Ideal-Cipher (Ir)reducibility for Blockcipher-Based Hash Functions [chapter]

Paul Baecher, Pooya Farshim, Marc Fischlin, Martijn Stam
2013 Lecture Notes in Computer Science  
Preneel et al. (Crypto 1993) assessed 64 possible ways to construct a compression function out of a blockcipher. They conjectured that 12 out of these 64 so-called PGV constructions achieve optimal security bounds for collision resistance and preimage resistance. This was proven by Black et al. (Journal of Cryptology, 2010), if one assumes that the blockcipher is ideal. This result, however, does not apply to "non-ideal" blockciphers such as AES. To alleviate this problem, we revisit the PGV constructions in light of the recently proposed idea of random-oracle reducibility (Baecher and Fischlin, Crypto 2011). We say that the blockcipher in one of the 12 secure PGV constructions reduces to the one in another construction, if any secure instantiation of the cipher, ideal or not, for one construction also makes the other secure. This notion allows us to relate the underlying assumptions on blockciphers in different constructions, and show that the requirements on the blockcipher for one case are not more demanding than those for the other. It turns out that this approach divides the 12 secure constructions into two groups of equal size, where within each group a blockcipher making one construction secure also makes all others secure. Across the groups this is provably not the case, showing that the sets of "good" blockciphers for each group are qualitatively distinct. We also relate the ideal ciphers in the PGV constructions with those in double-block-length hash functions such as Tandem-DM, Abreast-DM, and Hirose-DM. Here, our results show that, besides achieving better bounds, the double-block-length hash functions rely on weaker assumptions on the blockciphers to achieve collision and everywhere preimage resistance.

IDEALIZED MODELS. As pointed out by Black et al. [BRSS10], security proofs for the PGV schemes in the ICM should be treated with care. Such results indicate that in order to break the security of the PGV scheme one would need to take advantage of structural properties of the blockcipher. Yet blockciphers such as AES, or the Threefish blockcipher used in Skein, clearly display a structure which is far from an ideal object. For instance, IDEA seems quite unsuitable to base a compression function on [WPS+12], while for AES recent related-key attacks [BK09, BKN09] cast some shadow on its suitability for this purpose.
Indeed, Khovratovich [Kho10, Corollary 2] states unambiguously that "AES-256 in the Davies-Meyer hashing mode leads to an insecure hash function," but remarks that it is not known how to attack, for instance, double-block-length constructions. Moreover, it is currently still unknown how to exploit these weaknesses in AES-256 to break the standard collision or preimage security of any AES-instantiated PGV compression function. Consequently it may well be that AES makes some of the 12 PGV constructions secure, whereas others turn out to be insecure, despite a proof in the ICM. Unfortunately, it is very hard to make any security claims about specific PGV constructions with respect to a "real" blockcipher, or to even determine exactly the necessary requirements on the blockcipher for different PGV constructions to be secure.

Recently, a similar issue for the random-oracle model, where a monolithic idealized hash function is used, has been addressed by Baecher and Fischlin [BF11] via the so-called random-oracle reducibility. The idea is to relate the idealized hash functions in different (primarily public-key) schemes, allowing one to conclude that the requirements on the hash function in one scheme are weaker than those in the other scheme. That is, Baecher and Fischlin consider two cryptographic schemes A and B with related security games in the random-oracle model. They define that the random oracle in scheme B reduces to the one in scheme A, if any instantiation H of the random oracle, possibly through an efficient hash function or again by an oracle-based solution, which makes scheme A secure, also makes scheme B secure. As such, the requirements on the hash function for scheme B are weaker than those for the one in scheme A. To be precise, Baecher and Fischlin allow an efficient but deterministic and stateless transformation T^H for instantiating the random oracle in scheme B, to account for, say, different input or output sizes of the hash functions in the schemes.
Using such transformations they are able to relate the random oracles in some public-key encryption schemes, including some ElGamal-type schemes.

OUR RESULTS FOR THE PGV CONSTRUCTIONS. We apply the idea of oracle reducibility to the ideal-cipher model and the PGV constructions. Take any two of the 12 PGV constructions, PGV_i and PGV_j, which are secure in the ICM. The goal is to show that any blockcipher (ideal or not) which makes PGV_i secure also makes PGV_j secure. Here, security may refer to different games such as the standard notions of collision resistance, preimage resistance, or everywhere preimage resistance [RS04], or to more elaborate notions such as preimage awareness [DRS09]. Although we can ask the same question for indifferentiability from random functions [MRH04], the PGV constructions, as pointed out in [CDMP05, KM07], do not achieve this level of security. Our first result divides the 12 secure PGV constructions into two groups G_1 and G_2 of size 6, where within each group the ideal cipher in each construction reduces to the ideal cipher in any other construction (with respect to collision resistance, [everywhere] preimage resistance, and preimage awareness). We sometimes call these the PGV_1-group and the PGV_2-group respectively: these two schemes are representatives of their respective groups. Across different groups, however, and for any of the security games, starting with the ideal cipher we can derive a blockcipher which makes all schemes in one group secure, whereas any scheme in the other group becomes insecure under this blockcipher. This separates the PGV_1-group and the PGV_2-group in terms of direct ideal-cipher reducibility. In direct reducibility we use the blockcipher in question without any modifications in another construction. This was one of the reasons to investigate different PGV constructions in the first place.
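The following Python is an added illustration, not code from the paper or its authors. It assumes a toy 32-bit keyed permutation with key length equal to block length (a constructed stand-in for a real blockcipher, with no security claim) and a constructed constant v; it builds the generic PGV family f(h, m) = E_a(b) XOR c with a, b, c drawn from {h, m, h XOR m, v}, names three classic members by their common names rather than by the paper's PGV_i numbering (which is not reproduced here), and plugs the same unmodified cipher into different constructions, which is the direct-reducibility setting described above.

```python
from itertools import product

N = 32                              # block size and key size in bits
MASK = (1 << N) - 1
MUL = 0x9E3779B1                    # odd, so x -> x*MUL mod 2^N is a bijection
MUL_INV = pow(MUL, -1, 1 << N)      # inverse multiplier, used by decryption
V = 0x5A5A5A5A                      # the fixed constant v of the PGV family (constructed)

def _rotl(x, r):
    r %= N
    return ((x << r) | (x >> (N - r))) & MASK

def toy_encrypt(k, x):
    """Toy keyed permutation (NOT secure): xor round key, odd multiply, rotate."""
    for i in range(4):
        x = ((x ^ _rotl(k, 7 * i)) * MUL) & MASK
        x = _rotl(x, 11)
    return x

def toy_decrypt(k, y):
    """Inverse of toy_encrypt; exists because every round step is a bijection."""
    for i in reversed(range(4)):
        y = _rotl(y, N - 11)
        y = ((y * MUL_INV) & MASK) ^ _rotl(k, 7 * i)
    return y

CHOICES = ("h", "m", "hm", "v")

def pgv(a, b, c, E, h, m):
    """Generic PGV compression function f(h, m) = E_a(b) ^ c; E(key, block)."""
    val = {"h": h, "m": m, "hm": h ^ m, "v": V}
    return E(val[a], val[b]) ^ val[c]

ALL_64 = list(product(CHOICES, repeat=3))   # the 64 (a, b, c) triples of Preneel et al.

# Three classic members as (a, b, c) triples, identified by name only.
DAVIES_MEYER       = ("m", "h", "h")    # E_m(h) ^ h
MATYAS_MEYER_OSEAS = ("h", "m", "m")    # E_h(m) ^ m
MIYAGUCHI_PRENEEL  = ("h", "m", "hm")   # E_h(m) ^ m ^ h

def md_hash(abc, E, blocks, iv=0x01234567):
    """Merkle-Damgard chaining of one PGV function over N-bit blocks (padding
    and length strengthening omitted).  The cipher E is passed in unmodified,
    so the same E can be tried in any of the 64 constructions directly."""
    h = iv
    for m in blocks:
        h = pgv(*abc, E, h, m & MASK)
    return h
```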
For free reductions allowing arbitrary transformations T of the blockcipher, we show that the PGV constructions can be seen as transformations of each other, and under suitable T all 12 PGV constructions reduce to each other. Preneel et al. [PGV94] already discussed equivalence classes from an attack perspective. Our work reaffirms these classes and puts them on a solid theoretical foundation. Dividing the 12 constructions into two groups allows
doi:10.1007/978-3-642-38348-9_26