Indifferentiability of Double-Block-Length Hash Function Without Feed-Forward Operations

Yusuke Naito
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10343)


Designing a cryptographic scheme with minimal components is a main theme in cryptographic research. In double-block-length (DBL) hashing, feed-forward operations are used to prevent attacks that exploit the blockcipher's decryption function, whereas Özen and Stam showed that with an iterated structure the feed-forward operations can be eliminated. More precisely, their DBL iterated hash functions are collision resistant up to about \(2^n\) query complexity when a blockcipher with n-bit blocks is used.

Regarding the security of hash functions, pseudorandom-oracle (PRO) security, that is, indifferentiability from a random oracle, is a stronger notion than collision resistance and an important criterion for hash functions. Although several DBL hash functions with PRO security have been proposed, all of them use feed-forward operations. Note that the Özen-Stam hash functions are not secure PROs, because they are vulnerable to the length-extension attack. Hence, designing a PRO-secure DBL hash function without feed-forward operations has remained an open problem.

In this paper, we show that the feed-forward operations in the PRO-secure DBL hash function can be eliminated: the simplified scheme is a secure PRO up to about \(2^n\) query complexity. To our knowledge, this is the first PRO-secure DBL hash function without feed-forward operations.
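The two mechanisms the abstract invokes, the decryption-function attack that feed-forward prevents and the length-extension attack that rules out PRO security for a plain iteration, worked through in Python as an added example (this is not code from the paper). It assumes a constructed 64-bit Feistel toy blockcipher built from SHA-256, a single-block-length chain with a zero IV and Merkle-Damgård strengthening, and constructed message strings; the paper's double-block-length construction is not reproduced here.

```python
"""Added toy example (not from Naito's paper) of two facts the abstract uses:
 (1) without feed-forward the compression function h_i = E_{m_i}(h_{i-1}) is
     inverted with one call to the decryption function D, while a Davies-Meyer
     feed-forward (E_m(h) xor h) blocks that direct inversion;
 (2) a plain iteration that outputs its chaining state admits length
     extension, with or without feed-forward, so it cannot be a PRO.
The 64-bit Feistel cipher, single-block-length chain, zero IV and padding are
assumptions of this example, not the paper's double-block-length scheme."""
import hashlib

BLOCK = 8                 # 64-bit block handled as two 32-bit halves
ROUNDS = 8
IV = b"\x00" * BLOCK      # fixed public initial value (assumed here)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _F(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed, round-indexed round function truncated to one half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def E(key: bytes, x: bytes) -> bytes:
    """Toy blockcipher: balanced Feistel network, key of any length."""
    L, R = x[:BLOCK // 2], x[BLOCK // 2:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _F(key, r, R))
    return L + R


def D(key: bytes, y: bytes) -> bytes:
    """Inverse of E: the same rounds run backwards."""
    L, R = y[:BLOCK // 2], y[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _F(key, r, L)), L
    return L + R


def f_no_ff(h: bytes, m: bytes) -> bytes:
    """Compression without feed-forward: h_i = E_{m_i}(h_{i-1})."""
    return E(m, h)


def f_dm(h: bytes, m: bytes) -> bytes:
    """Davies-Meyer compression with feed-forward: E_{m_i}(h_{i-1}) xor h_{i-1}."""
    return _xor(E(m, h), h)


def invert_no_ff(target: bytes, m: bytes) -> bytes:
    """Decryption-function attack: for any block m, D_m(target) is a chaining
    input that f_no_ff maps to target. One decryption query, no search."""
    return D(m, target)


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, 64-bit big-endian bit length."""
    body = msg + b"\x80"
    body += b"\x00" * ((-len(body) - 8) % BLOCK)
    return body + (8 * len(msg)).to_bytes(8, "big")


def iterate(f, state: bytes, data: bytes) -> bytes:
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state


def H(f, msg: bytes) -> bytes:
    """Plain iterated hash: chain f from IV and output the final state as-is."""
    return iterate(f, IV, pad(msg))


def length_extension(f, digest: bytes, orig_len: int, suffix: bytes):
    """Given only H(M) and |M|, return (glue, H(M || glue || suffix)) without M.
    The padding depends only on the length, so it can be recomputed, and the
    leaked digest is exactly the state an honest hasher would continue from."""
    glue = pad(b"\x00" * orig_len)[orig_len:]
    forged_len = orig_len + len(glue) + len(suffix)
    tail = pad(b"\x00" * forged_len)[forged_len:]
    return glue, iterate(f, digest, suffix + tail)


def demo() -> dict:
    """Run both attacks on constructed inputs; return pass/fail flags."""
    m, target = b"blockkey", bytes.fromhex("0123456789abcdef")
    h = invert_no_ff(target, m)
    out = {"no_ff_preimage": f_no_ff(h, m) == target}            # True
    # Same trick against Davies-Meyer fails unless D_m(target) is all-zero.
    out["dm_naive_inversion"] = f_dm(D(m, target), m) == target  # False
    M, suffix = b"amount=100&to=alice", b"&to=mallory"             # constructed
    for name, f in (("no_ff", f_no_ff), ("dm", f_dm)):
        glue, forged = length_extension(f, H(f, M), len(M), suffix)
        out["extension_" + name] = H(f, M + glue + suffix) == forged  # True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first flag shows that one decryption query inverts the compression function without feed-forward; the second that the same query does not invert Davies-Meyer. The inverted chaining value alone does not break the iterated hash, since it still has to be reached from the fixed IV, which is the observation behind the Özen-Stam collision bound. The last two flags show that length extension works with and without feed-forward, because the weakness is the iteration handing out its full chaining state; that is the attack the abstract cites against the Özen-Stam functions, and it is what a PRO-secure design has to rule out.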


Keywords: Double-block-length hash, Blockcipher, Feed-forward operations, Pseudorandom oracle


References

1. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_21
2. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_31
3. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). doi:10.1007/11535218_26
4. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). doi:10.1007/0-387-34805-0_39
5. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993). doi:10.1007/3-540-57332-1_17
6. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
7. Fleischmann, E., Forler, C., Gorski, M., Lucks, S.: Collision resistant double-length hashing. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 102–118. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16280-0_7
8. Fleischmann, E., Forler, C., Lucks, S., Wenzel, J.: Weimar-DM: a highly secure double-length compression function. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 152–165. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31448-3_12
9. Fleischmann, E., Gorski, M., Lucks, S.: Security of cyclic double block length hash functions. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_10
10. Gong, Z., Lai, X., Chen, K.: A synthetic indifferentiability analysis of some block-cipher-based hash functions. Des. Codes Crypt. 48(3), 293–305 (2008)
11. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_22
12. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006). doi:10.1007/11799313_14
13. Hirose, S., Kuwakado, H.: A block-cipher-based hash function using an MMO-type double-block compression function. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 71–86. Springer, Cham (2014). doi:10.1007/978-3-319-12475-9_6
14. Hirose, S., Naito, Y., Sugawara, T.: Output masking of tweakable Even-Mansour can be eliminated for message authentication code. In: SAC 2016. LNCS, Springer (to appear, 2016)
15. Hirose, S., Park, J.H., Yun, A.: A simple variant of the Merkle-Damgård scheme with a permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_7
16. Kurosawa, K.: Power of a public random permutation and its application to authenticated encryption. IEEE Trans. Inf. Theory 56(10), 5366–5374 (2010)
17. Kuwakado, H., Hirose, S.: Hashing mode using a lightweight blockcipher. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 213–231. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_13
18. Lai, X., Massey, J.L.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993). doi:10.1007/3-540-47555-9_5
19. Lee, J., Kwon, D.: The security of Abreast-DM in the ideal cipher model. IEICE Trans. 94-A(1), 104–109 (2011)
20. Lee, J., Stam, M.: MJH: a faster alternative to MDC-2. Des. Codes Crypt. 76(2), 179–205 (2015)
21. Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal cipher model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_32
22. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_3
23. Lucks, S.: A collision-resistant rate-1 double-block-length hash function. In: Symmetric Cryptography, 07.01.–12.01.2007. Dagstuhl Seminar Proceedings, vol. 07021. Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2007)
24. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24638-1_2
25. Mennink, B.: Optimal collision security in double block length hashing with single length key. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 526–543. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_32
26. Mennink, B.: Indifferentiability of double length compression functions. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 232–251. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45239-0_14
27. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). doi:10.1007/0-387-34805-0_40
28. Meyer, C., Matyas, S.: Secure program load with manipulation detection code. In: SECURICOM, pp. 111–130 (1988)
29. Naito, Y.: Blockcipher-based double-length hash functions for pseudorandom oracles. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 338–355. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28496-0_20
30. NIST: Announcing the Advanced Encryption Standard (AES). FIPS 197 (2001)
31. Özen, O., Stam, M.: Another glance at double-length hashing. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_11
32. Preneel, B., Bosselaers, A., Govaerts, R., Vandewalle, J.: Collision-free hash functions based on blockcipher algorithms. In: Proceedings of 1989 International Carnahan Conference on Security Technology, pp. 203–210 (1989)
33. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_31
34. Rabin, M.O.: Digitalized signatures. In: Foundations of Secure Computation 1978, pp. 155–166. Academic Press, New York (1978)
35. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30539-2_2
36. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23951-9_23
37. Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03317-9_5
38. Steinberger, J.P.: The collision intractability of MDC-2 in the ideal-cipher model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72540-4_3
39. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). doi:10.1007/978-3-642-35999-6_22

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

Yusuke Naito, Mitsubishi Electric Corporation, Kanagawa, Japan