## Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier

### BibTeX

```bibtex
@MISC{Moody_indifferentiabilitysecurity,
  author = {Dustin Moody and Souradyuti Paul and Daniel Smith-Tone},
  title  = {Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier},
  year   = {}
}
```

### Abstract

A hash function secure in the indifferentiability framework (TCC 2004) is able to resist all meaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multi-collision type attacks on the Merkle-Damgård mode (Crypto 1989), Lucks proposed widening the size of the internal state of hash functions. More specifically, he suggested that hash functions h: {0,1}^* → {0,1}^n use underlying primitives of the form C: {0,1}^a → {0,1}^{2n} (Asiacrypt 2005). The Fast Wide Pipe (FWP) hash mode was introduced by Nandi and Paul at Indocrypt 2010 as a faster variant of Lucks’ Wide Pipe mode. Despite the higher speed, the proven indifferentiability bound of the FWP mode has so far been only up to the birthday barrier of n/2 bits. The main result of this paper is the improvement of the FWP bound to 2n/3 bits (up to an additive constant). The 2n/3-bit bound for FWP comes with two important implications. Many popular hash modes use primitives with a = 2n, that is C: {0,1}^{2n} → {0,1}^{2n}. For this

### Citations

309 | A design principle for hash functions
- Damgård
- 1989
Citation Context: ...me under multi-collision attacks with O(2^{n/2}) queries [23]. Therefore, their indifferentiability security bounds cannot be extended beyond n/2 bits. A few well known examples include Merkle-Damgård [18, 29], HAIFA [10], EMD [6], and MDP [21]. As a result, to design a practical hash mode with indifferentiability security more than n/2 bits, it seems necessary to use primitives with 2n bits of output (or ...

102 | Multicollisions in iterated hash functions. Application to cascaded constructions
- Joux
- 2004
Citation Context: ... required to break the same property of the random oracle RO: {0,1}^* → {0,1}^n. Generic attacks against hash modes are abundant in the literature. See, for example, Joux’s multi-collision attack [23], Kelsey-Schneier expandable message attack [25], or Kelsey-Kohno herding attack [24, 11], among others [1, 9, 22, 32]. Indifferentiability security. The indifferentiability security framework was int...

54 | Optimal security proofs for PSS and other signature schemes
- Coron
- 2002
Citation Context: ...ce. Thus in some sense, an indifferentiable hash function can be viewed as eliminating potential future attacks. We note that the security of many cryptographic protocols (e.g. RSA-OAEP [34], RSA-PSS [16]) relies on the indifferentiability security of the underlying hash functions that the protocols use as random oracles. In such a case, the security of the hash functions against specialized attacks –...

43 | Merkle-Damgård revisited: How to construct a hash function
- Coron, Dodis, Malinaud, Puniya
- 2005
Citation Context: ... 22, 32]. Indifferentiability security. The indifferentiability security framework was introduced by Maurer et al. [27] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [17] in 2005. A hash mode proven secure in this framework is able to resist all generic attacks. More technically, the indifferentiability framework measures the extent to which a hash function behaves as...

39 | A Framework for Iterative Hash Functions
- Biham, Dunkelman
Citation Context: ...ollision attacks with O(2^{n/2}) queries [23]. Therefore, their indifferentiability security bounds cannot be extended beyond n/2 bits. A few well known examples include Merkle-Damgård [18, 29], HAIFA [10], EMD [6], and MDP [21]. As a result, to design a practical hash mode with indifferentiability security more than n/2 bits, it seems necessary to use primitives with 2n bits of output (or more) [26]. ...

17 | A simple variant of the Merkle-Damgård scheme with a permutation
- Hirose, Park, et al.
- 2007
Citation Context: ...(2^{n/2}) queries [23]. Therefore, their indifferentiability security bounds cannot be extended beyond n/2 bits. A few well known examples include Merkle-Damgård [18, 29], HAIFA [10], EMD [6], and MDP [21]. As a result, to design a practical hash mode with indifferentiability security more than n/2 bits, it seems necessary to use primitives with 2n bits of output (or more) [26]. Examples of hash modes ...

16 | On the Indifferentiability of the Grøstl Hash Function
- Andreeva, Mennink, et al.
- 2010
Citation Context: ...lity bounds can potentially be improved beyond the birthday barrier. Despite several attempts, so far none of them has been shown to have the beyond-birthday-barrier security. See [9], [30], [31] and [4]. In all of the previous attempts, the basic approach for proving indifferentiability security has been more or less the same. First, a suitable compression function is constructed around the primit...

11 | The Parazoa Family: Generalizing the Sponge Hash Functions. Cryptology ePrint Archive, Report 2011/028
- Andreeva, Mennink, et al.
- 2011
Citation Context: ...e operation | input (a) | block (ℓ) | (ℓ/a) | lower | upper. 1. WP,chopMD [14, 17] 2n 0 0 0 0 ro; 2. JH [30] 2n n 0.5 n/2 n(1 − ɛ) ip; 3. Grøstl [20] 2n n 0.5 n/2 n ip; 4. Sponge [8] 2n n 0.5 n/2 n/2 ip; 5. Parazoa [5] 2n n 0.5 up to n/2 n ip; 6. FWP (this paper) 2n n 0.5 2n/3 n ro; 7. Shabal [13] 4n n 0.25 n n ic; 8. BLAKE [2, 15] 4n 2n 0.5 n/2 n/2 ic; 9. FWP (this paper) 4n 3n 0.75 2n/3 n ro; 10. WP,chopMD [14, 17] t...

11 | Breaking the ICE: finding multicollisions in iterated concatenated and expanded (ICE) hash functions
- Hoch, Shamir
- 2006
Citation Context: ... hash modes are abundant in the literature. See, for example, Joux’s multi-collision attack [23], Kelsey-Schneier expandable message attack [25], or Kelsey-Kohno herding attack [24, 11], among others [1, 9, 22, 32]. Indifferentiability security. The indifferentiability security framework was introduced by Maurer et al. [27] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [17] in ...

7 | Provable Security of BLAKE with Non-Ideal Compression Function. IACR Cryptology ePrint Archive, Report 2011/620
- Andreeva, Luykx, et al.
- 2011
Citation Context: ...2 n(1 − ɛ) ip; 3. Grøstl [20] 2n n 0.5 n/2 n ip; 4. Sponge [8] 2n n 0.5 n/2 n/2 ip; 5. Parazoa [5] 2n n 0.5 up to n/2 n ip; 6. FWP (this paper) 2n n 0.5 2n/3 n ro; 7. Shabal [13] 4n n 0.25 n n ic; 8. BLAKE [2, 15] 4n 2n 0.5 n/2 n/2 ic; 9. FWP (this paper) 4n 3n 0.75 2n/3 n ro; 10. WP,chopMD [14, 17] t + 2n t t/(t + 2n) n n ro; 11. FWP (this paper) t + 2n t + n (t + n)/(t + 2n) 2n/3 n ro. Table 1: Indifferentiabil...

7 | Security Analysis of the Mode of JH Hash Function
- Bhattacharyya, Mandal, Nandi
- 2010
Citation Context: ... hash modes are abundant in the literature. See, for example, Joux’s multi-collision attack [23], Kelsey-Schneier expandable message attack [25], or Kelsey-Kohno herding attack [24, 11], among others [1, 9, 22, 32]. Indifferentiability security. The indifferentiability security framework was introduced by Maurer et al. [27] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [17] in ...

3 | Second preimage attacks on dithered hash functions
Citation Context: ... hash modes are abundant in the literature. See, for example, Joux’s multi-collision attack [23], Kelsey-Schneier expandable message attack [25], or Kelsey-Kohno herding attack [24, 11], among others [1, 9, 22, 32]. Indifferentiability security. The indifferentiability security framework was introduced by Maurer et al. [27] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [17] in ...

3 | SHABAL. The 1st SHA-3 Candidate Conference
Citation Context: ...0 0 0 ro; 2. JH [30] 2n n 0.5 n/2 n(1 − ɛ) ip; 3. Grøstl [20] 2n n 0.5 n/2 n ip; 4. Sponge [8] 2n n 0.5 n/2 n/2 ip; 5. Parazoa [5] 2n n 0.5 up to n/2 n ip; 6. FWP (this paper) 2n n 0.5 2n/3 n ro; 7. Shabal [13] 4n n 0.25 n n ic; 8. BLAKE [2, 15] 4n 2n 0.5 n/2 n/2 ic; 9. FWP (this paper) 4n 3n 0.75 2n/3 n ro; 10. WP,chopMD [14, 17] t + 2n t t/(t + 2n) n n ro; 11. FWP (this paper) t + 2n t + n (t + n)/(t + 2n) 2...

3 | Indifferentiability of the hash algorithm BLAKE. Cryptology ePrint Archive
- Chang, Nandi, et al.
Citation Context: ...the extent to which a hash function behaves as a random oracle under the assumption that the underlying small compression function is an ideal object. Indifferentiability attacks include more attacks [3, 9, 15] than just those with known practical significance. Thus in some sense, an indifferentiable hash function can be viewed as eliminating potential future attacks. We note that the security of many crypt...

2 | On the Complexity of the Herding Attack and Some Related Attacks on Hash Functions. Cryptology ePrint Archive
- Stinson, Upadhyay
Citation Context: ...Generic attacks against hash modes are abundant in the literature. See, for example, Joux’s multi-collision attack [23], Kelsey-Schneier expandable message attack [25], or Kelsey-Kohno herding attack [24, 11], among others [1, 9, 22, 32]. Indifferentiability security. The indifferentiability security framework was introduced by Maurer et al. [27] in 2004, and was first applied to analyze hash modes of oper...

2 | Groestl - a SHA-3 candidate. The 1st SHA-3 Candidate Conference
- Gauravaram, Knudsen, et al.
Citation Context: ...eal objects. Table 1 columns: Mode of operation | Primitive input (a) | Message block (ℓ) | Rate (ℓ/a) | Indiff. bound (lower, upper) | Primitive. 1. WP,chopMD [14, 17] 2n 0 0 0 0 ro; 2. JH [30] 2n n 0.5 n/2 n(1 − ɛ) ip; 3. Grøstl [20] 2n n 0.5 n/2 n ip; 4. Sponge [8] 2n n 0.5 n/2 n/2 ip; 5. Parazoa [5] 2n n 0.5 up to n/2 n ip; 6. FWP (this paper) 2n n 0.5 2n/3 n ro; 7. Shabal [13] 4n n 0.25 n n ic; 8. BLAKE [2, 15] 4n 2n 0.5 n/2 n/2 ic...

1 | Sponge Functions. ECRYPT 2007, 2007. http://sponge.noekeon.org/SpongeFunctions.pdf. Accessed March 2012.
- Bertoni, Daemen, et al.
Citation Context: ... quite low. For the Sponge function – though having a high rate of 0.5 – the security bound is n/2-bit, which cannot be improved further, since there is a preimage attack with work approximately 2^{n/2} [7]. Several other designs (JH (2007), Grøstl (2007), FWP (2010) and the Parazoa family (2011)) have shown promise. Each achieves the high rate of 0.5 (if a = 3n then the FWP can achieve a rate of 0.67),...