# The suffix-free-prefix-free hash function construction and its indifferentiability security analysis


## Abstract

In this paper, we observe that in the seminal work on indifferentiability analysis of iterated hash functions by Coron et al. and in subsequent works, the initial value \((IV)\) of hash functions is *fixed*. In addition, these indifferentiability results do not depend on the *Merkle–Damgård (MD) strengthening* in the padding functionality of the hash functions. We propose a generic \(n\)-bit-iterated hash function framework based on an \(n\)-bit compression function called suffix-free-prefix-free (SFPF) that works for *arbitrary* \(IV\)s and does not possess *MD strengthening*. We formally prove that SFPF is indifferentiable from a random oracle (RO) when the compression function is viewed as a fixed input-length random oracle (FIL-RO). We show that some hash function constructions proposed in the literature fit in the SFPF framework while others that do not fit in this framework are not indifferentiable from a RO. We also show that the SFPF hash function framework with the provision of *MD strengthening* generalizes any \(n\)-bit-iterated hash function based on an \(n\)-bit compression function and with an \(n\)-bit chaining value that is proven indifferentiable from a RO.
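As an added illustration of the iterated framework the abstract refers to (example code, not from the paper): a toy \(n\)-bit MD iteration over a FIL compression function modelled by truncated SHA-256, with plain padding, MD strengthening and a Coron-et-al.-style prefix-free encoding, plus the extension relation a distinguisher checks when separating an iterated hash from a random oracle. The SFPF padding itself is not defined in this abstract and is not modelled; the block size, the 10*-padding and the length encodings are assumptions of this example.

```python
import hashlib
import os

N = 16  # n = 128 bits: chaining value, message block and digest are all n bits


def f(h: bytes, m: bytes) -> bytes:
    """FIL compression function {0,1}^n x {0,1}^n -> {0,1}^n, modelled by truncated SHA-256."""
    assert len(h) == N and len(m) == N
    return hashlib.sha256(h + m).digest()[:N]


def pad_plain(msg: bytes) -> list:
    """10*-padding to a block boundary; no length block, i.e. no MD strengthening."""
    p = msg + b"\x80"
    p += b"\x00" * (-len(p) % N)
    return [p[i:i + N] for i in range(0, len(p), N)]


def pad_strengthened(msg: bytes) -> list:
    """MD strengthening: plain padding followed by a block encoding |msg| in bits."""
    return pad_plain(msg) + [(8 * len(msg)).to_bytes(N, "big")]


def pad_prefix_free(msg: bytes) -> list:
    """Prefix-free encoding (Coron et al. style): the |msg| block goes first, so encodings of
    messages of different lengths differ in block 0 and no encoding is a proper prefix of another."""
    return [(8 * len(msg)).to_bytes(N, "big")] + pad_plain(msg)


def iterate(iv: bytes, blocks: list) -> bytes:
    """The n-bit iterated hash: chain f over the padded blocks from an arbitrary IV."""
    h = iv
    for b in blocks:
        h = f(h, b)
    return h


def extension_relation_holds(pad, iv: bytes, m: bytes, x: bytes) -> bool:
    """Distinguisher check: does the digest of m alone determine the digest of a longer message?

    ext is m, then the bytes pad appended to m, then x. The relation holds exactly when pad(m)
    is a prefix of pad(ext); a random oracle satisfies it only by chance (about 2^-n)."""
    pm = pad(m)
    full = pad(b"".join(pm) + x)
    continued = iterate(iterate(iv, pm), full[len(pm):])
    return iterate(iv, full) == continued


if __name__ == "__main__":
    for iv in (bytes(N), os.urandom(N)):  # fixed IV and an arbitrary IV, as in the abstract
        for pad in (pad_plain, pad_strengthened, pad_prefix_free):
            print(pad.__name__, extension_relation_holds(pad, iv, b"constructed msg", b"tail"))
```

Plain iteration and MD-strengthened iteration both report True for every IV (the relation does not depend on MD strengthening), while the prefix-free encoding reports False.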

## Keywords

Indifferentiability · Merkle–Damgård · MD strengthening · Random oracle · SFPF

## Notes

### Acknowledgments

We would like to thank anonymous reviewers for their valuable comments on the paper. We also thank Colin Boyd and Choudary Gorantla for their comments on an earlier version of this paper and Shoichi Hirose for his discussions on this topic.

## References

- 1. Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: Proceedings of the 37th Annual IEEE Symposium on Foundations of Computer Science, FOCS '96, pp. 514–523. IEEE Computer Society Press (1996)
- 2. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Proceedings of ASIACRYPT 2006, vol. 4284 of Lecture Notes in Computer Science, pp. 299–314. Springer (2006)
- 3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of CCS '93, pp. 62–73. ACM Press (1993)
- 4. Chang, D., Lee, S., Nandi, M., Yung, M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. In: Proceedings of ASIACRYPT 2006, vol. 4284 of Lecture Notes in Computer Science, pp. 283–298. Springer (2006)
- 5. Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Proceedings of FSE 2008, vol. 5086 of Lecture Notes in Computer Science, pp. 429–443. Springer (2008)
- 6. Chang, D., Sung, J., Hong, S., Lee, S.: Indifferentiable security analysis of choppfMD, chopMD, chopMDP, chopWPH, chopNI, chopEMD, chopCS, and chopESh hash domain extensions. Cryptology ePrint Archive, Report 2008/407 (2008)
- 7. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle–Damgård revisited: how to construct a hash function. In: Proceedings of CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 430–448. Springer (2005)
- 8. Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Proceedings of CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 1–20. Springer (2008)
- 9. Damgård, I.B.: A design principle for hash functions. In: Proceedings of CRYPTO 1989, vol. 435 of Lecture Notes in Computer Science, pp. 416–427. Springer (1989)
- 10. Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: a strengthened version of RIPEMD. In: Proceedings of FSE 1996, vol. 1039 of Lecture Notes in Computer Science, pp. 71–82. Springer (1996)
- 11. Gong, Z., Lai, X., Chen, K.: A synthetic indifferentiability analysis of some block-cipher-based hash functions. Des. Codes Cryptogr. **48**(3), 293–305 (2008)
- 12. Hirose, S., Park, J.H., Yun, A.: A simple variant of the Merkle–Damgård scheme with a permutation. In: Proceedings of ASIACRYPT 2007, vol. 4833 of Lecture Notes in Computer Science, pp. 113–129. Springer (2007)
- 13. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Proceedings of CRYPTO 2004, vol. 3152 of Lecture Notes in Computer Science, pp. 306–316. Springer (2004)
- 14. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Proceedings of EUROCRYPT 2006, vol. 4004 of Lecture Notes in Computer Science, pp. 183–200. Springer (2006)
- 15. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than \(2^{n}\) work. In: Proceedings of EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 474–490. Springer (2005)
- 16. Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Proceedings of EUROCRYPT 1992, vol. 658 of Lecture Notes in Computer Science, pp. 53–66. Springer (1992)
- 17. Lucks, S.: A failure-friendly design principle for hash functions. In: Proceedings of ASIACRYPT 2005, vol. 3788 of Lecture Notes in Computer Science, pp. 474–494. Springer (2005)
- 18. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Proceedings of TCC 2004, vol. 2951 of Lecture Notes in Computer Science, pp. 21–39. Springer (2004)
- 19. Merkle, R.C.: One way hash functions and DES. In: Proceedings of CRYPTO 1989, vol. 435 of Lecture Notes in Computer Science, pp. 428–446. Springer (1989)
- 20. National Institute of Standards and Technology: FIPS PUB 180-2, Secure Hash Standard, Aug 2002
- 21. Preneel, B.: Analysis and design of cryptographic hash functions. Ph.D. thesis, Katholieke Universiteit Leuven, Leuven, Belgium, Jan 1993