On the Indifferentiability of the Grøstl Hash Function

The notion of indifferentiability, introduced by Maurer et al., is an important criterion for the security of hash functions. Concretely, it ensures that a hash function has no structural design flaws and thus guarantees security against generic attacks up to the proven bounds. In this work we prove the indifferentiability of Grøstl, a second-round SHA-3 hash function candidate. Grøstl combines characteristics of the wide-pipe and chop-Merkle-Damgård iterations and uses two distinct permutations $P$ and $Q$ internally. Under the assumption that $P$ and $Q$ are random $l$-bit permutations, where $l$ is the iterated state size of Grøstl, we prove that the advantage of a distinguisher to differentiate Grøstl from a random oracle is upper bounded by $O((Kq)^4/2^l)$, where the distinguisher makes at most $q$ queries of length at most $K$ blocks. This result implies that Grøstl behaves like a random oracle up to $q = O(2^{n/2})$ queries, where $n$ is the output size. Furthermore, we show that the output transformation of Grøstl, as well as 'Grøstail' (the composition of the final compression function and the output transformation), are clearly differentiable from a random oracle. This rules out indifferentiability proofs which rely on the idealness of the final state transformation.
