Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6

MD6 [17] is one of the earliest announced SHA-3 candidates, presented by Rivest at CRYPTO'08 [16]. Since then, MD6 has received a fair share of attention and has resisted several initial cryptanalytic attempts [1,11]. Given the interest in MD6, it is important to formally verify the soundness of its design from a theoretical standpoint. In this paper, we do so in two ways: once for the MD6 compression function and once for the MD6 mode of operation. Both proofs are based on the indifferentiability framework of Maurer et al. [13](also see [9]). The first proof demonstrates that the "prepend/map/chop" manner in which the MD6 compression function is constructed yields a compression function that is indifferentiable from a fixed-input-length (FIL), fixed-output-length random oracle. The second proof demonstrates that the tree-based manner in which the MD6 mode of operation is defined yields a hash function that is indifferentiable from a variable-input-length (VIL), fixed-output-length random oracle. Both proofs are rather general and apply not only to MD6 but also to other sufficiently similar hash functions. These results may be interpreted as saying that the MD6 design has no structural flaws that make its input/output behavior clearly distinguishable from that of a VIL random oracle, even for an adversary who has access to inner components of the hash function. It follows that, under plausible assumptions about those inner components, the MD6 hash function may be safely plugged into any application proven secure assuming a monolithic VIL random oracle.

[1]  Yevgeniy Dodis,et al.  A New Mode of Operation for Block Ciphers and Length-Preserving MACs , 2008, EUROCRYPT.

[2]  Xiaoyun Wang,et al.  Multi-collision Attack on the Compression Functions of MD4 and 3-Pass HAVAL , 2007, ICISC.

[3]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[4]  G. V. Assche,et al.  Sponge Functions , 2007 .

[5]  Nigel P. Smart,et al.  Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings , 2008, EUROCRYPT.

[6]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[7]  Mihir Bellare,et al.  Multi-Property-Preserving Hash Domain Extension and the EMD Transform , 2006, ASIACRYPT.

[8]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[9]  Moti Yung,et al.  Indifferentiable Security Analysis of Popular Hash Functions with Prefix-Free Padding , 2006, ASIACRYPT.

[10]  Hui Chen,et al.  Cryptanalysis of the Hash Functions MD4 and RIPEMD , 2005, EUROCRYPT.

[11]  Ronald L. Rivest The MD 6 hash function A proposal to NIST for SHA-3 , 2008 .

[12]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[13]  Guido Bertoni,et al.  Sufficient conditions for sound tree hashing modes , 2009, Symmetric Cryptography.

[14]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[15]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[16]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[17]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[18]  Kefei Chen,et al.  Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings , 2006, ASIACRYPT.

[19]  Christopher Yale Crutchfield Security Proofs for the MD6 Hash Function Mode of Operation , 2008 .

[20]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[21]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[22]  J. Leasure,et al.  Announcing request for candidate algorithm nominations for a new cryptographic hash algorithm (SHA-3 , 2007 .

[23]  Antoine Joux,et al.  Differential Collisions in SHA-0 , 1998, CRYPTO.