Improved Collision and Preimage Resistance Bounds on PGV Schemes

Transcription

1 Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department of Science, National University of Defense Technology, Changsha, China Abstract. Preneel, Govaerts, and Vandewalle[14](PGV) considered 64 most basic ways to construct a hash function from a block cipher, and regarded 1 of those 64 schemes as secure. Black, Pogaway and Shrimpton[3](BRS) provided a formal and uantitative treatment of those 64 constructions and proved that, in black-box model, the 1 schemes ( group 1 ) that PGV singled out as secure really are secure. By stepping outside of the Merkle-Damgård[4] approach to analysis, an additional 8 (group ) of the 64 schemes are just as collision resistant as the first group of schemes. Tight upper and lower bounds on collision resistance of those 0 schemes were given. In this paper, those collision resistance and preimage resistance bounds are improved, which shows that, in black box model, collision bounds of those 0 schemes are same. In Group 1 schemes, 8 out of 1 can find fixed point easily. Bounds on second preimage, multicollisions of Joux[6], fixed-point multicollisons[8] and combine of the two kinds multicollisions are also given. From those bound, Group 1 schemes can also be deviled into two group. Key Words: Hash Function, Block Cipher, M-D Construction 1 Introduction Most of hash functions iterated a compression function by Merkle-Damgård structure with constant [13]. Building hash function based on block cipher gone back to Rabin[15], wherein one makes the compression function out of a block cipher. This topic had been systematically analyzed in [3, 10, 11, 14]. Block cipher hash has been less widely used, for a variety of reasons. Black, Rogaway, and Shrimpton[3] given some fresh light on the block cipher based hash and taken a proof-centric look at the 64 block cipher based compression function iterated by Merkel-Damgård structure. First summary of those 64 schemes was presented by Preneel, Govaerts, and Vandewalle[14]. Recently, some new double length block cipher based hash functions have been recommend[7, 1]. PGV Paper PGV paper[14] considered turning a block cipher E : {0, 1} n

2 Lei Duo and Chao Li {0, 1} n {0, 1} n into a hash function H : ({0, 1} n ) {0, 1} n using a compression function F : {0, 1} n {0, 1} n {0, 1} n derived from E. PGV considered all 64 compression functions F of the form F (h, m i ) = E a (b) c, where a, b, c {h, m i, h m i, v}, in which v {0, 1} n is a constant. Of the 64 such schemes, the authors of [14] regarded 1 as secure. Another 13 schemes they classify as backward attackable. The remaining 39 schemes are subject to damaging attacks identified by [14] and others. BRS Paper BRS paper[3] taken a more proof-centric look at the schemes from PGV, proved additional 8 schemes were collision resistant, divided the 0 schemes into two group where the group 1 scheme, {H 1,..., H 1 }, was the 1 schemes picked by PGV and the group scheme, {H 13,..., H 0 }, was the new founded 8 schemes. For the new founded schemes, the hash function H immune to collision attack within the Merkle-Damgård paradigm, the compression functions were not immune to collision attack, the proves of collision resistant of group used the assumptions of E was a black box model and H with fix start model. They also gave both upper and lower bounds for each. Our PGV Results We reanalyze those 64 schemes, improve the upper and lower bounds that were given in BRS paper, using method based on graph theory, by which, hashing procedure is considered as directed graph drawing procedure and attacking method is considered path building method on directed graph. Tabel1 is contrast of bounds between BRS and ours. Table considers the second preimage bounds with plain padding and MD-strengthening padding. Table 1. Summary of results on collision and preimage resistance bounds including BRS and ours. The adversary asks at most uery. Message padding is plain padding. Collision Resistance Preimage Resistance Category UP Bound Low Bound UP Bound Low Bound BRS Our BRS Our BRS Our BRS Our Group-1: H [1..4] 0.039( 1)( 3) H [1..1] n (+1) (+1) (+1) n n n n+1 n 1 n 1 n 0.6 n n 1 3(+1) 0.3( 1) 9(+3) (+1) 0.15 (+1) n n n n n n+ 1 schemes H [5..1] 0.3( 1) Group-:H [13..0] Short DiCycle Multicollisions This attack is an attack similar to Multicollisions, if Multicollisions is regarded as attack using short undirected cycle to build collisions, then Short DiCycle Multicollisions is attack using short directed cycle to build collisions. This attack was first given by Kelsey and Schneier[8]. Summary of Short DiCycle multicollisions, Combine of Joux s and Kelsey s Multicollisions, that are contrast with Joux s Multicollisions are given in Tabel3.

3 Improved Collision and Preimage Resistance Bounds on PGV Schemes 3 Table. Summary of bounds on second preimage resistance. Adversary asks at most uery with plain padding(plainpd) and MD-strengthening padding(md-sp). t is the first message length. Second Preimage UP Low Attack PlainPD MD-SP PlainPD MD-SP H [1..4] H [5..1] H [13..0] (t+1) (t+1) n n 1 n+ n (t 1) (t 1) n n+ (+t+3) (+t) (+4t+3) (+t) n n n+ n+ Table 3. Summary of Short DiCycle multicollisions, Combine Multicollisions, that are contrast with Joux s Multicollisions. Message padding is MD-strengthening padding with time consuming(time), minimum message length(mml) and maximum collide numbers(mcn). Joux s Short Dicycle Combine Multicollisons Multicollisions Multicollisions Multicollisions Time MML MCN Time MML MCN Time MML MCN H [1..4] H [5..1] K n/ K K K n/ L + K S(L, K) a 3K n/ L+K K S(L, K) H [13..0] K n/ L + K S L(K) 3K n/ L+K K S(L, K) a S(L, K) = K il... i 3 (i i L =0 i L 1 =0 i + 1) =0 Notations and Definitions Let message block: m {0, 1} n, message: m = m 1... m i t =1{0, 1} n and instance of message: m i t =1{0, 1} n. If m, m {0, 1} n, then m m {0, 1} n and m = m = n. Let m (t) 1 = m 1... m 1, where m (t) 1 = t n. Let 0 be n bit 0. Let a hash function algorithm H : M Y with initial value, for any m M with H(m, ). Let Block cipher E : {0, 1} n {0, 1} n {0, 1} n using notation E(x, k) or E k (x), key k {0, 1} n. 64 Schemes We consider the schemes F (h, m i ) = E a (b) c, where a, b, c {h, m i, h m i, v}, in which block cipher E : {0, 1} n {0, 1} n {0, 1} n. has compression function F, in which is numbered as BRS[3]. Not loosing generally, we assume v = 0. Message Padding Take the L-bit input message m (L < n/ ) and append a 1 followed by 0 bits such that z is the smallest positive integer satisfying (L z n/ mod n) and, finally, append the binary representation of the length of the original message P(m). We call this padding method as MDstrengthening m 1 0 (z) P(m). The padding m 1 0 (z) is called plain padding, in which z is the smallest positive integer satisfying (L z 0 mod n). Ideal Cipher Model[16] A block cipher with the block length n and the

4 4 Lei Duo and Chao Li key length κ is called an (n, κ) block cipher. Let E : {0, 1} n {0, 1} κ {0, 1} n be an (n, κ) block cipher. Then, E(k, ) is a permutation for every k {0, 1} κ, and it is easy to compute both E(k, ) and E(k, ) 1. Let B n,κ be the set of all (n, κ) block ciphers. In the ideal cipher model, E is assumed to be randomly selected from B n,κ. The encryption E and the decryption E 1 are simulated by the following two oracles. The encryption oracle E first receives a pair of a key and a plaintext as a uery. Then, it returns a randomly selected ciphertext. On the other hand, the decryption oracle E 1 first receives a pair of a key and a ciphertext as a uery. Then, it returns a randomly selected plaintext. Adversary We consider a computationally unbounded adversary with access to either a E and E 1. The adversarys running time is determined by her number of E ueries. Our adversaries are probabilistic algorithms, and we concentrate on the expected running time. We will describe the running time asymptotically. Advantage on Collision We write x $ S for the experiment of choosing a random element from the finite set S and calling it x. An adversary is an algorithm with access to one or more oracles. We write these as superscripts. The adversary A with the oracle E, E 1 is a collision-finding algorithm of H. The advantage of A finding collisions in H is: Adv coll H (A) = P r[e $ B n,κ ; (m, m ) $ A E,E 1 : m m H(m) = H(m )]. Advantage on Preimage The advantage of A finding preimage in H is: (A) = P r[e $ B n,κ ; $ {0, 1} n ; m A E,E 1 () : = H(m)]. Advantage on Second Preimage The advantage of A finding second preimage in H is: H sp re Adv H (A) = P r[e $ B n,κ ; m $ {0, 1} n ; m A E,E 1 (m) : H(m) = H(m )]. For > 1 let AdvH attack () = max A {Advattack H (A)}, where A makes at most ueries to E, E 1 in total, attack {coll, pre, sp re}. Simulating a Ideal Cipher Oracle[3] An adversary A access to a simulate ideal cipher oracle for E and E 1, which is defined as follows: Algorithm SimulateOracles(A, n) Initially, i 0 and E k (x) = undefined for all (x, k) {0, 1} n {0, 1} n Run A?,?, answering oracle ueries as follows: When A asks a uery (x, k) to its left oracle: $ i i + 1; k i k; x i x; y i Range(Ek ); E k (x) y i; return y i to A When A asks a uery (k, y) to its right oracle: $ i i + 1; k i k; y i y; x i Domain(Ek ); E k (x i) y; return x i to A When A halts, outputting a string out: return ((x 1, k 1, y 1),..., (x i, k i, y i), out) Fig. 1. Domain(E k ) is the set of points x where E k (x) is no longer undefined and Domain(E k ) = {0, 1} n Domain(E k ). Range(E k ) is the set of points where E k (x) is no longer undefined and Range(E k ) = {0, 1} n Range(E k ).

5 Improved Collision and Preimage Resistance Bounds on PGV Schemes 5 Merkle-Damgård Graph Let H : ({0, 1} κ ) {0, 1} n be a Merkel Damagård construction hash function with compression function F : {0, 1} n {0, 1} κ {0, 1} n and initial value. Let Merkle-Damgård Graph be a directed graph G = (VG, E G ). If h = F (h, e), then h and h are in vertex set V G {0, 1} n and (h, e, h ) or h e h, an arc begin from h point at h, is in edge set E G = {(h, e, h )} {0, 1} n {0, 1} κ {0, 1} n. Graph Drawing Attack Let A?,? be an adversary attacking. We analyze the behavior of A when its left oracle is instantiated by E $ B n,n and its right oracle is instantiated by E 1. Assume that A asks its oracles at most total ueries. A runs the algorithm SimulateOracle(A, n) and draws a directed graph G H. When A asks an E uery(x, k) and this returns a value y, or when A asks an E 1 uery of (k, y) and this returns x. Then A adds vertexes f 1 (x, k, y), f 3 (x, k, y) and an arc (f 1 (x, k, y), f (x, k, y), f 3 (x, k, y)) to G H. Time consuming of graph drawing procedure is neglected. For h i = F (h, m i ), the relations f 1 = f = f 3 = h i = f 1 = f = f 3 = h i = 1 k x y x E h (m i) m i 13 x k x y E wi (m i) k x k y x E h (w i) w i 14 x k x y k E wi (m i) w i 3 k x y x k E h (m i) w i 15 x k y E mi (h ) 4 k x k y x k E h (w i) m i 16 x x k y E wi (h ) 5 x k y x E mi (h ) h 17 x k y k E mi (h ) m i 6 x k k y x E mi (w i) w i 18 x x k y k E wi (h ) w i 7 x k y x k E mi (h ) w i 19 x k k y E mi (w i) 8 x k k y x k E mi (w i) h 0 x k k y k E mi (w i) m i 9 x k x y x E wi (m i) m i 1 k x y k E h (m i) h 10 x x k y x E wi (h ) h k x k y k E h (w i) h 11 x k x y x k E wi (m i) h 3 k x y E h (m i) 1 x x k y x k E wi (h ) m i 4 k x k y E h (w i) Fig.. Rules for the functions of building vertexes and arc, in which the adversary gets uery (x, k, y) then computes the value f 1 := f 1(x, k, y), f := f (x, k, y) and f 3 := f 3(x, k, y). w i := h m i. The first and sixth columns are the number of those Group 1[1..1] and Group [13..0] and additional 4 schemes numbered [1..4]. among h i, m i, h and f 1, f, f 3 are that: h = f 1 (x, k, y), m i = f (x, k, y) and h i = f 3 (x, k, y), or saying f 3 (x, k, y) = F i (f 1 (x, k, y), f (x, k, y)). Relation among f 1 (x, k, y), f (x, k, y), f 3 (x, k, y) of those 0 schemes are in Fig. Combine of running SimulateOracle(A, n) and Graph drawing procedure is showing in Fig3, named GraphDrawing(A, n). Let G H be G H after -th uery, G H begin with G 0 H. Let H be connected subgraph of G H, C be directed cycle or loop in G H, C be undirected cycle or loop in G H ( on assuming the arc is undirected), and P be directed directed Path in G H.

6 6 Lei Duo and Chao Li In different attack, A uses following methods: A selects different G 0 H ; A defines different event as success event; In i-th uery, A adds restriction on selection of (x i, k i ) for E uery, or on selection of (y i, k i )for E 1 uery. GraphDrawing(A, n) Initially, i 0 and E k (x) = undefined for all (x, k) {0, 1} n {0, 1} n, G H = G 0 H. Run A?,?, answering oracle ueries as follows: When A asks a uery (x $ {0, 1} n, k $ {0, 1} n ) to its left oracle: i i + 1; k i k; x i x; y i $ Range(Ek ); E k (x) y i; return y i to A; When A asks a uery (y $ {0, 1} n, k $ {0, 1} n ) to its right oracle: $ i i + 1; k i k; y i y; x i Domain(Ek ); E k (x i) y; return x i to A; V G {f 1(x i, k i, y i), f 3(x i, k i, y i)}; H V G i H E G i H E G H {(f 1(x i, k i, y i), f (x i, k i, y i), f 3(x i, k i, y i))}; When A halts, outputting a string and Graph G i H: return ((x 1, k 1, y 1),..., (x i, k i, y i), G i H). Fig. 3. Adversary A executes its (simulated) oracle to form a directed graph G H build attack on, where G H : V GH {0, 1} n ; E GH {0, 1} n {0, 1} n {0, 1} n. to Conventions We assume the adversary does not ask any oracle uery in which the response is already known; namely, if A asks a uery E k (x) and this return y, then A does not ask a subseuent uery of E k (x) or E 1 k (y); and if A asks E 1 k (y) and this return x, then A does not ask a subseuent uery of E 1 k (y) or E k(x). We also assume a successful adversary always outputs one or more messages m i, which either collide or (nd)preimages. Before finishing, the adversary asks all the oracles calls to compute all hash values H(m i, ). In E uery(x, k), f 1 (x, k, y) and f (x, k, y) are not influenced the return value y, so before asking E uery, we use notation? to represent the unknown y; namely, when x and k is known, f 1 (x, k, y) is known, then, before getting E uery(x, k), we use f 1 (x, k,?) to represent this value. And before getting E 1 uery(k, y), we use notation? to represent some unknown x. 3 Collision Resistance of PGV Schemes BRS paper analyzed the group 1 schemes using the Merkle-Damgård paradigm, for their compression functions are collision resistant. Group schemes were analyzed by graph theory. We use Merkel-Damagård drawing method to analyze those schemes, by which preimage, second preimage or collision finding attack is converted to special path finding algorithm. Theorem1 and Theorem based on the fact that, adversary A runs algorithm GraphDrawing(A, n) with G 0 =

7 Improved Collision and Preimage Resistance Bounds on PGV Schemes 7 { }, if A gets connect subgraph H G H with a cycle or loop C in it and vertex in it, then he formes a collision attack on. h m 1 0 Collision on H is that two directed paths m P = h 1 m 0... l hl and P =... m l h l have same start h 0 = h 0 and same end h l = h l, or P P builds a connect graph, a cycle or loop and on it. However this way of collision does not consider the message padding. If H uses MD strengthening padding, then the length of P and P should be eual or the message lengths are included in m l and m l. The proofs of Theorem is on condition of plain padding, that is also holden in MD strengthening padding, by restricting f 1 (x i, k i,?) = or including message length in f (x i, k i,?). Theorem 1. Fix n 1, message padding is plain padding, Group 1 Scheme: AdvH coll (A) ( + 1)/ n for any 1 and [1..1]. Group Scheme: AdvH coll (A) ( + 1)/ n for any 1 and [13..0]. Group 3 Scheme: AdvH coll (A) = 1 for any and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with 0 G = { }. Let E be the event that, as a result of the adversary s ueries, there be a connected subgraph H G H, which has a Cycle or loop C and vertex. Let assume { } be a connected graph. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have AdvH coll (A) Pr[E]. Claim AdvH coll (A) Pr[E]. Meaning collision on at least is a connected subgraph H G H, H has a cycle or loop C and vertex. A outputs colliding message m = m 1... m l and m = m 1... m l ; that is H i(m, ) = H i (m, ). In path m P = h 1 0 m 1 m m h m 1... l hl and P = h 0 h 1... m l h l, we have h 0 = h 0, h l = h l and P P. Then there exists at least one cycle or loop in P P and P P. P P is a connect subgraph. Claim Let H be connect subgraph in G H and in each H, a cycle or a loop C H or H. Let H G H, H be union of all such connected subgraphs in G H. Then V H + 1. If H is a connect subgraph, then V H E H + 1. If a cycle or loop C H, then V H E H. Since V H = V H E H + 1 E G + 1 = + 1, we have V H + 1. H Claim Let V er H (f (x, k, y)) i be event that f (x i, k i, y i ) H. Then P r[e i E... E 0 ] Pr[V er H (f 1) i V er H (f 3) i ]. Let E occurs in i-th uery. Then there exists a connected subgraph H with H and a cycle or loop C in H and H G i H. We will give proof of H (f 1, f, f 3 ) H. If that is true, then f 1, f 3 H. Firstly, if (f 1, f, f 3 ) is in cycle C, then H (f 1, f, f 3 ) is connected graph and H. Secondly, if (f 1, f, f 3 ) is not in cycle C, then at most two connected graph in

8 8 Lei Duo and Chao Li H (f 1, f, f 3 ) denoted H 1 and H. Since H, we have H 1 H. Let assume H 1. If there is a cycle in H 1, then that is conflict with collision occur in i-th uery. Since (f 1, f, f 3 ) / C, then there is a circle in H. We have H 1 H H, that implies f 1, f 3 H. Claim Pr[E] (+1), [1..1]. n Given E... E 0, the event E i occurs at least in case that, the return vertex of i-th uery has been exist in vertexes set H. Pr[V er H (f 1) i V er H (f 3) i ] Pr[V er H (f 3) i V er H (f 1) i ]. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). We also have V H i. So, i n (). Pr[E i E... E 0 ] Alternatively, let E i occur via an E 1 uery(y i, k i ). For schemes [1..4], A can select f 1 (x i, k i, y i ) H directly, that success probability is same as asking E-uery. For schemes [5..1], f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Then Claim Pr[V er H (f 1) i V er H (f 3) i ] = Pr[V er H (f 1) i V er H (f 3) i ]Pr[V er H (f 3) i ] We have Pr[E] i=1 Pr[E i E... E 0 ] i=1 Pr[E] (+1) n, [13..0]. i n () (+1). n If E i occurs via an E uery(x i, k i ), then that probability is same as gruop1. Alternatively, if E i occurs via an E 1 uery(y i, k i ), then f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). So, Pr[V er H (f 1) i V er H (f 3) i ] Pr[V er H We can select vertex f 3 (x i, k i, y i ) in H Pr[E] i=0 Pr[E i E... E 0 ] i=1 Claim Pr[E] = 1, [1..64]. (f 1) i V er H (f 3) i ]. We have, i n () (+1). n Pr[E i E... E 0 ] Pr[V er H (f 1) i V er H (f 3) i ] In th uery, we can directly select f 1 (x i, k i, y i ), f 3 (x i, k i, y i ) V H 1. So we have Pr[E] = 1,. Theorem. Fix n 1, message padding is plain padding, Group 1 Scheme Group Scheme Adv coll Adv coll (A) ( + 1)/ n+1 for any 1 and [1..1]. (A) ( + 1)/ n+1 for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = { }. Let A only ask E uery(x, k). In each uery, A selects x and k to satisfy f 1 (x, k,?) V GH. Then G H is connected graph and G H, that is G i = H. i Let C be the event of G H and there exists a cycle or loop in C. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have Adv coll (A) Pr[C].

9 Improved Collision and Preimage Resistance Bounds on PGV Schemes 9 Claim AdvH coll (A) Pr[C]. If adversary A build a cycle or loop C in i-th uery. Then there are two directed path P and P in G i with P = h 0 h 1... h l, P = h 0 h 1... h l, in which h l = h l = f 3(x i, k i, y i ) and P P. Claim P r[c i C... C 0 ] Pr[V er G (f 3 ) i ]. H If f 3 (x i, k i, y i ) G, then E(G i ) = V (G i ). There must exist a cycle or loop in G H. Claim AdvH coll (A) ( + 1)/ n+1 for any 1 and [1..0]. Given C... C 0, the event C i occurs in case that, the return vertex of i-th uery has been exist in vertexes set G. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[C] i=1 Pr[C i C... C 0 ] i=1 i = (+1) n. n+1 Theorem 3. Fix n 1, message padding is MD strengthening padding, for any 1 and [1..0]. ( 1)/ n Adv coll (A) ( 1)/ n+1 4 Preimage Resistance of PGV Schemes The proofs of Theorem 4 and Theorem 5 follow the fact that, a preimage is a directed path from to in graph G H. If adversary A finds a directed path from to, then he builds a preimage. The bounds on preimage attack not consider the MD-strengthening padding, if the padding is considered, the bounds are same. Because message length can be added in f (x i, k i, y i ), before asking i-th uery. Theorem 4. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme Others Scheme (A) / n 1 for any 1 and [1..1]. (A) ( + 1)/ n for any 1 and [13..0]. (A) = 1 for any 1 and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Preimage finding is not finding a cycle or loop, it is finding a path. Let assume { } and {} be connected subgraphs. Let E be the event that, as a result of the adversary s ueries, there are formed a directed path P in G H, P and P. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have (A) Pr[E]. Claim (A) Pr[E]. Implying preimage on H at least is a path P G H, in which P and P.

10 10 Lei Duo and Chao Li Claim Let Arc (f 3 (x, k, y)) be event that f 3 (x, k, y) =. Then P r[e] Pr[Arc (f 3 (x, k, y))]. That implies at least a directed arc point at. Claim Let H a be connect subgraph in G H with a H a, in which a {, }. Let Ha be the connect graph after -th uery. Then V H Claim P r[e i E... E 0 ] Pr[V er H Claim Pr[E], [1..1]. n 1 Claim Pr[E] (+1), [13..0]. n Claim Pr[E] = 1, [1..64]. For given and, we have P r[v er H Detail is in Appendix A. (f 1 ) i V er H +. H (f 3 ) i ]. (f 1 ) i V er H (f 3 ) i ] = 1. Theorem 5. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme (A) / n for any 1 and [1..1]. (A) ( + 1)/ n+ for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Claim AdvH coll (A) / n for any 1 and [1..1]. A only asks E uery(x, k) with x i and k i satisfing f 1 (x i, k i,?) H. Let C be the event of H and at least a edge in H. AdvH coll Claim Adv coll (A) Pr[C] i=1 Pr[V er H (f 3 ) i ] i=1 1 n = n. (A) ( + 1)/ n+ for any 1 and [13..0]. A asks E uery(x, k) and E 1 uery(y, k), alternately. In odd-th uery, A selects x and k satisfying f 1 (x, k,?) H, in even-th uery, A selects y and k satisfing f 3 (?, k, y) H. Let C be the event of H and at least a edge in H. If C occurs in E uery, then AdvH coll (A) Pr[C] Pr[V er H (f 3 ) i ] i/ +1 i=1. If C occurs in E 1 uery, then n Adv coll (A) Pr[C] Pr[V er H Detail is in Appendix A. (f 1 ) i ] i=1 i/ +1 n. 5 Second Preimage Resistance of PGV Schemes Second preimage bounds on with plain-padding and MD-strengthening are different, for the success events of those two attacks are different. Let the given message build a path P. Second preimage attack with plain padding is also a direct path P finding attack, for which the target is all vertexes in path P. Theorem 6. Fix n > 1, 1, let H(m, ) =, m = m 1... m t, message padding is plain padding,

11 Improved Collision and Preimage Resistance Bounds on PGV Schemes 11 Group 1 Scheme: (t+1) sp re Adv n (A) (t+1) for [1..1]. n 1 Group Scheme: (4t++3) sp re Adv n+ (A) (t++3) for [13..0]. n Proof. This proof is followed the proofs of Theorem 4 and Theorem 5. Let A?,? be an adversary attacking. Let m = m 1... m t, σ := H(m, ), m = m 1..., m, t. Let σ 0 :=. A runs GraphDrawing(A, n) with G 0 := {σ 0 t}. A follows graph drawing method of Theorem 4 and Theorem 5. UP Bound of Group 1 In -uery Pr[Arc σ (f 3 )], we have n 1 sp re Adv () t =0 Pr[Arc σ (f 3 )] (t+1). In i-th uery Pr[V er n 1 H (f σ 3 ) i ] t t+1 sp re. We have, Adv n () i=1 Pr[V er H (f σ 3 ) i ] (t+1) t. n UP Bound of Group Since Pr[V er H (f σ 3 ) i V er t H (f 1 ) i ] i+t+1 n (). sp re Adv () i+t+1 i=0 n () (+t+3). In i-th uery, Pr[V er n H (f σ 3 ) i ] t i +t+1 sp re. We have, Adv n () i=1 Pr[V er H (f 3 ) i ] (4t++3). n+ Theorem 7 is based on the facts that, if the message length is considered, in each uery, the target image set is not set {σ, 0 t}, is a vertex in it. Then the bound will become same as preimage attack. However, in schemes [5..0], A can build a short direct cycle or loop C, in this way, the length of second message can be controlled by A. Let L = C. The target image set becomes {σ L t/l }. C can found by precomputation with complexity of O( n/ ), which can be used in any second preimage attack, that was not included in complexity bounds of finding second preimage. Theorem 7. Fix n > 1, 1, let H(m, ) =, m = m 1... m t, message padding is MD strengthening padding, sp re Schemes [1..4] Adv n (A). n 1 (t 1) sp re Schemes [5..1] Adv n (A) (t 1). n 1 (+1) sp re Schemes [13..0] Adv n+ (A) (+1). n Proof. This proof is followed the proofs of Theorem 6 and Theorem 7. Let A?,? be an adversary attacking. Let σ := H(m, ), m = m 1..., m, t. Schemes [1..4] For M D-strengthening, when message length is included in f (x i, k i, y i ), the success event is Arcσ, not V er Hσ. Schemes [5..1] Before attacking, [5..1], A find message blocks m 1 and m with (m 1 m (i), ) = (m 1 m (j), ), i, j > 0, detail is given in next section, called expandable fixed point. Let = (m 1, ). Let G 0 H := {σ, }. We have (t 1) sp re Adv n (A) (t 1). n 1 Schemes [13..0] Before attacking, [13..0], A find message blocks m 1 and m with ((m 1 m ) (i), ) = ((m 1 m ) (j), ), i, j > 0, detail is given in next section. Let G 0 H := {σ t}. We have (+t) n+ sp re Adv (A) (+t). n σ

12 1 Lei Duo and Chao Li 6 Multicollisions on PGV Schemes Multicollisions Multicollisions attack is first given by Joux[6], which is a way to produce a large number of messages that collide for an iterated hash function, with only a little more work than is needed to find a single pair of messages that collide. More precisely, using t collision H(B 1... B l, ) = H(B 1... B l, ), where B i B i and l = 1,..., t, we can build t -collisions in H. The time consuming is t O( n/ ). The collide block finding procedure is illustrated as Algorithm CollisionBlock(A, h, t): CollisionBlock(A, h, t) For i := 1 to A selects x i, k i with f 1 (x i, k i,?) = h, then asks E uery(x i, k i ). A success with f 3 (x i, k i, y i ) = f 3 (x j, k j, y j ), return m t f (x i, k i, y i ); m t f (x j, k j, y j ); h t f 3 (x i, k i, y i ); Fixed-Point Expandable Message A fixed point is a pair (h, m i ) such that h = F (h, m i ). Compression functions based on Davies-Meyer construction, such as the SHA family, MD4, MD5 and Tiger, have easily found fixed points. Kelesy and Schneier[8] gave a second preimage attack based on Fixed-Point expandable message. We call it expandable short dicycle in this paper, for, in schemes [13..0], fixed-point expandable message is not easy to be found, but a similar expandable short directed cycle as expandable fixed point can be found and attacks based on them. Expandable Short DiCycle Expandable Short dicycle reuires a short directed cycle or loop being build with desired prefix. Let A?,? be an adversary attacking. A runs algorithm GraphDrawing(A, n). The expandable short dicycle found algorithm is as follows: ExpandableDiCycle(A, h, t, ) For i := 1 to n/ A selects (x i, k i ) with f 1 (x i, k i,?) = h asks E uery(x i, k i ). For i := 1 to n/ If {5, 8, 10, 11} Then A selects (y i, k i ) with y i = 0 asks E 1 uery(y i, k i ). If {6, 7, 9, 1} Then A selects (y i, k i ) with y i = k i asks E 1 uery(y i, k i ). If [13..0] Then A selects (y i, k i ) with f 3(?, k i, y i ) = h asks E 1 uery(y i, k i ). A success with f 3 (x i, k i, y i ) = f 1 (x j, k j, y j ), return m t f (x i, k i, y i ); m tt f (x j, k j, y j ); h t f 3 (x i, k i, y i ); Short DiCycle Multicollisions Short DiCycle Multicollisions attack is first given in[8], which is a way to produce a large number of messages that collide for an iterated hash function, with only a little more work than is needed to find a single pair of expandable short dicyle. More precisely, using t short dicycle, we

13 Improved Collision and Preimage Resistance Bounds on PGV Schemes 13 can build multicollisions in. The time consuming is t O( n/ ). (m 1 m (k1) m t m (kt) tt ) = (m 1 m (k 1 ) m t m (k t ) tt ), [5..1] With t i=1 k i = t i=1 k i. Let l := t i=1 k i. Then adversary takes t n/ times finding S l (t), l + t length multicollisions, where S l (t) = t i l =0 S l 1(i l ). S l (t) = t S l 1 (i l ) = i l =0 t i l i l =0 i l 1 =0 S l (i l 1 ) = t i l i l =0 i l 1 =0... i 3 i =0 S (i ). Where S (i) = i + 1. For schemes [13..0], the minimum message length is l + t with t n/ complexity and S l (t) collisions. Combine Multicollisions Let A?,? be an adversary attacking. A runs algorithm GraphDrawing(A, n) building multicollision, where original multicollisions and short Dicycle multicollisions are combined. (m 1 m (k1) 11 m m 3 m (k) m t 1 m (kt) t 1t 1 m t) = (m 1 m (k 1 ) 11 m m 3 m (k ) m t 1 m (k t ) t 1t 1 m t), [5..1] With t i=1 k i = t i=1 k i. Let l := t i=1 k i.then adversary takes O(3t n/ ) times E uery to get O( t (t + 1) l 1 ), t + l length multicollisions, where l t h Schemes[5..1] n/+i h h CollisionBlock(A,h) 1 Schemes[13..0] 3 Joux's Multicollisions 4 DiCycle Multicollisons 5 DiCycle Multicollisons 6 f (x i,k i,y i ) f 1 (x i,k i,y i ) f 3 (x i,k i,y i ) Combine Multicollisions 7 Graph Example 8 Fig. 4. Directed Cycle finding algorithms of schemes [5..1] and [13..0] are illustrated in subgraph 1 and. Undirected Cycle(Multicollision block) finding algorithm is given in subgraph 3. Joux s Multicollisions, Kelsey s Multicollisions on schemes [5..1] and [13..0] and combine of those two Multicollisions are presented in subgraph 4, 5, 6, 7, respectively.

14 14 Lei Duo and Chao Li 7 Conclusions In this paper, we give the bounds on PGV schemes against preimage, second preimage, collision and multicollisions, and that are improved by graph drawing method and short cycle build method. We omit the bounds of some new attacks including second preimage attack based on other expandable message[8] and preimage attack based on herding attack[9], for those bounds can be precise by similar way as second preimage attack. From the bounds, schemes [1..4] seems better than schemes [5..0], but more analysis is reuired. References 1. E.Biham and R.Chen. Near-Collisions of SHA-0 and SHA-1. In Selected Areas in Cryptography-SAC E.Biham and R.Chen. Near-Collisions of SHA-0,In Advances in Cryptology CRYPTO 004, LNCS 315,pp90-305, J.Black, P.Rogaway, and T.Shrimpton, Black-box analysis of the block-cipherbased hashfunction constructions from PGV. In Advances in Cryptology - CRYPTO 0, volume 44 of Lecture Notes in Computer Science. Springer-Verlag, 00.pp I.Damgård. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology-CRYPTO 89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, J.Daemen and V.Rijmen: The Design of Rijndael: AES The Advanced Encryption Standard. Springer, A.Joux. Multicollisions in iterated hash functions, application to cascaded constructions. Crypto 04, LNCS 315, 306C S. Hirose. Some plausible constructions of double-block-length hash functions. In Preproceedings of the 13th Fast Software Encryption Workshop (FSE 006), pp , J. Kelsey and B. Schneier. Second preimages on n-bit hash functions for much less than n work. In R. Cramer, editor, EUROCRYPT 005, LNCS 3494, pp , John Kelsey, Tadayoshi Kohno. Herding Hash Functions and the Nostradamus Attack. In S. Vaudenay, editor, EUROCRYPT 006, LNCS 4004, pp , X.Lai and J.L.Massey: Hash functions based on block ciphers. In Advances in Cryptology Eurocrypt 9, Lecture Notes in Computer Science, Vol Springer- Verlag, Berlin Hei-delberg New York (1993) C. H. Meyer and S. M. Matyas. Cryptography: a New Dimension in Data Security. Wiley & Sons, M. Nandi, W. Lee, K. Sakurai, and S. Lee. Security analysis of a /3-rate double length compression function in the black-box model. In Proceedings of the 1th Fast Software Encryption (FSE 005), LNCS 35571, pp , B.Preneel, V. Rijmen, A.Bosselaers: Recent Developments in the Design of Conventional Cryptographic Algorithms. In State of the Art and Evolution of Computer Security and Industrial Cryptography. Lecture Notes in Computer Science, Vol 158. Springer-Verlag, Berlin Heidelberg New York(1998)

15 Improved Collision and Preimage Resistance Bounds on PGV Schemes B. Preneel, R. Govaerts, and J. Vandewalle, Hash functions based on block ciphers,, In Advances in Cryptology -CRYPTO 93, Lecture Notes in Computer Science,pages Springer-Verlag, M. O. Rabin. Digitalized Signatures. In R. A. Demillo, D. P. Dopkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages , New York, Academic Press. 16. C.E. Shannon. Communication theory of secrecy systems,, Bell System Technical Journal, 8:656C715, X.Wang, H.Yu, How to Break MD5 and Other Hash Functions, EURO- CRYPT 005, Springer-Verlag, LNCS 3494, pp19-35, X. Wang, X. Lai, D.Feng and H.Yu., Cryptanalysis of the Hash Functions MD4 and RIPEMD, EUROCRYPT 005, Springer-Verlag,LNCS 3494, pp1-18, 005. A Bounds on Preimage The following theorem is proof of Theorem4. Theorem 8. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme Others Scheme (A) / n 1 for any 1 and [1..1]. (A) ( + 1)/ n for any 1 and [13..0]. (A) = 1 for any 1 and [1..64]. Proof. Let A?,? be an adversary attacking. A runs GraphDrawing(A, n) with G 0 = {, }. Preimage finding is not finding a cycle or loop, it is finding a path. Let assume { } and {} be connected subgraphs. Let E be the event that, as a result of the adversary s ueries, there are formed a directed path P in G H, P and P. Let E i be the event that E occurs by the i-th uery. Define E 0 be the null event. Then Pr[E] = i=1 Pr[E i E... E 0 ]. We have (A) Pr[E]. Claim (A) Pr[E]. Implying preimage on H at least is a path P G H, in which P and P. Adversary A find message m = m 1... m l with H(m, ) =. m Then we build path P = h 1 m 0 m h1... l we have h0 =, h l =. Then there exists at least one path P, in which P and P. Claim Let Arc (f 3 (x, k, y)) be event that f 3 (x, k, y) =. Then P r[e] Pr[Arc (f 3 (x, k, y))]. That implies at least a directed arc point at. Claim Let H a be connect subgraph in G H with a H a, in which a {, }. Let Ha be the connect graph after -th uery. Then V H +. H Claim P r[e i E... E 0 ] Pr[V er H (f 1 ) i V er H (f 3 ) i ]. If E occurs in i-th uery, then there exists a Path P with, P and P G i H. We will give proof of P (f 1, f, f 3 ) H H. If that is true, then f 1 H and f 3 H. Since (f 1, f, f 3 ) is in path P, two connected graph in P (f 1, f, f 3 ) denoted H 1 and H. Since P, we have H 1 H. Let H 1. If in H 1, then that is conflict with path occur in i-th uery. We have f 1 H and f 3 H.

16 16 Lei Duo and Chao Li Claim Pr[E] n 1, [1..1]. If Arc (f 3 (x, k, y)) occurs via an E uery(x, k), then y is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Let the A try time, then Pr[Arc (f 3 )] n (i 1). Alternatively, if E i occurs via an E 1 uery(y, k), then f 3 (x i, k i, y i ) is still a random value from a set of size at least n (i 1). Then Pr[E] Pr[Arc (f 3 )] n (i 1) n 1. Claim Pr[E] (+1), [13..0]. n Given E... E 0, the event E i occurs in case that, the return vertex of i-th uery has been exist in vertexes set H and H Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H. (f 3 ) i V er H (f 1 ) i ]. If E i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at least n (i 1). Then f 3 (x i, k i, y i ) is a random value from a set of size at least n (i 1). We also have V H i. So, Pr[E i E... E 0 ] i n (i 1). Alternatively, if E i occurs via an E 1 uery(y i, k i ), then f 1 (x i, k i, y i ) is a random value from a set of size at least n (i 1). Then Pr[V er H (f 1 ) V er H (f 3 ) i ] = Pr[V er H Pr[E i E... E 0 ] We have Pr[E] i i=1 n () (+1). n Claim Pr[E] = 1, [1..64]. For given and, we have P r[v er H The following theorem is proof of Theorem5. i n (i 1). (f 1 ) i V er H (f 3 ) i ] (f 1 ) i V er H (f 3 ) i ] = 1. Theorem 9. Fix n 1, given, message padding is plain padding, Group 1 Scheme Group Scheme (A) / n for any 1 and [1..1]. (A) ( + 1)/ n+ for any 1 and [13..0]. Proof. Let A?,? be an adversary attacking.

17 Improved Collision and Preimage Resistance Bounds on PGV Schemes 17 Claim AdvH coll (A) / n for any 1 and [1..1]. Followed the attack on Theorem 4, let adversary A only ask E uery(x, k). In each uery, select x i and k i to satisfy f 1 (x i, k i,?) H. Let C be the event of H and at least a edge in H. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have AdvH coll (A) Pr[C]. If adversary A builds a connected Graph H with H, then there is a path P from to. If C i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H (f 3 ) i ] 1 n Pr[C i C... E 0 ] 1 n. We have Pr[E] i=1 1 = n. n Claim AdvH coll (A) ( + 1)/ n+ for any 1 and [13..0]. In the proof of Theorem3, let adversary A ask E uery(x, k) and E 1 uery(y, k), alternately. In odd-th uery, select x and k to satisfy f 1 (x, k,?) H, in even-th uery, select y and k to satisfy f 3 (?, k, y) H. Let C be the event of H and at least a edge in H. Let C i be the event that C occurs by the i-th uery. Define C 0 be the null event. Then Pr[C] = i=1 Pr[C i C... C 0 ]. We have AdvH coll (A) Pr[C]. If adversary A build a connected Graph H with H, then there is a path P from to. Given C... C 0, the event C i occurs in case that, the return vertex of i-th uery f 3 (x i, k i, y i ) has been exist in vertexes set V H. If C i occurs via an E uery(x i, k i ), then y i is a random value from a set of size at most n. Then f 3 (x i, k i, y i ) is a random value from a set of size at most n. So, Pr[V er H (f 1 ) i V er H (f 3 ) i ] Pr[V er H (f 3 ) i ] Pr[C i C... E 0 ] i/ + 1 n. If C i occurs via an E 1 uery(y i, k i ), then x i is a random value from a set of size at most n. Then Pr[C i C... E 0 ] i/ + 1 n. We have Pr[E] i i=1 = (+1) n+1. n+