TY - GEN
T1 - Revisiting Collision and Local Opening Analysis of ABR Hash
AU - Dhar, Chandranan
AU - Dodis, Yevgeniy
AU - Nandi, Mridul
N1 - Funding Information:
Funding Yevgeniy Dodis: Partially supported by gifts from VMware Labs and Google, and NSF grants 1815546 and 2055578. Mridul Nandi: Partially supported by the project “Study and Analysis of IoT Security” under Government of India at R.C.Bose Centre for Cryptology and Security, Indian Statistical Institute, Kolkata.
Publisher Copyright:
© Chandranan Dhar, Yevgeniy Dodis, and Mridul Nandi; licensed under Creative Commons License CC-BY 4.0
PY - 2022/7/1
Y1 - 2022/7/1
N2 - The question of building the most efficient tn-to-n-bit collision-resistant hash function H from a smaller (say, 2n-to-n-bit) compression function f is one of the fundamental questions in symmetric key cryptography. This question has a rich history, and was open for general t, until a recent breakthrough paper by Andreeva, Bhattacharyya and Roy at Eurocrypt'21, who designed an elegant mode (which we call ABR) achieving roughly 2t/3 calls to f, which matches the famous Stam's bound from CRYPTO'08. Unfortunately, we have found serious issues in the claims made by the authors. These issues appear quite significant, and range from verifiably false statements to noticeable gaps in the proofs (e.g., omissions of important cases and unjustified bounds). We were unable to patch up the current proof provided by the authors. Instead, we prove from scratch the security of the ABR construction for the first non-trivial case t = 11 (ABR mode of height 3), which was incorrectly handled by the authors. In particular, our result matches Stam's bound for t = 11. While the general case is still open, we hope our techniques will prove useful to finally settle the question of the optimal efficiency of hash functions.
AB - The question of building the most efficient tn-to-n-bit collision-resistant hash function H from a smaller (say, 2n-to-n-bit) compression function f is one of the fundamental questions in symmetric key cryptography. This question has a rich history, and was open for general t, until a recent breakthrough paper by Andreeva, Bhattacharyya and Roy at Eurocrypt'21, who designed an elegant mode (which we call ABR) achieving roughly 2t/3 calls to f, which matches the famous Stam's bound from CRYPTO'08. Unfortunately, we have found serious issues in the claims made by the authors. These issues appear quite significant, and range from verifiably false statements to noticeable gaps in the proofs (e.g., omissions of important cases and unjustified bounds). We were unable to patch up the current proof provided by the authors. Instead, we prove from scratch the security of the ABR construction for the first non-trivial case t = 11 (ABR mode of height 3), which was incorrectly handled by the authors. In particular, our result matches Stam's bound for t = 11. While the general case is still open, we hope our techniques will prove useful to finally settle the question of the optimal efficiency of hash functions.
KW - ABR hash
KW - collision resistance
KW - local opening
UR - http://www.scopus.com/inward/record.url?scp=85134346633&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85134346633&partnerID=8YFLogxK
U2 - 10.4230/LIPIcs.ITC.2022.11
DO - 10.4230/LIPIcs.ITC.2022.11
M3 - Conference contribution
AN - SCOPUS:85134346633
T3 - Leibniz International Proceedings in Informatics, LIPIcs
BT - 3rd Conference on Information-Theoretic Cryptography, ITC 2022
A2 - Dachman-Soled, Dana
PB - Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
T2 - 3rd Conference on Information-Theoretic Cryptography, ITC 2022
Y2 - 5 July 2022 through 7 July 2022
ER -