Building indifferentiable compression functions from the PGV compression functions

Abstract

Preneel, Govaerts and Vandewalle (PGV) analysed the security of single-block-length block cipher based compression functions assuming that the underlying block cipher has no weaknesses. They showed that 12 out of 64 possible compression functions are collision and (second) preimage resistant. Black, Rogaway and Shrimpton formally proved this result in the ideal cipher model. However, in the indifferentiability security framework introduced by Maurer, Renner and Holenstein, all these 12 schemes are easily differentiable from a fixed input-length random oracle (FIL-RO) even when their underlying block cipher is ideal. We address the problem of building indifferentiable compression functions from the PGV compression functions. We consider a general form of 64 PGV compression functions and replace the linear feed-forward operation in this generic PGV compression function with an ideal block cipher independent of the one used in the generic PGV construction. This modified construction is called a generic modified PGV (MPGV). We analyse indifferentiability of the generic MPGV construction in the ideal cipher model and show that 12 out of 64 MPGV compression functions in this framework are indifferentiable from a FIL-RO. To our knowledge, this is the first result showing that two independent block ciphers are sufficient to design indifferentiable single-block-length compression functions.

Appendices

Appendix 1: Differentiability attack on collision resistant PGV schemes

In this section we present the differentiability attack of Kuwakado and Morii [27] on the 12 collision resistant PGVs [8, 36]. We refer to Fig. 1 for the generic PGV construction from which the 12 collision resistant PGVs can be built. The attack is outlined below where \(F\) is any of the 12 collision resistant PGVs:

1. 1.

   Set \(CT_E=0\) and Select \(K_E \in \{0,1\}^{n}\).

2. 2.

   Query \((K_E,CT_E)\) to \(\overline{{E}^{-1}}\) and receive \(PT_E\).

3. 3.

   Extract \((h,m)\) from \(PT_E\) and \(K_E\).

4. 4.

   Query \((h,m)\) to \(\overline{F}\) and receive \(\overline{F}(h,m)\).

5. 5.

   If \(\varphi (h\Vert m)=\overline{F}(h,m)\) return 1, otherwise 0.

Recall that for all collision resistant PGV schemes, given \(PT_E\) and \(K_E\), it is possible to extract \((h,m)\) uniquely such that \(\varPhi (h\Vert m)= PT_{E}\) and \(\chi (h\Vert m)= K_{E}\). In the case of \((F,E)\), the adversary always outputs 1, whereas in case of \((R,S_{E})\) it outputs 1 with the probability of \(1/2^{n}\). Hence collision resistant PGV schemes are differentiable from a FIL-RO. This attack is also applicable when the hash value is truncated to say \(s<n\) bits. Let these \(s\) bits be the most significant bits of \(F(h,m)\). In this case, in the step 4 of the above attack, the adversary receives hash value of size \(s\) bits and compares these bits with the corresponding bits of the value computed in step 5. If they are equal, the adversary outputs 1 else 0.

Appendix 2: Formal description of games

In this section we present the Games \(G_{i}\) for \(i=0,\ldots ,7\) and the simulator used in proving the indifferentiability of the generic MPGV compression function with bijective key-map and input-to- \(E\). These Games are presented in Figs. 3, 4, 5, 6, 7, 8, 9 and 10 respectively and the simulator is presented in Algorithms 1 and 2. We define the following notation in some of the Games and the simulator algorithm: For any \(n\)-bit variable \(x\), we denote by \(count(x)\) the number of possible \(n\)-bit values that \(x\) can have. For example, \(count(CT_{E})>1\) denotes that there is more than one possible value for \(CT_{E}\).