Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6

  • Yevgeniy Dodis
  • Leonid Reyzin
  • Ronald L. Rivest
  • Emily Shen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5665)

Abstract

MD6 [17] is one of the earliest announced SHA-3 candidates, presented by Rivest at CRYPTO’08 [16]. Since then, MD6 has received a fair share of attention and has resisted several initial cryptanalytic attempts [1,11].

Given the interest in MD6, it is important to formally verify the soundness of its design from a theoretical standpoint. In this paper, we do so in two ways: once for the MD6 compression function and once for the MD6 mode of operation. Both proofs are based on the indifferentiability framework of Maurer et al. [13] (also see [9]).

The first proof demonstrates that the “prepend/map/chop” manner in which the MD6 compression function is constructed yields a compression function that is indifferentiable from a fixed-input-length (FIL), fixed-output-length random oracle.

The second proof demonstrates that the tree-based manner in which the MD6 mode of operation is defined yields a hash function that is indifferentiable from a variable-input-length (VIL), fixed-output-length random oracle.

Both proofs are rather general and apply not only to MD6 but also to other sufficiently similar hash functions.

These results may be interpreted as saying that the MD6 design has no structural flaws that make its input/output behavior clearly distinguishable from that of a VIL random oracle, even for an adversary who has access to inner components of the hash function. It follows that, under plausible assumptions about those inner components, the MD6 hash function may be safely plugged into any application proven secure assuming a monolithic VIL random oracle.
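As an added illustration (not code from the paper or from the MD6 submission), the following toy models the two constructions the abstract names: a prepend/map/chop compression function built from a public permutation with an inverse, and a tree mode whose nodes carry a (level, final-flag) header. The constant Q, the Feistel-based permutation pi, the binary fan-out and all sizes are constructed assumptions; MD6 itself uses different parameters.

```python
import hashlib

# Toy sizes, constructed for illustration (MD6 itself uses 64-bit words and a 4-ary tree)
Q = b"\x73\x2a\x11\x99\x5e\x07"   # constant prepended to every permutation input
BLOCK = 16                       # compression-function input bytes (after Q)
OUT = 7                          # bytes kept after the chop
PAYLOAD = BLOCK - 2              # bytes left after a 2-byte (level, final) header
HALF = (len(Q) + BLOCK) // 2     # Feistel half-width: 11 bytes

def _f(i: int, half: bytes) -> bytes:
    # Public round function; SHA-256 is only a convenient stand-in for randomness
    return hashlib.sha256(bytes([i]) + half).digest()[:HALF]

def pi(x: bytes) -> bytes:
    """Fixed public permutation on len(Q)+BLOCK bytes (4-round Feistel)."""
    l, r = x[:HALF], x[HALF:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(i, r)))
    return l + r

def pi_inv(y: bytes) -> bytes:
    """Inverse of pi: an adversary in the model may query both directions."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(i, l))), l
    return l + r

def compress(x: bytes) -> bytes:
    """prepend/map/chop: prepend Q, apply pi, keep only the last OUT bytes."""
    assert len(x) == BLOCK
    return pi(Q + x)[-OUT:]

def tree_hash(msg: bytes) -> bytes:
    """Binary tree mode: leaves absorb padded message chunks, parents absorb two
    child outputs; the header (level, final flag) domain-separates every node."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % PAYLOAD)
    nodes = [padded[i:i + PAYLOAD] for i in range(0, len(padded), PAYLOAD)]
    level = 0
    while True:
        final = len(nodes) == 1
        nodes = [compress(bytes([level, int(final)]) + n) for n in nodes]
        if final:
            return nodes[0]
        if len(nodes) % 2:
            nodes.append(b"\x00" * OUT)   # zero block for a missing sibling
        nodes = [nodes[i] + nodes[i + 1] for i in range(0, len(nodes), 2)]
        level += 1
```

The inverse pi_inv is included because the indifferentiability model gives the distinguisher both directions of the permutation; the prepended Q and the chop are what keep those inverse queries from yielding useful compression-function inputs.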

Keywords

Hash function, random permutation, block cipher, random oracle, compression function

References

  1. Aumasson, J.-P., Meier, W.: Nonrandomness observed on a reduced version of the compression function with 18 rounds in about 2^17 operations
  2. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006)
  3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  4. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions (May 2007), http://www.csrc.nist.gov/pki/HashWorkshop/PublicComments/2007May.html
  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)
  6. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sufficient conditions for sound tree hashing modes. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography. Dagstuhl Seminar Proceedings (2009), http://www.dagstuhl.de/Materials/index.en.phtml?09031
  7. Chabaud, F., Joux, A.: Differential collisions of SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 56–71. Springer, Heidelberg (1998)
  8. Chang, D., Lee, S., Nandi, M., Yung, M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 283–298. Springer, Heidelberg (2006)
  9. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
  10. Crutchfield, C.Y.: Security proofs for the MD6 hash function mode of operation. Master’s thesis, MIT EECS Department (2008), http://groups.csail.mit.edu/cis/theses/crutchfield-masters-thesis.pdf
  11. Dinur, I., Shamir, A.: Cube attack on a reduced version of the compression function with 15 rounds
  12. Dodis, Y., Pietrzak, K., Puniya, P.: A new mode of operation for block ciphers and length-preserving MACs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 198–219. Springer, Heidelberg (2008)
  13. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  14. National Institute of Standards and Technology: Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3) family. Federal Register Notices, vol. 72(212), pp. 62212–62220 (November 2, 2007), http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
  15. National Institute of Standards and Technology: Announcing the development of new hash algorithm(s) for the revision of Federal Information Processing Standard (FIPS) 180-2, secure hash standard. Federal Register Notices, vol. 72(14), pp. 2861–2863 (January 23, 2007), http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Jan07.pdf
  16. Rivest, R.L.: Slides from invited talk at Crypto 2008 (2008), http://group.csail.mit.edu/cis/md6/Rivest-TheMD6HashFunction.ppt
  17. Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function: A proposal to NIST for SHA-3 (2008), http://groups.csail.mit.edu/cis/md6/submitted-2008-10-27/Supporting_Documentation/md6_report.pdf
  18. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
  19. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  20. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  21. Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)
  22. Yu, H., Wang, X.: Multicollision attack on the compression functions of MD4 and 3-pass HAVAL. IACR ePrint Archive, Report 2007/085 (2007), http://eprint.iacr.org/2007/085/.pdf

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yevgeniy Dodis, New York University, USA
  • Leonid Reyzin, Boston University, USA
  • Ronald L. Rivest, Massachusetts Institute of Technology, USA
  • Emily Shen, Massachusetts Institute of Technology, USA