On the Impact of Known-Key Attacks on Hash Functions


Bart Mennink and Bart Preneel
Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium

Abstract. Hash functions are often constructed based on permutations or blockciphers, and security proofs are typically done in the ideal permutation or cipher model. However, once these random primitives are instantiated, vulnerabilities of these instantiations may nullify the security. At ASIACRYPT 2007, Knudsen and Rijmen introduced known-key security of blockciphers, which gave rise to many distinguishing attacks on existing blockcipher constructions. In this work, we analyze the impact of such attacks on primitive-based hash functions. We present and formalize the weak cipher model, which captures the case where a blockcipher has a certain weakness but is perfectly random otherwise. A specific instance of this model, considering the existence of sets of B queries whose XOR equals 0 at the bit positions C, where C is an index set, covers a wide range of known-key attacks in the literature. We apply this instance to the PGV compression functions, as well as to the Grøstl (based on two permutations) and Shrimpton-Stam (based on three permutations) compression functions, and show that these designs do not seriously succumb to any differential known-key attack known to date.

Keywords: Hash functions, known-key security, Knudsen-Rijmen, PGV, Grøstl, Shrimpton-Stam, collision resistance, preimage resistance

1 Introduction

Cryptographic hash functions are conventionally built on top of compression functions, and in turn on one or more blockciphers. Since the first appearance of such a compression function, $F(h, m) = \mathrm{DES}_m(h)$ by Rabin [49] in the late 70s, many blockcipher-based functions have appeared in the literature [3, 5, 9, 30, 40, 43, 48, 59]. These all enjoy security proofs in the ideal model, where the underlying ciphers are assumed to behave ideally. Characteristic to these designs is that the key input to the cipher depends on the input to the compression function,
and that the key scheduling needs to be sufficiently strong. For instance, Biryukov et al. [6] derived a related-key attack on AES and claimed that it invalidates the security of the Davies-Meyer compression function when the underlying primitive is instantiated with AES. A more recent approach to compression function design is to base them on a limited number of permutations [8, 41, 4, 51, 57]. These permutations could be designed from scratch, or obtained by fixing a small set of keys and using a blockcipher for these keys only. Related- or chosen-key attacks on blockciphers do not help the adversary here, as the keys are fixed.

Known-Key Security of Blockciphers. In the classical security models for blockciphers the key is secret and randomly drawn, and the adversary's target is to distinguish the instantiation of the cipher from a random permutation (also known as (strong) pseudorandom permutation security); this notion does not apply if the key is known to the adversary. At ASIACRYPT 2007, Knudsen and Rijmen [7] introduced known-key security of blockciphers. Here, the key is presumed known, and the adversary succeeds in distinguishing if it identifies a structural property of the cipher. Andreeva et al. [1] proposed a way to formalize the known-key security of blockciphers based on the underlying primitives. The model is

derived from the indifferentiability framework [37] and hence all composition results carry over. Intuitively: suppose some cryptosystem F is proven to achieve a certain level of security in the ideal permutation model, and consider F' to be F with the permutations replaced by independent blockcipher instantiations. Then, F' achieves the same level of security as F, up to the known-key indifferentiability bound of the underlying blockciphers. In [1], several blockcipher constructions are proven to be known-key indifferentiable, such as the multiple Even-Mansour cipher and 14 rounds of balanced Feistel with random functions (using a result of Holenstein et al. [4]). For such ciphers, the above approach works well, although for Even-Mansour the composition is trivial (one essentially replaces an ideal permutation by an ideal permutation) and for Feistel with 14 rounds security is only guaranteed up to $2^{n/32}$ queries, where n is the state size of the cipher.

Known-Key Attacks on Blockciphers. Knudsen and Rijmen also demonstrated that the Feistel network on n bits with 7 rounds (called Feistel_7) is not known-key indifferentiable [1, 7]: an adversary can generically find $2^{n/2}$ plaintext/ciphertext tuples (m, c) and (m', c') satisfying $\mathrm{Ri}_{n/2}(m \oplus c \oplus m' \oplus c') = 0$ (where $\mathrm{Ri}_r(x)$ outputs the r rightmost bits of x). This result has led to a wave of other known-key attacks on practical constructions, including generalized/extended variants of Feistel [1, 7, 47, 53, 56], reduced versions of AES or Rijndael [, 7, 38, 44, 5], reduced variants of the blockciphers underlying SHA-2 and the SHA-3 finalists BLAKE and Skein [, 7, 31, 34, 61], and many more [3, 11, 1, 14, 17, 18, 8, 33, 46, 47, 54, 55]. This paper will mostly be concerned with differential known-key attacks, including rebound- and boomerang-based attacks (the majority of the above-mentioned attacks). We highlight two results that are among the best-known ones and that exemplify the idea of the other attacks.

Gilbert and Peyrin [] used the rebound technique [39] to derive a known-key attack on 8 rounds of AES (called AES_8). It starts from the middle, and results in a differential trail with four active words at the beginning, and four at the end. These active words overlap at two positions, hence one could consider this result as two tuples (m, c) and (m', c') satisfying $m \oplus c \oplus m' \oplus c' = 0$ at 10n/16 bit positions. The adversary has $2^{15} \approx 2^{n/8}$ degrees of freedom in the attack, and for any choice it results in such a tuple with a certain probability. (The bound of $2^{n/8}$ is used for simplicity later on.) The second attack we highlight is by Yu et al. [61], who employ the boomerang technique [60] to attack 36 rounds of the blockcipher Threefish-512 (called Threefish_36) used in Skein. This attack results in four tuples $(m_1, c_1), \ldots, (m_4, c_4)$ satisfying $m_1 \oplus c_1 \oplus \cdots \oplus m_4 \oplus c_4 = 0$. The adversary has $2^n$ degrees of freedom, but any trial succeeds with probability approximately $2^{-454}$. Therefore, the expected number of solutions is about $2^n \cdot 2^{-454} \approx 2^{n/8}$. This attack is in fact a known-related-key attack, where a fixed difference in the key exists. For simplicity, we condone this, observing that an attack with no key difference must logically be harder. In any of these cases, the traditional and commonly employed ideal cipher/permutation model falls short: results achieved in this model do not necessarily hold if the primitives are instantiated with Feistel_7, AES_8, Threefish_36, or any other known-key distinguishable cipher.

1.1 Our Contributions

In their seminal work, Knudsen and Rijmen state: "In some cases blockciphers are used with a key that is known to the adversary, and at least to a certain extent, the key is under the adversary's control. Our attacks are quite relevant to this case." We investigate this fundamental question of whether known-key attacks invalidate the security of primitive-based hash functions, but we do so in a much more general way. At a high level, we present a model that goes beyond the traditional ideal cipher model as well as the principle of known-key attacks and that allows us to generically analyze the impact of
various weaknesses of blockciphers on various blockcipher- and permutation-based cryptosystems.

Model. A naive approach to analyzing the impact of known-key attacks would be to simply plug a certain blockcipher construction into a hash function and to analyze its security,

but this would be a devious and complex combinatorial task: for a function based on r permutations, plugging Feistel_7 into it would lead to 7r underlying primitive calls. Note that proving security of the Feistel construction itself is already extraordinarily hard [16, 4, 3]. Instead, we model the blockciphers in such a way that they behave randomly, except that an adversary can exploit the particular relation. More formally, we pose a certain predicate Φ, and we draw blockciphers randomly from the set of all ciphers that comply with predicate Φ. Throughout, we refer to this model as the weak cipher model (WCM). It corresponds to the ideal cipher model if Φ is trivial. We present an explicit description of a random weak cipher for the case where Φ implies for each key k the existence of A sets of B queries $\{(k, m_1, c_1), \ldots, (k, m_B, c_B)\}$ that comply with a certain condition ϕ. These ciphers are modeled to have three interfaces: forward queries, inverse queries, and predicate queries. Forward and inverse queries are as usual; on a predicate query, an adversary is given a set of B queries satisfying ϕ. Multiple technicalities are involved in this formalization. Most importantly, predicate Φ applies to tuples of queries, rather than single queries only, and some query responses may have a reduced entropy. The above-mentioned known-key attacks are covered by our model if the condition ϕ states for some $C \subseteq \{1, \ldots, n\}$ that

$$\mathrm{Bits}_C(m_1 \oplus c_1 \oplus \cdots \oplus m_B \oplus c_B) = 0, \qquad (1)$$

where $\mathrm{Bits}_C(x)$ outputs a string consisting of all bits of x whose index is in C. (In fact, our model is much more general: the above-mentioned attacks aim to generate only one relation, while we allow an adversary to see multiple relations.) The value A usually depends on n and C is regularly a large subset. We consider B to be a relatively small number (independent of n). For the above-mentioned attack on Feistel_7, $A = 2^{n/2}$, B = 2, and C corresponds to the rightmost n/2 bits. Similarly, the attacks on AES_8 (for $A = 2^{n/8}$, B = 2, and C a certain set of size 10n/16) and Threefish_36 (for $A = 2^{n/8}$, B = 4, and C = {1, …, n}) are covered, and so are almost all known differential (rebound- or boomerang-based) known-key attacks. We remark that, on the other hand, the predicate is not well-suited for integral-based known-key attacks: upon a predicate query an attacker would receive $B \approx 2^n$ queries.

The weak cipher model is similar to an approach followed by Bresson et al. [15] for the indifferentiability analysis of the SHA-3 candidate Shabal if the underlying blockcipher shows some non-random behavior, and by Bouillaguet et al. [13] to analyze the indifferentiability security of SIMD when the underlying compression function is distinguishable from a random function. However, in both approaches, the underlying biased primitives were relatively easy to model. For instance in [15] (using our terminology), predicate Φ is a relation that holds for single queries only, and not for combinations of queries. This considerably simplifies the analysis: one can derive a bias β to measure the distance between primitive responses and fully random responses, consider oracle responses to be drawn from a set of size at least $2^n - \beta$, and the original indifferentiability analysis carries over with minor modifications. The predicate used in the analysis in [13], on the other hand, does apply to tuples of queries, but the model can simply be described using two sampling algorithms, and an adversary cannot hit a weak pair by accident (which is possible in our analysis). Liskov [35] used a similar approach to prove indifferentiability security of the zipper hash if the underlying compression function is invertible up to a certain degree. However, the analysis is significantly simpler, as this primitive can be perfectly modeled. We finally remark that Katz et al. [6] analyze the impact of related-key attacks on blockciphers on hash functions. However, in their model, the differences $\Delta_k, \Delta_x, \Delta_y$ are fixed, an ideal cipher is generated for half of the key space, and for the other half the cipher is adjusted
as $E_{k \oplus \Delta_k}(x \oplus \Delta_x) = E_k(x) \oplus \Delta_y$. This primitive can be easily modeled, but is also too generous to the attacker. To our knowledge, this is the first attempt to formally analyze the effect of a wide class of blockcipher attacks on higher-level cryptographic functions. Nonetheless, the weak cipher model is in essence still a model: we use an abstraction of the cryptanalytic known-key attacks in such a way that the ideal cipher model can be relaxed to cope with them. A further discussion on the accuracy of the model is given in Sect. 7.

Table 1. Security results for the PGV, Grøstl, and Shrimpton-Stam compression functions in the weak cipher model. Ideal cipher/permutation model bounds match the ones of B ≥ 3. All results are tight except for the case (B = 1, |C| > n/2) for Shrimpton-Stam.

                      PGV                              Grøstl                           Shrimpton-Stam
  B     |C|           collision        preimage        collision        preimage        collision        preimage
  1     ≤ n/2         2^{(n-|C|)/2}    2^{n-|C|}       2^{(n-|C|)/4}    2^{(n-|C|)/2}    2^{(n-|C|)/2}    2^{n/2}
  1     > n/2         2^{(n-|C|)/2}    2^{n-|C|}       2^{(n-|C|)/4}    2^{(n-|C|)/2}    2^{(n-|C|)/2}    2^{n-|C|}
  2     ≤ n/2         2^{n/2}          2^n             2^{n/4}          2^{n/2}          2^{n/2}          2^{n/2}
  2     > n/2         2^{n-|C|}        2^n             2^{(n-|C|)/2}    2^{n/2}          2^{n-|C|}        2^{n/2}
  ≥ 3   arbitrary     2^{n/2}          2^n             2^{n/4}          2^{n/2}          2^{n/2}          2^{n/2}

Application to Blockcipher-Based Hash Functions. Preneel, Govaerts, and Vandewalle (PGV) [48] classified the 64 most basic ways of constructing a 2n-to-n-bit compression function from a blockcipher with n-bit key and n-bit state, and claimed security of 12 of them. A formal security analysis of these functions in the ICM has been performed by Black et al. [9], and later by Duo and Li [19], Stam [59], and Black et al. [10]. In more detail, in the ICM these constructions achieve tight collision security up to about $2^{n/2}$ queries and preimage security up to about $2^n$ queries. Baecher et al. [4] recently showed that the 12 secure PGV functions can be divided into two classes, in such a way that if a primitive makes one function secure it makes the entire class secure. As a first application of our model, we consider the PGV compression functions in the WCM and derive collision and preimage bounds for general (A, B, C). A schematic summary of the results for various B and C is given in Table 1 (we remark that A is merely a technical parameter that has no influence on the results). We also show that the bounds are optimal, by providing matching attacks. Some of these attacks are similar to methods used in [7, 53, 56] to detect (near-)collisions in certain PGV modes of operation using known-key attacks.

Application to Permutation-Based Hash Functions. We also apply the WCM to permutation-based compression functions. This is particularly interesting for two reasons: (i) it allows us to understand the impact of distinguishers
on permutations that are used in hash functions, and (ii) a blockcipher with a fixed and known key is a permutation and can be used as such. In more detail, we consider the Grøstl compression function [1] and the permutation-based equivalent of the Shrimpton-Stam compression function [57] (see also Fig. 4). In the IPM, the former is proven to achieve collision security up to $2^{n/4}$ queries, where n is the state size, and preimage security up to $2^{n/2}$ [0]. Rogaway and Steinberger [51] showed via an automated analysis that the latter function is collision and preimage resistant up to $2^{n/2}$ queries (asymptotically). This has been confirmed in the generalized work of Mennink and Preneel [41]. A summary of our findings for the Grøstl and Shrimpton-Stam compression functions in the WCM is given in Table 1. All results are tight, except for the case (B = 1, |C| > n/2) for Shrimpton-Stam, for which we leave proving tightness as an open problem. We remark that the analysis for these schemes is much more demanding as multiple primitives are involved.

Impact. An application of our formalization to the PGV functions and various permutation-based functions shows that these achieve a comparable level of security in the ideal and weak cipher model for a spectrum of choices for (A, B, C). This result particularly implies that most relevant rebound-based (including [1, , 8, 38, 5, 53, 56]) and boomerang-based (including [, 7, 31, 54, 61]) known-key attacks known to date do not invalidate the security of such functions, or only have a small effect. For instance, the above-discussed attack on Feistel_7 satisfies B = 2 and |C| = n/2 and it does not affect the security; similarly for Threefish_36, for which B = 4. The attack on AES_8 is covered for B = 2 and |C| = 10n/16,

which demonstrates a slight security degradation to $2^{6n/16}$ for the PGV functions, but this may in part be due to our over-generosity to the adversary. We remark that, even though we focused on collision and preimage resistance, the techniques can be generalized to other security notions, such as near-collisions. This may entail differences in the security results. We stress that these results do not mean that the analyzed functions are secure when the underlying permutations are instantiated with, say, Feistel_7 or Threefish_36: it only means that existing known-key attacks, or more general weaknesses such as relation (1), alone are not sufficient to invalidate the collision and preimage security of the construction. Indeed, more sophisticated attacks which are not yet covered by our application of the WCM may still invalidate the security of certain modes [6]. It remains a challenging open research problem to generalize the findings to underlying primitives that have multiple or different weaknesses.

1.2 Outline

In Sect. 2, we formally present the weak cipher model, and in Sect. 3 we show how it relates to known-key attacks. We apply the model to the PGV functions in Sect. 4, to the Grøstl compression function in Sect. 5, and to Shrimpton-Stam in Sect. 6. We conclude this work in Sect. 7.

2 Weak Cipher Model

If X is a set, by $x \xleftarrow{\$} X$ we denote the uniformly random sampling of an element from X. By $X \leftarrow x$, we denote $X \leftarrow X \cup \{x\}$. For a bit string x, its bits are numbered $x = x_{|x|} \cdots x_2 x_1$. If $C \subseteq \{1, \ldots, |x|\}$, the function $\mathrm{Bits}_C(x)$ outputs a string consisting of all bits of x whose index is in C. Abusing notation, $\mathrm{Bits}_{\bar{C}}(x)$ always denotes the remaining bits (technically, $\bar{C} = \{1, \ldots, |x|\} \setminus C$). For $0 \le r \le |x|$, we consider $\mathrm{Ri}_r(x)$ that outputs the r rightmost bits of x. In other words, $\mathrm{Ri}_r(x) = \mathrm{Bits}_{\{1, \ldots, r\}}(x)$. For a function f, by dom(f) and rng(f) we denote its domain and range, respectively.

2.1 Security Model

For κ ≥ 0 and n ≥ 1, by BC(κ, n) we denote the set of all blockciphers with κ-bit key operating on n bits. If κ = 0, BC(n) := BC(0, n)
denotes the set of all n-bit permutations. If Φ is a predicate, by BC[Φ](κ, n) we denote the subset of ciphers of BC(κ, n) that satisfy predicate Φ. For π ∈ BC[Φ](κ, n), the input-output tuples are denoted (k, x, z), where $\pi(k, x) = \pi_k(x) = z$ and $\pi^{-1}(k, z) = \pi_k^{-1}(z) = x$. The key is omitted in case κ = 0.

Let $F : \{0,1\}^s \to \{0,1\}^n$ be a compressing function instantiated with l ≥ 1 primitives from BC[Φ](κ, n), for some predicate Φ. Throughout, we consider security of F in an idealized model: we consider an adversary A that is a probabilistic algorithm with oracle access to a randomly sampled primitive $\pi = (\pi_1, \ldots, \pi_l) \xleftarrow{\$} \mathrm{BC}[\Phi](\kappa, n)^l$. A is information-theoretic and its complexity is only measured by the number of queries made to its oracles. The adversary can make forward and inverse queries to its oracles, and these queries are stored in a query history Q.

A collision-finding adversary A for F aims at finding two distinct inputs to F that compress to the same range value. In more detail, we say that A succeeds if it finds two distinct inputs X, X' such that F(X) = F(X') and Q contains all queries required for these evaluations of F. We define by

$$\mathbf{Adv}^{\mathrm{col}}_F(A) = \Pr\left(\pi \xleftarrow{\$} \mathrm{BC}[\Phi](\kappa, n)^l,\ (X, X') \leftarrow A^{\pi} : X \neq X' \wedge F(X) = F(X')\right)$$

the probability that A succeeds in this. By $\mathbf{Adv}^{\mathrm{col}}_F(q)$ we define the maximum collision advantage taken over all adversaries making q queries.

For preimage resistance, we focus on everywhere preimage resistance [50], which captures preimage security for every point of $\{0,1\}^n$. Let $Z \in \{0,1\}^n$ be any range value. Then, we say that A succeeds in finding a preimage if it obtains an input X such that F(X) = Z and Q contains all queries required for this evaluation of F. We define by

$$\mathbf{Adv}^{\mathrm{epre}}_F(A) = \max_{Z \in \{0,1\}^n} \Pr\left(\pi \xleftarrow{\$} \mathrm{BC}[\Phi](\kappa, n)^l,\ X \leftarrow A^{\pi}(Z) : F(X) = Z\right)$$

the probability that A succeeds, maximized over all possible choices for Z. By $\mathbf{Adv}^{\mathrm{epre}}_F(q)$ we define the maximum (everywhere) preimage advantage taken over all adversaries making q queries.

If Φ is a trivial relation, we have BC[Φ](κ, n) = BC(κ, n), and the above definitions boil down to security in the ideal cipher model (ICM) if κ > 0 or the ideal permutation model (IPM) if κ = 0. On the other hand, if Φ is a non-trivial predicate, it strictly reduces the set BC(κ, n). In this case, we will refer to the model as the weak cipher model (WCM), for both κ > 0 and κ = 0. Very informally, this model still involves random ciphers/permutations, with the difference that an adversary may exploit a certain additional property. The modeling of a randomly drawn weak cipher is much more delicate.

2.2 Random Weak Cipher

For a certain class of predicates, we discuss how to model a randomly drawn weak cipher π from BC[Φ](κ, n). Let A, B ∈ ℕ. We will consider predicates that imply, for every $k \in \{0,1\}^{\kappa}$, the existence of A sets of B distinct queries $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ that satisfy $\varphi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ for some condition $\varphi_k$ depending on the key k. The predicate is denoted Φ(A, B, ϕ). A is merely a technical parameter, and throughout we assume it is larger than q, the number of oracle calls an adversary can make. This definition of Φ(A, B, ϕ) is fairly general. In particular, predicate B-sets may overlap and the condition ϕ can represent any function on the inputs. We note that Φ can easily be generalized to tuples of different length and/or to multiple types of conditions at the same time. Traditionally, an
adversary has only forward $\pi_k(x)$ and inverse $\pi_k^{-1}(z)$ query access. In order for the adversary to be able to exploit the weakness present in π, we give it additional access to π via a predicate query $\pi_k^{\Phi}(y)$: on input of y ∈ {1, …, A}, the adversary obtains a B-set $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ that satisfies $\varphi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$. A formal description of how to model $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi)](\kappa, n)$ is given in Fig. 1. Here, for every $k \in \{0,1\}^{\kappa}$, $P_k$ is an initially empty list of $\pi_k$-evaluations, where a regular forward/inverse query adds one element (x, z) to $P_k$ and a $\pi_k^{\Phi}$-query may add up to B elements. Additionally, $P_k^{\Phi}$ is an initially empty list of queries to $\pi_k^{\Phi}$. We denote by $\Sigma_k(P_k, P_k^{\Phi}) \subseteq (\{0,1\}^n \times \{0,1\}^n)^B$ the set of all tuples $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ such that

(i) $x_1, \ldots, x_B$ are pairwise distinct and $z_1, \ldots, z_B$ are pairwise distinct;
(ii) for all $l \in \{1, \ldots, B\}$: $x_l \in \mathrm{dom}(P_k) \Rightarrow z_l = P_k(x_l)$ and $z_l \in \mathrm{rng}(P_k) \Rightarrow x_l = P_k^{-1}(z_l)$;
(iii) $\varphi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ holds;
(iv) $\{(x_{p(1)}, z_{p(1)}), \ldots, (x_{p(B)}, z_{p(B)})\} \notin \mathrm{rng}(P_k^{\Phi})$ for any permutation p on {1, …, B}.

For a new query $\pi_k^{\Phi}(y)$, the response is then randomly drawn from $\Sigma_k(P_k, P_k^{\Phi})$. Conditions (i)-(iii) are fairly self-evident; note in particular that an existing $(x, z) \in P_k$ may appear in multiple predicate queries. Condition (iv) assures that the drawing from $\Sigma_k(P_k, P_k^{\Phi})$ is not just an old predicate query or a reordering thereof. The usage of this set $\Sigma_k(P_k, P_k^{\Phi})$ allows for a uniform behavior of $\pi_k^{\Phi}$ for every k, and in general of $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi)](\kappa, n)$, modulo the known existence of condition ϕ. This step is fundamental to our model and new compared with the previous approaches of [13, 15, 35]. We remark that the model allows adversaries to make their queries at their own discretion, e.g., duplicate queries and regular queries after predicate queries are allowed.

procedure $\pi_k(x)$
  if $P_k(x) = \bot$:
    $z \xleftarrow{\$} \{0,1\}^n \setminus \mathrm{rng}(P_k)$
    $P_k \leftarrow (x, z)$
  end if
  return $P_k(x)$

procedure $\pi_k^{-1}(z)$
  if $P_k^{-1}(z) = \bot$:
    $x \xleftarrow{\$} \{0,1\}^n \setminus \mathrm{dom}(P_k)$
    $P_k \leftarrow (x, z)$
  end if
  return $P_k^{-1}(z)$

procedure $\pi_k^{\Phi}(y)$
  if $P_k^{\Phi}(y) = \bot$:
    $\{(x_1, z_1), \ldots, (x_B, z_B)\} \xleftarrow{\$} \Sigma_k(P_k, P_k^{\Phi})$
    for l = 1, …, B:
      if $(x_l, z_l) \notin P_k$: $P_k \leftarrow (x_l, z_l)$
    end for
    $P_k^{\Phi} \leftarrow (y, \{(x_1, z_1), \ldots, (x_B, z_B)\})$
  end if
  return $P_k^{\Phi}(y)$

Fig. 1. Random weak cipher π. An adversary has access to $\pi_k$, $\pi_k^{-1}$, and $\pi_k^{\Phi}$.

2.3 Random Abortable Weak Cipher

Security analyses in the WCM are significantly more complex than in the ICM or IPM, which is in part because predicate queries may consist of older queries. This will particularly be an issue once collisions among queries are investigated. To suit the analysis for this case, we transform the WCM to an abortable weak cipher model (AWCM), which we denote as $\overline{\mathrm{BC}}[\Phi(A, B, \varphi)](\kappa, n)$. At a high level, an abortable weak cipher responds to predicate queries with new query tuples only, and aborts once it turns out that an older query appears in a newer predicate query. For any $k \in \{0,1\}^{\kappa}$ and partial $P_k$ and $P_k^{\Phi}$, define by $\overline{\Sigma}_k(P_k^{\Phi}) \subseteq (\{0,1\}^n \times \{0,1\}^n)^B$ the set of all tuples $\{(x_1, z_1), \ldots, (x_B, z_B)\}$ such that

(iii) $\varphi_k(\{(x_1, z_1), \ldots, (x_B, z_B)\})$ holds;
(iv) $\{(x_{p(1)}, z_{p(1)}), \ldots, (x_{p(B)}, z_{p(B)})\} \notin \mathrm{rng}(P_k^{\Phi})$ for any permutation p on {1, …, B}.

$\overline{\Sigma}_k(P_k^{\Phi})$ differs from $\Sigma_k(P_k, P_k^{\Phi})$ in that conditions (i) and (ii) are omitted, and in particular: it is independent of $P_k$. A formal description of a random cipher $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \varphi)](\kappa, n)$ is given in Fig. 2. It deviates from Fig. 1 as follows: for every key k, $\bar{\pi}_k^{\Phi}$ responds randomly from $\overline{\Sigma}_k(P_k^{\Phi})$, and it aborts if the response violates one of the two skipped conditions of $\Sigma_k(P_k, P_k^{\Phi})$. The next lemma shows that the WCM and AWCM are indistinguishable as long as the abortable weak cipher does not abort, approximately up to the birthday bound. Here, we assume that $\overline{\Sigma}_k(P_k^{\Phi})$ is always large enough.

Lemma 1. Let $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \varphi_C)](\kappa, n)$. Consider an adversary that makes q queries to $\bar{\pi}$. Then,

$$\Pr(\bar{\pi} \text{ sets abort}) \le \frac{B^2 q(q+1)}{2^n - B!\, q\, 2^n / |\overline{\Sigma}_k(\emptyset)|}.$$

Proof. Consider the i-th query, for i ∈ {1, …,
q}, and assume it is a predicate query $\bar{\pi}_k^{\Phi}(y)$. We will consider the probability that this query makes $\bar{\pi}$ abort, provided it has not aborted so far. Prior to this i-th query, $|P_k| \le B(i-1)$ and $|P_k^{\Phi}| \le i$. Basic combinatorics shows that $|\overline{\Sigma}_k(P_k^{\Phi})| = |\overline{\Sigma}_k(\emptyset)| - B!\,|P_k^{\Phi}|$, where we use that $\bar{\pi}$ has not aborted so far. This i-th query aborts only if for some $l \in \{1, \ldots, B\}$, the value $x_l$ equals an element in $\mathrm{dom}(P_k) \cup \{x_1, \ldots, x_{l-1}\}$ or the value $z_l$ equals an element in $\mathrm{rng}(P_k) \cup \{z_1, \ldots, z_{l-1}\}$.

procedure $\bar{\pi}_k(x)$
  if $P_k(x) = \bot$:
    $z \xleftarrow{\$} \{0,1\}^n \setminus \mathrm{rng}(P_k)$
    $P_k \leftarrow (x, z)$
  end if
  return $P_k(x)$

procedure $\bar{\pi}_k^{-1}(z)$
  if $P_k^{-1}(z) = \bot$:
    $x \xleftarrow{\$} \{0,1\}^n \setminus \mathrm{dom}(P_k)$
    $P_k \leftarrow (x, z)$
  end if
  return $P_k^{-1}(z)$

procedure $\bar{\pi}_k^{\Phi}(y)$
  if $P_k^{\Phi}(y) = \bot$:
    $\{(x_1, z_1), \ldots, (x_B, z_B)\} \xleftarrow{\$} \overline{\Sigma}_k(P_k^{\Phi})$
    for l = 1, …, B:
      if $x_l \in \mathrm{dom}(P_k) \wedge z_l \neq P_k(x_l)$: abort
      if $z_l \in \mathrm{rng}(P_k) \wedge x_l \neq P_k^{-1}(z_l)$: abort
      if $(x_l, z_l) \in \{(x_1, z_1), \ldots, (x_{l-1}, z_{l-1})\}$: abort
      if $(x_l, z_l) \notin P_k$: $P_k \leftarrow (x_l, z_l)$
    end for
    $P_k^{\Phi} \leftarrow (y, \{(x_1, z_1), \ldots, (x_B, z_B)\})$
  end if
  return $P_k^{\Phi}(y)$

Fig. 2. Random abortable weak cipher $\bar{\pi}$. An adversary has access to $\bar{\pi}_k$, $\bar{\pi}_k^{-1}$, and $\bar{\pi}_k^{\Phi}$.

Define by $\overline{\Sigma}_k^{\mathrm{abort}}(P_k^{\Phi})$ the set of all elements of $\overline{\Sigma}_k(P_k^{\Phi})$ that would lead to abort. We have 2B possible values to cause the abort (namely, $x_1, \ldots, z_B$), and each causes the abort if it equals an element in a set of size at most $|P_k| + B$. For any of these $2B(|P_k| + B)$ choices, the number of tuples in $\overline{\Sigma}_k(P_k^{\Phi})$ complying with this choice is at most $|\overline{\Sigma}_k(\emptyset)|/2^n$. Thus,

$$\Pr(\bar{\pi}_k^{\Phi}(y) \text{ sets abort}) = \frac{|\overline{\Sigma}_k^{\mathrm{abort}}(P_k^{\Phi})|}{|\overline{\Sigma}_k(P_k^{\Phi})|} \le \frac{2B(|P_k| + B)\,|\overline{\Sigma}_k(\emptyset)|/2^n}{|\overline{\Sigma}_k(\emptyset)| - B!\,|P_k^{\Phi}|} \le \frac{2B^2 i}{2^n - B!\, q\, 2^n/|\overline{\Sigma}_k(\emptyset)|}.$$

The proof is completed by summation over i = 1, …, q. □

3 Modeling Known-Key Attacks

We next apply the WCM to known-key attacks. For the sake of explanation, we first reconsider the Knudsen-Rijmen attack on Feistel_7 [7]. (A detailed description of the attack is given in App. A.) Let n ∈ ℕ, and let $\pi := \pi_k$ be an instance of Feistel_7 with fixed key k. Knudsen and Rijmen revealed four functions $f, f', g, g' : \{0,1\}^{n/2} \to \{0,1\}^n$ such that for all $y \in \{0,1\}^{n/2}$:

$$g(y) = \pi(f(y)) \text{ and } g'(y) = \pi(f'(y)), \qquad \mathrm{Ri}_{n/2}(f(y) \oplus g(y)) = \mathrm{Ri}_{n/2}(f'(y) \oplus g'(y)). \qquad (2)$$

These four functions correspond to the equations of (9) in App. A and depend on the cryptographic primitive underlying Feistel_7 in a complicated way. Therefore, we can safely assume that these functions behave sufficiently randomly, besides this particular relation (2), and that they are unknown to the adversary. f, f', g, g' are all injective and satisfy f(y) ≠ f'(y) and g(y) ≠ g'(y) for all y. On the other hand, collisions of the form f(y) = f'(y') and g(y) = g'(y') may occur. Generically, the attack demonstrates that for key k there exist $2^{n/2}$
(possibly overlapping) sets of distinct queries $\{(x_1, z_1), (x_2, z_2)\}$ that satisfy $\mathrm{Ri}_{n/2}(x_1 \oplus z_1 \oplus x_2 \oplus z_2) = 0$. In other words, Feistel_7 meets predicate $\Phi(2^{n/2}, 2, \varphi_{\mathrm{Feistel}_7})$, where

$$\varphi_{\mathrm{Feistel}_7}(\{(x_1, z_1), (x_2, z_2)\}) : \mathrm{Ri}_{n/2}(x_1 \oplus z_1 \oplus x_2 \oplus z_2) = 0.$$

Here, we remark that the Knudsen-Rijmen attack works for any fixed but known key, and that condition $\varphi_{\mathrm{Feistel}_7}$ is in fact independent of the key. In this work, we will consider a

more general predicate $\Phi(A, B, \varphi_C)$ for A, B ∈ ℕ and $C \subseteq \{1, \ldots, n\}$, where

$$\varphi_C(\{(x_1, z_1), \ldots, (x_B, z_B)\}) : \mathrm{Bits}_C(x_1 \oplus z_1 \oplus \cdots \oplus x_B \oplus z_B) = 0. \qquad (3)$$

This generalized predicate considers the case of arbitrary but fixed and known keys, where the adversary can even choose the key every time it makes a predicate query. Note that the attacks on AES_8 and Threefish_36 (see Sect. 1) are also covered, as they satisfy $\Phi(2^{n/8}, 2, \varphi_C)$ for a certain C of size 10n/16 and $\Phi(2^{n/8}, 4, \varphi_{\{1, \ldots, n\}})$, respectively. In general, all rebound- or boomerang-based known-key attacks in the literature are covered by predicate $\Phi(A, B, \varphi_C)$ for some A, B, C. Here, B is always a value independent of n (usually 2 or 4) and C is regularly a large subset (of size at least n/4). Throughout, we consider A to be sufficiently large.

Basic Computations for AWCM. For the specific condition $\varphi_C$ of (3), we derive a simpler bound on the probability that a primitive $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \varphi_C)](\kappa, n)$ aborts, along with some other elementary observations for $\bar{\pi}$. To this end, we define the notation [X], which equals 1 if X holds and 0 otherwise. For conciseness, we introduce the function $\delta_{B,C}[b]$ defined as

$$\delta_{B,C}[b] = 2^{|C|}\,[B = b] + [B > b] = \begin{cases} 2^{|C|} & \text{if } B = b, \\ 1 & \text{if } B > b, \\ 0 & \text{otherwise.} \end{cases} \qquad (4)$$

Lemma 2. Let $\bar{\pi} \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \varphi_C)](\kappa, n)$. Consider an adversary that makes $q \le 2^{n-1}/B$ queries to $\bar{\pi}$. Then,

$$\Pr(\bar{\pi} \text{ sets abort}) \le \frac{B^2 q(q+1)}{2^n - Bq}. \qquad (5)$$

Let $k \in \{0,1\}^{\kappa}$ and let $Z, Z', Z'' \in \{0,1\}^n$. Consider any new query $\bar{\pi}_k^{\Phi}(y)$ and assume it does not abort. Write the response as $\{(x_1, z_1), \ldots, (x_B, z_B)\}$. Then,

(i) for all a ∈ {1, …, B}: $\Pr(x_a = Z),\ \Pr(z_a = Z) \le \dfrac{1}{2^n - Bq}$;
(ii) for all a ∈ {1, …, B}: $\Pr(x_a \oplus z_a = Z) \le \dfrac{\delta_{B,C}[1]}{2^n - Bq}$;
(iii) for all {a, b} ⊆ {1, …, B}: $\Pr(x_a \oplus z_a = Z \wedge x_b \oplus z_b = Z') \le \dfrac{\delta_{B,C}[2]}{2^{2n} - Bq}$;
(iv) for all {a, b} ⊆ {1, …, B}: $\Pr(x_a = Z \wedge x_b = Z' \wedge x_a \oplus z_a \oplus x_b \oplus z_b = Z'') \le \dfrac{\delta_{B,C}[2]}{2^{3n} - Bq}$.

Proof. Recall from the proof of Lem. 1 that $|\overline{\Sigma}_k(P_k^{\Phi})| = |\overline{\Sigma}_k(\emptyset)| - B!\,|P_k^{\Phi}|$, where $|P_k^{\Phi}| \le q$. For the specific predicate analyzed in this lemma, $|\overline{\Sigma}_k(\emptyset)| = (2^n)^{2B-1}\, 2^{n-|C|}$. In the remainder, we regularly bound $B! \le B(2^n)^{2B-2}$ for B ≥ 1 or $B! \le B(2^n)^{2B-4}$ for B ≥ 2.

Probability of abortion. The bound of (5) directly follows from Lem. 1, the above-mentioned size of $|\overline{\Sigma}_k(\emptyset)|$, and the bound on B!.

Part (i). Define by $\overline{\Sigma}_k^{(i)}(P_k^{\Phi})$ the set of all elements of $\overline{\Sigma}_k(P_k^{\Phi})$ that satisfy $x_a = Z$. Then, $|\overline{\Sigma}_k^{(i)}(P_k^{\Phi})| \le (2^n)^{2B-2}\, 2^{n-|C|}$, and

$$\Pr(x_a = Z) = \frac{|\overline{\Sigma}_k^{(i)}(P_k^{\Phi})|}{|\overline{\Sigma}_k(P_k^{\Phi})|} \le \frac{1}{2^n - Bq}.$$

10 A similar analysis applies to the case z a = Z ii) Part ii) Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa z a = Z We mae a distinction between B = 1 and B > 1 In case B > 1, a similar reasoning as ii) in i) applies, and we have Σ P Φ) n ) B n C On the other hand, if B = 1, we ii) have Σ P Φ) = 0 if Bits ii) CZ) 0 and Σ P Φ) n if Bits C Z) = 0 In any case, and Σ ii) P Φ ) n ) B n C δ B,C [1], Pr x a z a = Z) = Σ ii) P Φ ) Σ P Φ ) δ B,C[1] n Bq Part iii) This part only applies to B > 1; if B = 1 the probability equals 0 by construction iii) Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa z a = Z and x b z b = Z We mae a distinction between B = and B > In case B >, a similar reasoning as in iii) i) and ii) applies, and we have Σ P Φ) n ) B 3 n C On the other hand, if B =, iii) we have Σ P Φ) = 0 if Bits CZ Z iii) ) 0 and Σ P Φ) n ) if Bits C Z Z ) = 0 In any case, and Σ iii) P Φ ) n ) B 3 n C δ B,C [], Pr x a z a = Z x b z b = Z ) = Σ iii) P Φ ) Σ P Φ ) δ B,C[] n Bq Part iv) The approach is fairly similar to case iii) If B = 1 the probability is 0 by iv) construction Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa = Z, x b = Z, and x a z a x b z b = Z iv) In case B >, we have Σ P Φ) n ) B 4 n C iv) On the other hand, if B =, we have Σ P Φ) = 0 if Bits CZ iv) ) 0 and Σ P Φ ) n if Bits C Z ) = 0 In any case, and Σ iv) P Φ ) n ) B 4 n C δ B,C [], Pr x a = Z x b = Z x a z a x b z b = Z ) = Σ iv) P Φ ) Σ P Φ ) δ B,C[] 3n Bq 4 Application to PGV Compression Functions We consider the 1 bloccipher-based compression functions from Preneel, Govaerts, and Vandewalle PGV) [48] In the ICM these constructions achieve tight collision security up to about n/ queries and preimage security up to about n queries [9, 10, 19, 59] The 1 constructions are depicted in Fig 3 Here, we follow the ordering of [10], where PGV1, PGV, and PGV5 are better nown as the Matyas-Meyer-Oseas [36], Miyaguchi-Preneel, and Davies-Meyer [45] 
compression functions. Baecher et al. [4] analyzed the 12 PGV constructions under ideal cipher reducibility, which at a high level captures the idea of two constructions being equally secure for the same underlying idealized blockcipher. They divide the PGV functions into two classes, in such a way that if some blockcipher makes one of the constructions secure, it makes all functions in the corresponding class secure. Applied to our WCM, the results of Baecher et al. imply the following:

Fig. 3. The 12 PGV compression functions, arranged in the groups $G_1$ and $G_2$. When in iteration mode, the message comes in at the top. The groups $G_1$ and $G_2$ refer to Lem. 3.

Lemma 3 (Ideal Cipher Reducibility of PGV [4], informal). Let $\pi \xleftarrow{\$} \mathrm{BC}[\Phi](n,n)$ for some predicate $\Phi$. Let $G_1 = \{1, 4, 5, 8, 9, 12\}$ and $G_2 = \{2, 3, 6, 7, 10, 11\}$. For any $\alpha \in \{1, 2\}$ and $i, j \in G_\alpha$, PGV$i$ and PGV$j$ achieve the same level of collision and preimage security once instantiated with $\pi$.

Baecher et al. also derive a reduction between the two classes, but this reduction requires a non-direct transformation on the ideal cipher $\pi$,¹ making it unsuitable for our purposes. Thanks to Lem. 3, it suffices to only analyze PGV1 and PGV2 in the WCM: the bounds carry over to the other 10 PGV constructions. In Sect. 4.1 we analyze the collision security of these functions in the WCM. The preimage security is considered in Sect. 4.2.

4.1 Collision Security

Theorem 1. Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$. Then, for $q \le 2^{n-1}/B$,
$$\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{B^2\,\delta_{B,C}[1]\,q^2}{2^n} + \binom{B}{2}\frac{\delta_{B,C}[2]\,q}{2^{n-2}} + \frac{4B^2 q^2}{2^n}.$$

Proof. We focus on PGV2. The analysis for PGV1 is a simplification due to the absence of the feed-forward of the key. We consider any adversary that has query access to $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$ and makes $q$ queries. As a first step, we move from $\pi$ to its abortable counterpart $\pi \xleftarrow{\$} \overline{\mathrm{BC}}[\Phi(A, B, \varphi_C)](n, n)$ (the AWCM). By Lem. 2, this costs us an additional term $\frac{B^2 q(q+1)}{2^n - Bq}$. A collision for PGV2 would imply the existence of two distinct query pairs $(k, x, z)$, $(k', x', z')$ such that $k \oplus x \oplus z = k' \oplus x' \oplus z'$. We consider the $i$-th query ($i \in \{1, \ldots, q\}$) to be the first query to make this condition satisfied, and sum over $i = 1, \ldots, q$ at the end. For regular (forward or inverse) queries, the analysis of [9, 10, 59] mostly carries over. The analysis of predicate queries is a bit more technical.

¹ If $\pi$ makes the PGV constructions from group $G_1$ secure, there is a transformation $\tau$ such that $\tau \circ \pi$ makes the constructions from $G_2$ secure, and vice versa.

Query $\pi_k(x)$ or $\pi_k^{-1}(z)$. The cases are the same by symmetry, and we consider $\pi_k(x)$ only. Denote the response by $z$. There are at most $B(i-1)$ possible $(k', x', z')$. As $z$ is randomly drawn from a set of size at least $2^n - Bq$, it satisfies $z = k \oplus x \oplus k' \oplus x' \oplus z'$ with probability at most $\frac{B(i-1)}{2^n - Bq}$.

Query $\pi_\Phi(y)$. Denote the query response by $\{(k, x_1, z_1), \ldots, (k, x_B, z_B)\}$. In case the $B$-set contributes only to $(k, x, z)$, the same reasoning as for regular queries applies, with the difference that any query of the $B$-set may be successful and that the bound of Lem. 2 part (ii) applies: $\frac{B^2\,\delta_{B,C}[1]\,(i-1)}{2^n - Bq}$. Now, consider the case where the predicate query contributes to both $(k, x, z)$ and $(k', x', z')$. There are $\binom{B}{2}$ ways for the predicate query to contribute (or 0 if $B = 1$). By Lem. 2 part (iii), which considers the success probability for any such combination, the predicate query results in a collision with probability at most $\binom{B}{2}\frac{\delta_{B,C}[2]\,2^n}{(2^n - Bq)^2}$.

Conclusion. Taking the maximum of all success probabilities, the $i$-th query is successful with probability at most
$$\frac{B^2\,\delta_{B,C}[1]\,(i-1)}{2^n - Bq} + \binom{B}{2}\frac{\delta_{B,C}[2]\,2^n}{(2^n - Bq)^2}.$$
Summation over $i = 1, \ldots, q$ gives
$$\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV2}}(q) \le \frac{B^2\,\delta_{B,C}[1]\,q^2}{2(2^n - Bq)} + \binom{B}{2}\frac{\delta_{B,C}[2]\,q\,2^n}{(2^n - Bq)^2} + \frac{B^2 q(q+1)}{2^n - Bq},$$
where the last part of the bound comes from the transition from WCM to AWCM. The proof is completed by using the fact that $2^n - Bq \ge 2^{n-1}$ for $Bq \le 2^{n-1}$, and that $q + 1 \le 2q$ for $q \ge 1$.

We note that the bound gets worse for increasing values of $B$. This has a technical cause: predicate queries are counted as equally expensive as regular queries, but result in up to $B$ new query tuples. This leads to several factors of $B$ in the bound. As this work is mainly concerned with differential known-key attacks, for which $B$ is regularly small, these factors are of no major influence. The implications of the bound of Thm. 1 become more visible when considering particular choices of $B$ and $C$:
(i) If $B = 1$, then $\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{2^{|C|} q^2}{2^n} + \frac{4q^2}{2^n}$;
(ii) If $B = 2$, then $\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{20 q^2}{2^n} + \frac{4 \cdot 2^{|C|} q}{2^n}$;
(iii) If $B \ge 3$ (independent of $n$), then $\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \le \frac{5B^2 q^2}{2^n} + \frac{2B^2 q}{2^n}$.
In other words, for $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge$
3 constant and $C$ arbitrary, the PGV functions achieve the same $2^{n/2}$ collision security level as in the ICM. On the other hand, if $B = 1$, collisions can be found in about $2^{(n-|C|)/2}$ queries, and if $B = 2$ with $|C| > n/2$, in about $2^{n-|C|} < 2^{n/2}$ queries. See also Table 1.

Tightness. For the cases $B = 1$ and $C$ arbitrary, and $B = 2$ and $C$ arbitrary such that $|C| > n/2$, we derive generic attacks that demonstrate tightness of the bound of Thm. 1. Knudsen and Rijmen [27] and Sasaki et al. [53, 56] already considered how to exploit a known-key pair for the underlying blockcipher to find a collision for the Matyas-Meyer-Oseas (PGV1) and/or Miyaguchi-Preneel (PGV2) compression functions. Their attacks correspond to our $B = 2$ case.

Proposition 1 ($B = 1$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 1, \varphi_C)](n, n)$. Then, $\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \approx \binom{q}{2}\big/2^{n-|C|}$.

Proof. We construct a collision-finding adversary $\mathcal{A}$ for PGV2. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ queries $(k, x_y, z_y)$ satisfying $\mathrm{Bits}_C(x_y \oplus z_y) = 0$. Any two such queries collide on the entire state, $k \oplus x_y \oplus z_y = k \oplus x_{y'} \oplus z_{y'}$, with probability at least $1/2^{n-|C|}$. The attack for PGV1 is the same, as we have taken $k = 0$.

Proposition 2 ($B = 2$ and $|C| > n/2$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 2, \varphi_C)](n, n)$. Then, $\mathbf{Adv}^{\mathrm{col}}_{\mathrm{PGV}\alpha}(q) \approx q/2^{n-|C|}$.

Proof. We construct a collision-finding adversary $\mathcal{A}$ for PGV2. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ 2-sets $\{(k, x^1_y, z^1_y), (k, x^2_y, z^2_y)\}$ satisfying $\mathrm{Bits}_C(x^1_y \oplus z^1_y) = \mathrm{Bits}_C(x^2_y \oplus z^2_y)$. These two queries collide on the entire state, $x^1_y \oplus z^1_y = x^2_y \oplus z^2_y$, with probability at least $1/2^{n-|C|}$. If the adversary makes $q$ predicate queries, we directly obtain our bound. The attack for PGV1 is the same, as we have taken $k = 0$.

4.2 Preimage Security

Theorem 2. Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$. Then, for $q \le 2^{n-2}/B$,
$$\mathbf{Adv}^{\mathrm{epre}}_{\mathrm{PGV}\alpha}(q) \le \left(\frac{Bq}{2^n}\right)^{B} + \frac{B^2\,\delta_{B,C}[1]\,q}{2^n}.$$

Due to space limitations, the proof is given in App. B. It is much more involved than the one of Thm. 1, particularly as we cannot make use of abortable ciphers. Entering various choices of $B$ and $C$ shows that the PGV functions remain mostly unaffected in the WCM if $B \ge 2$, and the same security level as in the ICM is achieved [9, 10, 59]. A slight security degradation appears for $B = 1$, as preimages can be found in about $2^{n-|C|}$ queries.

Tightness. For the case $B = 1$, we derive a generic attack that demonstrates the tightness of the bound of Thm. 2.

Proposition 3 ($B = 1$). Let $n \in \mathbb{N}$. Let $\alpha \in \{1, 2\}$ and consider PGV$\alpha$. Suppose $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, 1, \varphi_C)](n, n)$. Then, $\mathbf{Adv}^{\mathrm{epre}}_{\mathrm{PGV}\alpha}(q) \approx q/2^{n-|C|}$.

Proof. Let $Z$ be any given range value with $\mathrm{Bits}_C(Z) = 0$ (note that epre guarantees security for every range point). A preimage-finding adversary $\mathcal{A}$ for PGV2 proceeds as follows. It fixes key $k = 0$, and makes predicate queries to $\pi_\Phi$ on input of distinct values $y$ to obtain $q$ queries $(k, x_y, z_y)$ satisfying $\mathrm{Bits}_C(x_y \oplus z_y) = 0$. Any such query hits $Z$ on the entire state, $k \oplus x_y \oplus z_y = Z$, with probability at least $1/2^{n-|C|}$. The attack for PGV1 is the same, as we have taken $k = 0$.

5 Application to Grøstl Compression Function

We consider the provable security of the compression function mode of operation of Grøstl [21] (see also
Fig. 4):
$$F_{\text{Grøstl}}(x_1, x_2) = x_2 \oplus \pi_1(x_1) \oplus \pi_2(x_1 \oplus x_2). \tag{6}$$
The Grøstl compression function is in fact designed to operate in a wide-pipe mode, and in the IPM the function is proven collision secure up to about $2^{n/4}$ queries and preimage secure up to $2^{n/2}$ queries [20]. We consider the security of $F_{\text{Grøstl}}$ in the WCM, where $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. We remark that in this section we consider keyless primitives, hence $\kappa = 0$ and the $k$-input is dropped throughout. We furthermore note that finding collisions and preimages for $F_{\text{Grøstl}}$ is equivalent to finding them for
$$F'_{\text{Grøstl}}(x_1, x_2) = x_1 \oplus x_2 \oplus \pi_1(x_1) \oplus \pi_2(x_2), \tag{7}$$
as $F_{\text{Grøstl}}(x_1, x_2) = F'_{\text{Grøstl}}(x_1, x_1 \oplus x_2)$, and we will consider $F'_{\text{Grøstl}}$ throughout.

Fig. 4. Grøstl compression function (left) and Shrimpton-Stam (right).

5.1 Collision Security

Theorem 3. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. Then, for $q \le 2^{n-1}/B$,
$$\mathbf{Adv}^{\mathrm{col}}_{F_{\text{Grøstl}}}(q) \le \frac{B^4\,\delta_{B,C}[1]\,q^4}{2^n} + \frac{\binom{B}{2}\delta_{B,C}[2]\,\big(q^2 + 2^{n/2-|C|}q\big)}{2^n} + \frac{B^2 q^2}{2^{n/2}} + \frac{4B^2 q^2}{2^n}.$$

The proof is given in App. C. If we enter particular choices of $B$ and $C$ into the bound, we find results comparable to the case of Sect. 4.1. In more detail, for $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge 3$ constant and $C$ arbitrary, $F_{\text{Grøstl}}$ achieves the same $2^{n/4}$ collision security level as in the ICM [20]. If $B = 1$, the bound guarantees security up to about $2^{(n-|C|)/4}$, and if $B = 2$ with $|C| > n/2$, collisions can be found in about $2^{(n-|C|)/2}$ queries. See also Table 1. In App. D we show that the bound is optimal, by presenting tight attacks on $F_{\text{Grøstl}}$ in the WCM.

5.2 Preimage Security

Theorem 4. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^2$. Then, for $q \le 2^{n-1}/B$,
$$\mathbf{Adv}^{\mathrm{epre}}_{F_{\text{Grøstl}}}(q) \le \frac{B^2\,\delta_{B,C}[1]\,\big(q^2 + 2^{n/2-|C|}q\big)}{2^n} + \frac{Bq}{2^{n/2}} + \frac{4B^2 q^2}{2^n}.$$

The proof is given in App. E. As before, we find that $F_{\text{Grøstl}}$ remains unaffected in the WCM for most cases, the sole exception being $B = 1$, for which preimages can be found in about $2^{(n-|C|)/2}$ queries. In App. F we show that the bound is optimal, by presenting a tight attack on $F_{\text{Grøstl}}$ for $B = 1$ in the WCM.

6 Application to Shrimpton-Stam Compression Function

In this section, we consider the provable security of the Shrimpton-Stam compression function $F_{\mathrm{SS}}$ [57] (see also Fig. 4):
$$F_{\mathrm{SS}}(x_1, x_2) = x_1 \oplus \pi_1(x_1) \oplus \pi_3\big(x_1 \oplus \pi_1(x_1) \oplus x_2 \oplus \pi_2(x_2)\big). \tag{8}$$
This function is proven asymptotically optimally collision and preimage secure up to $2^{n/2}$ queries in the IPM [41, 51, 57]. We consider the security of $F_{\mathrm{SS}}$ in the WCM, where $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. (As in Sect. 5 we consider keyless functions, hence $\kappa = 0$ and the key inputs are dropped throughout.) Our findings readily apply to the generalization of $F_{\mathrm{SS}}$ of [41]. The analysis of this construction is significantly more complex than the ones of Sect. 4 and Sect. 5.
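As an added example (not code from the paper, nor from the Grøstl or Shrimpton-Stam designers), the following Python script instantiates the three PGV modes named in Sect. 4, the Grøstl compression function (6) together with its equivalent form (7), and the Shrimpton-Stam compression function (8) over a constructed toy 64-bit Feistel blockcipher. The toy cipher, the fixed-key permutations standing in for $\pi_1, \pi_2, \pi_3$, and all helper names are assumptions for illustration only. It also implements the projection $\mathrm{Bits}_C$ and the predicate $\varphi_C$ (the XOR of the $x \oplus z$ values of a $B$-set is zero at the positions in $C$), so that the condition the WCM quantifies over can be evaluated on concrete tuples.

```python
"""Added example: PGV1/PGV2/PGV5, Groestl F and F', and Shrimpton-Stam over a
constructed toy blockcipher. Not the paper's code; all names are illustrative."""
import hashlib
import secrets

N_BITS = 64                      # toy block size n (constructed; far too small for real use)
MASK = (1 << N_BITS) - 1
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1


def _round_function(key: int, rnd: int, half: int) -> int:
    """Constructed Feistel round function: truncated SHA-256 of (key, round, half-block)."""
    data = (key & MASK).to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def toy_encrypt(key: int, x: int, rounds: int = 8) -> int:
    """Keyed permutation E_k(x) on N_BITS bits: a balanced Feistel network (assumed toy cipher)."""
    left, right = x >> HALF, x & HALF_MASK
    for rnd in range(rounds):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (right << HALF) | left       # final swap undone, as in a standard Feistel


def toy_decrypt(key: int, z: int, rounds: int = 8) -> int:
    """Inverse permutation E_k^{-1}(z): run the rounds backwards."""
    right, left = z >> HALF, z & HALF_MASK
    for rnd in reversed(range(rounds)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << HALF) | right


# The three PGV modes named in Sect. 4 (key k = chaining value h, plaintext x = message block m).
def pgv1_mmo(h: int, m: int) -> int:
    """PGV1, Matyas-Meyer-Oseas: E_h(m) xor m."""
    return toy_encrypt(h, m) ^ m


def pgv2_mp(h: int, m: int) -> int:
    """PGV2, Miyaguchi-Preneel: E_h(m) xor m xor h, i.e. PGV1 plus the key feed-forward."""
    return toy_encrypt(h, m) ^ m ^ h


def pgv5_dm(h: int, m: int) -> int:
    """PGV5, Davies-Meyer: E_m(h) xor h (the message block is the key)."""
    return toy_encrypt(m, h) ^ h


def iterate(compress, iv: int, blocks) -> int:
    """Plain chaining of a compression function over message blocks."""
    h = iv
    for m in blocks:
        h = compress(h, m)
    return h


# Fixed-key instances of the toy cipher play the keyless permutations pi_1, pi_2, pi_3
# (kappa = 0 as in Sect. 5 and 6); the keys 1, 2, 3 are arbitrary constructed constants.
PI = {i: (lambda x, i=i: toy_encrypt(i, x)) for i in (1, 2, 3)}


def groestl_f(x1: int, x2: int) -> int:
    """Eq. (6): F(x1, x2) = x2 xor pi_1(x1) xor pi_2(x1 xor x2)."""
    return x2 ^ PI[1](x1) ^ PI[2](x1 ^ x2)


def groestl_f_prime(x1: int, x2: int) -> int:
    """Eq. (7): F'(x1, x2) = x1 xor x2 xor pi_1(x1) xor pi_2(x2)."""
    return x1 ^ x2 ^ PI[1](x1) ^ PI[2](x2)


def shrimpton_stam(x1: int, x2: int) -> int:
    """Eq. (8): x1 xor pi_1(x1) xor pi_3(x1 xor pi_1(x1) xor x2 xor pi_2(x2))."""
    t = x1 ^ PI[1](x1)
    return t ^ PI[3](t ^ x2 ^ PI[2](x2))


def bits_c(value: int, c_positions) -> int:
    """Bits_C(value): the projection of value onto the bit positions in C."""
    mask = 0
    for pos in c_positions:
        mask |= 1 << pos
    return value & mask


def phi_c_holds(b_set, c_positions) -> bool:
    """Predicate phi_C for one B-set of tuples (k, x, z): the XOR of all x xor z
    values is zero at every position in C."""
    acc = 0
    for _k, x, z in b_set:
        acc ^= x ^ z
    return bits_c(acc, c_positions) == 0


def sanity_checks(trials: int = 64) -> bool:
    """Checks the algebraic facts used in the text on random inputs:
    E_k is invertible, PGV2 = PGV1 xor h, and F(x1, x2) = F'(x1, x1 xor x2)."""
    for _ in range(trials):
        k, x = secrets.randbits(N_BITS), secrets.randbits(N_BITS)
        x1, x2 = secrets.randbits(N_BITS), secrets.randbits(N_BITS)
        if toy_decrypt(k, toy_encrypt(k, x)) != x:
            return False
        if pgv2_mp(k, x) != pgv1_mmo(k, x) ^ k:
            return False
        if groestl_f(x1, x2) != groestl_f_prime(x1, x1 ^ x2):
            return False
    return True


if __name__ == "__main__":
    print("sanity checks:", sanity_checks())
    print("PGV5 chaining:", hex(iterate(pgv5_dm, 0, [1, 2, 3])))
```

The checks in `sanity_checks` are exactly the identities the text relies on: the feed-forward of the key is the only difference between PGV1 and PGV2, and (6) and (7) are the same function up to the input substitution $x_2 \mapsto x_1 \oplus x_2$, which is why collisions and preimages transfer between them. `phi_c_holds` is the $B$-set condition of the WCM; with a real cipher nothing on the page forces such sets to exist, and the example only evaluates the predicate on given tuples.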

6.1 Collision Security

Theorem 5. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. Then,
(i) If $B = 1$ and $C$ arbitrary, $\mathbf{Adv}^{\mathrm{col}}_{F_{\mathrm{SS}}}(2^{(n-|C|)/2 - n\varepsilon}) \to 0$ for $n \to \infty$;
(ii) If $B = 2$ and $C$ with $|C| \le n/2$, $\mathbf{Adv}^{\mathrm{col}}_{F_{\mathrm{SS}}}(2^{n/2 - n\varepsilon}) \to 0$ for $n \to \infty$;
(iii) If $B = 2$ and $C$ with $|C| > n/2$, $\mathbf{Adv}^{\mathrm{col}}_{F_{\mathrm{SS}}}(2^{n-|C| - n\varepsilon}) \to 0$ for $n \to \infty$;
(iv) If $B \ge 3$ (independent of $n$) and $C$ arbitrary, $\mathbf{Adv}^{\mathrm{col}}_{F_{\mathrm{SS}}}(2^{n/2 - n\varepsilon}) \to 0$ for $n \to \infty$.

Due to the technicality of the proof, the results are expressed in asymptotic terms. The proof is given in App. G. For $B = 2$ and $C$ with $|C| \le n/2$, or for $B \ge 3$ constant and $C$ arbitrary, $F_{\mathrm{SS}}$ achieves the same security level as in the IPM. On the other hand, if $B = 1$, or if $B = 2$ but $|C| > n/2$, Thm. 5 results in a worse bound. See also Table 1. In App. H we show that the bound is optimal, by presenting tight attacks on $F_{\mathrm{SS}}$ in the WCM.

6.2 Preimage Security

Theorem 6. Let $n \in \mathbb{N}$. Suppose $(\pi_1, \pi_2, \pi_3) \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n)^3$. Then,
(i) If $B = 1$ and $C$ with $|C| \le n/2$, $\mathbf{Adv}^{\mathrm{epre}}_{F_{\mathrm{SS}}}(2^{n/2 - n\varepsilon}) \to 0$ for $n \to \infty$;
(ii) If $B = 1$ and $C$ with $|C| > n/2$, $\mathbf{Adv}^{\mathrm{epre}}_{F_{\mathrm{SS}}}(2^{n-|C| - n\varepsilon}) \to 0$ for $n \to \infty$;
(iii) If $B \ge 2$ (independent of $n$) and $C$ arbitrary, $\mathbf{Adv}^{\mathrm{epre}}_{F_{\mathrm{SS}}}(2^{n/2 - n\varepsilon}) \to 0$ for $n \to \infty$.

As for collision resistance, the results are expressed in asymptotic terms. The proof is given in App. I. The bounds match the ones in the IPM, except for the case of $B = 1$ and $|C| > n/2$. We leave it as an open problem to prove tightness of Thm. 6 part (ii).

7 Conclusions

Since their formal introduction by Knudsen and Rijmen at ASIACRYPT 2007 [27], numerous known-key attacks on blockciphers have appeared in the literature. These attacks are often considered delicate, as it is not always clear to what extent they influence the security of cryptographic functions based on these known-key blockciphers. We presented the weak cipher model in order to investigate this impact. For a specific instance of this model, considering the existence of $A$ sets of $B$ queries that satisfy condition $\varphi_C$ of (3), we proved that the PGV compression functions [48], the Grøstl compression function [21], and the Shrimpton-Stam compression function [57] remain mostly unaffected by the generalized weakness. Additionally, preimage
security of the functions turned out to be significantly less susceptible to these types of weaknesses than collision security. The results can be readily generalized to other primitive-based functions, such as the double block length compression functions Tandem-DM, Abreast-DM, and Hirose's compression functions [23, 30], and to the permutation-based sponge mode [5]. Our model is general enough to cover practically all differential known-key attacks in the literature, such as the latest results based on the rebound attack [12, 22, 28, 38, 52, 53, 56] and on the boomerang attack [2, 7, 31, 54, 61]. To our knowledge, our work provides the first attempt to formally analyze the effect of a wide class of cryptanalytic attacks from a modular and provable security point of view. It is a step in the direction of security beyond the ideal model, connecting practical attacks from cryptanalysis with ideal model provable security. There is still a long way to go: in order to make the connection between the two fields, we abstracted known-key attacks to a certain degree. It remains a highly challenging open research problem to generalize our findings to multiple or different weaknesses, and to different permutation-based cryptographic functions. These generalizations include the analysis of known-key based constructions for more advanced conditions $\varphi$ (such as arbitrary polynomials).

Acknowledgments. This work was supported in part by the European Union's Horizon 2020 research and innovation programme under grant agreement No. HECTOR and grant agreement No. H2020-MSCA-ITN ECRYPT-NET, and in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007). Bart Mennink is a Postdoctoral Fellow of the Research Foundation Flanders (FWO). The authors would like to thank the anonymous reviewers for their valuable help and feedback.

References

1. Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Fast Software Encryption 2013. LNCS, vol. 8424. Springer, Heidelberg (2013)
2. Aumasson, J., Çalık, Ç., Meier, W., Özen, O., Phan, R., Varıcı, K.: Improved cryptanalysis of Skein. In: Advances in Cryptology - ASIACRYPT 2009. LNCS, vol. 5912. Springer, Heidelberg (2009)
3. Aumasson, J., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi (2009)
4. Baecher, P., Farshim, P., Fischlin, M., Stam, M.: Ideal-cipher (ir)reducibility for blockcipher-based hash functions. In: Advances in Cryptology - EUROCRYPT 2013. LNCS, vol. 7881. Springer, Heidelberg (2013)
5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. ECRYPT Hash Function Workshop (2007)
6. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Advances in Cryptology - CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)
7. Biryukov, A., Nikolić, I., Roy, A.: Boomerang attacks on BLAKE-32. In: Fast Software Encryption 2011. LNCS, vol. 6733. Springer, Heidelberg (2011)
8. Black, J., Cochran, M., Shrimpton, T.: On the impossibility of highly-efficient blockcipher-based hash functions. In: Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494. Springer, Heidelberg (2005)
9. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Advances in Cryptology - CRYPTO 2002. LNCS, vol. 2442. Springer, Heidelberg (2002)
10. Black, J., Rogaway, P., Shrimpton, T., Stam, M.: An analysis
of the blockcipher-based hash functions from PGV. Journal of Cryptology 23(4) (2010)
11. Blondeau, C., Peyrin, T., Wang, L.: Known-key distinguisher on full PRESENT. In: Advances in Cryptology - CRYPTO 2015, Part I. LNCS, vol. 9215. Springer, Heidelberg (2015)
12. Bouillaguet, C., Dunkelman, O., Leurent, G., Fouque, P.: Attacks on hash functions based on generalized Feistel: Application to reduced-round Lesamnta and SHAvite-3₅₁₂. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544. Springer, Heidelberg (2010)
13. Bouillaguet, C., Fouque, P., Leurent, G.: Security analysis of SIMD. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544. Springer, Heidelberg (2011)
14. Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In: Selected Areas in Cryptography 2010. LNCS, vol. 6544, pp. 1–17. Springer, Heidelberg (2010)
15. Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.F., Naya-Plasencia, M., Paillier, P., Pornin, T., Reinhard, J., Thuillet, C., Videau, M.: Indifferentiability with distinguishers: Why Shabal does not require ideal ciphers. Cryptology ePrint Archive, Report 2009/ (2009)
16. Coron, J., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Advances in Cryptology - CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)
17. Dong, L., Wu, W., Wu, S., Zou, J.: Known-key distinguisher on round-reduced 3D block cipher. In: Information Security Applications - WISA 2011. LNCS, vol. 7115. Springer, Heidelberg (2012)
18. Duan, M., Lai, X.: Improved zero-sum distinguisher for full round Keccak-f permutation. Chinese Science Bulletin 57(6) (2012)

19. Duo, L., Li, C.: Improved collision and preimage resistance bounds on PGV schemes. Cryptology ePrint Archive, Report 2006/462 (2006)
20. Fouque, P., Stern, J., Zimmer, S.: Cryptanalysis of tweaked versions of SMASH and reparation. In: Selected Areas in Cryptography 2008. LNCS, vol. 5381. Springer, Heidelberg (2009)
21. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.: Grøstl – a SHA-3 candidate (2011), submission to NIST's SHA-3 competition
22. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: Improved attacks for AES-like permutations. In: Fast Software Encryption 2010. LNCS, vol. 6147. Springer, Heidelberg (2010)
23. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Fast Software Encryption 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)
24. Holenstein, T., Künzler, R., Tessaro, S.: The equivalence of the random oracle model and the ideal cipher model, revisited. In: Proc. ACM Symposium on Theory of Computing 2011. ACM, New York (2011)
25. Jetchev, D., Özen, O., Stam, M.: Collisions are not incidental: A compression function exploiting discrete geometry. In: Theory of Cryptography Conference 2012. LNCS, vol. 7194. Springer, Heidelberg (2012)
26. Katz, J., Lucks, S., Thiruvengadam, A.: Hash functions from defective ideal ciphers. In: CT-RSA 2015. LNCS, vol. 9048. Springer, Heidelberg (2015)
27. Knudsen, L., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Advances in Cryptology - ASIACRYPT 2007. LNCS, vol. 4833. Springer, Heidelberg (2007)
28. Koyama, T., Sasaki, Y., Kunihiro, N.: Multi-differential cryptanalysis on reduced DM-PRESENT-80: collisions and other differential properties. In: Information Security and Cryptology - ICISC 2012. Lecture Notes in Computer Science, vol. 7839. Springer, Heidelberg (2013)
29. Kuwakado, H., Hirose, S.: Hashing mode using a lightweight blockcipher. In: IMA International Conference 2013. LNCS, vol. 8308. Springer, Heidelberg (2013)
30. Lai, X., Massey, J.: Hash function based on block ciphers. In: Advances in
Cryptology - EUROCRYPT '92. LNCS, vol. 658. Springer, Heidelberg (1992)
31. Lamberger, M., Mendel, F.: Higher-order differential attack on reduced SHA-256. Cryptology ePrint Archive, Report 2011/ (2011)
32. Lampe, R., Seurin, Y.: Security analysis of key-alternating Feistel ciphers. In: Fast Software Encryption 2014. LNCS, vol. 8540. Springer, Heidelberg (2015)
33. Lauridsen, M.M., Rechberger, C.: Linear distinguishers in the key-less setting: Application to PRESENT. In: Fast Software Encryption 2015. LNCS, vol. 9054. Springer, Heidelberg (2015)
34. Leurent, G., Roy, A.: Boomerang attacks on hash function using auxiliary differentials. In: CT-RSA 2012. LNCS, vol. 7178. Springer, Heidelberg (2012)
35. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Selected Areas in Cryptography 2006. LNCS, vol. 4356. Springer, Heidelberg (2007)
36. Matyas, S., Meyer, C., Oseas, J.: Generating strong one-way functions with cryptographic algorithm. IBM Techn. Disclosure Bull. 27(10A) (1985)
37. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Theory of Cryptography Conference 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
38. Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Selected Areas in Cryptography 2009. LNCS, vol. 5867. Springer, Heidelberg (2009)
39. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: Cryptanalysis of reduced Whirlpool and Grøstl. In: Fast Software Encryption 2009. LNCS, vol. 5665. Springer, Heidelberg (2009)
40. Mennink, B.: Optimal collision security in double block length hashing with single length key. In: Advances in Cryptology - ASIACRYPT 2012. LNCS, vol. 7658. Springer, Heidelberg (2012)
41. Mennink, B., Preneel, B.: Hash functions based on three permutations: A generic security analysis. In: Advances in Cryptology - CRYPTO 2012. LNCS, vol. 7417. Springer,
Heidelberg (2012)

42. Mennink, B., Preneel, B.: Efficient parallelizable hashing using small non-compressing primitives. International Journal of Information Security (2015), to appear
43. Meyer, C., Schilling, M.: Secure program load with manipulation detection code. In: Proc. Securicom
44. Minier, M., Phan, R., Pousse, B.: Distinguishers for ciphers and known key attack against Rijndael with large blocks. In: Progress in Cryptology - AFRICACRYPT 2009. LNCS, vol. 5580. Springer, Heidelberg (2009)
45. Miyaguchi, S., Ohta, K., Iwata, M.: Confirmation that some hash functions are not collision free. In: Advances in Cryptology - EUROCRYPT '90. LNCS, vol. 473. Springer, Heidelberg (1990)
46. Nakahara Jr., J.: New impossible differential and known-key distinguishers for the 3D cipher. In: Information Security Practice and Experience - ISPEC 2011. LNCS, vol. 6672, pp. 208–221. Springer, Heidelberg (2011)
47. Nikolić, I., Pieprzyk, J., Sokołowski, P., Steinfeld, R.: Known and chosen key differential distinguishers for block ciphers. In: Information Security and Cryptology - ICISC 2010. LNCS, vol. 6829, pp. 29–48. Springer, Heidelberg (2010)
48. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Advances in Cryptology - CRYPTO '93. LNCS, vol. 773. Springer, Heidelberg (1993)
49. Rabin, M.: Digitalized signatures. In: Foundations of Secure Computation '78. Academic Press, New York (1978)
50. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Fast Software Encryption 2004. LNCS, vol. 3017. Springer, Heidelberg (2004)
51. Rogaway, P., Steinberger, J.: Constructing cryptographic hash functions from fixed-key blockciphers. In: Advances in Cryptology - CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008)
52. Sasaki, Y.: Known-key attacks on Rijndael with large blocks and strengthening ShiftRow parameter. In: International Workshop on Security - IWSEC 2010. LNCS, vol. 6434. Springer,
Heidelberg (2010)
53. Sasaki, Y., Emami, S., Hong, D., Kumar, A.: Improved known-key distinguishers on Feistel-SP ciphers and application to Camellia. In: Australasian Conference on Information Security and Privacy - ACISP 2012. LNCS, vol. 7372. Springer, Heidelberg (2012)
54. Sasaki, Y., Wang, L.: Distinguishers beyond three rounds of the RIPEMD-128/-160 compression functions. In: Applied Cryptography and Network Security 2012. LNCS, vol. 7341, pp. 275–292. Springer, Heidelberg (2012)
55. Sasaki, Y., Wang, L., Takasaki, Y., Sakiyama, K., Ohta, K.: Boomerang distinguishers for full HAS-160 compression function. In: International Workshop on Security - IWSEC 2012. LNCS, vol. 7631. Springer, Heidelberg (2012)
56. Sasaki, Y., Yasuda, K.: Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes. In: Fast Software Encryption 2011. LNCS, vol. 6733. Springer, Heidelberg (2011)
57. Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: International Colloquium on Automata, Languages and Programming - ICALP (2) 2008. LNCS, vol. 5126. Springer, Heidelberg (2008)
58. Smith, J.: The design of Lucifer: a cryptographic device for data communications. IBM Research Report RC
59. Stam, M.: Blockcipher-based hashing revisited. In: Fast Software Encryption 2009. LNCS, vol. 5665. Springer, Heidelberg (2009)
60. Wagner, D.: The boomerang attack. In: Fast Software Encryption '99. LNCS, vol. 1636. Springer, Heidelberg (1999)
61. Yu, H., Chen, J., Wang, X.: The boomerang attacks on the round-reduced Skein-512. In: Selected Areas in Cryptography 2012. LNCS, vol. 7707. Springer, Heidelberg (2012)

A Knudsen-Rijmen Attack on Feistel$_7$

We briefly discuss the attack of Knudsen and Rijmen [27] on the classical Feistel network on $n$ bits with 7 rounds. Before doing so, we first introduce Feistel$_7$.

The Feistel network is a very common blockcipher design strategy, dating back to the design of Lucifer [58], and many generalizations of this design have appeared in the literature. We use the notation of [27]. The $n$-bit Feistel network with 7 rounds, called Feistel$_7$, uses 2 lines of $n/2$ bits, and consists of 7 evaluations of a fixed $n/2$-bit permutation $p$. Each evaluation of $p$ is preceded by an XOR of a round key $k_1, \ldots, k_7$, derived from the master key $k$ using some key schedule $F_{\mathrm{gen}}$. It is depicted in Fig. 5.

Fig. 5. The $n$-bit Feistel network with 7 rounds.

Now, we describe the attack by Knudsen and Rijmen on this construction [1, 27]. Assume $k_2 \ne k_6$. First, the adversary fixes an arbitrary value $y \in \{0,1\}^{n/2}$. Then, from $y$ the adversary derives two plaintext/ciphertext pairs $((m_l, m_r), (c_l, c_r))$ and $((m'_l, m'_r), (c'_l, c'_r))$ as follows: $y$ is fixed to be the input to the third permutation call $p$ for the first tuple, while for the second tuple that input is $y \oplus \alpha$ for some non-zero value $\alpha$ (determined later). Then, the adversary uses $p$ to compute the tuples in a straightforward way:
$$\begin{aligned}
(m_l, m_r) &= \big(z \oplus k_4 \oplus p(y) \oplus p(m_r \oplus k_1),\; y \oplus k_3 \oplus p(z \oplus k_4 \oplus p(y))\big)\\
(c_l, c_r) &= \big(z \oplus k_4 \oplus k_6 \oplus p(y) \oplus p(c_r \oplus k_7),\; y \oplus \alpha \oplus k_5 \oplus p(z \oplus k_4 \oplus p(y))\big)\\
(m'_l, m'_r) &= \big(z \oplus k_4 \oplus k_6 \oplus p(y) \oplus p(m'_r \oplus k_1),\; y \oplus \alpha \oplus k_3 \oplus p(z \oplus k_4 \oplus k_6 \oplus p(y))\big)\\
(c'_l, c'_r) &= \big(z \oplus k_4 \oplus p(y) \oplus p(c'_r \oplus k_7),\; y \oplus k_5 \oplus p(z \oplus k_4 \oplus k_6 \oplus p(y))\big),
\end{aligned}\tag{9}$$
where $\alpha = y \oplus p^{-1}(k_2 \oplus k_6 \oplus p(y))$ and $z = p(\alpha)$. These pairs satisfy $m_r \oplus c_r = m'_r \oplus c'_r$ with probability 1, but this equation is satisfied by an ideal cipher with probability at most $1/2^{n/2}$. This completes the distinguishing attack. An extension of this attack to generalized balanced Feistel networks on $r$ wires and $4r - 1$ rounds was derived in [1].

B Proof of Theorem 2

We focus on PGV2. The analysis for PGV1 is a simplification due to the absence of the feed-forward of the key. We consider any adversary that has query access to $\pi \xleftarrow{\$} \mathrm{BC}[\Phi(A, B, \varphi_C)](n, n)$ and makes $q$ queries. Let $Z \in \{0,1\}^n$. A preimage for $Z$ would imply the existence of a query $(k, x, z)$ such that $k \oplus x \oplus z = Z$. We consider the $i$-th query ($i \in \{1, \ldots, q\}$) to be the first query to
make this condition satisfied, and sum over $i = 1, \ldots, q$ at the end. For regular (forward or inverse) queries, the analysis of [9, 10, 59] mostly carries over. The analysis of predicate queries is more technical, particularly as we cannot make use of abortable ciphers.

Query $\pi_k(x)$ or $\pi_k^{-1}(z)$. The cases are the same by symmetry, and we consider $\pi_k(x)$ only. Denote the response by $z$. As $z$ is randomly drawn from a set of size at least $2^n - Bq$, it satisfies $z = k \oplus x \oplus Z$ with probability at most $\frac{1}{2^n - Bq}$.

Query $\pi_\Phi(y)$. Denote the query response by $\{(k, x_1, z_1), \ldots, (k, x_B, z_B)\}$. If all tuples are old, the query cannot be successful as no earlier query was successful, and so we assume it contains at least one new tuple. The response is drawn uniformly at random from the set

$\Sigma(P, P_\Phi)$. For $l = 0, \ldots, B$, denote by $\Sigma_l(P, P_\Phi)$ the subset of all responses that have $l$ new query tuples and $B - l$ old query tuples (which already appear in $P$). By construction,
$$\Sigma(P, P_\Phi) = \bigcup_{l=0}^{B} \Sigma_l(P, P_\Phi). \tag{10}$$
Define furthermore for $l = 1, \ldots, B$ by $\Sigma_{l,\mathrm{pre}}(P, P_\Phi)$ the subset of elements of $\Sigma_l(P, P_\Phi)$ for which one of the new query tuples satisfies $k \oplus x \oplus z = Z$ (recall that we have excluded the case of $l = 0$). The predicate query is successful with probability
$$\Pr\big(\pi_\Phi(y) \text{ sets } \mathsf{preq}_i\big) = \sum_{l=1}^{B} \frac{|\Sigma_{l,\mathrm{pre}}(P, P_\Phi)|}{|\Sigma(P, P_\Phi)|}. \tag{11}$$
Using (10), we bound (11) as
$$\Pr\big(\pi_\Phi(y) \text{ sets } \mathsf{preq}_i\big) \le \frac{|\Sigma_{1,\mathrm{pre}}(P, P_\Phi)|}{|\Sigma_B(P, P_\Phi)|} + \sum_{l=2}^{B} \frac{|\Sigma_{l,\mathrm{pre}}(P, P_\Phi)|}{|\Sigma_l(P, P_\Phi)|}. \tag{12}$$
The reason why $l = 1$ is treated differently will become clear shortly. We next bound all relevant sets. Here, for integers $a \ge b \ge 1$, we denote by $a^{\underline{b}} = \frac{a!}{(a-b)!}$ the falling factorial power.

Starting with the numerators, for $l = 1$ we have $|\Sigma_{1,\mathrm{pre}}(P, P_\Phi)| \le B\,|P|^{\underline{B-1}}\,(2^n - |P|)$. Indeed, we have $B$ positions for the sole new query to appear and $|P|^{\underline{B-1}}$ choices for the old queries. For the new query, without loss of generality $(k, x_B, z_B)$, it needs to satisfy $\mathrm{Bits}_C(x_B \oplus z_B) = \mathrm{Bits}_C(x_1 \oplus z_1 \oplus \cdots \oplus x_{B-1} \oplus z_{B-1})$ and $k \oplus x_B \oplus z_B = Z$. We have $2^n - |P|$ possible choices for $x_B$, and any choice gives at most one possible $z_B$. We remark that $|\Sigma_{1,\mathrm{pre}}(P, P_\Phi)|$ will probably be about a factor $2^{|C|}$ less, as we should only count all possible solutions for the $B - 1$ old queries that satisfy $\mathrm{Bits}_C(x_1 \oplus z_1 \oplus \cdots \oplus x_{B-1} \oplus z_{B-1}) = \mathrm{Bits}_C(k \oplus Z)$. Deriving a tighter bound would be a cumbersome exercise, but fortunately there is no need to do so: the fraction of elements in $\Sigma(P, P_\Phi)$ consisting of $B - 1$ old tuples is already small enough for the case $B > 1$. This is the reason why we use a special treatment for the case of $l = 1$ in (12). For $l \in \{2, \ldots, B\}$ we have
$$|\Sigma_{l,\mathrm{pre}}(P, P_\Phi)| \le \binom{B}{l}\,|P|^{\underline{B-l}}\,(2^n - |P|)^{\underline{l}}\cdot l\cdot(2^n - |P|)^{\underline{l-2}}\,2^{n-|C|}.$$
Again, the first term comes from identifying at which positions the new queries appear and the second term comes from the selection of old queries. Next, we have $(2^n - |P|)^{\underline{l}}$ choices for the $x$-values and $l$ positions for the winning
query to occur. For this particular winning query, the corresponding $z$-value is fixed by the equation $k \oplus x \oplus z = Z$. For the remaining $l - 1$ $z$-values, there are $(2^n - |P|)^{\underline{l-2}}$ possibilities to freely fix the first $l - 2$ of them, and the last one will be adapted to the predicate condition, and can take at most $2^{n-|C|}$ values.

Regarding the denominators, for $l \in \{1, \ldots, B\}$ we have
$$|\Sigma_l(P, P_\Phi)| \ge \binom{B}{l}\,|P|^{\underline{B-l}}\,(2^n - |P|)^{\underline{l}}\,(2^n - |P|)^{\underline{l-1}}\,2^{n-|C|},$$
which can be seen as follows. As before, we have $\binom{B}{l}$ positions for the new queries to appear and $|P|^{\underline{B-l}}$ possible lists of old queries. Regarding the $l$ new queries, without loss of generality $(k, x_1, z_1), \ldots, (k, x_l, z_l)$, these need to satisfy $\mathrm{Bits}_C(x_1 \oplus z_1 \oplus \cdots \oplus x_l \oplus z_l) = \mathrm{Bits}_C(x_{l+1} \oplus \cdots$


More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Introduction to SHA-3 and Keccak

Introduction to SHA-3 and Keccak Introduction to SHA-3 and Keccak Joan Daemen STMicroelectronics and Radboud University Crypto summer school 2015 Šibenik, Croatia, May 31 - June 5, 2015 1 / 45 Outline 1 The SHA-3 competition 2 The sponge

More information

Yale University Department of Computer Science

Yale University Department of Computer Science Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Hash Function of Finalist SHA-3: Analysis Study

Hash Function of Finalist SHA-3: Analysis Study International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 2, No. 2, April 2013, Page: 1-12, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com Hash Function

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation

Specification of Cryptographic Technique PC-MAC-AES. NEC Corporation Specification of Cryptographic Technique PC-MAC-AS NC Corporation Contents 1 Contents 1 Design Criteria 2 2 Specification 2 2.1 Notations............................................. 2 2.2 Basic Functions..........................................

More information

A low-cost Alternative for OAEP

A low-cost Alternative for OAEP A low-cost Alternative for OAEP Peter Schartner University of Klagenfurt Computer Science System Security peter.schartner@aau.at Technical Report TR-syssec-11-02 Abstract When encryption messages by use

More information

Hash Function JH and the NIST SHA3 Hash Competition

Hash Function JH and the NIST SHA3 Hash Competition Hash Function JH and the NIST SHA3 Hash Competition Hongjun Wu Nanyang Technological University Presented at ACNS 2012 1 Introduction to Hash Function Hash Function Design Basics Hash function JH Design

More information

Strengthening Digital Signatures via Randomized Hashing

Strengthening Digital Signatures via Randomized Hashing Strengthening Digital Signatures via Randomized Hashing Shai Halevi Hugo Krawczyk January 30, 2007 Abstract We propose randomized hashing as a mode of operation for cryptographic hash functions intended

More information

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier

Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Indifferentiability Security of the Fast Wide Pipe Hash: Breaking the Birthday Barrier Dustin Moody Souradyuti Paul Daniel Smith-Tone Abstract A hash function secure in the indifferentiability framework

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

HASH CODE BASED SECURITY IN CLOUD COMPUTING

HASH CODE BASED SECURITY IN CLOUD COMPUTING ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security

More information

How To Attack Preimage On Hash Function 2.2 With A Preimage Attack On A Pre Image

How To Attack Preimage On Hash Function 2.2 With A Preimage Attack On A Pre Image Preimage Attacks on 4-Step SHA-256 and 46-Step SHA-52 Yu Sasaki, Lei Wang 2, and Kazumaro Aoki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9- Midori-cho, Musashino-shi, Tokyo, 8-8585

More information

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Bart Preneel Katholieke Universiteit Leuven and IBBT Dept. Electrical Engineering-ESAT/COSIC, Kasteelpark Arenberg 10 Bus

More information

CIS433/533 - Computer and Network Security Cryptography

CIS433/533 - Computer and Network Security Cryptography CIS433/533 - Computer and Network Security Cryptography Professor Kevin Butler Winter 2011 Computer and Information Science A historical moment Mary Queen of Scots is being held by Queen Elizabeth and

More information

Comparison of seven SHA-3 candidates software implementations on smart cards.

Comparison of seven SHA-3 candidates software implementations on smart cards. Comparison of seven SHA-3 candidates software implementations on smart cards. Mourad Gouicem Oberthur Technologies Contact : {g.piret, e.prouff}@oberthur.com October 2010 Abstract In this work, we present

More information

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal Symmetric Crypto Pierre-Alain Fouque Birthday Paradox In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal N=365, about 23 people are

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions

Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions Florian Mendel, Tomislav Nad, and Martin Schläffer IAIK, Graz University of Technology, Austria tomislav.nad@iaik.tugraz.at

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Lecture 13: Factoring Integers

Lecture 13: Factoring Integers CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

More information

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key Julia Juremi Ramlan Mahmod Salasiah Sulaiman Jazrin Ramli Faculty of Computer Science and Information Technology, Universiti Putra

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

CERIAS Tech Report 2007-20

CERIAS Tech Report 2007-20 CERIAS Tech Report 2007-20 DYNAMIC CRYPTOGRAPHIC HASH FUNCTIONS by William Speirs Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, IN 47907-2086

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

The Advanced Encryption Standard: Four Years On

The Advanced Encryption Standard: Four Years On The Advanced Encryption Standard: Four Years On Matt Robshaw Reader in Information Security Information Security Group Royal Holloway University of London September 21, 2004 The State of the AES 1 The

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Cryptanalysis of Dynamic SHA(2)

Cryptanalysis of Dynamic SHA(2) Cryptanalysis of Dynamic SHA(2) Jean-Philippe Aumasson 1,, Orr Dunkelman 2,, Sebastiaan Indesteege 3,4,, and Bart Preneel 3,4 1 FHNW, Windisch, Switzerland. 2 École Normale Supérieure, INRIA, CNRS, Paris,

More information

Recommendation for Applications Using Approved Hash Algorithms

Recommendation for Applications Using Approved Hash Algorithms NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February

More information

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

More information

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4

AES-COPA v.2. Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Submission to the CAESAR competition AES-COPA v.2 Designers/Submitters: Elena Andreeva 1,2, Andrey Bogdanov 3, Atul Luykx 1,2, Bart Mennink 1,2, Elmar Tischhauser 3, and Kan Yasuda 1,4 Affiliation: 1 Dept.

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

SD12 REPLACES: N19780

SD12 REPLACES: N19780 ISO/IEC JTC 1/SC 27 N13432 ISO/IEC JTC 1/SC 27 Information technology - Security techniques Secretariat: DIN, Germany SD12 REPLACES: N19780 DOC TYPE: TITLE: Standing document ISO/IEC JTC 1/SC 27 Standing

More information

A NEW HASH ALGORITHM: Khichidi-1

A NEW HASH ALGORITHM: Khichidi-1 A NEW HASH ALGORITHM: Khichidi-1 Abstract This is a technical document describing a new hash algorithm called Khichidi-1 and has been written in response to a Hash competition (SHA-3) called by National

More information

On the Security of CTR + CBC-MAC

On the Security of CTR + CBC-MAC On the Security of CTR + CBC-MAC NIST Modes of Operation Additional CCM Documentation Jakob Jonsson * jakob jonsson@yahoo.se Abstract. We analyze the security of the CTR + CBC-MAC (CCM) encryption mode.

More information

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Remotely Keyed Encryption Using Non-Encrypting Smart Cards THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

More information

On-Line/Off-Line Digital Signatures

On-Line/Off-Line Digital Signatures J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems Up to this point, we have mainly seen how ciphers are implemented. We

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator

Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee,

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Elliptic Curve Hash (and Sign)

Elliptic Curve Hash (and Sign) Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43

More information

How To Encrypt With A 64 Bit Block Cipher

How To Encrypt With A 64 Bit Block Cipher The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

More information

Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

More information

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs Cryptanalysis of Grain using Time / Memory / Data Tradeoffs v1.0 / 2008-02-25 T.E. Bjørstad The Selmer Center, Department of Informatics, University of Bergen, Pb. 7800, N-5020 Bergen, Norway. Email :

More information

MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

More information

One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

More information

The 128-bit Blockcipher CLEFIA Design Rationale

The 128-bit Blockcipher CLEFIA Design Rationale The 128-bit Blockcipher CLEFIA Design Rationale Revision 1.0 June 1, 2007 Sony Corporation NOTICE THIS DOCUMENT IS PROVIDED AS IS, WITH NO WARRANTIES WHATSOVER, INCLUDING ANY WARRANTY OF MERCHANTABIL-

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION INTRODUCTION GANESH ESWAR KUMAR. P Dr. M.G.R University, Maduravoyal, Chennai. Email: geswarkumar@gmail.com Every day, millions of people

More information

Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

Message Authentication

Message Authentication Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

More information

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Yury Lifshits July 10, 2005 Abstract The goal of the paper is to construct mathematical abstractions of different aspects of real

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

A Practical Attack on Broadcast RC4

A Practical Attack on Broadcast RC4 A Practical Attack on Broadcast RC4 Itsik Mantin and Adi Shamir Computer Science Department, The Weizmann Institute, Rehovot 76100, Israel. {itsik,shamir}@wisdom.weizmann.ac.il Abstract. RC4is the most

More information

BPS: a Format-Preserving Encryption Proposal

BPS: a Format-Preserving Encryption Proposal BPS: a Format-Preserving Encryption Proposal Eric Brier, Thomas Peyrin and Jacques Stern Ingenico, France {forenare.nare}@ingenico.cor Abstract. In recent months, attacks on servers of payment processors

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Security Analysis for Order Preserving Encryption Schemes

Security Analysis for Order Preserving Encryption Schemes Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling

More information

11 Ideals. 11.1 Revisiting Z

11 Ideals. 11.1 Revisiting Z 11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

The Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) Conception - Why A New Cipher? Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow

More information

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

More information