On the Impact of Known-Key Attacks on Hash Functions

Transcription

1 On the Impact of Known-Key Attacs on Hash Functions Bart Mennin and Bart Preneel Dept Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium Abstract Hash functions are often constructed based on permutations or blocciphers, and security proofs are typically done in the ideal permutation or cipher model However, once these random primitives are instantiated, vulnerabilities of these instantiations may nullify the security At ASIACRYPT 007, Knudsen and Rijmen introduced nown-ey security of blocciphers, which gave rise to many distinguishing attacs on existing bloccipher constructions In this wor, we analyze the impact of such attacs on primitive-based hash functions We present and formalize the wea cipher model, which captures the case a bloccipher has a certain weaness but is perfectly random otherwise A specific instance of this model, considering the existence of sets of B queries whose XOR equals 0 at bit-positions C, where C is an index set, covers a wide range of nown-ey attacs in literature We apply this instance to the PGV compression functions, as well as to the Grøstl based on two permutations) and Shrimpton-Stam based on three permutations) compression functions, and show that these designs do not seriously succumb to any differential nown-ey attac nown to date Keywords Hash functions, nown-ey security, Knudsen-Rijmen, PGV, Grøstl, Shrimpton-Stam, collision resistance, preimage resistance 1 Introduction Cryptographic hash functions are conventionally built on top of compression functions, and in turn on one or more blocciphers Since the first appearance of such compression function Fh, m) = DES m h) by Rabin [49] in the late 70s, many bloccipher-based functions appeared in the literature [3, 5, 9, 30, 40, 43, 48, 59] These all enjoy security proofs in the ideal model, where the underlying ciphers are assumed to behave ideally Characteristic to these designs is that the ey input to the cipher depends on the input to the compression function, and that the ey scheduling needs to be sufficiently strong For instance, Biryuov et al [6] derived a related-ey attac on AES and claimed that it invalidates the security of the Davies-Meyer compression function when the underlying primitive is instantiated with AES A more recent approach to compression function design is to base them on a limited number of permutations [8, 41, 4, 51, 57] These permutations could be designed from scratch, or obtained by fixing a small set of eys and using a bloccipher for these eys only Related- or chosen-ey attacs on blocciphers do not help the adversary here, as the eys are fixed Known-Key Security of Blocciphers While in the classical security models for blocciphers the ey is secret and randomly drawn and the adversary s target is to distinguish the instantiation of the cipher from a random permutation also nown as strong) pseudorandom permutation security), this notion does not apply if the ey is nown to the adversary At ASIACRYPT 007, Knudsen and Rijmen [7] introduced nown-ey security of blocciphers Here, the ey is presumed nown, and the adversary succeeds in distinguishing if it identifies a structural property of the cipher Andreeva et al [1] proposed a way to formalize the nown-ey security of blocciphers based on the underlying primitives The model is

2 derived from the indifferentiability framewor [37] and hence all composition results carry over Intuitively: suppose some cryptosystem F is proven to achieve a certain level of security in the ideal permutation model, and consider F to be F with the permutations replaced by independent bloccipher instantiations Then, F achieves the same level of security as F, up to the nown-ey indifferentiability bound of the underlying blocciphers In [1], several bloccipher constructions are proven to be nown-ey indifferentiable, such as the multiple Even-Mansour cipher and 14 rounds of balanced Feistel with random functions using a result of Holenstein et al [4]) For such ciphers, the above approach wors well, although for Even-Mansour the composition is trivial one essentially replaces an ideal permutation by an ideal permutation) and for Feistel with 14 rounds security is only guaranteed up to n/3 queries, where n is the state size of the cipher Known-Key Attacs on Blocciphers Knudsen and Rijmen also demonstrated that the Feistel networ on n bits with 7 rounds called Feistel 7 ) is not nown-ey indifferentiable [1,7]: an adversary can generically find n/ plaintext/ciphertext tuples m, c) and m, c ) satisfying Ri n/ m c m c ) = 0 where Ri r x) outputs the r rightmost bits of x) This result has lead to a wave of other nown-ey attacs on practical constructions, including generalized/extended variants of Feistel [1,7,47,53,56], reduced versions of AES or Rijndael [,7,38,44,5], reduced variants of the blocciphers underlying SHA- and SHA-3 finalists BLAKE and Sein [, 7, 31, 34, 61], and many more [3, 11, 1, 14, 17, 18, 8, 33, 46, 47, 54, 55] This paper will mostly be concerned with differential nown-ey attacs, including reboundand boomerang-based attacs the majority of above-mentioned attacs) We highlight two results that are among the best-nown ones and that exemplify the idea of the other attacs Gilbert and Peyrin [] used the rebound technique [39] to derive a nown-ey attac on 8 rounds of AES called AES 8 ) It starts from the middle, and results in a differential trail with four active words in the beginning, and four at the end These active words are overlapping at two positions, hence one could consider this result as two tuples m, c) and m, c ) satisfying m c m c = 0 at 10n/16 bit-positions The adversary has 15 n/8 degrees of freedom in the attac, and for any choice it results in such a tuple with a certain probability The bound of n/8 is used for simplicity later on) The second attac we highlight is by Yu et al [61], who employ the boomerang technique [60] to attac 36 rounds of the bloccipher Threefish-51 called Threefish 36 ) used in Sein This attac results in four tuples m 1, c 1 ),, m 4, c 4 ) satisfying m 1 c 4 = 0 The adversary has n degrees of freedom, but any trial succeeds with probability approximately 454 Therefore, the expected number of solutions is about n 454 n/8 This attac is in fact a nownrelated-ey attac, where a fixed difference in the ey exists For simplicity, we condone this, observing that an attac with no ey difference must logically be harder In any of these cases, the traditional and commonly employed ideal cipher/permutation model falls short: results achieved in this model do not necessarily hold if the primitives are instantiated with Feistel 7, AES 8, Threefish 36, or any other nown-ey distinguishable cipher 11 Our Contributions In their seminal wor, Knudsen and Rijmen state: In some cases blocciphers are used with a ey that is nown to the adversary, and at least to a certain extent, the ey is under the adversary s control Our attacs are quite relevant to this case We investigate this fundamental question whether nown-ey attacs invalidate the security of primitive-based hash functions, but we do so in a much more general way At a high level, we present a model that goes beyond the traditional ideal cipher model as well as the principle of nown-ey attacs and that allows to generically analyze the impact of various weanesses of blocciphers on various bloccipher- and permutation-based cryptosystems Model A naive approach to analyzing the impact of nown-ey attacs would be to simply plug a certain bloccipher construction into a hash function and to analyze its security,

3 but this would be a devious and complex combinatorial tas: for a function based on r permutations, plugging Feistel 7 into it would lead to 7r underlying primitive calls Note that proving security of the Feistel construction itself is already extraordinarily hard [16, 4, 3] Instead, we model the blocciphers in such a way that they behave randomly, except that an adversary can exploit the particular relation More formally, we pose a certain predicate Φ, and we draw blocciphers randomly from the set of all ciphers that comply with predicate Φ Throughout, we refer to this model as the wea cipher model WCM) It corresponds to the ideal cipher model if Φ is trivial We present an explicit description of a random wea cipher for the case where Φ implies for each ey the existence of A sets of B queries {, m 1, c 1 ),,, m B, c B )} that comply with a certain condition ϕ These ciphers are modeled to have three interfaces: forward queries, inverse queries, and predicate queries Forward and inverse queries are as usual; on a predicate query, an adversary is given a set of B queries satisfying ϕ Multiple technicalities are involved in this formalization Most importantly, predicate Φ applies to tuples of queries, rather than single queries only, and some query responses may have a reduced entropy Above-mentioned nown-ey attacs are covered by our model if the condition ϕ states for some C {1,, n} that Bits C m 1 c 1 m B c B) = 0, 1) where Bits C x) outputs a string consisting of all bits of x whose index is in C In fact, our model is much more general: above-mentioned attacs aim to generate only one relation, while we allow an adversary to see multiple relations) The value A usually depends on n and C is regularly a large subset We consider B being a relatively small number independent of n) For the above-mentioned attac on Feistel 7, A = n/, B =, and C corresponds to the rightmost n/ bits Similarly, the attacs on AES 8 for A = n/8, B =, and C a certain set of size 10n/16) and Threefish 36 for A = n/8, B = 4, and C = {1,, n}) are covered, and so are almost all nown differential rebound- or boomerang-based) nown-ey attacs We remar that, on the other hand, the predicate is not well-suited for integral-based nown-ey attacs: upon a predicate query an attacer would receive B n queries The wea cipher model is similar to an approach followed by Bresson et al [15] for the indifferentiability analysis of the SHA-3 candidate Shabal if the underlying bloccipher shows some non-random behavior, and by Bouillaguet et al [13] to analyze the indifferentiability security of SIMD when the underlying compression function is distinguishable from a random function However, in both approaches, the underlying biased primitives were relatively easy to model For instance in [15] using our terminology), predicate Φ is a relation that holds for single queries only, and not for combinations of queries This considerably simplifies the analysis: one can derive a bias β to measure the distance between primitive responses and fully random responses, and consider oracle responses to be drawn from a set of size at least n β, and the original indifferentiability analysis carries over with minor modifications The predicate used in the analysis in [13], on the other hand, does apply to tuples of queries, but the model can simply be described using two sampling algorithms, and an adversary cannot hit a wea pair by accident which is possible in our analysis) Lisov [35] used a similar approach to prove indifferentiability security of the zipper hash if the underlying compression function is invertible up to a certain degree However, the analysis is significantly simpler, as this primitive can be perfectly modeled We finally remar that Katz et al [6] analyze the impact of related-ey attacs on blocciphers to hash functions However, in their model, the differences, x, y are fixed, an ideal cipher is generated for half of the ey space, and for the other half the cipher is adjusted as E x, y) = E x x) y This primitive can be easily modeled, but is also too generous to the attacer To our nowledge, this is the first attempt to formally analyze the effect of a wide class of bloccipher attacs on higher level cryptographic functions Nonetheless, the wea cipher model is in essence still a model: we use an abstraction of the cryptanalytic nown-ey attacs in such a way that the ideal cipher model can be relaxed to cope them A further discussion on the accuracy of the model is given in Sect 7 3

4 Table 1 Security results for the PGV, Grøstl, and Shrimpton-Stam compression functions in the wea cipher model Ideal cipher/permutation model bounds match the ones of B 3 All results are tight except for the case B = 1, C > n/) for Shrimpton-Stam PGV Grøstl Shrimpton-Stam B C collision preimage collision preimage collision preimage 1 n/ n C )/ n C n C )/4 n C )/ n C )/ n/ > n/ n C )/ n C n C )/4 n C )/ n C )/ n C n/ n/ n n/4 n/ n/ n/ > n/ n C n n C )/ n/ n C n/ 3 arbitrary n/ n n/4 n/ n/ n/ Application to Bloccipher-Based Hash Functions Preneel, Govaerts, and Vandewalle PGV) [48] classified the 64 most basic ways of constructing a n-to-n-bit compression function from a bloccipher with n-bit ey and n-bit state, and claimed security of 1 of them A formal security analysis of these functions in the ICM has been performed by Blac et al [9], and later by Duo and Li [19], Stam [59], and Blac et al [10] In more detail, in the ICM these constructions achieve tight collision security up to about n/ queries and preimage security up to about n queries Baecher et al [4] recently showed that the 1 secure PGV functions can be divided into two classes, in such a way that if a primitive maes one function secure it maes the entire class secure As first application of our model, we consider the PGV compression functions in the WCM and derive collision and preimage bounds for general A, B, C) A schematic summary of the results for various B and C is given in Table 1 we remar that A is merely a technical parameter that has no influence on the results) We also show that the bounds are optimal, by providing matching attacs Some of these attacs are similar to methods used in [7, 53, 56] to detect near-)collisions in certain PGV modes of operations using nown-ey attacs Application to Permutation-Based Hash Functions We also apply the WCM to permutation-based compression functions This is particularly interesting for two reasons: i) it allows us to understand the impact of distinguishers on permutations that are used in hash functions, and ii) a bloccipher with a fixed and nown ey is a permutation and can be used as such In more detail, we consider the Grøstl compression function [1] and the permutation-based equivalent of the Shrimpton-Stam compression function [57] see also Fig 4) In the IPM, the former is proven to achieve collision security up to n/4 queries, where n is the state size, and preimage security up to n/ [0] Rogaway and Steinberger [51] showed via an automated analysis that the latter function is collision and preimage resistant up to n/ queries asymptotically) This has been confirmed in the generalized wor of Mennin and Preneel [41] A summary of our findings for the Grøstl and Shrimpton-Stam compression functions in the WCM is given in Table 1 All results are tight, except for the case B = 1, C > n/) for Shrimpton-Stam, for which we leave proving tightness as an open problem We remar that the analysis for these schemes is much more demanding as multiple primitives are involved Impact An application of our formalization to the PGV functions and various permutationbased functions shows that these achieve a comparable level of security in the ideal and wea cipher model for a spectrum of choices for A, B, C) This result particularly implies that most relevant rebound-based including [1,, 8, 38, 5, 53, 56]) and boomerang-based including [, 7, 31, 54, 61]) nown-ey attacs nown to date do not invalidate the security of such functions, or only have a little effect For instance, the above-discussed attac on Feistel 7 satisfies B = and C = n/ and it does not affect the security; similarly for Threefish 36 for which B = 4 The attac on AES 8 is covered for B = and C = 10n/16, 4

5 which demonstrates a slight security degradation to 6n/16 for the PGV functions, but this may in part be due to our over-generosity to the adversary We remar that, even though we focused on collision and preimage resistance, the techniques can be generalized to other security notions, such as near-collisions This may entail differences in the security results We stress that these results do not mean that the analyzed functions are secure when the underlying permutations are instantiated with, say, Feistel 7 or Threefish 36 : it only means that existing nown-ey attacs, or more general weanesses such as relation 1), alone are not sufficient to invalidate the collision and preimage security of the construction Indeed, more sophisticated attacs which are not yet covered by our application of the WCM may still invalidate the security of certain modes [6] It remains a challenging open research problem to generalize the findings to underlying primitives that have multiple or different weanesses 1 Outline In Sect, we formally present the wea cipher model, and in Sect 3 we show how it relates to nown-ey attacs We apply the model to the PGV functions in Sect 4, to the Grøstl compression function in Sect 5, and to Shrimpton-Stam in Sect 6 We conclude this wor in Sect 7 Wea Cipher Model If X is a set, by x $ X we denote the uniformly random sampling of an element from X By X x, we denote X X {x} For a bit string x, its bits are numbered x = x x x x 1 If C {1,, x }, the function Bits C x) outputs a string consisting of all bits of x whose index is in C Abusing notation, Bits C x) always denotes the remaining bits technically, C = {1,, x }\C) For 0 r x, we consider Ri r x) that outputs the r rightmost bits of x In other words, Ri r x) = Bits {1,,r} x) For a function f, by domf) and rngf) we denote its domain and range, respectively 1 Security Model For κ 0 and n 1, by BCκ, n) we denote the set of all blocciphers with κ-bit ey operating on n bits If κ = 0, BCn) := BC0, n) denotes the set of all n-bit permutations If Φ is a predicate, by BC[Φ]κ, n) we denote the subset of ciphers of BCκ, n) that satisfy predicate Φ For π BC[Φ]κ, n), the input-output tuples are denoted, x, z), where π, x) = π x) = z and π 1, z) = π 1 z) = x The ey is omitted in case κ = 0 Let F : {0, 1} s {0, 1} n be a compressing function instantiated with l 1 primitives from BC[Φ]κ, n), for some predicate Φ Throughout, we consider security of F in an idealized model: we consider an adversary A that is a probabilistic algorithm with oracle access to a randomly sampled primitive π = π 1,, π l ) $ BC[Φ]κ, n) l A is information-theoretic and its complexity is only measured by the number of queries made to its oracles The adversary can mae forward and inverse queries to its oracles, and these queries are stored in a query history Q A collision-finding adversary A for F aims at finding two distinct inputs to F that compress to the same range value In more detail, we say that A succeeds if it finds two distinct inputs X, X such that FX) = FX ) and Q contains all queries required for these evaluations of F We define by Adv col F A) = Pr π $ BC[Φ]κ, n) l, X, X A π : X X FX) = FX ) the probability that A succeeds in this By Adv col F q) we define the maximum collision advantage taen over all adversaries maing q queries ) 5

6 For preimage resistance, we focus on everywhere preimage resistance [50], which captures preimage security for every point of {0, 1} n Let Z {0, 1} n be any range value Then, we say that A succeeds in finding a preimage if it obtains an input X such that FX) = Z and Q contains all queries required for this evaluation of F We define by ) Adv epre F A) = max Pr π $ BC[Φ]κ, n) l, X A π Z) : FX) = Z Z {0,1} n the probability that A succeeds, maximized over all possible choices for Z By Adv epre F q) we define the maximum everywhere) preimage advantage taen over all adversaries maing q queries If Φ is a trivial relation, we have BC[Φ]κ, n) = BCκ, n), and the above definitions boil down to security in the ideal cipher model ICM) if κ > 0 or the ideal permutation model IPM) if κ = 0 On the other hand, if Φ is a non-trivial predicate, it strictly reduces the set BCκ, n) In this case, we will refer to the model as the wea cipher model WCM), for both κ > 0 and κ = 0 Very informally, this model still involves random ciphers/permutations, with the difference that an adversary may exploit a certain additional property The modeling of a randomly drawn wea ciphers is much more delicate Random Wea Cipher For a certain class of predicates, we discuss how to model a randomly drawn wea cipher π from BC[Φ]κ, n) Let A, B N We will consider predicates that imply, for every {0, 1} κ, the existence of A sets of B distinct queries {x 1, z 1 ),, x B, z B )} that satisfy ϕ {x 1, z 1 ),, x B, z B )} ) for some condition ϕ depending on ey The predicate is denoted ΦA, B, ϕ) A is merely a technical parameter, and throughout we assume it is larger than q, the number of oracle calls an adversary can mae This definition of ΦA, B, ϕ) is fairly general Particularly, predicate B-sets may overlap and the condition ϕ can represent any function on the inputs We note that Φ can be easily generalized to tuples of different length and/or to multiple types of conditions at the same time Traditionally, an adversary has only forward π x) and inverse π 1 z) query access In order for the adversary to be able to exploit the weaness present in π, we give it additional access to π via a predicate query π Φ y): on input of y {1,, A}, the adversary obtains a B-set {x 1, z 1 ),, x B, z B )} that satisfies ϕ {x 1, z 1 ),, x B, z B )} ) A formal description of how to model π $ BC[ΦA, B, ϕ)]κ, n) is given in Fig 1 Here, for every {0, 1} κ, P is an initially empty list of π -evaluations, where a regular forward/inverse query adds one element x, z) to P and a π Φ -query may add up to B elements Additionally, P Φ is an initially empty list of queries to πφ We denote by Σ P, P Φ) {0, 1}n {0, 1} n ) B the set of all tuples {x 1, z 1 ),, x B, z B )} such that i) x 1,, x B are pairwise distinct and z 1,, z B are pairwise distinct; ii) B l=1 : xl domp ) = z l = P x l ) and z l rngp ) = x l = P 1 zl ); iii) ϕ {x 1, z 1 ),, x B, z B )} ) holds; iv) {x p1), z p1) ),, x pb), z pb) )} rngp Φ ) for any permutation p on {1,, B} For a new query π Φy), the response is then randomly drawn from Σ P, P Φ ) Conditions i-iii) are fairly self-evident; note particularly that an existing x, z) P may appear in multiple predicate queries Condition iv) assures that the drawing from Σ P, P Φ ) is not just an old predicate query or a reordering thereof The usage of this set Σ P, P Φ) allows for a uniform behavior of π Φ for every, and in general of π $ BC[ΦA, B, ϕ)]κ, n), modulo the nown existence of condition ϕ This step is fundamental to our model and new compared with previous approaches of [13, 15, 35] We remar that the model allows adversaries to mae their queries at their own discretion, eg, duplicate queries and regular queries after predicate queries are allowed 6

7 procedure π x) if P x) = : z $ {0, 1} n \rngp ) P x, z) end if return P x) procedure π 1 z) if P 1 z) = : x $ {0, 1} n \domp ) P x, z) end if return P 1 z) procedure π Φ y) if P Φ y) = : {x 1, z 1 ),, x B, z B )} $ Σ P, P Φ ) for l = 1,, B: if x l, z l ) P : P x l, z l ) end if end for P Φ y, {x 1, z 1 ),, x B, z B )}) end if return P Φ y) Fig 1 Random wea cipher π An adversary has access to π, π 1, and π Φ 3 Random Abortable Wea Cipher Security analyses in the WCM are significantly more complex than in the ICM or IPM, which is in part because predicate queries may consist of older queries This will particularly be an issue once collisions among queries are investigated To suit the analysis for this case, we transform the WCM to an abortable wea cipher model AWCM), which we denote as BC[ΦA, B, ϕ)]κ, n) At a high-level, an abortable wea cipher responds to predicate queries with new query tuples only, and aborts once it turns out that an older query appears in a newer predicate query For any {0, 1} κ and partial P and P Φ, define by Σ P Φ ) {0, 1}n {0, 1} n ) B the set of all tuples {x 1, z 1 ),, x B, z B )} such that iii) ϕ {x 1, z 1 ),, x B, z B )} ) holds; iv) {x p1), z p1) ),, x pb), z pb) )} rngp Φ ) for any permutation p on {1,, B} Σ P Φ) differs from ΣP, P Φ ) in that conditions i) and ii) are omitted, and particularly: it is independent of P A formal description of a random cipher π $ BC[ΦA, B, ϕ)]κ, n) is given in Fig It deviates from Fig 1 as follows: for every ey, π Φ responds randomly from Σ P Φ ), and it aborts if the response violates one of the two sipped conditions of Σ P, P Φ) The next lemma shows that the WCM and AWCM are indistinguishable as long as the abortable wea cipher does not abort, approximately up to the birthday bound Here, we assume that Σ P Φ ) is always large enough Lemma 1 Let π $ BC[ΦA, B, ϕ C )]κ, n) Consider an adversary that maes q queries to π Then, Pr π sets abort) B qq + 1) n B!qn Σ ) Proof Consider the i th query, for i {1,, q}, and assume it is a predicate query π Φy) We will consider the probability that this query maes π abort, provided it has not aborted so far Prior to this i th query, P Bi 1) and P Φ i Basic combinatorics shows that Σ P Φ ) = Σ ) B! P Φ, where we use that π has not aborted so far This i th query aborts only if for some l {1,, B}, the value x l equals an element in domp ) {x 1,, x l 1 } or the value z l equals an element in rngp ) {z 1,, z l 1 } 7

8 procedure π x) if P x) = : z $ {0, 1} n \rngp ) P x, z) end if return P x) procedure π 1 z) if P 1 z) = : x $ {0, 1} n \domp ) P x, z) end if return P 1 z) procedure π Φ y) if P Φ y) = : {x 1, z 1 ),, x B, z B )} $ Σ P Φ ) for l = 1,, B: if x l domp ) z l P x l ): abort if z l rngp ) x l P 1 zl ): abort if x l, z l ) {x 1, z 1 ),, x l 1, z l 1 )}: if x l, z l ) P : P x l, z l ) end if end for P Φ y, {x 1, z 1 ),, x B, z B )}) end if return P Φ y) abort Fig Random abortable wea cipher π An adversary has access to π, π 1, and π Φ Σ abort Define by P Φ) the set of all elements of Σ P Φ ) that would lead to abort We have B possible values to cause the abort namely, x 1,, z B ), and it causes the abort if it equals an element in a set of size at most P + B For any of these B P + B) choices, the number of tuples in Σ P Φ) complying with this choice is at most Σ ) Thus, n Pr π Φ y) sets abort ) = abort Σ P Φ) Σ P Φ) B P + B) Σ ) n Σ ) B! P Φ B i n B!qn Σ ) The proof is completed by summation over i = 1,, q 3 Modeling Known-Key Attacs We next apply the WCM to nown-ey attacs For the sae of explanation, we first reconsider the Knudsen-Rijmen attac on Feistel 7 [7] A detailed description of the attac is given in App A) Let n N, and let π := π be an instance of Feistel 7 with fixed ey Knudsen and Rijmen revealed four functions f, f, g, g : {0, 1} n/ {0, 1} n such that for all y {0, 1} n/ : gy) = πfy)) and g y) = πf y)), Ri n/ fy) gy)) = Ri n/ f y) g y)) ) These four functions correspond to the equations of 9) in App A and depend on the cryptographic primitive underlying Feistel 7 in a complicated way Therefore, we can safely assume that these functions behave sufficiently random, besides this particular relation ), and that they are unnown to the adversary f, f, g, g are all injective and satisfy fy) f y) and gy) g y) for all y On the other hand, collisions of the form fy) = f y ) and gy) = g y ) may occur Generically, the attac demonstrates that for ey there exist n/ possibly overlapping sets of distinct queries {x 1, z 1 ), x, z )} that satisfy Ri n/ x 1 z 1 x z ) = 0 In other words, Feistel 7 meets predicate Φ n/,, ϕ Feistel7 ), where ϕ Feistel7 {x 1, z 1 ), x, z )} ) : Ri n/ x 1 z 1 x z ) = 0 Here, we remar that the Knudsen-Rijmen attac wors for any fixed but nown ey, and that condition ϕ Feistel7 is in fact independent of the ey In this wor, we will consider a 8

9 more general predicate ΦA, B, ϕ C ) for A, B N and C {1,, n}, where {x 1, z 1 ),, x B, z B )} ) : Bits C x 1 z 1 x B z B) = 0 3) ϕ C This generalized predicate considers the case of arbitrary but fixed and nown eys, where the adversary can even choose the ey every time it maes a predicate query Note that also the attacs on AES 8 and Threefish 36 see Sect 1) are covered, as they satisfy Φ n/8,, ϕ C ) for certain C of size 10n/16 and Φ n/8, 4, ϕ {1,,n} ), respectively In general, all rebound- or boomerang-based nown-ey attac in literature are covered by predicate ΦA, B, ϕ C ) for some A, B, C Here, B is always a value independent of n usually or 4) and C is regularly a large subset of size at least n/4) Throughout, we consider A to be sufficiently large Basic Computations for AWCM For the specific condition ϕ C of 3), we derive a simpler bound on the probability that a primitive π $ BC[ΦA, B, ϕ C )]κ, n) aborts, along with some other elementary observations for π To this end, we define the notation [X], which equals 1 if X holds and 0 otherwise For conciseness, we introduce the function δ B,C [b] defined as C if B = b, δ B,C [b] = C [B = b] + [B > b] = 1 if B > b, 4) 0 otherwise Lemma Let π $ BC[ΦA, B, ϕ C )]κ, n) Consider an adversary that maes q n 1 /B queries to π Then, Pr π sets abort) B qq + 1) n Bq 5) Let {0, 1} κ and let Z, Z, Z {0, 1} n Consider any new query π Φ y) and assume it does not abort Write the response as {x 1, z 1 ),, x B, z B )} Then, i) a {1,, B} : Pr x a = Z), Pr z a = Z) 1 ; ii) a {1,, B} : Pr x a z a = Z) δ B,C[1] ; iii) {a, b} {1,, B} : Pr x a z a = Z x b z b = Z ) δ B,C[] n Bq ; iv) {a, b} {1,, B} : Pr x a = Z x b = Z x a z a x b z b = Z ) δ B,C[] 3n Bq Proof Recall from the proof of Lem 1 that Σ P Φ ) = Σ ) B! P Φ, where P Φ q For the specific predicate analyzed in this lemma, Σ ) = n ) B 1 n C In the remainder, we regularly bound B! B n ) B for B 1 or B! B n ) B 4 for B Probability of abortion The bound of 5) directly follows from Lem 1, the abovementioned size of Σ ), and the bound on B! i) Part i) Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa = Z Then, P Φ) n ) B n C, and Σ i) Pr x a = Z) = i) Σ P Φ) 1 Σ P Φ) n Bq 9

10 A similar analysis applies to the case z a = Z ii) Part ii) Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa z a = Z We mae a distinction between B = 1 and B > 1 In case B > 1, a similar reasoning as ii) in i) applies, and we have Σ P Φ) n ) B n C On the other hand, if B = 1, we ii) have Σ P Φ) = 0 if Bits ii) CZ) 0 and Σ P Φ) n if Bits C Z) = 0 In any case, and Σ ii) P Φ ) n ) B n C δ B,C [1], Pr x a z a = Z) = Σ ii) P Φ ) Σ P Φ ) δ B,C[1] n Bq Part iii) This part only applies to B > 1; if B = 1 the probability equals 0 by construction iii) Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa z a = Z and x b z b = Z We mae a distinction between B = and B > In case B >, a similar reasoning as in iii) i) and ii) applies, and we have Σ P Φ) n ) B 3 n C On the other hand, if B =, iii) we have Σ P Φ) = 0 if Bits CZ Z iii) ) 0 and Σ P Φ) n ) if Bits C Z Z ) = 0 In any case, and Σ iii) P Φ ) n ) B 3 n C δ B,C [], Pr x a z a = Z x b z b = Z ) = Σ iii) P Φ ) Σ P Φ ) δ B,C[] n Bq Part iv) The approach is fairly similar to case iii) If B = 1 the probability is 0 by iv) construction Define by Σ P Φ) the set of all elements of Σ P Φ) that satisfy xa = Z, x b = Z, and x a z a x b z b = Z iv) In case B >, we have Σ P Φ) n ) B 4 n C iv) On the other hand, if B =, we have Σ P Φ) = 0 if Bits CZ iv) ) 0 and Σ P Φ ) n if Bits C Z ) = 0 In any case, and Σ iv) P Φ ) n ) B 4 n C δ B,C [], Pr x a = Z x b = Z x a z a x b z b = Z ) = Σ iv) P Φ ) Σ P Φ ) δ B,C[] 3n Bq 4 Application to PGV Compression Functions We consider the 1 bloccipher-based compression functions from Preneel, Govaerts, and Vandewalle PGV) [48] In the ICM these constructions achieve tight collision security up to about n/ queries and preimage security up to about n queries [9, 10, 19, 59] The 1 constructions are depicted in Fig 3 Here, we follow the ordering of [10], where PGV1, PGV, and PGV5 are better nown as the Matyas-Meyer-Oseas [36], Miyaguchi-Preneel, and Davies-Meyer [45] compression functions Baecher et al [4] analyzed the 1 PGV constructions under ideal cipher reducibility, which at a high level covers the idea of two constructions being equally secure for the same underlying idealized bloccipher They divide the PGV functions into two classes, in such a way that if some bloccipher maes one of the constructions secure, it maes all functions in the corresponding class secure Applied to our WCM, the results of Baecher et al imply the following: 10

11 Group G 1 Group G Fig 3 The 1 PGV compression functions When in iteration mode, the message comes in at the top The groups G 1 and G refer to Lem 3 Lemma 3 Ideal Cipher Reducibility of PGV [4], informal) Let π $ BC[Φ]n, n) for some predicate Φ Let G 1 = {1, 4, 5, 8, 9, 1}, and G = {, 3, 6, 7, 10, 11} For any α {1, } and i, j G α, PGVi and PGVj achieve the same level of collision and preimage security once instantiated 1 with π Baecher et al also derive a reduction between the two classes, but this reduction requires a non-direct transformation on the ideal cipher π, 1 maing it unsuitable for our purposes Thans to Lem 3, it suffices to only analyze PGV1 and PGV in the WCM: the bounds carry over to the other 10 PGV constructions In Sect 41 we analyze the collision security of these functions in the WCM The preimage security is considered in Sect 4 41 Collision Security Theorem 1 Let n N Let α {1, } and consider PGVα Suppose π BC[ΦA, B, ϕ C )]n, n) Then, for q n 1 /B, $ Adv col PGVαq) B δ B,C [1]q n + ) B δb,c []q n + 4B q n Proof We focus on PGV The analysis for PGV1 is a simplification due to the absence of the feed-forward of the ey We consider any adversary that has query access to π $ BC[ΦA, B, ϕ C )]n, n) and maes q queries As a first step, we move from π to π $ BC[ΦA, B, ϕ C )]n, n) By Lem, this costs us an additional term B qq+1) A collision for PGV would imply the existence of two distinct query pairs, x, z),, x, z ) such that x z = x z We consider the i th query i {1,, q}) to be the first query to mae this condition satisfied, and sum over i = 1,, q at the end For regular forward or inverse) queries, the analysis of [9, 10, 59] mostly carries over The analysis of predicate queries is a bit more technical 1 If π maes the PGV constructions from group G 1 secure, there is a transformation τ such that τ π maes the constructions from G secure, and vice versa 11

12 Query π x) or π 1 z) The cases are the same by symmetry, and we consider π x) only Denote the response by z There are at most Bi 1) possible, x, z ) As z is randomly drawn from a set of size at least n Bq, it satisfies z = x x z with probability at most Bi 1) Query π Φy) Denote the query response by {, x1, z 1 ),,, x B, z B )} In case the B- set contributes only to, x, z), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: B δ B,C [1]i 1) Now, consider the case the predicate query contributes to both, x, z) and, x, z ) There are B ) ways for the predicate query to contribute or 0 if B = 1) By Lem part iii), which considers the success probability for any such combination, the predicate query results in a collision with probability at most ) B δb,c [] n n Bq Conclusion Taing the maximum of all success probabilities, the i th query is successful with probability at most B δ B,C [1]i 1) + B Adv col PGVq) B δ B,C [1]q n Bq) + ) δb,c [] n n Bq B Summation over i = 1,, q gives ) δb,c []q n Bq + B qq + 1) n, Bq where the last part of the bound comes from the transition from WCM to AWCM The proof is completed by using the fact that n Bq n 1 for Bq n 1, and that q + 1 q for q 1 We note that the bound gets worse for increasing values of B This has a technical cause: predicate queries are counted equally expensive as regular queries, but result in up to B new query tuples This leads to several factors of B in the bound As this wor is mainly concerned with differential nown-ey attacs for which B is regularly small, these factors are of no major influence The implications of the bound of Thm 1 become more visible when considering particular choices of B and C i) If B = 1, then Adv col PGVαq) C q + 4q n ; n ii) If B =, then Adv col PGVαq) 0q + 4 C q n ; n iii) If B 3 independent of n), then Adv col PGVαq) 5B q + B q n n In other words, for B = and C with C n/, or for B 3 constant and C arbitrary, the PGV functions achieve the same n/ collision security level as in the ICM On the other hand, if B = 1, collisions can be found in about n C )/ queries, and if B = with C > n/, in about n C < n/ queries See also Table 1 Tightness For the cases B = 1 and C arbitrary, and B = and C arbitrary such that C > n/, we derive generic attacs that demonstrate tightness of the bound of Thm 1 Knudsen and Rijmen [7] and Sasai et al [53,56] already considered how to exploit a nown-ey pair for the underlying bloccipher to find a collision for the Matyas-Meyer-Oseas PGV1) and/or Miyaguchi-Preneel PGV) compression functions Their attacs correspond to our B = case Proposition 1 B = 1) Let n N Let α {1, } and consider PGVα Suppose π BC[ΦA, 1, ϕ C )]n, n) Then, Adv col PGVαq) q n C Proof We construct a collision-finding adversary A for PGV It fixes ey = 0, and maes predicate queries to π Φ on input of distinct values y to obtain q queries, x y, z y ) satisfying Bits C x y z y ) = 0 Any two such queries collide on the entire state, x y z y = x y z y, q with probability at least The attac for PGV1 is the same as we have taen = 0 n C $ 1

13 Proposition B = and C > n/) Let n N Let α {1, } and consider PGVα Suppose π $ BC[ΦA,, ϕ C )]n, n) Then, Adv col PGVαq) q n C Proof We construct a collision-finding adversary A for PGV It fixes ey = 0, and maes predicate queries to π Φ on input of distinct values y to obtain q -sets {, x1 y, zy), 1, x y, z y)} satisfying Bits C x 1 y zy) 1 = BitsC x y zy) These two queries collide on the entire state, x 1 y zy 1 = x y zy, 1 with probability at least If the adversary maes q predicate n C queries, we directly obtain our bound The attac for PGV1 is the same as we have taen = 0 4 Preimage Security Theorem Let n N Let α {1, } and consider PGVα Suppose π BC[ΦA, B, ϕ C )]n, n) Then, for q n /B, $ ) B Adv epre Bq PGVα q) n + B δ B,C [1]q n Due to space limitations, the proof is given in App B It is much more involved than the one of Thm 1, particularly as we cannot mae use of abortable ciphers Entering various choices of B and C shows that in the PGV functions remain mostly unaffected in the WCM if B, and the same security level as in the ICM is achieved [9, 10, 59] A slight security degradation appears for B = 1 as preimages can be found in about n C Tightness For the case B = 1, we derive a generic attac that demonstrates the tightness of the bound of Thm Proposition 3 B = 1) Let n N Let α {1, } and consider PGVα Suppose π BC[ΦA, 1, ϕ C )]n, n) Then, Adv epre PGVα q) q n C Proof Let Z be any given range value with Bits C Z) = 0 note that epre guarantees security for every range point) A preimage-finding adversary A for PGV proceeds as follows It fixes ey = 0, and maes predicate queries to π Φ on input of distinct values y to obtain q queries, x y, z y ) satisfying Bits C x y z y ) = 0 Any such query hits Z on the entire state, q x y z y = Z, with probability at least The attac for PGV1 is the same as we n C have taen = 0 5 Application to Grøstl Compression Function We consider the provable security of the compression function mode of operation of Grøstl [1] see also Fig 4): F Grøstl x 1, x ) = x π 1 x 1 ) π x 1 x ) 6) The Grøstl compression function is in fact designed to operate in a wide-pipe mode, and in the IPM, the function is proven collision secure up to about n/4 queries and preimage secure up to n/ queries [0] We consider the security of F Grøstl in the WCM, where π 1, π ) $ BC[ΦA, B, ϕ C )]n) We remar that in this section we consider eyless primitives, hence κ = 0 and the -input is dropped throughout We furthermore note that finding collisions and preimages for F Grøstl is equivalent to finding them for F Grøstlx 1, x ) = x 1 x π 1 x 1 ) π x ), 7) as F Grøstl x 1, x ) = F Grøstl x 1, x 1 x ), and we will consider F Grøstl throughout $ 13

14 x 1 π 1 x 1 π 1 x π z x π π 3 z Fig 4 Grøstl compression function left) and Shrimpton-Stam right) 51 Collision Security Theorem 3 Let n N Suppose π 1, π ) $ BC[ΦA, B, ϕ C )]n) Then, for q n 1 /B, Adv col F q) B4 δ B,C [1]q 4 Grøstl + ) B δb,c []q + n/ C q) n + B q + 4B q n n/ n The proof is given in App C If we enter particular choices of B and C into the bound, we find results comparable to the case of Sect 41 In more detail, for B = and C with C n/, or for B 3 constant and C arbitrary, F Grøstl achieves the same n/4 collision security level as in the ICM [0] If B = 1, the bound guarantees security up to about n C )/4, and if B = with C > n/, collisions can be found in about n C )/ queries See also Table 1 In App D we show that the bound is optimal, by presenting tight attacs on F Grøstl in the WCM 5 Preimage Security 1 1 Theorem 4 Let n N Suppose π 1, π ) $ BC[ΦA, B, ϕ C )]n) Then, for q n 1 /B, Adv epre F q) B δ B,C [1]q + n/ C q) Grøstl n + Bq + 4B q n/ n The proof is given in App E As before, we find that F Grøstl remains unaffected in the WCM for most cases, the sole exception being B = 1 for which preimages can be found in about n C )/ In App F we show that the bound is optimal, by presenting a tight attac on F Grøstl for B = 1 in the WCM 6 Application to Shrimpton-Stam Compression Function In this section, we consider the provable security of the Shrimpton-Stam compression function [57] see also Fig 4): x 1, x ) = x 1 π 1 x 1 ) π 3 x 1 π 1 x 1 ) x π x )) 8) This function is proven asymptotically optimally collision and preimage secure up to n/ queries in the IPM [41, 51, 57] We consider the security of in the WCM, where $ π 1, π, π 3 ) BC[ΦA, B, ϕ C )]n) 3 As in Sect 5 we consider eyless functions, hence κ = 0 and the ey inputs are dropped throughout) Our findings readily apply to the generalization of of [41] The analysis of this construction is significantly more complex than the ones of Sect 4 and Sect 5 14

15 61 Collision Security Theorem 5 Let n N Suppose π 1, π, π 3 ) $ BC[ΦA, B, ϕ C )]n) 3 Then, i) If B = 1 and C arbitrary, Adv col n C )/ nε ) 0 for n ; ii) If B = and C with C n/, Adv col n/ nε ) 0 for n ; iii) If B = and C with C > n/, Adv col n C nε ) 0 for n ; iv) If B 3 independent of n) and C arbitrary, Adv col n/ nε ) 0 for n Due to the technicality of the proof, the results are expressed in asymptotic terms The proof is given in App G For B = and C with C n/, or for B 3 constant and C arbitrary, achieves the same security level as in the IPM On the other hand, if B = 1, or if B = but C > n/, Thm 5 results in a worse bound See also Table 1 In App H we show that the bound is optimal, by presenting tight attacs on in the WCM 6 Preimage Security Theorem 6 Let n N Suppose π 1, π, π 3 ) $ BC[ΦA, B, ϕ C )]n) 3 Then, i) If B = 1 and C with C n/, Adv epre n/ nε ) 0 for n ; ii) If B = 1 and C with C > n/, Adv epre n C nε ) 0 for n ; iii) If B independent of n) and C arbitrary, Adv epre n/ nε ) 0 for n As for collision resistance, the results are expressed in asymptotic terms The proof is given in App I The bounds match the ones in the IPM, except for the case of B = 1 and C > n/ We leave it as an open problem to prove tightness of Thm 6 part ii) 7 Conclusions Since their formal introduction by Knudsen and Rijmen at ASIACRYPT 007 [7], numerous nown-ey attacs on blocciphers have appeared in literature These attacs are often considered delicate, as it is not always clear to what extent they influence the security of cryptographic functions based on these nown-ey blocciphers We presented the wea cipher model in order to investigate this impact For a specific instance of this model, considering the existence of A sets of B queries that satisfy condition ϕ C of 3), we proved that the PGV compression functions [48], the Grøstl compression function [1], and the Shrimpton-Stam compression function [57] remain mostly unaffected by the generalized weaness Additionally, preimage security of the functions turned out to be significantly less susceptible to these types of weanesses than collision security The results can be readily generalized to other primitive-based functions, such as the double bloc length compression functions Tandem-DM, Abreast-DM, and Hirose s compression functions [3, 30], and to the permutation-based sponge mode [5] Our model is general enough to cover practically all differential nown-ey attacs in literature, such as latest results based on the rebound attac [1,,8,38,5,53,56] and on the boomerang attac [,7,31,54,61] To our nowledge, our wor provides the first attempt to formally analyze the effect of a wide class of cryptanalytic attacs from a modular and provable security point of view It is a step in the direction of security beyond the ideal model, connecting practical attacs from cryptanalysis with ideal model provable security There is still a long way to go: in order to mae the connection between the two fields, we abstracted nown-ey attacs to a certain degree It remains a highly challenging open research problem to generalize our findings to multiple or different weanesses, and to different permutationbased cryptographic functions These generalizations include the analysis of nown-ey based constructions for more advanced conditions ϕ such as arbitrary polynomials) 15

16 Acnowledgments This wor was supported in part by European Union s Horizon 00 research and innovation programme under grant agreement No HECTOR and grant agreement No H00-MSCA-ITN ECRYPT-NET, and in part by the Research Council KU Leuven: GOA TENSE GOA/11/007) Bart Mennin is a Postdoctoral Fellows of the Research Foundation Flanders FWO) The authors would lie to than the anonymous reviewers for their valuable help and feedbac References 1 Andreeva, E, Bogdanov, A, Mennin, B: Towards understanding the nown-ey security of bloc ciphers In: Fast Software Encryption 013 LNCS, vol 844, pp Springer, Heidelberg 013) Aumasson, J, Çali, Çagdas, Meier, W, Özen, O, Phan, R, Varıcı, K: Improved cryptanalysis of Sein In: Advances in Cryptology - ASIACRYPT 009 LNCS, vol 591, pp Springer, Heidelberg 009) 3 Aumasson, J, Meier, W: Zero-sum distinguishers for reduced Kecca-f and for the core functions of Luffa and Hamsi 009) 4 Baecher, P, Farshim, P, Fischlin, M, Stam, M: Ideal-cipher ir)reducibility for bloccipherbased hash functions In: Advances in Cryptology - EUROCRYPT 013 LNCS, vol 7881, pp Springer, Heidelberg 013) 5 Bertoni, G, Daemen, J, Peeters, M, Van Assche, G: Sponge functions ECRYPT Hash Function Worshop 007) 6 Biryuov, A, Khovratovich, D, Niolić, I: Distinguisher and related-ey attac on the full AES-56 In: Advances in Cryptology - CRYPTO 009 LNCS, vol 5677, pp Springer, Heidelberg 009) 7 Biryuov, A, Niolić, I, Roy, A: Boomerang attacs on BLAKE-3 In: Fast Software Encryption 011 LNCS, vol 6733, pp Springer, Heidelberg 011) 8 Blac, J, Cochran, M, Shrimpton, T: On the impossibility of highly-efficient bloccipherbased hash functions In: Advances in Cryptology - EUROCRYPT 005 LNCS, vol 3494, pp Springer, Heidelberg 005) 9 Blac, J, Rogaway, P, Shrimpton, T: Blac-box analysis of the bloc-cipher-based hashfunction constructions from PGV In: Advances in Cryptology - CRYPTO 00 LNCS, vol 44, pp Springer, Heidelberg 00) 10 Blac, J, Rogaway, P, Shrimpton, T, Stam, M: An analysis of the bloccipher-based hash functions from PGV Journal of Cryptology 34), ) 11 Blondeau, C, Peyrin, T, Wang, L: Known-ey distinguisher on full PRESENT In: Advances in Cryptology - CRYPTO 015, Part I LNCS, vol 915, pp Springer, Heidelberg 015) 1 Bouillaguet, C, Dunelman, O, Leurent, G, Fouque, P: Attacs on hash functions based on generalized feistel: Application to reduced-round Lesamnta and SHAvite-3 51 In: Selected Areas in Cryptography 010 LNCS, vol 6544, pp Springer, Heidelberg 010) 13 Bouillaguet, C, Fouque, P, Leurent, G: Security analysis of SIMD In: Selected Areas in Cryptography 010 LNCS, vol 6544, pp Springer, Heidelberg 011) 14 Boura, C, Canteaut, A: Zero-sum distinguishers for iterated permutations and application to Kecca-f and Hamsi-56 In: Selected Areas in Cryptography 010 LNCS, vol 6544, pp 1 17 Springer, Heidelberg 010) 15 Bresson, E, Canteaut, A, Chevallier-Mames, B, Clavier, C, Fuhr, T, Gouget, A, Icart, T, Misarsy, JF, Naya-Plasencia, M, Paillier, P, Pornin, T, Reinhard, J, Thuillet, C, Videau, M: Indifferentiability with distinguishers: Why Shabal does not require ideal ciphers Cryptology eprint Archive, Report 009/ ) 16 Coron, J, Patarin, J, Seurin, Y: The random oracle model and the ideal cipher model are equivalent In: Advances in Cryptology - CRYPTO 008 LNCS, vol 5157, pp 1 0 Springer, Heidelberg 008) 17 Dong, L, Wu, W, Wu, S, Zou, J: Known-ey distinguisher on round-reduced 3D bloc cipher In: Information Security Applications - WISA 011 LNCS, vol 7115, pp Springer, Heidelberg 01) 18 Duan, M, Lai, X: Improved zero-sum distinguisher for full round Kecca-f permutation Chinese Science Bulletin 576), ) 16

17 19 Duo, L, Li, C: Improved collision and preimage resistance bounds on PGV schemes Cryptology eprint Archive, Report 006/46 006) 0 Fouque, P, Stern, J, Zimmer, S: Cryptanalysis of tweaed versions of SMASH and reparation In: Selected Areas in Cryptography 008 LNCS, vol 5381, pp Springer, Heidelberg 009) 1 Gauravaram, P, Knudsen, LR, Matusiewicz, K, Mendel, F, Rechberger, C, Schläffer, M, Thomsen, S: Grøstl a SHA-3 candidate 011), submission to NIST s SHA-3 competition Gilbert, H, Peyrin, T: Super-Sbox cryptanalysis: Improved attacs for AES-lie permutations In: Fast Software Encryption 010 LNCS, vol 6147, pp Springer, Heidelberg 010) 3 Hirose, S: Some plausible constructions of double-bloc-length hash functions In: Fast Software Encryption 006 LNCS, vol 4047, pp 10 5 Springer, Heidelberg 006) 4 Holenstein, T, Künzler, R, Tessaro, S: The equivalence of the random oracle model and the ideal cipher model, revisited In: Proc ACM Symposium on Theory of Computing 011 pp ACM, New Yor 011) 5 Jetchev, D, Özen, O, Stam, M: Collisions are not incidental: A compression function exploiting discrete geometry In: Theory of Cryptography Conference 01 LNCS, vol 7194, pp Springer, Heidelberg 01) 6 Katz, J, Lucs, S, Thiruvengadam, A: Hash functions from defective ideal ciphers In: CT- RSA 015 LNCS, vol 9048, pp Springer, Heidelberg 015) 7 Knudsen, L, Rijmen, V: Known-ey distinguishers for some bloc ciphers In: Advances in Cryptology - ASIACRYPT 007 LNCS, vol 4833, pp Springer, Heidelberg 007) 8 Koyama, T, Sasai, Y, Kunihiro, N: Multi-differential cryptanalysis on reduced DM- PRESENT-80: collisions and other differential properties In: Information Security and Cryptology - ICISC 01 Lecture Notes in Computer Science, vol 7839, pp Springer, Heidelberg 013) 9 Kuwaado, H, Hirose, S: Hashing mode using a lightweight bloccipher In: IMA International Conference 013 LNCS, vol 8308, pp Springer, Heidelberg 013) 30 Lai, X, Massey, J: Hash function based on bloc ciphers In: Advances in Cryptology - EU- ROCRYPT 9 LNCS, vol 658, pp Springer, Heidelberg 199) 31 Lamberger, M, Mendel, F: Higher-order differential attac on reduced SHA-56 Cryptology eprint Archive, Report 011/ ) 3 Lampe, R, Seurin, Y: Security analysis of ey-alternating Feistel ciphers In: Fast Software Encryption 014 LNCS, vol 8540, pp Springer, Heidelberg 015) 33 Lauridsen, MM, Rechberger, C: Linear distinguishers in the ey-less setting: Application to PRESENT In: Fast Software Encryption 015 LNCS, vol 9054, pp Springer, Heidelberg 015) 34 Leurent, G, Roy, A: Boomerang attacs on hash function using auxiliary differentials In: CT-RSA 01 LNCS, vol 7178, pp Springer, Heidelberg 01) 35 Lisov, M: Constructing an ideal hash function from wea ideal compression functions In: Selected Areas in Cryptography 006 LNCS, vol 4356, pp Springer, Heidelberg 007) 36 Matyas, S, Meyer, C, Oseas, J: Generating strong one-way functions with cryptographic algorithm IBM Techn Disclosure Bull 710A), ) 37 Maurer, U, Renner, R, Holenstein, C: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology In: Theory of Cryptography Conference 004 LNCS, vol 951, pp 1 39 Springer, Heidelberg 004) 38 Mendel, F, Peyrin, T, Rechberger, C, Schläffer, M: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES bloc cipher In: Selected Areas in Cryptography 009 LNCS, vol 5867, pp Springer, Heidelberg 009) 39 Mendel, F, Rechberger, C, Schläffer, M, Thomsen, SS: The rebound attac: Cryptanalysis of reduced Whirlpool and Grøstl In: Fast Software Encryption 009 LNCS, vol 5665, pp Springer, Heidelberg 009) 40 Mennin, B: Optimal collision security in double bloc length hashing with single length ey In: Advances in Cryptology - ASIACRYPT 01 LNCS, vol 7658, pp Springer, Heidelberg 01) 41 Mennin, B, Preneel, B: Hash functions based on three permutations: A generic security analysis In: Advances in Cryptology - CRYPTO 01 LNCS, vol 7417, pp Springer, Heidelberg 01) 17

18 4 Mennin, B, Preneel, B: Efficient parallelizable hashing using small non-compressing primitives International Journal of Information Security 015), to appear 43 Meyer, C, Schilling, M: Secure program load with manipulation detection code In: Proc Securicom pp ) 44 Minier, M, Phan, R, Pousse, B: Distinguishers for ciphers and nown ey attac against Rijndael with large blocs In: Progress in Cryptology - AFRICACRYPT 009 LNCS, vol 5580, pp Springer, Heidelberg 009) 45 Miyaguchi, S, Ohta, K, Iwata, M: Confirmation that some hash functions are not collision free In: Advances in Cryptology - EUROCRYPT 90 LNCS, vol 473, pp Springer, Heidelberg 1990) 46 Naahara Jr, J: New impossible differential and nown-ey distinguishers for the 3D cipher In: Information Security Practice and Experience - ISPEC 011 LNCS, vol 667, pp 08 1 Springer, Heidelberg 011) 47 Niolić, I, Pieprzy, J, Soolowsi, P, Steinfeld, R: Known and chosen ey differential distinguishers for bloc ciphers In: Information Security and Cryptology - ICISC 010 LNCS, vol 689, pp 9 48 Springer, Heidelberg 010) 48 Preneel, B, Govaerts, R, Vandewalle, J: Hash functions based on bloc ciphers: A synthetic approach In: Advances in Cryptology - CRYPTO 93 LNCS, vol 773, pp Springer, Heidelberg 1993) 49 Rabin, M: Digitalized signatures In: Foundations of Secure Computation 78 pp Academic Press, New Yor 1978) 50 Rogaway, P, Shrimpton, T: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance In: Fast Software Encryption 004 LNCS, vol 3017, pp Springer, Heidelberg 004) 51 Rogaway, P, Steinberger, J: Constructing cryptographic hash functions from fixed-ey blocciphers In: Advances in Cryptology - CRYPTO 008 LNCS, vol 5157, pp Springer, Heidelberg 008) 5 Sasai, Y: Known-ey attacs on Rijndael with large blocs and strengthening ShiftRow parameter In: International Worshop on Security - IWSEC 010 LNCS, vol 6434, pp Springer, Heidelberg 010) 53 Sasai, Y, Emami, S, Hong, D, Kumar, A: Improved nown-ey distinguishers on Feistel-SP ciphers and application to Camellia In: Australasian Conference on Information Security and Privacy - ACISP 01 LNCS, vol 737, pp Springer, Heidelberg 01) 54 Sasai, Y, Wang, L: Distinguishers beyond three rounds of the RIPEMD-18/-160 compression functions In: Applied Cryptography and Networ Security 01 LNCS, vol 7341, pp 75 9 Springer, Heidelberg 01) 55 Sasai, Y, Wang, L, Taasai, Y, Saiyama, K, Ohta, K: Boomerang distinguishers for full HAS-160 compression function In: International Worshop on Security - IWSEC 01 LNCS, vol 7631, pp Springer, Heidelberg 01) 56 Sasai, Y, Yasuda, K: Known-ey distinguishers on 11-round Feistel and collision attacs on its hashing modes In: Fast Software Encryption 011 LNCS, vol 6733, pp Springer, Heidelberg 011) 57 Shrimpton, T, Stam, M: Building a collision-resistant compression function from noncompressing primitives In: International Colloquium on Automata, Languages and Programming - ICALP ) 008 LNCS, vol 516, pp Springer, Heidelberg 008) 58 Smith, J: The design of Lucifer: a cryptographic device for data communications IBM Research Report RC ) 59 Stam, M: Bloccipher-based hashing revisited In: Fast Software Encryption 009 LNCS, vol 5665, pp Springer, Heidelberg 009) 60 Wagner, D: The boomerang attac In: Fast Software Encryption 99 LNCS, vol 1636, pp Springer, Heidelberg 1999) 61 Yu, H, Chen, J, Wang, X: The boomerang attacs on the round-reduced Sein-51 In: Selected Areas in Cryptography 01 LNCS, vol 7707, pp Springer, Heidelberg 01) A Knudsen-Rijmen Attac on Feistel 7 We briefly discuss the attac of Knudsen and Rijmen [7] on the classical Feistel networ on n bits with 7 rounds Before doing so, we first introduce Feistel 18

19 The Feistel networ is a very common bloccipher design strategy, dating bac to the design of Lucifer [58], and many generalizations of this design have appeared in literature We use the notation of [7] The n-bit Feistel networ with 7 rounds, called Feistel 7, uses lines of n/ bits, and consists of 7 evaluations of a fixed n/-bit permutation p Each evaluation of p is preceded by an XOR of a round ey 1,, 7, derived from the master ey using 1 Fgen some ey schedule It is depicted in Fig 5 m l 1 p p 3 p 4 p 5 p 6 p 7 p c l m r c r Fig 5 The n-bit Feistel networ with 7 rounds Now, we describe the attac by Knudsen and Rijmen on this construction [1,7] Assume 6 First, the adversary fixes an arbitrary value y {0, 1} n/ Then, from y the adversary derives two plaintext/ciphertext-pairs m l, m r ), c l, c r )) and m l, m r), c l, c r)) as follows: y is fixed to be the input to the third permutation call p for the first tuple, while for the second tuple that input is y α for some non-zero value α determined later) Then, the adversary uses p to compute the tuples in a straightforward way: m l, m r ) = z 4 py) pm r 1 ), y 3 pz 4 py))) c l, c r ) = z 4 6 py) pc r 7 ), y α 5 pz 4 py))) m l, m r) = z 4 6 py) pm r 1 ), y α 3 pz 4 6 py))) c l, c r) = z 4 py) pc r 7 ), y 5 pz 4 6 py))), 9) where α = y p 1 6 py)) and z = p α) These pairs satisfy m r c r = m r c r with probability 1, but this equation is satisfied by an ideal cipher with probability at most 1/ n/ This completes the distinguishing attac An extension of this attac to generalized balanced Feistel networs on r wires and 4r 1 rounds was derived in [1] B Proof of Theorem We focus on PGV The analysis for PGV1 is a simplification due to the absence of the feed-forward of the ey We consider any adversary that has query access to π $ BC[ΦA, B, ϕ C )]n, n) and maes q queries Let Z {0, 1} n A preimage for Z would imply the existence of a query, x, z) such that x z = Z We consider the i th query i {1,, q}) to be the first query to mae this condition satisfied, and sum over i = 1,, q at the end For regular forward or inverse) queries, the analysis of [9, 10, 59] mostly carries over The analysis of predicate queries is a more technical, particularly as we cannot mae use of abortable ciphers Query π x) or π 1 z) The cases are the same by symmetry, and we consider π x) only Denote the response by z As z is randomly drawn from a set of size at least n Bq, 1 it satisfies z = x Z with probability at most Query π Φy) Denote the query response by {, x1, z 1 ),,, x B, z B )} If all tuples are old, the query cannot be successful as no earlier query was successful, and so we assume it contains at least one new tuple The response is drawn uniformly at random from the set 19

20 Σ P, P Φ) For l = 0,, B, denote by Σl P, P Φ ) the subset of all responses that have l new query tuples and B l old query tuples which already appear in P ) By construction, Σ P, P Φ ) = B ΣP l, P Φ ) 10) l=0 Define furthermore for l = 1,, B by Σ l,pre P, P Φ ) the subset of elements of Σl P, P Φ ) for which one of the new query tuples satisfies x z = Z recall that we have excluded the case of l = 0) The predicate query is successful with probability Using 10), we bound 11) as Pr π Φ y) sets preq i ) ) = B l=1 Pr π Φ y) sets preq i ) ) Σ1,pre P, P Φ ) Σ B P, P Φ ) + Σ l,pre P, P Φ ) Σ P, P Φ ) 11) B l= Σ l,pre P, P Φ ) Σ l P, P Φ ) 1) The reason why l = 1 is treated differently, will become clear shortly We next bound all relevant sets Here, for integers a b 1, we denote by a b = a! a b)! the falling factorial power Starting with the numerators, for l = 1 we have Σ 1,pre P, P Φ ) B P B 1 n P ) Indeed, we have B positions for the sole new query to appear and P B 1 choices for the old queries For the new query, without loss of generality, x B, z B ), it needs to satisfy Bits C x B z B ) = Bits C x 1 z B 1 ) and x B z B = Z We have n P possible choices for x B, and any choice gives at most one possible z B We remar that Σ 1,pre P, P Φ) will probably be about a factor C less, as we should only count all possible solutions for the B 1 old queries that satisfy Bits C x 1 z B 1 ) = Bits C Z) Deriving a tighter bound would be a cumbersome exercise, but fortunately there is no need to do so: the fraction of elements in Σ P, P Φ ) consisting of B 1 old tuples is already small enough for the case B > 1 This is the reason why we use a special treatment for the case of l = 1 in 1) For l {,, B} we have Σ l,pre P, P Φ ) B l ) P B l n P ) l l n P ) l n C Again, the first term comes from identifying at which positions the new queries appear and the second term comes from the selection of old queries Next, we have n P ) l choices for the x-values and l positions for the winning query to occur For this particular winning query, the corresponding z-value is fixed by the equation x z = Z For the remaining l 1 z-values, there are n P ) l possibilities to freely fix the first l of them, and the last one will be adapted to the predicate condition, and can tae at most n C values Regarding the denominators, for l {1,, B} we have Σ l P, P Φ ) ) B P B l l n P ) l n P ) l 1 n C Bq n P ) l 1 n P ) l 1 n C which can be seen as follows As before, we have B l ) positions for the new queries to appear and P B l possible lists of old queries Regarding the l new queries, without loss of generality, x 1, z 1 ),,, x l, z l ), these need to satisfy Bits C x 1 z l ) = Bits C x l+1 ), 0

21 z B ) We first compute the number of choices for these new queries where z l is only used to adapt to this condition and does not need to satisfy that it is fresh For this case, we have precisely n P ) l n P ) l 1 choices for x 1,, z l 1, x l, and n C possibilities for the adaption value z l Now, we subtract the cases where this adapted value happens to collide, either with an older value in rngp ) or with any of the new z 1,, z l 1 Any of these choices would fix z l in total at most P + l 1) possibilities) Similarly to the analysis for Σ l,pre P, P Φ), where now x l will be used to be adapted to the predicate condition, there are at most P + l 1) n P ) l 1 n P ) l 1 n C choices for the fresh values As l B, and additionally P Bi 1) Bq 1) for the current query, we obtain our bound for Σ lp, P Φ ) The bound can be simplified to Σ l P, P Φ ) B l ) P B l n P ) l 1 n P ) l 1 n C n Bq), using that n P ) l = n P n P ) l 1 l 1) n Bq Plugging these bounds into 1), we find for the case B = 1: Pr π Φ y) sets preq i ) ) n P n C n q) C n q For the case B > 1 the computation is a bit more elaborate: Pr π Φ y) sets preq i ) ) B n P ) n P ) B 1 n C n Bq) P B 1 n P ) B 1 + B l= n P ) l n P ) l n P ) l 1 n P ) l 1 l n Bq For the first fraction we use that n P n P ) B 1 as B > 1, and additionally that C n For the falling factorial powers of the second fraction, we use that P B 1 Bq) B 1 and n P ) B 1 n P B 1)) B 1 n Bq) B 1 For the fraction in the sum, we use that n P ) l n P ) l n P ) l 1 = n P l 1) n P ) l 1 n P l ) 1 We obtain: Pr π Φ y) sets preq i ) ) B n Bq Bq) B 1 B n Bq) B 1 + BB q B 1 n Bq) B + B n Bq l= l n Bq Conclusion Taing the maximum of all success probabilities, the i th query is successful B with probability at most B q B 1 Summation over i = 1,, q gives + B δ B,C [1] n Bq) B n Bq Adv epre PGV q) B B q B n Bq) B + B δ B,C [1]q n Bq The proof is completed by using the fact that n Bq n 1 for Bq n C Proof of Theorem 3 We consider any adversary that has access to π 1, π ) $ BC[ΦA, B, ϕ C )]n) and maes q queries These queries are stored in a query history Q as indexed tuples of the form κ i, x i, z i ) 1

22 for regular queries, where we denote z i = π κi x i ), and {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} for predicate queries For q 0, by Q q we define the query history after q queries As a first step, we move from π 1, π ) to π 1, π ) $ BC[ΦA, B, ϕ C )]n) By Lem, this costs us an additional term B qq+1) A collision for F Grøstl would imply the existence of query pairs x 1, z 1 ), x 1, z 1) for π 1 and x, z ), x, z ) for π such that x 1, x ) x 1, x ) and x 1 z 1 x z = x 1 z 1 x z 13) We define this configuration by colq q ) For the analysis of Pr colq q )) for the case of B > 1 we introduce an auxiliary event auxq q ) Let τ > 0 be any integral value We define where setq q ) = auxq q ) : B > 1 setq q ) > q + τ ), { } κ, x i, z i ), κ, x j, z j ) Q q x i x j Bits C x i z i x j z j ) = 0 By basic probability theory: Adv col F q) Pr colq q) auxq Grøstl q )) + Pr auxq q )) + B qq + 1) n, 14) Bq where the third part of the bound comes from the transition from WCM to AWCM Starting with Pr auxq q )), we mae a distinction between B = and B 3 For B =, we mae a further distinction depending on whether or not κ, x i, z i ), κ, x j, z j ) come from the same predicate query Clearly, if this is the case, they satisfy the condition Bits C x i z i x j z j ) = 0 by design As the adversary maes at most q predicate queries, setq q ) will contain at most q solutions of this ind Regarding the case where the two queries are not from the same predicate query ie, they are from two different predicate queries or at least one of them comes from a regular query), any combination of two tuples satisfies Bits C x i z i x j z j ) = 0 with probability C Consequently, as there are at most ) Bq such combinations, Bq ) Ex setq q ) q) C Marov s inequality states that Pr auxq q )) Bq ) τ C For the case of B 3, the same bound applies with the difference that the case κ, x i, z i ), κ, x j, z j ) coming from the same predicate query does not render a solution by design but is instead counted within part two of the analysis it is already included in the ) Bq ) We proceed with the analysis of Pr colq q ) auxq q )) We consider the i th query i {1,, q}) to be the first query to mae this condition satisfied, and sum over i = 1,, q at the end For regular forward or inverse) queries, the analysis of [0] mostly carries over The analysis of predicate queries is a bit more technical Regular forward or inverse) query The cases are the same by symmetry, and we consider π 1 x 1 ) only Denote the query response by z 1 There are at most Bi 1) possible choices for each of x 1, z 1), x, z ), and x, z ), where x, z ) and x, z ) may be the same but the choice of x 1, z 1) is necessarily older than the current query As z 1 is randomly drawn from a set of size at least n Bq, it satisfies 13) with probability at most B3 i 1) 3

23 Query π 1 Φy) or πφ y) The cases are the same by symmetry, and we consider πφ 1 y) only Denote the query response by {x 1 1, z1), 1, x B 1, z1 B )} In case the B-set contributes only to x 1, z 1 ), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: B 4 δ B,C [1]i 1) 3 Now, consider the case the predicate query contributes to both x 1, z 1 ) and x 1, z 1) There are B ) ways for the predicate query to contribute or 0 if B = 1) By auxqq ), there are at most q + τ choices for x, z ), x, z ) to satisfy Bits C x z x z ) = 0 By Lem part iii), the predicate query gives a solution to 13) with probability at most B δb,c []q+τ) ) n n Bq Conclusion Taing the maximum of all success probabilities, the i th query is successful with probability at most B4 δ B,C [1]i 1) 3 + ) B δb,c []q+τ) n n Bq Summation over i = 1,, q gives, using 14), Adv col F q) B4 δ B,C [1]q 4 ) B Grøstl n Bq) + δb,c []q + τq) n Bq ) n + Bq τ + B qq + 1) C n Bq The value τ forms a threshold between the second and third fraction the second fraction increases while the third fraction decreases for larger τ, and vice versa for smaller τ) We put τ = n/ C The proof is completed by using the fact that n Bq n 1 for Bq n 1, and that q + 1 q for q 1 D Tightness of the Bound of Theorem 3 For the cases B = 1 and C arbitrary, and B = and C arbitrary such that C > n/, we derive generic attacs that demonstrate tightness of the bound of Thm 3 Mendel et al [38] already exploited a nown-ey pair for the underlying permutations of Grøstl to find a semi-free-start collision with a lower complexity, but we approach the problem more generically, particularly considering arbitrary but independent π 1 and π Proposition 4 B = 1) Let n N Suppose π 1, π ) Adv col F q) Grøstl q4 n C $ BC[ΦA, 1, ϕ C )]n) Then, Proof We construct a collision-finding adversary A for F Grøstl It maes predicate queries to π1 Φ on input of distinct values y to obtain q queries 1, x 1,y, z 1,y ) satisfying Bits C x 1,y z 1,y ) = 0, and liewise for π Φ it obtains q queries, x,y, z,y ) Any two queries to π1 Φ and two queries to π Φ collide on the entire state, x 1,y z 1,y x,y z,y = x 1,y z 1,y x,y z,y, with q probability at least 4 n C Proposition 5 B = and C > n/) Let n N Suppose π 1, π ) BC[ΦA,, ϕ C )]n) Then, Adv col F q) Grøstl q n C Proof We construct a collision-finding adversary A for F Grøstl It maes predicate queries to π1 Φ on input of distinct values y to obtain q -sets {1, x 1 1,y, z1,y), 1 1, x 1,y, z1,y)} satisfying Bits C x 1 1,y z1,y) 1 = BitsC x 1,y z1,y), and liewise for π Φ it obtains q -sets {, x 1,y, z,y), 1, x,y, z,y)} Any -set from π1 Φ and -set from π Φ collide on the entire state, x 1 1,y z1,y 1 x 1,y z,y 1 = x 1,y z1,y x,y z,y, q with probability at least n C E Proof of Theorem 4 We consider any adversary that has access to π 1, π ) $ BC[ΦA, B, ϕ C )]n) and maes q queries As in App C, these queries are stored in a query history Q as indexed tuples of the $ 3

24 form κ i, x i, z i ) for regular queries and {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} for predicate queries We use the same approach as in App C In particular, we mae the same transition from π 1, π ) to π 1, π ) $ BC[ΦA, B, ϕ C )]n) Let Z {0, 1} n A preimage for Z would imply the existence of query pairs x 1, z 1 ) for π 1 and x, z ) for π such that x 1 z 1 x z = Z 15) We define this configuration by preq q ) For the analysis of Pr preq q )) we introduce an auxiliary event auxq q ) Let τ > 0 be any integral value We define where By basic probability theory: auxq q ) : setq q ) > q + τ, setq q ) = { κ, x i, z i ) Q q Bits C x i z i ) = 0 } Adv epre F q) Pr preq q ) auxq q )) + Pr auxq q )) + B qq + 1) Grøstl n, 16) Bq where the third part of the bound comes from the transition from WCM to AWCM Starting with Pr auxq q )), an identical analysis to the case of the collision resistance of F Grøstl in App C gives Pr auxq q )) Bq τ C We proceed with the analysis of Pr preq q ) auxq q )) We consider the i th query i {1,, q}) to be the first query to mae this condition satisfied, and sum over i = 1,, q at the end For regular forward or inverse) queries, the analysis of [0] mostly carries over The analysis of predicate queries is a bit more technical Regular forward or inverse) query The cases are the same by symmetry, and we consider π 1 x 1 ) only Denote the query response by z 1 There are at most Bi 1) possible choices for x, z ) As z 1 is randomly drawn from a set of size at least n Bq, it satisfies 15) with probability at most Bi 1) Query π 1 Φy) or πφ y) The cases are the same by symmetry, and we consider πφ 1 y) only Denote the query response by {x 1 1, z1), 1, x B 1, z1 B )} We mae a distinction between B = 1 and B > 1 First, if B > 1, the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: [B > 1] B δ B,C [1]i 1) Now, consider B = 1 By auxq q ), there are at most q +τ choices for x, z ) to satisfy Bits C x z ) = 0 By Lem part ii), the predicate gives a solution to 15) with probability at most [B = 1] δ B,C[1]q+τ) Combining, the predicate query succeeds with probability at most B δ B,C [1]q+τ) Conclusion Taing the maximum of all success probabilities, the i th query is successful with probability at most B δ B,C [1]q+τ) Summation over i = 1,, q gives, using 16), Adv epre F q) B δ B,C [1]q + τq) Grøstl n + Bq Bq τ + B qq + 1) C n Bq We put threshold τ = n/ C The proof is completed by using the fact that n 1 for Bq n 1, and that q + 1 q for q 1 4

25 F Tightness of the Bound of Theorem 4 For the case B = 1, we derive a generic attac that demonstrates the tightness of the bound of Thm 4 Proposition 6 B = 1) Let n N Suppose π 1, π ) Adv epre F q) q Grøstl n C $ BC[ΦA, 1, ϕ C )]n) Then, Proof Let Z be any given range value with Bits C Z) = 0 note that epre guarantees security for every range point) A preimage-finding adversary A for F Grøstl proceeds as follows It maes predicate queries to π1 Φ on input of distinct values y to obtain q queries 1, x 1,y, z 1,y ) satisfying Bits C x 1,y z 1,y ) = 0, and liewise for π Φ it obtains q queries, x,y, z,y ) Any query to π1 Φ and query to π Φ collide with Z on the entire state, x 1,y z 1,y x,y z,y = Z, q with probability at least n C G Proof of Theorem 5 The bul of the proof is captured in the following proposition Proposition 7 Let n N Suppose π 1, π, π 3 ) n 1 /B and any positive integral value τ, $ BC[ΦA, B, ϕ C )]n) 3 Then, for q Adv col q) τ 3 B B + )δ B,C [1]q + 4B q + e B δ B,C [1]) C q + e B q n + ) [ B τ δ B,C []q n + τb δ B,C []q 3 n + B4 δ B,C []q 5 ] 3n + eb + B ) n )q B δ B,C [1]q + δ B,C [] τ n ) τ/b+ B )) + 17) eb n 3 δ B,C [1]q ) τ/b eb τ n + n 3 δ B,C [1]q n + eb3 δ B,C []q 3 ) τ/b τ n The proof follows later in the appendix, but we first prove Thm 5 using Prop 7 Proof of Theorem 5 i) We put τ = n Then, for the particular choice of B and C the bound 17) of Prop 7 simplifies to Adv col q) 6n3 C q + 4q + e C q + e q e n + n C q ) n n For q = n C )/ nε, it is clear that all terms approach 0 for n ii) and iii) We put τ = n Then, for the particular choice of B with C arbitrary) the bound 17) of Prop 7 simplifies to Adv col q) 3n3 q + 16q + 8e q n + n C q n + 8n C q 3 n + 3 C q 5 3n + ) n/3 16eq + n n 4eq + 6e C q n n n n ) n/ 16eq + n n + 8e C q 3 n n For q = n/ nε in case C n/), and for q = n C nε in case C > n/), it is clear that all terms approach 0 for n iv) The reasoning of previous cases carries over, and we will not go into detail Note that we have δ B,C [1] = δ B,C [] = 1 for B 3 ) n 5

26 Proof of Proposition 7 $ We consider any adversary that has access to π 1, π, π 3 ) BC[ΦA, B, ϕ C )]n) 3 and maes q queries These queries are stored in a query history Q as indexed tuples of the form κ i, x i, z i ) for regular queries, where we denote z i = π κi x i ), and {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} for predicate queries For q 0, by Q q we define the query history after q queries As a first step, we move from π 1, π, π 3 ) to π 1, π, π 3 ) $ BC[ΦA, B, ϕ C )]n) 3 By Lem, this costs us an additional term B qq+1) The adversary s goal is to find a collision for, which corresponds to obtaining query pairs x 1, z 1 ), x 1, z 1) for π 1, x, z ), x, z ) for π, and x 3, z 3 ), x 3, z 3) for π 3 in the query history, such that: x 1, x ) x 1, x ), 18a) x 1 z 1 x z = x 3, x 1 z 1 x z = x 3, x 1 z 1 z 3 = x 1 z 1 z 3 We define this configuration by colq q ) This means: 18b) 18c) 18d) Adv col q) = Pr colq q )) + B qq + 1) n, 19) Bq where the second part of the bound comes from the transition from WCM to AWCM For the analysis of Pr colq q )) we introduce an auxiliary event auxq q ) Let τ, τ 3, τ 4, τ 5 > 0 be any integral values We define auxq q ) = aux 1 5 Q q ), where { {κi, x aux 1 Q q ) : 1 i, zi 1 ),, κ i, x B i, z B } i )} Q q, a, b {1,, B}, a b > 0 ; x a i zi a = x b i zi b { aux Q q ) : max κi, x i, z i ) Q q x i z i = Z } > τ ; Z {0,1} n { κi, x aux 3 Q q ) : max i, z i ), κ j, x j, z j ) Q q } Z {0,1} > τ 3 ; n κ i, x i ) κ j, x j ) x i z i x j z j = Z { 1, xi, z aux 4 Q q ) : max i ),, x, z ), 3, x l, z l ) Q q } Z,Z {0,1} n x z x l = Z > τ 4 ; x i z i x z x l z l = Z { 1, xi, z aux 5 Q q ) : max i ), 1, x j, z j ),, x, z ), 3, x l, z l ) Q q } x i x j Z {0,1} > τ 5 n x j z j x z x l = 0 x i z i x z x l z l = Z We note that aux 1 Q q ) only applies to predicate queries, but aux Q q ),, aux 5 Q q ) apply to regular queries and parts of predicate queries abusing notation) By basic probability theory, we obtain for 19): Pr colq q )) Pr colq q ) auxq q )) + Pr auxq q )) 0) We start with the analysis of Pr colq q ) auxq q )) For obtaining a query history that fulfills configuration colq q ), it may be the case that a query appears at multiple positions For instance, x 1 = x 1 We split the analysis of colq q ) into essentially all different possible cases We define for binary α 1, α, α 3 by col α1α α 3 Q) the configuration colq) restricted to x 1 = x 1 α 1, x = x α, x 3 = x 3 α 3 By construction, colq q ) α 1,α,α 3 {0,1} col α 1α α 3 Q q ), and from 19-0) we obtain the following bound on Adv col q): Adv col q) α 1,α, α 3 {0,1} Pr col α1α α 3 Q q ) auxq q )) + Pr auxq q )) + B qq + 1) n Bq 1) 6

27 The probabilities Pr col α1α α 3 Q q ) auxq q )), for all possible α 1 α α 3, are bounded in Lems 4-6 For Pr auxq q )), note that Pr auxq q )) Pr aux 1 Q q )) + Pr aux Q q ) aux 1 Q q )) + 5 Pr aux i Q q ) aux i 1 Q q )) i=3 ) The probabilities on aux 1 Q q ) and aux Q q ) are rather straightforward and bounded in Lem 7 The bounds on aux 3 Q q ),, aux 5 Q q ) are more involved and discussed in Lems 8-10 In these lemmas, we regularly mae use of Stirling s approximation: t! t/e) t for any t The proof ideas of these lemmas at a high level consist of noticing that any query adds a solution to the set in question with a certain maximal probability p, and in that case it adds at most τ solutions This means that if τ solutions are required, at least τ/τ queries have to contribute Afterwards, all lemmas are combined to obtain a bound on Adv col q) Lemma 4 Pr col 000 Q q ) auxq q )) τ 3 + τ 5 )B δ B,C [1]q n + ) Bq B τ 3 n + τ 3 B q ) )δ B,C []q B B 4 δ B,C []q 5 n + Bq 3n Bq Proof In this configuration, we consider 18) with an additional requirement that x 1 x 1, x x, and x 3 x 3 Note that 18) can be equivalently stated as x 1 x 1, x x, x 3 x 3, x 1 z 1 x z = x 3, x 1 z 1 x z = x 3, x z x 3 z 3 = x z x 3 z 3, 3a) 3b) 3c) 3d) by XORing the second and third equations to the fourth one We will use both representations interchangeably For the analysis of col 000 Q q ) auxq q ), we say that the i th query i {1,, q}) is successful if it maes configuration col 000 Q i ) satisfied and auxq i ) holds Now, by basic probability theory, we can analyze the probability of the i th query being successful, and sum over i = 1,, q Let i {1,, q} Clearly, if aux i Q i ) holds, the i th query can certainly not be successful, so we assume auxq i ) and analyze the probability the i th query maes col 000 Q i ) satisfied For regular forward or inverse) queries, the analysis of [41] mostly carries over The difficulty lies in the analysis of predicate queries Query π 1 x 1 ) or π 1 1 z 1) The cases are the same by symmetry, and we consider π 1 x 1 ) only Denote the query response by z 1 There are at most Bq choices for x 3, z 3) For any such choice, by aux 3 Q q ), there are at most τ 3 choices for x 1, z 1), x, z ) to fulfill 3c) Again by aux 3 Q q ), for any such choice there are at most τ 3 choices for x, z ), x 3, z 3 ) to fulfill 3d) As z 1 is randomly drawn from a set of size at least n Bq, 3b) is fulfilled with probability at most τ 3 Bq Query π x ) or π 1 z ) The cases are the same by symmetry, and we consider π x ) only Denote the query response by z There are at most Bq choices for x 3, z 3 ) By aux 5 Q q ), there are at most τ 5 choices for x 1, z 1 ), x 1, z 1), x, z ), x 3, z 3) to satisfy x 1 z 1 x z = x 3 and x 1 z 1 x z x 3 z 3 = z 3, hence to fulfill 18c-18d) for the particular value z 3 where we XOR the two equations) As z is randomly drawn from a set τ 5Bq of size at least n Bq, 18b) is fulfilled with probability at most Query π 3 x 3 ) Denote the query response by z 3 There are at most Bq choices for x 3, z 3) For any such choice, by aux 3 Q q ), there are at most τ 3 choices for x 1, z 1), x, z ) to fulfill 3c) By aux 3 Q q ), there are at most τ 3 choices for x 1, z 1 ), x, z ) to fulfill 3b) As z 3 7

28 is randomly drawn from a set of size at least n Bq, 3d) is fulfilled with probability at most τ 3 Bq Query π 1 3 z 3) Denote the query response by x 3 There are at most Bq choices for x, z ) By aux 5 Q q ), there are at most τ 5 choices for x 1, z 1 ), x 1, z 1), x, z ), x 3, z 3) to satisfy x 1 z 1 x z = x 3 and x 1 z 1 x z x 3 z 3 = z 3, hence to fulfill 18c-18d) for the particular value z 3 where we XOR the two equations) As x 3 is randomly drawn from a set of size at least n Bq, 18b) is fulfilled with probability at most τ 5Bq Query π Φ 1 y 1) Denote the query response by {x 1 1, z 1 1),, x B 1, z B 1 )} In case the B-set contributes at one position only say x 1, z 1 )), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ 3 B δ B,C [1]q Now consider the case the predicate query contributes to both x 1, z 1 ) and x 1, z 1) There are B ) ways for the predicate query to contribute or 0 if B = 1) By aux3 Q q ), there are at most τ3 n choices for x, z ), x, z ), x 3, z 3 ), x 3, z 3) to fulfill 3d) By Lem part iii), 3b-3c) are fulfilled with probability at most ) B τ 3 δ B,C[] n n Bq Query π Φy ) Denote the query response by {x a, z a ), x b, z)} b In case the B-set contributes at one position only say x, z )), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ5b δ B,C [1]q Now consider the case the predicate query contributes to both x, z ) and x, z ) There are B ) ways for the predicate query to contribute or 0 if B = 1) There are at most Bq) choices for x 3, z 3 ), x 3, z 3) By aux 3 Q q ), there are at most τ 3 choices for x 1, z 1 ), x 1, z 1) to fulfill 18d) By Lem part iii), 18b-18c) are fulfilled with probability at most ) B τ3b δ B,C []q n Bq Query π 3 Φy 3) Denote the query response by {x a 3, z3 a ), x b 3, z3)} b In case the B-set contributes at one position only say x 3, z 3 )), the same reasoning as for regular forward queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ 3 B δ B,C [1]q Now consider the case the predicate query contributes to both x 3, z 3 ) and x 3, z 3) There are ) B ways for the predicate query to contribute or 0 if B = 1) There are at most Bq) 4 choices for x 1, z 1 ), x 1, z 1), x, z ), x, z ) By Lem part iv), 3b-3d) are fulfilled with probability at most ) B B 4 δ B,C []q 4 3n Bq Conclusion Taing the maximum of all success probabilities, the i th query is successful with probability at most τ 3 +τ5)b δ B,C [1]q + ) B τ 3 n +τ 3B q )δ B,C [] n Bq + ) B B 4 δ B,C []q 4 3n Bq The claimed bound is obtained by summing over i = 1,, q Lemma 5 Pr col α1α α 3 Q q ) auxq q )) = 0 for α 1 α α 3 {001, 010, 011, 101}, provided τ = 1 Proof We start with the cases 001, 011 For these cases, 18d) reduces to finding x 1, z 1 ), x 1, z 1) such that x 1 z 1 = x 1 z 1 By aux Q q ) with τ = 1, there do not exist two such tuples Similarly, for 101, in order to comply with 18b) and 18c), it is required to find x, z ), x, z ) such that x z = x z, and the remaining reasoning is the same Finally for 010, 18b) and 18c) can be simplified to x 1 z 1 x 3 = x 1 z 1 x 3, which once XORed with 18d) reduces to finding x 3, z 3 ), x 3, z 3) such that x 3 z 3 = x 3 z 3, and the remaining reasoning is the same Lemma 6 Pr col α1α α 3 Q q ) auxq q )) = 0 for α 1 α α 3 {100, 110, 111} Proof If α 1 α = 11, the configuration col α1α α 3 Q q ) contradicts 18a), and if α 1 α α 3 = 100, it contradicts 18d) In any case, the configuration is invalid 8

29 ) B δb,c []q n Lemma 7 Pr aux 1 Q q )) + Pr aux Q q ) aux 1 Q q )) n Bq + ) τ+1 ) τ+1 n C ebδ B,C [1]q τ + 1) n + n ebq Bq) τ + 1) n Bq) Proof We bound these probabilities separately Pr aux 1 Q q )) This auxiliary event only applies to predicate queries where B > 1 Consider the i th query and let it be a predicate query {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} Let a, b {1,, B} distinct By Lem part iii), we find that x a i za i = xb i zb i with probability at most δ B,C[] n n Bq Summing over all queries and all choices for a, b, we obtain ) B δb,c []q n Pr aux 1 Q q )) n Bq 4) Pr aux Q q ) aux 1 Q q )) Let Z {0, 1} n Consider the i th query If this is a regular forward or inverse) query κ i, x i, z i ), it satisfies x i z i = Z with probability at most 1 On the other hand, if it is a predicate query {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )}, one of the B satisfies x i z i = Z with probability at most Bδ B,C[1] if Bits C Z) = 0 Lem part B ii)) and with probability at most if Bits CZ) 0 in this case the equation could never be satisfied if B = 1, and δ B,C [1] = 1 for B > 1) By aux 1 Q q ), at most one of the B queries of the tuple equals Z If Bits C Z) = 0, more than τ queries result in a solution with probability at most ) ) τ+1 τ+1 q Bδ B,C [1] ebδb,c [1]q τ +1 τ +1) Bq)) If n BitsC Z) 0, τ+1 ebq we similarly obtain bound τ +1) Bq)) Considering any possible choice for Z, we n obtain: ) τ+1 Pr aux Q q ) aux 1 Q q )) n C ebδ B,C [1]q τ + 1) n + Bq) ) τ+1 5) n n C ebq ) τ + 1) n Bq) The claim is obtained by adding 4) and a simplified version of 5) The artificial split in the analysis of Pr aux Q q ) aux 1 Q q )) is required as a special treatment is needed for B = 1 Lemma 8 Pr aux 3 Q q ) aux Q q )) B δ B,C [1]q n + δ B,C[] n Bq n Bq n eτ B + B ) )q τ ) ) τ 3 +1 τ B+ B ) Proof Let Z {0, 1} n Consider the i th query A special treatment is needed for predicate queries as two queries from one single B-set may mae the entire equation satisfied Regular forward or inverse) query Denote the query by κ i, x i, z i ) For any other tuple κ j, x j, z j ) at most Bq choices), the equation is satisfied with probability at most 1 Hence, the query is successful with probability at most Bq By aux Q q ), each hit adds at most τ solutions Predicate query Denote the query response by {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} In case the B-set contributes at one position only say κ i, x i, z i )), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: B δ B,C [1]q Again, by aux Q q ), each hit adds at most τ B solutions 9

30 Now consider the case the predicate query contributes to both κ i, x i, z i ) and κ j, x j, z j ) By Lem part iii), we find that the equation is satisfied with probability at most δ B,C[] n n Bq, and it adds at most B ) solutions Conclusion Thus, any query results in a solution with probability at most B δ B,C [1]q + δ B,C [] n n Bq, and each hit adds at most τ B+ B ) solutions Consequently, more than τ3 solutions are obtained with probability at most q τ 3+1 τ B+ B ) ) B δ B,C [1]q n Bq + δ B,C[] n n Bq ) τ 3 +1 τ B+ B ) eτ B + B ) )q B δ B,C [1]q τ n + δ B,C[] n Bq n Bq ) ) τ 3 +1 τ B+ B ) Considering any possible choice for Z, we obtain the claimed bound Lemma 9 Pr aux 4 Q q ) aux 3 Q q )) n eτ τ 3 B 3 δ B,C [1]q τ 4 + 1) n Bq) ) τ 4 +1 τ 3 B Proof Let Z, Z {0, 1} n The goal is to find tuples 1, x i, z i ),, x, z ), 3, x l, z l ) Q q such that x z x l = Z, x i z i x z x l z l = Z 6a) 6b) Consider the i th query Regular forward or inverse) query to π 1 Without loss of generality, consider a forward query Denote the query by 1, x i, z i ) There are at most Bq choices for 3, x l, z l ) For any such choice, by aux Q q ), there are at most τ choices for, x, z ) to fulfill 6a) As z i is randomly drawn from a set of size at least n Bq, 6b) is fulfilled with probability at τ most Bq By aux 3Q q ), each hit adds at most τ 3 solutions for fixed 1, x i, z i ), there are at most τ 3 choices for, x, z ), 3, x l, z l ) to satisfy 6b)) Regular forward or inverse) query to π Without loss of generality, consider a forward query Denote the query by, x, z ) There are at most Bq choices for 3, x l, z l ) As z is randomly drawn from a set of size at least n Bq, 6a) is fulfilled with probability at Bq most Again, by aux 3Q q ), each hit adds at most τ 3 solutions Regular forward or inverse) query to π 3 Consider 6) with 6a) added to 6b) Without loss of generality, consider a forward query Denote the query by 3, x l, z l ) There are at most Bq choices for 1, x i, z i ) As z l is randomly drawn from a set of size at least n Bq Bq, the replaced 6b) is fulfilled with probability at most Again, by aux 3Q q ), each hit adds at most τ 3 solutions Predicate query The same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ B δ B,C [1]q Again, by aux 3 Q q ), each hit adds at most τ 3 B solutions Conclusion Thus, any query results in a solution with probability at most τb δ B,C [1]q, and each hit adds at most τ 3 B solutions Consequently, more than τ 4 solutions are obtained ) ) τ B τ 4 +1 ) δ B,C [1]q τ 3 B eττ 3B 3 δ B,C [1]q τ 4 +1 τ 3 B τ 4+1)) Considering with probability at most q τ 4 +1 τ 3 B any possible choice for Z, Z, we obtain the claimed bound Lemma 10 Pr aux 5 Q q ) aux 3 4 Q q )) B ) n eτ3 + τ τ 3 B + τ 4 B)q τ3 B δ B,C [1]q τ n + B δ B,C []q ) ) τ 5 +1 τ 3 B )+τ τ 3 B+τ 4 B Bq n Bq 30

31 Proof Let Z {0, 1} n The goal is to find distinct tuples 1, x i, z i ), 1, x j, z j ),, x, z ), 3, x l, z l ) Q q such that x j z j x z x l = 0, x i z i x z x l z l = Z 7a) 7b) Consider the i th query A special treatment is needed for predicate queries to π 1 as it may contribute two queries to one solution Regular forward or inverse) query to π 1 Without loss of generality, consider a forward query Note that it may contribute as tuple 1, x i, z i ) or as tuple 1, x j, z j ) but not both) First consider it a contribution to 1, x i, z i ) There are at most Bq choices for 3, x l, z l ) For any such choice, by aux 3 Q q ), there are at most τ 3 choices for 1, x j, z j ),, x, z ) to fulfill 7a) As z i is randomly drawn from a set of size at least n Bq, 7b) is fulfilled τ with probability at most 3Bq By aux 3Q q ), each hit adds at most τ τ 3 solutions for fixed 1, x i, z i ), there are at most τ 3 choices for, x, z ), 3, x l, z l ) to satisfy 7b) and at most τ choices 1, x j, z j ) to then satisfy 7a)) Next, consider it a contribution to 1, x j, z j ) There are at most Bq choices for 3, x l, z l ) For any such choice, by aux 3 Q q ), there are at most τ 3 choices for 1, x i, z i ),, x, z ) to fulfill 7b) As z j is randomly drawn from a set of size at least n Bq, 7a) is fulfilled τ with probability at most 3Bq By aux 4Q q ), each hit adds at most τ 4 solutions for fixed 1, x j, z j ), there are at most τ 4 choices for 1, x i, z i ),, x, z ), 3, x l, z l ) to satisfy 7)) In total, the query is successful with probability at most τ3bq and each hit adds at most τ τ 3 + τ 4 solutions Regular forward or inverse) query to π Consider 7) with 7a) added to 7b) Without loss of generality, consider a forward query Denote the query by, x, z ) There are at most Bq choices for 3, x l, z l ) For any such choice, by aux 3 Q q ), there are at most τ 3 choices for 1, x i, z i ), 1, x j, z j ) to fulfill the replaced 7b) As z is randomly drawn from a set of size at least n τ Bq, 7a) is fulfilled with probability at most 3Bq Again, by aux 3 Q q ), each hit adds at most τ τ 3 solutions Regular forward or inverse) query to π 3 Consider 7) with 7a) added to 7b) Without loss of generality, consider a forward query Denote the query by 3, x l, z l ) There are at most Bq choices for 1, x i, z i ) By aux 3 Q q ), there are at most τ 3 choices for 1, x j, z j ),, x, z ) to fulfill 7a) As z l is randomly drawn from a set of size at least n τ Bq, 7a) is fulfilled with probability at most 3Bq Again, by aux 3Q q ), each hit adds at most τ τ 3 solutions Predicate query to π 1 Denote the query response by {x 1 i, z1 i ),, xb i, zb i )} In case the B-set contributes at one position only either 1, x i, z i ) or 1, x j, z j )), the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ3b δ B,C [1]q Again, by aux 3 4 Q q ), each hit adds at most τ τ 3 B + τ 4 B solutions Now consider the case the predicate query contributes to both 1, x i, z i ) and 1, x j, z j ) There are at most Bq) choices for, x, z ), 3, x l, z l ) By Lem part iii), we find that 7) is fulfilled with probability at most B δ B,C []q n Bq By aux 3 Q q ), each hit adds at most τ B 3 ) solutions Predicate query to π or π 3 The same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: τ3b δ B,C [1]q Again, by aux 3 Q q ), each hit adds at most τ τ 3 B solutions Conclusion Thus, any query results in a solution with probability at most τ3b δ B,C [1]q + B δ B,C []q n Bq, and each hit adds at most τ 3 B ) + τ τ 3 B + τ 4 B solutions Consequently, more 31

32 than τ 5 solutions are obtained with probability at most q τ 5+1 τ 3 B )+τ τ 3B+τ 4B ) τ3 B δ B,C [1]q n Bq B ) eτ3 + τ τ 3 B + τ 4 B)q τ3 B δ B,C [1]q τ n Bq + B δ B,C []q ) τ 5 +1 τ 3 B )+τ τ 3 B+τ 4 B n Bq + B δ B,C []q ) ) τ 5 +1 τ 3 B )+τ τ 3 B+τ 4 B n Bq Considering any possible choice for Z, we obtain the claimed bound From 1), ), and the results of Lems 4-10 we find recall that in Lem 5 we require τ = 1): Adv col q) τ 3 + τ 5 )B δ B,C [1]q + B qq + 1) n + e B δ B,C [1]) q n C + e B q n Bq 4 n Bq) + ) B τ 3 q n + τ 3 B q 3 + q n ) )δ B,C [] B B 4 δ B,C []q 5 n + Bq 3n + Bq eb + B ) n )q B δ B,C [1]q τ n + δ B,C[] n ) ) τ 3 B+ +1 B ) + Bq n Bq ) τ 4 +1 τ 3 B n eτ3 B 3 δ B,C [1]q τ 4 + 1) n + Bq) B+1 ) n eτ3 + τ4 B)q τ3 B δ B,C [1]q τ n + B δ B,C []q Bq n Bq ) ) τ 5 +1 τ 3 B+1 )+τ 4 B The proof of Prop 7 is completed by maing the following simplifications: we use the fact that n Bq n 1 for Bq n 1, and put τ 3 = τ 1, τ 4 = τ τ 1, and τ 5 = τ 3 + τ B 1) τb + 3) 1 for some integral τ > 0 Additionally, we use q + 1 q for q 1 H Tightness of the Bound of Theorem 5 For the cases B = 1 and C arbitrary, and B = and C arbitrary such that C > n/, we derive generic attacs that demonstrate tightness of the bounds of Thm 5 Proposition 8 B = 1) Let n N Suppose π 1, π, π 3 ) Adv col q) q n C $ BC[ΦA, 1, ϕ C )]n) 3 Then, Proof We construct a collision-finding adversary A whose goal is to find a collision where x = x By construction, to find a collision of such form for see 8)) it suffices to find two distinct values x 1, x 1 such that x 1 π 1 x 1 ) = x 1 π 1 x 1) To this end, the adversary maes predicate queries to π1 Φ on input of distinct values y to obtain q queries x y, z y ) satisfying Bits C x y z y ) = 0 Any two such queries collide on the entire state, x y z y = x y z y, q with probability at least n C Proposition 9 B = and C > n/) Let n N Suppose π 1, π, π 3 ) BC[ΦA,, ϕ C )]n) 3 Then, Adv col q) q n C Proof We construct a collision-finding adversary A whose goal is to find a collision where x = x By construction, to find a collision of such form for see 8)) it suffices to find two distinct values x 1, x 1 such that x 1 π 1 x 1 ) = x 1 π 1 x 1) To this end, the adversary maes $ 3

33 predicate queries to π1 Φ on input of distinct values y to obtain q -sets {x 1 y, zy), 1 x y, z y)} satisfying Bits C x 1 y zy) 1 = BitsC x y zy) These two queries collide on the entire state, x 1 y zy 1 = x y zy, 1 with probability at least If the adversary maes q predicate queries, n C we directly obtain our bound I Proof of Theorem 6 The bul of the proof is captured in the following proposition $ Proposition 10 Let n N Suppose π 1, π, π 3 ) BC[ΦA, B, ϕ C )]n) 3 Then, for q n 1 /B and any positive integral values τ, τ, τ, Adv epre q) τb3 q + 4τ τ[b = 1]B C q + τ τb 3 q + 4B q n + [B = 1] C q 3 n + ) τ ) τ n C ebδb,c [1]q ebq eb + n + n δ B,C [1]q ) τ + τ n ) τ eq [B = 1] + [B = 1] τ C τ n e C q τ n n + eτbq eq + τ C τ n The proof follows later in the appendix, but we first prove Thm 6 using Prop 10 ) τ 8) Proof of Theorem 6 i) and ii) We put τ = n, τ = n C, and τ = n max{0,n/ C } Then, for the particular choice of B with C arbitrary) the bound 8) of Prop 10 simplifies to Adv epre q) nq + 4q + 4eq + 6n max{ C,n/} q + 4e C q n + C q 3 n + 6eq e C ) n ) q eq + n C max{ C,n/} n n + n n n n For q = n/ nε in case C n/), and for q = n C nε in case C > n/), it is clear that all terms approach 0 for n iii) We put τ = and τ = n τ disappears for B ) The reasoning of previous cases carries over, and we will not go into detail Note that we have δ B,C [1] = 1 for B Proof of Proposition 10 We consider any adversary that has access to π 1, π, π 3 ) $ BC[ΦA, B, ϕ C )]n) 3 and maes q queries As in App G, these queries are stored in a query history Q as indexed tuples of the form κ i, x i, z i ) for regular queries and {κ i, x 1 i, z1 i ),, κ i, x B i, zb i )} for predicate queries We use the same approach as in App G In particular, we mae the same transition from π 1, π, π 3 ) to π 1, π, π 3 ) $ BC[ΦA, B, ϕ C )]n) 3 Let Z {0, 1} n A preimage for Z corresponds to obtaining query pairs x 1, z 1 ) for π 1, x, z ) for π, and x 3, z 3 ) for π 3 in the query history, such that: x 1 z 1 x z = x 3, x 1 z 1 z 3 = Z 9a) 9b) We define this configuration by preq q ) This means: Adv epre q) = Pr preq q )) + B qq + 1) n, 30) Bq 33

34 where the second part of the bound comes from the transition from WCM to AWCM As before, for the analysis of Pr preq q )) we introduce an auxiliary event auxq q ) Let τ 1,, τ 5 > 0 be any integral values We define auxq q ) = aux 1 5 Q q ), where aux 1 Q q ) : { κ i, x i, z i ) Q q B = 1 Bits C x i ) = 0 Bits C z i ) = Z } > τ 1 ; { aux Q q ) : max κi, x i, z i ) Q q xi z i = Z } > τ ; Z {0,1} n { κi, x aux 3 Q q ) : max i, z i ), κ j, x j, z j ) Q q } Z {0,1} > τ 3 ; n κ i κ j x i z i x j z j = Z {, xi, z aux 4 Q q ) : i ), 3, x j, z j ) Q q } > τ 4 ; B = 1 x i z i x j z j = Z Bits C x i z i x j ) = 0 { 1, xi, z aux 5 Q q ) : i ), 3, x j, z j ) Q q } > τ 5 B = 1 x i z i z j = Z Bits C x i z i x j ) = 0 Here, aux 3 Q q ) is similar to aux 3 Q q ) of App G Events aux Q q ) are only employed when B = 1 as a special treatment is needed for this case, and they only apply to Z being the target range value Again, by basic probability theory, we obtain for 30): Pr preq q )) Pr preq q ) auxq q )) + Pr auxq q )) 31) We consider Pr preq q ) auxq q )) in Lem 11 For Pr auxq q )), note that Pr auxq q )) 5 Pr aux i Q q )) + Pr aux i Q q ) aux 1 Q q )) 3) i=1 i=3 The probabilities on aux 1 Q q ), aux Q q ), and aux 3 Q q ) are straightforward and bounded in Lem 1 The bounds on aux 4 Q q ) and aux 5 Q q ) are more involved and discussed in Lem 13 and Lem 14, respectively Afterwards, all lemmas are combined to obtain a bound on Adv epre q) Lemma 11 Pr preq q ) auxq q )) τ 4 + τ 5 )[B = 1] C q + τ B q + τ 3 Bq n + [B = 1] C q 3 Bq n Bq Proof Note that 9) can be equivalently stated as x 1 z 1 x z = x 3, x z x 3 z 3 = Z, 33a) 33b) by XORing the two equations We will use both representations interchangeably For the analysis of preq q ) auxq q ), we say that the i th query i {1,, q}) is successful if it maes configuration preq i ) satisfied and auxq i ) holds Now, by basic probability theory, we can analyze the probability of the i th query being successful, and sum over i = 1,, q Let i {1,, q} Clearly, if aux i Q i ) holds, the i th query can certainly not be successful, so we assume auxq i ) and analyze the probability the i th query maes preq i ) satisfied For regular forward or inverse) queries, the analysis of [41] mostly carries over The difficulty lies in the analysis of predicate queries Query π 1 x 1 ) or π 1 1 z 1) The cases are the same by symmetry, and we consider π 1 x 1 ) only Denote the query response by z 1 By aux 3 Q q ), there are at most τ 3 choices for x, z ), x 3, z 3 ) to fulfill 33b) As z 1 is randomly drawn from a set of size at least n Bq, 33a) is fulfilled with probability at most τ 3 Query π x ) or π 1 z ) The cases are the same by symmetry, and we consider π x ) only Denote the query response by z There are at most Bq choices for x 3, z 3 ) By 34

35 aux Q q ), there are at most τ choices for x 1, z 1 ) to fulfill 9b) As z is randomly drawn from a set of size at least n τ Bq, 9a) is fulfilled with probability at most Bq Query π 3 x 3 ) Denote the query response by z 3 By aux 3 Q q ), there are at most τ 3 choices for x 1, z 1 ), x, z ) to fulfill 33a) As z 3 is randomly drawn from a set of size at least n Bq, 33b) is fulfilled with probability at most τ 3 Query π 1 3 z 3) Denote the query response by x 3 There are at most Bq choices for x, z ) By aux Q q ), there are at most τ choices for x 1, z 1 ) to fulfill 9b) As x 3 is randomly drawn from a set of size at least n Bq, 9a) is fulfilled with probability at most τ Bq Query π Φ 1 y 1) Denote the query response by {x 1 1, z 1 1),, x B 1, z B 1 )} We mae a distinction between B = 1 and B > 1 First, if B > 1, the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: [B > 1] τ3bδ B,C[1] τ3b Now, consider B = 1 By aux 4Q q ), there are at most τ 4 choices for x, z ), x 3, z 3 ) to satisfy x z x 3 z 3 = Z, hence to fulfill 33b), and Bits C x z x 3 ) = 0 By Lem part ii), the predicate query fulfills 33) with probability at most [B = 1] τ4 C Thus, the predicate query succeeds with probability at most τ4[b=1] C +τ 3B Query π Φy ) Denote the query response by {x 1, z), 1, x B, z B )} We mae a distinction between B = 1 and B > 1 First, if B > 1, the same reasoning as for regular queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: [B > 1] τb δ B,C [1]q τb q Now, consider B = 1 By aux 5 Q q ), there are at most τ 5 choices for x 1, z 1 ), x 3, z 3 ) to satisfy x 1 z 1 z 3 = Z, hence to fulfill 9b), and Bits C x 1 z 1 x 3 ) = 0 By Lem part ii), the predicate query fulfills 9) with probability at most [B = 1] τ5 C Thus, the predicate query succeeds with probability at most τ5[b=1] C +τ B q Query π 3 Φy 3) Denote the query response by {x 1 3, z3), 1, x B 3, z3 B )} We mae a distinction between B = 1 and B > 1 First, if B > 1, the same reasoning as for regular forward queries applies with the difference that any query of the B-set may be successful and that the bound of Lem part ii) applies: [B > 1] τ3bδ B,C[1] τ3b Now, consider B = 1 There are at most q choices for x 1, z 1 ), x, z ) Similar to Lem part iii), one can prove that the predicate query fulfills 9) with probability at most [B = 1] C q Thus, the n Bq predicate query succeeds with probability at most [B=1] C q n Bq + τ3b Conclusion Taing the maximum of all success probabilities, the i th query is successful with probability at most τ4+τ5)[b=1] C +τ B q+τ 3B + [B=1] C q n Bq The claimed bound is obtained by summing over i = 1,, q Lemma 1 Pr aux 1 Q q )) + Pr aux Q q )) + Pr aux 3 Q q ) aux 1 Q q )) e n C ) τ1+1 q eb [B = 1] τ 1 + 1) n + n C ) δ B,C [1]q τ +1 B q) τ + 1) n + Bq) n eb ) q τ +1 B τ + 1) n + n eτ B 3 δ B,C [1]q ) τ 3 +1 τ B Bq) τ 3 + 1) n Bq) Proof We bound these probabilities separately Pr aux 1 Q q )) Recall that aux 1 Q q ) only applies to B = 1 Let Z be the challenge range value Consider the i th query If this is a regular forward or inverse) query κ i, x i, z i ), it satisfies the condition with probability at most n C n q If it is a predicate query κ i, x i, z i ), it satisfies the condition with probability at most n C solutions are obtained with probability at most q τ 1+1 n q Lem part i)) More than τ 1 ) ) τ1+1 τ1+1 n C n q e n C q τ 1+1) q)) n 35

36 As the event only applies to the challenge value Z, we obtain: Pr aux 1 Q q )) [B = 1] e n C q τ 1 + 1) n q) ) τ1+1 34) Pr aux Q q )) The analysis differs from the one of Lem 7 in the fact that each hit may add at most B solutions rather than 1) Taing this into account results in the following bound: eb Pr aux Q q )) n C δ B,C [1]q τ + 1) n Bq) ) τ +1 B + n eb q τ + 1) n Bq) ) τ +1 B 35) Pr aux 3 Q q ) aux Q q )) Event aux 3 Q q ) differs from aux 3 Q q ) in the fact that a single predicate query cannot mae the entire equation satisfied Leaving out this special case in the analysis of Lem 8 results in the following bound: Pr aux 3 Q q ) aux Q q )) n eτ B 3 δ B,C [1]q ) τ 3 +1 τ B τ 3 + 1) n 36) Bq) The claim is obtained by adding 34-36) eτ1 τ C q + eτ q ) τ 4 +1 τ Lemma 13 Pr aux 4 Q q ) aux 1 Q q )) [B = 1] τ 4 + 1) n q) Proof Recall that aux 4 Q q ) only applies to B = 1 Let Z be the challenge range value The goal is to find distinct tuples, x, z ) and 3, x 3, z 3 ) Q q such that x z x 3 z 3 = Z and Bits C x z x 3 ) = 0 Consider the i th query Regular forward or inverse) query We follow the analysis of aux 3 Q q ), only focussing q n q on x z x 3 z 3 = Z The query is successful with probability at most and each hit adds at most τ solutions Predicate query to π Denote the query response by x, z ), which will satisfy Bits C x z ) = 0 By aux 1 Q q ), there are at most τ 1 choices for x 3, z 3 ) to satisfy Bits C x 3 ) = 0 and Bits C z 3 ) = Bits C Z) By Lem part ii), we find that the equation is satisfied with probability at most τ1 C n q By aux Q q ), each hit adds at most τ solutions Predicate query to π 3 Denote the query response by x 3, z 3 ), which will satisfy Bits C x 3 z 3 ) = 0 There are at most q choices for x, z ) Similar to Lem part ii), one can prove that the equation is satisfied with probability at most n C n n C q q q n q : we need the predicate query to satisfy Bits C x 3 ) = Bits C x z ), Bits C x 3 z 3 ) = 0 = Bits C x z Z), and Bits C x 3 z 3 ) = Bits C x z Z), and this gives at most n C possible tuples of Σ P, P Φ ) By aux Q q ), each hit adds at most τ solutions Conclusion Thus, if B = 1, any query results in a solution with probability at most τ 1 C +q n q, and each hit adds at most τ solutions Consequently, more than τ 4 solutions are obtained with probability at most q ) τ 1 τ 4 +1 τ Lemma 14 Pr aux 5 Q q ) aux 1 Q q )) eτ1 τ C q + eτ n C q + eτ q [B = 1] τ 5 + 1) n q) ) τ C q n q ) τ 5 +1 τ τ eτ1τ C q+eτ q τ 4+1) n q) ) τ 4 +1 τ Proof Recall that aux 5 Q q ) only applies to B = 1 Let Z be the challenge range value The goal is to find distinct tuples 1, x 1, z 1 ) and 3, x 3, z 3 ) Q q such that x 1 z 1 z 3 = Z and Bits C x 1 z 1 x 3 ) = 0, or equivalently x 1 z 1 z 3 = Z and Bits C x 3 z 3 ) = 0 Consider the i th query 36

37 Regular forward or inverse) query to π 1 Without loss of generality, consider a forward query Denote the query by x 1, z 1 ) There are at most q choices for x 3, z 3 ) As z 1 is randomly drawn from a set of size at least n q, the equation is satisfied with probability at most q n q Each hit adds at most 1 solution Regular forward query to π 3 By aux Q q ), there are at most τ n C choices for x 1, z 1 ) to satisfy Bits C x 1 z 1 x 3 ) = 0 As z 3 is randomly drawn from a set of size at least n q, the equation is satisfied with probability at most τn C n q By aux Q q ), each hit adds at most τ solutions Regular inverse query to π 3 By aux Q q ), there are at most τ choices for x 1, z 1 ) to satisfy x 1 z 1 z 3 = Z As x 3 is randomly drawn from a set of size at least n q, the equation is satisfied with probability at most τn C n q By aux Q q ), each hit adds at most τ solutions Predicate query to π 1 Denote the query response by x 1, z 1 ), which will satisfy Bits C x 1 z 1 ) = 0 By aux 1 Q q ), there are at most τ 1 choices for x 3, z 3 ) to satisfy Bits C x 3 ) = 0 and Bits C z 3 ) = Bits C Z) By Lem part ii), we find that the equation is satisfied with probability at most τ1 C n q Each hit adds at most 1 solution Predicate query to π 3 Denote the query response by x 3, z 3 ), which will satisfy Bits C x 3 z 3 ) = 0 There are at most q choices for x 1, z 1 ) Similar to the proof of Lem 13, one can prove that the equation is satisfied with probability at most n C n n C q q q n q : we need the predicate query to satisfy Bits C x 3 ) = Bits C x 1 z 1 ), Bits C x 3 z 3 ) = 0, and z 3 = x 1 z 1 Z, and this gives at most n C possible tuples of Σ P, P Φ ) By aux Q q ), each hit adds at most τ solutions Conclusion Thus, if B = 1, any query results in a solution with probability at most τ 1 C +τ n C +q n q, and each hit adds at most τ solutions Consequently, more than τ 5 solutions are obtained with probability at most 1 C +τ n C 5 +1 q ) ) τ τ +q τ τ 5 +1 n q τ ) τ eτ1τ C q+eτ n C q+eτ q 5 +1 τ 5+1) n q) From 30-31), 3), and the results of Lems we find: τ Adv epre q) τ 4 + τ 5 )[B = 1] C q + τ B q + τ 3 Bq + B qq + 1) n Bq e n C ) τ1+1 q eb [B = 1] + n C δ B,C [1]q + [B = 1] C q 3 n + Bq τ 1 + 1) n q) τ + 1) n Bq) n eb ) q τ +1 B τ + 1) n + n eτ B 3 δ B,C [1]q ) τ 3 +1 τ B Bq) τ 3 + 1) n + Bq) eτ1 τ C q + eτ q ) τ 4 +1 τ [B = 1] τ 4 + 1) n + q) eτ1 τ C q + eτ n C q + eτ q ) τ 5 +1 τ [B = 1] τ 5 + 1) n q) ) τ +1 B The proof of Prop 10 is completed by maing the following simplifications: we use the fact that n Bq n 1 for Bq n 1, and put τ = τb 1, τ 3 = τ τ B 1, τ 1 = τ 1, and τ 4 = τ 5 = τ τ 1 for some integral τ, τ, τ > 0 Additionally, we use q + 1 q for q