Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) - PowerPoint PPT Presentation


SLIDE 1

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK)

Joan Daemen (1), Bart Mennink (1), Gilles Van Assche (2)

Fast Software Encryption, Paris, March 2019

(1) Radboud University, (2) STMicroelectronics

SLIDE 2

Hash function example 1: SHA-256

Hash function h from compression function F with Merkle-Damgård:

[figure: IV and M1 enter F; the resulting CV and M2 enter F; then CV and M3; then CV and M4 ‖ pad; the last F output is the digest]

Compression function F from block cipher B with Davies-Meyer:

[figure: Mi goes through message expansion into the key input of B, CVi goes into the data path; the output of B is XORed (⊕) with CVi to give CVi+1]

Underlying primitive: block cipher with 256-bit block and 512-bit key

SLIDE 3

Example 2: MD6 [Rivest et al. 2008]

Hash function h from CF F with dedicated tree hash mode:

  • Location (level,index) input to each node

[figure: tree with levels 1, 2, 3; the nodes of level 2 are labelled (2,0), (2,1), (2,2), (2,3)]

CF F from permutation P with dedicated construction:

[figure: Prepend, Map, Chop. The node input N is 89 words: const (15 words), key+UV (8+2 words), data (64 words); the 1-1 map π takes the 89 words to 89 words; Chop keeps 16 words, giving C = chop(π(N))]

Underlying primitive: 5696-bit permutation

SLIDE 4

Example 3: KangarooTwelve [Keccak Team 2016]

Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode:

[figure: the final node is S0 ‖ 110* ‖ CV ‖ CV ‖ CV ‖ … ‖ CV ‖ CV ‖ n-1 ‖ FFFF ‖ 01; the leaf nodes S1 ‖ 110, S2 ‖ 110, S3 ‖ 110, …, Sn-2 ‖ 110, Sn-1 ‖ 110 each yield one CV]

XOF from permutation with sponge [KT 2008]:

[figure: M → pad → absorbing: each r-bit block is XORed into the outer part of the state and f is applied after each block, the c-bit inner part is never written by the input; squeezing: the outer part is read out after each f → trunc → Z]

Underlying primitive: 1600-bit permutation Keccak-p[12]
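The sponge of this slide, as an added example (not the Keccak Team's code): a constructed 64-bit toy permutation f stands in for Keccak-p[12], the constructed sizes r = c = 32 bits keep it readable, and pad10*1 is the Keccak padding rule, which the slide only calls "pad".

```python
MASK32 = 0xFFFFFFFF
RATE, CAPACITY = 4, 4        # constructed sizes: r = 32 bits, c = 32 bits
STATE = RATE + CAPACITY      # b = r + c = 64 bits, in bytes


def _rotl(x: int, k: int) -> int:
    return ((x << k) | (x >> (32 - k))) & MASK32


def f(state: bytes) -> bytes:
    """Constructed toy permutation, not Keccak-p: 8 add-rotate-xor rounds on
    two 32-bit words. Every step is invertible, so f permutes the state;
    nothing about it is meant to be cryptographically strong."""
    a = int.from_bytes(state[:4], "little")
    b = int.from_bytes(state[4:], "little")
    for i in range(8):
        a = (a + b) & MASK32
        b = _rotl(b, 13) ^ a
        a = _rotl(a, 7) ^ ((b + i) & MASK32)
    return a.to_bytes(4, "little") + b.to_bytes(4, "little")


def pad10star1(msg: bytes) -> bytes:
    """pad10*1, the multi-rate padding of Keccak: a 1 bit, zeros, a 1 bit,
    so that the result is a whole number of r-bit blocks."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % RATE)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_xof(msg: bytes, out_len: int) -> bytes:
    """XOF from the permutation f with the sponge construction of slide 4."""
    state = bytearray(STATE)
    blocks = pad10star1(msg)
    for i in range(0, len(blocks), RATE):            # absorbing phase
        for j in range(RATE):
            state[j] ^= blocks[i + j]                # only the r-bit outer part;
        state[:] = f(bytes(state))                   # the c inner bits are never
    out = bytearray()                                # written by the message
    while len(out) < out_len:                        # squeezing phase
        out += state[:RATE]                          # read the outer part ...
        if len(out) < out_len:
            state[:] = f(bytes(state))               # ... and permute again
    return bytes(out[:out_len])                      # trunc to the requested length
```

The untouched inner part is the c bits that the birthday bound of slide 15 (adv ≤ (N choose 2) · 2^-c) refers to.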

slide-14
SLIDE 14

Basis for security of hash functions

▶ We cannot prove a hash function h is secure Trust in security based on public scrutiny and cryptanalysis But we can prove security of idealized version

  • f the function

… is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks

5

slide-15
SLIDE 15

Basis for security of hash functions

▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis But we can prove security of idealized version

  • f the function

… is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks

5

slide-16
SLIDE 16

Basis for security of hash functions

▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function

  • … H is h with underlying primitive replaced by random one

Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks

5

slide-17
SLIDE 17

Basis for security of hash functions

▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function

  • … H is h with underlying primitive replaced by random one

▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO

  • this bound says something about the mode only
  • better attacks must exploit specific properties of primitive

In other words, they bound the success probability of generic attacks

5

slide-18
SLIDE 18

Basis for security of hash functions

▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function

  • … H is h with underlying primitive replaced by random one

▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO

  • this bound says something about the mode only
  • better attacks must exploit specific properties of primitive

▶ In other words, they bound the success probability of generic attacks

5

SLIDE 6

What can happen if you don’t have a good bound?

[figure: the Merkle-Damgård chain of slide 2: IV and M1 into F, then CV with M2, CV with M3, CV with M4 ‖ pad, ending in the digest]

▶ Length extension property

  • MAC function h(K|M) not secure against forgery
  • fixing requires adding expensive construction: HMAC

▶ Attacks with less complexity than expected

  • 2nd pre-image for long messages
  • multi-collisions
  • herding attack, …

▶ Affect all old-style hash standards: MD5, SHA-1 and all SHA-2

SLIDE 7

Hashing, scope of this SoK paper

[figure: a message of 21 bits, 011010110101101010110, is hashed by h in two steps. Template generation Z ← T(|M|, params) lays out four leaf nodes M0..5 ‖ 00, M6..11 ‖ 00, M12..17 ‖ 00, M18..20 ‖ 10* ‖ 00, two inner nodes with frame bits 10 and a final node with frame bits 11. Template execution H ← F(S_final) with S ← Y[F](Z, M) fills the nodes: 011010 00, 110101 00, 101010 00, 110 10* 00, 110 001 10, 010 111 10, 000 011 11, i.e. seven F evaluations, giving the digest 0101…]

▶ Modes T for any tree topology, including sequential hashing
▶ Three types of underlying function F:

  • arbitrary function: XOF, hash, or compression function
  • truncated permutation
  • (truncated) block cipher

SLIDE 8

Conditions for sound hashing

We prove it is hard to distinguish H from RO if T satisfies certain conditions:

▶ For all cases:

  • message-decodability
  • subtree-freeness
  • radical-decodability

▶ For permutations and block ciphers:

  • leaf-anchoring

SLIDE 9

Trees and the set S_T

[figure: all possible trees S_T]

S_T: the set of all possible trees that can be generated by mode T

SLIDE 10

Condition 1: message decodability

[figure: the seven node inputs 01101000 11010100 10101000 11010000 11000110 01011110 00001111 with their F evaluations (digest 0101…) ⇒ the message 011010110101101010110 laid out as M0..5 ‖ 00, M6..11 ‖ 00, M12..17 ‖ 00, M18..20 ‖ 10* ‖ 00 with frame bits 10, 10, 11 on the remaining nodes]

∀S ∈ S_T there exists an algorithm for decoding S to (M, Z)

SLIDE 11

Condition 2: subtree-freeness

[figure: a tree with three highlighted parts: a final subtree, a leaf subtree and "just a subtree"]

SLIDE 12

Condition 2: subtree-freeness

[figure: the sets S_T and S_T^sub]

S_T^sub: the set of all trees that are proper subtrees of a tree in S_T

Subtree-freeness: S_T ∩ S_T^sub = ∅

SLIDE 13

Condition 3: radical-decodability

[figure: the tree of slide 10 with one leaf node (10101000) removed, leaving the six node inputs 01101000 11010100 11010000 11000110 01011110 00001111 and six F evaluations]

Radical: a CV that has no F-pre-image
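The template of slide 7 and conditions 1 to 3, worked as an added example (not the paper's code): the 6-bit chunks, the binary tree, the frame bits 00/10/11 and the 10* padding are read off slide 7; F (a SHA-256-based toy), the 32-bit CV width and the names template, execute, decode and radicals are assumptions of this illustration.

```python
import hashlib

CHUNK, ARITY = 6, 2                      # 6-bit chunks, binary tree, as on slide 7
CV_BITS = 32                             # slide 7 draws 3-bit CVs; 32 keeps the toy collision-free
LEAF, INNER, FINAL = "00", "10", "11"    # frame bits of leaf, inner and final nodes

def F(node_input: str) -> str:
    """Constructed toy F (the paper leaves F abstract): a CV_BITS-bit CV via SHA-256."""
    digest = hashlib.sha256(node_input.encode()).digest()
    return format(int.from_bytes(digest[:4], "big"), "032b")

def pad10star(bits: str) -> str:
    """10* padding: a single 1, then 0s up to the next chunk boundary."""
    bits += "1"
    return bits + "0" * (-len(bits) % CHUNK)

def template(mlen: int) -> list:
    """Z <- T(|M|, params): the node layout, which depends only on |M|.
    A node is (kind, refs): a leaf refers to a chunk index, an inner node
    to its child node indices; the last node in the list is the final node."""
    n_leaves = (mlen + CHUNK) // CHUNK          # ceil((|M| + 1) / CHUNK)
    nodes = [("leaf", [i]) for i in range(n_leaves)]
    layer = list(range(n_leaves))
    while len(layer) > 1:                       # pair up nodes level by level
        nxt = []
        for i in range(0, len(layer), ARITY):
            nodes.append(("inner", layer[i:i + ARITY]))
            nxt.append(len(nodes) - 1)
        layer = nxt
    return nodes

def execute(Z: list, M: str) -> list:
    """S <- Y[F](Z, M): fill the template with chunks and CVs, evaluating F
    bottom-up. Returns the node inputs S, final node last."""
    padded = pad10star(M)
    chunks = [padded[i:i + CHUNK] for i in range(0, len(padded), CHUNK)]
    S, cv = [], []
    for idx, (kind, refs) in enumerate(Z):
        body = chunks[refs[0]] if kind == "leaf" else "".join(cv[r] for r in refs)
        frame = FINAL if idx == len(Z) - 1 else (LEAF if kind == "leaf" else INNER)
        S.append(body + frame)
        cv.append(F(S[-1]))
    return S

def hash_tree(M: str) -> str:
    """h(M) = F(S_final) with S <- Y[F](T(|M|), M)."""
    return F(execute(template(len(M)), M)[-1])

def radicals(nodes: list) -> set:
    """Slide 13 vocabulary: CVs that some node in `nodes` consumes but that no
    node in `nodes` produces under F, i.e. CVs without an F-pre-image."""
    produced = {F(s) for s in nodes}
    used = {s[i:i + CV_BITS] for s in nodes
            if len(nodes) > 1 and not s.endswith(LEAF)
            for i in range(0, len(s) - 2, CV_BITS)}
    return used - produced

def decode(S: list):
    """Condition 1 (message-decodability): recover (M, Z) from the node
    inputs S given in any order, or None if S is not a full tree of T.
    Every proper subtree is rejected because only the final node carries
    the frame bits 11 (condition 2, subtree-freeness)."""
    roots = [s for s in S if s.endswith(FINAL)]
    if len(roots) != 1:
        return None
    by_cv = {F(s): s for s in S}
    if len(by_cv) != len(S):
        return None                     # colliding CVs: the case the proof excludes
    chunks, seen = [], set()

    def walk(node: str) -> bool:        # depth-first, leftmost child first
        if node in seen:
            return False
        seen.add(node)
        body = node[:-2]
        if node.endswith(LEAF) or len(S) == 1:   # a lone final node is a leaf
            chunks.append(body)
            return True
        for i in range(0, len(body), CV_BITS):
            child = by_cv.get(body[i:i + CV_BITS])
            if child is None or child.endswith(FINAL) or not walk(child):
                return False
        return True

    if not walk(roots[0]) or len(seen) != len(S) or "1" not in "".join(chunks):
        return None
    M = "".join(chunks).rstrip("0")[:-1]     # undo the 10* padding
    Z = template(len(M))
    return (M, Z) if sorted(execute(Z, M)) == sorted(S) else None
```

Removing one leaf from the seven-node tree of slide 13 makes its CV the only radical, and any proper subtree (no node with frame bits 11) fails to decode.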

SLIDE 14

Condition 3: radical-decodability

[figure: nested sets S_T, S_T^sub, S_T^leaf, S_T^final and S_T^rad]

Radical-decodability, simplified: for all final subtrees (S_T^final) one can unambiguously identify a radical

Radical-decodability, actually: this is true for all subtrees in some set S_T^rad that includes S_T^final

SLIDE 15

Adversary model: differentiating from a random oracle

[figure: the distinguisher D talks either to the real world Y[R] (mode Y on primitive R) or to the ideal world (RO, S); construction queries (M, Z) and primitive queries x go to either world]

▶ Indifferentiability [Maurer et al. 2004] for hashing [Coron et al. 2005]
▶ For sponge: [KT 2008] adv ≤ (N choose 2) · 2^-c: birthday bound in capacity
▶ This paper: adv ≤ (N choose 2) · 2^-n: birthday bound in CV length
▶ If mode satisfies our conditions

SLIDE 16

Condition 4: leaf-anchoring

▶ Problem with truncated permutation: inverse queries
▶ Without additional condition this is easy to distinguish
▶ Leaf anchoring

  • n first bits of permutation input are reserved
  • constant IV in leaf nodes
  • CV in non-leaf nodes

▶ For block ciphers: anchoring must be in data input
▶ Other countermeasures could be taken but this is the simplest
▶ Adding a feedforward à la Davies-Meyer does not help

SLIDE 17

Minimum solutions for sequential hashing

With a compression function:

[figure: sequential chain h with frame bits 00, 10, 10, …, 10* padding and 11 on the final node]

With a truncated permutation or block cipher:

[figure: sequential chain h starting from IV, with frame bits 0 and 1 and 10* padding]

SLIDE 18

Interesting implications of this work

▶ Tree hashing mode on top of a secure XOF gives a secure XOF

  • e.g., KangarooTwelve on top of sponge
  • Sakura encoding [KT 2014] ensures subtree-freeness and radical decodability

▶ Hashing based on permutations

  • Sponge is not covered: different type of animal
  • MD6: n-bit IV in leaves and 1 framebit would have sufficed

▶ Hashing based on block ciphers (e.g., MD5, SHA-1 and SHA-2)

  • Davies-Meyer feedforward is useless
  • Merkle-Damgård strengthening is useless
  • CV can be shorter than block length of cipher

SLIDE 19

Thanks for your attention!

SLIDE 20

Intuition: why this works

[figure: the real world Y[R] versus the ideal world (RO, S), with distinguisher D issuing (M, Z) and x queries, as on slide 15]

▶ (RO, S) must act mode-consistent and it can:

  • Subtree-freeness → A can’t learn CVs from (M, Z) queries
  • Radical-decodability → S can reconstruct any full tree S queried
  • Message-decodability → S can reconstruct M and Z from S
  • S then just queries RO with (M, Z) and forwards response to A

▶ Things break down when CVs collide

SLIDE 21

An example that is not radical-decodable

[figure only; no text on this slide]