The Design Principle of Hash Function with Merkle-Damgård Construction

The Design Principle of Hash Function with Merkle-Damg˚ardConstruction

Duo Lei1, Feng Guozhu2, Li Chao1, Feng Keqin2, and Longjiang Qu1

1 Department of Science, National University of Defense Technology, Changsha, China [email protected] 2 Department of Math, Tsinghua University, Beijing, China

Abstract. The paper discusses the security of compression function and hash function with Merkle-Damg˚ardconstruction and provides the com- plexity bound of finding a collision and primage of hash function based on the condition probability of compression function y = F (x, k). we make a conclusion that in Merkle-Damma˚ardconstruction, the require- ment of free start collision resistant and free start collision resistant on compression function is not necessary and it is enough if the compres- sion function with properties of fix start collision resistant and fix start preimage resistant. However, the condition probability PY |X=x(y) and PY |K=k(y) of compression function y = F (x, k) have much influence on the security of the hash function. The best design of compression func- tion should have properties of that y is uniformly distributed for all x and k.

KeyWord: Hash Function, Block Cipher, Merkle-Damg˚ardConstruction

1 Introduction

Most of hash functions are iterated hash function and most of compression func- tion are iterated by Merkle-Damg˚ardstructure with constant IV[3]. Since the MD5 and SHA1 are attacked by [8][14][16], more and more attentions have been paid on hash function, the discussion about hash function mainly include secu- rity of compression function, attacking methods on hash function and security of iterated structure. κ n n n Let the compression function F : {0, 1} × {0, 1} → {0, 1} , xh ∈ {0, 1} , κ n xm ∈ {0, 1} , y ∈ {0, 1} , where y = F (xm, xh), in hash iteration xh is chain- ing value. The compression function of iterated hash function has four way to build[3]: based on block cipher, based on Modular Arithmetic, based on knapsack problem and dedicate hash function. No matter what way be used to design a compression function, the basic requirement on compression func- tion is not invertible, or else we can build a collision on compression function, 2 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu since the one way permutation is difficult to build, the condition probability 1 of all known compression function has properties of max PY |X =x (y) > n y h h 2 1 and max PY |X =x (y) > κ . In this paper, we get conclusion of that if the y m m 2 compression function is collision resistant and preimage resistant for fix start xh, then the hash function is secure, the requirement of free start collision re- sistant and free start preimage resistant are not required. But the condition probability PY |Xh=xh (y) and PY |Xm=xm (y) are the most important character which we have to consider in design of hash function and the best value are 1 1 max PY |X =x (y) = n and max PY |X =x (y) = κ . y h h 2 y m m 2

The attacking methods on hash function are aimed at finding collision, m 6= m0 getting H(m) = H(m0), if we can find the collision then we can build forgery to replace the original message. If for any given hi−1, hi we can find preimage mi satisfying hi = F (hi−1, mi) then we can build a collision in following way, 0 0 0 00 selecting an mi randomly, compute hi = F (hi−1, mi), find mi+1 and satisfy 0 00 hi = F (hi, mi+1), which implies finding collision of two message mik ... km1 00 0 and mi+1kmikmi−1k ... km1. Finding a second preimage also means finding a collision, so hash function should be immune to collision attack, preimage attack and second preimage attack. The original discussion about immune to attacks on hash function are defined as ’hard’ to find the attacks, but the ’hard’ is hard to evaluate the security of the hash function, for if n is very small then no ’hard’ way to finding the collision no matter how nice the compression function be de- signed and when n is very large a failure design of hash also means hard to find the collision. The paper make a definition of that if the best way of finding the preimage and collision are exhaustive search, then it is immune against those attack. And also the complexity bounds are given based on condition probabil- ity of compression function PY |Xh=xh (y) and PY |Xm=xm (y). Our complexity is defined as the times needed for computing the compression function.

The most famous iterated structure is M-D structure, which is not immune to extend attack, fix point attack and multi-collision attack, moreover, some slight weakness in compression (like some special plaintexts can make collision) may result in failure of hash function, so some revised structures have been given, include wide-pipe hash and double-pipe hash. Commonly, the security of structure was discussed on condition of compression function be random or- acle model, in this paper the security of those structures are given based on discussion about condition probability PZ|X=x(z) and PZ|M=m(z) of hash func- tion H, where H : {0, 1}κ·∗ × {0, 1}n → {0, 1}n, x ∈ {0, 1}n, m ∈ {0, 1}κ·∗, z ∈ {0, 1}n, and z = H(m, x). We find if the compression function is designed 1 with max PY |X =x (y) > n , then maxz PZ|M=m(z) may increased dramatically, y h h 2 1 but in random oracle model max PY |X =x (y) = n , so reanalysis the structure y h h 2 of wide-pipe hash and double-pipe hash, and give some new hash structure which can vanish the increase of maxz PZ|M=m(z). The padding is adding zero to end of message, so we assume the message length is multiple of block length. The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 3

2 Definition

A discrete random variable X is a mapping from the sample space Ω to an alphabed X . X assigns a value x ∈ X to each elementary event in the Ω and the probability distribution of X is the function[5] X PX : X → < : x 7→ PX (x) = P [X = x] = P [ω]. ω∈Ω:X(ω)=x If the conditioning event involves another random variable Y defined on the same sample space, the conditional probability distribution of X given that Y takes on a value y is: PXY (x, y) PX|Y =y(x) = PY (y) whenever PY (y) is positive . Two random variables X and Y are called indepen- dent if for all x ∈ X and y ∈ Y:

PXY (x, y) = PX (x) · PY (y). Definition 1 (Perfect Secrecy[6]). A cryptosystem has perfect secrecy if

PX|Y =y(x) = PX (x) for all x ∈ {0, 1}n, y ∈ {0, 1}n. Definition 2 (Perfect Key Distribution). A cryptosystem has perfect key distribution if PK|Y =y(k) = PK (k) for all x ∈ {0, 1}n, y ∈ {0, 1}n.

In fact, PXY (xy) = PX|Y =yPY (y) = PY |Xh=xh (y)PX (x), since PX|Y =y(x) =

PX (x), we get PY |Xh=xh (y) = PY (y). Definition 3 (Random Oracles[12]). A fixed-size random oracle is a func- tion f : {0, 1}n → {0, 1}n, chosen uniformly at random from the set of all such functions. For interesting sizes a and b, it is infeasible to implement such a func- tion, or to store its truth table. Thus, we assume a public oracle which, given x ∈ {0, 1}n, computes y = f(x) ∈ {0, 1}n. κ n n n Let the compression function F : {0, 1} × {0, 1} → {0, 1} , xh ∈ {0, 1} , κ n xm ∈ {0, 1} , y ∈ {0, 1} , where y = F (xm, xh), in hash iteration, xh is chaining value. Let H : {0, 1}κ·∗ × {0, 1}n → {0, 1}n, x ∈ {0, 1}n, m ∈ {0, 1}κ·∗, z ∈ {0, 1}n, and z = H(m, x). Definition 4. Let F : {0, 1}κ × {0, 1}n → {0, 1}n, H : {0, 1}κ·∗ × {0, 1}n → n n F 4 F 4 n {0, 1} , Λ ⊂ {0, 1} . Let Ω = {(xm, xh, y)} = {(xm, xh, y)|xh ∈ {0, 1} , xm ∈ κ n H 4 H 4 {0, 1} , y ∈ {0, 1} , y = F (xm, xh)}. Let Ω = {(m, x, z)} = {(m, x, z)|x ∈ {0, 1}n, m ∈ {0, 1}κ·∗, z ∈ {0, 1}n, z = H(m, x)}. The σ-algebra F is the subsets of Ω, ωF ∈ ΩF . 4 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu

The examples of restriction E on Ω are as followings:

F 4 F – {(xh0 , xm, y)} = {(xh0 , xm, y)|(xh0 , xm, y) ∈ Ω }; F 4 F – {(xh, xm, y)|xh ∈ Λ} = {(xh, xm, y)|(xh, xm, y) ∈ Ω , xh ∈ Λ} F 4 S F – {{(xh, xm, y)} }xh∈Λ = {{(xh, xm, y)} } xh∈Λ Definition 5 (Finding Preimage). Finding Preimage of F or H is for given F F H H y0 or z0 finding ω ∈ {(xm, xh, y0)} or ω ∈ {(m, x, z0)} .

Definition 6 (Finding Collision). Finding Collision of F or H is finding F 0F F H 0H n ω , ω ∈ A and A ∈ {{(xm, xh, y0)} }y0∈{0,1} or finding ω , ω ∈ A and H n A ∈ {{(m, x, z0)} }z0∈{0,1} . Definition 7 (Free Start Preimage Resistant). Preimage resistant of F is F F that if the best way to find ω ∈ {(xm, xh, y0)} is exhaustive search. Preimage H H resistant of H is that if the best way to find ω ∈ {(m, x, z0)} is exhaustive search.

Definition 8 (Fix Start Preimage Resistant). Let Λ ⊂ {0, 1}n, F is fix F F start preimage resistant, if the best way to find ω ∈ {(xh0 , xm, y0)} is ex- haustive search. H is fix start preimage resistant , if the best way to find ωH ∈ H {(x0, m, z0)} is exhaustive search.

Definition 9 (Free Start Collision Resistant). Collision resistant of F is F 0F F n that the best way to find ω , ω ∈ A and A ∈ {{(xm, xh, y0)} }y0∈{0,1} is exhaustive search. Collision resistant of H is that the best way to find ωH , ω0H ∈ H n A and A ∈ {{(m, x, z0)} }z0∈{0,1} is exhaustive search. Definition 10 (Fix Start Collision Resistant). Let Λ ⊂ {0, 1}n, Fix start collision resistant of F is that the best way to find ωF , ω0F ∈ A and A ∈ F n {{(xm, xh, y0)|xh ∈ Λ} }y0∈{0,1} is exhaustive search. Fix start collision re- H 0H sistant of H is that the best way to find ω , ω ∈ A and A ∈ {{(m, x, z0)|x ∈ H n Λ} }z0∈{0,1} is exhaustive search. In hash function attack, the probability of finding a primage or collision is dif- ferent from tradition point of view of probability. If the compression function F is block cipher E with form of Ek(x) = y, then the probabilities of PX|Y =y,K=k(x), PK|Y =y,X=x(k) are both equal 0 or 1 (assume the cipher with perfect key distri- bution). However, for given y, k, the value x satisfying y = Ek(x) can be found −1 directly by computing x = Ek (y), but for given y, x the value k satisfying y = Ek(x) can be found only by exhaustive search of k, that implies we should compute E for each guessing k. So we consider giving new definition about the complexity of finding collision or preimage based on the times computing F being made. Definition 11. Let F : {0, 1}κ × {0, 1}n → {0, 1}n, H : {0, 1}κ·∗ × {0, 1}n → {0, 1}n, Λ ⊂ {0, 1}n. PF and PH are defined as the minimum times required The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 5 of computing F with probability of 1 finding a free start preimage of F and H, F H respectively. PΛ and PΛ are defined as the minimum times required of computing F with probability of 1 finding a fix start preimage of F or H, respectively. CF or CH is defined as the minimum times required of computing F with probability H H of 1 finding free start collision of F or H. CΛ or CΛ is defined as the minimum times required of computing F with probability of 1 finding fix start collision of F or H.

If F is block cipher F (xm, xh) = Fxh (xm), from given y, xh we can com- pute x = F −1(y) that means PF = 1. But we can’t compute x directly m xh h F from give y, xm, the only way to find k is exhaustive search, we have P = P (y )−1. Y |Xh=xh0 0

3 Hash Properties of Compression Function

4 κ 4 Let compression function y = F (xm, xh) with qx = max PY |X =x (y)2 , qx = h y h h m n 4 n κ max PY |X =x (y)2 and qy = PY (y)2 2 . The conclusions of this section are y m m that the best design of y = F (xm, xh) should satisfy qxh = qxm = 1. We make a 1 assumption of 0 = 0.

3.1 Free Start Preimage Resistance The conclusion of this subsection is Theorem1, the upper bound of free start κ n preimage resistant of F is min { 2 , 2 }, which implies the best selection of qx qx xm,xh h m free start collision resistant and free start preimage resistant have same require- ment on F .

Theorem 1. Let y = F (xm, xh) is free start preimage resistant then: 2n 2κ PF = min { , }. (1) x ,x m h qxh qxm

Proof. F (xm, xh) is preimage resistant, the only way to get preimage is exhaus- tive search. The exhaustive search has following ways:

– given y0, xh searching xm with y = F (xm, xh), the success probability is:

p = PY |Xh=xh (y0)

κ We get the minimum complexity is 2 . qxh 2n – For given y0, xm searching xh, we get the minimum complexity is . qxm – For given y0, randomly searching xh and xm, the minimum complexity is κ n 2 2 . ut qy 6 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu

3.2 Free Start Collision Resistance

Conclusion of this subsection is Theorem2,q upperq bound ofq free start collision resistant of F is smaller than max { 2κ , 2n , 2n+κ }, which im- (qx −1) (qx −1) (qy −1) xm,xh,y h m plies the best design of F should satisfy y is uniformly distributed in {0, 1}n for each k ∈ {0, 1}κ and for each x ∈ {0, 1}n.

Theorem 2. F is not invertible for xh and xm then s s s 2κ 2n 2n+κ CF = max { , , } (2) x ,x ,y m h (qxh − 1) (qxm − 1) (qy − 1)

Proof. The collision can be get only by exhaustive search.

– The fastest way to search for collision is the way based on birthday para-

dox. For random selected xh searching xm1 , xm2 , . . . xmt finding collision of

F (xh, xmi ) = F (xh, xmj ). The max probability of success is

t−1 κ κ κ κ P κ 2 (2 − 2 PY |Xh=xh (y1)) ... (2 − (2 PY |Xh=xh (yi)) p = 1 − µ ¶ i 2κ t! t

4 κ Let denote qxh = 2 maxy PY |Xh=xh (y) then

(2κ)(2κ − q ) ... (2κ − q (t − 1)) p ≤ 1 − xh xh (2κ)(2κ − 1) ... (2κ − t + 1) tY−1 n − iq tY−1 iq − i tY−1 i = 1 − xh = 1 − (1 − xh ) = 1 − (1 − (q − 1)) 2κ − i 2κ − i 2κ − i xh i=0 i=0 i=0 t−1 t−1 Y i Y i i2 (q −1) ( κ + )(qx −1) ≈ 1 − exp 2κ−i xh ≈ 1 − exp 2 2κ2 h i=0 i=0 p κ Same as birthday paradox, when t ≥ 2 /(qxh − 1), qxh > 1 the suc- cessq probability of collision is bigger than 1/2. We get the complexity is min 2κ . qx −1 xm h q 2n – similar as item 1, we get for selectedxm the complexity is q −1 ; xm q 2n+κ – similar as item 1, we get for searching xm, xh the complexity is . ut qy −1

3.3 Fix Start Preimage Resistance

The conclusions of this subsection are Theorem3. The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 7

n Theorem 3. Let y = F (xm, xh), Λ ⊂ {0, 1} then:

– If F is invertible for (y, xh) then

F PΛ = 1.

– If F is invertible for (y, xm) and fix start preimage resistant then

κ F 2 PΛ ≥ P qxh xh∈Λ

−1 Proof. If F is invertible for (y, xh), make notation of xm = F (y, xh).

−1 F – select xh ∈ Λ, compute xm0 = F (xh, y), get xm0 , So PΛ = 1. – there are two ways to search the preimage: • select xh ∈ Λ, search xm satisfy y0 = F (xm, xh), the complexity is 2κ min q x∈Λ xh • for y0, select xm search xh, for random selected xm, the maximum prob- ability of success is X X

p = PXh (xh)PXm (xm)PY |Xm=xm,Xh=xh (y0 = F (xm, xh))

xm xh∈Λ

κ the minimum requirement of computation times are P 2 . qx x∈Λ h ut

3.4 Fix Start Collision Resistance The conclusion of this subsection are Theorem4 , which tell us the best design of F also should satisfy Y is uniformly distributed in {0, 1}n for each k ∈ {0, 1}κ and for each x ∈ {0, 1}n.

n Theorem 4. Let y = F (xm, xh), Λ ⊂ {0, 1} then:

– If F is invertible for (y, xh) then ½ 2 |Γ | > 1 or q > 1 CF = xm (3) Λ 0 else

– If F is invertible for (y, xm) and fix start preimage resistant then s v κ κ u κ|Λ| F 2 2 u 2 CΛ ≥ min { , P , t P }. (4) x ∈Λ h (qxh − 1) qxh − 1 qxh − 1 xh∈Λ xh∈Λ

−1 Proof. If F is invertible for (y, xh), make notation of xm = F (y, xh). 8 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu

0 0 – select xh ∈ Λ, and xm compute F (xm, xh), select xh ∈ Λ, get xm = −1 0 F F (xh,F (xm, xh)), so CΛ = 2. – The collision can be found in following ways: • Since F is fix start preimage resistant, for selected xh ∈ Λ, the fastest 0 way to get collision of xm, xm is random select a xm1 , . . . , xmt getting

y = F (xh, xmi , checking F (xh, xmi ) = F (xh, xmj ) equals or not, simi- qlar as proof of Theorem2, the minimum requirement of computation is 2κ . (qxh −1) 0 0 • if |Λ| > 1, for given xh, xh ∈ Λ the fastest way to find xm, xm is random 0 select xm1 , . . . , xmt , compute yi = F (xh, xmi ) and yj = F (xh, xmj ) then check y equals y0 or not, since from Theorem2 we get the minimum i j s requirement of computation is P2κ|Λ| . qxh −1 xh∈Λ • for selected x ∈ Λ,x , get F (x , x ), then minimum computation re- h m m h P 0 0 0 qxh −1 quired for finding xh ∈ Λ with F (xm, xh) = F (xh, xm) is 2κ . x∈Λ ut

4 The Security of M-D Structure

In this section, we give the proves of that if the compression function is free start preimage resistant and collision resistant, then the hash function is free start preimage resistant and but not free start collision resistant, if the com- pression function is fix start collision resistant and preimage resistant then the hash function is fix start collision resistant and preimage resistant, and also the upper bounds of collision resistance and preimage resistance are given based on the condition probabilities PY |Xh=xh (y) and PY |Xm=xm (y). And also if the com- pression function is not immune to free start preimage resistant, then the com- pression function should be designed with minimum value of maxy PY |Xh=xh (y) and maxy PY |Xm=xm (y), which imply the best design require the Y is uniformly n distributed in {0, 1} for each xh and each xm, if n = κ then the best design of compression function is permutation for each xh and each xm. Let F : {0, 1}κ ×{0, 1}κ → {0, 1}n is a compression function of hash function H, the H with M-D construction is defined as(Figure illustration is given in Fig1): H : {0, 1}κ·∗ × {0, 1}n → {0, 1}n

4 H(m, xh) = H(m∗k ... km1, x) = F (m∗,F (m∗−1,... (F (m1, xh)) ...)) n n κ·∗ where xh ∈ {0, 1} , y = F (xm, xh), y ∈ {0, 1} , m ∈ {0, 1} , m = m∗k ... km1, z = F (m∗,...F (m1, xh) ...). Lemma 1. Let F : {0, 1}κ ×{0, 1}n → {0, 1}n, H : {0, 1}κ·t ×{0, 1}n → {0, 1}n, z = F (mt,...F (m1, x) ...), and m1, . . . , mt are independent from each other then: The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 9

m1 m2 mt

... x h1 ht-1 ht

Fig. 1. The M-D Hash

qt xm – PZ|M=m(z) ≤ 2n qxh – PZ|Xh=xh (z) ≤ 2κ .

Proof. It is clear t = 1 the inequality is correct, when t = 2:

PZ|M=m(z) = PZ|M=m km (z) X 2 1

= PXh (xh)PZ|M=m2km1,Xh=xh (z = F (m2,F (m1, xh))) x Xh X

= PXh (xh)PZ|M=m2km1,Xh=xh (z = F (m2, u), u = F (m1, xh)) x u Xh X

= PZ|M2=m2,U=u(z = F (m2, u)) PXh (xh)PU|M1,Xh (u = F (m1, xh)) u x X h

= PZ|M2=m2,U=u(z = F (m2, u))PU|M1=m1 (u) u X 1 ≤ q P (z = F (m , u)) ≤ q P (z) xm 2n Z|M2=m2,U=u 2 xm Z|M2=m2 u

PZ|X =x (z) X h h

= PM (m1)PM (m2)PZ|M=m2km1,Xh=xh (z = F (m2,F (m1, xh))) m ,m X1 2 X

= PM (m1)PM (m2)PZ|M=m2km1,Xh (z = F (m2, u), u = F (m1, xh)) m ,m u X1 X2 X

= PM (m2)PZ|M2,U (z = F (m2, u)) PM (m1)PU|M1,Xh (u) m u m X2 X 1

= PM (m2)PZ|M2,U=u(z = F (m2, u))PU|Xh=xh (u) m2 u X q X = P (z)P (u) ≤ xh P (u) = q /2κ. Z|U=u U|Xh=xh 2κ U|Xh=xh xh u u Let assume when t ≤ l − 1 the inequality is true, when t = l

PZ|M=m(z) 10 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu X 0 0 0 = PXh (xh)PZ|M =m km1,Xh=xh (z = H(m ,F (m1, xh))) x Xh 0 0 0 = PZ|M =m ,U=u(z = HXh (m , u))PU|M1=m1 (u) u X 1 0 l −n ≤ q P 0 0 (z = H (m , u)) ≤ q 2 xm 2n Z|M =m ,U=u Xh xm u

PZ|X =x (z) X h h 0 0 0 = PM (m )PM (m1)PZ|M=m km1,Xh=xh (z = H(m , (F (m1, xh))) m0,m X1 0 0 0 0 = PM (m )PM (m1)PZ|M=m km1,Xh,U (z = H(m , u), u = F (m1, xh)) m0,m ,u X X1 0 0 0 0 0 = PM (m )PZ|M =m ,U=u(z = H(m , u))PU|Xh=xh (u) m0 u X q X q = P (z)P (u) ≤ xh P (u) = xh . Z|U=u U|Xh=xh 2κ U|Xh=xh 2κ u u From induction principle we get the conclusions. ut

Theorem 5. If F : {0, 1}κ × {0, 1}n → {0, 1}n is preimage resistant and colli- sion resistant, H : {0, 1}κ·t × {0, 1}n → {0, 1}n, x ∈ {0, 1}n, m ∈ {0, 1}κ·t, y ∈ n n {0, 1} , z ∈ {0, 1} , y = F (xm, xh) and z = F (mt,...F (m1, x) ...) then: – if F is preimage resistant and collision resistant 2κ 2n PH ≥ min { , } (5) x ,x m h qxh qxm

CH = 2 (6)

– If F is invertible for (y, xh) then |M| PH = Λ κ |M| + |M 0| CH = Λ κ

– If F is invertible for (y, xm) and fix start preimage resistant then s κ κ n H 2 2 2 PΛ ≥ min{ P , , |M| } (7) qxh qxh κ x∈Λ qxm s v n κ κ u κ|Λ0| H 2 2 2 u 2 CΛ ≥ min { |M| , , P , t P } (8) x ∈Λ,x h m κ (qxh − 1) qxh − 1 qxh − 1 qxm x∈Λ x∈Λ0 The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 11

– If F preimage resistant and collision resistant then

n n H 2 2 PΛ ≥ min{ , |M| } (9) k∈Γ qxm n qxh s v n n u n|Γ 0| H 2 2 u 2 CΛ ≥ min { |M| , , t P } (10) k∈Γ,x n (qxm − 1) qxm − 1 qxh k∈Γ 0

−1 Proof. If F is invertible, then denote xm = F (y, xh).

– If F is preimage resistant and collision resistant:

• Let assume for given y find m, x satisfying H(mtk ... km1, x) = y then we find H(mt−1k ... km1, x), mt satisfying F (mt,H(mt−1k ... km1, x)) = y, from Theorem1 we get the conclusion. • Since H(m2km1, x) = H(m2,H(m1, x)), then we find collision. 0 −1 H |M| H |M|+|M | – If xm = F (y, xh) then: The conclusions PΛ = κ , CΛ = κ can be −1 get by the direct computation, since xm = F (y, xh). – If F is fix start preimage resistant and fix start collision resistant: • there are two ways to find the preimage: ∗ Case 1 : Using directly search way to find the preimage of z, directly searching m ∈ {0, 1}κ·∗ satisfying z = H(m, x) where x ∈ Λ. F is fix start preimage resistant, which implies for given z, x the only way of finding m satisfying z = H(m, x) is exhaustive search, more precisely, From Lemma1 and Theorem3 we get the requirement of κ P κ minimum computation is min{ 2 |M| , 2 . qx κ qx h x∈Λ h ∗ Case 2 : Using meet in middle attack way to find the preimage, 0 00 for given z, search m0 ∈ {0, 1}κ·t , m00 ∈ {0, 1}κ·t , satisfying z = H(m00, u) and u = H(m0, x) where x ∈ Λ: 4 · Select m0 randomly, searching m00, let Λ0 = {H(m0, x), x ∈ Λ}, the problem become case 1; · Select m00 randomly, get u from z = H(m00, u), then searching m0 satisfying u = H(m0, x), equals finding the preimage of u; · Guessing m0 and m00, compute u and u0 from u = H(m0, x) and 00 0 00 0 z = H(mq , u ), let t = |m |, the probability of u = u smaller than[?] 2κ , qxh · if the compression function is designed with property of that, n κt t ∃z˙ ∈ {0, 1} ,m ˙ ∈ {0, 1} satisfy PZ|M=m ˙ (z ˙) = qxm and qxm > 2n 1, then the complexity of finding preimage ofz ˙ is qt , where we xm search m satisfyz ˙ = H(m ˙ km, x). From Case 1 and Case 2, we get the conclution. • there are three ways to find the collision : 12 Duo Lei, Feng Guozhu, Li Chao, Feng Keqin, and Longjiang Qu

∗ Case 1: Directley finding collision of H: that means search m0 ∈ 0 00 {0, 1}κ·t , m00 ∈ {0, 1}κ·t satisfying H(m0, x) = H(m00, x) with x ∈ Λ. F is preimage resistant implies for given z, x the only way of finding m satisfying z = H(m, x) is exhaustive search. From Lemma1 and Theorem4 we get by directly search thes minimum requirement q κ of computation is min { 2κ , P 2 , P2κ|Λ| }. (qx −1) xh∈Λ h qxh −1 qxh −1 x∈Λ x∈Λ 0 00 ∗ Case 2: search m ∈ {0, 1}κ·t, m0 ∈ {0, 1}κ·t , m00 ∈ {0, 1}κ·t , satis- fying H(m, x) = H(m00, u) and u = H(m0, x) where x ∈ Λ: · if we randomly select m searching m0, m00, the problem becomes finding a primage of z = H(m, x); · If we randomly select m0 get u from u = H(m0, x), then search m 4 and m00 satisfying H(m, x) = H(m00, u), let Λ0 = {H(m0, x), x ∈ Λ} ∪ Λ, the problem become case 1 where x ∈ Λ0; · If randomly select m00 search m, m0 check H(m00,H(m0, x)) = H(m, x) being satisfied or not, which needs more computation than given m00 finding z and m0 satisfying z = H(m00,H(m0, x)). 0 ∗ Case 3: search m ∈ {0, 1}κ·t, m0 ∈ {0, 1}κ·t ,m ¯ ∈ {0, 1}κ·t¯,m ¯ 0 ∈ 0 {0, 1}κ·t¯ satisfy H(m0,H(m, x)) = H(m ¯ 0,H(m, ¯ x) where x ∈ Λ, similar as case 2, case 3 needs more computation than case 2. From Case 1, Case 2 and Case 3, we get the conclusion. – if F is preimage resistant and collision resistant then the conclusion can be get directly from previous item. ut Theorem5 tell us on condition of the compression function F is free start preimage resistant and free start collision resistant, the best design of H and

HK have properties of qxm = 1 and qxh = 1.

5 Conclusion

The main conclusion of this paper is that if no way to design the compression F (k, x) immune to free start preimage resistant, then the best design of compres- sion function is a block cipher with perfect key distribution and perfect security where the hash function has M-D structure. So the design of block cipher and hash function can be one problem and the design of key schedule algorithm of block cipher become important than before.

References

1. B.Preneel: The State of Cryptographic Hash Functions. In Lectures on Data Se- curity, Lecture Notes in Computer Science, Vol. 1561. Springer-Verlag, Berlin Hei- delberg New York (1999) 158-182. 2. B. Preneel, R. Govaerts, and J. Vandewalle, ” Hash functions based on block ciphers,”, In Advances in Cryptology -CRYPTO’93, Lecture Notes in Computer Science,pages 368-378. Springer-Verlag, 1994. The Design Principle of Hash Function with Merkle-Damg˚ardConstruction 13

3. B.Preneel, V. Rijmen, A.Bosselaers: Recent Developments in the Design of Conven- tional Cryptographic Algorithms. In State of the Art and Evolution of Computer Security and Industrial Cryptography. Lecture Notes in Computer Science, Vol 1528. Springer-Verlag, Berlin Heidelberg New York(1998) 106-131. 4. B. Van Rompay,Analysis and design of cryptographic hash functions, MAC algo- rithms and block cipher, K. U. Leuven, Juni 2004 5. C.Chchin. Entropy Measures and Uncoditional Security in Cryptography, PHD thesis. 6. C.E. Shannon. ”Communication theory of secrecy systems,”, Bell System Technical Journal, 28:656 – 715, 1949. 7. C. H. Meyer and S. M. Matyas. Cryptography: a New Dimension in Data Security. Wiley & Sons, 1982. 8. E.Biham and R.Chen. Near-Collisions of SHA-0,In Advances in Cryptology CRYPTO’2004, LNCS 3152,pp290-305,2004. 9. E.Biham and R.Chen. Near-Collisions of SHA-0 and SHA-1. In Selected Areas in Cryptography-SAC 2004. 10. M. O. Rabin. Digitalized Signatures. In R. A. Demillo, D. P. Dopkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation, pages 155-166, New York, 1978. Academic Press. 11. I.Damg˚ard.A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology-CRYPTO’ 89, volume 435 of Lecture Notes in Computer Science. Springer-Verlag, 1990. 12. J.Black, P.Rogaway, and T.Shrimpton, ”Black-box analysis of the block-cipher- based hashfunction constructions from PGV”. In Advances in Cryptology - CRYPTO’02, volume 2442 of Lecture Notes in Computer Science. Springer-Verlag, 2002.pp.320-335. 13. J. Daemen and V. Rijmen: The Design of Rijndael: AES The Advanced Encryption Standard. Springer, 2002. 14. X. Wang, H. Yu, How to Break MD5 and Other Hash Functions, EURO- CRYPT’2005, Springer-Verlag, LNCS 3494, pp19-35, 2005. 15. X. Lai and J. L. Massey: Hash functions based on block ciphers. In Advances in Cryptology Eurocrypt’92, Lecture Notes in Computer Science, Vol. 658. Springer- Verlag, Berlin Hei-delberg New York (1993) 55-70. 16. X. Wang, X. Lai, D.Feng and H.Yu., Cryptanalysis of the Hash Functions MD4 and RIPEMD, EUROCRYPT 2005, Springer-Verlag,LNCS 3494, pp1-18, 2005.