International Journal of Information Security

, Volume 13, Issue 4, pp 335–353 | Cite as

Sufficient conditions for sound tree and sequential hashing modes

  • Guido Bertoni
  • Joan DaemenEmail author
  • Michaël Peeters
  • Gilles Van Assche
Regular Contribution


Hash functions are usually composed of a mode of operation on top of a concrete primitive with fixed input-length and fixed output-length, such as a block cipher or a permutation. In practice, the mode is often sequential, although parallel (or tree) hashing modes are also possible. The former requires less memory, while the latter has several advantages such as its inherent parallelism and a lower cost of hash value recomputation when only a small part of the input changes. In this paper, we consider the general case of (tree or sequential) hashing modes that make use of an underlying hash function, which may in turn be sequential. We formulate a set of three simple conditions for such a (tree or sequential) hashing mode to be sound. By sound, we mean that the advantage in differentiating a hash function obtained by applying a tree hashing mode to an ideal underlying hash function from an ideal monolithic hash function is upper bounded by \(q^2/2^{n+1}\) with \(q\) the number of queries to the underlying hash function and \(n\) the length of the chaining values. We provide a proof of soundness in the indifferentiability framework. The conditions we formulate are easy to implement and to verify and can be used by the practitioner to build a tree hashing mode on top of an existing hash function. We show how to apply tree hashing modes to sequential hash functions in an optimal way, demonstrate the applicability of our conditions with two efficient and simple tree hashing modes and provide a simple method to take the union of tree hashing modes that preserves soundness. It turns out that sequential hashing modes using a compression function (i.e., a hash function with fixed input-length) can be considered as particular cases and, as a by-product, our results also apply to them. We discuss the different techniques for satisfying the three conditions, thereby shedding a new light on several published modes.


Hash functions Tree hashing modes Sequential hashing modes Indifferentiability 


  1. 1.
    Andreeva, E., Mennink, B., Preneel, B.: Security reductions of the second round SHA-3 candidates. Cryptology ePrint Archive, Report 2010/381, 2010,
  2. 2.
    Bagheri, N., Gauravaram, P., Knudsen, L.R., Zenner, E.: The suffix-free-prefix-free hash function construction and its indifferentiability security analysis. Int. J. Inf. Secur. 11(6), 419–434 (2012)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) Advances in Cryptology—Crypto ’96, LNCS, no. 1109, pp. 1–15. Springer (1996)Google Scholar
  4. 4.
    Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X. and Chen, K. (eds.) Advances in Cryptology—Asiacrypt 2006, LNCS, no. 4284, pp. 299–314. Springer (2006)Google Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM (ed.) ACM Conference on Computer and Communications Security 1993, pp. 62–73 (1993)Google Scholar
  6. 6.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak implementation overview, May 2012,
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (eds.) Advances in Cryptology—Eurocrypt 2008. Lecture Notes in Computer Science, vol. 4965, pp. 181–197. Springer (2008)
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sakura: A flexible coding for tree hashing. Cryptology ePrint Archive, Report 2013/231, 2013,
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. Ecrypt Hash Workshop 2007, May 2007, also available as public comment to NIST from
  10. 10.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree hashing modes. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography (Dagstuhl, Germany), Dagstuhl Seminar Proceedings, no. 09031, Schloss Dagstuhl—Leibniz-Zentrum fuer Informatik, Germany (2009)Google Scholar
  11. 11.
    Bitcoin Portal, Bitcoin protocol specification. 2013,
  12. 12.
    Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function, In: Nyberg, K. (ed.) Fast Software Encryption. Lecture Notes in Computer Science, vol. 5086, Springer, pp. 429–443 (2008)Google Scholar
  13. 13.
    Chapweske, J., Mohr, G.: Tree Hash EXchange format (THEX). 2003,
  14. 14.
    Coron, J., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) Advances in Cryptology—Crypto 2005, LNCS, no. 3621, pp. 430–448. Springer (2005)Google Scholar
  15. 15.
    Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) Advances in Cryptology—Crypto ’89, LNCS, no. 435, pp. 416–427. Springer (1989)Google Scholar
  16. 16.
    Dodis, Y., Reyzin, L., Rivest, R., Shen, E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: O. Dunkelman, (ed.) Fast Software Encryption. Lecture Notes in Computer Science, vol. 5665, pp. 104–121. Springer (2009)Google Scholar
  17. 17.
    Hirose, S., Park, J., Yun, A.: A simple variant of the Merkle-Damgård scheme with a permutation. Asiacrypt, pp. 113–129 (2007)Google Scholar
  18. 18.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) Theory of Cryptography—TCC 2004. Lecture Notes in Computer Science, no. 2951, pp. 21–39. Springer (2004)Google Scholar
  19. 19.
    Merkle, R.C.: Secrecy, authentication, and public key systems, PhD thesis. UMI Research Press (1982)Google Scholar
  20. 20.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008)
  21. 21.
    NIST, Federal information processing standard 180–2, secure hash standard. August 2002Google Scholar
  22. 22.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: Limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) Eurocrypt 2011. Lecture Notes in Computer Science, vol. 6632, pp. 487–506. Springer (2011)Google Scholar
  23. 23.
    Rivest, R., Agre, B., Bailey, D.V., Cheng, S., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function—a proposal to NIST for SHA-3. Submission to NIST, (2008)
  24. 24.
    Sarkar, P., Schellenberg, P.J.: A parallelizable design principle for cryptographic hash functions. Cryptology ePrint Archive, Report 2002/031, 2002,

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Guido Bertoni
    • 1
  • Joan Daemen
    • 2
    Email author
  • Michaël Peeters
    • 3
  • Gilles Van Assche
    • 2
  1. 1.STMicroelectronicsAgrateItaly
  2. 2.STMicroelectronicsDiegemBelgium
  3. 3.NXP SemiconductorsHaasrodeBelgium

Personalised recommendations