On High-Rate Cryptographic Compression Functions

Size: px

Start display at page:

Download "On High-Rate Cryptographic Compression Functions"

Luke Lawrence
5 years ago
Views:

1 On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, Bratislava, Slovak Republic {ostertag, stanek}@dcs.mph.uniba.sk Abstract. The security o iterated hash unctions relies on the properties o underlying compression unctions. We study highly eicient compression unctions based on block ciphers. We propose a model or highrate compression unctions, and give an upper bound or the rate o any collision resistant compression unction in our model. In addition, we show that natural generalizations o constructions by Preneel, Govaerts, and Vandewalle to the case o rate-2 compression unctions are not collision resistant. Key words: Hash unctions, compression unctions, block ciphers, provable security. 1 Introduction Cryptographic hash unctions are basic building blocks in many security constructions digital signatures, message authentication codes, etc. Almost all modern hash unctions are built by iterating a compression unction according the Merkle-Damgård paradigm [3, 5]. Moreover, these compression unctions are oten based on some underlying block cipher. Even dedicated hash unction like SHA-1 is based on a block cipher called SHACAL-1 [4]. The irst systematic study o 64 block cipher based hash unctions was done by Preneel, Govaerts, and Vandewalle [6]. Subsequently, Black, Rogaway, and Shrimpton [2] analyzed these constructions in black box model and proved that 20 o them are collision resistant up to the birthday-attack bound. An important property o a hash unction is perormance. Thereore, one would like to maximize the rate o hash unction the number o message blocks processed with one block cipher transormation. Another way to design ast hash unctions is the usage o keys rom a small ixed set o keys in all block cipher transormations, thus enabling a pre-scheduling o keys. Classical constructions [6] are rate-1 and require rekeying or every message block. Recently, Black, We appreciate any comments and suggestions.

2 Cochran, and Shrimpton [1] shown, that it is impossible to construct (block cipher based) provably secure rate-1 iterated hash unction that use small ixed set o keys. Our contribution. We analyze the existence o high-rate compression unctions. Our contribution is twoold: 1. We propose a general model o (block cipher based) high-rate compression unctions, and show an upper bound or rate o provably secure compression unctions. 2. We show that generalizations o rate-1 constructions by Preneel, Govaerts, and Vandewalle [6] to the case o rate-2 compression unctions are not collision resistant. Remark 1. We ocus solely on collision resistance as the most problematic property o cryptographic hash unctions. Moreover, the results o our analysis are mostly negative, so there is no need to study other properties. The paper is structured as ollows. Section 2 contains notions and deinitions used in the paper. In addition, we present our model o high-rate compression unctions. In Section 3 we give an upper bound or rate o collision resistant compression unctions in the model. The analysis o rate-2 compression unctions is presented in Section 4. 2 Background and Deinitions The notation used in the paper ollows closely the notation introduced in [1, 2]. Let V m be a set o all m-ary binary vectors, i.e. V m = {0, 1} m. Let k and n be positive integers. A block cipher is a unction E : V k V n V n, where or each key K V k, the unction E K ( ) = E(K, ) is a permutation on V n. Let Bloc(k, n) be the set o all block ciphers E : V k V n V n. The inverse o block cipher E is denoted by E 1. A (block cipher based) compression unction is a unction : Bloc(k, n) (V a V b ) V c, where a, b, and c are positive integers such that a + b c. An iterated hash o compression unction : Bloc(k, n) (V a V b ) V a is the hash unction H : Bloc(k, n) Vb V a deined by H E (m 1... m l ) = h l, where h i = E (h i 1, m i ) and h 0 is a ixed element rom V a. We set H E (ε) = h 0 or empty string ε. We oten omit superscripts E to and H. I the computation o E (h, m) uses e queries o E then (and its iterated hash H) is rate-r, where r = (b/n)/e. Oten n b, and the rate represents the average number o message blocks processed by single E transormation. For example, or b/n = 3 and e = 2 we get compression unction o rate-(3/2). The experiment o choosing a random element x rom the inite set S will be denoted by x $ S.

3 Black-box model. An adversary A is given access to oracles E and E 1 where E is a block cipher. We write these oracles as superscripts, i.e. A E,E 1. We omit the superscripts when the oracles are clear rom context. The adversary s task is attacking the collision resistance o a hash unction H. We measure the adversary s eort o inding collision as a unction o the number o E or E 1 queries it makes. Notice that we assume inormation-theoretic adversary, i.e. the computational power o the adversary is not limited in any way. Attacks in this model treat the block cipher as a black box. The only structural property o the block cipher captured by the model is the invertibility. The model cannot guarantee the security o block cipher based hash unctions instantiated with block ciphers having signiicant structural properties (e.g. weak keys). On the other hand, the black-box model is stronger that treating the block cipher as a random unction, because the adversary s ability to compute E 1. We deine the advantage o an adversary in inding collisions in a compression unction : Bloc(k, n) (V a V b ) V c. Naturally (h, m) and (h, m ) collide under i they are distinct and E (h, m) = E (h, m ). We also take into account a collision with empty string, i.e. producing (h, m) such that E (h, m) = h 0. We look at the number o queries that the adversary makes compare this with the probability o inding a collision. Deinition 1 (Collision resistance o a compression unction [2]). Let be a block cipher based compression unction, : Bloc(k, n) (V a V b ) V c. Fix a constant h 0 V c and an adversary A. Then the advantage o inding collisions in is the probability Adv comp (A) = Pr [ E $ Bloc(k, n); ((h, m), (h, m )) A E,E 1 : (h, m) (h, m ) E (h, m) = E (h, m ) E (h, m) = h 0 ] For q 0 we write Adv comp (q) = max A {Adv comp (A)} where the maximum is taken over all adversaries that ask at most q oracle (E or E 1 ) queries. Deinition 2 (Collision resistance o a hash unction [2]). Let H be a block cipher based hash unction, and let A be an adversary. Then the advantage o inding collisions in H is the probability [ Adv coll H (A) = Pr E $ Bloc(k, n); (M, M ) A E,E 1 : ] M M H E (M) = H E (M ) For q 0 we write Adv coll H (q) = max A {Adv coll H (A)} where the maximum is taken over all adversaries that ask at most q oracle (E or E 1 ) queries. The ollowing theorem orms a basis or construction o iterated hash unctions (Merkle-Damgård paradigm). It shows that the collision resistance o compression unction is suicient or the collision resistance o its iterated hash unction.

4 Theorem 1 (Merkle-Damgård [3, 5]). Let : Bloc(k, n) V n V n V n be a compression unction and let H be an iterated hash o. Then Adv coll H (q) Adv comp (q) or any q 1. Remark 2. Birthday attack is a generic collision-inding attack on a compression/hash unction. The advantage o birthday attack is Θ(q 2 /2 n ), where q is number o evaluations o the unction and n is the length o output. Usually, a compression unction (hash unction H) is called collision resistant up to the birthday-attack bound, or simply collision resistant i Adv comp (q) = Θ(q 2 /2 n ) (Adv coll H (q)) = Θ(q 2 /2 n )). 2.1 A Model o High-Rate Compression Function We deine a model o high-rate compression unction : Bloc(k, n) (V a V b ) V a. The model assumes ollowing: The evaluation o compression unction uses a single query E to compute (h, m). The length o m is an integer multiple o the E s block length n, i.e. b = rn where r 1. According to the second condition the compression unction is rate-r. Let 1 : V a V rn V n, 2 : V a V rn V k, and 3 : V a V rn V n V a be arbitrary unctions. The computation o the compression unction : Bloc(k, n) (V a V nr ) V a is deined as: unction E (h, m) : X 1 (h, m) K 2 (h, m) Y E(K, X) return 3 (h, m, Y ) When convenient we express m as a concatenation o n bit blocks. These r blocks are denoted by m (1),..., m (r). Our model o high-rate compression unction used in iterated hash is depicted in Fig. 1. m (1),..., m (r) h i 1 1 E 3 h i 2 key Fig. 1. Model o high-rate compression unction

5 The model is quite general it covers all compression unctions that takes r blocks o a message and process them using exactly one encryption transormation E. Notice that all rate-1 schemes rom [6] (we call them PGV) are special instances o the model. 3 An Upper Bound or the Rate o Compression Function In the ollowing theorem, we present an attack on collision resistance o compression unction. This attack works on any compression unction belonging to the model. As a by-product we obtain an upper bound or rate o any collision resistant compression unction. Theorem 2 (Upper bound or rate o a compression unction). Let E Bloc(n, k). Let 1 : V a V rn V n, 2 : V a V rn V k, and 3 : V a V rn V n V a be arbitrary unctions. Let : V a V rn V a be a compression unction deined as (h, m) = 3 (h, m, E 2 (h,m)( 1 (h, m))). Let r > 1+k/n. Then Adv comp (1) = 1. Proo. We describe an adversary A that asks exactly one oracle query. For any X V n, and K V k we denote by D X,K the set o all pairs (h, m) such that 1 (h, m) = X, and 2 (h, m) = K, i.e. D X,K = (X) 2 (K). Adversary A proceeds as ollows: 1. A inds such X V n, and K V k that D X,K is maximal. 2. A computes Y = E K (X). 3. A inds a collision in the set D X,K, i.e. (h, m), (h, m ) D X,K : (h, m) (h, m ) 3 (h, m, Y ) = 3 (h, m, Y ). One can easily check that (h, m) and (h, m ) orm a collision or compression unction : (h, m) = 3 (h, m, E 2 (h,m)( 1 (h, m))) = 3 (h, m, E K (X)) = = 3 (h, m, E K (X)) = 3 (h, m, E 2 (h,m )( 1 (h, m ))) = (h, m ) Now, we argue that A succeeds in the third step o the attack. First, we show that D X,K 2 a+n(r 1) k. Let us assume the opposite holds: D X,K < 2 a+n(r 1) k or all X V n, K V k. Then X V n, K V k D X,K < 2 n+k 2 a+n(r 1) k = 2 a+nr. On the other hand X V n, K V k D X,K = X V n (X) 2 (K) = 1 1 (X) = 2a+nr, K V k X V n a contradiction. Thus, the adversary selects X, K with D X,K 2 a+n(r 1) k in the irst step o the attack. Since the range o compression unction has 2 a

6 elements (the range is the same as the range o 3 ), the adversary succeeds in inding collision i D X,K > 2 a. The inequality is satisied i 2 a+n(r 1) k > 2 a, or equivalently r > 1 + k/n. Adversary A produces a collision in compression unction with probability 1 (assuming r > 1 + k/n). Moreover, the adversary asks exactly one oracle (E) query during the attack. Thus, Adv comp (1) = 1. Remark 3. Recall that the adversary was not computationally limited and the attack has exponential time complexity (more precisely, steps 1 and 3). The theorem gives an upper bound 1 + k/n or the rate o collision resistant compression unction. Compression unctions with higher rate cannot be collision resistant (at least compression unctions in our model). However, the theorem says nothing about collision resistance o compression unctions with rate r 1 + k/n. A natural question is whether this upper bound or collision resistant compression unctions can be achieved. A negative answer or a class o compression unctions is given in the ollowing section. 4 PGV-like Rate-2 Compression Functions The constructions o compression unctions rom block cipher oten assume equal key and block lengths [6], i.e. k = n. Then the upper bound rom Theorem 2 simpliies to r 2. Similarly, the output o compression unction has usually the same length as the block, i.e. a = n. Thus, we consider rate-2 compression unctions o the orm : V n V 2n V n. Preneel, Govaerts, and Vandewalle [6] studied rate-1 compression unctions. They considered all 64 compression unctions o the orm (h, m) = E a (b) c where a, b, c {h, m, h m, v} (v is a ixed constant). As showed in [2], 12 compression unction are collision resistant, and additional 8, though not collision resistant, orm collision resistant hash unctions. A natural extension o above constructions to the case o rate-2 compression unctions is the ollowing scheme: (h, (m (1), m (2) )) = E a (b) c, (1) where a, b, c {h, m (1), m (2), h m (1), h m (2), m (1) m (2), h m (1) m (2), v}. This way we obtain 512 compression unctions. Remark 4. Notice that the compression unctions instantiated in the scheme all in our model 1 (h, m) = b, 2 (h, m) = a, and 3 (h, m, Y ) = Y c. We show that no compression unction o the orm (1) is collision resistant (or any unction there exists an adversary that inds a collision and asks at most two queries). We partition these unctions into distinct classes according attacks that ind (at least one) collision. Summary o the classes is given in Table 1. For each class the table shows the number o compression unctions in the class, and the number o oracle queries needed in collision inding attack.

7 Table 1. Collision classes o rate-2 compression unctions class unctions queries 1 Superluous Variables Balanced Combinations Compensations Hard Core 60 2, 0 Remark 5. There are compression unctions that are vulnerable to multiple attacks using e.g. superluous variables or balanced combinations. In such situation we assign particular unction to the class with lowest number. 4.1 Class 1 Superluous Variables First class contains all those compression unctions that do not depend on all input vectors, i.e. at least one o h, m (1), m (2) is not required or computing the unction. Examples o such compression unctions are E h (h m (1) ) h, E m (2)(v) m (1) m (2), or E v (h m (2) ) h m (2). Trivially, one can ind many collisions in compression unctions rom this class. It suices to vary the superluous variable. Moreover, no oracle queries are needed to produce collisions. 4.2 Class 2 Balanced Combinations Our second class consists o those compression unctions that are not in class 1, and have a balanced combination o two input vectors. Let x 1, x 2 {h, m (1), m (2) } be two distinct input vectors, i.e. x 1 x 2. We call a combination x 1 x 2 balanced in compression unction, i every occurrence o x 1 in s parameters a, b or c implies x 2 occurrence in the same parameters (and vice versa). Examples o compression unctions in this class are: E h m (1) m (2)(m(1) m (2) ) v, E m (2)(h m (1) ) h m (1), E h m (2)(h m (1) m (2) ) h m (1) m (2). It can be easily seen that collisions can be ind without any oracle queries. Balanced combination x 1 x 2 allows choosing 2 n values pairs (x 1, x 2 ) without changing parameters a, b, and c. Hence, the value o does not change either. 4.3 Class 3 Compensations Third class o compression unctions contains those unctions (not in classes 1 and 2) that have some input vector solely in either parameter b or parameter c.

8 Let x {h, m (1), m (2) } be such input vector. Let x appears only in s parameter b, i.e. input o block cipher transormation. An adversary can ind collision in the ollowing way. He sets the output o to some ixed value z. Similarly he sets the values o all input vectors except x randomly. Using a query to E 1 oracle the adversary can compute suitable x value. Repeating this procedure or dierent random choice o input vectors values and the same ixed z, the adversary obtains a collision or. The situation or x appearing solely in parameter c is treated analogously. Examples o compression unctions in this class are: E m (2)(m (1) ) h m (2), E m (1)(m (2) ) h m (1) m (2), E h m (1)(m (1) m (2) ) v. 4.4 Class 4 Hard Core There are 60 compression unctions let ater sorting the unctions into classes 1, 2, and 3. Let us denote this set C. We call two unctions 1, 2 permutationequivalent, i 1 can be obtained rom 2 by some permutation o its inputs. It can be easily observed that Adv comp 1 (q) = Adv comp 2 (q) or any permutationequivalent compression unctions 1, 2, and any q 0. Thereore the set C can be partitioned to equivalence classes. Since every equivalence class has 6 members, it suices to analyze the collision resistance o any 10 permutationnonequivalent compression unctions (each one drawn rom dierent equivalence class). One selection o these 10 unctions is shown in Table 2. Table 2. Permutation-nonequivalent compression unctions o hard core class i a b c 1 m (1) m (2) h h m (2) 2 m (1) m (2) h m (2) h 3 m (1) m (2) h m (2) h m (2) 4 m (1) m (2) h m (2) h m (1) 5 m (1) m (2) h m (2) h m (1) m (2) 6 m (1) m (2) h m (1) m (2) h m (2) 7 h m (1) m (2) m (2) m (1) 8 h m (1) m (2) m (2) m (1) m (2) 9 h m (1) m (2) m (1) m (2) m (2) 10 h m (1) m (2) m (1) m (2) h m (2) Now we show collisions in all 10 permutation-nonequivalent compression unctions. Hence, all 60 unctions rom set C are not collision resistant. We

9 reer compression unctions rom Table 2 as 1,..., 10. For brevity, let 0 (1) be all-zero (all-one) vector in V n, respectively. Let A be ollowing collision inding adversary: 1. A sets (h, m (1), m (2) ) = (0, 0, 0), i.e. i (h, m (1), m (2) ) = E 0 (0). 2. A asks two oracle queries and computes x = E 0 (0) E 1 (0). 3. A solves ollowing equations (a, b, c denote corresponding linear combinations o h, m (1), m (2) or compression unction i ): a = 1 b = 0 c = x For any solution (h, m (1), m (2) ) we have i (h, m (1), m (2) ) = E a (b ) c = E 1 (0) E 0 (0) E 1 (0) = E 0 (0). Hence any solution dierent rom (0, 0, 0) yields a collision. Let us illustrate adversary s computation on 1. Adversary A solves ollowing equations in step 3: m (1) m (2) = 1 h = 0 h m (2) = x Solution is (h, m (1), m (2) ) = (0, 1 x, x) (0, 0, 0), and A obtains a collision. Adversary A can successully ind collisions or all unctions 1,..., 10, see Table 3, except or 3 and 4 due to the linear dependence o a, b, and c. We produce collisions or these unctions separately (moreover, no oracle queries are needed). It can be easily veriied that 3 (0, 0, 0) = 3 (1, 1, 1), and 4 (0, 0, 0) = 4 (1, 1, 1). Summarizing attacks rom this section we obtain ollowing theorem: Theorem 3. Let E Bloc(n, k). Let : V n V 2n V n be a compression unction deined as (h, (m (1), m (2) )) = E a (b) c, where a, b, c {h, m (1), m (2), h m (1), h m (2), m (1) m (2), h m (1) m (2), v}. Then Adv comp (2) = 1. Remark 6. The attacks presented in this section do not use the ull strength o black-box model a computationally unbounded adversary. These attacks require just polynomially bounded adversary asking constant number oracle queries. 5 Conclusion Many interesting questions arise rom the results presented in the paper. We state two most prominent ones as open problems: 1. Are there any collision resistant compression unctions with rate > 1?

10 Table 3. Collisions or (0, 0, 0) produced by adversary A i h m (1) m (2) x x 2 x 1 x x x x 1 x 6 1 x 1 x 7 1 x x x x x x x 1 x 2. Collision resistance o compression unction is suicient, but not necessary condition or collision resistance o iterated hash [2]. Are there any PGV-like rate-2 compression unctions that result in collision resistant iterated hash unction? Reerences 1. Black, J., Cochran, M., Shrimpton, T.: On the Impossibility o Highly-Eicient Blockcipher-Based Hash Functions, In Advances in Cryptology Eurocrypt 05, LNCS 3494, Springer-Verlag, Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis o the block-cipher-based hash-unction constructions rom PGV, In Advances in Cryptology CRYPTO 02, LNCS 2442, Springer-Verlag, Damgård, I.: A design principle or hash unctions, In Advances in Cryptology CRYPTO 89, LNCS 435, Springer-Verlag, Handschuh, H., Knudsen, L., Robshaw, M.: Analysis o SHA-1 in encryption mode, In Advances in Cryptology CT-RSA 01, LNCS 2020, Springer-Verlag, Merkle, R.: One way hash unctions and DES, In Advances in Cryptology CRYPTO 89, LNCS 435, Springer-Verlag, Preneel, B., Govaerts, R., Vandewalle, J.: Hash unctions based on block ciphers: A synthetic approach, In Advances in Cryptology CRYPTO 93, LNCS 773, Springer-Verlag, 1994.

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,