Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier


Dustin Moody (NIST, USA), Souradyuti Paul (NIST, USA, and KULeuven, Belgium), Daniel Smith-Tone (NIST, USA)

Abstract

The main result of the paper is the solution to a longstanding open problem in the hash function literature: to show that an n-bit iterative hash function can achieve both rate 1 efficiency and an indifferentiability security bound of more than n/2 bits. No hash functions, not even the SHA3 finalists, achieve this property. The Fast Widepipe (FWP) hash mode was proposed by Nandi and Paul in 2010 as a faster variant of the popular Widepipe (WP) construction proposed by Lucks in 2005. Both FWP and WP can be constructed from an identical primitive; however, FWP enjoys a speed-up factor of at least 2 compared to WP for a reasonable selection of parameter values. Despite many heuristic arguments provided in favor of the optimal security of FWP, the proven indifferentiability bound for the mode was only up to the birthday barrier of n/2 bits. In this paper, we break the barrier: we improve the bound to 2n/3 bits. We compare the FWP mode with other popular modes with respect to security and efficiency. To the best of our knowledge, this is the first time the indifferentiability security bound of a hash mode with rate 1 has been shown to be beyond the birthday barrier. The novel technique used to break the barrier, which is based on the detection of a special set of events, namely 3-multi-collisions on n bits and n-bit and 2n-bit query collisions, may be of independent interest; the technique is likely to apply to other similar rate 1 hash functions such as JH and the Parazoa family. Our rigorous experiments give evidence that the bound could be further improved, possibly to very close to n bits.
1 Introduction

Iterative hash functions are usually composed of two parts: (1) a basic primitive (denoted by C) with finite domain and range, and (2) an iterative mode of operation (denoted by H) to extend the domain of the hash function. We denote a hash function using the mode H and the primitive C by H^C. In studying the security of a hash function, it turns out that both the security of the primitive C and the security of the mode of operation H need to be examined separately, since one can be attacked independently of the other. The most popular hash mode of operation is the classical Merkle-Damgård mode [14, 23]. It has the desirable property that if C is collision resistant, then MD^C will also be collision resistant. Many practical hash functions, such as MD4 [28], MD5 [29], and SHA-0/1/2 [25, 26], follow the Merkle-Damgård mode of operation. However, several recent attacks have greatly undermined the security of any hash function based on the Merkle-Damgård mode. These attacks include the length-extension attack, Joux's multi-collision attack [18], the herding attack [19], and the Kelsey-Schneier preimage attack [20], among others. All the above attacks target the mode of operation, and they work no matter how secure the underlying primitive C is. A telltale sign of the demise of the Merkle-Damgård mode is that none of the 64 submissions to the ongoing SHA3 competition used the Merkle-Damgård mode.

In search of a secure replacement for the Merkle-Damgård mode, we have broadly witnessed several stages of improvement: (1) additional postprocessing and/or counters injected into the Merkle-Damgård mode to eliminate the length-adjustment related attacks (e.g., HAIFA [8], EMD [4], MDP [17]); (2) widening of the output length of the primitive C to eliminate Joux's multicollision-type attacks (e.g., Widepipe-MD [21], JH [30], Grøstl [16], Sponge [5], Shabal [10], Parazoa [3]); (3) multiple applications of the primitive C on the same message-block (e.g., Doublepipe MD [21]).

Another research direction, motivated by the innovative attacks on the hash mode of operation, has been the development of new security frameworks that can cover the above attacks as well as many others still unforeseen. The indifferentiability framework is one of them. It was introduced by Maurer et al. [22] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [13]. Briefly, in this framework, we measure the extent to which a hash function behaves as a random oracle under some idealized assumption (e.g., random oracle, ideal permutation, ideal cipher) on the underlying compression function. Indeed, security of a hash mode established in the indifferentiability framework guarantees resistance to many attacks including collision, 1st preimage, 2nd preimage, length-extension and Joux's multi-collision, among others. Some limitations of the indifferentiability framework have been recently discovered in [15] and [27].
Nevertheless, the framework still covers most known attack scenarios and, therefore, security of a mode in that setting is able to guarantee resistance to many generic attacks.

The Challenge. Despite the plentifulness of iterative hash modes of operation, not one of them has been shown to have an optimal security-performance tradeoff. By security, we mean the proven indifferentiability security bound of the hash mode. By performance, we mean the rate of the hash function: the rate of a hash function, based on an ideal primitive with a bits of input and b bits of message-block, is defined to be b/(a − b). This quantity shows the fraction of the primitive-input bits being used for message-injection during the hash computation. It is clear that a higher rate implies faster hash computation. To the best of our knowledge, there are no hash modes with rate 1 whose indifferentiability security bounds are larger than n/2 bits. The rates and security bounds of many popular hash modes are tabulated in Table 1.

Relevant previous work: Merkle-Damgård vs. Widepipe vs. Fast Widepipe. To make a Merkle-Damgård hash function (proposed in 1989) secure against the aforementioned Joux's multi-collision-type attacks, Lucks, in 2005, proposed to make the intermediate chaining values of the Merkle-Damgård mode twice as large as the final hash value; this mode is known as the Widepipe mode [21] (see Figure 1). Suppose the basic primitive in a Merkle-Damgård hash function is C : {0,1}^{l+n} → {0,1}^n. Lucks has, very rightly, proposed to use a primitive C : {0,1}^{l+n} → {0,1}^{2n} to avoid many multi-collision-type attacks. The message-block and the chaining input to C in a Widepipe mode are now l − n and 2n bits. The Widepipe hash mode achieves close to n bits of indifferentiability security, albeit at the cost of a low rate of 1/2 (Table 1). The Fast Widepipe (FWP) hash mode was proposed by Nandi and Paul in 2010 [24] as a faster variant of the Widepipe mode [21] (see Figure 1). Using any Widepipe primitive C : {0,1}^{l+n} → {0,1}^{2n}, the FWP mode achieves the higher rate of 1 by allowing l bits of message-block and n bits of chaining value [24]. However, the security bound of the mode was only up to n/2 bits.

[Figure 1 diagram: message blocks M_1, M_2, ..., M_{k−1}, M_k entering a chain of C calls starting from IV ‖ IV'; in (i) every C call takes l − n message bits, in (ii) the first k − 1 calls take l bits and the last takes l − n bits; the final output is the n-bit hash.]

Figure 1: (i) Widepipe mode and (ii) Fast Widepipe (FWP) mode; both use the identical primitive C. All unlabeled wires are n bits. The M_i's are message-blocks.

Our contribution. In this paper, we extend the indifferentiability security bound of the FWP mode from n/2 bits to 2n/3 bits. This is the first time the indifferentiability security of a hash mode with rate 1 has been shown to be better than the birthday bound. In addition to this main result, our proof technique may be of independent interest, as it is novel and can potentially be used for further improved security analysis of this mode and similar ones such as the JH and the Parazoa family of modes. The main hurdle in breaking the birthday barrier of FWP was two-pronged. First, any analysis based on the probability of collision in just n bits of output can only give a bound of n/2 bits; this approach is usually followed to achieve bounds up to n/2 bits. Secondly, collision-prevention on 2n bits of output does not prevent collisions in the n bits of input-chain, resulting in a total number of messages which is quadratic in i after i queries, again giving a bound of only n/2 bits. This problem arises due to the XOR operations between the interleaving n bits of successive outputs. We overcome this issue by identifying a special set of events (described in Section 4) occurring with low probabilities, namely, 3-multi-collision on the n bits of output (Type1-b, e, g) and n-bit query collision (Type1-f), in addition to the usual 2n-bit output and query collisions (Type1-a, c, d). Another important feature of our methodology is allowing the growth of the graph T_s, representing all possible messages, for two phases rather than the usual approach of just one. These events helped us bound the number of paths in the graph by a linear function in i, using simple combinatorial results (see Lemma 5.1).
This linear bound on the size of T_s allows us to achieve a bound of 2n/3 bits. The theoretically obtained bound of 2n/3 bits agrees well with our experimental results. Moving further, our experimental results performed with a different set of events give ample evidence that the indifferentiability bound for FWP can be stretched close to even n bits. The theoretical analysis of this result is left as an open problem.

Notation and Convention. Throughout the paper we shall use the little-endian bit-ordering system. The symbol |x| denotes the bit-length of the bit-string x (or the size of the set x). Let n be a fixed number. Let x →parse x_1 ‖ x_2 denote parsing x into x_1 and x_2 such that |x_1| = n and |x_2| = |x| − n. Similarly, x →parse x_1 ‖ x_2 ‖ x_3 means parsing x into x_1, x_2 and x_3 such that |x_1| = |x_2| = n and |x_3| = |x| − 2n. The notation M →pad m_1 ‖ ... ‖ m_{k−1} ‖ m_k is explained in Section 1.1. Let S_t denote the sample space of the discrete random variable t. The relation A ≡ B is satisfied if and only if Pr[A = x] = Pr[B = x] for all x ∈ S, where S = S_A ∪ S_B. Other notation which we will use is included in Table 2.

Table 1: For each case the hash-output is n-bit. For a fair comparison, we chose l = n. The symbols marking some entries denote optimal and close to optimal. RO, IC and IP are abbreviations for random oracle, ideal cipher, and ideal permutation respectively.

Mode of operation   | Message-block length (b) | Primitive input length (a) | Primitive output length | Indiff. bound | Rate (b/(a − b)) | Ideal primitive
MD [14, 23]         | l   | l + n    | n         | 0         | 1   | RO
MDP [17]            | l   | l + n    | n         | n/2       | 1   | RO
EMD [4]             | l   | l + n    | n         | n/2       | 1   | RO
HAIFA [8]           | l   | l + n    | n         | n/2       | 1   | RO
chopMD [11, 13]     | l   | l + 2n   | 2n        | n − log n | 1/2 | RO
BLAKE [1, 12]       | 2n  | 4n       | 2n        | n/2       | 1   | IC
Shabal [10]         | n   | 4n       | 2n        | n         | 1/3 | IC
JH [7]              | n   | 2n       | 2n        | n/3       | 1   | IP
Sponge [5]          | n   | 2n       | 2n        | n/2       | 1   | IP
Grøstl [16]         | 2n  | 2n (×2)  | 2n (×2)   | n/2       | 1   | IP
Parazoa [3]         | n   | 2n       | 2n        | n/2       | 1   | IP
FWP [24]            | l   | l + n    | 2n        | n/2       | 1   | RO
FWP (this paper)    | l   | l + n    | 2n        | 2n/3      | 1   | RO

Table 2: Notation

a := b            a is assigned the value of b
a ←$ S            a is assigned a value uniformly chosen from the set S
A^B               Algorithm A with oracle access to B
Dom(T)            The set of indices i in table T for which T[i] has been assigned
ab                a ‖ b, the concatenation of the bit-strings a and b
[x, y]            The set of integers between x and y, including them
a[x, y]           The bit-string between the x-th and y-th bit-positions of a
U[0, 2^n − 1]     The uniform distribution over the integers between 0 and 2^n − 1

1.1 Description of the FWP Mode

Suppose l ≥ n + 1. Let C : {0,1}^{l+n} → {0,1}^{2n} be a cryptographic primitive used to build the FWP hash function FWP^C : {0,1}* → {0,1}^n. The diagram and the description of the FWP transform are given in Figures 1 and 2. The semantics of the notation M →pad m_1 ‖ ... ‖ m_{k−1} ‖ m_k is as follows: using an injective function pad : {0,1}* → ∪_{i≥1} {0,1}^{(i+1)l − n}, M is mapped into a string m_1 ‖ ... ‖ m_{k−1} ‖ m_k such that |m_i| = l for 1 ≤ i ≤ k − 1, and |m_k| = l − n. In addition to the aforementioned injectivity property of pad(·), another property is needed to prove the indifferentiability of FWP: there should exist a function, which we call depad(·), that can efficiently compute M given pad(M).

FWP(M)
01. M →pad m_1 ‖ m_2 ‖ ... ‖ m_{k−1} ‖ m_k;
02. y_0 := IV, y'_0 := IV';
03. for (i := 1, 2, ..., k − 1) y_i ‖ y'_i := C(y_{i−1} ‖ m_i) ⊕ (y'_{i−1} ‖ 0);
04. y_k ‖ y'_k := C(y_{k−1} ‖ y'_{k−1} ‖ m_k);
05. return y'_k;

Figure 2: Pseudocode for FWP

Figure 3: Indifferentiability framework for a hash function.

Formally, the function depad : ∪_{i≥1} {0,1}^{(i+1)l − n} → {λ} ∪ {0,1}* computes depad(pad(M)) = M for all M ∈ {0,1}*; otherwise depad(·) returns λ. The reader should convince herself that the padding rules of all practical hash functions have the above properties. For practical purposes, we now concretely define pad(·) for M ∈ {0,1}* with |M| < 2^64 as follows: append t zero bits and a 64-bit encoding of |M| to the message M, selecting the least integer t ≥ 0 such that |M| + t + 64 + n ≡ 0 (mod l). The value IV ‖ IV' used to initialize FWP can be any fixed 2n-bit constant. More details about the FWP transform can be found in [24].

1.2 Preliminaries: Introduction to the Indifferentiability Framework

We begin with the definition of a random oracle. This useful object will be used frequently in the subsequent discussion.

Definition 1.1 (Random oracle) A random oracle is a function RO : X → Y chosen uniformly at random from the set of all |Y|^{|X|} functions that map X to Y. In other words, a function RO : X → Y is a random oracle if and only if, for each x ∈ X, the value of RO(x) is chosen uniformly at random from Y.

Corollary 1.2 If a function RO : X → Y is a random oracle, then Pr[RO(x) = y | RO(x_1) = y_1, RO(x_2) = y_2, ..., RO(x_q) = y_q] = 1/|Y|, where x ∉ {x_1, x_2, ..., x_q}, y ∈ Y and q ∈ Z.

Next we introduce the indifferentiability framework and briefly discuss its significance. The following definition is a slightly modified version of the original definition provided in [13, 22].
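As an added worked example (not code from the paper), the FWP mode of Figure 2 together with the concrete pad/depad rule above, in Python. The primitive C is a stand-in built from SHA-256, the byte-level parameters (n = 8, l = 16 bytes, so l ≥ n + 1), the IV values and the padding used for the Widepipe call count are all assumptions; Widepipe is included only to make the rate-1 speed-up visible as a count of primitive calls.

```python
import hashlib

# Toy parameters in BYTES rather than bits (assumption, to keep the example
# readable): n = 8, l = 16, so l >= n + 1 holds and l/n = 2.
N = 8          # half-width n of the 2n-byte primitive output; the hash output is n bytes
L = 16         # full message-block length l
LEN_BYTES = 8  # the 64-bit encoding of |M| appended by pad()
IV, IV_PRIME = b"\x01" * N, b"\x02" * N   # any fixed 2n-byte constant (assumed values)


def C(x: bytes) -> bytes:
    """Stand-in for the primitive C : {0,1}^{l+n} -> {0,1}^{2n} (l+n bytes in, 2n out).
    The paper models C as a random oracle; SHA-256 truncated to 2n bytes is used here
    only so the example runs offline. It is an assumption, not part of the paper."""
    assert len(x) == L + N
    return hashlib.sha256(x).digest()[:2 * N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def pad(msg: bytes) -> bytes:
    """pad(): append the least t >= 0 zero bytes and an 8-byte little-endian |M| so that
    |M| + t + 8 + n is a multiple of l, i.e. k-1 blocks of l bytes and m_k of l-n bytes."""
    t = (-(len(msg) + LEN_BYTES + N)) % L
    return msg + b"\x00" * t + len(msg).to_bytes(LEN_BYTES, "little")


def depad(padded: bytes):
    """Inverse of pad(): returns M for pad(M), otherwise None (the paper's lambda).
    Re-padding the candidate M must reproduce the input byte for byte."""
    if len(padded) < LEN_BYTES or len(padded) % L != L - N:
        return None
    mlen = int.from_bytes(padded[-LEN_BYTES:], "little")
    if mlen > len(padded) - LEN_BYTES:
        return None
    msg = padded[:mlen]
    return msg if pad(msg) == padded else None


def fwp(msg: bytes):
    """FWP(M) of Figure 2. Returns (n-byte digest, number of calls to C).
    Only y_{i-1} (n bytes) and a full l-byte block enter each non-final call; the
    spare half y'_{i-1} is XORed into the next left coordinate (the interleaving)."""
    padded = pad(msg)
    body, m_k = padded[:-(L - N)], padded[-(L - N):]
    blocks = [body[i:i + L] for i in range(0, len(body), L)]
    y, y_p = IV, IV_PRIME                         # y_0 || y'_0 := IV || IV'
    for m_i in blocks:                            # line 03: i = 1 .. k-1
        out = C(y + m_i)                          # C(y_{i-1} || m_i), l+n bytes in
        y, y_p = xor(out[:N], y_p), out[N:]       # y_i || y'_i := out xor (y'_{i-1} || 0)
    r = C(y + y_p + m_k)                          # line 04: 2n-byte chain plus l-n bytes
    return r[N:], len(blocks) + 1                 # line 05: the r[n, 2n-1] half


def widepipe(msg: bytes):
    """Widepipe mode of Figure 1(i) with the same C, for the call-count comparison:
    the 2n-byte chaining value leaves only l-n message bytes per call. Its padding
    (zeros plus length up to a multiple of l-n) is an assumption, not the paper's."""
    b = L - N
    t = (-(len(msg) + LEN_BYTES)) % b
    padded = msg + b"\x00" * t + len(msg).to_bytes(LEN_BYTES, "little")
    state, calls = IV + IV_PRIME, 0
    for i in range(0, len(padded), b):
        state = C(state + padded[i:i + b])
        calls += 1
    return state[N:], calls


if __name__ == "__main__":
    m = b"x" * 1000                               # constructed sample message
    print(fwp(m)[0].hex(), "FWP calls:", fwp(m)[1], "Widepipe calls:", widepipe(m)[1])
```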
Definition 1.3 (Indifferentiability framework) [22] An interactive Turing machine (ITM) T with oracle access to an ideal primitive F is said to be (t_A, t_S, q, ε)-indifferentiable from an ideal primitive G if there exists a simulator S such that, for any distinguisher A, the following condition is satisfied:

Adv^{G,S}_{T,F}(A) = |Pr[A^{T,F} = 1] − Pr[A^{G,S} = 1]| ≤ ε.

The simulator S is an ITM which has oracle access to G and runs in time at most t_S. The distinguisher A runs in time at most t_A. The number of queries used by A is at most q. The ε is a negligible function in the security parameter of T.

We define Adv^{G,S}_{T,F} = max_A |Pr[A^{T,F} = 1] − Pr[A^{G,S} = 1]|. From Definition 1.3, we have that Adv^{G,S}_{T,F} ≤ ε. Briefly, the significance of the indifferentiability framework is the following. Suppose an ideal primitive G (e.g., a variable-input-length random oracle) is indifferentiable from an algorithm T based on another ideal primitive F (e.g., a fixed-input-length random oracle). In such a case, any cryptographic system P based on G is as secure as P based on T^F (i.e., T^F replaces G in P). For a more detailed explanation, we refer the reader to [22].

Pictorial Description of Definition 1.3 (Figure 3). In the figure, the five entities involved in Definition 1.3 are shown: T, F, G and S have been replaced by a hash mode H, random oracles ro and RO, and a simulator S. In our case H is the FWP hash mode described in Figure 2, with C as ro. Suppose the oracle Turing machine T and the ideal primitives F, G are, respectively, a hash function H and random oracles ro and RO. In this setting, Definition 1.3 addresses the degree to which any computationally bounded adversary is unable to distinguish between Option 1 and Option 2.

2 Indifferentiability Framework for FWP: Definitions

[Figure 4 diagram: three games, Game(FWP^ro, ro) with oracles FWP and ro, G_1 with oracles FWP1 and S1, and Game(RO, S) with oracles RO and S, each queried by the adversary A.]

Figure 4: Schematic diagrams of the security games used in the indifferentiability framework for FWP. The arrows show the directions in which the queries are submitted.

To study the indifferentiability security of the FWP mode, we use a random oracle ro : {0,1}^{l+n} → {0,1}^{2n} for the primitive C specified in the design of FWP. To obtain the indifferentiability security bound for the FWP mode, we follow the usual game-playing techniques [4, 2]. The schematic diagrams of the two cryptographic systems Option 1 and Option 2 (of Figure 3) are Game(FWP, ro) and Game(RO, S) in the present context (see Figure 4). The other game G_1 is derived from them. The pseudocode for all the games has been provided in Section 3.
Informally, a game takes an adversarial query as input and produces the output. A simple example is the description of Game(FWP, ro), which is provided in Figure 5(a). We now formally define a game.

Definition 2.1 (Game) A game is a stateful probabilistic algorithm that takes an adversary-generated query as input, updates the current state, and produces an output to the adversary.

The notion of equivalence of games will play a central role in the security reductions to follow. To put it loosely, two games are equivalent if their input-output distributions are identical. The formal definition is below. To make the definition simpler, we restrict ourselves only to games that expose identical interfaces to the adversaries. This allows us to define equivalence of a pair of games when they interact with the same adversary. This setup is relevant in our indifferentiability framework. First, we define an important parameter of a game called the view.

Definition 2.2 (View of a game) Let (x_i, y_i) denote the i-th query and the response from the game G when it interacts with the adversary A. The view of the game G with respect to the adversary A after i queries is defined to be the sequence {(x_1, y_1), ..., (x_i, y_i)}.

Definition 2.3 (Equivalence of games) Denote the views of the games G_1 and G_2 after i queries by V_{1i} and V_{2i}, when they are interacting with the adversary A. The games G_1 and G_2 are said to be equivalent with respect to the adversary A if and only if V_{1i} ≡ V_{2i} for all i > 0. Equivalence between the games G_1 and G_2 with respect to the adversary A is denoted by G_1 ≡_A G_2, or simply G_1 ≡ G_2 when the adversary is clear from the context.

Now we state an important lemma relating the equivalence of games and the adversarial outputs. The result immediately follows from Definition 2.3.

Lemma 2.4 If G_1 ≡_A G_2 then Pr[A^{G_1} = 1] = Pr[A^{G_2} = 1]. The probabilities are taken over all coin tosses in the games and the adversary.

Roadmap. From Section 1.2, we have Adv^{RO,S}_{FWP,ro} = max_A |Pr[A^{FWP,ro} = 1] − Pr[A^{RO,S} = 1]|. In the following sections we shall estimate Adv^{RO,S}_{FWP,ro} using the following approach. In Sections 3 and 4 we describe the security games presented in Figure 4; an important part of the description is designing a simulator S for the indifferentiability framework for FWP, and computing an upper bound of O(σ^5) on S's running time, where σ is the maximum number of invocations of ro. Additionally, we shall show that Game(FWP, ro) ≡ G_1, which implies by Lemma 2.4 that Pr[A^{FWP,ro} = 1] = Pr[A^{G_1} = 1]. This, in turn, implies:

Adv^{RO,S}_{FWP,ro} = max_A |Pr[A^{G_1} = 1] − Pr[A^{RO,S} = 1]|.

Then in Section 6 we shall show max_A |Pr[A^{G_1} = 1] − Pr[A^{RO,S} = 1]| = O(σ^3/2^{2n} + σ/2^n).

3 Description of the Security Games for FWP

In this section, we elaborate on the games Game(FWP, ro), G_1, and Game(RO, S) that are schematically presented in Figure 4. The pseudocode for all the games is given in Figures 5 and 9.
The functionalities FWP, FWP1, and RO are mappings {0,1}* → {0,1}^n. We use the generic term long oracle (or l-oracle) to identify any of them and call any query submitted to a long oracle an l-query. Similarly, ro, S1, and S are mappings {0,1}^{l+n} → {0,1}^{2n}, which are called short oracles (or s-oracles). The corresponding queries are called s-queries. We assume that identical queries are not submitted more than once. The games will use several global and local variables. The global variables D_l and D_s are two tables to store query-response pairs: D_l for l-queries, and D_s for s-queries. D_l, D_s and all local variables are initially empty; the graph T_s is also a global variable which initially contains only the root node (IV, IV'); the local variables are re-initialized on every new invocation of the game, while the global data structures maintain their states across the queries.

Description of Game(FWP, ro) (Fig. 5(a)). The game Game(FWP, ro) implements FWP^ro using the l-oracle FWP and the s-oracle ro. The definition of the function FWP^ro has been provided in Section 2.

Figure 5: The main games Game(FWP, ro) and Game(RO, S)

(a) Game(FWP, ro)

FWP(M)
01. M →pad m_1 ‖ m_2 ‖ ... ‖ m_{k−1} ‖ m_k;
02. y_0 := IV, y'_0 := IV';
03. for (i := 1, 2, ..., k − 1) y_i ‖ y'_i := ro(y_{i−1} ‖ m_i) ⊕ (y'_{i−1} ‖ 0);
04. r := ro(y_{k−1} ‖ y'_{k−1} ‖ m_k);
05. return r[n, 2n − 1];

ro(x)
11. if x ∉ Dom(D_s) D_s[x] ←$ {0,1}^{2n};
12. return D_s[x];

(b) Game(RO, S)

RO(M)
001. if M ∈ Dom(D_l) return D_l[M][n, 2n − 1];
002. r ←$ {0,1}^{2n}; D_l[M] := r;
003. return r[n, 2n − 1];

S(x)
101. r ←$ {0,1}^{2n};
102. 𝓜 := MessageRecon(x, T_s);
103. if |𝓜| = 1 ∧ M ∉ Dom(D_l) D_l[M] := r;
104. if |𝓜| = 1 ∧ M ∈ Dom(D_l) r := D_l[M];
105. D_s[x] := r;
106. FullGraph(D_s);
107. return r;

MessageRecon(x, T_s)
201. x →parse y ‖ y' ‖ m;
202. if FindNode(y ‖ y') = 0 return 𝓜 := ∅;
203. 𝓜 := FindBranch(y ‖ y');
204. 𝓜 := {M | m' ∈ 𝓜, M := depad(m' ‖ m) ≠ λ};
205. return 𝓜;

The ro has been implemented through lazy sampling. The query-response pairs for the s-oracle are stored in the table D_s.

Description of Game(RO, S) (Fig. 5(b)). The s-oracle S(·) of this game is the simulator of the indifferentiability framework for FWP. The l-oracle of this game implements the random oracle RO(·). Construction of an effective simulator is an important part of the analysis of the indifferentiability security of a hash mode of operation. The purpose of the simulator S is two-fold: (1) to output values that are uniformly distributed, and (2) to respond in such a way that FWP^ro(M) and RO(M) are identically distributed. It is easy to conclude that, as long as the simulator S is able to output values satisfying the above conditions, no adversary can distinguish between (RO, S) and (FWP, ro). Our design strategy for S is fairly intuitive and simple. Before going into the detailed description, we first define the data structures and the subroutines used by the game.
The game uses three global data structures: the table D_s to store all s-queries and 2n-bit responses, each chosen according to the uniform distribution U[0, 2^{2n} − 1]; the table D_l to store all l-queries and 2n-bit responses, each chosen according to the uniform distribution U[0, 2^{2n} − 1]; and a specially designed directed graph T_s; we discuss below how T_s is updated.

Subroutine FullGraph: The subroutine updates the directed graph T_s using the elements stored in D_s. The graph T_s is built in such a way that each path originating from the root node (IV, IV') represents the execution of FWP(·) on a prefix of some message. See Figure 6 for a pictorial description of how several components of the graph T_s are built. For example, suppose M →pad m_1 ‖ m_2 ‖ M'. Then the path IV ‖ IV' →(m_1) y_1 ‖ y'_1 →(m_2) y_2 ‖ y'_2 represents the first two-block execution of FWP(M) where y_1 ‖ y'_1 = ro(IV ‖ m_1) ⊕ (IV' ‖ 0) and y_2 ‖ y'_2 = ro(y_1 ‖ m_2) ⊕ y

Additionally and more importantly, the graph T_s contains all possible paths derived from the elements in D_s; hence the name FullGraph.

[Figure 6 diagram: (i) the graph T_s rooted at IV ‖ IV' with arrows m_1, ..., m_a to nodes y_1 ‖ y'_1, ..., y_a ‖ y'_a and further arrows m_2, m_3 to y_2 ‖ y'_2, y_3 ‖ y'_3; (ii) the ro call with inputs y_1 (n bits) and m_2 (l bits), its 2n-bit output, and the XOR with y'_1 producing y_2 ‖ y'_2.]

Figure 6: (i) The directed graph T_s that is updated by the subroutines FullGraph or PartialGraph (see Sect. 3). Example: the edge (y_1 ‖ y'_1, m_2, y_2 ‖ y'_2) is composed of the head node y_1 ‖ y'_1, the arrow m_2, and the tail node y_2 ‖ y'_2. The left and right coordinates of a node y_a ‖ y'_a are y_a and y'_a. (ii) Generation of the edge (y_1 ‖ y'_1, m_2, y_2 ‖ y'_2) of T_s using ro; the shaded rectangle is viewed as the compression function of FWP with y_1 ‖ y'_1 ‖ m_2 and y_2 ‖ y'_2 being the input and the output.

Subroutine MessageRecon(x, T_s): The purpose of this subroutine is to reconstruct all messages M such that FWP^ro(M) can be computed using the elements in D_s and ro(x). Also, the final input to ro in FWP^ro(M) is x, hence FWP^ro(M) = ro(x)[n, 2n − 1]. To serve this purpose, the subroutine proceeds as follows: first, the subroutine FindNode(x[0, 2n − 1] = y ‖ y') checks whether the node y ‖ y' is present in the graph T_s (line 202). If present, the subroutine FindBranch(y ‖ y') collects all paths P from the root node (IV, IV') to the node y ‖ y', and finally returns a set 𝓜 containing messages M such that pad(M) is the sequence of arrows on a path P concatenated with x[2n, l + n − 1] = m (lines 203 and 204). If no such message is found then the subroutine returns the empty set (lines 202 and 204). This operation is pictorially described in Figure 7.

On a new s-query x, S assigns a uniformly sampled 2n-bit value to r (line 101). Then the subroutine MessageRecon(x, T_s) is invoked, which returns a set of messages 𝓜 (line 102). If the size of 𝓜 is 1 and M ∈ 𝓜 is not an old l-query, D_l[M] is assigned the value of r (line 103). If the size of 𝓜 is 1 and M ∈ 𝓜 is an old l-query, r is assigned the value of D_l[M] (line 104).
Finally, in lines 105 and 106 the table D_s and the graph T_s are updated. In line 107 the value of r is returned. On an l-query M, RO first checks whether M has already been reconstructed using the s-queries; in that case, M already belongs to Dom(D_l) and RO returns the most significant n bits of D_l[M], that is D_l[M][n, 2n − 1] (line 001). Otherwise, D_l[M] is assigned a uniformly sampled 2n-bit value (line 002), and the most significant n bits of it are returned (line 003). The running time of the simulator S is dominated by the running time of MessageRecon and FullGraph.

[Figure 7 diagram: the graph T_s rooted at IV ‖ IV' with arrows m_1, ..., m_a, m_2, m_b, m_3 to nodes y_1 ‖ y'_1, ..., y_a ‖ y'_a, y_2 ‖ y'_2, y_b ‖ y'_b, y_3 ‖ y'_3, and an s-query x = y ‖ y' ‖ m landing on the node y ‖ y'. Figure 8 diagram: the same kind of graph with T'_s enclosed in a dotted line and red nodes outside it.]

Figure 7: Operations in MessageRecon on the graph T_s in Game(RO, S) (or on the graph T'_s in G_1).

Figure 8: The graphs T_s and T'_s (enclosed in the dotted line) in G_1. The red nodes are unknown to the adversary, generated by ro-queries in the execution of l-queries.

In Appendix A, we show that the worst-case running time of S on the i-th query is O(i^4).

Description of G_1 (Fig. 9). The description of the game G_1 apparently looks a bit artificial in the sense that it was constructed as a hybridization of the games Game(FWP, ro) and Game(RO, S). The purpose of this game is to be a transit point from Game(FWP, ro) to Game(RO, S) so that their difference in execution can be understood. As in game Game(RO, S), the global variables of this game are the tables D_s and D_l, and the graph T_s. First, in the description of this game, we omit the statements where the variable BAD is set (lines 000, 100, 405, 413, and 414), since they do not impact the output and the global data structures. The variable BAD is set when certain events occur in the global data structures. Those events will be discussed when we compute |Pr[A^{G_1} = 1] − Pr[A^{RO,S} = 1]| in Sect. 6. Now we describe the subroutines used by this game.

Subroutine PartialGraph(x, r): Like the subroutine FullGraph, this subroutine also builds the graph T_s in such a way that each directed path originating from the root node (IV, IV') represents the execution of FWP(·) on a prefix of some message (depicted in Fig. 6). However, there are differences. Rather than building all possible paths using the new pair (x, r) and the old pairs in D_s, PartialGraph augments T_s in at most two phases; hence the name PartialGraph. The details are as follows.
First, the subroutine CreateCoset(y_c = x[0, n − 1]) is invoked, which returns a set Coset containing all nodes in T_s whose left coordinate is y_c (lines 401 and 402). The size of Coset determines the number of nodes to be added to T_s in the 1st phase of the current iteration.

1st phase (lines 403 and 404): Using the members of Coset and the new pair (x, r), new edges are constructed, stored in Edge, and added to T_s using the subroutine AddEdge.

2nd phase (lines 406 through 412): The set Edge in turn generates another set of edges in a for-loop, using the old query-response pairs stored in table D_s: if the least-significant n bits of an old query x' in Dom(D_s) equal the left coordinate y of the tail node of an edge in Edge (lines 407-8), then a new edge is constructed and added to T_s at the contact point y = x'[0, n − 1], by calling AddEdge(·) (line 412).

Figure 9: The game G_1

FWP1(M)
000. if Type3 BAD := True;
001. if M ∈ Dom(D_l) return D_l[M][n, 2n − 1];
002. M →pad m_1 ‖ m_2 ‖ ... ‖ m_{k−1} ‖ m_k;
003. y_0 := IV, y'_0 := IV';
004. for (i := 1, ..., k − 1) {
005.   b := 0;
006.   if y_{i−1} ‖ m_i ∉ Dom(D_s) b := 1;
007.   r := ro(y_{i−1} ‖ m_i);
008.   y_i ‖ y'_i := r ⊕ (y'_{i−1} ‖ 0);
009.   if b = 1 PartialGraph(y_{i−1} ‖ m_i, r); }
010. if y_{k−1} ‖ y'_{k−1} ‖ m_k ∉ Dom(D_s) b := 1;
011. r := ro(y_{k−1} ‖ y'_{k−1} ‖ m_k);
012. D_l[M] := r;
013. if b = 1 PartialGraph(y_{k−1} ‖ y'_{k−1} ‖ m_k, r);
014. return r[n, 2n − 1];

S1(x)
100. if Type2 BAD := True;
101. b := 0;
102. if x ∉ Dom(D_s) b := 1;
103. r := ro(x);
104. 𝓜 := MessageRecon(x, T'_s);
105. if |𝓜| = 1 ∧ M ∉ Dom(D_l) D_l[M] := r;
106. if b = 1 PartialGraph(x, r);
107. return r;

MessageRecon(x, T'_s)
201. x →parse y ‖ y' ‖ m;
202. if FindNode(y ‖ y') = 0 return 𝓜 := ∅;
203. 𝓜 := FindBranch(y ‖ y');
204. 𝓜 := {M | m' ∈ 𝓜, M := depad(m' ‖ m) ≠ λ};
205. return 𝓜;

ro(x)
301. if x ∉ Dom(D_s) D_s[x] ←$ {0,1}^{2n};
302. return D_s[x];

PartialGraph(x, r)
401. x →parse y_c ‖ m; r →parse y ‖ y';
402. Coset := CreateCoset(y_c);
1st Phase:
403. Edge := {(y_c ‖ y'_c, m, y ‖ y') | y := y ⊕ y'_c, y_c ‖ y'_c ∈ Coset};
404. for (y_c ‖ y'_c, m, y ‖ y') ∈ Edge { AddEdge(y_c ‖ y'_c, m, y ‖ y');
405.   if Type1-a ∨ Type1-b ∨ Type1-c BAD := True; }
2nd Phase:
406. for x' ∈ Dom(D_s) {
407.   if ∃ (y_c ‖ y'_c, m, y ‖ y') ∈ Edge
408.     such that y = x'[0, n − 1] {
409.     z := D_s[x'][0, n − 1] ⊕ y';
410.     z' := D_s[x'][n, 2n − 1];
411.     m' := x'[n, |m| + n − 1];
412.     AddEdge(y ‖ y', m', z ‖ z'); }
413.   if Type1-d ∨ Type1-e ∨ Type1-f BAD := True; }
414. if Type1-g BAD := True;

Subroutine MessageRecon(x, T'_s): This subroutine has already been described in game Game(RO, S). The only change here is that, instead of the graph T_s, the second argument to this subroutine is T'_s, which is the maximal connected subgraph of T_s with the root node (IV, IV') generated by the part of the table D_s that contains only the s-queries and responses. Note that, in addition to s-queries and responses, D_s contains ro-queries and responses generated during the execution of l-queries (see Figure 8). This marks a significant difference between this game and the game Game(RO, S), which does not have any ro-query arising during the processing of an l-query. We shall quantify this difference in Section 6.

On an s-query x, ro(x) is computed (line 103). The ro is implemented through lazy sampling (lines 301 and 302). Then the subroutine MessageRecon is called with (x, T'_s), which returns a set of reconstructed messages 𝓜 (line 104). If the size of 𝓜 is 1, and if M ∈ 𝓜 is not a previous l-query, D_l[M] is assigned the value of ro(x) (line 105). Before finally returning r (line 107), the subroutine PartialGraph is called on input (x, r) if (x, r) is fresh, i.e., b = 1, to update the existing graph T_s (line 106). If an l-query M has already been reconstructed by S1 on some previous s-query, then D_l[M][n, 2n − 1] is returned (line 001). Otherwise, in lines 002 till 011, FWP1 mimics FWP, in addition to updating the graph T_s (lines 009 and 013) whenever a new intermediate input is generated (lines 006 and 010). D_l[M] is assigned the value of r in line 012, which is the output from the final ro call (line 011). Finally, r[n, 2n − 1] is returned (line 014).
Remark 1 The difference in the ways the directed graph T_s is constructed by the subroutines FullGraph and PartialGraph forms the first non-trivial step towards breaking the birthday bound for the indifferentiability security of FWP. PartialGraph augments T_s in at most two phases per invocation; it is easy to see that the T_s constructed by PartialGraph is a connected subgraph of the T_s constructed by FullGraph. We shall see later that, if the events in lines 405, 413, and 414 do not occur, T_s of Game(RO, S) and T'_s of G_1 are identical. As a consequence, the probability of occurrence of such events constitutes a significant fraction of FWP's overall indifferentiability bound of O(σ^3/2^{2n} + σ/2^n). It seems possible that, if PartialGraph augmented T_s in more phases than just two, the indifferentiability bound could be improved further (see Section 7); however, in such cases, the theoretical determination of a non-trivial upper bound on the probability of the events that tell apart the above subroutines turns out to be hard.

With the above description of the games at our disposal, we are now well equipped to state and prove an easy but important result.

Proposition 3.1 For any distinguishing adversary A, Game(FWP, ro) ≡ G_1.

Proof. From the description of S1, we observe that, for all x ∈ {0,1}^{l+n}, S1(x) = ro(x) (line 103). Likewise, from the descriptions of FWP1 and FWP, for all M ∈ {0,1}*, FWP1(M) = FWP(M).

The events Type1, Type2, and Type3 are still not defined. These events finally tell apart the game G_1 from the game Game(RO, S). We describe them in the following sections.

4 Definition of the events BAD_i and GOOD_i

In the remaining part of the paper, by a query we will mean either a message-block in an l-query, or an s-query. As a result, prior to the i-th query, the sum of s-queries and message-blocks contained in l-queries is i−1. The purpose of this section is to concretely define the Type1, Type2 and Type3 events mentioned in lines 405, 413, 414, 001, and 000 of game G_1 (Figure 9). Before that, we define a couple of additional events in terms of the Type1, Type2, and Type3 events.

The symbol BAD_i denotes the event that the variable BAD is set in lines 000, 100, 405, or 413 on the i-th query in game G_1. In other words, BAD_i occurs when one or more of the Type1, Type2, and Type3 events occur on the i-th query in game G_1. The symbol GOOD_i denotes $\bigwedge_{j=1}^{i} \neg BAD_j$ for all i > 0. The symbol GOOD_0 denotes the event that no queries are submitted in game G_1.

On a high level, the intuition behind the construction of the BAD_i events in the game G_1 is rather straightforward: we make sure that if BAD_i does not occur, and if GOOD_{i−1} did occur, then the views of G_1 and Game(RO, S) (up to the i-th query) are identically distributed for any attacker A. Hence, the BAD_i events should establish our main theorem.

Theorem 4.1 (Computational Paradigm). For the games G_1 and Game(RO, S), interacting with an indifferentiability adversary A limited by σ queries,
$$\Bigl|\Pr[A^{G_1}=1]-\Pr[A^{RO,S}=1]\Bigr| \;\le\; \Pr[A \text{ sets } BAD] \;\le\; \sum_{i=0}^{\sigma-2}\Pr[BAD_{i+1}\mid GOOD_i],$$
where
$$D = \Pr[A^{G_1}=1 \mid GOOD_{\sigma-1}] - \Pr[A^{RO,S}=1 \mid GOOD_{\sigma-1}], \qquad \Pr[A \text{ sets } BAD] = \Pr[\neg GOOD_{\sigma-1}],$$
and
$$D_{i+1} = \Pr[A^{G_1}=1 \mid GOOD_i \wedge \neg BAD_{i+1}] - \Pr[A^{RO,S}=1 \mid GOOD_i \wedge \neg BAD_{i+1}].$$

This computational paradigm in Theorem 4.1 has been used in most well-known constructions [2, 4, 5, 6], as well as in the earlier security proof for FWP by Nandi and Paul [24]. We also follow this paradigm.
However, it is worth remembering that the BAD_i events designed by Nandi and Paul in their original attempts led to indifferentiability bounds which did not go beyond the birthday barrier [24]. In the present case, we had to use deeper insight to construct a different set of BAD_i events to move beyond the barrier. This primarily involved tricks to overcome the interleaving of branches in successive ro calls in the FWP mode. These tricks, as mentioned in Remark 1, are an important contribution of this paper.

4.1 Type1 Event

Suppose x is a fresh query, i.e. x ∉ Dom(D_s) (a fresh query sets b = 1 in lines 106, 002, and 010 of Figure 9). Let (y_c‖y′_c, m, y‖y′) be the new edge generated from the new query-response pair (x, r) (lines 401 through 404). A Type1 event can occur in seven different cases, which are described in lines 405, 413 and 414 of Figure 9.

[Figure 10, two panels; the drawings are not recoverable from the text. Notation in the figure: E denotes the event that an equality occurs; arrows carry n bits, the message arrow l−n bits; nodes are written with a left-coordinate (y, z) and a right-coordinate (y′, z′). (a) Type1-a,b,c,d,e,f events, for which Bad is set in lines 405 and 413 of game G_1 (Fig. 9): in the 1st phase, Type1-a is a node-collision, Type1-b a 3-collision on left-coordinates (events E1, E2), Type1-c a query-collision on 2n bits; in the 2nd phase, Type1-d is a node-collision (E3, E4), Type1-e a 3-collision on left-coordinates (E5, E6, E7), Type1-f a query-collision on n bits (E8, E9). (b) Type1-g event, for which Bad is set in line 414 of game G_1: a 3-collision on right-coordinates.]

Figure 10: Type1 events when Bad is set in lines 405, 413 and 414 of game G_1 (Fig. 9).

Type1-a event (Figure 10(a)(Type1-a)): This event occurs if y‖y′ collides with a node already in T_s.

Type1-b event (Figure 10(a)(Type1-b)): This event occurs if y collides with the left-coordinate of a node already in T_s (event E_1), and if there exists another node with the left-coordinate y (denoted by event E_2).

Type1-c event (Figure 10(a)(Type1-c)): This event occurs if y‖y′ collides with the least-significant 2n bits of an old query stored in D_s (equivalently, if there exists x′ ∈ Dom(D_s) such that y‖y′ = x′[0, 2n−1]).

Type1-d event (Figure 10(a)(Type1-d)): This event occurs if y collides with the least-significant n bits of an old query (event E_3), and if the resulting node z‖z′ (z‖z′ = D_s[y‖m′][0, 2n−1] ⊕ (y′‖0)) collides with a node already in T_s (event E_4).

Type1-e event (Figure 10(a)(Type1-e)): This event occurs if y collides with the least-significant n bits of an old query (event E_5), if the left-coordinate z of the resulting node z‖z′ (z‖z′ = D_s[y‖m′][0, 2n−1] ⊕ (y′‖0)) collides with the left-coordinate of a node already in T_s (event E_6), and if there exists another node with the left-coordinate z (denoted by event E_7).

Type1-f event (Figure 10(a)(Type1-f)): This event occurs if y collides with the least-significant n bits of an old query (event E_8), and if the left-coordinate z of the resulting node z‖z′ (z‖z′ = D_s[y‖m′][0, 2n−1] ⊕ (y′‖0)) collides with the least-significant n bits of an old query stored in D_s (event E_9).

Type1-g event (Figure 10(b)): This event occurs if y′ equals the right-coordinates of the outputs of two old queries.

Remark 2. It is worth noting at this point that Theorem 4.1 is also true without the Type1-b,e,g events. These events have been artificially created to easily bound the number of different types of nodes in the graph T_s after i rounds, given that GOOD_i occurred (see the node-counting lemma, Lemma 5.1). The number of nodes so computed in turn helps us estimate several event probabilities computed in Section 6.4.
Estimating the event probabilities without the Type1-b,e,g events turns out to be hard. Inclusion of these artificial events only increases the constants hidden in the adversarial advantage, computed in the form $O\left(\frac{\sigma^3}{2^{2n}} + \frac{\sigma}{2^{n}}\right)$ in Equation 17. Since the probability of Type1-f, which is an unavoidable stopping condition in our two-phase framework, equals the probability of each of Type1-b,e,g up to a constant factor, removing them from the computational paradigm does not improve the bound when n is increased asymptotically. However, removal of these events will play a crucial role when we attempt to provide experimental evidence that the real indifferentiability bound of FWP can be extended beyond 2n/3 bits, by switching from the two-phase to a three-phase framework (see Section 7).

In the next two subsections, we deal with a query which is already in the table D_s.

4.2 Type2 Event

This event is mentioned in line 100 of game G_1 (picture in Fig. 11(a)). Before we define this event, we first classify all query-response pairs to the random oracle ro stored in D_s according to their known and unknown parts (see Fig. 11(a)(i)). The known part of a query-response pair is the part that is present in the view of the game G_1, while the unknown part is not present in the view. We note that there are six types of such pairs. The first five types are generated by the intermediate ro calls made by l-queries. The type Q6 queries are the s-queries. All the types are described in Figure 11(a)(i).

[Figure 11; the drawings are not recoverable from the text. Legend: red and green objects are unknown and known to the adversary, respectively; the head node and the tail node denote the (n, n, l−n)-bit input and the (n, n)-bit output of ro; all arrows are n bits each, except for the bold arrow, which is l−n bits; "~ U[0, 2^{2n}−1]" and "~ U[0, 2^n−1]" mark uniformly distributed values. (a) (i) The six types Q1–Q6 of input-output pairs for an ro-query; (ii), (iii), and (iv) Type2 events, for which Bad is set in line 100 of game G_1. (b) (i), (ii), (iii) Type3 events, for which Bad is set in line 000 of game G_1; a path on T_s represents an l-query, whose intermediate queries are of types Q1/Q2/Q5, Q3/Q4, or Q6.]

Figure 11: Pictorial description of the Type2 and Type3 events of the game G_1 (Fig. 9).

Q1: In Q1, the least-significant n bits of the input and the least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^{ro}(M), where M is an l-query.

Q2: In Q2, all 2n bits of the input and the least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^{ro}(M), where M is an l-query.

Q3: In Q3, all 2n bits of the output are unknown.

Q4: In Q4, the least-significant n bits of the input and all 2n bits of the output are unknown.

Q5: The least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^{ro}(M), where M is an l-query. On that basis, we divide a Q5 query into the following two cases, which are also depicted in Figure 12: (1) in an l-query, all ro-queries preceding the last Q5 query are of type Q6; (2) the ro-queries preceding the last Q5 query include at least one query of a type other than Q6.

Q6: All bits are known. Since the rule of the game is not to resubmit an old s-query, a new s-query cannot belong to type Q6.

A Type2 event occurs if a new s-query x ∈ Dom(D_s) is of type Qi, where i ∈ {1, 2, 3, 4, 5} (see Figure 11(a)(ii-iv)).

[Figure 12; the drawing is not recoverable from the text. It shows two paths on T_s starting at the root node IV‖IV′, each representing an l-query and ending in a Q5 query whose output is "~ U[0, 2^n−1]": in Case 1 all ro-queries preceding the final Q5 query are of type Q6; in Case 2 at least one of them is of type Q1–Q5.]

Figure 12: Two possible cases of Type2 for Q5 (see description in Section 4).

4.3 Type3 Event

This event is mentioned in line 000 of game G_1 (picture in Fig. 11(b)). This event occurs if a query x ∈ Dom(D_s) fulfils the following conditions:

(1) The query x is the final query to ro in the computation of FWP^{ro}(M), where M is a new l-query.

(2) FWP^{ro}(M) can be computed on an already existing path P on the graph T_s, and the query-responses on P are not all Q6.

For the purpose of a detailed description, we divide (2) into three subcases, according to the final query x.

(2.i) x is of type Q1, Q2, or Q5. A simple observation shows that this case cannot happen if the variable BAD is never set, since this case implies a node-collision in T_s, which is impossible.

(2.ii) x is of type Q3 or Q4.

(2.iii) x is of type Q6, and one of the intermediate query-response pairs is not of type Q6.

4.4 Proof of Theorem 4.1

With the help of the events described in Section 4, we are all set to prove our main theorem. The 2nd part of the theorem is easy. To prove the 1st part, we proceed in the following way. We first observe
$$\Bigl|\Pr[A^{G_1}=1]-\Pr[A^{RO,S}=1]\Bigr| \le \Bigl|\Pr[A^{G_1}=1 \mid GOOD_{\sigma-1}]-\Pr[A^{RO,S}=1 \mid GOOD_{\sigma-1}]\Bigr|\cdot\Pr[GOOD_{\sigma-1}] + \Bigl|\Pr[A^{G_1}=1 \mid \neg GOOD_{\sigma-1}]-\Pr[A^{RO,S}=1 \mid \neg GOOD_{\sigma-1}]\Bigr|\cdot\Pr[\neg GOOD_{\sigma-1}]. \quad (1)$$
If we can show that
$$\Pr[A^{G_1}=1 \mid GOOD_{\sigma-1}] = \Pr[A^{RO,S}=1 \mid GOOD_{\sigma-1}], \quad (2)$$
then Equation 1 becomes the 1st part of the Theorem. In the remaining part we establish Equation 2.

Let V_{1,i} and V_{2,i} denote the views of the games G_1 and Game(RO, S) after i queries have been processed. To prove Equation 2, it is sufficient to show that, given GOOD_{σ−1}, V_{1,σ} and V_{2,σ} are identically distributed. We prove it by induction on the number of rounds i.

Induction Hypothesis: Given GOOD_{i−1}, V_{1,i} and V_{2,i} are identically distributed.

Base: The hypothesis is true when i = 1.

Induction Step: We have to show that, given GOOD_i, V_{1,i+1} and V_{2,i+1} are identically distributed. Let (I_{1,i+1}, O_{1,i+1}) and (I_{2,i+1}, O_{2,i+1}) denote the parts of the views generated only in the interactions of A with the games G_1 and Game(RO, S), respectively, in the (i+1)-th round, i.e., while processing the (i+1)-th query. All we have to do is to verify the following two propositions.
Proposition 4.2. Given GOOD_i and V_{1,i} = V_{2,i}, the input-views I_{1,i+1} and I_{2,i+1} are identically distributed.

Proof. This result is trivial since V_{1,i} = V_{2,i}.

Proposition 4.3. Given GOOD_i, V_{1,i} = V_{2,i}, and I_{1,i+1} = I_{2,i+1}, the output-views O_{1,i+1} and O_{2,i+1} are either empty strings or identically distributed.

Proof. Let I_{1,i+1} = I_{2,i+1} = I_{i+1}. We divide the proof into two cases.

(1) I_{i+1} is a new s-query: Now, given GOOD_i, for the game Game(RO, S), S(I_{i+1}) follows the

uniform distribution U[0, 2^{2n}−1]. For the game G_1, given GOOD_i, since I_{i+1} is not of any of the types Q1 to Q6 stored in the table D_s, S1(I_{i+1}) also follows the uniform distribution U[0, 2^{2n}−1].

(2) I_{i+1} is a message-block of a padded l-query for each game. Since V_{1,i} = V_{2,i}, the l-queries are identical for both games. Suppose the message-blocks of the l-query M after padding are m_1, m_2, m_3, …, m_k, where |m_j| = l for 1 ≤ j ≤ k−1, and |m_k| = l−n. Note that if I_{i+1} = m_j where 1 ≤ j ≤ k−1, then O_{1,i+1} and O_{2,i+1} are null strings. The only remaining case to complete the proof is when I_{i+1} = m_k. Suppose, for the game G_1, in the computation of FWP^{ro}(M), the final input to ro is y‖y′‖m_k, where |y| = |y′| = n. This case is again divided into two subcases.

(2.i) The graph T_s of G_1 already had a branch P computing FWP^{ro}(M) just before the time the l-query M was submitted. First, we establish the following lemma, which is the main ingredient in the proof.

Lemma 4.4. The graphs T′_s and T_s of the games G_1 and Game(RO, S), respectively, are isomorphic after processing i queries, given GOOD_i and V_{1,i} = V_{2,i}.

Proof. For each new ro-query, the graph T_s of game G_1 is augmented in two phases (see Figure 9). In those two phases all possible nodes are added to the graph T_s. Analyzing the Type1-f event in Section 4, it is seen that, if this event does not occur, then no nodes can be added beyond these two phases. In other words, if Type1-f does not occur in i rounds, then the graph T_s contains all paths generated from all elements stored in the table D_s in i rounds. This implies that the graph T′_s of the game G_1, which is the maximal connected subgraph of T_s with the root-node (IV, IV′) generated by the s-queries and responses, contains all paths generated from all s-queries. Now we also note that the graph T_s of the game Game(RO, S) also contains all paths generated from all s-queries. Since V_{1,i} = V_{2,i}, the graphs T′_s and T_s of the games G_1 and Game(RO, S) are isomorphic after i rounds.
We notice that the branch P can only have Q6 queries (or, s-queries), since GOOD_i occurred. Therefore, P is a branch of the subgraph T′_s also. Since GOOD_i occurred and V_{1,i} = V_{2,i}, using Lemma 4.4, P is also a branch in T_s of game Game(RO, S). Hence O_{1,i+1} = O_{2,i+1} = ro(y‖y′‖m_k).

(2.ii) The graph T_s of G_1 did not have any branch computing FWP^{ro}(M) just before the time the l-query M was submitted. Since the Type1-a,c,d and f events did not occur in the previous rounds, y‖y′‖m_k is a fresh query, i.e., y‖y′‖m_k ∉ Dom(D_s). Therefore, O_{1,i+1} = ro(y‖y′‖m_k)[n, 2n−1] follows the uniform distribution U[0, 2^n−1]. Now it is trivial to see that the subgraph T′_s of G_1 also did not have any branch computing FWP^{ro}(M). Given GOOD_i and V_{1,i} = V_{2,i}, using Lemma 4.4, the graph T_s of game Game(RO, S) does not contain any branch computing FWP^{ro}(M). Therefore, O_{2,i+1} = RO(M) follows the uniform distribution U[0, 2^n−1]. The proof is now complete.

5 Tools Needed to Bound Event Probabilities

In order to compute the event probabilities defined in Section 4, we need a few combinatorial results. We first fix the notation.

Set_i: The multiset of nodes in T_s after i iterations (or, equivalently, after submission of i queries) of game G_1.

D_{s,i}: The table D_s after i rounds.

Left-Coset_A(x): Suppose A is a multiset on {0,1}^{2n}. The multiset Left-Coset_A(x) = {a ∈ A | a[0, n−1] = x} contains all elements of A whose least-significant n bits equal x. Such a sub-multiset will be called a left-coset of A, or simply a left-coset for short.

Right-Coset_A(x): Suppose A is a multiset on {0,1}^{2n}. The multiset Right-Coset_A(x) = {a ∈ A | a[n, 2n−1] = x} contains all elements of A whose most-significant n bits equal x. Such a sub-multiset will be called a right-coset of A, or simply a right-coset for short.

twin-left: A 2n-bit string a is a twin-left of a 2n-bit string b if a[0, n−1] = b[0, n−1].

twin-right: A 2n-bit string a is a twin-right of a 2n-bit string b if a[n, 2n−1] = b[n, 2n−1].

N_{1,i}: The number of nodes added to T_s during the 1st phase of the i-th iteration of game G_1.

N_{2,i}: The number of nodes added to T_s during the 2nd phase of the i-th iteration of game G_1.

R_{x,i}: The number of queries where the most-significant n bits (or the right-coordinate) of the output equal x.

Now, we state and prove a crucial lemma that upper-bounds the size of the graph T_s.

Lemma 5.1 (Node Counting). Given that GOOD_i occurred (i > 0), (i) N_{1,i+1} ≤ 2, (ii) N_{2,i+1} ≤ i+1, (iii) R_{x,i} ≤ 2 for all x ∈ {0,1}^n and, (iv) |Set_i| ≤ 2i+1.

Proof. Since GOOD_i occurred, Type1-b, Type1-e and Type1-g did not occur during the first i rounds of game G_1; therefore, the size of a maximal left-coset is at most 2 after i rounds. (i) N_{1,i+1} is upper-bounded by the size of a maximal left-coset. Hence the result. (ii) In the 2nd phase of the (i+1)-th round, a query cannot be added to more than 1 node, since the nodes generated in the 1st phase have distinct left-coordinates. As there are i+1 queries, we get the result. (iii) This is easily established using the Type1-g event.
(iv) This is proved using the following observation: the number of edges in T_s after i queries is at most 2i, since more than 2i edges in T_s would require at least one query to be added to the graph at more than 2 nodes, which leads to a contradiction, due to the fact that GOOD_i occurred, or equivalently Type1-b,e did not occur. Now, each edge has one tail node. Therefore, including the root-node (IV, IV′), we get the result.

We need the help of another three lemmas to provide a rigorous analysis for the upper bounds that we compute in the subsequent sections: (1) one addresses a correction factor, (2) (and (3)) upper-bounds the collision probability on the left-coordinate (and right-coordinate).

Lemma 5.2 (Correction Factor). If the advantage of an indifferentiability adversary A for the games G_1 and Game(RO, S), limited by σ queries, is bounded by ε, which is a negligible function in the security parameter n, then Pr[GOOD_i] ≥ 1/C for some constant C > 0, for all 0 ≤ i ≤ σ−1 and for all n > 0.
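The coset notation of this section, and the 3-multi-collision events that Lemma 5.1 relies on, can be exercised on a small instance. The following Python is an added example, not code or experimental data from the paper: it implements the Left-Coset and Right-Coset definitions above with the paper's bit convention (a[0, n−1] is the least-significant n bits, a[n, 2n−1] the most-significant n bits) on a constructed multiset of 8-bit nodes (n = 4), and compares the empirical frequency of 2- and 3-collisions on the left coordinate among q uniformly random 2n-bit values with the union-bound terms C(q,2)/2^n and C(q,3)/2^{2n}. The function names, the sample nodes, and the parameters n = 8, q = 16 are choices made here and do not come from the paper.

```python
"""Left/right-coset bookkeeping on a multiset of 2n-bit nodes and detection
of the 3-multi-collision stopping events.

Added example, not the paper's code: it implements only the Section 5
definitions (a[0, n-1] = least-significant n bits = left-coordinate,
a[n, 2n-1] = most-significant n bits = right-coordinate) on constructed
sample data."""
import random
from collections import Counter
from math import comb


def left_coord(a: int, n: int) -> int:
    """a[0, n-1]: the least-significant n bits (the paper's left-coordinate)."""
    return a & ((1 << n) - 1)


def right_coord(a: int, n: int) -> int:
    """a[n, 2n-1]: the most-significant n bits of a 2n-bit value (right-coordinate)."""
    return (a >> n) & ((1 << n) - 1)


def left_coset_sizes(nodes, n: int) -> Counter:
    """|Left-Coset_A(x)| for every x occurring in the multiset A = nodes.
    Duplicates are counted, because A is a multiset (Set_i may repeat nodes)."""
    return Counter(left_coord(a, n) for a in nodes)


def right_coset_sizes(nodes, n: int) -> Counter:
    """|Right-Coset_A(x)| for every x occurring; this is R_{x,i} when the
    multiset holds the outputs of the first i queries."""
    return Counter(right_coord(a, n) for a in nodes)


def max_left_coset(nodes, n: int) -> int:
    """Size of a maximal left-coset; Lemma 5.1 needs this to stay <= 2."""
    sizes = left_coset_sizes(nodes, n)
    return max(sizes.values()) if sizes else 0


def has_multi_collision(nodes, n: int, k: int, coord: str = "left") -> bool:
    """True if some coset on the chosen coordinate has at least k members.
    k = 3 is the 3-multi-collision on n bits that the proof turns into a
    stopping condition (Type1-b/e on the left, Type1-g on the right)."""
    sizes = left_coset_sizes(nodes, n) if coord == "left" else right_coset_sizes(nodes, n)
    return any(s >= k for s in sizes.values())


def expected_pairs(n: int, q: int) -> float:
    """Union-bound estimate for a 2-collision among q random n-bit values
    (birthday-type term, roughly q^2 / 2^n)."""
    return comb(q, 2) / 2 ** n


def expected_triples(n: int, q: int) -> float:
    """Union-bound estimate for a 3-collision among q random n-bit values
    (roughly q^3 / 2^(2n), the shape of the paper's dominant term)."""
    return comb(q, 3) / 2 ** (2 * n)


def estimate_collision_rates(n: int, q: int, trials: int, seed: int = 1):
    """Empirical frequency of 2- and 3-collisions on the left coordinate among
    q uniformly random 2n-bit nodes, i.e. what a lazily sampled ro returns.
    Returns (rate_2, rate_3)."""
    rng = random.Random(seed)
    two = three = 0
    for _ in range(trials):
        nodes = [rng.getrandbits(2 * n) for _ in range(q)]
        two += has_multi_collision(nodes, n, 2)
        three += has_multi_collision(nodes, n, 3)
    return two / trials, three / trials


# Constructed sample: n = 4, so nodes are 8-bit values written right||left.
SAMPLE_N = 4
SAMPLE_NODES = [0x1A, 0x2A, 0x3A, 0x4B, 0x5B, 0x6C]  # left-coset of 0xA has size 3


if __name__ == "__main__":
    print("left-coset sizes :", dict(left_coset_sizes(SAMPLE_NODES, SAMPLE_N)))
    print("3-collision left :", has_multi_collision(SAMPLE_NODES, SAMPLE_N, 3))
    print("3-collision right:", has_multi_collision(SAMPLE_NODES, SAMPLE_N, 3, "right"))
    n, q = 8, 16
    r2, r3 = estimate_collision_rates(n, q, 4000)
    print(f"n={n}, q={q}: 2-coll {r2:.3f} (bound {expected_pairs(n, q):.3f}), "
          f"3-coll {r3:.4f} (bound {expected_triples(n, q):.4f})")
```

Running the script shows why a 3-collision is the more useful stopping event: at n = 8 and q = 16 a 2-collision on the left coordinate is already common, whereas a 3-collision stays rare, mirroring the gap between a birthday-type σ²/2^n term and the σ³/2^{2n} term that the proof exploits. The printed union bounds overestimate the true probabilities (they count expected collisions, not the probability of at least one), which is the same direction of slack as in the paper's event bounds.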


More information

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability

More information

Cryptographic Hash Functions Part II

Cryptographic Hash Functions Part II Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build

More information

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1

Sponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps

More information

AURORA: A Cryptographic Hash Algorithm Family

AURORA: A Cryptographic Hash Algorithm Family AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita

More information

New attacks on Keccak-224 and Keccak-256

New attacks on Keccak-224 and Keccak-256 New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

12 Hash Functions Defining Security

12 Hash Functions Defining Security 12 Hash Functions A hash function is any function that takes arbitrary-length input and has fixed-length output, so H : {0, 1} {0, 1} n. Think of H (m) as a fingerprint of m. Calling H (m) a fingerprint

More information

New Proofs for NMAC and HMAC: Security without Collision-Resistance

New Proofs for NMAC and HMAC: Security without Collision-Resistance A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for

More information

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Cryptanalysis of Tweaked Versions of SMASH and Reparation Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,

More information

Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6

Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Yevgeniy Dodis 1, Leonid Reyzin 2, Ronald L. Rivest 3, and Emily Shen 3 1 New

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

More information

Lecture 1. Crypto Background

Lecture 1. Crypto Background Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i

More information

Random Oracles and Auxiliary Input

Random Oracles and Auxiliary Input Random Oracles and Auxiliary Input Dominique Unruh Saarland University, Saarbrücken, Germany, unru h@ c s. uni-s b. de Abstract. We introduce a variant of the random oracle model where oracle-dependent

More information

Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway

Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway Cryptographic Hash Function BLUE MIDNIGHT WISH Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Vlastimil Klima Svein Johan Knapskog Mohamed El-Hadedy Jørn Amundsen Stig

More information

HASH FUNCTIONS 1 /62

HASH FUNCTIONS 1 /62 HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most

More information

High-Order Conversion From Boolean to Arithmetic Masking

High-Order Conversion From Boolean to Arithmetic Masking High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

Provable Security of Cryptographic Hash Functions

Provable Security of Cryptographic Hash Functions Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties

More information

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Augmented Black-Box Simulation and Zero Knowledge Argument for NP Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of

More information

Security Analysis of the Compression Function of Lesamnta and its Impact

Security Analysis of the Compression Function of Lesamnta and its Impact Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp

More information

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,

More information

Multicollision Attacks on a Class of Hash Functions

Multicollision Attacks on a Class of Hash Functions Multicollision Attacks on a Class of Hash Functions M. Nandi Applied Statistics Unit Indian Statistical Institute Calcutta, India mridul r@isical.ac.in D. R. Stinson School of Computer Science University

More information

Cryptanalysis of EnRUPT

Cryptanalysis of EnRUPT Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

Cryptanalysis of Luffa v2 Components

Cryptanalysis of Luffa v2 Components Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University

More information

Pseudorandom Generators

Pseudorandom Generators Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators

More information

On Quantum Indifferentiability

On Quantum Indifferentiability On Quantum Indifferentiability Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, and Dominique Unruh University of Tartu, Estonia March 8, 2018 Abstract We study the indifferentiability of classical

More information

The Hash Function Fugue

The Hash Function Fugue The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64

More information

Hash Function Balance and its Impact on Birthday Attacks

Hash Function Balance and its Impact on Birthday Attacks An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol. 307, C. Cachin and J. Camenisch eds., Springer-Verlag, 004. This is the full version.

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. 106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2

More information

Beyond the MD5 Collisions

Beyond the MD5 Collisions Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and

More information

The Indistinguishability of the XOR of k permutations

The Indistinguishability of the XOR of k permutations The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,

More information

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au

More information

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Digital Signature Schemes and the Random Oracle Model. A. Hülsing Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg

More information

Distinguishing a truncated random permutation from a random function

Distinguishing a truncated random permutation from a random function Distinguishing a truncated random permutation from a random function Shoni Gilboa Shay Gueron July 9 05 Abstract An oracle chooses a function f from the set of n bits strings to itself which is either

More information

Hash Functions: From Merkle-Damgård to Shoup. Ilya Mironov

Hash Functions: From Merkle-Damgård to Shoup. Ilya Mironov Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov mironov@cs.stanford.edu Computer Science Department, Stanford University, Stanford, CA 94305 Abstract. In this paper we study two possible approaches

More information

Crypto Engineering (GBX9SY03) Hash functions

Crypto Engineering (GBX9SY03) Hash functions Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First

More information

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information

More information

Breaking H 2 -MAC Using Birthday Paradox

Breaking H 2 -MAC Using Birthday Paradox Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of

More information

Chapter One. The Real Number System

Chapter One. The Real Number System Chapter One. The Real Number System We shall give a quick introduction to the real number system. It is imperative that we know how the set of real numbers behaves in the way that its completeness and

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information