Blockcipher Based Hashing Revisited
Martijn Stam
EPFL LACAL
FSE, 23 February 2009
Blockcipher Based Hashing: The principle idea

Block cipher $E : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ with $n$-bit key, operating on $n$-bit blocks: $Y = E_K(X)$.

Compression function $H^E$ from $2n$ bits to $n$ bits (input consists of $n$ bits message $M$ and $n$ bits chaining variable $V$): $W = H^E(M, V)$.

Hash function using the Merkle-Damgård transform.

More generally: block cipher $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ with $k$-bit key, operating on $n$-bit blocks: $Y = E_K(X)$.

Compression function $H^E$ from $m + s$ bits to $s$ bits (input consists of $m$ bits message $M$ and $s$ bits chaining variable $V$): $W = H^E(M, V)$.

Hash function using the Merkle-Damgård transform.
Blockcipher Based Hashing: Collision resistance, a measure of security

Adversary $A$ makes $q$ queries to $E$ and $D$ (the decryption oracle) and outputs $((M, V), (M', V'))$:

$\mathrm{Adv}^{coll}_H(A) = \Pr\big[(M, V) \neq (M', V') \text{ and } H^E(M, V) = H^E(M', V')\big]$

For the iterated hash $H_{IV}$ (initial value $IV$) the adversary outputs $(M, M')$:

$\mathrm{Adv}^{coll}_{H_{IV}}(A) = \max_{IV} \Pr\big[M \neq M' \text{ and } H^E_{IV}(M) = H^E_{IV}(M')\big]$

$\mathrm{Adv}^{coll}_{H_{IV}}(q) \le \mathrm{Adv}^{coll}_H(q)$ (maximum over all adversaries making $q$ queries): the collision resistance of the Merkle-Damgård iteration is bounded by that of the compression function.
Example: Davies-Meyer Construction

$W = E_V(M) \oplus M$, i.e. $K = V$, $X = M$, $Y = E_K(X)$, $W = Y \oplus M$.

Written out with coefficients in $\mathbb{Z}_2$:
$K = 0 \cdot M \oplus 1 \cdot V$, $\quad X = 1 \cdot M \oplus 0 \cdot V$, $\quad W = Y \oplus (1 \cdot M \oplus 0 \cdot V)$.

In matrix form:

$\begin{pmatrix} K \\ X \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} M \\ V \end{pmatrix}, \qquad W = Y \oplus \begin{pmatrix} 1 & 0 \end{pmatrix} \begin{pmatrix} M \\ V \end{pmatrix} = Y \oplus U \begin{pmatrix} M \\ V \end{pmatrix},$

where the rows $K, X, U \in \mathbb{Z}_2^2$.

[PGV93]: Examined all $2^6 = 64$ possible schemes, attack-based approach.
12 Collision Resistant Compression Functions

[PGV93]: Schemes deemed secure.
[BRS02]: Provable collision resistance:
$\mathrm{Adv}^{coll}_H(q) \le \tfrac{1}{2}\, q(q+1)/(2^n - q)$.

Further 8 Collision Resistant Hash Functions

[BRS02]: Provably secure in the iteration:
$\mathrm{Adv}^{coll}_H(q) \le 3q(q+1)/2^n$
[DL06]: Improved bounds:
$\mathrm{Adv}^{coll}_H(q) \le \tfrac{1}{2}\, q(q+1)/(2^n - q)$
Questions

Why these 12 and 8 schemes? What makes them special? What do they have in common?

What happens if for instance
we want to chop the output in the end?
we want to use addition modulo $2^n$ instead of XOR?
we want to use a blockcipher with keys larger than the blocksize?
we want security beyond the blocksize?
General Single Call Scenario

$M$ ($m$ bits) and $V$ ($s$ bits) $\to C^{pre} \to (K, X)$ ($k$-bit key, $n$-bit block) $\to E \to Y$ ($n$ bits) $\to C^{post}$ (together with $M, V$) $\to W$ ($s$ bits).

Classical: $s = n$, $m + s = n + k$. Includes PGV/BRS (for $k = n$).
Chopped: $s < n$, $m + s = n + k$. Includes Grindahl (for $k = 0$).
Overloaded: $s = n$, $m + s > n + k$. Includes sponges (for $k = 0$).
Supercharged: $s > n$, $m + s = n + k$. Allows security beyond the birthday bound!
Type I: Secure Compression (Classical)

$M$ ($k$ bits), $V$ ($n$ bits) $\to C^{pre} \to (K, X)$ ($k$-bit key, $n$-bit block) $\to E \to Y$ ($n$ bits) $\to C^{post} \to W$ ($n$ bits).

Create a list of tuples $(M, V) \to W$ such that $W = H^E(M, V)$. Then: collision in $H$ $\Leftrightarrow$ collision in the list ($W$-component).

Minimize the size of this list (given $q$) $\Rightarrow$ $C^{pre}$ bijective.

The $W$'s distributed roughly independent uniform. Then you might expect birthday bound behaviour:

$\mathrm{Adv}^{coll}_H(A) \approx \frac{(\text{size of list})^2}{2^n} = \frac{q^2}{2^n}$

For forward queries: $C^{post}(M, V, \cdot) : \{0,1\}^n \to \{0,1\}^n$ bijective for all $M, V$.
Dealing with Decryption Queries: Auxiliary function $C^{aux}$

$K$ ($k$ bits), $Y$ ($n$ bits) $\to D \to X$ ($n$ bits); $C^{-pre}(K, X) \to (M, V)$; $C^{post}(M, V, Y) \to W$.

$C^{aux}(K, X, Y) = C^{post}(C^{-pre}(K, X), Y)$

For inverse queries: $C^{aux}(K, \cdot, Y) : \{0,1\}^n \to \{0,1\}^n$ bijective for all $K, Y$ gives $(M, V) \to W$ with $W$'s distributed roughly independent uniform.
Type I: Secure Compression (Classical)

1. The preprocessing $C^{pre}$ is bijective.
   [PGV/BRS]: $\begin{pmatrix} K \\ X \end{pmatrix}$ is invertible (6 possible matrices).
2. For all $M, V$ the postprocessing $C^{post}(M, V, \cdot)$ is bijective.
   [PGV/BRS]: Automatically satisfied.
3. For all $K, Y$ the modified postprocessing $C^{aux}(K, \cdot, Y)$ is bijective.
   [PGV/BRS]: $\begin{pmatrix} K \\ U \end{pmatrix}$ is invertible (2 possibilities per matrix).

$\Rightarrow$ Gives exactly the 12 Type-I PGV schemes.
Type II: Security in the Iteration (Classical)

The Duo-Li proof technique uses that the list of $(M, V) \to W$ satisfy:

1. Minimize the size of this list (given $q$) $\Rightarrow$ $C^{pre}$ bijective.
   [PGV/BRS]: $\begin{pmatrix} K \\ X \end{pmatrix}$ is invertible (6 matrices possible).
2. For a forward query $W$ is distributed roughly independent uniform $\Rightarrow$ for all $M, V$ the postprocessing $C^{post}(M, V, \cdot)$ is bijective.
3. For an inverse query $V$ is distributed roughly independent uniform $\Rightarrow$ for all $K$, $C^{-pre}(K, \cdot)$ restricted to $V$ is bijective.
   [PGV/BRS]: The key is message dependent, $K = M$ or $K = M \oplus V$. $\Rightarrow$ Only 4 matrices possible, $U$ unrestricted.

$\Rightarrow$ 16 Type-II schemes: 8 as identified by [BRS02] + 8 that are Type-I.
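The matrix description of the classical schemes (rows $K, X, U \in \mathbb{Z}_2^2$) together with the Type-I and Type-II conditions can be checked by plain enumeration. The following Python is an added example, not code from the slides or from [PGV93]/[BRS02]: the block size `N = 8`, the toy permutation `toy_E` (a stand-in for $E_K(X)$, not a cipher) and all function names are constructed for the illustration. It enumerates the 64 schemes, applies the two sets of conditions, evaluates one scheme, and shows why a bijective $C^{pre}$ keeps the list of $(M, V) \to W$ tuples small.

```python
from itertools import product

# Toy block size (constructed for illustration; real instances use n = 128 or more).
N = 8
MASK = (1 << N) - 1

def toy_E(K, X):
    """Constructed toy keyed permutation on N-bit blocks standing in for E_K(X).
    It is NOT a secure cipher; all that matters below is that X -> toy_E(K, X)
    is a bijection for every key K (rotation and modular addition are bijective)."""
    x = (X ^ K) & MASK
    for r in range(3):
        x = ((x << 3) | (x >> (N - 3))) & MASK
        x = (x + ((K * 37 + r) & MASK)) & MASK
    return x

VECS = list(product((0, 1), repeat=2))   # the four row vectors of Z_2^2

def apply_row(row, M, V):
    """Row (a, b) in Z_2^2 applied to (M, V): a*M xor b*V."""
    a, b = row
    return (M if a else 0) ^ (V if b else 0)

def pgv_compress(scheme, M, V, E=toy_E):
    """W = H^E(M, V) for the scheme given by rows (K, X, U): C^pre selects the key
    and plaintext, C^post xors U.(M, V) onto the ciphertext Y."""
    K_row, X_row, U_row = scheme
    Y = E(apply_row(K_row, M, V), apply_row(X_row, M, V))
    return Y ^ apply_row(U_row, M, V)

def invertible(r1, r2):
    """A 2x2 matrix over Z_2 with rows r1, r2 is invertible iff its determinant is 1."""
    return ((r1[0] * r2[1]) ^ (r1[1] * r2[0])) == 1

def all_schemes():
    """All 2^6 = 64 choices of (K, X, U)."""
    return list(product(VECS, repeat=3))

def is_type_i(scheme):
    K, X, U = scheme
    # 1. C^pre bijective            <=> (K; X) invertible (6 matrices)
    # 2. C^post(M, V, .) = Y xor c   is always bijective
    # 3. C^aux(K, ., Y) bijective    <=> (K; U) invertible (2 choices of U per matrix)
    return invertible(K, X) and invertible(K, U)

def is_type_ii(scheme):
    K, X, U = scheme
    # 1. (K; X) invertible
    # 3. C^-pre(K, .) restricted to V bijective <=> the key depends on M,
    #    i.e. K = M or K = M xor V (first coefficient 1); U is unrestricted
    return invertible(K, X) and K[0] == 1

def classify():
    """Returns (all, Type-I, Type-II, Type-I and Type-II) counts."""
    s = all_schemes()
    t1 = [x for x in s if is_type_i(x)]
    t2 = [x for x in s if is_type_ii(x)]
    both = [x for x in t1 if is_type_ii(x)]
    return len(s), len(t1), len(t2), len(both)

def count_preimages(scheme, K, X):
    """How many (M, V) one forward query (K, X) settles: 1 when C^pre is bijective,
    up to 2^N for a degenerate C^pre, which blows up the list the proof reasons about."""
    K_row, X_row, _ = scheme
    return sum(1 for M in range(1 << N) for V in range(1 << N)
               if apply_row(K_row, M, V) == K and apply_row(X_row, M, V) == X)

# The Davies-Meyer example from the slides: K = V, X = M, W = Y xor M.
DAVIES_MEYER = ((0, 1), (1, 0), (1, 0))
# Constructed degenerate scheme with K = X = M: C^pre is not bijective.
DEGENERATE = ((1, 0), (1, 0), (0, 1))

if __name__ == "__main__":
    print(classify())                                   # (64, 12, 16, 8)
    print(is_type_i(DAVIES_MEYER), is_type_ii(DAVIES_MEYER))
    print(count_preimages(DAVIES_MEYER, 5, 7), count_preimages(DEGENERATE, 5, 5))
```

The counts reproduce the slides: 6 invertible $(K; X)$ matrices times 2 admissible $U$ give the 12 Type-I schemes, the 4 message-dependent-key matrices times 4 unrestricted $U$ give the 16 Type-II schemes, and 8 schemes are both. `count_preimages` makes the first condition concrete: for the degenerate scheme one query with $K = X$ settles $W$ for all $2^N$ values of $V$ at once, so the list grows far faster than $q$.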
Chopped Compression Functions ($s < n$)

$M$ ($2n - s$ bits), $V$ ($s$ bits) $\to C^{pre} \to (K, X)$ ($n$ bits each) $\to E \to Y$ ($n$ bits) $\to C^{post} \to W$ ($s$ bits).

1. The preprocessing $C^{pre}$ is bijective.
2. For all $M, V$: $C^{post}(M, V, \cdot)$ is balanced (instead of bijective).
3. For all $K, Y$: $C^{aux}(K, \cdot, Y)$ is balanced (instead of bijective).

$\mathrm{Adv}^{coll}_H(q) \le q(q+1)/2^s$

Immediate consequence: chopping e.g. Davies-Meyer is secure.
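To see what conditions 2 and 3 ask of a chopped scheme, here is an added example (not from the slides) that brute-forces balancedness for chopped Davies-Meyer with the slide's wiring $K = V$, $X = M$, $W = \mathrm{chop}(Y \oplus M)$. The toy sizes `N = 6`, `S = 3`, the deliberately unbalanced `bad_post`, and the function names are constructed for the illustration.

```python
# Toy sizes (constructed): n-bit block chopped to s bits.
N, S = 6, 3
BLOCKS = range(1 << N)

def chop(y):
    """Keep the s least significant bits of an n-bit value."""
    return y & ((1 << S) - 1)

def c_post(M, V, Y):
    """C^post of chopped Davies-Meyer with the slide's wiring K = V, X = M: W = chop(Y xor M)."""
    return chop(Y ^ M)

def c_inv_pre(K, X):
    """C^-pre: a query (K, X) corresponds to (M, V) = (X, K)."""
    return X, K

def c_aux(K, X, Y):
    """C^aux(K, X, Y) = C^post(C^-pre(K, X), Y)."""
    return c_post(*c_inv_pre(K, X), Y)

def bad_post(M, V, Y):
    """Constructed post-processing that is NOT balanced: for M = 0 every Y maps to 0."""
    return chop(Y & M)

def is_balanced(f, domain):
    """f: domain -> {0,1}^S is balanced iff every s-bit output has exactly |domain|/2^S preimages."""
    counts = {}
    for x in domain:
        counts[f(x)] = counts.get(f(x), 0) + 1
    return len(counts) == 1 << S and len(set(counts.values())) == 1

def post_balanced_for_all():
    """Condition 2: for all M, V the map Y -> C^post(M, V, Y) is balanced."""
    return all(is_balanced(lambda Y: c_post(M, V, Y), BLOCKS) for M in BLOCKS for V in BLOCKS)

def aux_balanced_for_all():
    """Condition 3: for all K, Y the map X -> C^aux(K, X, Y) is balanced."""
    return all(is_balanced(lambda X: c_aux(K, X, Y), BLOCKS) for K in BLOCKS for Y in BLOCKS)

if __name__ == "__main__":
    print(post_balanced_for_all(), aux_balanced_for_all())    # True True
    print(is_balanced(lambda Y: bad_post(0, 0, Y), BLOCKS))    # False
```

Balanced means each of the $2^s$ chopped outputs has exactly $2^{n-s}$ preimages, which is what keeps the $W$'s roughly uniform once bijectivity is no longer possible; `bad_post` shows a post-processing that fails the check for $M = 0$.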
Supercharged Compression Functions: Specified for the double-length scenario

$M$ ($n$ bits), $V$ ($2n$ bits) $\to C^{pre} \to (K, X)$ ($2n$-bit key, $n$-bit block) $\to E \to Y$ ($n$ bits) $\to C^{post} \to W$ ($2n$ bits).

1. The preprocessing $C^{pre}$ is bijective.
2. For all $M, V$: $C^{post}(M, V, \cdot)$ is injective (instead of bijective). Range denoted by $R_{pre,(M,V)}$.
3. For all $K, Y$: $C^{aux}(K, \cdot, Y)$ is injective (instead of bijective). Range denoted by $R_{aux,(K,Y)}$.

$\gamma = \max\big\{\, |R_Z \cap R_{Z'}| : Z, Z' \in \{pre, aux\} \times \{0,1\}^{2n+n},\ Z \neq Z' \,\big\}$

$\mathrm{Adv}^{coll}_H(q) \le \dfrac{\gamma^{1/2}\, n\, q}{2^{n-6}}$
A Rate-1 Double-Length Compression Function: Collision Resistance

Inputs $M$, $V_1$, $V_2$; one call to $E$ produces $W_1$; $W_2 = M W_1^2 + V_1 W_1 + V_2$.

$R_{pre,(M,V_1,V_2)} = \{ (W,\ M W^2 + V_1 W + V_2) \mid W \in \{0,1\}^n \}$
$R_{aux,(K_1,K_2,Y)} = \{ (W,\ W^3 + Y W^2 + K_1 W + K_2) \mid W \in \{0,1\}^n \}$.

$\gamma = 3 \;\Rightarrow\; \mathrm{Adv}^{coll}_H(q) \le 2(4n+2)\, q / 2^n$.

Variant with $W_2 = V_2 W_1^2 + V_1 W_1 + M$:

$R_{pre,(M,V_1,V_2)} = \{ (W,\ V_2 W^2 + V_1 W + M) \mid W \in \{0,1\}^n \}$
$R_{aux,(K_1,K_2,Y)} = \{ (W,\ K_2 W^2 + (K_1 + 1) W + Y) \mid W \in \{0,1\}^n \}$.

$\gamma = 2^n \;\Rightarrow\; \mathrm{Adv}^{coll}_H(q) \le 2(4n+2)\, q / 2^{n/2}$.
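An added example (not from the slides or the author's own code) that makes the supercharged definitions of $R_{pre}$, $R_{aux}$ and $\gamma$ from the previous slides concrete for both choices of $W_2$: it computes $\gamma$ by exhaustion over a toy field $\mathrm{GF}(2^3)$ and checks the stated $R_{aux}$ formula against $C^{aux}$. The wiring (key $V_1 \| V_2$, plaintext $M$, $W_1 = E(M) \oplus M$, arithmetic for $W_2$ in $\mathrm{GF}(2^n)$) is inferred from the stated ranges and is an assumption here, as are `toy_E`, the field size `N = 3` and the function names.

```python
from itertools import product

# Toy field: n = 3, GF(2^3) with reduction polynomial x^3 + x + 1 (constructed so that all
# 2^(2n+n) ranges of each kind can be enumerated; the real construction uses n = 128 or more).
N = 3
POLY = 0b1011
ALL = range(1 << N)

def gf_mul(a, b):
    """Multiplication in GF(2^N); field addition is XOR."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= POLY
    return r

def poly_eval(coeffs, w):
    """Evaluate c_0 + c_1 w + c_2 w^2 + ... over GF(2^N) (coefficients low degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, w) ^ c
    return acc

def toy_E(K, X):
    """Constructed toy cipher with a 2N-bit key on N-bit blocks (NOT secure); only its
    bijectivity in X for a fixed key is used."""
    x = X ^ (K & ((1 << N) - 1))
    x = ((x << 1) | (x >> (N - 1))) & ((1 << N) - 1)   # rotate left by one
    return x ^ (K >> N)

# The two choices for the second output W2 compared on the slides.
def w2_quadratic(M, V1, V2, W1):   # W2 = M W1^2 + V1 W1 + V2   (gamma = 3)
    return poly_eval((V2, V1, M), W1)

def w2_swapped(M, V1, V2, W1):     # W2 = V2 W1^2 + V1 W1 + M   (gamma = 2^n)
    return poly_eval((M, V1, V2), W1)

def compress(M, V1, V2, w2=w2_quadratic, E=toy_E):
    """Assumed wiring (inferred from the stated ranges): key V1||V2, plaintext M,
    W1 = E(M) xor M, W2 computed from (M, V1, V2, W1)."""
    W1 = E((V1 << N) | V2, M) ^ M
    return W1, w2(M, V1, V2, W1)

def range_pre(w2, M, V1, V2):
    """R_pre,(M,V1,V2): for fixed (M, V1, V2) the ciphertext, hence W1, runs over all values."""
    return frozenset((W, w2(M, V1, V2, W)) for W in ALL)

def range_aux(w2, K1, K2, Y):
    """R_aux,(K1,K2,Y) via C^aux: for an inverse query the plaintext X varies,
    C^-pre(K, X) = (M, V1, V2) = (X, K1, K2) and W1 = Y xor X."""
    out = set()
    for X in ALL:
        W1 = Y ^ X
        out.add((W1, w2(X, K1, K2, W1)))
    return frozenset(out)

def gamma(w2):
    """max |R_Z ∩ R_Z'| over distinct Z, Z' in {pre, aux} x {0,1}^(2n+n), by exhaustion."""
    ranges = [range_pre(w2, *t) for t in product(ALL, repeat=3)]
    ranges += [range_aux(w2, *t) for t in product(ALL, repeat=3)]
    best = 0
    for i, ri in enumerate(ranges):
        for rj in ranges[i + 1:]:
            best = max(best, len(ri & rj))
    return best

def aux_matches_slide_formula(K1, K2, Y):
    """For the gamma = 3 variant, R_aux should equal {(W, W^3 + Y W^2 + K1 W + K2)}."""
    formula = frozenset((W, poly_eval((K2, K1, Y, 1), W)) for W in ALL)
    return range_aux(w2_quadratic, K1, K2, Y) == formula

if __name__ == "__main__":
    print(gamma(w2_quadratic), gamma(w2_swapped))   # 3 8
```

For the first wiring every range is the graph of a polynomial of degree at most 3, and two distinct graphs meet in at most 3 points, which is where $\gamma = 3$ comes from; for the swapped wiring the pre-range for $(M, V_1, V_2)$ coincides with the aux-range for $(V_1 + 1, V_2, M)$, so $\gamma = 2^n$ and only birthday security remains.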
Conclusion

Presented a new framework to capture blockcipher based hashing.
PGV/BRS results can be derived from it.
Allows for easy generalization for chopping and overloading.
Developed theory for supercharging compression functions.
A new collision resistant rate-1 double-length construction.