Security analysis of the mode of JH hash function

Rishiraj Bhattacharyya; Avradip Mandal; Mridul Nandi

doi:10.1007/978-3-642-13858-4_10

Security analysis of the mode of JH hash function

Rishiraj Bhattacharyya^*, Avradip Mandal, Mridul Nandi

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

29 Citations (Scopus)

Abstract

Recently, NIST has selected 14 second round candidates of SHA3 competition. One of these candidates will win the competition and eventually become the new hash function standard. In TCC'04, Maurer et al introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. Indifferentiability is the appropriate notion of modeling a random oracle as well as a strong security criteria for a hash-design. In this paper we analyze the indifferentiability and preimage resistance of JH hash function which is one of the SHA3 second round candidates. JH uses a 2n bit fixed permutation based compression function and applies chopMD domain extension with specific padding. We show under the assumption that the underlying permutations is a 2n-bit random permutation, JH mode of operation with output length 2n - s bits, is indifferentiable from a random oracle with distinguisher's advantage bounded by where σ is the total number of blocks queried by distinguisher. We show that the padding rule used in JH is essential as there is a simple indifferentiablity distinguisher (with constant query complexity) against JH mode of operation without length padding outputting n bit digest. We prove that a little modification (namely chopping different bits) of JH mode of operation enables us to construct a hash function based on random permutation (without any length padding) with similar bound of sponge constructions (with fixed output size) and with same efficiency. On the other hand, we improve the preimage attack of query complexity 2^510.3 due to Mendel and Thompson. Using multicollisions in both forward and reverse direction, we show a preimage attack on JH with n = 512,s = 512 in 2 ⁵⁰⁷ queries to the permutation.

Original language	English
Title of host publication	Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers
Pages	168-191
Number of pages	24
DOIs	https://doi.org/10.1007/978-3-642-13858-4_10
Publication status	Published - 2010
Event	17th International Workshop on Fast Software Encryption, FSE 2010 - Seoul, Korea, Republic of Duration: 7 Feb 2010 → 10 Feb 2010

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6147 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th International Workshop on Fast Software Encryption, FSE 2010
Country/Territory	Korea, Republic of
City	Seoul
Period	7/02/10 → 10/02/10

Keywords

chop-MD
Indifferentiability
JH
random permutation
SHA-3 candidate

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-13858-4_10

Cite this

Bhattacharyya, R., Mandal, A., & Nandi, M. (2010). Security analysis of the mode of JH hash function. In Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers (pp. 168-191). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6147 LNCS). https://doi.org/10.1007/978-3-642-13858-4_10

@inproceedings{7a2f83d395d549f891bdf9f06d8e4b94,

title = "Security analysis of the mode of JH hash function",

abstract = "Recently, NIST has selected 14 second round candidates of SHA3 competition. One of these candidates will win the competition and eventually become the new hash function standard. In TCC'04, Maurer et al introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. Indifferentiability is the appropriate notion of modeling a random oracle as well as a strong security criteria for a hash-design. In this paper we analyze the indifferentiability and preimage resistance of JH hash function which is one of the SHA3 second round candidates. JH uses a 2n bit fixed permutation based compression function and applies chopMD domain extension with specific padding. We show under the assumption that the underlying permutations is a 2n-bit random permutation, JH mode of operation with output length 2n - s bits, is indifferentiable from a random oracle with distinguisher's advantage bounded by where σ is the total number of blocks queried by distinguisher. We show that the padding rule used in JH is essential as there is a simple indifferentiablity distinguisher (with constant query complexity) against JH mode of operation without length padding outputting n bit digest. We prove that a little modification (namely chopping different bits) of JH mode of operation enables us to construct a hash function based on random permutation (without any length padding) with similar bound of sponge constructions (with fixed output size) and with same efficiency. On the other hand, we improve the preimage attack of query complexity 2510.3 due to Mendel and Thompson. Using multicollisions in both forward and reverse direction, we show a preimage attack on JH with n = 512,s = 512 in 2 507 queries to the permutation.",

keywords = "chop-MD, Indifferentiability, JH, random permutation, SHA-3 candidate",

author = "Rishiraj Bhattacharyya and Avradip Mandal and Mridul Nandi",

year = "2010",

doi = "10.1007/978-3-642-13858-4_10",

language = "English",

isbn = "3642138578",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "168--191",

booktitle = "Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers",

note = "17th International Workshop on Fast Software Encryption, FSE 2010 ; Conference date: 07-02-2010 Through 10-02-2010",

}

Bhattacharyya, R, Mandal, A & Nandi, M 2010, Security analysis of the mode of JH hash function. in Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6147 LNCS, pp. 168-191, 17th International Workshop on Fast Software Encryption, FSE 2010, Seoul, Korea, Republic of, 7/02/10. https://doi.org/10.1007/978-3-642-13858-4_10

Security analysis of the mode of JH hash function. / Bhattacharyya, Rishiraj; Mandal, Avradip; Nandi, Mridul.
Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers. 2010. p. 168-191 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6147 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Security analysis of the mode of JH hash function

AU - Bhattacharyya, Rishiraj

AU - Mandal, Avradip

AU - Nandi, Mridul

PY - 2010

Y1 - 2010

N2 - Recently, NIST has selected 14 second round candidates of SHA3 competition. One of these candidates will win the competition and eventually become the new hash function standard. In TCC'04, Maurer et al introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. Indifferentiability is the appropriate notion of modeling a random oracle as well as a strong security criteria for a hash-design. In this paper we analyze the indifferentiability and preimage resistance of JH hash function which is one of the SHA3 second round candidates. JH uses a 2n bit fixed permutation based compression function and applies chopMD domain extension with specific padding. We show under the assumption that the underlying permutations is a 2n-bit random permutation, JH mode of operation with output length 2n - s bits, is indifferentiable from a random oracle with distinguisher's advantage bounded by where σ is the total number of blocks queried by distinguisher. We show that the padding rule used in JH is essential as there is a simple indifferentiablity distinguisher (with constant query complexity) against JH mode of operation without length padding outputting n bit digest. We prove that a little modification (namely chopping different bits) of JH mode of operation enables us to construct a hash function based on random permutation (without any length padding) with similar bound of sponge constructions (with fixed output size) and with same efficiency. On the other hand, we improve the preimage attack of query complexity 2510.3 due to Mendel and Thompson. Using multicollisions in both forward and reverse direction, we show a preimage attack on JH with n = 512,s = 512 in 2 507 queries to the permutation.

AB - Recently, NIST has selected 14 second round candidates of SHA3 competition. One of these candidates will win the competition and eventually become the new hash function standard. In TCC'04, Maurer et al introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. Indifferentiability is the appropriate notion of modeling a random oracle as well as a strong security criteria for a hash-design. In this paper we analyze the indifferentiability and preimage resistance of JH hash function which is one of the SHA3 second round candidates. JH uses a 2n bit fixed permutation based compression function and applies chopMD domain extension with specific padding. We show under the assumption that the underlying permutations is a 2n-bit random permutation, JH mode of operation with output length 2n - s bits, is indifferentiable from a random oracle with distinguisher's advantage bounded by where σ is the total number of blocks queried by distinguisher. We show that the padding rule used in JH is essential as there is a simple indifferentiablity distinguisher (with constant query complexity) against JH mode of operation without length padding outputting n bit digest. We prove that a little modification (namely chopping different bits) of JH mode of operation enables us to construct a hash function based on random permutation (without any length padding) with similar bound of sponge constructions (with fixed output size) and with same efficiency. On the other hand, we improve the preimage attack of query complexity 2510.3 due to Mendel and Thompson. Using multicollisions in both forward and reverse direction, we show a preimage attack on JH with n = 512,s = 512 in 2 507 queries to the permutation.

KW - chop-MD

KW - Indifferentiability

KW - JH

KW - random permutation

KW - SHA-3 candidate

UR - http://www.scopus.com/inward/record.url?scp=77954740517&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-13858-4_10

DO - 10.1007/978-3-642-13858-4_10

M3 - Conference contribution

AN - SCOPUS:77954740517

SN - 3642138578

SN - 9783642138577

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 168

EP - 191

BT - Fast Software Encryption - 17th International Workshop, FSE 2010, Revised Selected Papers

T2 - 17th International Workshop on Fast Software Encryption, FSE 2010

Y2 - 7 February 2010 through 10 February 2010

ER -

Security analysis of the mode of JH hash function

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this