Security Reductions of the Second Round SHA-3 Candidates

Transcription

1 Security Reductions o the Second Round SA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva, bart.mennink}@esat.kuleuven.be Abstract. In 2007, the US National Institute or Standards and Technology announced a call or the design o a new cryptographic hash algorithm in response to vulnerabilities identiied in existing hash unctions, such as MD5 and SA-1. NIST received many submissions, 51 o which got accepted to the irst round. At present, 14 candidates are let in the second round. An important criterion in the selection process is the SA-3 hash unction security and more concretely, the possible security reductions o the hash unction to the security o its underlying building blocks. While some o the candidates are supported with irm security reductions, or most o the schemes these results are still incomplete. In this paper, we compare the state o the art provable security reductions o the second round candidates. We discuss all SA-3 candidates at a high unctional level, and analyze and summarize the security reduction results. Surprisingly, we derive some security bounds rom the literature, which the hash unction designers seem to be unaware o. Additionally, we generalize the well-known proo o collision resistance preservation, such that all SA-3 candidates with a suix-ree padding are covered. 1 Introduction ash unctions are a building block or numerous cryptographic applications. In 2004 a series o attacks by Wang et al. [51,52] have exposed security vulnerabilities in the design o the most widely adopted and deployed SA-1 hash unction. As a result, the US National Institute or Standards and Technology (NIST recommended the replacement o SA-1 by the SA-2 hash unction amily and announced a call or the design o a new SA-3 hashing algorithm. The SA-3 hash unction must allow or message digests o length 224, 256, 384 and 512 bits, it should be eicient, and most importantly it should provide an adequate level o security. In the current second round, 14 candidate hash unctions are still in the race or the selection o the SA-3 hash unction. These candidates are under active evaluation by the cryptographic community. As a result o the perormed comparative analysis, several classiications o the SA-3 candidates, mostly ocussed on hardware perormance, appeared in the literature [27,50,26,35]. A classiication based on the speciied by NIST security criteria is however still due. NIST Security Requirements. NIST speciies a number o security requirements [43] to be satisied by the uture SA-3 unction: (i at least one variant o the hash unction must securely support MAC and randomized hashing. Furthermore, or all n-bit digest values, the hash unction must provide (ii preimage resistance o approximately n bits, (iii second preimage resistance o approximately n L bits, where the irst preimage is o length at most 2 L blocks, (iv collision resistance o approximately n/2 bits, and (v all variants must be resistant to the length-extension attack. Finally, (vi or any m n, the hash unction speciied by taking a ixed subset o m bits o the unction s output is required to satisy properties (ii-(v with n replaced by m. Our Contribution. In this work we provide a survey o the 14 remaining SA-3 candidates, in which we compare their security reductions. More concretely, we consider preimage, second preimage and collision resistance (security requirements (ii-(iv or the n = 256 and n = 512 variants. Most o our security analysis is realized in the ideal model, where one or more o the underlying

2 integral building blocks (e.g., the underlying block cipher or permutation(s are assumed to be ideal, i.e. random primitives. Additionally, to argue collision security we extend the standard proo o Merkle-Damgård collision resistance [21,41] to cover all SA-3 candidate hash unctions with a suix-ree padding (App. A. Notice that the basic Merkle-Damgård proo does not suice in the presence o a inal transormation and/or a chopping. Furthermore, we consider the indierentiability o the candidates. Inormally, indierentiability guarantees that a design has no structural design laws [20], and in particular (as ormally proven in App. B an indierentiability result provides upper bounds on the advantage o inding preimages, second preimages and collisions. Our main contribution consists in perorming a comparative survey o the existing security results on the 14 hash unction candidates and results derivable rom earlier works on hash unctions, and suggesting possible research directions aimed at resolving some o the identiied open problems. Section 2 briely covers the notation, and the basic principles o hash unction design. In Sect. 3, we consider all candidates rom a provable security point o view. We give a high level algorithmic description o each hash unction, and discuss the existing security results. All results are summarized in Table 1. We conclude the paper with Sect. 4 and give some inal remarks on the security comparison. 2 Preliminaries For a positive integer value n N, we denote by Z n 2 the set o bit strings o length n, and by (Zn 2 the set o strings o length a positive multiple o n bits. We denote by Z 2 the set o bit strings o arbitrary length. I x, y are two bit strings, their concatenation is denoted by x y. By x we denote the length o a bit string x, and or m, n N we denote by m n the encoding o m as an n-bit string. The unction chop n (x chops o n bits o a bit string x. Throughout, we use a uniied notation or all candidates. The value n denotes the output size o the hash unction, l the size o the chaining value, and m the number o message bits compressed in one iteration o the compression unction. A padded message is always parsed as a sequence o k 1 message blocks o length m bits: (M 1,..., M k. 2.1 Security Notions In this section we investigate the security o the hash unctions in the ideal model and the more classical generic security. Security in the ideal model. In the ideal model, a compressing unction F (either on ixed or arbitrary input lengths that uses one or more underlying building blocks is viewed insecure i there exists a successul inormation-theoretic adversary that has only query access to the idealized underlying primitives o F. The complexity o the attack is measured by the number o queries q to the primitive made by the adversary. In this work it is clear rom the context which o the underlying primitives is assumed to be ideal. The three main security properties required rom the SA-3 hash unction are preimage, second preimage and collision resistance. For each o these three notions, with Adv atk F, where atk {pre, sec, col}, we denote the maximum advantage o an adversary to break the unction F under the security notion atk. The advantage is the probability unction taken over all random choices o the underlying primitives, and the maximum is taken over all adversaries that make at most q queries to their oracles. Additionally, we consider the indierentiability o the SA-3 candidates. The indierentiability

3 ramework introduced by Maurer et al. [40] is an extension o the classical notion o indistinguishability, and ensures that a hash unction has no structural deects. We denote the indierentiability security o a hash unction by Adv pro, maximized over all distinguishers making at most q queries o maximal length K 0 message blocks to their oracles. We reer to [20] or a ormal deinition. An indierentiability bound guarantees security o the hash unction against speciic attacks. In particular, one can obtain a bound on Adv atk, or any security notion atk: Advatk Pratk RO + Advpro, where Pr atk RO denotes the success probability o a generic attack against under atk. This bound is proven in Thm. 2 (App. B. Generic security. The generic collision security in the context o this work deals with analyzing the collision resistance o hash unctions in the standard model. A hash unction is called generically (t, ε collision resistant i no adversary running in time at most t can ind two dierent messages M, M such that (M = (M with advantage more than ε. We denote by Adv gcol the generic collision resistance security o the unction, maximized over all eicient adversaries. We reer the reader to [46,45,2] or a more ormal discussion. To argue generic collision security o the hash unction (as domain extenders o ixed input length compression unctions we use the composition result o [21,41] and extend it to a wider class o suix-ree hash unctions (App. A. This result concludes the collision security o the hash unction assuming collision security guarantees rom the underlying compression unctions. We then translate ideal model collision security results on the compression unctions via the latter composition to ideal model collision results on the hash unction (expressed by Adv col. A generic collision result, generally speaking, applies to a wider class o schemes or which no bounds on the collision security o the underlying compression unctions is known, e.g. or BLAKE and BMW. I a compressing unction F outputs a bit string o length n, one expects to ind collisions with high probability ater approximately 2 n/2 queries (due to the birthday attack. Similarly, (second preimages can be ound with high probability ater approximately 2 n queries 1. Moreover, inding second preimages is provably harder than inding collisions, and similar or preimages (conditionally [46]. Formally, we have Ω(q 2 /2 n = Adv col F Adv pre F Adv col F = O(1, Ω(q/2n = Adv sec F Advcol F, and Ω(q/2n = + ε, where ε is negligible i F is a variable input length compressing unction. In the remainder, we will consider these bounds or granted, and only include security results that improve either o these bounds. A bound is called tight i the lower and upper bound are the same up to a constant actor, and optimal i the bound is tight with respect to the original lower bound. 2.2 Compression Function Design Strategies A common way to build compression unctions is to base it on a block cipher [44,16,49], or on a (limited number o permutation(s [15,47,48]. Preneel et al. [44] analyzed and categorized 64 block cipher based compression unctions. Twelve o them are ormally proven secure by Black et al. [16]. These results have been recently generalized by Stam [49]. Interestingly, the latter result implies security bounds or some compression unctions that do not it in the PGV-model, like ECO, amsi and SIMD. Throughout, by PGVx we denote the x th type compression unction o [44]. We note that PGV1, PGV3 and PGV5 are better known as the Matyas-Meyer-Oseas, the Miyaguchi-Preneel and the Davies-Meyer compression unctions, respectively. 1 Kelsey and Schneier [34] describe a second preimage attack on the Merkle-Damgård hash unction that requires at most approximately 2 n L queries, where the irst preimage is o length at most 2 L blocks. This attack does, however, not apply to all SA-3 candidates. In particular, wide-pipe designs remain mostly unaected due to their increased internal state [34].

4 In the context o permutation based compression unctions, Black et al. [15] analyzed 2l- to l-bit compression unctions based on one l-bit permutation, and proved them insecure. This result has been generalized by Rogaway and Steinberger [47] and Stam [48] to compression unctions with arbitrary input and output sizes, and an arbitrary number o underlying permutations. Their bounds indicate the expected number o queries required to ind collisions or preimages or permutation based compression unctions. 2.3 ash Function Design Strategies In order to allow the hashing o arbitrarily long strings, all SA-3 candidates employ a speciic mode o operation. Central to all designs is the iterated hash unction principle [37]: on input o an initialization vector IV, the iterated hash unction based on the compression unction proceeds a padded message (M 1,..., M k as ollows: (IV; M 1,..., M k = h k, where: h 0 = IV, h i = (h i 1, M i or i = 1,..., k. This principle is also called the plain Merkle-Damgård (MD design [41,21]. Each o the 14 remaining candidates is based on this design, possibly ollowed by a inal transormation (FT, and/or a chop-unction 2. The padding unction pad : Z 2 (Zm 2 is an injective mapping that transorms a message o arbitrary length to a message o length a multiple o m bits (the number o message bits compressed in one compression unction iteration. Most o the candidates employ a suiciently strong padding rule (c. App. C. Additionally, in some o the designs the message blocks are compressed along with speciic counters or tweaks, which may strengthen the padding rule. We distinguish between preix-ree and/or suix-ree padding. A padding rule is called suix-ree, i or any distinct M, M, there exists no bit string X such that pad(m = X pad(m. The plain MD design with any suix-ree padding (also called MD-strengthening [37] preserves collision resistance [41,21]. We generalize this result in Thm. 1 (App. A: inormally, this preservation result also holds i the iteration is inalized by a distinct compression unction and/or the chop-unction. Other security properties, like preimage resistance, are however not preserved in the MD design [2]. It is also proven that the MD design with a suix-ree padding need not necessarily be indierentiable [20]. owever, the MD construction is indierentiable i it ends with a chopping unction or a inal transormation [20] 3. A padding rule is called preix-ree, i or any distinct M, M, there exists no bit string X such that pad(m = pad(m X. It has been proved in [20] that the MD design with preix-ree padding is indierentiable rom a random oracle. Security notions like collision-resistance, are however not preserved in the MD design with preix-ree only padding. AIFA design. A concrete design based on the MD principle is the AIFA construction [13]. In AIFA the message is padded in a speciic way so as to solve some deiciencies o the original MD construction: in the iteration, each message block is accompanied with a ixed (optional salt o s bits and a (mandatory counter C i o t bits. The counter C i keeps track o the number o message 2 A unction g is a inal transormation i it diers rom, and is applied to the inal state, possibly with the injection o an additional message block. The chop-unction is not considered to be (a part o a inal transormation. 3 The indierentiability results o [20] hold i the underlying compression unction is ideal, or i the hash unction is based on the PGV5 construction with ideal block cipher.

5 bits hashed so ar, and equals 0 by deinition i the i th block does not contain any message bits. Partially due to the properties o this counter, the AIFA padding rule is suix- and preix-ree. As a consequence, the construction preserves collision resistance (c. Thm. 1 and the indierentiability results o [20] carry over. For the AIFA design, these indierentiability results are improved in [11]. Furthermore, the AIFA construction is proven secure against second preimage attacks i the underlying compression unction is assumed to behave like an ideal primitive [18]. Wide-pipe design. In the wide-pipe design [39], the iterated state size is signiicantly larger than the inal hash output: at the end o the iteration, a raction o the output o a construction is discarded. As proved in [20], the MD construction with a distinct inal transormation and/or chopping at the end is indierentiable rom a random oracle. Sponge unctions. We do not explicitly consider sponge unctions [10] as a speciic type o construction: all SA-3 candidates known to be sponge(-like unctions, Cubeash, Fugue, J, Keccak and Lua, can be described in terms o the chop-md construction (possibly with a inal transormation beore or instead o the chopping. 3 SA-3 ash Function Candidates In this section, we analyze the security o the 14 remaining SA-3 candidates in more detail. For simplicity, we only consider the proposals o the SA-3 candidates that output digests o 256 or 512 bits. Observe that in many candidate SA-3 hash unction amilies, the algorithms that output 224 or 384 bits are the same as the 256- or 512-bits algorithms, except or an additional chopping at the end. Particularly, the results o [20] and Thm. 1 carry over in most o the cases. The same remark applies to requirement (vi o NIST. Requirement (i. All designers claim that their proposal can saely be used in MAC mode [4] or or randomized hashing [33], and we do not discuss it here; Requirements (ii-(iv. Preimage, second preimage and collision resistance o each hash unction are discussed in this section. Additionally, we consider the indierentiability o the candidates; Requirement (v. All hash unction candidates are secure against the length extension attack, and thus we do not discuss it urther. Below, we examine the SA-3 candidate hash unctions in more detail. Each paragraph contains an inormal discussion or each o the second round SA-3 candidates and their security reduction results. The mathematical descriptions o the (abstracted designs are given in Fig. 1, and the candidates padding unctions are summarized in App. C. The concrete security results or all current candidate hash unctions are summarized in Table 1. More precisely, or each candidate and each security notion, this table includes the security bound, as ar as it exists, and the underlying assumption The BLAKE hash unction [3] is a AIFA construction. The message blocks are accompanied with a AIFA-counter, and more generally, the unction employs a suix- and preix-ree padding rule. The compression unction is block cipher based 4. It moreover employs an injective linear unction L, and a linear unction L that XORs the irst and second halves o the input. Security o BLAKE. The compression unction o BLAKE shows similarities with the PGV5 compression unction [16], but no security results are known or this variation. The mode o operation 4 As observed in [3, Sect. 5], the core part o the compression unction can be seen as a permutation keyed by the message, which we view here as a block cipher.

6 BLAKE: (n, l, m, s, t {(256, 256, 512, 128, 64, (512, 512, 1024, 256, 128} E : Z 2l 2 Zm 2 Z2l 2 a block cipher L : Z l+s+t 2 Z 2l 2, L : Z 2l 2 Zl 2 linear unctions (h, M, S, C = L (E M (L(h, S, C h (S S BLAKE(M = h k, where: (M 1,..., M k pad 1 (M; h 0 IV S Z s 2 ; (C i k i=1 AIFA-counter h i (h i 1, M i, S, C i or i = 1,..., k BMW: (n, l, m {(256, 512, 512, (512, 1024, 1024} E : Z m 2 Zl 2 Zm 2 a block cipher L : Z l+m+l 2 Z l 2 a compressing unction (h, M = L(h, M, E h (M g(h = (IV, h BMW(M = h, where: (M 1,..., M k pad 2 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [g(h k ] Cubeash: (n, l, m {(256, 1024, 256, (512, 1024, 256} P : Z l 2 Zl 2 a permutation (h, M = P (h (M 0 l m g(h = P 10 (h ( Cubeash(M = h, where: (M 1,..., M k pad 3 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [g(h k ] ECO: (n, l, m, s, t {(256, 512, 1536, 128, 64/128, (512, 1024, 1024, 256, 64/128} E : Z Z s+t 2 Z a block cipher L : Z Z l 2 a linear unction (h, M, S, C = L(E S,C (h M (h M ECO(M = h, where: (M 1,..., M k pad 4 (M; h 0 IV S Z s 2 ; (C i k i=1 AIFA-counter h i (h i 1, M i, S, C i or i = 1,..., k h chop l n [h k ] Fugue: (n, l, m {(256, 960, 32, (512, 1152, 32} P, P : Z l 2 Zl 2 permutations L : Z l 2 Zm 2 Zl 2 a linear unction (h, M = P (L(h, M Fugue(M = h, where: (M 1,..., M k pad 5 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [ P (h k ] Grøstl: (n, l, m {(256, 512, 512, (512, 1024, 1024} P, Q : Z l 2 Zl 2 permutations (h, M = P (h M Q(M h g(h = P (h h Grøstl(M = h, where: (M 1,..., M k pad 6 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [g(h k ] amsi: (n, l, m {(256, 256, 32, (512, 512, 64} P, P : Z 2n 2 Z 2n 2 permutations Exp : Z m 2 Zn 2 a linear code (h, M = h chop n [P (Exp(M h] g(h, M = h chop n [ P (Exp(M h] amsi(m = h, where: (M 1,..., M k pad 7 (M; h 0 IV h i (h i 1, M i or i = 1,..., k 1 h g(h k 1, M k J: (n, l, m {(256, 1024, 512, (512, 1024, 512} P : Z l 2 Zl 2 a permutation (h, M = P (h (0 l m M (M 0 l m J(M = h, where: (M 1,..., M k pad 8 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [h k ] Keccak: (n, l, m {(256, 1600, 1088, (512, 1600, 576} P : Z l 2 Zl 2 a permutation (h, M = P (h (M 0 l m Keccak(M = h, where: (M 1,..., M k pad 9 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop l n [h k ] Lua: (n, l, m, w {(256, 768, 256, 3, (512, 1278, 256, 5} P i : Z m 2 Zm 2 (i = 1,..., w permutations L : Z wm+m 2 Z wm 2, L : Z wm 2 Z m 2 linear unctions (h, M = (P 1 (h 1 Pw(h w where (h 1,..., h w = L(h, M g(h = (L (h L ((h, 0 m Lua(M = h, where: (M 1,..., M k pad 10 (M; h 0 IV h i (h i 1, M i or i = 1,..., k h chop 512 n [g(h k ] Shabal: (n, l, m {(256, 1408, 512, (512, 1408, 512} E : Z Z Z a block cipher (h, C, M = (y 1, h 3 M, y 3 where h Z l 2 h = (h 1, h 2, h 3 Z 384+m+m 2 and (y 1, y 3 = E M,h3 (h 1 (0 320 C, h 2 + M Shabal(M = h, where: (M 1,..., M k pad 11 (M; h 0 IV h i (h i 1, i 64, M i or i = 1,..., k h k+i (h k+i 1, k 64, M k or i = 1,..., 3 h chop l n [h k+3 ] SAvite-3: (n, l, m, s, t {(256, 256, 512, 256, 64, (512, 512, 1024, 512, 128} E : Z l 2 Zm+s+t 2 Z l 2 a block cipher (h, M, S, C = E M,S,C (h h SAvite-3(M = h k, where: (M 1,..., M k pad 12 (M; h 0 IV S Z s 2 ; (C i k i=1 AIFA-counter h i (h i 1, M i, S, C i or i = 1,..., k SIMD: (n, l, m {(256, 512, 512, (512, 1024, 1024} block ciphers E, Ẽ : Zl 2 Zm 2 Zl 2 (h, M = L(h, E M (h M g(h, M = L(h, ẼM (h M SIMD(M = h, where: (M 1,..., M k pad 13 (M; h 0 IV h i (h i 1, M i or i = 1,..., k 1 h k g(h k 1, M k h chop l n [h k ] Skein: (n, l, m {(256, 512, 512, (512, 512, 512} E : Z m 2 Z128 2 Z l 2 Zm 2 a tweakable block cipher (h, T, M = E h,t (M M Skein(M = h, where: (M 1,..., M k pad 14 (M; h 0 IV (T i k i=1 round-speciic tweaks h i (h i 1, T i, M i or i = 1,..., k h chop l n [h k ] Fig. 1. The padding rules employed by the unctions are summarized in App. C. In all algorithm descriptions, IV denotes an initialization vector, h denotes state values, M denotes message blocks, S denotes a (ixed salt, C denotes a counter and T denotes a tweak. The unctions L, L, Exp underlying BLAKE, BMW, ECO, Fugue, amsi and Lua, are explained in the corresponding section.

7 o BLAKE is based on the AIFA structure, and as a consequence all security properties regarding this type hold [13]. In particular, the design preserves collision resistance, and is secure against second preimage attacks. Also, the BLAKE hash unction is indierentiable rom a random oracle i the underlying compression unction is assumed to be ideal, due to the AIFA counter [20,11]. Using Thm. 2, this indierentiability bound additionally renders an optimal collision resistance bound or BLAKE, Adv col = Θ(q2 /2 n The Blue Midnight Wish (BMW hash unction [31] is a chop-md construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is block cipher based 5, and the inal transormation g consists o the same compression unction with the chaining value processed as a message, and with an initial value as chaining input. The compression unction employs a unction L which consists o two compression unctions with speciic properties as speciied in [31]. Security o BMW. The compression unction o BMW shows similarities with the PGV3 compression unction [16], but no security results are known or this variation. Thm. 1 applies to BMW, where the inal transormation has no message block as input. Furthermore, albeit no indierentiability proo or the BMW hash unction is known, we note that BMW can be seen as a combination o the MAC- and the chop-construction, both proven indierentiable rom a random oracle [20] The Cubeash hash unction [7] is a chop-md construction, with a inal transormation beore chopping. The compression unction is permutation based, and the inal transormation g consists o lipping a certain bit in the state and applying 10 more compression unction rounds on zero-messages. Security o Cubeash. The compression unction o Cubeash is based on one permutation 6, and collisions and preimages or the compression unction can be ound in one query to the permutation [15]. The inal transormation o Cubeash consists o ten compression unction rounds with zeromessages, preceded by one bit lip in the chaining. As a consequence, throughout the execution o Cubeash, in total at most m + 1 out o l wires o the chaining are aected by message injection. Thereore this construction ollows the sponge design with rate m + 1, and capacity l m 1, and the indierentiability result o [8] carries over 7. Using Thm. 2, this indierentiability bound additionally renders an optimal collision ( resistance bound or Cubeash, Adv col = Θ(q2 /2 n, as well as an improved upper bound O q 2 + q2 on the preimage and second preimage resistance. n 2 l n Note that these bounds are optimal or the n = 256 variant The ECO hash unction [6] is a chop-aifa construction. The message blocks are accompanied with a AIFA-counter, and more generally, the unction employs a suix- and preix-ree padding rule. The compression unction is block cipher based 8. It moreover employs a linear unction L that chops the state in blocks o length l bits, and XORs these. Security o ECO. The compression unction o ECO is a chopped single call Type-I compression unction in the categorization o [49]. Thereore, the results o [49, Thm. 15] carry over, yielding optimal security bounds or the compression unction. Observe that these results can easily be ad- 5 As observed in [31], the compression unction can be seen as a generalized PGV3 construction, where the unction 0 o [31] deines the block cipher keyed with the chaining value. 6 Eectively, this permutation consists o one simpler permutation executed 16 times iteratively. 7 The sponge design requires the last block o a padded message to be non-zero, which is not the case or Cubeash. owever, i the squeezing o the sponge takes only one round, this is not required or the indierentiability proo. 8 As observed in [6], the core part o the compression unction can be seen as a permutation keyed by the salt and counter, which we view here as a block cipher. This cipher is AES-based.

8 justed to obtain bound Adv col chop = Θ(q2 /2 n. ECO is a combination o AIFA and chop-md, but it is unclear whether all AIFA security properties hold ater chopping. Still, Thm. 1 applies to ECO, and as a consequence we obtain Adv col = Θ(q2 /2 n. Furthermore, the ECO hash unction would be indierentiable rom a random oracle i the underlying compression unction is assumed to be ideal, due to the chopping unction at the end [20]. owever, the compression unction o ECO is easily dierentiable rom a random oracle [29], and we cannot directly apply the results o [20] The Fugue hash unction [32] is a chop-md construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is permutation based, and the inal transormation consists o a permutation P which diers rom P in the parametrization. The compression unction employs a linear unction L or message injection (TIX o [32]. Security o Fugue. The compression unction o Fugue is based on one permutation, and collisions and preimages or the compression unction can be ound in one query to the permutation [15]. As a consequence, the result o Thm. 1 is irrelevant, even though the padding rule o Fugue is suix-ree. The Fugue hash unction borrows characteristics rom the sponge design, and ideas rom the indierentiability proo o [8] may carry over. This is, however, not immediately clear due to the inal transormation beore chopping The Grøstl hash unction [30] is a chop-md construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is permutation based, and the inal transormation g is deined as g(h = P (h h. Security o Grøstl. The compression unction o Grøstl is permutation based, and the results o [47,48] apply. Furthermore, the preimage resistance o the compression unction is analyzed in [28], and an upper bound or collision resistance can be obtained easily. As a consequence, we obtain tight security bounds on the compression unction, Adv pre = Θ(q 2 /2 l and Adv col = Θ(q 4 /2 l. Thm. 1 applies to Grøstl, where the inal transormation has no message block as input. Observe that we also have Adv col chop g = Θ(q2 /2 n, and as a consequence we obtain Adv col = Θ(q2 /2 n. Furthermore, the Grøstl hash unction is proven indierentiable rom a random oracle i the underlying permutations are ideal [1] The amsi hash unction [36] is a MD construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is permutation based, but the last round is executed with a compression unction g based on a permutation P which diers rom P in the parametrization. The compression unctions employ a linear code Exp or message injection [36]. Security o amsi. The compression unction o amsi is a chopped single call Type-I compression unction in the categorization o [49]. Thereore, the results o [49, Thm. 15] carry over, yielding optimal security bounds or the compression unction. Observe that these bounds also apply to the unction g. Thm. 1 applies to amsi, and as a consequence we obtain Adv col = Θ(q2 /2 n. Furthermore, albeit no indierentiability proo or the amsi hash unction is known, we note that amsi can be seen as a variation o the NMAC-construction, which is proven indierentiable rom a random oracle [20] The J hash unction [53] is a chop-md construction. The hash unction employs a suix-ree padding rule. The compression unction is permutation based. Security o J. The compression unction o J is based on one permutation, and collisions and

9 preimages or the compression unction can be ound in one query to the permutation [15]. As a consequence, the result o Thm. 1 is irrelevant, even though the padding rule o J is suix-ree. The J hash unction is proven indierentiable rom a random oracle i the underlying permutation is assumed to be ideal [12]. Using Thm. 2, this indierentiability bound additionally renders improved ( upper bounds on the preimage, second preimage and collision ( resistance: we obtain Adv col = O q q3, and both Adv pre n 2 l m and Advsec are o the order O q 2 +. q3 Note that n 2 l m the collision resistance bound is optimal or the n = 256 variant The Keccak hash unction [9] is a chop-md construction. The compression unction is permutation based. The hash unction output is obtained by chopping o l n bits o the state 9. Notice that the parameters o Keccak satisy l = 2n + m. Security o Keccak. The compression unction o Keccak is based on one permutation, and collisions and preimages or the compression unction can be ound in one query to the permutation [15]. The Keccak hash unction is proven indierentiable rom a random oracle i the underlying permutation is assumed to be ideal [8]. Using Thm. 2, this indierentiability bound additionally renders an optimal collision resistance bound or Keccak, Adv col = Θ(q2 /2 n, as well as an optimal preimage second preimage resistance bound Θ(q/2 n The Lua hash unction [22] is a chop-md construction, with a inal transormation beore chopping. The compression unction is permutation based, and the inal transormation g is built on this compression unction and a linear unction L that chops the state in blocks o length m bits, and XORs these. The compression unction employs a linear unction L or message injection (MI o [22] 10. Notice that the state size o Lua satisies l = w m. Security o Lua. The compression unction o Lua is based on w permutations executed independently. As a consequence, collisions and preimages or the compression unction can be ound in at most 5 queries to the permutations [15]. The Lua hash unction borrows characteristics rom the sponge design, i the permutation P consisting o the w permutations P i is considered ideal, and ideas rom the indierentiability proo o [8] may carry over. owever, or the case o w dierent permutations P i this is not immediately clear The Shabal hash unction [19] is a chop-md construction. The message blocks are accompanied with a counter, and the last block is iterated three times. In particular, the unction employs a suix- and preix-ree padding rule. The compression unction is block cipher based 11. Notice that the parameters o Shabal satisy l = m. Security o Shabal. A bound on the collision resistance o the compression unction o Shabal is derived in [19]. Concretely, it is proven that the Shabal compression unction is collision resistant up to q = 2 (l m/2 queries. Thm. 1 applies to Shabal. Collision and preimage resistance o Shabal are studied in [19], yielding optimal bounds Adv pre = Θ(q/2n and Adv col = Θ(q2 /2 n. Furthermore, the same authors prove the Shabal hash unction to be indierentiable rom a random oracle i the underlying block cipher is assumed to be ideal [19]. ( Using Thm. 2, this indierentiability bound additionally renders an improved upper bound O q 2 + q2 on the second preimage resistance. n 2 l m Note that this bound is optimal or the n = 256 variant. 9 We notice that sponge unctions are designed more general [10], but or Keccak this description suices. 10 We deined the output transormation in a slightly more complicated but uniied way. Essentially, Lua 256 simply outputs L (h. Observe that we implicitly captured the extra compression unction call in the adjusted padding. 11 Essentially, it is a permutation tweaked by a 1024-bit key, which we view here as a block cipher.

10 3.12. The SAvite-3 hash unction [14] is a AIFA construction. The message blocks are accompanied with a AIFA-counter, and more generally, the unction employs a suix- and preix-ree padding rule. The compression unction is block cipher based. Security o SAvite-3. The compression unction o SAvite-3 is the PGV5 compression unction, and the security results o [16] carry over. As a consequence, we obtain optimal security bounds on the compression unction. The mode o operation o SAvite-3 is based on the AIFA structure, and as a consequence all security properties regarding this type hold [13]. In particular, the design preserves collision resistance, and as a consequence we obtain Adv col = Θ(q2 /2 n. Also, the design is secure against second preimage attacks. Finally, the SAvite-3 hash unction is indierentiable rom a random oracle i the underlying block cipher is assumed to be ideal, due to the preix-ree padding [20]. This result has been improved under the assumption that the underlying compression unction is ideal [11]. owever, the compression unction o SAvite-3 is easily dierentiable rom a random oracle due to the presence o ixed-points The SIMD hash unction [38] is a chop-md construction, with a inal transormation beore chopping. The hash unction employs a suix-ree padding rule. The compression unction is block cipher based, but the last round is executed with a compression unction g based on a block cipher Ẽ which diers rom E in the parametrization. These unction employ a quasi-group operation 12 L [38]. Security o SIMD. The compression unction o SIMD is a rate-1 Type-I compression unction in the categorization o [49]. Thereore, the results o [49, Thm. 6] carry over, yielding optimal security bounds or the compression unction. Observe that these bounds also apply to the unction g. Observe moreover that these results can easily be adjusted to obtain bound Adv col chop g = Θ(q2 /2 n. Thm. 1 applies to SIMD, and as a consequence we obtain Adv col = Θ(q2 /2 n. Furthermore, the SIMD hash unction would be indierentiable rom a random oracle i the underlying compression unctions are assumed to be ideal, due to the chopping unction at the end [20]. owever, the compression unctions o SIMD are easily dierentiable rom a random oracle [17], and we cannot directly apply the results o [20] The Skein hash unction [25] is a chop-md construction. The message blocks are accompanied with a round-speciic tweak 13, and more generally, the unction employs a suix- and preix-ree padding rule. The compression unction is based on a tweakable block cipher. Security o Skein. The compression unction o Skein is the PGV1 compression unction, with a dierence that a tweak is involved. As claimed in [5], the results o [16] carry over, which in turn results in optimal security bounds on the compression unction. Thm. 1 applies to Skein, and as a consequence we obtain Adv col = Θ(q2 /2 n. Furthermore, the Skein hash unction is proven indierentiable rom a random oracle i the underlying tweakable block cipher is assumed to be ideal [5]. This proo is based on the preimage-awareness approach [24]. 12 For any o the variables ixed, the unction L is a permutation. 13 More ormally, the design is based on the UBI (unique block identiier chaining mode which queries its underlying tweakable block cipher on additional tweaks, that dier in each iteration. The general description o Skein involves a speciic inal transormation. In the primary proposal o the hash unction, however, this inal transormation consists o another execution o the compression unction, with an output-speciic tweak and with message 0 m. As we included this inal message block in the padding, the given description o Skein suices.

11 4 Summary and Conclusions In this survey, we compared the security achieved by the remaining round 2 SA-3 hash unction candidates, when their underlying primitives are assumed to be ideal. The main contribution o this paper is the summary o the security reductions or the hash unction candidates in Table 1. Beore giving an interpretation o these results, we irst make some remarks on the provided classiication. Assuming ideality o the underlying primitives (permutations or block ciphers is not realistic. In particular, none o the candidates primitives is ideal, and some even have identiied weaknesses. owever, assuming ideality o these primitives gives signiicantly more conidence in the security o the higher level structure and is the only way to get useul (and comparable security bounds on the candidate hash unctions; The act that dierent hash unctions have dierent bounds, does not directly imply that one o the unctions oers a higher level o security: albeit the underlying structure o the basic primitives is abstracted away (see the previous item, still many dierences among the schemes remain (chaining size, message input size, etc.. Moreover, not all bounds are tight. Security o the compression unction. For the sponge(-like hash unctions, Cubeash, Fugue, J, Keccak and Lua, collisions and preimages or the compression unction can be ound in a constant number o queries. This act does not have direct implications or the security o the hash unction. In act, the only consequence is that it becomes unreasonable to assume ideality o the compression unction in order to prove security at a higher level. Most o the remaining nine candidates are provided with a tight bound or collision and/or preimage resistance o the compression unction, merely due to the results o [16,49]. Single exceptions are BLAKE and BMW, or which the results o [49] are not directly applicable. No security results are known or the second preimage resistance o the nine remaining candidates: albeit collision resistance implies second preimage resistance [46], the obtained security bounds would be below the requirements o NIST [43]; Indierentiability o the hash unction. Eight o the candidates are proven indierentiable rom a random oracle, and six o the candidates have a similar constructions to ones proven indierentiable. We note that there exist some dierences among the bounds. For instance, or the hash unction variant outputting n = 512 bits, the indierentiability bounds are varying between O(Kq 3 /2 512 and O((Kq 2 / These dierences are mainly caused by the act that the bounds are parameterized by the internal chaining value size l, rather than the output size n (as is the case or bounds on the collision resistance. As a consequence, a higher state size oten results in a better indierentiability bound. The indierentiability results are powerul, as they render bounds on the (second preimage and collision resistance o the design (Thm. 2; (Second preimage resistance o the hash unction. Most o the hash unctions are not provided with an optimal security bound on the preimage and second preimage resistance. Main cause or this is that the MD design does not preserve (second preimage resistance [2]. Additionally, the (second preimage bound that can be derived via the indierentiability (Thm. 2 is not always suiciently tight. Proving security against these attacks could be attempted either by making a dierent (possibly weaker assumption on the compression unction or by basing it directly on the ideality o the underlying block cipher or permutation(s. We notice that a ruitul direction might be the graph based approach ollowed by the designers o Shabal [19]; Collision resistance o the hash unction. Except or the sponge(-like unctions, the collision resistance preservation result o Thm. 1 (App. A applies to all candidates. This theorem results in a bound on the generic collision resistance o the hash unction, which, intuitively, means that inding collisions or the hash unction is at least as hard as inding collisions or (one o

12 the underlying unction(s. Together with the collision resistance bounds on the compression unctions in the ideal model, the preservation result allows or obtaining a collision resistance bound on the entire hash unction. This leads to optimal bounds on the collision resistance or ECO, Grøstl, amsi, SAvite-3, SIMD and Skein. For BLAKE, Cubeash, J (or n = 256, Keccak and Shabal, the same optimal bound is obtained dierently (e.g. based on the indierentiability o the hash unction. Again, the graph based approach may be suitable to prove collision resistance o the candidates or which no collision resistance bound is yet obtained. A hash unction that is provided with a sound security analysis, is not necessarily a good unction, nor is it a bad unction i only little security results are known. The quality o the hash unction depends urther on other criteria not covered in this classiication, such as the strength o the basic underlying primitives and sotware/hardware perormance. Yet, security reductions guarantee that the hash unction has no severe structural weaknesses, and in particular that the design does not suer weaknesses that can be trivially exploited by cryptanalysts. Thereore, we see the provided security analysis as a air comparison o the SA-3 candidates and an important contribution to the selection o the inalists. To the best o our knowledge, we included all security results to date. owever, we welcome suggestions, remarks or inormation about provable security results that could improve the quality o this work. Acknowledgments. This work has been unded in part by the IAP Program P6/26 BCRYPT o the Belgian State (Belgian Science Policy, and in part by the European Commission through the ICT program under contract ICT ECRYPT II. The irst author is supported by a Ph.D. Fellowship rom the Flemish Research Foundation (FWO-Vlaanderen. The second author is supported by a Ph.D. Fellowship rom the Institute or the Promotion o Innovation through Science and Technology in Flanders (IWT-Vlaanderen. We would like to thank Joan Daemen, Praveen Gauravaram, Charanjit Jutla and Christian Rechberger or the helpul comments. Reerences 1. Andreeva, E., Mennink, B., Preneel, B.: On the indierentiability o the Grøstl hash unction. In: SCN 10. LNCS, vol. 6280, pp Springer-Verlag, Berlin ( Andreeva, E., Neven, G., Preneel, B., Shrimpton, T.: Seven-property-preserving iterated hashing: ROX. In: ASIACRYPT 07. LNCS, vol. 4833, pp Springer-Verlag, Berlin ( Aumasson, J.P., enzen, L., Meier, W., Phan, R.: SA-3 proposal BLAKE ( Bellare, M., Canetti, R., Krawczyk,.: Keying hash unctions or message authentication. In: CRYPTO 96. LNCS, vol. 1109, pp Springer-Verlag, Berlin ( Bellare, M., Kohno, T., Lucks, S., Ferguson, N., Schneier, B., Whiting, D., Callas, J., Walker, J.: Provable security support or the skein hash amily ( Benadjila, R., Billet, O., Gilbert,., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SA-3 Proposal: ECO ( Bernstein, D.: Cubeash speciication ( Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indierentiability o the sponge construction. In: EUROCRYPT 08. LNCS, vol. 4965, pp Springer-Verlag, Berlin ( Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The KECCAK sponge unction amily ( Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge unctions (ECRYPT ash Workshop Bhattacharyya, R., Mandal, A., Nandi, M.: Indierentiability characterization o hash unctions and optimal bounds o popular domain extensions. In: INDOCRYPT 09. LNCS, vol. 5922, pp Springer-Verlag, Berlin ( Bhattacharyya, R., Mandal, A., Nandi, M.: Security analysis o the mode o J hash unction. In: FSE 10. LNCS, vol. 6147, pp Springer-Verlag, Berlin (2010

13 BLAKE AIFA!! type s p (n, l, m Adv pre Adv sec Adv col Adv pre Adv sec Adv gcol Adv col Adv pro BMW chop-(md+ft! % Cubeash chop-(md+ft % % ECO chop-aifa!! Fugue chop-(md+ft! % Grøstl chop-(md+ft! % amsi MD+FT! % J chop-md! % Keccak chop-md % % Lua chop-(md+ft % % Shabal chop-md!! SAvite-3 AIFA!! SIMD chop-(md+ft! % Skein chop-md!! (256, 256, 512 or (512, 512, 1024 (256, 512, 512 or (512, 1024, 1024 (256, 1024, 256 or (512, 1024, 256 (256, 512, 1536 or (512, 1024, 1024 (256, 960, 32 or (512, 1152, 32 (256, 512, 512 or (512, 1024, 1024 (256, 256, 32 or (512, 512, 64 (256, 1024, 512 or (512, 1024, 512 (256, 1600, 1088 or (512, 1600, 576 (256, 768, 256 or (512, 1278, 256 (256, 1408, 512 or (512, 1408, 512 (256, 256, 512 or (512, 512, 1024 (256, 512, 512 or (512, 1024, 1024 (256, 512, 512 or (512, 512, 512 PGV5-like PGV3-like Θ(q/2 l Θ(q 2 /2 l P, Q ideal Θ(q/2 n Pi ideal Θ(q/2 n Θ(q/2 l Θ(q/2 l Pi ideal PGV5-like PGV3-like Θ(q 2 /2 l Θ(q 4 /2 l P, Q ideal Pi ideal O(q 2 /2 l m Θ(q 2 /2 l Θ(q 2 /2 l O O ( q ( q O 2 n + q2 2 l n 2 n + q3 2 l m Θ(q/2 n Θ(q/2 n ( q 2 n + q2 2 l O Θ(q/2 n ideal ( q 2 n + q2 2 l n chop-aifa ideal O O ( q 2 n + q3 2 l m Θ(q/2 n ( q O 2 n + q2 2 l m Θ(q/2 n ideal ( q 2 n + q2 2 l +Adv gcol chop g (no preservation chop (no preservation +Adv gcol chop g +Adv gcol g (no preservation (no preservation (no preservation chop +Adv gcol chop g ideal (proo by preservation P, Q ideal (proo by preservation P, (proo by preservation O ( q 2 2 n + q3 2 l m (proo by preservation E, Ẽ ideal (proo by preservation (proo by preservation Θ(Kq 2 /2 n ideal chopmac-like ideal O((Kq 2 /2 l n chopmd construction sponge-like O((Kq 4 /2 l P, Q ideal NMAC-like, g ideal ( q 3 Kq3 O + 2 l m 2 l n Θ((Kq 2 /2 l m sponge-like Pi ideal O((Kq 2 /2 l m O((Kq 2 /2 n chopmd construction O((Kq 2 /2 l Table 1. A schematic summary o all results. The irst column describes the hash unction construction, and the second and third column show which hash unctions have a suix-ree (s or preix-ree (p padding. The ourth column summarizes the main parameters n, l, m, which denote the hash unction output size, the chaining value size and the message input size, respectively. In the remaining columns, the security bounds are summarized together with the underlying assumptions. A green box indicates the existence o an optimal upper bound, a yellow box indicates the existence o a non-trivial upper bound which is not yet optimal or both the 256 and 512 bits variant. A red box means that an eicient adversary is known or the security notion. We note that or all candidates, a red box does not have any direct consequences or the security o the hash unction. All other notions and notations and urther explained in Sect. 2.

14 13. Biham, E., Dunkelman, O.: A ramework or iterative hash unctions AIFA. Cryptology eprint Archive, Report 2007/278 ( Biham, E., Dunkelman, O.: The SAvite-3 ash Function ( Black, J., Cochran, M., Shrimpton, T.: On the impossibility o highly-eicient blockcipher-based hash unctions. In: EUROCRYPT 05. LNCS, vol. 3494, pp Springer-Verlag, Berlin ( Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis o the block-cipher-based hash-unction constructions rom PGV. In: CRYPTO 02. LNCS, vol. 2442, pp Springer-Verlag, Berlin ( Bouillaguet, C., Fouque, P.A., Leurent, G.: Security analysis o SIMD ( Bouillaguet, C., Fouque, P.A., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash unctions. Cryptology eprint Archive, Report 2007/395 ( Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.F., Naya-Plasencia, M., Paillier, P., Pornin, T., Reinhard, J.R., Thuillet, C., Videau, M.: Shabal, a Submission to NIST s Cryptographic ash Algorithm Competition ( Coron, J.S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: ow to construct a hash unction. In: CRYPTO 05. LNCS, vol. 3621, pp Springer-Verlag, Berlin ( Damgård, I.: A design principle or hash unctions. In: CRYPTO 89. LNCS, vol. 435, pp Springer- Verlag, Berlin ( De Cannière, C., Sato,., Watanabe, D.: ash Function Lua ( Dodis, Y., Puniya, P.: Getting the best out o existing hash unctions; or what i we are stuck with SA? In: ACNS 08. LNCS, vol. 5037, pp Springer-Verlag, Berlin ( Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging merkle-damgård or practical applications. In: EUROCRYPT 09. LNCS, vol. 5479, pp Springer-Verlag, Berlin ( Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein ash Function Family ( Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: Engineering comparison o SA-3 candidates ( Fleischmann, E., Forler, C., Gorski, M.: Classiication o the SA-3 candidates. Cryptology eprint Archive, Report 2008/511 ( Fouque, P.A., Stern, J., Zimmer, S.: Cryptanalysis o tweaked versions o SMAS and reparation. In: SAC 08. LNCS, vol. 5381, pp Springer-Verlag, Berlin ( Gauravaram, P., Bagheri, N.: ECO compression unction is not indierentiable rom a FIL-RO ( Gauravaram, P., Knudsen, L., Matusiewicz, K., Mendel, F., Rechberger, C., Schläer, M., Thomsen, S.: Grøstl a SA-3 candidate ( Gligoroski, D., Klima, V., Knapskog, S.J., El-adedy, M., Amundsen, J., Mjølsnes, S.F.: Cryptographic ash Function BLUE MIDNIGT WIS ( alevi, S., all, W., Jutla, C.: The ash Function Fugue ( alevi, S., Krawczyk,.: Strengthening digital signatures via randomized hashing. In: CRYPTO 06. LNCS, vol. 4117, pp Springer-Verlag, Berlin ( Kelsey, J., Schneier, B.: Second preimages on n-bit hash unctions or much less than 2 n work. In: EUROCRYPT 05. LNCS, vol. 3494, pp Springer-Verlag, Berlin ( Kobayashi, K., Ikegami, J., Matsuo, S., Sakiyama, K., Ohta, K.: Evaluation o hardware perormance or the SA-3 candidates using SASEBO-GII. Cryptology eprint Archive, Report 2010/010 ( Küçük, Ö.: The ash Function amsi ( Lai, X., Massey, J.: ash unction based on block ciphers. In: EUROCRYPT 92. LNCS, vol. 658, pp Springer-Verlag, Berlin ( Leurent, G., Bouillaguet, C., Fouque, P.A.: SIMD is a Message Digest ( Lucks, S.: A ailure-riendly design principle or hash unctions. In: ASIACRYPT 05. LNCS, vol. 3788, pp Springer-Verlag, Berlin ( Maurer, U., Renner, R., olenstein, C.: Indierentiability, impossibility results on reductions, and applications to the random oracle methodology. In: TCC 04. LNCS, vol. 2951, pp Springer-Verlag, Berlin ( Merkle, R.: One way hash unctions and DES. In: CRYPTO 89. LNCS, vol. 435, pp Springer-Verlag, Berlin ( Nandi, M.: Characterizing padding rules o MD hash unctions preserving collision security. In: ACISP 09. LNCS, vol. 5594, pp Springer-Verlag, Berlin ( National Institute or Standards and Technology. Announcing Request or Candidate Algorithm Nominations or a New Cryptographic ash Algorithm (SA3 Family (November Preneel, B., Govaerts, R., Vandewalle, J.: ash unctions based on block ciphers: A synthetic approach. In: CRYPTO 93. LNCS, vol. 773, pp Springer-Verlag, Berlin ( Rogaway, P.: Formalizing human ignorance. In: VIETCRYPT 06. LNCS, vol. 4341, pp Springer-Verlag, Berlin (2006