Analysis of property-preservation capabilities of the ROX and ESh hash domain extenders

Similar documents
Analysis of Property-Preservation Capabilities of the ROX and ESh Hash Domain Extenders

Enhanced Target Collision Resistant Hash Functions Revisited

Provable Security of Cryptographic Hash Functions

An introduction to Hash functions

A Composition Theorem for Universal One-Way Hash Functions

University Mathematics 2

Security Properties of Domain Extenders for Cryptographic Hash Functions

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

1 The concept of limits (p.217 p.229, p.242 p.249, p.255 p.256) 1.1 Limits Consider the function determined by the formula 3. x since at this point

Near-Optimal conversion of Hardness into Pseudo-Randomness

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Construction of universal one-way hash functions: Tree hashing revisited

Introduction to Derivatives

Lecture 5, CPA Secure Encryption from PRFs

MVT and Rolle s Theorem

HMAC is a Randomness Extractor and Applications to TLS

The derivative function

HMAC is a Randomness Extractor and Applications to TLS

The Verlet Algorithm for Molecular Dynamics Simulations

Provable Chosen-Target-Forced-Midx Preimage Resistance

Differentiation in higher dimensions

Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.

Lecture 21. Numerical differentiation. f ( x+h) f ( x) h h

LIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT

1 Cryptographic hash functions

WYSE Academic Challenge 2004 Sectional Mathematics Solution Set

lecture 26: Richardson extrapolation

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x)

Consider a function f we ll specify which assumptions we need to make about it in a minute. Let us reformulate the integral. 1 f(x) dx.

Chapter 5 FINITE DIFFERENCE METHOD (FDM)

Derivatives of Exponentials

Higher Order Universal One-Way Hash Functions

Combining functions: algebraic methods

Design Paradigms for Building Multi-Property Hash Functions

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

On the Security of Hash Functions Employing Blockcipher Post-processing

Volume 29, Issue 3. Existence of competitive equilibrium in economies with multi-member households

Efficient algorithms for for clone items detection

Multi-property-preserving Hash Domain Extension and the EMD Transform

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Symmetry Labeling of Molecular Energies

Function Composition and Chain Rules

Differential Calculus (The basics) Prepared by Mr. C. Hull

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

4. The slope of the line 2x 7y = 8 is (a) 2/7 (b) 7/2 (c) 2 (d) 2/7 (e) None of these.

Sin, Cos and All That

Math 161 (33) - Final exam

Lecture 15. Interpolation II. 2 Piecewise polynomial interpolation Hermite splines

5 January Key words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.

Lecture 14: Cryptographic Hash Functions

Subdifferentials of convex functions

Click here to see an animation of the derivative

2.8 The Derivative as a Function

232 Calculus and Structures

SFU UBC UNBC Uvic Calculus Challenge Examination June 5, 2008, 12:00 15:00

Pre-Calculus Review Preemptive Strike

Modeling Random Oracles under Unpredictable Queries

SECTION 3.2: DERIVATIVE FUNCTIONS and DIFFERENTIABILITY

(a) At what number x = a does f have a removable discontinuity? What value f(a) should be assigned to f at x = a in order to make f continuous at a?

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Numerical Differentiation

Hardness Preserving Constructions of Pseudorandom Functions

5.1 We will begin this section with the definition of a rational expression. We

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Reflection Symmetries of q-bernoulli Polynomials

The Zeckendorf representation and the Golden Sequence

REVIEW LAB ANSWER KEY

3.1 Extreme Values of a Function

Improved indifferentiability security analysis of chopmd Hash Function

5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems

Effect of the Dependent Paths in Linear Hull

How to Find the Derivative of a Function: Calculus 1

Integral Calculus, dealing with areas and volumes, and approximate areas under and between curves.

HOMEWORK HELP 2 FOR MATH 151

NUMERICAL DIFFERENTIATION

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Brazilian Journal of Physics, vol. 29, no. 1, March, Ensemble and their Parameter Dierentiation. A. K. Rajagopal. Naval Research Laboratory,

1 Cryptographic hash functions

Breaking H 2 -MAC Using Birthday Paradox

Continuity and Differentiability Worksheet

Recall from our discussion of continuity in lecture a function is continuous at a point x = a if and only if

Chapter 2 Limits and Continuity

Lecture 10 - MAC s continued, hash & MAC

Avoiding collisions Cryptographic hash functions. Table of contents

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Math 1241 Calculus Test 1

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Preface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Teaching Differentiation: A Rare Case for the Problem of the Slope of the Tangent Line

Continuity and Differentiability of the Trigonometric Functions

Dedicated to the 70th birthday of Professor Lin Qun

2011 Fermat Contest (Grade 11)

Foundations of Cryptography

Average Rate of Change

Characterization of reducible hexagons and fast decomposition of elementary benzenoid graphs

Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006

Transcription:

University of Wollongong Researc Online Faculty of Informatics - Papers (Arcive) Faculty of Engineering and Information Sciences 2009 Analysis of property-preservation capabilities of te ROX and ES as domain extenders Reza Reyanitabar University of Wollongong, rezar@uow.edu.au Willy Susilo University of Wollongong, wsusilo@uow.edu.au Yi Mu University of Wollongong, ymu@uow.edu.au Publication Details Reyanitabar, M., Susilo, W. & Mu, Y. (2009). Analysis of property-preservation capabilities of te ROX and ES as domain extenders. C. Boyd & J. Gonzà lez Nieto In Information Security and Privacy, 14t Australasian Conference, ACISP 2009, July 2009, Brisbane, Australia. Lecture Notes in Computer Science, 5594 153-170. Researc Online is te open access institutional repository for te University of Wollongong. For furter information contact te UOW Library: researc-pubs@uow.edu.au

Analysis of property-preservation capabilities of te ROX and ES as domain extenders Abstract Two of te most recent and powerful multi-property preserving (MPP) as domain extension transforms are te Ramdom-Oracle-XOR (ROX) transform and te Enveloped Soup (ES) transform. Te former was proposed by Andreeva et al. at ASIACRYPT 2007 and te latter was proposed by Bellare and Ristenpart at ICALP 2007. In te existing literature, ten notions of security for as functions ave been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. Andreeva et al. sowed tat ROX is able to preserve seven properties; namely collision resistance (CR), tree flavors of second preimage resistance (Sec, asec, esec) and tree variants of preimage resistance (Pre, apre, epre). Bellare and Ristenpart sowed tat ES is capable of preserving five important security notions; namely CR, message autentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Noneteless, tere is no furter study on tese two MPP as domain extension transforms wit regard to te oter properties. Te aim of tis paper is to fill tis gap. Firstly, we sow tat ROX does not preserve two oter widely-used and important security notions, namely MAC and PRO. We also sow a positive result about ROX, namely tat it also preserves PRF. Secondly, we sow tat ES does not preserve oter four properties, namely Sec, asec, Pre, and apre. On te positive side we sow tat ES can preserve epre property. Our results in tis paper provide a full picture of te MPP capabilities of bot ROX and ES transforms by completing te property-preservation analysis of tese transforms in regard to all ten security notions of interest, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. eywords era2015 Disciplines Pysical Sciences and Matematics Publication Details Reyanitabar, M., Susilo, W. & Mu, Y. (2009). Analysis of property-preservation capabilities of te ROX and ES as domain extenders. C. Boyd & J. Gonzà lez Nieto In Information Security and Privacy, 14t Australasian Conference, ACISP 2009, July 2009, Brisbane, Australia. Lecture Notes in Computer Science, 5594 153-170. Tis journal article is available at Researc Online: ttp://ro.uow.edu.au/infopapers/1836

Analysis of Property-Preservation Capabilities of te ROX and ES Has Domain Extenders Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer Science and Software Engineering University of Wollongong, Australia {mrr790, wsusilo, ymu}@uow.edu.au Abstract. Two of te most recent and powerful multi-property-preserving (MPP) as domain extension transforms are te Ramdom-Oracle-XOR (ROX) transform and te Enveloped Soup (ES) transform. Te former was proposed by Andreeva et al. at ASIACRYPT 2007 and te latter was proposed by Bellare and Ristenpart at ICALP 2007. In te existing literature, ten notions of security for as functions ave been considered in analysis of MPP capabilities of domain extension transforms, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. Andreeva et al. sowed tat ROX is able to preserve seven properties; namely collision resistance (CR), tree flavors of second preimage resistance (Sec, asec, esec) and tree variants of preimage resistance (Pre, apre, epre). Bellare and Ristenpart sowed tat ES is capable of preserving five important security notions; namely CR, message autentication code (MAC), pseudorandom function (PRF), pseudorandom oracle (PRO), and target collision resistance (TCR). Noneteless, tere is no furter study on tese two MPP as domain extension transforms wit regard to te oter properties. Te aim of tis paper is to fill tis gap. Firstly, we sow tat ROX does not preserve two oter widely-used and important security notions, namely MAC and PRO. We also sow a positive result about ROX, namely tat it also preserves PRF. Secondly, we sow tat ES does not preserve oter four properties, namely Sec, asec, Pre, and apre. On te positive side we sow tat ES can preserve epre property. Our results in tis paper provide a full picture of te MPP capabilities of bot ROX and ES transforms by completing te property-preservation analysis of tese transforms in regard to all ten security notions of interest, namely CR, Sec, asec, esec (TCR), Pre, apre, epre, MAC, PRF, PRO. ey words: Has Functions, Domain Extension, MPP, ROX, ES 1 Introduction A cryptograpic as function is a function tat can map variable lengt strings to fixed lengt strings. Has functions ave been used in a vast variety of applications, e.g. digital signature, MAC, PRF, and must provide different security properties depending on te security requirements of te applications. Te most well-known property for a as function is collision resistance (CR). Neverteless, as functions are often asked to provide many oter security properties ranging from merely being a one-way function (i.e. preimage resistance property) to acting as a truly random function (i.e. a random oracle). In a formal study of cryptograpic as functions two different but related settings can be considered. Te first setting is te traditional unkeyed as function setting were a as function refers to a single function H : M {0, 1} n (e.g. SHA-1) tat maps variable lengt messages to a fixed lengt output as value. In te second setting, a as function is considered as a family of functions H : M {0, 1} n,also called a dedicated-key as function [3], indexed by a key space. Te exact role of te as function key is application-dependent; it can be a public parameter, e.g. wen te as function is used in a digital signature, or a secret key like in MAC and PRF applications. In tis paper, we consider as functions and teir security notions in te dedicated-key as function setting. Almost all cryptograpic as functions are designed based on te following two-step approac: first a compression function is designed wic is only capable of asing fixed-input-lengt (FIL) messages and ten a domain extension transform is applied to get a full-fledged as function wic can as variableinput-lengt (VIL) or arbitrary-input-lengt (AIL) messages, depending on te transform. Assume tat we

2 M. R. Reyanitabar, W. Susilo and Y. Mu ave a (dedicated-key) compression function : {0, 1} k {0, 1} n+b {0, 1} n tat can only as messages of fixed lengt (n+b) bits. A domain extension transform can use tis compression function (as a black-box) to construct a (dedicated-key) as function H : M {0, 1} n, were te message space M can be eiter {0, 1} (in wic case H is an AIL as function) or {0, 1} <2λ, for some uge positive integer λ, e.g. λ = 64 (in wic case H is a VIL as function). For instance, te strengtened-md domain extension transform [12, 8, 3] yields to a VIL as function wile te Prefix-free domain extension transform [7, 3] yields to an AIL as function. In practice te difference between being VIL or AIL as function will not be of a concern as for typical value of λ = 64 almost all messages will ave lengt less tan 2 64 bits, i.e. will belong to {0, 1} <264. From security viewpoint, te crux sougt from a domain extension transform is its property preserving capability; tat is, if te underlying compression function possesses some security property P, ten te obtained full-fledged as function H sould also provably possess te property P. Te most well-known domain extension transform is te strengtened Merkle-Damgård (MD) construction wic was sown by Merkle [12] and Damgård [8] to be a CR preserving transform. Bellare and Rogaway in [6] sowed tat strengtened MD, despite preserving CR property, is unable to preserve UOWHF property (put fort by Naor and Yung [15]) wic is a weaker tan CR property. Tey renamed UOWHF as target collision resistance (TCR) and provided four domain extension transforms for preserving te TCR property. Soup in [17] provided a transform (improving XLH transform of Bellare-Rogaway in [6]), wic is sown to be UOWHF and CR preserving. Mironov [14] sowed tat Soup s transform is optimal from key expansion viewpoint among masking based serial transforms for TCR preservation. Coron et al. [7] introduced te notion of random oracle preservation and provided prefix-free MD transform wic is capable of preserving (pseudo-)random oracle, wic means tat if te compression function is modeled as a random oracle ten te AIL as function obtained by applying prefix-free MD transform will also be indifferentiable from a random oracle [7, 11]. A new line of researc recently as been initiated by Bellare and Ristenpart in [4], and followed in several oter works, e.g. [3, 1], wit te aim of designing multi-property-preserving (MPP) domain extension transforms. An MPP transform is capable of preserving multiple security properties simultaneously wileextendingtedomainofacompressionfunction. Two of te most recent and powerful MPP transforms are te Enveloped Soup (ES) transform designed by Bellare and Ristenpart in [3] and te Random-Oracle XOR (ROX) transform by Andreeva et al. in [1]. Bot ES and ROX are variants of Soup (S) transform proposed in [17]. ES is a standard model transform and was sown to be te best-performing, in terms of property preserving capability, among te nine transforms studies in [3]. It is sown in [3] tat ESH preserves five security notions; namely CR, TCR, MAC, PRF, and PRO. ROX was sown to be te only transform among te twelve transforms investigated in [1] wic is able to preserve seven security notions; namely CR, Sec, asec, esec, Pre, apre, and epre as put fort by Rogaway and Srimpton in [16]. But unlike to oter transforms, ROX..., quite controversially, uses a random oracle in te iteration. [1], altoug Andreeva et al. in [1] provide arguments justifying te merits of suc a limited application of auxiliary FIL random oracles in teir construction from practical viewpoint. Our Contribution. We complete property-preservation analysis of te ROX and ES transforms by providing new negative and positive results in regard to teir MPP capabilities. Our results complete te property preservation analysis of ROX and ES in regard to all ten security notions of interest, namely CR, Sec,aSec,eSec(TCR),Pre,aPre,ePre,MAC,PRF,PRO.ForteROXtransform,wesowtatitdoes not preserve MAC and PRO. Tis settles te open question of [1] about MAC and PRO preservation capability of te ROX, in a negative way. On te positive side we notice tat te ROX is also a PRF preserving transform. Regarding te ES transform, we sow tat ES does not preserve Sec, asec, Pre, and apre properties. As a positive result about ES we sow tat it also preserves epre property.

Analysis of Property-Preservation Capabilities of te ROX and ES 3 Te overview of te results are sown in Table 1. A Yes means tat te property is provably preserved by te transform. A No means tat te property is not preserved and tis is sown eiter by sowing a counterexample compression function or by some attacks benefiting from te structural weakness of te transform in regard to te specific security property. Unreferenced entries are te results sown in tis paper. We leave te question of a ten-property-preserving transform witout any random oracle as an interesting open question. ES ROX CR (Coll) Yes [3] Yes [1] Sec No Yes [1] asec No Yes [1] esec (TCR or UOWHF) Yes [3] Yes [1] Pre No Yes [1] apre No Yes [1] epre Yes Yes [1] MAC Yes [3] No PRF Yes [3] Yes PRO Yes [3] No Table 1. Overview of te MPP capabilities of te ES and ROX as domain extension transforms in regard to ten security notions. Unreferenced entries are te results sown in tis paper. 2 Preliminaries 2.1 Notations If A is a probabilistic algoritm wit access to some oracle f(.) tenbyy $ A f(.) (x 1,,x n )itismeant tat y is te output random variable wic is defined by running A, given inputs x 1,,x n and aving oracle access to f(.). To sow tat an algoritm A is run witout any input, we use te notation y $ A(). By time complexity of an algoritm we mean te running time, relative to some fixed model of computation plus te size of te description of te algoritm using some fixed encoding metod. If X is a finite set, by x $ X it is meant tat x is cosen from X uniformly at random. By X Y it is meant tat te value Y is simply assigned to te variable X. Letx y denote te string obtained from concatenating string y to string x. Let1 m and 0 m, respectively, denote a string of m consecutive 1 and 0 bits, and 1 m 0 n denote te concatenation of 0 n to 1 m.by(x, y) we mean an injective encoding of two strings x and y, from wic one can efficiently recover x and y. For a binary string M, let M denote its lengt in bits and M b M /b denote its lengt in b-bit blocks. Let M[i] denote te i-t bit of M, andm i...j denote te bits from i-t to j-t positions, i.e. M i...j = M[i] M[j]. If S isafinitesetwedenotesizeofs by S. For a positive integer m, let m λ denote its representation as a binary string of lengt exactly λ bits. Te set of all binary strings of lengt n bits (for some positive integer n) is denoted as {0, 1} n, te set of all binary strings wose lengts are variable but upper-bounded by N is denoted by {0, 1} N and te set of all binary strings of arbitrary lengt is denoted by {0, 1}. Te set of all functions f : Dom Rng (from a domain Dom to a range Rng) is denoted by Func(Dom, Rng). 2.2 Definition of Security Notions In tis section, we recall definition of ten security notions for as functions; namely, te seven notions (Coll, Sec, asec, esec, Pre, apre and epre) formalized in [16] as well as PRF, MAC, PRO. All definitions are for a

4 M. R. Reyanitabar, W. Susilo and Y. Mu dedicated-key as function H : M C,wereC = {0, 1} n for some positive integer n, tekeyspace is some nonempty set and te message space M {0, 1} suc tat {0, 1} m Mfor at least a positive integer m. For any M Mand,weusetenotationsH (M) andh(, M) intercangeably. Te advantage measures for an adversary A attacking H are defined in Fig. 1 for te ten security notions. [ ] Adv Coll H (A) = Pr ;(M,M $ ) $ A() : M M H (M) =H (M ) [ ] Adv Sec[δ] ; $ M {0, $ 1} δ ; H (A) = Pr M $ A(, M) : M M H (M) =H (M ) (, State) $ A(); H (A) = Pr M {0, $ 1} δ ; M $ A(M,State) : M M H (M) =H (M ) (M,State) $ A(); Adv esec H (A) = Pr ; $ M $ A(, State) : M M H (M) =H (M ) [ ] Adv Pre[δ] ; $ M {0, $ 1} δ ; Y H H (A) = Pr (M); M $ A(, Y ) : H (M )=Y (, State) $ A(); H (A) = Pr M {0, $ 1} δ ; Y H (M); M $ A(Y,State) : H (M )=Y [ ] ep re AdvH (A) = Pr (Y,State) $ A(); ; $ M $ A(, State) : H (M )=Y [ ] Adv MAC H (A) = Pr ;(M,tag) $ $ A H(.) () : H (M) =tag M not queried [ ] [ Adv PRF H (A) = Pr : $ A H(.) () 1 Pr ρ $ Func(M, C) :A ρ(.) () 1] [ ] [ Adv PRO H (A) = Pr : $ A H (.), (.) () 1 Pr : $ A F(.), SF (,.) () 1] Adv asec[δ] ap re[δ] Adv Fig. 1. Definitions of ten security notions for a as function family H [16, 3]. We say tat H is (t, l, ɛ)-xxx, for xxx {Coll, Sec[δ], asec[δ], esec, Pre[δ], apre[δ], epre}, if te advantage of any adversary A wit time complexity at most t and using messages of lengt at most l, islesstanɛ, in attacking H in xxx sense. Note tat four of te notions (namely, Sec[δ], asec[δ], Pre[δ] and apre[δ]) are parameterized by δ were {0, 1} δ M.IfH is a compression function (i.e. an FIL as function), ten parameter δ and te resource parameter l for te adversary will be te same as te fixed input lengt of te compression function and ence omitted from te notations. It is sown in [16] tat te strengt of provisional implications between different notions depends on te relative size of δ and te as size n. For more related details we refer to [16]. For xxx {MAC,PRF}, wesaytath is (t, q, l, ɛ)-xxx if te advantage of any adversary A aving time complexity at most t and making at most q queries wit maximum query lengt of l bits is at most ɛ. PRO Notion. Te definition of pseudorandom oracle preservation for a as function was first considered by Coron et al. in [7] using te indifferentiability framework of Maurer et al. in [11], and furter studied in te following works, e.g. in [4, 3]. Te definition for te dedicated-key setting tat we consider in tis paper, as sown in Fig. 1, is due to Bellare and Ristenpart [3]. PRO is defined formally as follows. Adversary A is given oracles access to eiter te VIL as function H (.) and FIL random oracle (.), or a VIL random oracle F(.) and a simulator S F (,.). A must differentiate between tese two worlds and te simulator s goal is to mimic te FIL random oracle (.) in a way tat convinces adversary A tat H (.) isf(.) (i.e. te two worlds become indifferentiable from A s

Analysis of Property-Preservation Capabilities of te ROX and ES 5 view). Te PRO advantage of an adversary A against H is defined as te difference between te probability tat A outputs a one wen given oracle access to H (.) and (.) and te probability tat it outputs a one wen given oracle access to F(.) and te simulator S F (,.). We say tat H is (t A,t S,q 1,q 2,l,ɛ) PRO, if for any adversary A aving time complexity at most t and making at most q 1 queries from its first (left) oracle and q 2 queries from its second (rigt) oracle wit maximal query lengt of l bits, tere exits a simulator S wit time complexity t S suc tat makes Adv PRO H (A) <ɛ. Te Special Case of ROX Construction. In te case of a as function obtained using ROX construction, te VIL as function H utilizes two FIL random oracles RO 1 and RO 2 in its construction as well as a compression function. In tis case te definitions sould be straigtforwardly adapted to consider te existence of tese two auxiliary FIL random oracles, namely adversary A will be also given oracle access to RO 1 and RO 2 and te number of queries from tese oracles sould also be considered as additional resource parameters for te adversary A. One also must use te generalized PRO notion based on te indifferentiability framework of [11] to involve tese additional random oracles. We provide te required generalized definition in section 3.1 of tis paper, following [11, 4]. Briefly saying, te simulator will ave to simulate tree random oracles for te adversary, namely te compression function itself (wic for PRO notion is modeled as an FIL random oracle), as well as te two auxiliary random oracles used by te ROX in addition to. More details are given in section 3.1 of tis paper. 2.3 Has Domain Extension Assume tat we ave a compression function : {0, 1} k {0, 1} n+b {0, 1} n tat can only as messages of fixed lengt (n+b) bits. A domain extension transform can use tis compression function (as a black-box) to construct a as function H : M {0, 1} n, were te message space M can be eiter {0, 1} or {0, 1} <2λ, for some positive integer λ (e.g. λ = 64). Te key space is determined by te construction of a domain extender. Clearly log 2 ( ) k, ash involves at least one invocation of. A domain extension transform comprises two functions: an injective padding function and an iteration function. First, te padding function Pad : M D I is applied to an input message M Mto convert it to te padded message Pad(M) inadomaind I. Ten, te iteration function f : D I {0, 1} n uses te compression function as many times as required, and outputs te final as value. Te full-fledged as function H is obtained by combining te two functions. In te case of ROX transform bot te padding algoritm (rox-pad) and te iteration algoritm need small-input random oracles as well. Te padding functions used in te S, ES and ROX domain extension transforms are Strengtening, Strengtened Cain Sift and rox-pad defined as follows, were 2 λ is te maximum message lengt in bits (typically λ = 64) : Strengtening: pad s : {0, 1} <2λ L 1 {0, 1}Lb, were pad s (M) =M 10 p M λ and p is te minimumnumberof0 srequiredtomaketelengtofpad s (M) a multiple of block lengt. Strengtened Cain Sift: padcs s : {0, 1} <2λ L 1 {0, 1}Lb+b n, were padcs s (M) =M 10 r M λ 0 p, and parameters p and r aredefinedintwowaysdependingonteblocklengtb. Ifb n+λ ten p = 0, oterwise p = b n. Tenr is te minimum number of 0 s required to make te padded message a member of {0, 1} Lb+b n, for some positive integer L. rox-pad: rox-pad RO 2 : {0, 1} <2λ L 1 {0, 1}L.b,wereRO 2 : {0, 1} k {0, 1} λ {0, 1} log b {0, 1} 2n is an auxiliary FIL random oracle, and rox-pad RO 2 (M) =M RO 2 (M 1...k, M λ, 1 ) RO 2 (M 1...k, M λ, 2 ), were te last block of padded message must contain at least 2n bits generated by RO 2 wic implies adding a new final block just for padding if necessary.

6 M. R. Reyanitabar, W. Susilo and Y. Mu Te iteration functions for S, ES and ROX transforms are sown in Fig. 2, were IV,IV 1,andIV 2 are some known initial values and IV 1 IV 2. RO 1 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n is a random oracle used by te ROX iteration function to generate required key masks. f S : {0, 1} Lb {0, 1} n,were = {0, 1} k+tn t = log 2 (L),ν(i) =max {x :2 x i} M 1 M 2 M 3 M L Algoritm f S ( 0 1 t 1,M): C 0 = IV for i =1toL do C i = ((C i 1 ν(i) ) M i ) return C L f ES : {0, 1} (L 1)b+b n {0, 1} n,were = {0, 1} k+tn t = log 2 (L 1) +1,ν(i) =max {x :2 x i} Algoritm f ES ( 0 1 t 1,M): C 0 = IV 1 ; μ = t 1 for i =1toL 1do C i = ((C i 1 ν(i) ) M i ) C L = ((IV 2 0 ) (C L 1 μ ) M L ) return C L : {0, 1} Lb {0, 1} n,were = {0, 1} k t = log 2 (L),ν(i) =max {x :2 x i} f RO1(.) ROX IV 0 1 0 M 1 M 2 IV 1 0 1 M 1 M 2 2 M L 1 ν(l 1) M 3 μ IV 2 v(l) M L 0 M L b n C L C L Algoritm f RO1(.) ROX (, M): for i =0tot 1do i = RO 1 (, M 1...k, i ) C L = f S ( 0 1 t 1,M) return C L IV 0 1 0 2 v(l) C L Fig. 2. Iteration functions of Soup (S), Enveloped Soup (ES), and ROX transforms Te variable-input-lengt (VIL) as function H : {0, 1} <2λ {0, 1} n,forh {S,ES,ROX}, obtained by applying S, ES, or ROX domain extension transforms on a fixed-input-lengt (FIL) as function : {0, 1} k {0, 1} n+b {0, 1} n is defined, respectively, as follows: S(,M)=f S (, pad s (M)), were = 0 t 1 {0, 1} k+tn ES(,M)=f ES (, padcs s (M)), were = 0 t 1 {0, 1} k+tn ROX RO 1,RO 2 (, M) =f RO 1(.) ROX (, rox-padro 2(.) (M)), were {0, 1} k 3 Property Preservation Analysis of te Transforms In tis section we analyze property preserving capability of te ROX and ES transforms in terms of te ten security notions defined in section 2.2, namely CR (Coll), Sec, asec, esec(tcr), Pre, apre, epre, MAC, PRF, PRO. ROX was already sown in [1] to be able to preserve seven properties, namely: CR (Coll), Sec, asec, esec, Pre, apre, and epre. We complete a property-preservation analysis of ROX in regard to te oter tree important security notions (i.e. MAC, PRF, PRO) and gater bot negative and positive results. On te negative side we sow tat ROX cannot preserve MAC and PRO notions. As a positive result we note tat ROX can also preserve PRF. Next we investigate ES transform. ES was already sown in [3] to be

Analysis of Property-Preservation Capabilities of te ROX and ES 7 abletopreservefiveproperties,namely:cr(coll),mac,prf,pro,andtcr(esec).wecompletete property preservation analysis of ES wit respect to te remaining five properties among te ten notions by sowing, as negative results, tat ES does not preserve four properties, namely Sec, asec, Pre, apre, and as a positive result we sow tat it can also preserve epre. 3.1 Analysis of te ROX Transform In tis section we provide two negative results about PRO and MAC preservation and one positive result about PRF preserving capability of te ROX domain extension transform. Among tese results, te negative result sowing tat ROX does not preserve PRO seems more interesting regarding te fact tat ROX, unlike all oter as domain extension transforms, uses random oracles in its construction. Indifferentiability Analysis of te ROX Construction. Our aim is to sow tat ROX transform does not preserve PRO, i.e., te VIL as function obtained using ROX transform is differentiable from a true VIL random oracle. We first provide te required generalization of PRO notion for te case of ROX construction based on te indifferentiability framework of [11]. Ten we provide our negative result in Teorem 1. For te purpose of PRO analysis (in te dedicated key as setting [3]), te compression function : {0, 1} k {0, 1} n+b {0, 1} n is modeled as a family of FIL random oracles, i.e. : {0, 1} n+b {0, 1} n is assumed to be an FIL random oracle for any value of te key were (.) =(,.). We note tat te ROX transform itself utilizes two additional FIL random oracles, namely RO 1 and RO 2 in generation of te key masks used in te iteration function and padding, respectively. Hence te VIL as function ROX,RO 1,RO 2 : {0, 1} k {0, 1} <2λ {0, 1} n will ave access to tree FIL random oracles, namely (.),RO 1 (.) andro 2 (.). According to te general indifferentiability framework of [11] wic is used to define PRO in [7, 4, 3], adversary A will be given access to four oracles; namely, a VIL oracle O 1 : {0, 1} <2λ {0, 1} n, and tree FIL oracles as O 2 : {0, 1} n+b {0, 1} n, O 3 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n and O 4 : {0, 1} k {0, 1} λ {0, 1} log b {0, 1} 2n, and must differentiate between te following two worlds: World 1: A random key {0, $ 1} k is selected. Te oracles are set as O 1 (.) =ROX,RO 1,RO 2 (,.), O 2 (.) = (.), O 3 (.) =RO 1 (.), O 4 (.) =RO 2 (.). A is given as input and as access to te four oracles. World 2: A random key {0, $ 1} k is selected. O 1 (.) =F(.) weref : {0, 1} <2λ {0, 1} n is a true VIL random oracle. A simulator S F () =(S1 F(), SF 2 (), SF 3 ()),avingaccesstoteoraclef(.) and receiving as input, simulates te role of te tree FIL random oracles for te adversary. Tat is, in tis world wen adversary queries te first oracle (i.e. te VIL oracle) O 1 te response comes from te true VIL random oracle F(.), but wen adversary queries any of te tree FIL oracles O 2 (.), O 3 (.) and O 4 (.), te queries are forwarded to te te simulator S. Simulator will respond to tese queries trying to mimic te oracles (.),RO 1 (.) andro 2 (.), respectively, by its sub-algoritms S 1, S 2 and S 3 in a way tat convinces A tat O 1 (.) isrox,ro 1,RO 2 (,.) altougitisnowactuallyf(.). Let H (.) =H(,.) =ROX,RO 1,RO 2 (,.). Te PRO advantage of te adversary in differentiating H from F is defined as follows: Adv PRO H (A) = [ Pr A O 1, O 2, O 3, O 4 () 1 World 1 ] Pr [ A O 1, O 2, O 3, O 4 () 1 World 2 ] [ ] [ = Pr A H (.), (.), RO 1 (.), RO 2 (.) () 1 Pr A F(.), SF 1 (), SF 2 (), SF 3 () () 1] We say tat an adversary A is a (t A,t S,q 1,q 2,q 3,q 4,l,ɛ)-differentiating adversary against H if its PRO advantage is at least ɛ against any simulator S aving time complexity at most t S, were te time complexity

8 M. R. Reyanitabar, W. Susilo and Y. Mu of te adversary is at most t A, te number of queries from i-t oracle is at most q i (for 1 i 4) and te lengt of eac query is at most l bits. Now we are ready to state our negative result wic sows te inability of ROX to preserve PRO. Teorem 1 (Negative Result: PRO). ROX domain extension transform does not preserve pseudorandom oracle. Proof. We sow a (c, t S, 2, 1, 1, 2, 3b 2n, 1 2 n )-differentiating adversary against H,i.e.A as overwelming PRO advantage of 1 2 n in differentiating te VIL as function ROX,RO 1,RO 2 : {0, 1} <2λ {0, 1} n from a true VIL random oracle F : {0, 1} <2λ {0, 1} n, wit respect to any simulator S wit arbitrary time complexity t S. A astimecomplexityt A = c, werec is a small constant, and it asks only: two queries from te first oracle O 1, one query from te second oracle O 2, one query from te tird oracle O 3 and two queries from te fourt oracle O 4. Te maximum query lengt is 3b 2n bits. Adversary A acts as follows: 1. M {0, $ 1} 2b 2n and Y O 1 (M); 2. IP O 4 (M 1...k, 2b 2n λ, 1 ); 3. M $ {0, 1} b 2n and Z O 1 (M IP M ); 4. 0 O 3 (, M 1...k, 0 ); 5. OP O 4 (M 1...k, 3b 2n λ, 1 ); 6. Z ( O 2 (Y 0 ) M OP ) ; 7. If Z = Z ten return 1 (i.e. guess tat it is World 1) else return 0 (i.e. guess tat it is World 2 ) From te construction of te ROX as function and te description of te World 1, it can be seen tat Pr [ A H (.), (.), RO 1 (.), RO 2 (.) () 1 ] [ ] = 1. We claim tat Pr A F(.), SF 1 (), SF 2 (), SF 3 () () 1 = 2 min{n,2b 2n k}. Tis can be seen by noting tat in World 2, te only queries tat te simulator S F () = (S1 F(), SF 2 (), SF 3 ()) can see and must respond to are te queries from O 2, O 3,andO 4 oracles. It is wort reminding tat, te simulator cannot see query-response sequence between te adversary A and te first oracle O 1 due to te definition of indifferentiability [7, 4, 3], as tese queries are answered directly by te true VIL random oracle F in World 2. Hence referring to te description of te adversary A, itcan be seen tat te simulator S just is given te first k bits of te first message M, i.e. M 1...k, and as no information about te remaining 2b 2n k bits of te message M. Hence to make A output a one (i.e. to fool A), simulator S must eiter guess tese 2b 2n k unknown bits of M (wit success probability of 2 (2b 2n k) ) or guess te correct value of Z (wit success probability of 2 n ) in order to be able to provide a correct value Z at step 6 of A s differentiating attack. (Note tat te success probability of S in guessing te correct value of tese unknown bits is independent of te time complexity of S, i.e. t S,asS as no information about tese bits.) So, we ave Adv PRO H (A) =1 2 min{n,2b 2n k}. It remains to verify tat 2b 2n k n. According to te construction of rox pad RO 2 it must be te case tat b 2n and referring to [1], typical values for k and n are suggested as k =80bitsandn = 160 bits for an 80-bit security level, i.e. we ave k n/2. Hence min {n, 2b 2n k} = n and Adv PRO H (A) =1 2 n as claimed. MAC Preservation Analysis of te ROX. We sow tat te ROX transform does not preserve MAC (unforgeability). Tis is done by providing as a counterexample, a compression function wic is a secure MAC but for wic te VIL as function obtained by using ROX transform will be insecure in MAC sense. Assume tat tere is a compression function g : {0, 1} k {0, 1} n+b {0, 1} n 1 wic is (t, q, ɛ) MAC. Consider te following construction from [3] for a compression function : {0, 1} k {0, 1} n+b {0, 1} n, were s = log 2 (n) : { g (C M) C[i] if M = i (C M) = s 0 b s for i {1,,n 1} g (C M) C[n] oterwise

Analysis of Property-Preservation Capabilities of te ROX and ES 9 Itissownin[3]tatifg is (t, q, ɛ) MAC ten will be (t cq,q,ɛ) MAC, were c is a small constant. Note tat leaks te i-t bit of its caining variable input C to te output if its input block M equals to i s 0 b s,fori {1,,n 1}, and oterwise leaks te n-t (i.e. te last) bit of C. We use tis counterexample to prove te following negative result. Teorem 2 (Negative Result: MAC). ROX domain extension transform does not preserve MAC. Proof. Consider te above counterexample function as an FIL MAC. We sow tat te VIL function H(,.) =ROX,RO 1,RO 2 (,.) obtained by applying te ROX transform on tis FIL MAC will not be asecuremac.tisisdonebydescribinganadversarya wic can break H(,.) in MAC sense, wit success probability 1 4 and wose computational resources are only: one query from te random oracle RO 2 (.), 2(n 1) queries from te function H (.) wit maximum lengt of eac query 4b 2n bits, and a constant time complexity proportional to n. Te idea beind te construction of te adversary A is te same lengt reduction attacks used in [3] to sow tat S transform is not MAC preserving. We adapt te attack for te case of ROX transform by considering te special padding function rox-pad RO 2 used by te ROX. Te algoritm for te adversary A is sown in Fig. 3. It as oracle access to H (.) andro 2 (.). Note tat in definition of te MAC security notion, te key is considered secret from te adversary and ence A cannot compute H (.) directly. It selects an all zero string of lengt 2b 2n bits as M =0 2b 2n, for wic it tries to return a valid tag T under H (.). To tis aim, A first queries RO 2 as IP RO 2 (M 1...k, 2b 2n λ, 1 ) to get te 2n-bit response IP (IP stands for internal padding ). It ten queries oracle H (.) onn 1 messages, eac of lengt 4b 2n bits, constructed as QH i = M IP i s 0 b s 0 b 2n, and it receives te response Y i = H (QH i ), for i {1,,n 1}.Lety i denote te last bit of Y i, i.e. y i = Y i [n]. According to te ROX construction and te structure of te counterexample compression function, te value of te bit y i will be computed as y i = H (M)[i] 0 [i] 2 [n] wit overwelming probability of at least 1 2 min{2n,b s}.tiscanbe seen from (te Top-Rigt diagram in) Fig. 3 noting tat te final block contains 2n bits of random padding string (denoted by OP) as its last bits and ence tis final block input to te compression function is not equal to i s 0 b s wit probability at least 1 2 min{2n,b s},fori {1,,n 1}, and terefore will leak te last bit (i.e. n-t bit) of its caining variable input to te output Y i. Terefore wit probability at least 1 2 min{2n,b s},tevariabley i (for 1 i n 1) contains te i-t bit of te tag T for te message M (i.e. T [i] =H (M)[i]) masked wit te unknown key bits 0 [i] and 2 [n]. For any typical value of b and n (say b = 512,n = 160) we ave 1 2 min{2n,b s} 1 and so we assume tat tis probability is approximately one, to prevent unnecessary complexity in te analysis. Now A triestopeeloffteunknownkeybits 0 [i], for 1 i n 1. It queries H (.) onn 1 messages, eac of lengt 2b 2n bits, constructed as qh i = i s 0 b s 0 b 2n and receives te response Z i = H (qh i ), for i {1,,n 1}. Letz i denote te last bit of te Z i, i.e. z i = Z i [n]. According to te description of H (.) and te structure of te counterexample function, te value of bit z i will be computed as z i = H (qh i )[i] =IV [i] 0 [i] 1 [n] wit overwelming probability of at least 1 2 2n. Tis can be seen from (te Bottom-Rigt diagram in) Fig. 3 noting tat te final block contains 2n bits of random padding string (denoted by OP i ) as its last bits and ence tis final block input to te compression function is not equal to i s 0 b s wit probability at least 1 2 2n, for any i {1,,n 1}, and ence will leak te last bit (i.e. n-t bit) of its caining variable input to te output Z i. For any typical value of n (say n = 160 as in SHA-1) we ave 1 2 2n 1 and so we assume tat tis (overwelming) probability is approximately one. Now for eac i {1,,n 1} adversary builds a variable t i = y i z i IV [i] wose value will be t i = H (M)[i] 1 [n] 2 [n] (wit overwelming probability of at least (1 2 2n ) 2 1 for typical values of n, sayn = 160). Note tat te value of te remaining unknown masking bit 1 [n] 2 [n] is independent of te index i, i.e. it is te same for all t i and terefore adversary can guess tis unknown value wit probability 1/2. Tat is, for a random guess α {0, $ 1} wit probability 1/2 tevaluet i α will be

10 M. R. Reyanitabar, W. Susilo and Y. Mu equal to H (M)[i] =T [i] (i.e. te correct tag value), for all i {1,,n 1}. Itjustremainstocompute te last bit of te tag T,i.e.T [n], but A just guesses tis one bit and wit probability 1/2 tis guess will be correct. Hence te adversary A computes a correct MAC tag T for te message M under H (.) wit probability 1/4 (or more precisely wit probability 1 4 (1 (n 1)2 2n+1 ), wic for any typical value of as size n, sayn = 160, will be 1/4). Note tat te message M never is queried from H (.) in te attack and so tis is a valid forgery attack. Referring to te algoritm for A it is seen tat A is quite efficient as its computational resources are: one query from te random oracle RO 2 (.), 2(n 1) queries from te function H (.) wit maximum lengt of eac query 4b 2n bits, and a constant time complexity proportional to n wic can be easily determined from te description of A. Algoritm A H (.),RO 2(.) : M 0 2b 2n IP RO 2 (M 1...k, 2b 2n λ, 1 ) for i =1ton 1do Y i H (M IP i s 0 b s 0 b 2n ) y i Y i [n] for i =1ton 1do Z i H ( i s 0 b s 0 b 2n ) z i Z i [n] α {0, $ 1} for i =1ton 1do t i y i z i IV [i] T [i] t i α $ T [n] {0, 1} T T [1] T[n] return (M,T) IV 0 b 0 b 2n IP 0 <i> s 0 b s 1 0 <i> s 0 b s 0 b 2n OP 2 M =0 2b 2n y i = Y i [n] =H (M)[i] 0 [i] 2 [n] OP = RO 2 (0 k, 4b 2n, 1 ) IV 0 0 b 2n OP i 1 Z i z i = Z i [n] =IV [i] 0 [i] 1 [n] OP i = RO 2( i s 0 k s, 2b 2n, 1 ) Y i Fig. 3. (Left) Description of te algoritm for an adversary A against te VIL function H (.) =ROX RO 1,RO 2 (,.) based on te (counterexample) FIL MAC function. (Rigt) Te structure of te queries from H (.) and computation of te responses according to te ROX construction. Teorem 3 (Positive Result: PRF). ROX domain extension transform preserves PRF. Proof. Tis result is just a straigtforward corollary of a teorem in [3] (Teorem 5, page 407) sowing tat in te dedicated-key as function setting (were te compression function is a keyed as function) Merkle-Damgård transform and all of its variants including Soup are PRF preserving transforms. As sown in[3,5]eveniftekeymasks( 0, 1, ) in Soup construction are made public and only te key () for te compression function is kept secret ten Soup transform will still be PRF preserving. Clearly a special case will be putting te value of all key masks to zero in wic case Soup iteration will be te same as Merkle-Damgård iteration wic is a PRF preserving transform in te dedicated-key as setting [5]. We note tat te iteration function of te ROX transform is exactly te same as Soup were te key masks are generated using a random oracle (Refer to Fig. 2).

Analysis of Property-Preservation Capabilities of te ROX and ES 11 3.2 Analysis of te ES Transform Te following teorems sow our results about te ES. We sow bot negative results and a positive result about property preservation capability of ES. Teorem 4 (Negative Results: Sec, asec, Pre, and apre). ES domain extension transform does not preserve any of te Sec, asec, Pre, and apre security properties. Proof. Te proof is done by sowing, as a counterexample, a compression function wic is secure in xxx sense for xxx {Sec,aSec,Pre,aPre} but for wic te full-fledged as function obtained using ES domain extension transform is completely insecure in xxx sense for xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]} and for any value of te parameter δ<2 λ (remember tat 2 λ is te maximum input message lengt in bits). Referring to te description of te strengtened cain sift padding function (padcs s )usedines transform, we consider te following two cases depending on te sizes of te parameters b, n and λ (note tat for ES, b n and typical value of λ = 64): Case 1: if b n + λ ten padcs s (M) =M 10 r M λ Case 2: if b<n+ λ ten padcs s (M) =M 10 r M λ 0 b n Assume tat tere is a compression function g : {0, 1} k {0, 1} n+b {0, 1} n 1 wic is (t, ɛ)-xxx, were xxx is any of te four properties in {Sec,aSec,Pre,aPre}. For Case 1 and Case 2, respectively, consider te following two compression functions 1 : {0, 1} k {0, 1} n+b {0, 1} n and 2 : {0, 1} k {0, 1} n+b {0, 1} n : 1 (, M) ={ 0 n if M n+b λ+1...n+b = δ λ g(, M) 1 oterwise { 0 n if M 2 (, M) = 2n+1...n+b =0 b n g(, M) 1 oterwise Construction of te counterexamples 1 and 2 are inspired from te CE 3 counterexample in [1] were we make some modifications in te conditions defining tese two functions as it is necessary to consider te effect of padcs s padding in ES transform. To complete te proof of te teorem we prove and combine te following two lemmas. Te first lemma sows tat te compression functions 1 and 2 inerit security properties xxx {Sec,aSec,Pre,aPre} from te compression function g and te second lemma sows tat ES transform cannot preserve tese four properties wile extending te domain of 1 or 2 compression functions. Note tat only one of tese compression functions are used depending on wic of te two conditions specified in Case 1 and Case 2 above are te case. Lemma 1. If g is (t, ɛ)-xxx ten 1 is (t, ɛ +2 λ )-xxx and 2 is (t, ɛ +2 (b n) )-xxx, for any of te notions xxx {Sec, asec, Pre, apre}. Proof. Te proof is provided in Appendix 1. Lemma 2. For any xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]}, and for any value of δ<2 λ, tere is a simple adversary wic can break te domain extended as function ES(,M)=f ES (, padcs s (M)) using 1 or 2 as te compression function. Proof. Considering te description of te padcs s and counterexample compression functions 1 and 2, we ave ES(,M) = 0 for any M {0, 1} δ. Hence, in Pre[δ] and apre[δ] attacks adversary A just needs to output any arbitrary M {0, 1} δ and wins wit probability one. Similarly, in Sec[δ] and asec[δ] attacks A only needs to output any M {0, 1} δ wic is different from te callenge message M {0, 1} δ and wins wit probability one. Tat is, te VIL as function ES : {0, 1} <2λ {0, 1} n, defined as ES(,M)=f ES (, padcs s (M)) using 1 or 2 is completely insecure in xxx sense for xxx {Sec[δ], asec[δ], Pre[δ], apre[δ]} and for any value of te parameter δ, wereδ<2 λ.

12 M. R. Reyanitabar, W. Susilo and Y. Mu Teorem 5 (Positive Result: epre). If te compression function : {0, 1} k {0, 1} n+b {0, 1} n is (t, ɛ) epre ten te full-fledged as function ES : {0, 1} <2λ {0, 1} n defined as ES(,M)=f ES (, padcs s (M)) will be (t,ɛ) epre, were t = t c, for a small constant c. Proof. Assume tat tere is an adversary A against epre property of te as function ES wit time complexity t and advantage ɛ. We construct an adversary B wic can break te compression function in epre sense wit te same advantage (i.e. ɛ = ɛ ) and wose time complexity is tat of A plus a small constant time (i.e. t = t + c). Adversary B runs A and on receiving te value of Y from A outputs te same value Y as its own target as value in te first pase of epre game. B receives (te random key $ for ), generates 0 t 1 {0, 1} t.n,weret = log 2 (2 λ /b) + 1 and sends te key 0 t 1 to adversary A as te key for te full-fledged as function ES. Note tat because B by tis pase just knows te Y and does not know te lengt of te input message to te as function ES, it generates a key string of maximum required lengt for te XOR masks, i.e. t.n bits, for t = log 2 (2 λ /b) +1were 2 λ /b is te maximum possible input lengt in blocks and n is te as size. Now on receiving te message M from A (wic is to be a preimage for Y under ES, i.e. Y = ES( 0 t 1,M ) ), adversary B simplyoutputstevalue(iv 2 0 ) (C L 1 μ ) M L as a preimage for Y (refer to Fig. 2) wic is te input to te final application of te compression function in te construction of ES as function. Clearly B wins wenever A wins. Te time complexity of B is tat of A plus te time required to generate t random n-bit keys, were t = O(λ) (typically λ = 64), and te time to compute te as function ES on a message of lengt M. 4 Can We Preserve All Properties? In te previous section we sowed tat te ROX transform, wic is a random oracle variant of Soup, does not preserve MAC and PRO notions and also we sowed tat te Enveloped Soup (ES) transform does not preserve Sec, asec, Pre, apre notions. An immediate question arises from tis analysis is tat weter we can preserve all te ten properties simultaneously by a new domain extension transform. 4.1 Using FIL Random Oracles If we are allowed to use some FIL Random Oracles in our construction in te same way tat ROX does (i.e. uses FIL random oracles just for padding and generation of masking keys), ten our analysis in te previous section ints us towards a candidate for suc a ten-property-preserving transform by just mixing components from bot ES and ROX. We notice tat, as sown in Fig. 2, ROX utilizes Soup s iteration as its underlying iteration function and uses FIL random oracles for generation of masking keys and padding function. Hence te natural candidate for a ten property preserving transforms seems to be a random oracle variant of ES wit some necessary adaptation in a similar way tat ROX is obtained from S. We call suc a transform as Random-Oracle Enveloped Soup (RO-ES). Te construction of RO-ES can be seen as a mixture of ES and ROX elements and like te ROX construction, RO-ES also needs two small-input FIL random oracles. Te FIL random oracles in RO-ESH are used only, logaritmic number of times in message lengt, for message padding and generation of masking keys from a single key, but te compression function itself is not modeled as a random oracle. Te padding function of te RO-ES domain extension transforms is defined as follows, were 2 λ is te maximum message lengt in bits (typically λ = 64) : RO-ES-pad : {0, 1} <2λ L 1 {0, 1}L.b+b n RO-ES-pad RO 2 (M) =M 10 r RO 2 (M 1...k, M λ )

Analysis of Property-Preservation Capabilities of te ROX and ES 13,werer is te minimum number of 0 s required to make te padded message a member of {0, 1} L.b+b n, for some positive integer L, andro 2 : {0, 1} k {0, 1} λ {0, 1} b n is an FIL random oracle. Te iteration function for RO-ES transform is sown in Fig. 4, were IV 1 and IV 2 are known initial values and IV 1 IV 2. RO 1 : {0, 1} k {0, 1} k {0, 1} log λ {0, 1} n is a random oracle used by te RO-ES iteration function to generate required key masks. f RO1(.) RO ES : {0, 1}(L 1).b+b n {0, 1} n,were = {0, 1} k t = log 2 (L 1) +1,ν(i) =max {x :2 x i} M 1 M 2 M L 1 M L Algoritm f RO1(.) RO ES (, M): for i =0tot 1do i = RO 1 (, M 1...k, i ) C L = f ES ( 0 1 t 1,M) return C L IV 1 0 1 ν(l 1) μ IV 2 0 b n C L Fig. 4. Iteration function of te RO-ES transform. Te structure of te iteration is te same as ES and only te key masks are generated using an FIL random oracle RO 1. f ES is te iteration function of ES as sown by te diagram on te left and described in Fig. 2. Te VIL as function H : {0, 1} k {0, 1} <2λ {0, 1} n, obtained by applying te RO-ES domain extension transform on an FIL as function : {0, 1} k {0, 1} n+b {0, 1} n is defined as follows: H(, M) =RO-ES RO 1,RO 2 (, M) =f RO 1 RO ES (, RO-ES-padRO 2 (M)) Te proof of te following Teorem is obtained by a straigtforward (but lengty) adaptation of te previous results proved in [1] and [3], for te security of ROX and ES transforms, respectively. Teorem 6. If te compression function : {0, 1} k {0, 1} n+b {0, 1} n as security property P {CR, Sec, asec, T CR, P re, ap re, ep re, MAC, P RF, P RO}, ten te as function H obtained by RO-ES transform will also possess property P, wit te following concrete-security reductions and relations between te resources: 1. if is (t, ɛ)-cr ten H will be (t,l,ɛ )-CR, were ɛ = ɛ + q2 RO 2 2 b n and t = t 2τ(l)T 2. if is (t, ɛ)-tcr ten H will be (t,l,ɛ )-TCR, were ɛ = τ(l)ɛ + q RO 1 2 k + q2 RO 2 2 b n and t = t 2τ(l)T 3. if is (t, ɛ)-asec ten H will be (t,l,ɛ )-asec[m], were ɛ = τ(l)ɛ + q RO 1 2 k + q2 RO 2 2 b n and t = t 2τ(l)T 4. if is (t, ɛ)-sec ten H will be (t,l,ɛ )-Sec[m], were ɛ = τ(l)ɛ + q2 RO 2 2 b n and t = t 2τ(l)T 5. if is (t, ɛ)-apre ten H will be (t,l,ɛ )-apre[m], were ɛ = ɛ + q RO 1 2 k and t = t 2τ(l)T 6. if is (t, ɛ)-pre ten H will be (t,l,ɛ )-Pre[m], were ɛ = ɛ and t = t τ(l)t 7. if is (t, ɛ)-epre ten H will be (t,l,ɛ )-epre, were ɛ = ɛ and t = t τ(l)t 8. if is (t, q, ɛ)-mac ten H will be (t,q,l,ɛ )-MAC, were ɛ =(q 2 /2+3q/2+1)ɛ, t = t c(q +1)τ(l) and q =(q τ(l)+1)/τ(l)

14 M. R. Reyanitabar, W. Susilo and Y. Mu 9. if is (t, q, ɛ)-prf ten H will be (t,q,l,ɛ )-PRF, were ɛ = ɛ + q 2 τ(l) 2 /2 n, t = t cqτ(l) and q = q/τ(l) 10. if = RF n+b, n be a random oracle for any arbitrary, tenh will be (t A,t S,q 1,q 2,q 3,q 4,l,ɛ)-PRO, were running time of adversary t A is arbitrary, time complexity for simulator t S = O(q 2 2 ), q i is te number of queries by adversary from i-t oracle (for 1 i 4) and ɛ = τ(l)2 q1 2 + τ(l)q 1q 2 + q2 2 2 n + τ(l)q 1 + q 2 + q3 2 2 n In above relations: τ(l) = (l +1)/b +1 = L is te number of blocks after applying RO-ES-pad function on an l-bit message M, T is te time to compute compression function, q RO1 and q RO2 are, respectively, te number of queries from RO 1 (.) and RO 2 oracles. 4.2 Witout Any Random Oracle As it was sown in analysis of ES, as a standard model transform, te four properties, namely; Pre, apre, Sec, and asec are not preserved by ES. It appears to be a crux to preserve tese four properties (simultaneously) in te standard model. Sec. Andreeva and Preneel in SAC 2008 [2] proposed a keyed transform to extend te domain of a keyless compression function. Te proposed transform yields to a dedicated-key VIL as function wic is CR and Sec secure (were CR and Sec notions are defined for a dedicated-key as function) based on te assumptions tat underlying keyless compression function is, respectively, CR or Sec (ere CR and Sec are defined for a keyless compression function). Te setting is called keyless compression function - keyed iteration in [2]. We note tat te nature of Sec notion for te keyless compression function and tat of keyed as function is different. Unfortunately te proposed sceme cannot be sown to be Pre secure in standard model and only a random oracle argument is provided in [2] for its security in Pre sense. Pre. To te best of our knowledge, te only transform in te standard model tat is pointed out in [1] to be Pre preserving (in te dedicated-key as setting) is te XOR Tree sceme, but it does not preserve apre and asec as sown in [1]. asec and apre. Tere is currently no transform in te literature tat can preserve asec and apre in te standard model. Suc an asec and apre preserving transform in dedicated-key as setting will also yield to a construction in keyless as setting capable of preserving te Second Preimage Resistance and Preimage Resistance (a.k.a One-wayness) of te underlying keyless compression function. Remark. It is wort reminding tat we call a as domain extension transform (eiter in dedicated-key or keyless settings) capable of preserving a security property P (defined eiter for a dedicated-key or keyless as function) if te constructed VIL as function provably possesses te property P assuming tat te underlying compression function satisfies te same property P. Tis is different from a scenario were one proves tat te VIL as function as property P if its underlying compression function satisfies a different property P, e.g. [18], or a collection of different assumptions, e.g. [10, 9].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback