Compactness of Hashing Modes and Efficiency beyond Merkle Tree

04/30/2021
by Elena Andreeva, et al.

We revisit the classical problem of designing optimally efficient cryptographically secure hash functions. Hash functions are traditionally designed by applying modes of operation to primitives with smaller domains. The results of Shrimpton and Stam (ICALP 2008), Rogaway and Steinberger (CRYPTO 2008), and Mennink and Preneel (CRYPTO 2012) show how to achieve optimally efficient designs of $2n$-to-$n$-bit compression functions from non-compressing primitives with asymptotically optimal $2^{n/2-\epsilon}$-query collision resistance. Designing optimally efficient and secure hash functions for larger domains ($> 2n$ bits) is still an open problem. In this work we propose the new compactness efficiency notion. It allows us to focus on asymptotically optimally collision resistant hash functions and normalize their parameters based on Stam's bound from CRYPTO 2008 to obtain maximal efficiency. We then present two tree-based modes of operation:

- Our first construction is an Augmented Binary Tree (ABR) mode. The design is a $(2^{\ell}+2^{\ell-1}-1)n$-to-$n$-bit hash function making a total of $(2^{\ell}-1)$ calls to $2n$-to-$n$-bit compression functions for any $\ell \geq 2$. Our construction is optimally compact with asymptotically (optimal) $2^{n/2-\epsilon}$-query collision resistance in the ideal model. For a tree of height $\ell$, in comparison with Merkle tree, the ABR mode processes additional $(2^{\ell-1}-1)$ data blocks making the same number of internal compression function calls.
- While the ABR mode achieves collision resistance, it fails to achieve indifferentiability from a random oracle within $2^{n/3}$ queries. ABR$^{+}$ compresses only 1 less data block than ABR with the same number of compression calls and achieves in addition indifferentiability up to $2^{n/2-\epsilon}$ queries.
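The block and call counts stated for the ABR mode can be checked against a plain Merkle tree with a small sketch; this is an added example, not code from the paper. It assumes SHA-256 as a stand-in for the $2n$-to-$n$-bit compression function, and the node rule (XOR the extra block into both children, then feed the children forward) is an assumption, since the abstract does not give it.

```python
import hashlib

N = 32  # block length n in bytes (assumption: SHA-256 stands in for the primitive)

def counted_f():
    """Return a 2n-to-n compression stand-in plus a mutable call counter."""
    calls = [0]
    def f(left, right):
        calls[0] += 1
        return hashlib.sha256(left + right).digest()
    return f, calls

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def merkle(blocks, f):
    """Plain binary Merkle tree over 2^l blocks."""
    level = list(blocks)
    while len(level) > 1:
        level = [f(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def augmented_tree(blocks, height, f):
    """Same tree shape, but every non-leaf call also absorbs one message block.
    ASSUMED node rule: f(l ^ m, r ^ m) ^ l ^ r (XOR-in plus feed-forward)."""
    leaves = 2 ** height
    if height < 2 or len(blocks) != leaves + leaves // 2 - 1:
        raise ValueError("need height >= 2 and 2^l + 2^(l-1) - 1 blocks")
    level = [f(blocks[i], blocks[i + 1]) for i in range(0, leaves, 2)]
    extra = iter(blocks[leaves:])  # the 2^(l-1) - 1 additional blocks
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            l, r, m = level[i], level[i + 1], next(extra)
            nxt.append(xor(f(xor(l, m), xor(r, m)), xor(l, r)))
        level = nxt
    return level[0]

def compare(height):
    """Blocks hashed and compression calls made by each mode at this height."""
    total = 2 ** height + 2 ** (height - 1) - 1
    blocks = [i.to_bytes(2, "big") * (N // 2) for i in range(total)]  # constructed input
    f1, c1 = counted_f()
    merkle(blocks[: 2 ** height], f1)
    f2, c2 = counted_f()
    augmented_tree(blocks, height, f2)
    return {"merkle": (2 ** height, c1[0]), "augmented": (total, c2[0])}

if __name__ == "__main__":
    for h in (2, 3, 4):
        print(h, compare(h))
```

The sketch only reproduces the efficiency accounting; it carries none of the paper's collision-resistance or indifferentiability guarantees.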
