ) block cipher and n +2 κ. In this section, the security o DB hash unctions with compression unctions shown in Fig. 2 is analyzed. The let-side unction is ocused on. et us call it. The compression unction is represented as ollows: hi = e( v,h i 1 ) h i 1 g i = e(h i 1 v, ), where 0, 1} l or some 1 l<κ n, andv and v are constants in 0, 1} κ n l such that v v. Since v v, in the black-box model, e with v and e with v can be regarded as two independent random block ciphers. Furthermore, there exists 1-to-1 correspondence between a pair o an input and an output o e with v and that o e with v. From these observations, it is clear that the ollowing lemma can be proved in the similar way as emma 3. emma 6. For the compression unction, i1 q 2 n 1 +1,then Adv comp (q) q(q +1)/2 2n 1. The ollowing theorem states the collision resistance o an iterated hash unction o. This is immediately lead rom emmas 1 and 6.

12 Theorem 3. et H be an iterated hash unction o. Then, Adv coll H (q) q(q +1)/22n 1 or every 1 q 2 n For preimage resistance, similarly, the ollowing theores obtained. Theorem 4. et H be an iterated hash unction o. Then,orq 1, H (q) q (2 n q) 2. In the black-box model, it is suicient that v,v 0, 1} and v v. However, in practice, v,v should be longer in order to avoid weak keys and to increase independence. Suppose that l con be the length o v or v and κ =2n. Then, the rate o H is (1 l con /n)/2. For example, the rate is 7/16 i l con = n/8. The idea that two block ciphers are obtained rom one block cipher by ixing a part o the key with dierent constants is ound in the design o MDC-2 [4]. However, the security proo as shown above does not seem to be applied to MDC-2. h i 1 e h i h i 1 e h i v v v v e g i e g i Fig. 2. Compression Functions with One Block Cipher 5 Conclusion In this article, DB hash unctions provably secure in the black-box model have been presented. They are based on (n, 2n) block ciphers and can be represented in a simple orm. Future work is to explore more eicient DB hash unctions optimally collision resistant. Reerences 1. E. Biham and R. Chen. Near-collisions o SHA-0. Cryptology eprint Archive, Report 2004/146,

13 2. J. Black, M. Cochran, and T. Shrimpton. On the impossibility o highly eicient blockcipher-based hash unctions. Cryptology eprint Archive, Report 2004/062, J. Black, P. Rogaway, and T. Shrimpton. Black-box analysis o the block-cipherbased hash-unction constructions rom PGV. In CRYPTO 2002 Proceedings, pages , ecture Notes in Computer Science B. O. Brachtl, D. Coppersmith, M. M. Hyden, S. M. Matyas Jr., C. H. W. Meyer, J. Oseas, S. Pilpel, and M. Schilling. Data authentication using modiication detection codes based on a public one-way encryption unction, mar S. Patent # 4,908, I. Damgård. A design principle or hash unctions. In CRYPTO 89 Proceedings, pages , ecture Notes in Computer Science M. Hattori, S. Hirose, and S. Yoshida. Analysis o double block length hash unctions. In 9th IMA International Conerence on Cryptography and Coding, pages , ecture Notes in Computer Science W. Hohl, X. ai, T. Meier, and C. Waldvogel. Security o iterated hash unctions based on block ciphers. In CRYPTO 93 Proceedings, pages , ecture Notes in Computer Science Knudsen and B. Preneel. Hash unctions based on block ciphers and quaternary codes. In ASIACRYPT 96 Proceedings, pages 77 90, ecture Notes in Computer Science Knudsen and B. Preneel. Fast and secure hashing based on codes. In CRYPTO 97 Proceedings, pages , ecture Notes in Computer Science Knudsen and B. Preneel. Construction o secure and ast hash unctions using nonbinary error-correcting codes. IEEE Transactions on Inormation Theory, 48(9): , R. Knudsen, X. ai, and B. Preneel. Attacks on ast double block length hash unctions. Journal o Cryptology, 11(1):59 72, X. ai and J.. Massey. Hash unction based on block ciphers. In EROCRYPT 92 Proceedings, pages 55 70, ecture Notes in Computer Science M. iskov, R.. Rivest, and D. Wagner. Tweakable block ciphers. In CRYPTO 2002 Proceedings, pages 31 46, ecture Notes in Computer Science A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook o Applied Cryptography. CRC Press, R. C. Merkle. One way hash unctions and DES. In CRYPTO 89 Proceedings, pages , ecture Notes in Computer Science B. Preneel, R. Govaerts, and J. Vandewalle. Hash unctions based on block ciphers: A synthetic approach. In CRYPTO 93 Proceedings, pages , ecture Notes in Computer Science T. Satoh, M. Haga, and K. Kurosawa. Towards secure and ast hash unctions. IEICE Transactions on Fundamentals, E82-A(1):55 62, X. Wang, D. Feng, X. ai, and H. Yu. Collisions or hash unctions MD4, MD5, HAVA-128 and RIPEMD. Cryptology eprint Archive, Report 2004/199, R. S. Winternitz. A secure one-way hash unction built rom DES. In IEEE Symposium on Security and Privacy, pages 88 90, 1984.