Formal Algebraic Reasoning About Compression Function Security
Date
2024-01-23
Authors
Javar, Zahra
Abstract
Cryptographic hash functions are fundamental building blocks of cryptographic constructions: they map variable-length input to fixed-length output while providing security properties such as collision resistance, preimage resistance, and indifferentiability from a random oracle (RO). Designing efficient hash functions with provable security has long been a challenge. Security proofs for hash functions are usually given in the random oracle model or the ideal cipher model, each of which assumes access to an ideal primitive: a truly random function in the first case, a family of independent random permutations in the second.
This research establishes a systematic approach for analyzing the security of hash functions in both ideal models, one that is suitable for automated verification and for automated generation of secure functions. Building on prior work [25], which used an algebraic framework called Linicrypt [8] primarily to analyze collision-resistant hash functions in the random oracle model, we extend that line of work in two directions.
We first introduce a simple and easily verifiable property of Linicrypt programs that characterizes preimage awareness, a security notion introduced by Dodis, Ristenpart, and Shrimpton [13], who also showed its utility in constructing indifferentiable hash functions. We show how this characterization can be checked automatically and, as an example, enumerate the preimage-aware compression functions that make two random oracle calls. The enumeration recovers several functions that Dodis et al. had previously proved preimage aware by hand.
Next, we extend the Linicrypt framework, originally formulated in the random oracle setting, to hash function security in the ideal cipher model. In this setting we characterize collision resistance and second-preimage resistance by linear-algebraic conditions on Linicrypt programs, and we give an efficient algorithm for deciding whether a program satisfies them. As an application, we study the block-cipher-based hash functions proposed by Preneel, Govaerts, and Vandewalle [32] and show that our characterization subsumes the security analysis of the PGV schemes given by Black et al. [5].
Further, still in the ideal cipher model, we analyze group-2 compression functions, a category introduced in the well-known work [4]. These are compression functions that are not collision-resistant on their own but yield collision-resistant hash functions when iterated by the Merkle-Damgård transformation. Finally, we give a complete characterization of collision-resistant double-block-length compression functions in the ideal cipher model.
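The PGV schemes and the group-2 phenomenon described above, as an added example that is not part of the thesis or of any cited paper: a lazily sampled ideal cipher (one independent random permutation per key, which is exactly the object the ideal cipher model abstracts), two PGV-shaped compression functions f(h, m) = E_a(b) xor c, plain Merkle-Damgård iteration, and the one-decryption collision that works against a compression function whose chaining input the attacker may choose freely. Everything here is constructed for illustration: the 32-bit block size, the IV and input values, and the choice of E_m(h) xor v as the non-collision-resistant function are assumptions; the code shows the collision mechanism, while the classification of that particular scheme as group 2 is for the reader to check against Black et al.

```python
"""Block-cipher-based compression functions in a toy ideal-cipher model.

Added example, not code from the thesis. Uses a lazily sampled ideal cipher
(an independent random permutation per key) on 32-bit blocks. Sizes, the IV
and all inputs are constructed for illustration."""
import random

N_BITS = 32                     # toy block and key size (assumption; real use is 128+)
IV = 0x243F6A88                 # constructed initial chaining value
V = 0x00000000                  # the PGV constant v


class IdealCipher:
    """E(k, .) is a fresh random permutation for every key k, sampled lazily.
    D(k, .) is its exact inverse. A seed makes the experiment reproducible."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.fwd = {}           # k -> {plaintext: ciphertext}
        self.inv = {}           # k -> {ciphertext: plaintext}

    def _fresh(self, used):
        # draw a value not yet used under this key so the map stays a permutation
        v = self.rng.getrandbits(N_BITS)
        while v in used:
            v = self.rng.getrandbits(N_BITS)
        return v

    def enc(self, k, x):
        fwd, inv = self.fwd.setdefault(k, {}), self.inv.setdefault(k, {})
        if x not in fwd:
            y = self._fresh(inv)
            fwd[x], inv[y] = y, x
        return fwd[x]

    def dec(self, k, y):
        fwd, inv = self.fwd.setdefault(k, {}), self.inv.setdefault(k, {})
        if y not in inv:
            x = self._fresh(fwd)
            fwd[x], inv[y] = y, x
        return inv[y]


# Two PGV-shaped compression functions f(h, m) = E_a(b) xor c.
def davies_meyer(ic, h, m):
    """f(h, m) = E_m(h) xor h: collision-resistant on its own (PGV group 1)."""
    return ic.enc(m, h) ^ h


def const_feedforward(ic, h, m):
    """f(h, m) = E_m(h) xor v. Assumed here as the group-2 illustration:
    an attacker who chooses h can collide it with a single decryption."""
    return ic.enc(m, h) ^ V


def merkle_damgard(f, ic, blocks, iv=IV):
    """Plain Merkle-Damgard iteration over already-padded fixed-size blocks."""
    h = iv
    for m in blocks:
        h = f(ic, h, m)
    return h


def collide_const_feedforward(ic, h, m, m2):
    """Return h2 with const_feedforward(h2, m2) == const_feedforward(h, m).
    Free choice of the chaining input is exactly what the iteration denies."""
    y = const_feedforward(ic, h, m)
    return ic.dec(m2, y ^ V)


def davies_meyer_hits(ic, h, m, trials):
    """Count random (h2, m2) colliding with davies_meyer(h, m). The xor of h
    into the output blocks the decryption trick, so only guessing remains:
    success probability is about trials / 2**N_BITS."""
    y = davies_meyer(ic, h, m)
    hits = 0
    for _ in range(trials):
        h2, m2 = ic.rng.getrandbits(N_BITS), ic.rng.getrandbits(N_BITS)
        if (h2, m2) != (h, m) and davies_meyer(ic, h2, m2) == y:
            hits += 1
    return hits


def demo():
    ic = IdealCipher(seed=7)
    h, m, m2 = IV, 0xDEADBEEF, 0xCAFEBABE            # constructed inputs
    h2 = collide_const_feedforward(ic, h, m, m2)
    same = const_feedforward(ic, h2, m2) == const_feedforward(ic, h, m)
    # the colliding chaining value is not the IV, so no one-block hash collision follows
    iterated_differs = (merkle_damgard(const_feedforward, ic, [m])
                        != merkle_damgard(const_feedforward, ic, [m2]))
    return same, h2 != IV, iterated_differs, davies_meyer_hits(ic, h, m, 2000)
```

`demo()` returns four results: the compression-function collision holds, the chaining value it needs differs from the IV, the two one-block hashes therefore do not collide, and random search against Davies-Meyer finds nothing. The toy shows the distinction the abstract draws (not collision-resistant as a compression function, yet the attack does not carry over to the iterated hash); proving the iterated bound is the thesis's job, not this code's.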