Results 1 
3 of
3
Salvaging MerkleDamg˚ard for Practical Applications
, 2009
"... Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) MerkleDamg˚ard transform applied to a corresponding compression function. Moreover, it is well known tha ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) MerkleDamg˚ard transform applied to a corresponding compression function. Moreover, it is well known that the resulting “structured ” hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (MerkleDamg˚ard based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) MerkleDamg˚ard transform, applied to a “strong enough ” compression function. In particular, we show that a fixedlength compressing random oracle, as well as the currently used DaviesMeyer compression function (the latter analyzed in the ideal cipher model) are “strong enough ” for the two specific weakenings of the random oracle that we develop. These weaker notions, described below, are quite natural and should be interesting in their own right: • Preimage Aware Functions. Roughly, if an attacker found a “later useful ” output y of the function, then it must
Indifferentiability with distinguishers: Why Shabal does not require ideal ciphers. Cryptology ePrint Archive
 In Matsui [95
"... Shabal is based on a new provably secure mode of operation. Some relatedkey distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
Shabal is based on a new provably secure mode of operation. Some relatedkey distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal’s mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest. 1
Multipropertypreserving Domain Extension Using Polynomialbased Modes of Operation
 Advances in cryptology – EUROcrYPT’10, LNCS
"... Abstract. In this paper, we propose a new doublepiped mode of operation for multipropertypreserving domain extension of MACs (message authentication codes), PRFs (pseudorandom functions) and PROs (pseudorandom oracles). Our mode of operation performs twice as fast as the original doublepiped mode ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. In this paper, we propose a new doublepiped mode of operation for multipropertypreserving domain extension of MACs (message authentication codes), PRFs (pseudorandom functions) and PROs (pseudorandom oracles). Our mode of operation performs twice as fast as the original doublepiped mode of operation of Lucks [15] while providing comparable security. Our construction, which uses a class of polynomialbased compression functions proposed by Stam [22, 23], makes a single call to a 3nbit to nbit primitive at each iteration and uses a finalization function f2 at the last iteration, producing an nbit hash function H[f1, f2] satisfying the following properties. 1. H[f1, f2] is unforgeable up to O(2 n /n) query complexity as long as f1 and f2 are unforgeable. 2. H[f1, f2] is pseudorandom up to O(2 n /n) query complexity as long as f1 is unforgeable and f2 is pseudorandom. 3. H[f1, f2] is indifferentiable from a random oracle up to O(2 2n/3) query complexity as long as f1 and f2 are public random functions. To our knowledge, our result constitutes the first time O(2 n /n) unforgeability has been achieved using only an unforgeable primitive of nbit output length. (Yasuda showed unforgeability of O(2 5n/6) for Lucks ’ construction assuming an unforgeable primitive, but the analysis is suboptimal; in the appendix, we show how Yasuda’s bound can be improved to O(2 n).) In related work, we strengthen Stam’s collision resistance analysis of polynomialbased compression functions (showing that unforgeability of the primitive suffices) and discuss how to implement our mode by replacing f1 with a 2nbit key blockcipher in DaviesMeyer mode or by replacing f1 with the cascade of two 2nbit to nbit compression functions. 1