Improved indifferentiability security bound for the JH mode

Indifferentiability security of a hash mode of operation guarantees the mode's resistance against all generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function was one of the five finalists in the National Institute of Standards and Technology SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode has remained remarkably low, only at $$n/3$$ bits, while the two finalist modes Keccak and Grøstl offer a security guarantee of $$n/2$$ bits. Note that all three modes operate with an $$n$$-bit digest and $$2n$$-bit permutations. In this paper, we improve the indifferentiability security bound for the JH mode to $$n/2$$ bits (e.g. from approximately 171 to 256 bits when $$n=512$$). To put this into perspective, our result guarantees the absence of (non-trivial) attacks on both the JH-256 and JH-512 hash functions with time less than approximately $$2^{256}$$ computations of the underlying 1024-bit permutation, under the assumption that the underlying permutations can be modeled as an ideal permutation. Our bounds are optimal for JH-256, and the best known for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and bad events. Our experimental data strongly supports the theoretically obtained results.
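The abstract states the setting of the analysis (an $$n$$-bit digest produced from a $$2n$$-bit permutation, modeled as an ideal permutation) without spelling out the mode itself. The following Python code is an added illustration, not code from the paper or from the JH submission: it implements the JH mode of operation as specified in the JH design (an $$n$$-bit message block is XORed into the first half of the $$2n$$-bit chaining value before the permutation and into the second half after it, and the digest is the last $$n$$ bits of the final state) on top of a lazily sampled random permutation, which is exactly the ideal-permutation model the bound is proved in. The zero IV, the seeded random source and the simplified padding (a 1 bit, zero fill, then one block holding the message length) are constructed for the example and are not JH's actual constants or padding rule.

```python
import random


class IdealPermutation:
    """Lazily sampled random permutation on w-bit strings.

    This is the ideal-permutation model: every fresh forward or inverse
    query receives a uniformly random, not-yet-used answer, and the two
    tables keep forward and inverse queries consistent with each other.
    """

    def __init__(self, width_bits, seed=0):
        self.width = width_bits
        self.fwd = {}           # x -> P(x)
        self.inv = {}           # y -> P^{-1}(y)
        self.rng = random.Random(seed)   # seeded only so the example is repeatable

    def _fresh(self, used):
        # Rejection sampling is fine here: the number of queries is tiny
        # compared with 2^width, so almost every draw is unused.
        while True:
            v = self.rng.getrandbits(self.width)
            if v not in used:
                return v

    def forward(self, x):
        if x not in self.fwd:
            y = self._fresh(self.inv)
            self.fwd[x] = y
            self.inv[y] = x
        return self.fwd[x]

    def inverse(self, y):
        if y not in self.inv:
            x = self._fresh(self.fwd)
            self.inv[y] = x
            self.fwd[x] = y
        return self.inv[y]


def pad_blocks(message, n_bits):
    """Split a message into n-bit blocks (simplified padding, constructed for this example).

    Appends a single 1 bit, zero-fills to a block boundary, then adds one
    extra block containing the message length in bits.
    """
    if n_bits % 8:
        raise ValueError("n_bits must be a multiple of 8 for this example")
    n_bytes = n_bits // 8
    data = message + b"\x80"
    data += b"\x00" * ((-len(data)) % n_bytes)
    data += (len(message) * 8).to_bytes(n_bytes, "big")
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]


def jh_mode(perm, message, n_bits):
    """JH mode of operation: n-bit blocks, 2n-bit chaining value, n-bit digest.

    For each block M:  H <- P(H xor (M || 0^n)) xor (0^n || M)
    The high n bits of the integer are the "first half" of the state.
    """
    mask_n = (1 << n_bits) - 1
    state = 0   # constructed IV; the real JH derives its IV from the digest length
    for block in pad_blocks(message, n_bits):
        state = perm.forward(state ^ (block << n_bits)) ^ block
    return state & mask_n   # digest = last n bits of the final 2n-bit state


if __name__ == "__main__":
    n = 32                                   # toy size; JH-512 uses n = 512
    P = IdealPermutation(2 * n, seed=7)      # one 2n-bit ideal permutation
    print(hex(jh_mode(P, b"abc", n)))
```

Every query the mode makes to `P` is visible in `P.fwd` and `P.inv`, which is the query-response view the paper's simulator argument reasons about; the digest is a truncation of a state twice its width, so the chaining value carries $$n$$ more bits than the adversary ever sees directly.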
