Skip to main content
SpringerLink
Log in

Security of Truncated Permutation Without Initial Value

  • Conference paper
  • First Online:
Advances in Cryptology – ASIACRYPT 2022 (ASIACRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13792))

Abstract

Indifferentiability is a powerful notion in cryptography. If a construction is proven to be indifferentiable from an ideal object, it can under certain assumptions instantiate that ideal object in higher-level constructions. Indifferentiability is a particularly useful model for cryptographic hash functions, and myriad results are known proving that a hash function behaves like a random oracle under the assumption that the underlying primitive (typically a compression function, a block cipher, or a permutation) is random. Recently, advances have been made in proving indifferentiability of one-way functions with fixed input length. One such example is truncation of a permutation. If one evaluates a random permutation on an input value concatenated with a fixed initial value, and truncates the output, one obtains a construction that is indifferentiable from a random function up to a certain bound (Dodis et al., FSE 2009; Choi et al., ASIACRYPT 2019). Security of this construction, however, is in part determined by the length of the initial value; omission of this fixed value yields an insecure construction.

In this paper, we reconsider truncation of a permutation, and prove that the construction is indifferentiable from a random oracle, even if this fixed initial value is replaced by a randomized value. This randomized value may be the same for different evaluations of the construction, or freshly generated, up to the discretion of the adversary. The security level is the same as that of truncation with fixed initial value, up to collisions in the randomized value.

We show that our construction has immediate implications in the context of parallel variable-length digest generation. In detail, we describe Cascade-MGF, that operates on top of any cryptographic hash function and uses the hash function output as randomized initial value in truncation. We demonstrate that Cascade-MGF compares favorably over earlier parallel variable-length digest generation constructions, namely Counter-MGF and Chained-MGF, in almost all settings.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Note that Choi et al. did not have a hash primitive, whereas we do, so the drawn parallel here is a bit odd. The comparison with Choi et al.’s proof and the induced difficulties become more apparent when we consider inverse queries, later on.

References

  1. ANSI: ANSI X9.44: Public-Key Cryptography for the Financial Services Industry Key Establishment Using Integer Factorization Cryptography (2002)

    Google Scholar 

  2. Aumasson, J.-P., Neves, S., Wilcox-O’Hearn, Z., Winnerlein, C.: BLAKE2: simpler, smaller, fast as MD5. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 119–135. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_8

    Chapter  Google Scholar 

  3. Bernstein, D.J., Kölbl, S., Lucks, S., Massolino, P.M.C., Mendel, F., Nawaz, K., Schneider, T., Schwabe, P., Standaert, F.-X., Todo, Y., Viguier, B.: Gimli: a cross-platform permutation. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 299–320. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_15

    Chapter  Google Scholar 

  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007 (2007)

    Google Scholar 

  5. Bertoni, G., Daemen, J., Hoffert, S., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. IACR Trans. Symmetric Cryptol. 2017(4), 1–38 (2017)

    Article  Google Scholar 

  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

    Chapter  Google Scholar 

  7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree and sequential hashing modes. Int. J. Inf. Sec. 13(4), 335–353 (2014)

    Article  Google Scholar 

  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The KECCAK reference (2011)

    Google Scholar 

  9. Bhattacharya, S., Nandi, M.: Full indifferentiable security of the Xor of two or more random permutations using the \(\chi ^2\) method. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 387–412. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_15

    Chapter  Google Scholar 

  10. Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An Analysis of the Blockcipher-Based Hash Functions from PGV. J. Cryptol. 23(4), 519–545 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  11. Chang, D., Lee, S., Nandi, M., Yung, M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 283–298. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_19

    Chapter  Google Scholar 

  12. Choi, W., Lee, B., Lee, J.: Indifferentiability of truncated random permutations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 175–195. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_7

    Chapter  Google Scholar 

  13. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26

    Chapter  Google Scholar 

  14. Daemen, J., Hoffert, S., Van Assche, G., Van Keer, R.: The design of Xoodoo and Xoofff. IACR Trans. Symmetric Cryptol. 2018(4), 1–38 (2018)

    Article  Google Scholar 

  15. Daemen, J., Mennink, B., Van Assche, G.: Sound hashing modes of arbitrary functions, permutations, and block ciphers. IACR Trans. Symmetric Cryptol. 2018(4), 197–228 (2018)

    Article  Google Scholar 

  16. Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 497–523. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_17

    Chapter  Google Scholar 

  17. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39

    Chapter  Google Scholar 

  18. Dodis, Y., Reyzin, L., Rivest, R.L., Shen, E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 104–121. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_7

    Chapter  Google Scholar 

  19. Grassi, L., Mennink, B.: Security of Truncated Permutation Without Initial Value. Cryptology ePrint Archive, Paper 2022/508 (2022)

    Google Scholar 

  20. Gunsing, A.: Block-cipher-based tree hashing. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13510, pp. 205–233. Springer, Cham. (2022). https://doi.org/10.1007/978-3-031-15985-5_8

  21. Gunsing, A., Daemen, J., Mennink, B.: Errata to sound hashing modes of arbitrary functions, permutations, and block ciphers. IACR Trans. Symmetric Cryptol. 2020(3), 362–366 (2020)

    Article  Google Scholar 

  22. IEEE Computer Society: IEEE 1363.1 Standard Specifications For Public-Key Cryptography (2000)

    Google Scholar 

  23. ISO/IEC: ISO/IEC 18033–2 Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers (2006)

    Google Scholar 

  24. Kaliski, B., Staddon, J.: PKCS #1: RSA cryptography specifications version 2.0. RFC 2437, pp. 1–39 (1998)

    Google Scholar 

  25. Knudsen, L.R., Rechberger, C., Thomsen, S.S.: The grindahl hash functions. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 39–57. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_3

    Chapter  Google Scholar 

  26. Lee, J.: Indifferentiability of the sum of random permutations toward optimal security. IEEE Trans. Inf. Theory 63(6), 4050–4054 (2017)

    Article  MathSciNet  MATH  Google Scholar 

  27. Luykx, A., Mennink, B., Neves, S.: Security analysis of BLAKE2’s modes of operation. IACR Trans. Symmetric Cryptol. 2016(1), 158–176 (2016)

    Article  Google Scholar 

  28. Mandal, A., Patarin, J., Nachef, V.: Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 69–81. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17401-8_6

    Chapter  Google Scholar 

  29. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

    Chapter  Google Scholar 

  30. Mennink, B.: Optimal collision security in double block length hashing with single length key. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 526–543. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_32

    Chapter  MATH  Google Scholar 

  31. Mennink, B.: Indifferentiability of double length compression functions. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 232–251. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-45239-0_14

    Chapter  Google Scholar 

  32. Mennink, B., Preneel, B.: On the XOR of multiple random permutations. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 619–634. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_30

    Chapter  Google Scholar 

  33. Merkle, R.C.: Protocols for public key cryptosystems. In: Proceedings of the 1980 IEEE Symposium on Security and Privacy, pp. 122–134. IEEE Computer Society (1980)

    Google Scholar 

  34. Merkle, R.C.: A Digital Signature Based on a Conventional Encryption Function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32

    Chapter  Google Scholar 

  35. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

    Chapter  Google Scholar 

  36. Merkle, R.C.: Secrecy, authentication and public key systems (1979), Ph.D. thesis, UMI Research Press

    Google Scholar 

  37. NIST: NIST SP800-108: Recommendation for Key Derivation Using Pseudorandom Functions (2009)

    Google Scholar 

  38. NIST: NIST FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)

    Google Scholar 

  39. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31

    Chapter  Google Scholar 

  40. Rabin, M.O.: Digitalized signatures. Foundations of Secure Computation, pp. 155–166 (1978)

    Google Scholar 

  41. Rivest, R., et al.: The MD6 hash function - A proposal to NIST for SHA-3 (2008), submission to NIST’s SHA-3 competition

    Google Scholar 

  42. RSA Security: PKCS#1 v2.1: RSA Cryptography Standard (2002)

    Google Scholar 

  43. Suzuki, K., Yasuda, K.: On the security of the cryptographic mask generation functions standardized by ANSI, IEEE, ISO/IEC, and NIST (2012). NTT Technical Review

    Google Scholar 

Download references

Acknowledgments

Lorenzo Grassi is supported by the European Research Council under the ERC advanced grant agreement under grant ERC-2017-ADG Nr. 788980 ESCADA. Bart Mennink is supported by the Netherlands Organisation for Scientific Research (NWO) under grant VI.Vidi.203.099.

Author information

Authors and Affiliations

  1. Radboud University, Nijmegen, The Netherlands

    Lorenzo Grassi & Bart Mennink

Authors
  1. Lorenzo Grassi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bart Mennink
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Lorenzo Grassi .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Madras, Chennai, India

    Shweta Agrawal

  2. Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Grassi, L., Mennink, B. (2022). Security of Truncated Permutation Without Initial Value. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13792. Springer, Cham. https://doi.org/10.1007/978-3-031-22966-4_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22966-4_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22965-7

  • Online ISBN: 978-3-031-22966-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation