Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6

Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

MD6 [17] is one of the earliest announced SHA-3 candidates, presented by Rivest at CRYPTO'08 [16]. Since then, MD6 has received a fair share of attention and has resisted several initial cryptanalytic attempts [1,11]. Given the interest in MD6, it is important to formally verify the soundness of its design from a theoretical standpoint. In this paper, we do so in two ways: once for the MD6 compression function and once for the MD6 mode of operation. Both proofs are based on the indifferentiability framework of Maurer et al. [13] (also see [9]). The first proof demonstrates that the "prepend/map/chop" manner in which the MD6 compression function is constructed yields a compression function that is indifferentiable from a fixed-input-length (FIL), fixed-output-length random oracle. The second proof demonstrates that the tree-based manner in which the MD6 mode of operation is defined yields a hash function that is indifferentiable from a variable-input-length (VIL), fixed-output-length random oracle. Both proofs are rather general and apply not only to MD6 but also to other sufficiently similar hash functions. These results may be interpreted as saying that the MD6 design has no structural flaws that make its input/output behavior clearly distinguishable from that of a VIL random oracle, even for an adversary who has access to inner components of the hash function. It follows that, under plausible assumptions about those inner components, the MD6 hash function may be safely plugged into any application proven secure assuming a monolithic VIL random oracle.

Original language: English (US)
Title of host publication: Fast Software Encryption - 16th International Workshop, FSE 2009, Revised Selected Papers
Pages: 104-121
Number of pages: 18
Volume: 5665 LNCS
DOI: 10.1007/978-3-642-03317-9_7
State: Published - 2009
Event: 16th International Workshop on Fast Software Encryption, FSE 2009 - Leuven, Belgium
Duration: Feb 22 2009 to Feb 25 2009

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5665 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 16th International Workshop on Fast Software Encryption, FSE 2009
Country: Belgium
City: Leuven
Period: 2/22/09 to 2/25/09

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Reyzin, L., Rivest, R. L., & Shen, E. (2009). Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In Fast Software Encryption - 16th International Workshop, FSE 2009, Revised Selected Papers (Vol. 5665 LNCS, pp. 104-121). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5665 LNCS). https://doi.org/10.1007/978-3-642-03317-9_7

@inproceedings{28cf95c6f265410d9ed427a5ea0daf29,
title = "Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6",
abstract = "MD6 [17] is one of the earliest announced SHA-3 candidates, presented by Rivest at CRYPTO'08 [16]. Since then, MD6 has received a fair share of attention and has resisted several initial cryptanalytic attempts [1,11]. Given the interest in MD6, it is important to formally verify the soundness of its design from a theoretical standpoint. In this paper, we do so in two ways: once for the MD6 compression function and once for the MD6 mode of operation. Both proofs are based on the indifferentiability framework of Maurer et al. [13] (also see [9]). The first proof demonstrates that the {"}prepend/map/chop{"} manner in which the MD6 compression function is constructed yields a compression function that is indifferentiable from a fixed-input-length (FIL), fixed-output-length random oracle. The second proof demonstrates that the tree-based manner in which the MD6 mode of operation is defined yields a hash function that is indifferentiable from a variable-input-length (VIL), fixed-output-length random oracle. Both proofs are rather general and apply not only to MD6 but also to other sufficiently similar hash functions. These results may be interpreted as saying that the MD6 design has no structural flaws that make its input/output behavior clearly distinguishable from that of a VIL random oracle, even for an adversary who has access to inner components of the hash function. It follows that, under plausible assumptions about those inner components, the MD6 hash function may be safely plugged into any application proven secure assuming a monolithic VIL random oracle.",
author = "Yevgeniy Dodis and Leonid Reyzin and Rivest, {Ronald L.} and Emily Shen",
year = "2009",
doi = "10.1007/978-3-642-03317-9_7",
language = "English (US)",
isbn = "3642033164",
volume = "5665 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "104--121",
booktitle = "Fast Software Encryption - 16th International Workshop, FSE 2009, Revised Selected Papers",
isbn13 = "9783642033162",
}
