Abstract
At ASIACRYPT’06, Chang et al. analyzed the indifferentiability of some popular hash functions based on block ciphers, namely, the twenty collision resistant PGV, the MDC2 and the PBGV hash functions, etc. In particular, two indifferentiable attacks were presented on the four of the twenty collision resistant PGV and the PBGV hash functions with the prefix-free padding. In this article, a synthetic indifferentiability analysis of some block-cipher-based hash functions is considered. First, a more precise definition is proposed on the indifferentiability adversary in block-cipher-based hash functions. Next, the advantage of indifferentiability is separately analyzed by considering whether the hash function is keyed or not. Finally, a limitation is observed in Chang et al.’s indifferentiable attacks on the four PGV and the PBGV hash functions. The formal proofs show the fact that those hash functions are indifferentiable from a random oracle in the ideal cipher model with the prefix-free padding, the NMAC/HMAC and the chop construction.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Bellare M., Rogaway P.: Random oracle are practical: a paradigm for designing efficient protocols. In: ACM CCS’93, ACM, pp. 62–73 (1993).
Black J., Rogaway P., Shrimpton T.: Black-box analysis of the black-cipher-based hash-function constructions from PGV. In: Advances in Cryptology–CRYPTO’02. LNCS 2442, pp. 320–335 (2002).
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J Comput. 32(3), 586–615 (2003)
Brachtl B.O., Coppersmith D., Hyden M.M., Matyas S.M., Meyer C.H., Oseas J., Pilpel S., Schilling M.: Data authentication using modification detection codes based on a public one way encryption function. US Patent Number 4,908,861, 13 March 1990.
Brown D.: Generic groups, collision resistance, and ECDSA. http://eprint.iacr.org/2002/026 (2002) Accessed 27 Feb 2002.
Canetti R., Goldreich O., Halevi S.: The randoom oracle methodology, revisited. In: Proceedings of 30th ACM Symposium on the Theory of Computing. ACM Press, pp. 209–218 (1998).
Chang D.H., Lee S.J., Nandi M., Yung M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. In: Lai X., Chen K. (eds.), ASIACRYPT 2006, LNCS 4284, pp. 283–298 (2006).
Coron J.S., Dodis Y., Malinaud C., Puniya P.: Merkle-damgard revisited: how to construct a hash function. In: Advances in Cryptology–CRYPTO’05, LNCS 3621, pp. 21–39 (2005).
Damgard I.: A design principle for hash functions. In: Advances in Cryptology, Cyrpto’89, LNCS 435, pp. 416–427 (1989).
Dent A.: Adapting the weakness of the random oracle to the generic model. In: ASIACRYPT 2002, LNCS 2501, pp. 101–109 (2002).
Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. In: CRYPTO’99, LNCS 1666, pp. 537–554 (1999).
Goldwasser S., Tauman Y.: On the (In) security of the Fiat-Shamir paradigm. In: FOCS 2003, IEEE Computer Society, pp. 102–122 (2003).
Hirose S.: Some plausible constructions of double-block-length hash functions. In: FSE 2006, LNCS 4047, pp. 210–225 (2006).
Knudsen, L.R., Lai, X., Preneel, B.: Attacks on fast double block length hash functions. J. Cryptol. 11, 59–72 (1998)
Lai X., Massey J.L.: Hash functions based on block ciphers. In: Advances in Cryptology-Eurocrypt’92, LNCS 658, pp. 55–70 (1993).
Lucks S.: A failure-friendly design principle for hash functions. In: ASIACRYPT 2005, LNCS 3788, pp. 474–494 (2005).
Maurer U., Renner R., Holenstein C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Theory of Cryptography—TCC 2004, LNCS 2951, pp. 21–39 (2004).
Merkle R.C.: One way hash functions and DES. In: Advances in Cryptology, Crypto’89, LNCS 435, pp. 428–446 (1989).
Nielsen J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: CRYPTO’98, LNCS 2442, pp. 111–126 (2002).
Paillier P., Vergnaud D.: Discrete-log-based signatures may not be equivalent to discrete log. In: ASIACRYPT 2005, LNCS 3788, pp. 1–20 (2005).
Preneel B., Bosselaers A., Govaerts R., Vandewalle J.: Collision-free hash-functions based on blockcipher algorithms. In: Proceedings of 1989 International Carnahan Conference on Security Technology, pp. 203–210 (1989).
Preneel B., Govaerts R., Vandewalle J.: Hash functions based on block ciphers: a synthetic approach. In: Advances in Cryptology-CRYPTO’93, LNCS 773, pp. 368–378 (1994).
Rogaway P., Shrimpton T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance and collision resistance. In: FSE 2004, LNCS 3017, pp. 371–388 (2004).
Shannon, C.: Communication theory of secrecy systems. Bell Syst. Tech. J 28(4), 656–715 (1949)
Wang X., Yin Y., Yu H.: Finding collision in the Full SHA-1. In: CRYPTO’05, LNCS 3621, pp. 17–36 (2005).
Wang X., Yu H.: How to break MD5 and other hash functions. In: EUROCRYPT’05, LNCS 3494, pp. 19–35 (2005).
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by V. Rijmen.
Rights and permissions
About this article
Cite this article
Gong, Z., Lai, X. & Chen, K. A synthetic indifferentiability analysis of some block-cipher-based hash functions. Des. Codes Cryptogr. 48, 293–305 (2008). https://doi.org/10.1007/s10623-008-9208-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-008-9208-4