TY - GEN
T1 - T5
T2 - 2nd Conference on Information-Theoretic Cryptography, ITC 2021
AU - Dodis, Yevgeniy
AU - Khovratovich, Dmitry
AU - Mouha, Nicky
AU - Nandi, Mridul
N1 - Publisher Copyright:
© 2021 Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing. All rights reserved.
PY - 2021/7/1
Y1 - 2021/7/1
N2 - Given 2n-to-n compression functions h1, h2, h3, we build a new 5n-to-n compression function T5, using only 3 compression calls: T5(m1, m2, m3, m4, m5):= h3(h1(m1, m2) ⊕ m5, h2(m3, m4) ⊕ m5) ⊕ m5 We prove that this construction matches Stam's bound, by providing Õ(q2/2n) collision security and O(q3/22n + nq/2n) preimage security (the latter term dominates in the region of interest, when q < 2n/2). In particular, it provides birthday security for hashing 5 inputs using three 2n-to-n compression calls, instead of only 4 inputs in prior constructions. Thus, we get a sequential variant of the Merkle-Damgård (MD) hashing, where t message blocks are hashed using only 3t/4 calls to the 2n-to-n compression functions; a 25% saving over traditional hash function constructions. This time reduces to t/4 (resp. t/2) sequential calls using 3 (resp. 2) parallel execution units; saving a factor of 4 (resp. 2) over the traditional MD-hashing, where parallelism does not help to process one message. We also get a novel variant of a Merkle tree, where t message blocks can be processed using 0.75(t − 1) compression function calls and depth 0.86 log2 t, thereby saving 25% in the number of calls and 14% in the update time over Merkle trees. We provide two modes for a local opening of a particular message block: conservative and aggressive. The former retains the birthday security, but provides longer proofs and local verification time than the traditional Merkle tree. For the aggressive variant, we reduce the proof length to a 29% overhead compared to Merkle trees (1.29 log2 t vs log2 t), but the verification time is now 14% faster (0.86 log2 t vs log2 t). However, birthday security is only shown under a plausible conjecture related to the 3-XOR problem, and only for the (common, but not universal) setting where the root of the Merkle tree is known to correspond to a valid t-block message.
AB - Given 2n-to-n compression functions h1, h2, h3, we build a new 5n-to-n compression function T5, using only 3 compression calls: T5(m1, m2, m3, m4, m5):= h3(h1(m1, m2) ⊕ m5, h2(m3, m4) ⊕ m5) ⊕ m5 We prove that this construction matches Stam's bound, by providing Õ(q2/2n) collision security and O(q3/22n + nq/2n) preimage security (the latter term dominates in the region of interest, when q < 2n/2). In particular, it provides birthday security for hashing 5 inputs using three 2n-to-n compression calls, instead of only 4 inputs in prior constructions. Thus, we get a sequential variant of the Merkle-Damgård (MD) hashing, where t message blocks are hashed using only 3t/4 calls to the 2n-to-n compression functions; a 25% saving over traditional hash function constructions. This time reduces to t/4 (resp. t/2) sequential calls using 3 (resp. 2) parallel execution units; saving a factor of 4 (resp. 2) over the traditional MD-hashing, where parallelism does not help to process one message. We also get a novel variant of a Merkle tree, where t message blocks can be processed using 0.75(t − 1) compression function calls and depth 0.86 log2 t, thereby saving 25% in the number of calls and 14% in the update time over Merkle trees. We provide two modes for a local opening of a particular message block: conservative and aggressive. The former retains the birthday security, but provides longer proofs and local verification time than the traditional Merkle tree. For the aggressive variant, we reduce the proof length to a 29% overhead compared to Merkle trees (1.29 log2 t vs log2 t), but the verification time is now 14% faster (0.86 log2 t vs log2 t). However, birthday security is only shown under a plausible conjecture related to the 3-XOR problem, and only for the (common, but not universal) setting where the root of the Merkle tree is known to correspond to a valid t-block message.
KW - Collision resistance
KW - Hash functions
KW - Merkle trees
KW - Merkle-Damgård
UR - http://www.scopus.com/inward/record.url?scp=85115292295&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85115292295&partnerID=8YFLogxK
U2 - 10.4230/LIPIcs.ITC.2021.24
DO - 10.4230/LIPIcs.ITC.2021.24
M3 - Conference contribution
AN - SCOPUS:85115292295
T3 - Leibniz International Proceedings in Informatics, LIPIcs
BT - 2nd Conference on Information-Theoretic Cryptography, ITC 2021
A2 - Tessaro, Stefano
PB - Schloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
Y2 - 23 July 2021 through 26 July 2021
ER -