On the Impact of Known-Key Attacks on Hash Functions


Bart Mennink and Bart Preneel
Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium

Abstract. Hash functions are often constructed based on permutations or blockciphers, and security proofs are typically done in the ideal permutation or cipher model. However, once these random primitives are instantiated, vulnerabilities of these instantiations may nullify the security. At ASIACRYPT 2007, Knudsen and Rijmen introduced known-key security of blockciphers, which gave rise to many distinguishing attacks on existing blockcipher constructions. In this work, we analyze the impact of such attacks on primitive-based hash functions. We present and formalize the weak cipher model, which captures the case that a blockcipher has a certain weakness but is perfectly random otherwise. A specific instance of this model, considering the existence of sets of B queries whose XOR equals 0 at bit-positions C, where C is an index set, covers a wide range of known-key attacks in the literature. We apply this instance to the PGV compression functions, as well as to the Grøstl (based on two permutations) and Shrimpton-Stam (based on three permutations) compression functions, and show that these designs do not seriously succumb to any differential known-key attack known to date.

Keywords. Hash functions, known-key security, Knudsen-Rijmen, PGV, Grøstl, Shrimpton-Stam, collision resistance, preimage resistance

1 Introduction

Cryptographic hash functions are conventionally built on top of compression functions, and in turn on one or more blockciphers. Since the first appearance of such a compression function, $F(h, m) = \mathrm{DES}_m(h)$ by Rabin [49] in the late 70s, many blockcipher-based functions have appeared in the literature [3, 5, 9, 30, 40, 43, 48, 59]. These all enjoy security proofs in the ideal model, where the underlying ciphers are assumed to behave ideally. Characteristic to these designs is that the key input to the cipher depends on the input to the compression function, and that the key scheduling needs to be sufficiently strong. For instance, Biryukov et al. [6] derived a related-key attack on AES and claimed that it invalidates the security of the Davies-Meyer compression function when the underlying primitive is instantiated with AES. A more recent approach to compression function design is to base them on a limited number of permutations [8, 41, 4, 51, 57]. These permutations could be designed from scratch, or obtained by fixing a small set of keys and using a blockcipher for these keys only. Related- or chosen-key attacks on blockciphers do not help the adversary here, as the keys are fixed.

Known-Key Security of Blockciphers. While in the classical security models for blockciphers the key is secret and randomly drawn and the adversary's target is to distinguish the instantiation of the cipher from a random permutation (also known as (strong) pseudorandom permutation security), this notion does not apply if the key is known to the adversary. At ASIACRYPT 2007, Knudsen and Rijmen [7] introduced known-key security of blockciphers. Here, the key is presumed known, and the adversary succeeds in distinguishing if it identifies a structural property of the cipher. Andreeva et al. [1] proposed a way to formalize the known-key security of blockciphers based on the underlying primitives. The model is
derived from the indifferentiability framework [37] and hence all composition results carry over. Intuitively: suppose some cryptosystem $F$ is proven to achieve a certain level of security in the ideal permutation model, and consider $F'$ to be $F$ with the permutations replaced by independent blockcipher instantiations. Then, $F'$ achieves the same level of security as $F$, up to the known-key indifferentiability bound of the underlying blockciphers. In [1], several blockcipher constructions are proven to be known-key indifferentiable, such as the multiple Even-Mansour cipher and 14 rounds of balanced Feistel with random functions (using a result of Holenstein et al. [4]). For such ciphers, the above approach works well, although for Even-Mansour the composition is trivial (one essentially replaces an ideal permutation by an ideal permutation) and for Feistel with 14 rounds security is only guaranteed up to $2^{n/3}$ queries, where $n$ is the state size of the cipher.

Known-Key Attacks on Blockciphers. Knudsen and Rijmen also demonstrated that the Feistel network on $n$ bits with 7 rounds (called $\mathrm{Feistel}_7$) is not known-key indifferentiable [1,7]: an adversary can generically find $2^{n/2}$ plaintext/ciphertext tuples $(m, c)$ and $(m', c')$ satisfying $\mathrm{Ri}_{n/2}(m \oplus c \oplus m' \oplus c') = 0$ (where $\mathrm{Ri}_r(x)$ outputs the $r$ rightmost bits of $x$). This result has led to a wave of other known-key attacks on practical constructions, including generalized/extended variants of Feistel [1,7,47,53,56], reduced versions of AES or Rijndael [,7,38,44,5], reduced variants of the blockciphers underlying SHA-2 and SHA-3 finalists BLAKE and Skein [, 7, 31, 34, 61], and many more [3, 11, 1, 14, 17, 18, 8, 33, 46, 47, 54, 55]. This paper will mostly be concerned with differential known-key attacks, including rebound- and boomerang-based attacks (the majority of the above-mentioned attacks). We highlight two results that are among the best-known ones and that exemplify the idea of the other attacks. Gilbert and Peyrin [] used the rebound technique [39] to derive a known-key attack on 8 rounds of AES (called $\mathrm{AES}_8$). It starts from the middle, and results in a differential trail with four active words in the beginning, and four at the end. These active words overlap at two positions, hence one could consider this result as two tuples $(m, c)$ and $(m', c')$ satisfying $m \oplus c \oplus m' \oplus c' = 0$ at $10n/16$ bit-positions. The adversary has $15 \cdot 2^{n/8}$ degrees of freedom in the attack, and for any choice it results in such a tuple with a certain probability. (The bound of $2^{n/8}$ is used for simplicity later on.) The second attack we highlight is by Yu et al. [61], who employ the boomerang technique [60] to attack 36 rounds of the blockcipher Threefish-512 (called $\mathrm{Threefish}_{36}$) used in Skein. This attack results in four tuples $(m_1, c_1), \ldots, (m_4, c_4)$ satisfying $m_1 \oplus c_1 \oplus \cdots \oplus m_4 \oplus c_4 = 0$. The adversary has $2^n$ degrees of freedom, but any trial succeeds with probability approximately $2^{-454}$. Therefore, the expected number of solutions is about $2^{n-454} \approx 2^{n/8}$. This attack is in fact a known-related-key attack, where a fixed difference in the key exists. For simplicity, we condone this, observing that an attack with no key difference must logically be harder.

In any of these cases, the traditional and commonly employed ideal cipher/permutation model falls short: results achieved in this model do not necessarily hold if the primitives are instantiated with $\mathrm{Feistel}_7$, $\mathrm{AES}_8$, $\mathrm{Threefish}_{36}$, or any other known-key distinguishable cipher.

1.1 Our Contributions

In their seminal work, Knudsen and Rijmen state: "In some cases blockciphers are used with a key that is known to the adversary, and at least to a certain extent, the key is under the adversary's control. Our attacks are quite relevant to this case." We investigate this fundamental question of whether known-key attacks invalidate the security of primitive-based hash functions, but we do so in a much more general way. At a high level, we present a model that goes beyond the traditional ideal cipher model as well as the principle of known-key attacks and that allows us to generically analyze the impact of various weaknesses of blockciphers on various blockcipher- and permutation-based cryptosystems.

Model. A naive approach to analyzing the impact of known-key attacks would be to simply plug a certain blockcipher construction into a hash function and to analyze its security,
but this would be a devious and complex combinatorial task: for a function based on $r$ permutations, plugging $\mathrm{Feistel}_7$ into it would lead to $7r$ underlying primitive calls. Note that proving security of the Feistel construction itself is already extraordinarily hard [16, 4, 3]. Instead, we model the blockciphers in such a way that they behave randomly, except that an adversary can exploit the particular relation. More formally, we pose a certain predicate $\Phi$, and we draw blockciphers randomly from the set of all ciphers that comply with predicate $\Phi$. Throughout, we refer to this model as the weak cipher model (WCM). It corresponds to the ideal cipher model if $\Phi$ is trivial.

We present an explicit description of a random weak cipher for the case where $\Phi$ implies for each key $k$ the existence of $A$ sets of $B$ queries $\{(k, m_1, c_1), \ldots, (k, m_B, c_B)\}$ that comply with a certain condition $\phi$. These ciphers are modeled to have three interfaces: forward queries, inverse queries, and predicate queries. Forward and inverse queries are as usual; on a predicate query, an adversary is given a set of $B$ queries satisfying $\phi$. Multiple technicalities are involved in this formalization. Most importantly, predicate $\Phi$ applies to tuples of queries, rather than single queries only, and some query responses may have a reduced entropy. The above-mentioned known-key attacks are covered by our model if the condition $\phi$ states for some $C \subseteq \{1, \ldots, n\}$ that

$$\mathrm{Bits}_C(m_1 \oplus c_1 \oplus \cdots \oplus m_B \oplus c_B) = 0, \qquad (1)$$

where $\mathrm{Bits}_C(x)$ outputs a string consisting of all bits of $x$ whose index is in $C$. (In fact, our model is much more general: the above-mentioned attacks aim to generate only one relation, while we allow an adversary to see multiple relations.) The value $A$ usually depends on $n$ and $C$ is regularly a large subset. We consider $B$ to be a relatively small number (independent of $n$). For the above-mentioned attack on $\mathrm{Feistel}_7$, $A = 2^{n/2}$, $B = 2$, and $C$ corresponds to the rightmost $n/2$ bits. Similarly, the attacks on $\mathrm{AES}_8$ (for $A = 2^{n/8}$, $B = 2$, and $C$ a certain set of size $10n/16$) and $\mathrm{Threefish}_{36}$ (for $A = 2^{n/8}$, $B = 4$, and $C = \{1, \ldots, n\}$) are covered, and so are almost all known differential (rebound- or boomerang-based) known-key attacks. We remark that, on the other hand, the predicate is not well-suited for integral-based known-key attacks: upon a predicate query an attacker would receive $B$ queries with $B$ exponential in $n$.

The weak cipher model is similar to an approach followed by Bresson et al. [15] for the indifferentiability analysis of the SHA-3 candidate Shabal if the underlying blockcipher shows some non-random behavior, and by Bouillaguet et al. [13] to analyze the indifferentiability security of SIMD when the underlying compression function is distinguishable from a random function. However, in both approaches, the underlying biased primitives were relatively easy to model. For instance, in [15] (using our terminology), predicate $\Phi$ is a relation that holds for single queries only, and not for combinations of queries. This considerably simplifies the analysis: one can derive a bias $\beta$ to measure the distance between primitive responses and fully random responses, consider oracle responses to be drawn from a set of size at least $2^{n-\beta}$, and the original indifferentiability analysis carries over with minor modifications. The predicate used in the analysis in [13], on the other hand, does apply to tuples of queries, but the model can simply be described using two sampling algorithms, and an adversary cannot hit a weak pair by accident (which is possible in our analysis). Liskov [35] used a similar approach to prove indifferentiability security of the zipper hash if the underlying compression function is invertible up to a certain degree. However, the analysis is significantly simpler, as this primitive can be perfectly modeled. We finally remark that Katz et al. [6] analyze the impact of related-key attacks on blockciphers on hash functions. However, in their model, the differences $\Delta$, $\Delta_x$, $\Delta_y$ are fixed, an ideal cipher is generated for half of the key space, and for the other half the cipher is adjusted as $E_{k \oplus \Delta}(x \oplus \Delta_x) = E_k(x) \oplus \Delta_y$. This primitive can be easily modeled, but is also too generous to the attacker.

To our knowledge, this is the first attempt to formally analyze the effect of a wide class of blockcipher attacks on higher-level cryptographic functions. Nonetheless, the weak cipher model is in essence still a model: we use an abstraction of the cryptanalytic known-key attacks in such a way that the ideal cipher model can be relaxed to cope with them. A further discussion on the accuracy of the model is given in Sect. 7.
Table 1. Security results for the PGV, Grøstl, and Shrimpton-Stam compression functions in the weak cipher model. Ideal cipher/permutation model bounds match the ones of B ≥ 3. All results are tight except for the case (B = 1, |C| > n/2) for Shrimpton-Stam.

| B   | |C|       | PGV collision  | PGV preimage | Grøstl collision | Grøstl preimage | Shrimpton-Stam collision | Shrimpton-Stam preimage |
|-----|-----------|----------------|--------------|------------------|-----------------|--------------------------|-------------------------|
| 1   | ≤ n/2     | 2^{(n-|C|)/2}  | 2^{n-|C|}    | 2^{(n-|C|)/4}    | 2^{(n-|C|)/2}   | 2^{(n-|C|)/2}            | 2^{n/2}                 |
| 1   | > n/2     | 2^{(n-|C|)/2}  | 2^{n-|C|}    | 2^{(n-|C|)/4}    | 2^{(n-|C|)/2}   | 2^{(n-|C|)/2}            | 2^{n-|C|}               |
| 2   | ≤ n/2     | 2^{n/2}        | 2^n          | 2^{n/4}          | 2^{n/2}         | 2^{n/2}                  | 2^{n/2}                 |
| 2   | > n/2     | 2^{n-|C|}      | 2^n          | 2^{(n-|C|)/2}    | 2^{n/2}         | 2^{n-|C|}                | 2^{n/2}                 |
| ≥ 3 | arbitrary | 2^{n/2}        | 2^n          | 2^{n/4}          | 2^{n/2}         | 2^{n/2}                  | 2^{n/2}                 |

Application to Blockcipher-Based Hash Functions. Preneel, Govaerts, and Vandewalle (PGV) [48] classified the 64 most basic ways of constructing a $2n$-to-$n$-bit compression function from a blockcipher with $n$-bit key and $n$-bit state, and claimed security of 12 of them. A formal security analysis of these functions in the ICM has been performed by Black et al. [9], and later by Duo and Li [19], Stam [59], and Black et al. [10]. In more detail, in the ICM these constructions achieve tight collision security up to about $2^{n/2}$ queries and preimage security up to about $2^n$ queries. Baecher et al. [4] recently showed that the 12 secure PGV functions can be divided into two classes, in such a way that if a primitive makes one function secure it makes the entire class secure. As a first application of our model, we consider the PGV compression functions in the WCM and derive collision and preimage bounds for general $(A, B, C)$. A schematic summary of the results for various $B$ and $C$ is given in Table 1 (we remark that $A$ is merely a technical parameter that has no influence on the results). We also show that the bounds are optimal, by providing matching attacks. Some of these attacks are similar to methods used in [7, 53, 56] to detect (near-)collisions in certain PGV modes of operation using known-key attacks.

Application to Permutation-Based Hash Functions. We also apply the WCM to permutation-based compression functions. This is particularly interesting for two reasons: (i) it allows us to understand the impact of distinguishers on permutations that are used in hash functions, and (ii) a blockcipher with a fixed and known key is a permutation and can be used as such. In more detail, we consider the Grøstl compression function [1] and the permutation-based equivalent of the Shrimpton-Stam compression function [57] (see also Fig. 4). In the IPM, the former is proven to achieve collision security up to $2^{n/4}$ queries, where $n$ is the state size, and preimage security up to $2^{n/2}$ [0]. Rogaway and Steinberger [51] showed via an automated analysis that the latter function is collision and preimage resistant up to $2^{n/2}$ queries (asymptotically). This has been confirmed in the generalized work of Mennink and Preneel [41]. A summary of our findings for the Grøstl and Shrimpton-Stam compression functions in the WCM is given in Table 1. All results are tight, except for the case $(B = 1, |C| > n/2)$ for Shrimpton-Stam, for which we leave proving tightness as an open problem. We remark that the analysis for these schemes is much more demanding as multiple primitives are involved.

Impact. An application of our formalization to the PGV functions and various permutation-based functions shows that these achieve a comparable level of security in the ideal and weak cipher model for a spectrum of choices for $(A, B, C)$. This result particularly implies that most relevant rebound-based (including [1,, 8, 38, 5, 53, 56]) and boomerang-based (including [, 7, 31, 54, 61]) known-key attacks known to date do not invalidate the security of such functions, or only have a little effect. For instance, the above-discussed attack on $\mathrm{Feistel}_7$ satisfies $B = 2$ and $|C| = n/2$ and it does not affect the security; similarly for $\mathrm{Threefish}_{36}$ for which $B = 4$. The attack on $\mathrm{AES}_8$ is covered for $B = 2$ and $|C| = 10n/16$,
which demonstrates a slight security degradation to $2^{6n/16}$ for the PGV functions, but this may in part be due to our over-generosity to the adversary. We remark that, even though we focused on collision and preimage resistance, the techniques can be generalized to other security notions, such as near-collisions. This may entail differences in the security results.

We stress that these results do not mean that the analyzed functions are secure when the underlying permutations are instantiated with, say, $\mathrm{Feistel}_7$ or $\mathrm{Threefish}_{36}$: it only means that existing known-key attacks, or more general weaknesses such as relation (1), alone are not sufficient to invalidate the collision and preimage security of the construction. Indeed, more sophisticated attacks which are not yet covered by our application of the WCM may still invalidate the security of certain modes [6]. It remains a challenging open research problem to generalize the findings to underlying primitives that have multiple or different weaknesses.

1.2 Outline

In Sect. 2, we formally present the weak cipher model, and in Sect. 3 we show how it relates to known-key attacks. We apply the model to the PGV functions in Sect. 4, to the Grøstl compression function in Sect. 5, and to Shrimpton-Stam in Sect. 6. We conclude this work in Sect. 7.

2 Weak Cipher Model

If $X$ is a set, by $x \xleftarrow{\$} X$ we denote the uniformly random sampling of an element from $X$. By $X \leftarrow x$, we denote $X \leftarrow X \cup \{x\}$. For a bit string $x$, its bits are numbered $x = x_{|x|} x_{|x|-1} \cdots x_2 x_1$. If $C \subseteq \{1, \ldots, |x|\}$, the function $\mathrm{Bits}_C(x)$ outputs a string consisting of all bits of $x$ whose index is in $C$. Abusing notation, $\mathrm{Bits}_{\bar{C}}(x)$ always denotes the remaining bits (technically, $\bar{C} = \{1, \ldots, |x|\} \setminus C$). For $0 \le r \le |x|$, we consider $\mathrm{Ri}_r(x)$ that outputs the $r$ rightmost bits of $x$. In other words, $\mathrm{Ri}_r(x) = \mathrm{Bits}_{\{1, \ldots, r\}}(x)$. For a function $f$, by $\mathrm{dom}(f)$ and $\mathrm{rng}(f)$ we denote its domain and range, respectively.

2.1 Security Model

For $\kappa \ge 0$ and $n \ge 1$, by $\mathrm{BC}(\kappa, n)$ we denote the set of all blockciphers with $\kappa$-bit key operating on $n$ bits. If $\kappa = 0$, $\mathrm{BC}(n) := \mathrm{BC}(0, n)$
For preimage resistance, we focus on everywhere preimage resistance [50], which captures preimage security for every point of $\{0,1\}^n$. Let $Z \in \{0,1\}^n$ be any range value. Then, we say that $\mathcal{A}$ succeeds in finding a preimage if it obtains an input $X$ such that $F(X) = Z$ and $\mathcal{Q}$ contains all queries required for this evaluation of $F$. We define by

$$\mathbf{Adv}^{\mathrm{epre}}_F(\mathcal{A}) = \max_{Z \in \{0,1\}^n} \Pr\left[\pi \xleftarrow{\$} \mathrm{BC}[\Phi](\kappa, n)^l,\ X \leftarrow \mathcal{A}^{\pi}(Z) : F(X) = Z\right]$$

the probability that $\mathcal{A}$ succeeds, maximized over all possible choices for $Z$. By $\mathbf{Adv}^{\mathrm{epre}}_F(q)$ we define the maximum (everywhere) preimage advantage taken over all adversaries making $q$ queries.

If $\Phi$ is a trivial relation, we have $\mathrm{BC}[\Phi](\kappa, n) = \mathrm{BC}(\kappa, n)$, and the above definitions boil down to security in the ideal cipher model (ICM) if $\kappa > 0$ or the ideal permutation model (IPM) if $\kappa = 0$. On the other hand, if $\Phi$ is a non-trivial predicate, it strictly reduces the set $\mathrm{BC}(\kappa, n)$. In this case, we will refer to the model as the weak cipher model (WCM), for both $\kappa > 0$ and $\kappa = 0$. Very informally, this model still involves random ciphers/permutations, with the difference that an adversary may exploit a certain additional property. The modeling of a randomly drawn weak cipher is much more delicate.

2.2 Random Weak Cipher

For a certain class of predicates, we discuss how to model a randomly drawn weak cipher $\pi$ from $\mathrm{BC}[\Phi](\kappa, n)$. Let $A, B \in \mathbb{N}$. We will consider predicates that imply, for every $k \in \{0,1\}^\kappa$, the existence of $A$ sets of $B$ distinct queries $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ that satisfy $\phi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ for some condition $\phi_k$ depending on key $k$. The predicate is denoted $\Phi(A, B, \phi)$. $A$ is merely a technical parameter, and throughout we assume it is larger than $q$, the number of oracle calls an adversary can make. This definition of $\Phi(A, B, \phi)$ is fairly general. Particularly, predicate $B$-sets may overlap and the condition $\phi$ can represent any function on the inputs. We note that $\Phi$ can be easily generalized to tuples of different length and/or to multiple types of conditions at the same time.

Traditionally, an adversary has only forward $\pi_k(x)$ and inverse $\pi_k^{-1}(z)$ query access. In order for the adversary to be able to exploit the weakness present in $\pi$, we give it additional access to $\pi$ via a predicate query $\pi_k^{\Phi}(y)$: on input of $y \in \{1, \ldots, A\}$, the adversary obtains a $B$-set $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ that satisfies $\phi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$. A formal description of how to model $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \phi)](\kappa, n)$ is given in Fig. 1. Here, for every $k \in \{0,1\}^\kappa$, $P_k$ is an initially empty list of $\pi_k$-evaluations, where a regular forward/inverse query adds one element $(x, z)$ to $P_k$ and a $\pi_k^{\Phi}$-query may add up to $B$ elements. Additionally, $P_k^{\Phi}$ is an initially empty list of queries to $\pi_k^{\Phi}$. We denote by $\Sigma(P_k, P_k^{\Phi}) \subseteq (\{0,1\}^n \times \{0,1\}^n)^B$ the set of all tuples $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ such that

(i) $x_1, \ldots, x_B$ are pairwise distinct and $z_1, \ldots, z_B$ are pairwise distinct;
(ii) $\forall\, l = 1, \ldots, B$: $x_l \in \mathrm{dom}(P_k) \Rightarrow z_l = P_k(x_l)$ and $z_l \in \mathrm{rng}(P_k) \Rightarrow x_l = P_k^{-1}(z_l)$;
(iii) $\phi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ holds;
(iv) $\{(x_{p(1)}, z_{p(1)}), \ldots, (x_{p(B)}, z_{p(B)})\} \notin \mathrm{rng}(P_k^{\Phi})$ for any permutation $p$ on $\{1, \ldots, B\}$.

For a new query $\pi_k^{\Phi}(y)$, the response is then randomly drawn from $\Sigma(P_k, P_k^{\Phi})$. Conditions (i)-(iii) are fairly self-evident; note particularly that an existing $(x, z) \in P_k$ may appear in multiple predicate queries. Condition (iv) assures that the drawing from $\Sigma(P_k, P_k^{\Phi})$ is not just an old predicate query or a reordering thereof. The usage of this set $\Sigma(P_k, P_k^{\Phi})$ allows for a uniform behavior of $\pi_k^{\Phi}$ for every $k$, and in general of $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \phi)](\kappa, n)$, modulo the known existence of condition $\phi$. This step is fundamental to our model and new compared with the previous approaches of [13, 15, 35]. We remark that the model allows adversaries to make their queries at their own discretion, e.g., duplicate queries and regular queries after predicate queries are allowed.
    procedure π_k(x)
      if P_k(x) = ⊥:
        z ←$ {0,1}^n \ rng(P_k)
        P_k ← (x, z)
      end if
      return P_k(x)

    procedure π_k^{-1}(z)
      if P_k^{-1}(z) = ⊥:
        x ←$ {0,1}^n \ dom(P_k)
        P_k ← (x, z)
      end if
      return P_k^{-1}(z)

    procedure π_k^Φ(y)
      if P_k^Φ(y) = ⊥:
        {(x_1, z_1), ..., (x_B, z_B)} ←$ Σ(P_k, P_k^Φ)
        for l = 1, ..., B:
          if (x_l, z_l) ∉ P_k:
            P_k ← (x_l, z_l)
          end if
        end for
        P_k^Φ ← (y, {(x_1, z_1), ..., (x_B, z_B)})
      end if
      return P_k^Φ(y)

Fig. 1. Random weak cipher $\pi$. An adversary has access to $\pi_k$, $\pi_k^{-1}$, and $\pi_k^{\Phi}$.

Note that, for simplicity of analysis, we detached the drawing in $\pi_k(x)$ and $\pi_k^{-1}(z)$ from $\pi_k^{\Phi}(y)$. More formally, the drawing in the former procedures does not take into account the existence of tuples in $\Sigma(P_k, P_k^{\Phi})$. This is merely for simplicity of analysis, but it quite accurately captures a random weak cipher as long as $|\Sigma(P_k, P_k^{\Phi})| \gg 0$. This is particularly the case if we require that $q + AB \ll 2^n$. (We thank Damian Vizár for pointing out the necessity of this side condition.)

2.3 Random Abortable Weak Cipher

Security analyses in the WCM are significantly more complex than in the ICM or IPM, which is in part because predicate queries may consist of older queries. This will particularly be an issue once collisions among queries are investigated. To suit the analysis for this case, we transform the WCM to an abortable weak cipher model (AWCM), which we denote as $\overline{\mathrm{BC}}[\Phi(A, B, \phi)](\kappa, n)$. At a high level, an abortable weak cipher responds to predicate queries with new query tuples only, and aborts once it turns out that an older query appears in a newer predicate query.

For any $k \in \{0,1\}^\kappa$ and partial $P_k$ and $P_k^{\Phi}$, define by $\bar{\Sigma}(P_k^{\Phi}) \subseteq (\{0,1\}^n \times \{0,1\}^n)^B$ the set of all tuples $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ such that

(iii) $\phi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ holds;
(iv) $\{(x_{p(1)}, z_{p(1)}), \ldots, (x_{p(B)}, z_{p(B)})\} \notin \mathrm{rng}(P_k^{\Phi})$ for any permutation $p$ on $\{1, \ldots, B\}$.

$\bar{\Sigma}(P_k^{\Phi})$ differs from $\Sigma(P_k, P_k^{\Phi})$ in that conditions (i) and (ii) are omitted, and particularly: it is independent of $P_k$. A formal description of a random cipher $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \phi)](\kappa, n)$ is given in Fig. 2. It deviates from Fig. 1 as follows: for every key $k$, $\bar{\pi}_k^{\Phi}$ responds randomly from $\bar{\Sigma}(P_k^{\Phi})$, and it aborts if the response violates one of the two skipped conditions of $\Sigma(P_k, P_k^{\Phi})$. The next lemma shows that the WCM and AWCM are indistinguishable as long as the abortable weak cipher does not abort, approximately up to the birthday bound. Here, we assume that $\bar{\Sigma}(P_k^{\Phi})$ is always large enough.

Lemma 1. Let $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \phi_C)](\kappa, n)$. Consider an adversary that makes $q$ queries to $\bar{\pi}$. Then,

$$\Pr(\bar{\pi} \text{ sets abort}) \le \frac{B^2 q(q+1)}{2^n - B!\, q\, 2^n / |\bar{\Sigma}(\emptyset)|}.$$
    procedure π̄_k(x)
      if P_k(x) = ⊥:
        z ←$ {0,1}^n \ rng(P_k)
        P_k ← (x, z)
      end if
      return P_k(x)

    procedure π̄_k^{-1}(z)
      if P_k^{-1}(z) = ⊥:
        x ←$ {0,1}^n \ dom(P_k)
        P_k ← (x, z)
      end if
      return P_k^{-1}(z)

    procedure π̄_k^Φ(y)
      if P_k^Φ(y) = ⊥:
        {(x_1, z_1), ..., (x_B, z_B)} ←$ Σ̄(P_k^Φ)
        for l = 1, ..., B:
          if x_l ∈ dom(P_k) ∧ z_l ≠ P_k(x_l): abort
          if z_l ∈ rng(P_k) ∧ x_l ≠ P_k^{-1}(z_l): abort
          if (x_l, z_l) ∈ {(x_1, z_1), ..., (x_{l-1}, z_{l-1})}: abort
          if (x_l, z_l) ∉ P_k:
            P_k ← (x_l, z_l)
          end if
        end for
        P_k^Φ ← (y, {(x_1, z_1), ..., (x_B, z_B)})
      end if
      return P_k^Φ(y)

Fig. 2. Random abortable weak cipher $\bar{\pi}$. An adversary has access to $\bar{\pi}_k$, $\bar{\pi}_k^{-1}$, and $\bar{\pi}_k^{\Phi}$.

Proof. Consider the $i$-th query, for $i \in \{1, \ldots, q\}$, and assume it is a predicate query $\bar{\pi}_k^{\Phi}(y)$. We will consider the probability that this query makes $\bar{\pi}$ abort, provided it has not aborted so far. Prior to this $i$-th query, $|P_k| \le B(i-1)$ and $|P_k^{\Phi}| \le i$. Basic combinatorics shows that $|\bar{\Sigma}(P_k^{\Phi})| \ge |\bar{\Sigma}(\emptyset)| - B!\,|P_k^{\Phi}|$, where we use that $\bar{\pi}$ has not aborted so far. This $i$-th query aborts only if for some $l \in \{1, \ldots, B\}$, the value $x_l$ equals an element in $\mathrm{dom}(P_k) \cup \{x_1, \ldots, x_{l-1}\}$ or the value $z_l$ equals an element in $\mathrm{rng}(P_k) \cup \{z_1, \ldots, z_{l-1}\}$. Define by $\bar{\Sigma}^{\mathrm{abort}}(P_k^{\Phi})$ the set of all elements of $\bar{\Sigma}(P_k^{\Phi})$ that would lead to abort. We have $2B$ possible values to cause the abort (namely, $x_1, \ldots, z_B$), and it causes the abort if it equals an element in a set of size at most $|P_k| + B$. For any of these $2B(|P_k| + B)$ choices, the number of tuples in $\bar{\Sigma}(P_k^{\Phi})$ complying with this choice is at most $|\bar{\Sigma}(\emptyset)|/2^n$. Thus,

$$\Pr(\bar{\pi}_k^{\Phi}(y) \text{ sets abort}) = \frac{|\bar{\Sigma}^{\mathrm{abort}}(P_k^{\Phi})|}{|\bar{\Sigma}(P_k^{\Phi})|} \le \frac{2B(|P_k| + B)\,|\bar{\Sigma}(\emptyset)|/2^n}{|\bar{\Sigma}(\emptyset)| - B!\,|P_k^{\Phi}|} \le \frac{2B^2 i}{2^n - B!\, q\, 2^n/|\bar{\Sigma}(\emptyset)|}.$$

The proof is completed by summation over $i = 1, \ldots, q$. $\square$

3 Modeling Known-Key Attacks

We next apply the WCM to known-key attacks. For the sake of explanation, we first reconsider the Knudsen-Rijmen attack on $\mathrm{Feistel}_7$ [7]. (A detailed description of the attack is given in App. A.) Let $n \in \mathbb{N}$, and let $\pi := \pi_k$ be an instance of $\mathrm{Feistel}_7$ with fixed key $k$. Knudsen and Rijmen revealed four functions $f, f', g, g' : \{0,1\}^{n/2} \to \{0,1\}^n$ such that for all $y \in \{0,1\}^{n/2}$:

$$g(y) = \pi(f(y)) \text{ and } g'(y) = \pi(f'(y)), \qquad \mathrm{Ri}_{n/2}(f(y) \oplus g(y)) = \mathrm{Ri}_{n/2}(f'(y) \oplus g'(y)). \qquad (2)$$

These four functions correspond to the equations of (9) in App. A and depend on the cryptographic primitive underlying $\mathrm{Feistel}_7$ in a complicated way. Therefore, we can safely assume that these functions behave sufficiently randomly, besides this particular relation (2), and that they are unknown to the adversary. $f, f', g, g'$ are all injective and satisfy $f(y) \ne$
$f'(y)$ and $g(y) \ne g'(y)$ for all $y$. On the other hand, collisions of the form $f(y) = f'(y')$ and $g(y) = g'(y')$ may occur. Generically, the attack demonstrates that for key $k$ there exist $2^{n/2}$ possibly overlapping sets of distinct queries $\{(x_1, z_1), (x_2, z_2)\}$ that satisfy $\mathrm{Ri}_{n/2}(x_1 \oplus z_1 \oplus x_2 \oplus z_2) = 0$. In other words, $\mathrm{Feistel}_7$ meets predicate $\Phi(2^{n/2}, 2, \phi_{\mathrm{Feistel}_7})$, where

$$\phi_{\mathrm{Feistel}_7}(\{(x_1, z_1), (x_2, z_2)\}) : \mathrm{Ri}_{n/2}(x_1 \oplus z_1 \oplus x_2 \oplus z_2) = 0.$$

Here, we remark that the Knudsen-Rijmen attack works for any fixed but known key, and that condition $\phi_{\mathrm{Feistel}_7}$ is in fact independent of the key.

In this work, we will consider a more general predicate $\Phi(A, B, \phi_C)$ for $A, B \in \mathbb{N}$ and $C \subseteq \{1, \ldots, n\}$, where

$$\phi_C(\{(x_1, z_1), \ldots, (x_B, z_B)\}) : \mathrm{Bits}_C(x_1 \oplus z_1 \oplus \cdots \oplus x_B \oplus z_B) = 0. \qquad (3)$$

This generalized predicate considers the case of arbitrary but fixed and known keys, where the adversary can even choose the key every time it makes a predicate query. Note that also the attacks on $\mathrm{AES}_8$ and $\mathrm{Threefish}_{36}$ (see Sect. 1) are covered, as they satisfy $\Phi(2^{n/8}, 2, \phi_C)$ for certain $C$ of size $10n/16$ and $\Phi(2^{n/8}, 4, \phi_{\{1, \ldots, n\}})$, respectively. In general, all rebound- or boomerang-based known-key attacks in the literature are covered by predicate $\Phi(A, B, \phi_C)$ for some $A, B, C$. Here, $B$ is always a value independent of $n$ (usually 2 or 4) and $C$ is regularly a large subset (of size at least $n/4$). Throughout, we consider $A$ to be sufficiently large.

Basic Computations for AWCM. For the specific condition $\phi_C$ of (3), we derive a simpler bound on the probability that a primitive $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \phi_C)](\kappa, n)$ aborts, along with some other elementary observations for $\bar{\pi}$. To this end, we define the notation $[X]$, which equals 1 if $X$ holds and 0 otherwise. For conciseness, we introduce the function $\delta_{B,C}[b]$ defined as

$$\delta_{B,C}[b] = 2^{|C|}[B = b] + [B > b] = \begin{cases} 2^{|C|} & \text{if } B = b, \\ 1 & \text{if } B > b, \\ 0 & \text{otherwise.} \end{cases} \qquad (4)$$

Lemma 2. Let $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \phi_C)](\kappa, n)$. Consider an adversary that makes $q \le 2^{n-1}/B$ queries to $\bar{\pi}$. Then,

$$\Pr(\bar{\pi} \text{ sets abort}) \le \frac{B^2 q(q+1)}{2^n - Bq}. \qquad (5)$$

Let $k \in \{0,1\}^\kappa$ and let $Z, Z', Z'' \in \{0,1\}^n$. Consider any new query $\bar{\pi}_k^{\Phi}(y)$ and assume it does not abort. Write the response as $\{(x_1, z_1), \ldots, (x_B, z_B)\}$. Then,

(i) $\forall\, a \in \{1, \ldots, B\}$: $\Pr(x_a = Z),\ \Pr(z_a = Z) \le \frac{1}{2^n - Bq}$;
(ii) $\forall\, a \in \{1, \ldots, B\}$: $\Pr(x_a \oplus z_a = Z) \le \frac{\delta_{B,C}[1]}{2^n - Bq}$;
(iii) $\forall\, \{a, b\} \subseteq \{1, \ldots, B\}$: $\Pr(x_a \oplus z_a = Z \wedge x_b \oplus z_b = Z') \le \frac{\delta_{B,C}[2]}{2^{2n} - Bq}$;
(iv) $\forall\, \{a, b\} \subseteq \{1, \ldots, B\}$: $\Pr(x_a = Z \wedge x_b = Z' \wedge x_a \oplus z_a \oplus x_b \oplus z_b = Z'') \le \frac{\delta_{B,C}[2]}{2^{3n} - Bq}$.

Proof. Recall from the proof of Lem. 1 that $|\bar{\Sigma}(P_k^{\Phi})| \ge |\bar{\Sigma}(\emptyset)| - B!\,|P_k^{\Phi}|$, where $|P_k^{\Phi}| \le q$. For the specific predicate analyzed in this lemma, $|\bar{\Sigma}(\emptyset)| = (2^n)^{2B-1}\, 2^{n-|C|}$. In the remainder, we regularly bound $B! \le B (2^n)^{2B-2}$ for $B \ge 1$ or $B! \le B (2^n)^{2B-4}$ for $B \ge 2$.
Probability of abortion. The bound of (5) directly follows from Lem. 1, the above-mentioned size of $|\bar{\Sigma}(\emptyset)|$, and the bound on $B!$.

Part (i). Define by $\bar{\Sigma}^{(\mathrm{i})}(P_k^{\Phi})$ the set of all elements of $\bar{\Sigma}(P_k^{\Phi})$ that satisfy $x_a = Z$. Then, $|\bar{\Sigma}^{(\mathrm{i})}(P_k^{\Phi})| \le (2^n)^{2B-2}\, 2^{n-|C|}$, and

$$\Pr(x_a = Z) = \frac{|\bar{\Sigma}^{(\mathrm{i})}(P_k^{\Phi})|}{|\bar{\Sigma}(P_k^{\Phi})|} \le \frac{1}{2^n - Bq}.$$

A similar analysis applies to the case $z_a = Z$.

Part (ii). Define by $\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})$ the set of all elements of $\bar{\Sigma}(P_k^{\Phi})$ that satisfy $x_a \oplus z_a = Z$. We make a distinction between $B = 1$ and $B > 1$. In case $B > 1$, a similar reasoning as in (i) applies, and we have $|\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})| \le (2^n)^{2B-2}\, 2^{n-|C|}$. On the other hand, if $B = 1$, we have $|\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})| = 0$ if $\mathrm{Bits}_C(Z) \ne 0$ and $|\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})| \le 2^n$ if $\mathrm{Bits}_C(Z) = 0$. In any case, $|\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})| \le (2^n)^{2B-2}\, 2^{n-|C|}\, \delta_{B,C}[1]$, and

$$\Pr(x_a \oplus z_a = Z) = \frac{|\bar{\Sigma}^{(\mathrm{ii})}(P_k^{\Phi})|}{|\bar{\Sigma}(P_k^{\Phi})|} \le \frac{\delta_{B,C}[1]}{2^n - Bq}.$$

Part (iii). This part only applies to $B > 1$; if $B = 1$ the probability equals 0 by construction. Define by $\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})$ the set of all elements of $\bar{\Sigma}(P_k^{\Phi})$ that satisfy $x_a \oplus z_a = Z$ and $x_b \oplus z_b = Z'$. We make a distinction between $B = 2$ and $B > 2$. In case $B > 2$, a similar reasoning as in (i) and (ii) applies, and we have $|\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})| \le (2^n)^{2B-3}\, 2^{n-|C|}$. On the other hand, if $B = 2$, we have $|\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})| = 0$ if $\mathrm{Bits}_C(Z \oplus Z') \ne 0$ and $|\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})| \le (2^n)^2$ if $\mathrm{Bits}_C(Z \oplus Z') = 0$. In any case, $|\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})| \le (2^n)^{2B-3}\, 2^{n-|C|}\, \delta_{B,C}[2]$, and

$$\Pr(x_a \oplus z_a = Z \wedge x_b \oplus z_b = Z') = \frac{|\bar{\Sigma}^{(\mathrm{iii})}(P_k^{\Phi})|}{|\bar{\Sigma}(P_k^{\Phi})|} \le \frac{\delta_{B,C}[2]}{2^{2n} - Bq}.$$

Part (iv). The approach is fairly similar to case (iii). If $B = 1$ the probability is 0 by construction. Define by $\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})$ the set of all elements of $\bar{\Sigma}(P_k^{\Phi})$ that satisfy $x_a = Z$, $x_b = Z'$, and $x_a \oplus z_a \oplus x_b \oplus z_b = Z''$. In case $B > 2$, we have $|\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})| \le (2^n)^{2B-4}\, 2^{n-|C|}$. On the other hand, if $B = 2$, we have $|\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})| = 0$ if $\mathrm{Bits}_C(Z'') \ne 0$ and $|\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})| \le 2^n$ if $\mathrm{Bits}_C(Z'') = 0$. In any case, $|\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})| \le (2^n)^{2B-4}\, 2^{n-|C|}\, \delta_{B,C}[2]$, and

$$\Pr(x_a = Z \wedge x_b = Z' \wedge x_a \oplus z_a \oplus x_b \oplus z_b = Z'') = \frac{|\bar{\Sigma}^{(\mathrm{iv})}(P_k^{\Phi})|}{|\bar{\Sigma}(P_k^{\Phi})|} \le \frac{\delta_{B,C}[2]}{2^{3n} - Bq}. \qquad \square$$

4 Application to PGV Compression Functions

We consider the 12 blockcipher-based compression functions from Preneel, Govaerts, and Vandewalle (PGV) [48]. In the ICM these constructions achieve tight collision security up to about $2^{n/2}$ queries and preimage security up to about $2^n$ queries [9, 10, 19, 59]. The 12
11 Group G 1 Group G Fig 3 The 1 PGV compression functions When in iteration mode, the message comes in at the top The groups G 1 and G refer to Lem 3 constructions are depicted in Fig 3 Here, we follow the ordering of [10], where PGV1, PGV, and PGV5 are better nown as the Matyas-Meyer-Oseas [36], Miyaguchi-Preneel, and Davies-Meyer [45] compression functions Baecher et al [4] analyzed the 1 PGV constructions under ideal cipher reducibility, which at a high level covers the idea of two constructions being equally secure for the same underlying idealized bloccipher They divide the PGV functions into two classes, in such a 1 way that if some bloccipher maes one of the constructions secure, it maes all functions in the corresponding class secure Applied to our WCM, the results of Baecher et al imply the following: Lemma 3 Ideal Cipher Reducibility of PGV [4], informal) Let π $ BC[Φ]n, n) for some predicate Φ Let G 1 = {1, 4, 5, 8, 9, 1}, and G = {, 3, 6, 7, 10, 11} For any α {1, } and i, j G α, PGVi and PGVj achieve the same level of collision and preimage security once instantiated with π Baecher et al also derive a reduction between the two classes, but this reduction requires a non-direct transformation on the ideal cipher π, 1 maing it unsuitable for our purposes Thans to Lem 3, it suffices to only analyze PGV1 and PGV in the WCM: the bounds carry over to the other 10 PGV constructions In Sect 41 we analyze the collision security of these functions in the WCM The preimage security is considered in Sect 4 41 Collision Security Theorem 1 Let n N Let α {1, } and consider PGVα Suppose π BC[ΦA, B, ϕ C )]n, n) Then, for q n 1 /B, $ Adv col PGVαq) B δ B,C [1]q n + ) B δb,c []q n + 4B q n 1 If π maes the PGV constructions from group G 1 secure, there is a transformation τ such that τ π maes the constructions from G secure, and vice versa 11

Proof. We focus on PGV2. The analysis for PGV1 is a simplification due to the absence of the feed-forward of the key. We consider any adversary that has query access to $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$ and makes $q$ queries. As a first step, we move from $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$ to its abortable counterpart in the AWCM. By Lem. 2, this costs us an additional term
$$\frac{B^2 q(q+1)}{2^n - Bq}.$$
A collision for PGV2 would imply the existence of two distinct query pairs $(k, x, z), (k', x', z')$ such that $k \oplus x \oplus z = k' \oplus x' \oplus z'$. We consider the $i$-th query ($i \in \{1, \ldots, q\}$) to be the first query to make this condition satisfied, and sum over $i = 1, \ldots, q$ at the end. For regular (forward or inverse) queries, the analysis of [9, 10, 59] mostly carries over. The analysis of predicate queries is a bit more technical.

Query $\pi_k(x)$ or $\pi_k^{-1}(z)$. The cases are the same by symmetry, and we consider $\pi_k(x)$ only. Denote the response by $z$. There are at most $B(i-1)$ possible $(k', x', z')$. As $z$ is randomly drawn from a set of size at least $2^n - Bq$, it satisfies $z = k \oplus x \oplus k' \oplus x' \oplus z'$ with probability at most
$$\frac{B(i-1)}{2^n - Bq}.$$

Query $\pi_\Phi(y)$. Denote the query response by $\{(k, x_1, z_1), \ldots, (k, x_B, z_B)\}$. In case the $B$-set contributes only to $(k, x, z)$, the same reasoning as for regular queries applies, with the difference that any query of the $B$-set may be successful and that the bound of Lem. 2 part (ii) applies:
$$\frac{B\,\delta_{B,C}[1]\,(i-1)}{2^n - Bq}.$$
Now, consider the case the predicate query contributes to both $(k, x, z)$ and $(k', x', z')$. There are $\binom{B}{2}$ ways for the predicate query to contribute (or 0 if $B = 1$). By Lem. 2 part (iii), which considers the success probability for any such combination, the predicate query results in a collision with probability at most
$$\frac{\binom{B}{2}\delta_{B,C}[2]\,2^n}{(2^n - Bq)^2}.$$

Conclusion. Taking the maximum of all success probabilities, the $i$-th query is successful with probability at most
$$\frac{B\,\delta_{B,C}[1]\,(i-1)}{2^n - Bq} + \frac{\binom{B}{2}\delta_{B,C}[2]\,2^n}{(2^n - Bq)^2}.$$
Summation over $i = 1, \ldots, q$ gives
$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV2}}(q) \le \frac{B\,\delta_{B,C}[1]\,q^2}{2(2^n - Bq)} + \frac{\binom{B}{2}\delta_{B,C}[2]\,q\,2^n}{(2^n - Bq)^2} + \frac{B^2 q(q+1)}{2^n - Bq},$$
where the last part of the bound comes from the transition from WCM to AWCM. The proof is completed by using the fact that $2^n - Bq \ge 2^{n-1}$ for $Bq \le 2^{n-1}$, and that $q + 1 \le 2q$ for $q \ge 1$. ∎

We note that the bound gets worse for increasing values of $B$. This has a technical cause: predicate queries are counted as expensive as regular queries, but result in up to $B$ new query tuples. This leads to several factors of $B$ in the bound. As this work is mainly concerned with differential known-key attacks, for which $B$ is regularly small, these factors are of no major influence. The implications of the bound of Thm. 1 become more visible when considering particular choices of $B$ and $C$:

(i) If $B = 1$, then $\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{2^{|C|}q^2 + 4q^2}{2^n}$;

(ii) If $B = 2$, then $\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{20q^2 + 4\cdot 2^{|C|}q}{2^n}$;

(iii) If $B \ge 3$ (independent of $n$), then $\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{5B^2q^2 + 2B^2q}{2^n}$.

In other words, for $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge 3$ constant and $C$ arbitrary, the PGV functions achieve the same $2^{n/2}$ collision security level as in the ICM. On the other hand, if $B = 1$, collisions can be found in about $2^{(n-|C|)/2}$ queries, and if $B = 2$ with $|C| > n/2$, in about $2^{n-|C|} < 2^{n/2}$ queries. See also Table 1.

Tightness. For the cases $B = 1$ and $C$ arbitrary, and $B = 2$ and $C$ arbitrary such that $|C| > n/2$, we derive generic attacks that demonstrate tightness of the bound of Thm. 1. Knudsen and Rijmen [27] and Sasaki et al. [53, 56] already considered how to exploit a known-key pair for the underlying blockcipher to find a collision for the Matyas-Meyer-Oseas (PGV1) and/or Miyaguchi-Preneel (PGV2) compression functions. Their attacks correspond to our $B = 2$ case.

Proposition 1 ($B = 1$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 1, \varphi_C)](n, n)$. Then,
$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \ge \frac{\binom{q}{2}}{2^{n-|C|}}.$$

Proof. We construct a collision-finding adversary $\mathcal{A}$ for PGV2. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ queries $(k, x_y, z_y)$ satisfying $\mathrm{Bits}_C(x_y \oplus z_y) = 0$. Any two such queries collide on the entire state, $k \oplus x_y \oplus z_y = k \oplus x_{y'} \oplus z_{y'}$, and the $q$ queries thus yield a collision with probability at least $\binom{q}{2}/2^{n-|C|}$. The attack for PGV1 is the same as we have taken $k = 0$. ∎

Proposition 2 ($B = 2$ and $|C| > n/2$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 2, \varphi_C)](n, n)$. Then,
$$\mathrm{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \ge \frac{q}{2^{n-|C|}}.$$

Proof. We construct a collision-finding adversary $\mathcal{A}$ for PGV2. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ 2-sets $\{(k, x^1_y, z^1_y), (k, x^2_y, z^2_y)\}$ satisfying $\mathrm{Bits}_C(x^1_y \oplus z^1_y) = \mathrm{Bits}_C(x^2_y \oplus z^2_y)$. These two queries collide on the entire state, $k \oplus x^1_y \oplus z^1_y = k \oplus x^2_y \oplus z^2_y$, with probability at least $1/2^{n-|C|}$. If the adversary makes $q$ predicate queries, we directly obtain our bound. The attack for PGV1 is the same as we have taken $k = 0$. ∎

4.2 Preimage Security

Theorem 2. Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$. Then, for $q \le 2^n/B$,
$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{PGV}\alpha}(q) \le \left(\frac{Bq}{2^n}\right)^{B} + \frac{B\,\delta_{B,C}[1]\,q}{2^n}.$$

Due to space limitations, the proof is given in App. B. It is much more involved than the one of Thm. 1, particularly as we cannot make use of abortable ciphers. Entering various choices of $B$ and $C$ shows that the PGV functions remain mostly unaffected in the WCM if $B \ge 2$, and the same security level as in the ICM is achieved [9, 10, 59]. A slight security degradation appears for $B = 1$, as preimages can be found in about $2^{n-|C|}$ queries.

Tightness. For the case $B = 1$, we derive a generic attack that demonstrates the tightness of the bound of Thm. 2.

Proposition 3 ($B = 1$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 1, \varphi_C)](n, n)$. Then,
$$\mathrm{Adv}^{\mathrm{epre}}_{\mathrm{PGV}\alpha}(q) \ge \frac{q}{2^{n-|C|}}.$$

Proof. Let $Z$ be any given range value with $\mathrm{Bits}_C(Z) = 0$ (note that epre guarantees security for every range point). A preimage-finding adversary $\mathcal{A}$ for PGV2 proceeds as follows. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ queries $(k, x_y, z_y)$ satisfying $\mathrm{Bits}_C(x_y \oplus z_y) = 0$. Any such query hits $Z$ on the entire state, $k \oplus x_y \oplus z_y = Z$, with probability at least $1/2^{n-|C|}$. The attack for PGV1 is the same as we have taken $k = 0$. ∎
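The following toy simulation is an added example written for this page; it is not code from the paper. It implements PGV1 and PGV2 over a lazily sampled ideal cipher on 16-bit blocks and adds a predicate oracle for the $B = 1$ instance of the weak cipher model, so that the effect stated by Thm. 1 and Prop. 1 can be measured directly: with plain queries a collision in PGV2 (fixed chaining value $k = 0$) costs about $2^{n/2}$ queries, with predicate queries whose $x \oplus z$ vanishes on $|C| = 8$ bit positions it costs about $2^{(n-|C|)/2}$. The oracle is simulated by rejection sampling, which is a modelling shortcut of mine and not the paper's exact sampling from $\Sigma_P(\Phi)$; class and function names (`IdealCipher`, `WeakCipher`, `collision_queries`, `average_collision_cost`) are my own.

```python
"""Added example: PGV1/PGV2 over a simulated ideal cipher, with a
B = 1 predicate oracle of the weak cipher model (toy parameters)."""
import random

N_BITS = 16                   # toy block and key size n


class IdealCipher:
    """Ideal cipher simulation: an independent random permutation per key,
    sampled lazily so that only queried points are ever fixed."""

    def __init__(self, rng):
        self.rng = rng
        self.fwd = {}         # (k, x) -> z
        self.used = {}        # k -> set of ciphertexts already assigned

    def enc(self, k, x):
        if (k, x) not in self.fwd:
            used = self.used.setdefault(k, set())
            z = self.rng.getrandbits(N_BITS)
            while z in used:                    # keep E_k a permutation
                z = self.rng.getrandbits(N_BITS)
            used.add(z)
            self.fwd[(k, x)] = z
        return self.fwd[(k, x)]


class WeakCipher(IdealCipher):
    """Weak cipher model with B = 1: besides regular queries, the adversary
    may ask for one fresh query (k, x, z) with Bits_C(x xor z) = 0.  The
    simulator finds it by rejection sampling (a modelling shortcut); in the
    model the adversary is charged a single query for it."""

    def __init__(self, rng, c_mask):
        super().__init__(rng)
        self.c_mask = c_mask                    # bit positions C as a mask

    def predicate_query(self, k):
        while True:
            x = self.rng.getrandbits(N_BITS)
            if (k, x) in self.fwd:
                continue                        # the returned query is fresh
            z = self.enc(k, x)
            if (x ^ z) & self.c_mask == 0:
                return (k, x, z)


def pgv1(E, h, m):
    """PGV1, Matyas-Meyer-Oseas: E_h(m) xor m (chaining value h is the key)."""
    return E.enc(h, m) ^ m


def pgv2(E, h, m):
    """PGV2, Miyaguchi-Preneel: E_h(m) xor m xor h."""
    return E.enc(h, m) ^ m ^ h


def collision_queries(E, compress, k, predicate):
    """Birthday search over the message input with fixed chaining value k.
    Returns the number of queries spent until two distinct inputs collide.
    With predicate queries every x xor z has Bits_C = 0, so the outputs of
    PGV2 with k = 0 live in a space of only 2^(n-|C|) points."""
    seen, asked = set(), set()
    for i in range(1, (1 << N_BITS) + 1):
        if predicate:
            _, x, _ = E.predicate_query(k)
        else:
            x = E.rng.getrandbits(N_BITS)
            while x in asked:                   # regular queries, distinct x
                x = E.rng.getrandbits(N_BITS)
        asked.add(x)
        y = compress(E, k, x)
        if y in seen:
            return i
        seen.add(y)
    return None


def average_collision_cost(c_bits, predicate, trials=20, seed=2015):
    """Mean query count over independent simulated ciphers (seeded)."""
    c_mask = (1 << c_bits) - 1
    total = 0
    for t in range(trials):
        E = WeakCipher(random.Random(seed + t), c_mask)
        total += collision_queries(E, pgv2, 0, predicate)
    return total / trials


if __name__ == "__main__":
    icm = average_collision_cost(8, predicate=False)
    wcm = average_collision_cost(8, predicate=True)
    print(f"n={N_BITS}, |C|=8: about {icm:.0f} regular queries "
          f"versus about {wcm:.0f} predicate queries per collision")
```

The regular-query figure sits near $\sqrt{\pi 2^{n}/2} \approx 321$ for $n = 16$, the predicate-query figure near $\sqrt{\pi 2^{n-|C|}/2} \approx 20$, which is the $2^{(n-|C|)/2}$ behaviour of Prop. 1. Because $k = 0$ is fixed, the same numbers apply to PGV1, as the propositions note.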

Fig. 4. Grøstl compression function (left) and Shrimpton-Stam (right).

5 Application to Grøstl Compression Function

We consider the provable security of the compression function mode of operation of Grøstl [21] (see also Fig. 4):
$$F_{Grøstl}(x_1, x_2) = x_2 \oplus \pi_1(x_1) \oplus \pi_2(x_1 \oplus x_2). \qquad (6)$$
The Grøstl compression function is in fact designed to operate in a wide-pipe mode, and in the IPM the function is proven collision secure up to about $2^{n/4}$ queries and preimage secure up to $2^{n/2}$ queries [20]. We consider the security of $F_{Grøstl}$ in the WCM, where $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. We remark that in this section we consider keyless primitives, hence $\kappa = 0$ and the $k$-input is dropped throughout. We furthermore note that finding collisions and preimages for $F_{Grøstl}$ is equivalent to finding them for
$$F'_{Grøstl}(x_1, x_2) = x_1 \oplus x_2 \oplus \pi_1(x_1) \oplus \pi_2(x_2), \qquad (7)$$
as $F_{Grøstl}(x_1, x_2) = F'_{Grøstl}(x_1, x_1 \oplus x_2)$, and we will consider $F'_{Grøstl}$ throughout.

5.1 Collision Security

Theorem 3. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. Then, for $q \le 2^{n-1}/B$,
$$\mathrm{Adv}^{\mathrm{col}}_{F'_{Grøstl}}(q) \le \frac{B^4\,\delta_{B,C}[1]\,q^4}{2^n} + \frac{\binom{B}{2}\delta_{B,C}[2]\left(q^2 + 2^{n/2-|C|}q\right)}{2^n} + \frac{B^2q^2}{2^{n/2}} + \frac{4B^2q^2}{2^n}.$$

The proof is given in App. C. If we enter particular choices of $B$ and $C$ into the bound, we find results comparable to the case of Sect. 4.1. In more detail, for $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge 3$ constant and $C$ arbitrary, $F'_{Grøstl}$ achieves the same $2^{n/4}$ collision security level as in the ICM [20]. If $B = 1$, the bound guarantees security up to about $2^{(n-|C|)/4}$ queries, and if $B = 2$ with $|C| > n/2$, collisions can be found in about $2^{(n-|C|)/2}$ queries. See also Table 1. In App. D we show that the bound is optimal, by presenting tight attacks on $F'_{Grøstl}$ in the WCM.

5.2 Preimage Security

Theorem 4. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. Then, for $q \le 2^{n-1}/B$,
$$\mathrm{Adv}^{\mathrm{epre}}_{F'_{Grøstl}}(q) \le \frac{B\,\delta_{B,C}[1]\left(q^2 + 2^{n/2-|C|}q\right)}{2^n} + \frac{Bq}{2^{n/2}} + \frac{4B^2q^2}{2^n}.$$

The proof is given in App. E. As before, we find that $F'_{Grøstl}$ remains unaffected in the WCM for most cases, the sole exception being $B = 1$, for which preimages can be found in about $2^{(n-|C|)/2}$ queries. In App. F we show that the bound is optimal, by presenting a tight attack on $F'_{Grøstl}$ for $B = 1$ in the WCM.
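The equivalence claimed above, that collisions and preimages for $F_{Grøstl}$ of (6) and for $F'_{Grøstl}$ of (7) are interchangeable through $(x_1, x_2) \mapsto (x_1, x_1 \oplus x_2)$, can be checked exhaustively at toy size. The script below is an added example, not code from the paper or from the Grøstl submission: it instantiates $\pi_1, \pi_2$ as random 8-bit permutations, verifies the identity $F(x_1, x_2) = F'(x_1, x_1 \oplus x_2)$ on all inputs, transfers a brute-force collision and preimage of $F'$ to $F$, and relates $F$ to the Grøstl compression function $P(h \oplus m) \oplus Q(m) \oplus h$ via $\pi_1 = Q$, $\pi_2 = P$, $x_1 = m$, $x_2 = h$. Function names (`f_grostl`, `f_grostl_prime`, `to_f_input`, `transfer_collision`, `grostl_compress`) are my own.

```python
"""Added example: F_Grøstl (6) versus F'_Grøstl (7) over toy permutations,
with the collision/preimage transfer between the two forms."""
import random

N_BITS = 8
SIZE = 1 << N_BITS


def random_permutation(rng):
    """A random permutation of {0, ..., 2^n - 1} standing in for an ideal π."""
    table = list(range(SIZE))
    rng.shuffle(table)
    return table


def f_grostl(p1, p2, x1, x2):
    """F_Grøstl(x1, x2) = x2 xor π1(x1) xor π2(x1 xor x2), eq. (6)."""
    return x2 ^ p1[x1] ^ p2[x1 ^ x2]


def f_grostl_prime(p1, p2, x1, x2):
    """F'_Grøstl(x1, x2) = x1 xor x2 xor π1(x1) xor π2(x2), eq. (7)."""
    return x1 ^ x2 ^ p1[x1] ^ p2[x2]


def grostl_compress(P, Q, h, m):
    """Grøstl's compression function P(h xor m) xor Q(m) xor h; it equals
    f_grostl(Q, P, m, h), i.e. π1 = Q, π2 = P, x1 = m, x2 = h."""
    return P[h ^ m] ^ Q[m] ^ h


def to_f_input(x1, x2):
    """Map an F' input to the F input with the same output.  The map is an
    involution, so it also sends F inputs back to F' inputs."""
    return (x1, x1 ^ x2)


def check_identity(p1, p2):
    """Exhaustive check of F(x1, x2) = F'(x1, x1 xor x2)."""
    return all(f_grostl(p1, p2, x1, x2) == f_grostl_prime(p1, p2, *to_f_input(x1, x2))
               for x1 in range(SIZE) for x2 in range(SIZE))


def find_collision_prime(p1, p2):
    """Brute-force collision for F' (2^(2n) inputs into 2^n outputs, so one
    always exists at toy size).  Returns two distinct colliding inputs."""
    seen = {}
    for x1 in range(SIZE):
        for x2 in range(SIZE):
            y = f_grostl_prime(p1, p2, x1, x2)
            if y in seen:
                return seen[y], (x1, x2)
            seen[y] = (x1, x2)
    return None


def find_preimage_prime(p1, p2, target):
    """Brute-force preimage of target under F'."""
    for x1 in range(SIZE):
        for x2 in range(SIZE):
            if f_grostl_prime(p1, p2, x1, x2) == target:
                return (x1, x2)
    return None


def transfer_collision(p1, p2, pair):
    """Turn an F' collision into an F collision and verify it."""
    a, b = (to_f_input(*pair[0]), to_f_input(*pair[1]))
    assert a != b and f_grostl(p1, p2, *a) == f_grostl(p1, p2, *b)
    return a, b


def transfer_preimage(p1, p2, target, pre):
    """Turn an F' preimage of target into an F preimage and verify it."""
    a = to_f_input(*pre)
    assert f_grostl(p1, p2, *a) == target
    return a


if __name__ == "__main__":
    rng = random.Random(7)
    p1, p2 = random_permutation(rng), random_permutation(rng)
    print("identity (6)=(7) holds:", check_identity(p1, p2))
    print("F collision:", transfer_collision(p1, p2, find_collision_prime(p1, p2)))
    print("F preimage of 0x2a:", transfer_preimage(p1, p2, 0x2a, find_preimage_prime(p1, p2, 0x2a)))
```

Since the map $(x_1, x_2) \mapsto (x_1, x_1 \oplus x_2)$ is a bijection on the input space and costs no primitive queries, any adversary against one form is an adversary with the same query count against the other, which is why the theorems in this section are stated for $F'_{Grøstl}$.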

6 Application to Shrimpton-Stam Compression Function

In this section, we consider the provable security of the Shrimpton-Stam compression function $F_{SS}$ [57] (see also Fig. 4):
$$F_{SS}(x_1, x_2) = x_1 \oplus \pi_1(x_1) \oplus \pi_3\big(x_1 \oplus \pi_1(x_1) \oplus x_2 \oplus \pi_2(x_2)\big). \qquad (8)$$
This function is proven asymptotically optimally collision and preimage secure up to $2^{n/2}$ queries in the IPM [41, 51, 57]. We consider the security of $F_{SS}$ in the WCM, where $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. (As in Sect. 5 we consider keyless functions, hence $\kappa = 0$ and the key inputs are dropped throughout.) Our findings readily apply to the generalization of $F_{SS}$ of [41]. The analysis of this construction is significantly more complex than the ones of Sect. 4 and Sect. 5.

6.1 Collision Security

Theorem 5. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. Then,

(i) If $B = 1$ and $C$ arbitrary, $\mathrm{Adv}^{\mathrm{col}}_{F_{SS}}\big(2^{(n-|C|)/2 - n\varepsilon}\big) \to 0$ for $n \to \infty$;

(ii) If $B = 2$ and $C$ with $|C| \le n/2$, $\mathrm{Adv}^{\mathrm{col}}_{F_{SS}}\big(2^{n/2 - n\varepsilon}\big) \to 0$ for $n \to \infty$;

(iii) If $B = 2$ and $C$ with $|C| > n/2$, $\mathrm{Adv}^{\mathrm{col}}_{F_{SS}}\big(2^{n-|C| - n\varepsilon}\big) \to 0$ for $n \to \infty$;

(iv) If $B \ge 3$ (independent of $n$) and $C$ arbitrary, $\mathrm{Adv}^{\mathrm{col}}_{F_{SS}}\big(2^{n/2 - n\varepsilon}\big) \to 0$ for $n \to \infty$.

Due to the technicality of the proof, the results are expressed in asymptotic terms. The proof is given in App. G. For $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge 3$ constant and $C$ arbitrary, $F_{SS}$ achieves the same security level as in the IPM. On the other hand, if $B = 1$, or if $B = 2$ but $|C| > n/2$, Thm. 5 results in a worse bound. See also Table 1. In App. H we show that the bound is optimal, by presenting tight attacks on $F_{SS}$ in the WCM.

6.2 Preimage Security

Theorem 6. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. Then,

(i) If $B = 1$ and $C$ with $|C| \le n/2$, $\mathrm{Adv}^{\mathrm{epre}}_{F_{SS}}\big(2^{n/2 - n\varepsilon}\big) \to 0$ for $n \to \infty$;

(ii) If $B = 1$ and $C$ with $|C| > n/2$, $\mathrm{Adv}^{\mathrm{epre}}_{F_{SS}}\big(2^{n-|C| - n\varepsilon}\big) \to 0$ for $n \to \infty$;

(iii) If $B \ge 2$ (independent of $n$) and $C$ arbitrary, $\mathrm{Adv}^{\mathrm{epre}}_{F_{SS}}\big(2^{n/2 - n\varepsilon}\big) \to 0$ for $n \to \infty$.

As for collision resistance, the results are expressed in asymptotic terms. The proof is given in App. I. The bounds match the ones in the IPM, except for the case of $B = 1$ and $|C| > n/2$. We leave it as an open problem to prove tightness of Thm. 6 part (ii).

7 Conclusions

Since their formal introduction by Knudsen and Rijmen at ASIACRYPT 2007 [27], numerous known-key attacks on blockciphers have appeared in the literature. These attacks are often considered delicate, as it is not always clear to what extent they influence the security of cryptographic functions based on these known-key blockciphers. We presented the weak cipher model in order to investigate this impact. For a specific instance of this model, considering the existence of $A$ sets of $B$ queries that satisfy condition $\varphi_C$ of (3), we proved that the PGV compression functions [48], the Grøstl compression function [21], and the Shrimpton-Stam compression function [57] remain mostly unaffected by the generalized weakness. Additionally, preimage security of the functions turned out to be significantly less susceptible to these types of weaknesses than collision security. The results can be readily generalized to other primitive-based functions, such as the double block length compression functions Tandem-DM, Abreast-DM, and Hirose's compression functions [23, 30], and to the permutation-based sponge mode [5].

Our model is general enough to cover practically all differential known-key attacks in the literature, such as the latest results based on the rebound attack [12, 22, 28, 38, 52, 53, 56] and on the boomerang attack [2, 7, 31, 54, 61]. To our knowledge, our work provides the first attempt to formally analyze the effect of a wide class of cryptanalytic attacks from a modular and provable security point of view. It is a step in the direction of security beyond the ideal model, connecting practical attacks from cryptanalysis with ideal model provable security. There is still a long way to go: in order to make the connection between the two fields, we abstracted known-key attacks to a certain degree. It remains a highly challenging open research problem to generalize our findings to multiple or different weaknesses, and to different permutation-based cryptographic functions. These generalizations include the analysis of known-key based constructions for more advanced conditions $\varphi$ (such as arbitrary polynomials).

Acknowledgments. This work was supported in part by the European Union's Horizon 2020 research and innovation programme under grant agreement No. HECTOR and grant agreement No. H2020-MSCA-ITN ECRYPT-NET, and in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). Bart Mennink is a Postdoctoral Fellow of the Research Foundation Flanders (FWO). The authors would like to thank the anonymous reviewers for their valuable help and feedback. We thank Damian Vizár for suggestions.

References

1. Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Fast Software Encryption 2013. LNCS, vol. 8424. Springer, Heidelberg (2013)
2. Aumasson, J., Çalık, Ç., Meier, W., Özen, O., Phan, R., Varıcı, K.: Improved cryptanalysis of Skein. In: Advances in Cryptology - ASIACRYPT 2009. LNCS, vol. 5912. Springer, Heidelberg (2009)
3. Aumasson, J., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009)
4. Baecher, P., Farshim, P., Fischlin, M., Stam, M.: Ideal-cipher (ir)reducibility for blockcipher-based hash functions. In: Advances in Cryptology - EUROCRYPT 2013. LNCS, vol. 7881. Springer, Heidelberg (2013)
5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. ECRYPT Hash Function Workshop (2007)
6. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Advances in Cryptology - CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)
7. Biryukov, A., Nikolić, I., Roy, A.: Boomerang attacks on BLAKE-32. In: Fast Software Encryption 2011. LNCS, vol. 6733. Springer, Heidelberg (2011)
8. Black, J., Cochran, M., Shrimpton, T.: On the impossibility of highly-efficient blockcipher-based hash functions. In: Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
9. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Advances in Cryptology - CRYPTO 2002. LNCS, vol. 2442. Springer, Heidelberg (2002)
10. Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis of the blockcipher-based hash functions from PGV. Journal of Cryptology 23(4) (2010)
11. Blondeau, C., Peyrin, T., Wang, L.: Known-key distinguisher on full PRESENT. In: Advances in Cryptology - CRYPTO 2015, Part I. LNCS, vol. 9215. Springer, Heidelberg (2015)
12. Bouillaguet, C., Dunkelman, O., Leurent, G., Fouque, P.: Attacks on hash functions based on generalized Feistel: Application to reduced-round Lesamnta and SHAvite-3_512. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544. Springer, Heidelberg (2010)
13. Bouillaguet, C., Fouque, P., Leurent, G.: Security analysis of SIMD. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544. Springer, Heidelberg (2011)
14. Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544, pp. 1-17. Springer, Heidelberg (2010)
15. Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.F., Naya-Plasencia, M., Paillier, P., Pornin, T., Reinhard, J., Thuillet, C., Videau, M.: Indifferentiability with distinguishers: Why Shabal does not require ideal ciphers. Cryptology ePrint Archive, Report 2009/ (2009)
16. Coron, J., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Advances in Cryptology - CRYPTO 2008. LNCS, vol. 5157, pp. 1-20. Springer, Heidelberg (2008)
17. Dong, L., Wu, W., Wu, S., Zou, J.: Known-key distinguisher on round-reduced 3D block cipher. In: Information Security Applications - WISA 2011. LNCS, vol. 7115. Springer, Heidelberg (2012)
18. Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. Chinese Science Bulletin 57(6) (2012)
19. Duo, L., Li, C.: Improved collision and preimage resistance bounds on PGV schemes. Cryptology ePrint Archive, Report 2006/462 (2006)
20. Fouque, P., Stern, J., Zimmer, S.: Cryptanalysis of tweaked versions of SMASH and reparation. In: Selected Areas in Cryptography 2008. LNCS, vol. 5381. Springer, Heidelberg (2009)
21. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.: Grøstl, a SHA-3 candidate (2011), submission to NIST's SHA-3 competition
22. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: Improved attacks for AES-like permutations. In: Fast Software Encryption 2010. LNCS, vol. 6147. Springer, Heidelberg (2010)
23. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Fast Software Encryption 2006. LNCS, vol. 4047, pp. 210-225. Springer, Heidelberg (2006)
24. Holenstein, T., Künzler, R., Tessaro, S.: The equivalence of the random oracle model and the ideal cipher model, revisited. In: Proc. ACM Symposium on Theory of Computing 2011. ACM, New York (2011)
25. Jetchev, D., Özen, O., Stam, M.: Collisions are not incidental: A compression function exploiting discrete geometry. In: Theory of Cryptography Conference 2012. LNCS, vol. 7194. Springer, Heidelberg (2012)
26. Katz, J., Lucks, S., Thiruvengadam, A.: Hash functions from defective ideal ciphers. In: CT-RSA 2015. LNCS, vol. 9048. Springer, Heidelberg (2015)
27. Knudsen, L., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Advances in Cryptology - ASIACRYPT 2007. LNCS, vol. 4833. Springer, Heidelberg (2007)
28. Koyama, T., Sasaki, Y., Kunihiro, N.: Multi-differential cryptanalysis on reduced DM-PRESENT-80: collisions and other differential properties. In: Information Security and Cryptology - ICISC 2012. LNCS, vol. 7839. Springer, Heidelberg (2013)
29. Kuwakado, H., Hirose, S.: Hashing mode using a lightweight blockcipher. In: IMA International Conference 2013. LNCS, vol. 8308. Springer, Heidelberg (2013)
30. Lai, X., Massey, J.: Hash function based on block ciphers. In: Advances in Cryptology - EUROCRYPT '92. LNCS, vol. 658. Springer, Heidelberg (1992)
31. Lamberger, M., Mendel, F.: Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/ (2011)
32. Lampe, R., Seurin, Y.: Security analysis of key-alternating Feistel ciphers. In: Fast Software Encryption 2014. LNCS, vol. 8540. Springer, Heidelberg (2015)
33. Lauridsen, M.M., Rechberger, C.: Linear distinguishers in the key-less setting: Application to PRESENT. In: Fast Software Encryption 2015. LNCS, vol. 9054. Springer, Heidelberg (2015)
34. Leurent, G., Roy, A.: Boomerang attacks on hash function using auxiliary differentials. In: CT-RSA 2012. LNCS, vol. 7178. Springer, Heidelberg (2012)
35. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Selected Areas in Cryptography 2006. LNCS, vol. 4356. Springer, Heidelberg (2007)


On the Security of Hash Functions Employing Blockcipher Post-processing

On the Security of Hash Functions Employing Blockcipher Post-processing On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,

More information

Avoiding collisions Cryptographic hash functions. Table of contents

Avoiding collisions Cryptographic hash functions. Table of contents Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash

More information

Cryptanalysis of EnRUPT

Cryptanalysis of EnRUPT Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is

More information

Weaknesses in the HAS-V Compression Function

Weaknesses in the HAS-V Compression Function Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010

More information

Rotational cryptanalysis of round-reduced Keccak

Rotational cryptanalysis of round-reduced Keccak Rotational cryptanalysis of round-reduced Keccak Pawe l Morawiecki 1,3, Josef Pieprzyk 2, and Marian Srebrny 1,3 1 Section of Informatics, University of Commerce, Kielce, Poland pawelm@wsh-kielce.edu.pl

More information

Some Plausible Constructions of Double-Block-Length Hash Functions

Some Plausible Constructions of Double-Block-Length Hash Functions Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating

More information

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34 Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:

More information

Security Properties of Domain Extenders for Cryptographic Hash Functions

Security Properties of Domain Extenders for Cryptographic Hash Functions Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length

More information

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mohammad Reza Reyhanitabar and Willy Susilo Centre for Computer and Information Security Research School of Computer

More information

The preimage security of double-block-length compression functions

The preimage security of double-block-length compression functions The preimage security of double-block-length compression functions Frederik Armknecht 1, Ewan Fleischmann 2, Matthias Krause 1, Jooyoung Lee 3, Martijn Stam 4, and John Steinberger 5 1 Arbeitsgruppe Theoretische

More information

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function Jérémy Jean and Pierre-Alain Fouque Ecole Normale Supérieure 45 rue d Ulm 75230 Paris Cedex 05 France {Jeremy.Jean,Pierre-Alain.Fouque}@ens.fr

More information

The preimage security of double-block-length compression functions

The preimage security of double-block-length compression functions The preimage security of double-block-length compression functions Frederik Armknecht 1, Ewan Fleischmann 2, Matthias Krause 1, Jooyoung Lee 3, Martijn Stam 4, and John Steinberger 5 1 Arbeitsgruppe Theoretische

More information

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Random Oracle Model and the Ideal Cipher Model are Equivalent The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.

More information

MJH: A Faster Alternative to MDC-2

MJH: A Faster Alternative to MDC-2 MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract

More information

Reset Indifferentiability and its Consequences

Reset Indifferentiability and its Consequences Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and

More information

Security Analysis of the Compression Function of Lesamnta and its Impact

Security Analysis of the Compression Function of Lesamnta and its Impact Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

The Differential Analysis of S-functions,

The Differential Analysis of S-functions, The Differential Analysis of S-functions, Nicky Mouha, Vesselin Velichkov, Christophe De Cannière, and Bart Preneel 1 Department of Electrical Engineering ESAT/SCD-COSIC, Katholieke Universiteit Leuven.

More information

Second Preimages for Iterated Hash Functions and their Implications on MACs

Second Preimages for Iterated Hash Functions and their Implications on MACs Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)

More information

Cryptographic Hash Functions Part II

Cryptographic Hash Functions Part II Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build

More information

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,

More information

Building a Collision-Resistant Compression Function from Non-Compressing Primitives

Building a Collision-Resistant Compression Function from Non-Compressing Primitives Building a Collision-Resistant Compression Function from Non-Compressing Primitives Thomas Shrimpton 1 and Martijn Stam 2 1 University of Lugano and Portland State University thomas.shrimpton@unisi.ch

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

Second-Order Differential Collisions for Reduced SHA-256

Second-Order Differential Collisions for Reduced SHA-256 Second-Order Differential Collisions for Reduced SHA-256 Alex Biryukov 1, Mario Lamberger 2, Florian Mendel 2, and Ivica Nikolić 1 1 University of Luxembourg, Luxembourg 2 IAIK, Graz University of Technology,

More information

Security Reductions of the Second Round SHA-3 Candidates

Security Reductions of the Second Round SHA-3 Candidates Security Reductions o the Second Round SHA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,

More information

Security Analysis of Key-Alternating Feistel Ciphers

Security Analysis of Key-Alternating Feistel Ciphers Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin Abstract. We study the security of key-alternating Feistel ciphers, a class of key-alternating ciphers with a Feistel

More information

Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing

Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Matthias Krause 1, Frederik Armknecht 1, and Ewan Fleischmann 2 1 Arbeitsgruppe Theoretische Informatik und Datensicherheit,

More information

Higher Order Universal One-Way Hash Functions

Higher Order Universal One-Way Hash Functions Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr

More information

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Downloaded from orbit.dtu.dk on: Jan 8, 219 Cryptanalysis of the 1-Round Hash and Full Compression Function of SHAvite-3-512 Gauravaram, Praveen; Leurent, Gaëtan; Mendel, Florian; Plasencia, Maria Naya;

More information

Cryptanalysis of Luffa v2 Components

Cryptanalysis of Luffa v2 Components Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École

More information

Secret-key Cryptography from Ideal Primitives: A Systematic Overview

Secret-key Cryptography from Ideal Primitives: A Systematic Overview Secret-key Cryptography from Ideal Primitives: A Systematic Overview Peter Gaži Institute of Science and Technology, Austria petergazi@istacat Stefano Tessaro University of California, Santa Barbara tessaro@csucsbedu

More information

New attacks on Keccak-224 and Keccak-256

New attacks on Keccak-224 and Keccak-256 New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Limits on the Efficiency of One-Way Permutation-Based Hash Functions Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)

More information

Rebound Attack. Florian Mendel

Rebound Attack. Florian Mendel Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

The Random Oracle Model and the Ideal Cipher Model Are Equivalent The Random Oracle Model and the Ideal Cipher Model Are Equivalent Jean-Sébastien Coron 1,JacquesPatarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.

More information

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,

More information

Public-Seed Pseudorandom Permutations

Public-Seed Pseudorandom Permutations Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study

More information

Adaptive Preimage Resistance and Permutation-based Hash Functions

Adaptive Preimage Resistance and Permutation-based Hash Functions daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390

More information

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function Jérémy Jean, Pierre-Alain Fouque To cite this version: Jérémy Jean, Pierre-Alain Fouque. Practical Near-Collisions

More information

Cryptanalysis of Full Sprout

Cryptanalysis of Full Sprout Cryptanalysis of Full Sprout Virginie Lallemand and María Naya-Plasencia Inria, France Abstract. A new method for reducing the internal state size of stream cipher registers has been proposed in FSE 2015,

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

Improved Slide Attacks

Improved Slide Attacks Improved Slide Attacs Eli Biham 1 Orr Dunelman 2 Nathan Keller 3 1 Computer Science Department, Technion. Haifa 32000, Israel biham@cs.technion.ac.il 2 Katholiee Universiteit Leuven, Dept. of Electrical

More information

New Attacks against Standardized MACs

New Attacks against Standardized MACs New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org

More information

Extended Criterion for Absence of Fixed Points

Extended Criterion for Absence of Fixed Points Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper

More information

A New Distinguisher on Grain v1 for 106 rounds

A New Distinguisher on Grain v1 for 106 rounds A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.

More information

HASH FUNCTIONS. Mihir Bellare UCSD 1

HASH FUNCTIONS. Mihir Bellare UCSD 1 HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,

More information

Linear Cryptanalysis of RC5 and RC6

Linear Cryptanalysis of RC5 and RC6 Linear Cryptanalysis of RC5 and RC6 Johan Borst, Bart Preneel, and Joos Vandewalle K.U. Leuven, Dept. Elektrotechniek-ESAT/COSIC Kardinaal Mercierlaan 94, B-3001 Heverlee Belgium Johan.Borst@esat.kuleuven.ac.be

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson 1, Emilia Käsper 2, Lars Ramkilde Knudsen 3, Krystian Matusiewicz 4, Rune Ødegård 5, Thomas Peyrin

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

W-OTS + Shorter Signatures for Hash-Based Signature Schemes

W-OTS + Shorter Signatures for Hash-Based Signature Schemes W-OTS + Shorter Signatures for Hash-Based Signature Schemes Andreas Hülsing huelsing@cdc.informati.tu-darmstadt.de Cryptography and Computeralgebra Department of Computer Science TU Darmstadt Abstract.

More information