Improved Indifferentiable Security Analysis of PHOTON

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8642)


In this paper, we study the indifferentiable security of the domain extension algorithm of the PHOTON hash function that was proven to be indifferentiable from a random oracle up to \(\mathcal{O}(2^{\min\{ c/2, c^\prime/2 \}})\) query complexity, where c is the capacity in the absorbing step of PHOTON and c is that in the squeezing step. By reducing the size c , one can reduce the processing time spent by PHOTON, while the indifferentiable security is degraded. Note that there is no generic attack on PHOTON with \(\mathcal{O}(2^{c^\prime/2})\) query complexity. Thus it is interesting to investigate the optimality of the indifferentiable security and the size of c ensuring the \(\mathcal{O}(2^{c/2})\) security.

For these motivations, first, we prove that PHOTON is indifferentiable from a random oracle up to \(\mathcal{O}(\min \{ q_{\mathsf{mcoll}} (d^\ast,c-c^\prime ), 2^{c/2} \})\) query complexity where q mcoll (d  ∗ ,c − c ) is the query complexity to find a d  ∗ -multi-collision of (c − c ) bits of hash values and d  ∗  satisfies \(q_{\mathsf{mcoll}} (d^\ast,c-c^\prime ) = 2^{c^\prime }/d^\ast\). We also show that there exists a generic attack on PHOTON with the same query complexity. Thus the indifferentiable security of our proof is optimal.

Second, by using this bound we study the parameter c ensuring the \(\mathcal{O}(2^{c/2})\) security. We show that the \(\mathcal{O}(2^{c/2})\) security is ensured if c  ≥ c/2 + log2 c, which implies that we can reduce the processing time by PHOTON with keeping the same indifferentiable security.

Finally, we propose a faster construction than PHOTON with keeping the same indifferentiable security, where the length of the first message block is modified from r bits to r + c/2 bits.


Indifferentiability from a random oracle PHOTON optimal security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Andreeva, E., Mennink, B., Preneel, B.: The Parazoa Family: Generalizing the Sponge Hash Functions. Int. J. Inf. Sec. 11 (2012)Google Scholar
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A Lightweight Hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak sponge function family,
  4. 4.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop (2007)Google Scholar
  5. 5.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the Indifferentiability of the Sponge Construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Canteaut, A., Fuhr, T., Naya-Plasencia, M., Paillier, P., Reinhard, J.-R., Videau, M.: A Unified Indifferentiability Proof for Permutation- or Block Cipher-Based Hash Functions. IACR Cryptology ePrint Archive, 2012/363Google Scholar
  8. 8.
    Chang, D., Nandi, M.: Improved Indifferentiability Security Analysis of chopMD Hash Function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  9. 9.
    Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Guo, J., Peyrin, T., Poschmann, A.: The photon family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  11. 11.
    Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  12. 12.
    Naito, Y., Sasaki, Y., Wang, L., Yasuda, K.: Generic State-Recovery and Forgery Attacks on ChopMD-MAC and on NMAC/HMAC. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 83–98. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  13. 13.
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
    Steinberger, J.P.: The Collision Intractability of MDC-2 in the Ideal-Cipher Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Mitsubishi Electric Corporation and The University of Electro-CommunicationsJapan
  2. 2.The University of Electro-CommunicationsJapan

Personalised recommendations