Security Reductions of the Second Round SHA-3 Candidates

In 2007, the US National Institute for Standards and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm, in response to vulnerabilities identified in existing hash functions such as MD5 and SHA-1. NIST received many submissions, 51 of which were accepted to the first round; at present, 14 candidates remain in the second round. An important criterion in the selection process is the security of the SHA-3 hash function and, more concretely, the possible security reductions of the hash function to the security of its underlying building blocks. While some of the candidates are supported by firm security reductions, for most of the schemes these results are still incomplete. In this paper, we compare the state-of-the-art provable security reductions of the second round SHA-3 candidates. Surprisingly, we derive some security bounds from the literature of which the hash function designers seem to be unaware. Additionally, we generalize the well-known proof of collision resistance preservation so that all SHA-3 candidates with a suffix-free padding are covered.
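The collision-resistance preservation argument the abstract refers to, as an added illustration that is not code from the paper: a Merkle-Damgård-style iteration over a deliberately weak toy compression function with a suffix-free (length-strengthened) padding, plus the constructive reduction that turns any digest collision into a collision of the compression function. The block size, IV and 16-bit toy compression function are constructed for the demonstration, chosen small so that a digest collision can be found by a birthday search in a fraction of a second.

```python
import hashlib

BLOCK = 4      # toy block size in bytes (constructed)
IV = 0x2A2A    # toy initial chaining value (constructed)

def toy_compress(h: int, block: bytes) -> int:
    """Toy 16-bit compression function (truncated SHA-256) so collisions are cheap to find."""
    d = hashlib.sha256(h.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")

def pad(msg: bytes) -> bytes:
    """Suffix-free (MD-strengthening) padding: 0x80, zero fill, then the length as a full block."""
    p = msg + b"\x80"
    p += b"\x00" * (-len(p) % BLOCK)
    # The length block makes it impossible for one padded message to be a proper
    # suffix of another: messages of different length differ in their last block.
    return p + len(msg).to_bytes(BLOCK, "big")

def chain(msg: bytes):
    """Blocks of pad(msg) and the chaining values; hs[i] is the input to block i."""
    p = pad(msg)
    blocks = [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]
    hs = [IV]
    for b in blocks:
        hs.append(toy_compress(hs[-1], b))
    return blocks, hs

def iterated_hash(msg: bytes) -> int:
    return chain(msg)[1][-1]

def extract_collision(m1: bytes, m2: bytes):
    """The reduction made constructive: walk both chains backwards from the shared
    digest until the compression inputs differ; suffix-free padding guarantees they do."""
    b1, h1 = chain(m1)
    b2, h2 = chain(m2)
    i, j = len(b1) - 1, len(b2) - 1
    while i >= 0 and j >= 0:
        if (h1[i], b1[i]) != (h2[j], b2[j]):
            return (h1[i], b1[i]), (h2[j], b2[j])   # equal outputs, distinct inputs
        i, j = i - 1, j - 1
    raise AssertionError("padding was not suffix-free")

def find_hash_collision():
    """Birthday search over constructed messages b'1', b'2', ... (16-bit digests)."""
    seen = {}
    for n in range(1, 1 << 20):
        m = str(n).encode()
        d = iterated_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
```

The same walk-back works for any block size and length-field width; what the proof needs from the padding is only that no padded message is a proper suffix of another.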
