Adaptive Preimage Resistance and Permutation-based Hash Functions

In this paper, we introduce a new notion of security, called adaptive preimage resistance. We prove that a compression function that is collision resistant and adaptive preimage resistant can be combined with a public random function to yield a hash function that is indifferentiable from a random oracle. Specifically, we analyze adaptive preimage resistance of 2n-bit to n-bit compression functions that use three calls to n-bit public random permutations. This analysis also provides a simpler proof of their collision resistance and preimage resistance than the one provided by Rogaway and Steinberger [19]. By using such compression functions as building blocks, we obtain permutation-based pseudorandom oracles that outperform the Sponge construction [4] and the MD6 compression function [9] both in terms of security and efficiency.

[1] Shoichi Hirose et al. Some Plausible Constructions of Double-Block-Length Hash Functions, 2006, FSE.

[2] Hugo Krawczyk et al. HMQV: A High-Performance Secure Diffie-Hellman Protocol, 2005, CRYPTO.

[3] John Black et al. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV, 2002, CRYPTO.

[4] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction, 2008, EUROCRYPT.

[5] Mihir Bellare et al. The Exact Security of Digital Signatures - How to Sign with RSA and Rabin, 1996, EUROCRYPT.

[6] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology, 2004, TCC.

[7] John Black et al. On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions, 2005, EUROCRYPT.

[8] Daesung Kwon et al. Security of Single-permutation-based Compression Functions, 2009, IACR Cryptol. ePrint Arch.

[9] Thomas Ristenpart et al. How to Build a Hash Function from Any Collision-Resistant Function, 2007, ASIACRYPT.

[10] Shoichi Hirose. Provably Secure Double-Block-Length Hash Functions in a Black-Box Model, 2004, ICISC.

[11] Yevgeniy Dodis et al. Salvaging Merkle-Damgård for Practical Applications, 2009, IACR Cryptol. ePrint Arch.

[12] Vincent Rijmen et al. The WHIRLPOOL Hashing Function, 2003.

[13] Yevgeniy Dodis et al. A New Mode of Operation for Block Ciphers and Length-Preserving MACs, 2008, EUROCRYPT.

[14] Jean-Sébastien Coron et al. Merkle-Damgård Revisited: How to Construct a Hash Function, 2005, CRYPTO.

[15] Ronald L. Rivest et al. Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6, 2009, FSE.

[16] John P. Steinberger et al. Security/Efficiency Tradeoffs for Permutation-Based Hashing, 2008, EUROCRYPT.

[17] Mihir Bellare et al. Optimal Asymmetric Encryption - How to Encrypt with RSA, 1995.

[18] Martijn Stam. Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions, 2008, CRYPTO.

[19] John P. Steinberger et al. Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers, 2008, CRYPTO.

[20] Robert S. Winternitz. A Secure One-Way Hash Function Built from DES, 1984, 1984 IEEE Symposium on Security and Privacy.

[21] John P. Steinberger et al. The Collision Intractability of MDC-2 in the Ideal Cipher Model, 2007, IACR Cryptol. ePrint Arch.

[22] Joos Vandewalle et al. Hash Functions Based on Block Ciphers: A Synthetic Approach, 1993, CRYPTO.