A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA

The contribution of the paper is two-fold. First, we design a novel permutation-based hash mode of operation FP, and analyze its security. The FP mode is derived by replacing the hard-to-invert primitive of the FWP mode (designed by Nandi and Paul and presented at Indocrypt 2010) with an easy-to-invert permutation; since easy-to-invert permutations with good cryptographic properties are normally easier to design, and are more efficient than hard-to-invert functions, the FP mode is more suitable for practical applications than the FWP mode. We show that any n-bit hash function that uses the FP mode is indifferentiable from a random oracle up to 2^{n/2} queries (up to a constant factor), provided the underlying 2n-bit permutation is free from structural weaknesses. Based on our further analysis and experiments, we conjecture that the FP mode resists all non-trivial generic attacks with work less than brute force, mainly because of its large internal state. We compare the FP mode with other permutation-based hash modes and observe that it displays the best security/rate trade-off so far. To put this into perspective, our second contribution is a proposal for a concrete hash function SAMOSA using the new mode and the P-permutations of the SHA-3 finalist Grøstl. Based on our analysis we claim that the SAMOSA family cannot be attacked with work significantly less than brute force. We also provide hardware implementation (FPGA) results for SAMOSA to compare it with the SHA-3 finalists. In our implementations, the SAMOSA family consistently beats Grøstl, BLAKE and Skein in the throughput-to-area ratio. With a more efficient underlying permutation, it seems possible to design a hash function based on the FP mode that achieves even higher performance.

[1] Kris Gaj et al. Throughput vs. Area Trade-offs in High-Speed Architectures of Five Round 3 SHA-3 Candidates Implemented Using Xilinx and Altera FPGAs. CHES, 2011.

[2] Antoine Joux et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. CRYPTO, 2004.

[3] Martin Schläffer. Updated Differential Analysis of Grøstl. 2011.

[4] Mridul Nandi et al. Speeding Up the Wide-Pipe: Secure and Fast Hashing. INDOCRYPT, 2010.

[5] Bart Preneel et al. The parazoa family: generalizing the sponge hash functions. International Journal of Information Security, 2012.

[6] Athar Mahboob et al. Efficient Hardware Implementations and Hardware Performance Evaluation of SHA-3 Finalists. 2012.

[7] Ronald L. Rivest et al. The MD5 Message-Digest Algorithm. RFC, 1992.

[8] Yu Sasaki et al. Rebound Attack on the Full Lane Compression Function. ASIACRYPT, 2009.

[9] Kris Gaj et al. Comprehensive Evaluation of High-Speed and Medium-Speed Implementations of Five SHA-3 Finalists Using Xilinx and Altera FPGAs. IACR Cryptology ePrint Archive, 2012.

[10] Stefan Lucks et al. Some Observations on Indifferentiability. ACISP, 2010.

[11] Bruce Schneier et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work. IACR Cryptology ePrint Archive, 2005.

[12] Thomas Peyrin et al. Improved Rebound Attack on the Finalist Grøstl. FSE, 2012.

[13] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. TCC, 2004.

[14] John Black et al. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. CRYPTO, 2002.

[15] Rishiraj Bhattacharyya et al. On the Indifferentiability of Fugue and Luffa. ACNS, 2011.

[16] Alex Biryukov et al. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds. IACR Cryptology ePrint Archive, 2010.

[17] Douglas R. Stinson et al. On the complexity of the herding attack and some related attacks on hash functions. Designs, Codes and Cryptography, 2012.

[18] Hovav Shacham et al. Careful with Composition: Limitations of the Indifferentiability Framework. EUROCRYPT, 2011.

[19] John Kelsey et al. Herding Hash Functions and the Nostradamus Attack. EUROCRYPT, 2006.

[20] G. Van Assche et al. Sponge Functions. 2007.

[21] Quynh H. Dang et al. Secure Hash Standard. NIST, 2015.

[22] Shirley M. Radack et al. Secure Hash Standard: Updated Specifications Approved and Issued as Federal Information Processing Standard (FIPS) 180-4. NIST, 2012.

[23] James H. Burrows et al. Secure Hash Standard. 1995.

[24] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction. EUROCRYPT, 2008.

[25] Stefan Lucks et al. A Failure-Friendly Design Principle for Hash Functions. ASIACRYPT, 2005.

[26] Florian Mendel et al. Symmetric Cryptography. 2009.

[27] Mridul Nandi et al. Security Analysis of the Mode of JH Hash Function. FSE, 2010.

[28] Arenberg Doctoral et al. Design and Analysis of Cryptographic Hash Functions. 2012.

[29] Ronald L. Rivest et al. Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6. FSE, 2009.

[30] Shuang Wu et al. (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others. FSE, 2012.

[31] Dmitry Khovratovich. Bicliques for Permutations: Collision and Preimage Attacks in Stronger Settings. ASIACRYPT, 2012.

[32] Eli Biham et al. A Framework for Iterative Hash Functions - HAIFA. IACR Cryptology ePrint Archive, 2007.

[33] Jean-Sébastien Coron et al. Merkle-Damgård Revisited: How to Construct a Hash Function. CRYPTO, 2005.