Sequential Hashing with Minimum Padding

Abstract

This article presents a sequential domain extension scheme with minimum padding for hashing using a compression function. The proposed domain extension scheme is free from the length extension property. The collision resistance of a hash function using the proposed domain extension is shown to be reduced to the collision resistance and the everywhere preimage resistance of the underlying compression function in the standard model, where the compression function is assumed to be chosen at random from a function family in some efficient way. Its indifferentiability from a random oracle up to the birthday bound is also shown on the assumption that the underlying compression function is a fixed-input-length random oracle or the Davies-Meyer mode of a block cipher chosen uniformly at random. The proposed domain extension is also applied to the sponge construction and the resultant hash function is shown to be indifferentiable from a random oracle up to the birthday bound in the ideal permutation model. The proposed domain extension scheme is expected to be useful for processing short messages.

1. Introduction

1.1. Background

A cryptographic hash function takes as input a sequence of arbitrary length and produces as output a sequence of fixed length. It usually consists of a primitive and a domain extension scheme. A primitive is a compression function or a permutation, which takes a fixed-length input and produces a fixed-length output. A domain extension scheme specifies how to process an input sequence with arbitrary length using a primitive with fixed input length.

The standardized hash functions SHA-2 [1] use dedicated compression functions and a domain extension scheme due to Merkle [2] and Damgård [3]. The domain extension scheme is called strengthened Merkle-Damgård (SMD). It is a sequential iteration of a compression function and its padding algorithm appends the binary representation of the length of an input message, which is called MD strengthening.

A positive point of SMD is its preservation of collision resistance. Namely, a hash function using SMD satisfies collision resistance if its underlying compression function satisfies it. On the other hand, a negative point of SMD is its length extension property. Due to this property, the MAC function HMAC [4] invokes the underlying hash function twice. It causes inefficiency for short messages. The other negative point is that message blocks after padding may include a message block consisting only of a padding sequence, which needs an additional call to the compression function.

A domain extension scheme with minimum padding and free from the length extension property seems useful especially for processing short messages. Informally, we say that padding is minimum if the produced message blocks include no message block only with the padding sequence for any non-empty input message.

1.2. Our Contribution

This article first presents a sequential domain extension scheme with minimum padding for hashing using a compression function. The padding function of the domain extension is not injective. It extends the MDP domain extension [5] and uses two distinct permutations for domain separation. The permutations also prevent the length extension property. The permutations need not be cryptographic transformations. A typical candidate for them is bitwise XOR with a nonzero constant.

Then, the security properties of a hash function using the proposed domain extension are analyzed. The properties considered are the collision resistance and the indifferentiability.

The proposed domain extension does not preserve the collision resistance. However, it is shown that the collision resistance of a hash function using the domain extension is reduced to the collision resistance and the everywhere preimage resistance of the underlying compression function.

It is also shown that a hash function using the domain extension is indifferentiable from a variable-input-length random oracle (VIL RO) up to the birthday bound if the underlying compression function is a fixed-input-length random oracle (FIL RO) or the Davies-Meyer mode of a block cipher chosen uniformly at random.

The proposed domain extension scheme can also be applied to the sponge construction in a straightforward way. It is shown that the resultant hash function is indifferentiable from a VIL RO up to the birthday bound if the underlying permutation is chosen uniformly at random.

1.3. Related Work

The presented domain extension of hashing was first considered for a pseudorandom function using a compression function [6]. It is shown in [6] that keying via IV to the domain extension presented in the current article produces a pseudorandom function if the underlying compression function is a pseudorandom function against related-key attacks with respect to the permutations used in the domain extension.

There are many proposals for domain extension of hashing. On the other hand, little attention has been paid to padding.

The most related work was done by Bagheri et al. [7]. They proposed a generic scheme to construct an iterated hash function which requires neither a fixed IV nor the MD strengthening. Their scheme uses three distinct compression functions to get prefix-free and suffix-free property. It assumes injective padding function. They also showed that their hash function is indifferentiable from a VIL RO if the underlying compression functions are FIL ROs.

Nandi [8] showed that the suffix-free property of padding is necessary and sufficient for the plain MD domain extension to preserve the collision resistance. He also presented a suffix-free padding scheme which works for any input message M of arbitrary length. It appends $O(\log |M|)$ bits to M. The padding scheme for SHA-2, which is based on Merkle’s [2], also appends only $O(\log |M|)$ bits. However, it works only for input messages of bounded length.

Coron et al. [9] formalized the indifferentiability notion for hash functions in the framework by Maurer et al. [10]. They also showed the indifferentiability of the following domain extension schemes: prefix-free plain MD, plain MD with output truncation (chopMD), NMAC construction, and HMAC construction, where HMAC construction is rather different from the MAC function HMAC [4]. They assumed injective padding. Their work was followed by Chang et al. [11,12].

Bellare and Ristenpart introduced the notion of multi-property preservation for domain extension [13]. They also presented the EMD (enveloped MD) domain extension and showed that it preserves collision resistance, pseudorandom function, and indifferentiability assuming injective padding.

Merkle-Damgård with permutation (MDP) [5] is a variant of plain MD preventing its length-extension property. A typical example of MDP was presented by Kelsey in [14]. It uses bitwise XOR with a nonzero constant for the permutation.

Minimum padding is already common among MAC functions based on a block cipher such as CMAC [15] and PMAC [16]. The idea to finalize the iteration with multiple non-cryptographic transformations for domain separation is used in the secure CBC-MAC variants GCBC1 and GCBC2 [17].

Sarkar [18] presented a domain extension scheme preserving the collision resistance based on directed acyclic graphs. Bertoni et al. [19] formulated sufficient conditions for domain extension schemes covering both tree and sequential structures to be indifferentiable up to the birthday bound. Based on the sufficient conditions, a coding scheme for tree domain extension schemes is specified in [20], which also covers sequential domain extension schemes.

The sponge construction [21] is a scheme to construct a hash function using a function with its input length equal to its output length, which is typically a permutation. It was invented for the SHA-3 hash function [22]. It is adopted by lightweight hash functions such as PHOTON [23] and SPONGENT [24]. It is also extended to design cryptographic schemes such as authenticated encryption [25].

1.4. Organization

Section 2 gives notations used in this article and defines some security properties required of cryptographic hash functions. The proposed scheme is described in Section 3. The collision resistance of the proposed hash function is discussed in the standard model in Section 4. The indifferentiability is discussed in Section 5. The proposed domain extension is applied to the sponge construction in Section 6. A concluding remark is given in Section 7.

2. Preliminaries

2.1. Notations

Let $\Sigma =\{0,1\}$. Let ${\Sigma }^{\ast }={\bigcup }_{i=0}^{\infty }{\Sigma }^i$, and ${\left({\Sigma }^n\right)}^{+}={\bigcup }_{i=1}^{\infty }{\Sigma }^{ni}$.

For binary sequences x and y, let $x\parallel y$ be their concatenation. The empty sequence is denoted by $\epsilon$.

The operation of selecting an element from set S uniformly at random and assigning it to s is denoted by $s\twoheadleftarrow S$.

2.2. Collision Resistance and Preimage Resistance

In this section, the collision resistance and everywhere preimage resistance [26] are defined in the standard model. To do so, a family of hash functions should be introduced. Suppose that h is a hash function chosen at random from some set of hash functions from $\mathcal{X}$ to $\mathcal{Y}$ in some efficient way.

Let A be an adversary which is given h as input and tries to find a collision pair for h. A collision pair for h are a pair of distinct inputs mapped to the same output by h. The col-advantage of A against h is given by

$${\mathrm{Adv}}_h^{\mathrm{col}}\left(A\right)=Pr[(M,M^{\prime })\leftarrow A\left(h\right):h\left(M\right)=h(M^{\prime })\wedge M\ne M^{\prime }],$$

where the probability is taken over the coin tosses by A and the distribution of h.

Let A be an adversary which is given h as input and tries to find a preimage of an output for h. The pre-advantage of A against h is given by

$${\mathrm{Adv}}_h^{\mathrm{epre}}\left(A\right)=\underset{Y\in \mathcal{Y}}{max}\left\{Pr[M\leftarrow A(h):h(M)=Y]\right\},$$

where the probability is taken over the coin tosses by A and the distribution of h.

2.3. Indifferentiability from Random Oracle

Maurer et al. [10] formalized the notion of indifferentiability as a generalized notion of indistinguishability. Then, Coron et al. [9] tailored it for the security analysis of hash functions.

Let C be an algorithm with oracle access to an ideal primitive $\mathcal{P}$. Here in this article, C is a domain extension scheme using $\mathcal{P}$ with fixed input length and $C^{\mathcal{P}}$ defines a hash function. Let $\mathcal{R}$ be a VIL random oracle and S be a simulator which has oracle access to $\mathcal{R}$. $S^{\mathcal{R}}$ simulates $\mathcal{P}$ in order to convince an adversary that $\mathcal{R}$ is $C^{\mathcal{P}}$. The indiff-advantage of adversary A against $(C,S)$ is given by

$${\mathrm{Adv}}_{C,S}^{\mathrm{indiff}}\left(A\right)=\left|Pr[A^{C^{\mathcal{P}},\mathcal{P}}=1]-Pr[A^{\mathcal{R},S^{\mathcal{R}}}=1]\right|,$$

where the probabilities are taken over the coin tosses by A, S and the oracles $\mathcal{R}$ and $\mathcal{P}$. $C^{\mathcal{P}}$ and $\mathcal{R}$ are called VIL oracles, and $\mathcal{P}$ and $S^{\mathcal{R}}$ are called FIL oracles.

3. Proposed Scheme

The proposed hash function consists of a compression function $F:{\Sigma }^n\times {\Sigma }^w\to {\Sigma }^n$, permutations ${\pi }_0$ and ${\pi }_1$ over ${\Sigma }^n$, and an initialization vector $\mathit{IV}\in {\Sigma }^n$. For ${\pi }_0$ and ${\pi }_1$, it is assumed that ${\pi }_0\left(v\right)\ne v$, ${\pi }_1\left(v\right)\ne v$ and ${\pi }_0\left(v\right)\ne {\pi }_1\left(v\right)$ for any $v\in {\Sigma }^n$.

Remark 1.

Let $c_0$ and $c_1$ be distinct constants in ${\Sigma }^n\backslash \left\{\mathbf{0}\right\}$. Let ${\pi }_i\left(v\right)=v\oplus c_i$ for $i=0,1$. Then, for any $v\in {\Sigma }^n$, ${\pi }_0\left(v\right)\ne v$, ${\pi }_1\left(v\right)\ne v$ and ${\pi }_0\left(v\right)\ne {\pi }_1\left(v\right)$.

Let $\pi$ be a permutation over ${\Sigma }^n$. For $1\le i\le x$, let $X_i\in {\Sigma }^w$. The MDP domain extension [5] ${\mathsf{C}}_{\mathit{IV}}^{F,\pi }:{({\Sigma }^w)}^{+}\to {\Sigma }^n$ for F is defined as follows: ${\mathsf{C}}_{\mathit{IV}}^{F,\pi }(X_1\parallel X_2\parallel \cdots \parallel X_x)=v_x$, where $v_0\leftarrow \mathit{IV}$, $v_i\leftarrow F(v_{i-1},X_i)$ for $1\le i\le x-1$, and $v_x\leftarrow F(\pi (v_{x-1}),X_x)$.

For $M\in {\Sigma }^{\ast }$, the padding function is defined as follows:

$$\mathtt{pad}\left(M\right)=\left\{\begin{array}{cc}M\hfill & \mathrm{if}\left|M\right|>0\mathrm{and}\left|M\right|\equiv 0\left(\mathrm{mod}w\right),\hfill \\ M\parallel {10}^d\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

where d is the smallest non-negative integer such that $\left|M\right|+1+d\equiv 0(\mathrm{mod}w)$. The length of any output of $\mathtt{pad}$ is a positive multiple of w. In particular, $\mathtt{pad}\left(\epsilon \right)={10}^{w-1}$. If $\left|M\right|>0$, then $|\mathtt{pad}(M)|=w\lceil \left|M\right|/w\rceil$.

The proposed hash function $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}:{\Sigma }^{\ast }\to {\Sigma }^n$ is defined as follows:

$$H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)=\left\{\begin{array}{cc}{\mathsf{C}}_{\mathit{IV}}^{F,{\pi }_0}(\mathtt{pad}\left(M\right))\hfill & \mathrm{if}\left|M\right|>0\mathrm{and}\left|M\right|\equiv 0\left(\mathrm{mod}w\right),\hfill \\ {\mathsf{C}}_{\mathit{IV}}^{F,{\pi }_1}(\mathtt{pad}\left(M\right))\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

It is also depicted in Figure 1.

4. Collision Resistance

The collision resistance of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ is discussed in the standard model. It is assumed that the compression function F is chosen at random from some set of functions from ${\Sigma }^n\times {\Sigma }^w$ to ${\Sigma }^n$ in some efficient way.

The collision resistance of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ needs a new security requirement for F, which is a kind of collision resistance. A pair of distinct inputs $(v,X)$ and $(v^{\prime },X^{\prime })$ for F are called a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair if ${\pi }_0(F(v,X))={\pi }_1(F(v^{\prime },X^{\prime }))$. The advantage of adversary A against F with respect to $\{{\pi }_0,{\pi }_1\}$-pseudo-collision is defined similarly to the col-advantage. It is denoted by ${\mathrm{Adv}}_{F,\{{\pi }_0,{\pi }_1\}}^{\mathrm{pcol}}\left(A\right)$.

It will be shown that the collision resistance of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ is reduced to the collision resistance, the $\{{\pi }_0,{\pi }_1\}$-pseudo-collision resistance and the everywhere preimage resistance of F.

Lemma 1.

Any collision pair for $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ implies a collision pair, a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair, or a preimage of $\mathit{IV}$, ${\pi }_0^{-1}({\pi }_1\left(\mathit{IV}\right))$, or ${\pi }_1^{-1}({\pi }_0\left(\mathit{IV}\right))$ for F.

Proof. 

Let M and $M^{\prime }$ be any collision pair for $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$. It is shown below that, by tracing back the computation of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}(M^{\prime })$, one can find a collision pair for F, a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair for F, or a preimage of $\mathit{IV}$, ${\pi }_0^{-1}({\pi }_1\left(\mathit{IV}\right))$, or ${\pi }_1^{-1}({\pi }_0\left(\mathit{IV}\right))$ for F. Let $|\mathtt{pad}(M)|/w=m$ and $|\mathtt{pad}(M^{\prime })|/w=m^{\prime }$.

Suppose that $\mathtt{pad}\left(M\right)=\mathtt{pad}(M^{\prime })$. Then, one of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}(M^{\prime })$ uses ${\pi }_0$ and the other uses ${\pi }_1$. Notice that ${\pi }_0(v)\ne {\pi }_1(v)$ for any $v\in {\Sigma }^n$. If $m=m^{\prime }=1$, then one finds a collision pair for F since ${\pi }_0\left(\mathit{IV}\right)\ne {\pi }_1\left(\mathit{IV}\right)$. If $m=m^{\prime }\ge 2$, then one finds a collision pair or a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair for F since ${\pi }_0(v)={\pi }_1(v^{\prime })$ implies $v\ne v^{\prime }$ for any $v,v^{\prime }\in {\Sigma }^n$.

Suppose that $\mathtt{pad}\left(M\right)\ne \mathtt{pad}(M^{\prime })$.

(i)

Suppose that one of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M^{\prime }\right)$ uses ${\pi }_0$ and the other uses ${\pi }_1$. Assume that $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ uses ${\pi }_0$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}(M^{\prime })$ uses ${\pi }_1$ without loss of generality. If $m=m^{\prime }=1$, then one finds a collision pair for F. If $m=1$ and $m^{\prime }\ge 2$, then one finds a collision pair for F or a preimage of ${\pi }_1^{-1}({\pi }_0\left(\mathit{IV}\right))$ for F. If $m\ge 2$ and $m^{\prime }=1$, then one finds a collision pair for F or a preimage of ${\pi }_0^{-1}({\pi }_1\left(\mathit{IV}\right))$ for F. If $m\ge 2$ and $m^{\prime }\ge 2$, then one finds a collision pair or a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair for F.

(ii)

Suppose that both of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}(M^{\prime })$ uses a same permutation. If $m=m^{\prime }=1$, then one finds a collision pair for F. If $m=1$ and $m^{\prime }\ge 2$, or $m\ge 2$ and $m^{\prime }=1$, then one finds a collision pair for F or a preimage of $\mathit{IV}$ for F. If $m\ge 2$ and $m^{\prime }\ge 2$, then one finds a collision pair or a preimage of $\mathit{IV}$ for F.

 ☐

Theorem 1.

For any adversary A trying to find a collision pair for $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ with run time t, there exist adversaries $B_1$, $B_2$ and $B_3$ such that

$${\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}}^{\mathrm{col}}\left(A\right)\le {\mathrm{Adv}}_F^{\mathrm{col}}\left(B_1\right)+{\mathrm{Adv}}_{F,\{{\pi }_0,{\pi }_1\}}^{\mathrm{pcol}}\left(B_2\right)+3{\mathrm{Adv}}_F^{\mathrm{epre}}\left(B_3\right).$$

The run times of $B_1$, $B_2$ and $B_3$ are about $t+O((|\mathtt{pad}\left(M\right)|+|\mathtt{pad}(M^{\prime })|)T_F/w)$, where M and $M^{\prime }$ are a collision pair of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ output by A and $T_F$ is the time required to compute F.

Proof. 

Let B be an algorithm which works as follows. B takes F as input. It first runs A with input $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$. If A fails to find a collision pair for $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$, then it aborts. Otherwise, for a collision pair M and $M^{\prime }$ output by A, it computes $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ and $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}(M^{\prime })$.

Let $B_1$ be an adversary trying to find a collision pair for F. Let $B_2$ be an adversary trying to find a $\{{\pi }_0,{\pi }_1\}$-pseudo-collision pair for F. Let $B_3$ be an adversary trying to find a preimage of $\mathit{IV}$, ${\pi }_0^{-1}({\pi }_1\left(\mathit{IV}\right))$, or ${\pi }_1^{-1}({\pi }_0\left(\mathit{IV}\right))$ for F. All of them first run B. From Lemma 1, if A succeeds in finding a collision pair for $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$, then $B_1$, $B_2$ or $B_3$ succeed. ☐

5. Indifferentiability from Random Oracle

5.1. In the Random Oracle Model

In this section, to discuss the indifferentiability, the compression function F is assumed to be chosen uniformly at random from all the functions from ${\Sigma }^n\times {\Sigma }^w$ to ${\Sigma }^n$.

The following theorem implies that the proposed hash function is indifferentiable from a random oracle up to the birthday bound. The game-playing technique [27] is used for the proof.

Theorem 2.

Suppose that the compression function $F:{\Sigma }^n\times {\Sigma }^w\to {\Sigma }^n$ is chosen uniformly at random. Then, for the hash function $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$, there exists a simulator S of F such that, for any adversary A making at most q queries to its FIL oracle and queries to its VIL oracle which cost at most σ message blocks in total,

$${\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)\le \frac{5{(\sigma +q)}^2}{2^n}+\frac{3\sigma q}{2^n-6q+1},$$

and S makes at most q queries.

Proof. 

Each game provides two interfaces to adversary A: $\mathcal{H}$ for the hash function and $\mathcal{F}$ for the compression function. It is assumed without loss of generality that A makes no repeated queries both to $\mathcal{H}$ and to $\mathcal{F}$.

The game G1 is given in Figure 2. $\mathcal{F}$ simply calls $\mathsf{F}$, which implements the compression function F by lazy evaluation. $\mathsf{F}$ uses a partial function $\mathtt{F}$. Initially, $\mathtt{F}[v,X]=\perp$ for every $(v,X)\in {\Sigma }^n\times {\Sigma }^w$. $\mathcal{H}$ computes $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ with the aid of $\mathsf{F}$. Thus,

$$Pr\left[A^{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},F}=1\right]=Pr\left[A^{\mathrm{G}1}=1\right].$$

Notice that $\mathsf{F}$ may receive repeated queries since $\mathcal{H}$ also calls $\mathsf{F}$ as well as $\mathcal{F}$.

The game G2 is given in Figure 3a. $\mathcal{F}$ and $\mathcal{H}$ are not changed and omitted.

In G2, $\mathsf{F}$ constructs and maintains a directed graph $(\mathit{V},\mathit{E})$ based on the queries to $\mathsf{F}$. It also uses a function $\mathsf{findM}$, which will be described later. Initially, $\mathit{V}=\left\{\right\}$ and $\mathit{E}=\left\{\right\}$. For a new query $(v,X)$, if $\mathsf{findM}(v,X)\ne \perp$, then $\mathsf{F}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{v\}$. On the other hand, if $\mathsf{findM}(v,X)=\perp$, then $\mathsf{F}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{v,\mathtt{F}[v,X]\}$ and $\mathit{E}$ with $\mathit{E}\cup \{(v,\mathtt{F}[v,X])\}$. The edge $(v,\mathtt{F}[v,X])$ is labeled with X. $\mathit{T}$ and $\mathit{H}$ are the sets of tails and heads of edges in $(\mathit{V},\mathit{E})$, respectively. Vertices with no adjacent edges in $(\mathit{V},\mathit{E})$ are also included in $\mathit{T}$. Initially, $\mathit{T}=\{\}$ and $\mathit{H}=\{\}$.

$\mathsf{findM}$ tries to find a path in $(\mathit{V},\mathit{E})$ corresponding to the computation $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ for some M. Given $(v,X)$ as input, $\mathsf{findM}$ first searches a path from $\mathit{IV}$ to ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$ in $(\mathit{V},\mathit{E})$. If $\mathit{IV}$ equals ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$, then the single vertex $\mathit{IV}$ is regarded as a path. If $\mathsf{findM}$ finds a path, then let $X_1,X_2,\dots ,X_l$ be the labels of the edges on the path. If the path is $\mathit{IV}$, then $l=0$, that is, $X_1\parallel X_2\parallel \cdots \parallel X_l=\epsilon$. If there exists some $M\in {\Sigma }^{\ast }$ such that $\mathtt{pad}\left(M\right)=X_1\parallel X_2\parallel \cdots \parallel X_l\parallel X$, which depends on whether the terminal of the path is ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$, then $\mathsf{findM}$ returns M. Otherwise, $\mathsf{findM}$ returns ⊥. It will be shown that $\mathsf{findM}(v,X)$ finds at most one path.

$\mathsf{F}$ of G2 differs from $\mathsf{F}$ of G1 only if $\mathit{bad}$ gets $\mathtt{true}$ in G2. This is because $\mathtt{F}[v,X]$ is chosen uniformly at random in G2 until $\mathit{bad}$ gets $\mathtt{true}$. For the i-th call to $\mathsf{F}$, $|\mathit{B}|\le 6i-1$ since

$$\begin{array}{cc}\hfill \mathit{B}& =\mathit{T}\cup {\pi }_0^{-1}\left(\mathit{T}\right)\cup {\pi }_1^{-1}\left(\mathit{T}\right)\cup \mathit{H}\cup {\pi }_0^{-1}({\pi }_1\left(\mathit{H}\right))\cup {\pi }_1^{-1}({\pi }_0\left(\mathit{H}\right))\cup \hfill \\ & \left\{\mathit{IV},{\pi }_0^{-1}\left(\mathit{IV}\right),{\pi }_1^{-1}\left(\mathit{IV}\right),{\pi }_0^{-1}({\pi }_1\left(\mathit{IV}\right)),{\pi }_1^{-1}({\pi }_0\left(\mathit{IV}\right))\right\},\hfill \end{array}$$

$|\mathit{T}|\le i-1$ and $|\mathit{H}|\le i-1$. $\mathsf{F}$ is called at most $(\sigma +q)$ times. Thus,

$$\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}2}=1\right]\right|\le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]\le \sum _{i=1}^{\sigma +q}\frac{6i-1}{2^n}=\frac{3{(\sigma +q)}^2+2(\sigma +q)}{2^n}.$$

For the game G3 in Figure 3b, the lines from 605 to 609 in G2 are replaced with the line 605 in G3. Since they are equivalent, $Pr\left[A^{\mathrm{G}2}=1\right]=Pr\left[A^{\mathrm{G}3}=1\right]$.

The game G4 is given in Figure 4. It introduces a variable-input-length random oracle $\mathsf{H}$, which is implemented by lazy evaluation. Initially, $\mathtt{H}\left[M\right]=\perp$ for every $M\in {\Sigma }^{\ast }$. $\mathsf{H}$ may receive repeated queries since it is called by both $\mathcal{H}$ and $\mathcal{F}$. Different from $\mathsf{F}$ of G3, $\mathsf{F}$ assigns $\mathsf{H}\left(M\right)$ to $\mathtt{F}[v,X]$ at the line 603 in G4. Different from $\mathcal{H}$ of G3, $\mathcal{H}\left(M\right)$ returns $\mathsf{H}\left(M\right)$ in G4. We will see that G4 is actually equivalent to G3 in spite of these changes.

First, let us see some properties of the graph $(\mathit{V},\mathit{E})$. Both in G3 and in G4, at the beginning of each run of $\mathsf{F}$ with $(v,X)$ such that $\mathtt{F}[v,X]=\perp$, $\mathit{V}\subseteq \mathit{T}\cup \mathit{H}$. Then, whenever this run adds $\mathtt{F}[v,X]$ to both $\mathit{V}$ and $\mathit{H}$, $\mathtt{F}[v,X]$ is chosen from ${\Sigma }^n\backslash \mathit{B}$, where $\{\mathit{IV}\}\cup \mathit{T}\cup \mathit{H}\subseteq \mathit{B}$. Thus, every vertex in $(\mathit{V},\mathit{E})$ has at most one incoming edge, and $\mathit{IV}$ has no incoming edge. It implies that every vertex in $(\mathit{V},\mathit{E})$ has at most one simple path from $\mathit{IV}$. In addition, for every path $(v_1,v_2,\dots ,v_l)$ with $v_1=\mathit{IV}$, $v_i$’s are added to $(\mathit{V},\mathit{E})$ in this order. Furthermore, before $v_l$ is added to $(\mathit{V},\mathit{E})$, neither $({\pi }_0(v_l),X^{\prime })$ nor $({\pi }_1(v_l),X^{\prime })$ were asked to $\mathsf{F}$ for any $X^{\prime }\in {\Sigma }^w$ since $\{{\pi }_0^{-1}\left(\mathit{IV}\right),{\pi }_1^{-1}\left(\mathit{IV}\right)\}\cup {\pi }_0^{-1}\left(\mathit{T}\right)\cup {\pi }_1^{-1}\left(\mathit{T}\right)\subseteq \mathit{B}$.

Suppose that $\mathsf{findM}(v,X)$ finds two paths in $(\mathit{V},\mathit{E})$. Then, one is from $\mathit{IV}$ to ${\pi }_0^{-1}\left(v\right)$ and the other is from $\mathit{IV}$ to ${\pi }_1^{-1}\left(v\right)$. Notice that ${\pi }_0^{-1}\left(v\right)\ne {\pi }_1^{-1}\left(v\right)$ since ${\pi }_0\left(u\right)\ne {\pi }_1\left(u\right)$ for every $u\in {\Sigma }^n$. Suppose that both paths have two or more vertices. Then, both ${\pi }_0^{-1}\left(v\right)$ and ${\pi }_1^{-1}\left(v\right)$ are elements of $\mathit{H}$, which implies that one was added to $\mathit{H}$ after the other since at most one vertex is added to $\mathit{H}$ during each run of $\mathsf{F}$. It contradicts ${\pi }_{1\oplus b}^{-1}({\pi }_b\left(\mathit{H}\right))\subseteq \mathit{B}$ for $b\in \Sigma$. Suppose that one path is the single vertex $\mathit{IV}$ and the other has two or more vertices. ${\pi }_b^{-1}\left(v\right)=\mathit{IV}$ contradicts ${\pi }_{1\oplus b}^{-1}({\pi }_b\left(\mathit{IV}\right))\subseteq \mathit{B}$ for $b\in \Sigma$. Thus, $\mathsf{findM}(v,X)$ finds at most a single path in $(\mathit{V},\mathit{E})$.

In G4, for a new query $(v,X)$ to $\mathsf{F}$, suppose that $\mathsf{findM}$ finds a path in $(\mathit{V},\mathit{E})$ and returns M corresponding to the path and $(v,X)$. Then, M is a new query to $\mathsf{H}$, that is $\mathtt{H}\left[M\right]=\perp$, and it is assigned an element chosen uniformly at random from ${\Sigma }^n$. On the other hand, for $\mathcal{H}$, $v_x=\mathsf{H}\left(M\right)$. Thus, G4 is equivalent to G3, and $Pr\left[A^{\mathrm{G}4}=1\right]=Pr\left[A^{\mathrm{G}3}=1\right]$.

From G4 to G5, only $\mathsf{F}$ changes, which is given in Figure 5a. $\mathsf{F}$ of G5 is augmented with the lines from 600 to 606 and the lines from 614 to 616. ${\mathit{H}}_A$ is the set of heads of edges in $(\mathit{V},\mathit{E})$ in the view of A. Initially, ${\mathit{H}}_A=\{\}$. These changes do not affect the output of $\mathsf{F}$. Thus, G5 is equivalent to G4, and $Pr\left[A^{\mathrm{G}5}=1\right]=Pr\left[A^{\mathrm{G}4}=1\right]$.

From G5 to G6, only $\mathcal{H}$ changes. $\mathcal{H}$ of G6 is identical to that of G7, which is given in Figure b. In G6, $\mathcal{H}\left(M\right)$ does not call $\mathsf{F}$ and just returns $\mathsf{H}\left(M\right)$. In G6, $\mathsf{F}$ is called only by $\mathcal{F}$ and it does not receive any repeated queries, which implies that $\mathit{bad}$ never gets $\mathtt{true}$. On the other hand, $\mathit{bad}$ may get $\mathtt{true}$ in G5. If $\mathit{bad}$ gets $\mathtt{true}$ in G5, then A may trace some computation path of $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ in $(\mathit{V},\mathit{E})$ from its middle. $|{\mathit{B}}_{\mathrm{a}}|\le 3\sigma$ since ${\mathit{B}}_{\mathrm{a}}=(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_0(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_1(\mathit{H}\backslash {\mathit{H}}_A)$ and $|\mathit{H}\backslash {\mathit{H}}_A|\le \sigma$. A knows at most $6q-1$ elements in $\mathit{B}$. Thus,

$$\left|Pr\left[A^{\mathrm{G}5}=1\right]-Pr\left[A^{\mathrm{G}6}=1\right]\right|\le Pr\left[A^{\mathrm{G}5}\mathrm{sets}\mathit{bad}\right]\le \frac{3\sigma q}{2^n-6q+1}.$$

From G6 to G7, only $\mathsf{F}$ changes. G7 is given in Figure 5b. $\mathsf{F}$ of G7 is obtained from $\mathsf{F}$ of G6 by removing the lines from 600 to 606 and the lines from 614 to 616. Since $\mathsf{F}$ does not receive any repeated queries, the lines 607 and 619 are also removed. These changes do not affect the output of $\mathsf{F}$. Thus, $Pr\left[A^{\mathrm{G}7}=1\right]=Pr\left[A^{\mathrm{G}6}=1\right]$. $\mathsf{F}$ of G7 works as a simulator S of F.

From the discussion above, we have

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)& =\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}7}=1\right]\right|\le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]+Pr\left[A^{\mathrm{G}5}\mathrm{sets}\mathit{bad}\right]\hfill \\ & \le \frac{3{(\sigma +q)}^2+2(\sigma +q)}{2^n}+\frac{3\sigma q}{2^n-6q+1}\le \frac{5{(\sigma +q)}^2}{2^n}+\frac{3\sigma q}{2^n-6q+1}.\hfill \end{array}$$

 ☐

5.2. In the Ideal Cipher Model

In this section, $F:{\Sigma }^n\times {\Sigma }^w\to {\Sigma }^n$ is assumed to be the Davies-Meyer compression function [28] using a block cipher $E:{\Sigma }^w\times {\Sigma }^n\to {\Sigma }^n$, where the key space of E is ${\Sigma }^w$. Namely, $F(V,X)=E(X,V)\oplus V$. E is assumed to be chosen uniformly at random.

Theorem 3.

Suppose that the compression function $F:{\Sigma }^n\times {\Sigma }^w\to {\Sigma }^n$ is the Davies-Meyer mode of a block cipher E chosen uniformly at random. Let D be the decryption function of E. Then, for the hash function $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$, there exists a simulator S of $(E,D)$ such that, for any adversary A making at most $q_{\mathrm{e}}$ queries to its FIL encryption oracle, $q_{\mathrm{d}}$ queries to its FIL decryption oracle, and queries to its VIL oracle which cost at most σ message blocks in total,

$${\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)\le \frac{12{(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})}^2}{2^n}+\frac{3\sigma (q_{\mathrm{e}}+q_{\mathrm{d}})}{2^n-6(q_{\mathrm{e}}+q_{\mathrm{d}})-5},$$

and S makes at most $q_{\mathrm{e}}$ queries.

Proof. 

Each game provides three interfaces to adversary A: $\mathcal{H}$ for the hash function, $\mathcal{E}$ for the encryption and $\mathcal{D}$ for the decryption. It is assumed without loss of generality that A makes no repeated queries both to $\mathcal{H}$ and to $(\mathcal{E},\mathcal{D})$. For $\mathcal{E}$ and $\mathcal{D}$, once A gets a tuple $(\mathit{key},\mathit{pt},\mathit{ct})$ such that $E(\mathit{key},\mathit{pt})=\mathit{ct}$ by a query to $\mathcal{E}$ or $\mathcal{D}$, A never makes any query on the tuple.

The game G1 is given in Figure 6. $\mathcal{E}$ and $\mathcal{D}$ simply call $\mathsf{E}$ and $\mathsf{D}$, respectively. $\mathsf{E}$ and $\mathsf{D}$ implement the encryption function and the decryption function by lazy evaluation, respectively. $\mathcal{H}$ computes $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}$ with the aid of $\mathsf{E}$. Thus,

$$Pr\left[A^{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},(E,D)}=1\right]=Pr\left[A^{\mathrm{G}1}=1\right].$$

Notice that $\mathsf{E}$ and $\mathsf{D}$ may receive repeated queries since $\mathcal{H}$ also calls $\mathsf{E}$ as well as $\mathcal{E}$.

From G1 to G2, only $\mathsf{E}$ and $\mathsf{D}$ are changed, which are given in Figure 7. In G2, $\mathtt{E}[X,v]$ and $\mathtt{D}[X,u]$ are chosen uniformly at random from ${\Sigma }^n$. G1 and G2 are identical until $\mathit{bad}$ gets $\mathtt{true}$ in G2. Since $\mathsf{E}$ and $\mathsf{D}$ are called at most $\sigma +q_{\mathrm{e}}+q_{\mathrm{d}}$ times in total and $|{\mathit{P}}_X|=|{\mathit{C}}_X|\le \sigma +q_{\mathrm{e}}+q_{\mathrm{d}}$,

$$\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}2}=1\right]\right|\le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]\le \frac{{(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})}^2}{2^n}.$$

From G2 to G3, only $\mathsf{E}$ and $\mathsf{D}$ are changed, which are given in Figure 8. In G3, $\mathsf{E}$ and $\mathsf{D}$ constructs and maintains a directed graph $(\mathit{V},\mathit{E})$ based on the queries to them. Initially, $\mathit{V}=\{\}$ and $\mathit{E}=\{\}$. For a new query $(X,v)$, if $\mathsf{findM}(v,X)\ne \perp$, then $\mathsf{E}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{v\}$. If $\mathsf{findM}(v,X)=\perp$, then $\mathsf{E}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{v,u^{\prime }\}$ and $\mathit{E}$ with $\mathit{E}\cup \{(v,u^{\prime })\}$, where $u^{\prime }=\mathsf{E}(X,v)\oplus v$. The edge $(v,u^{\prime })$ is labeled with X. On the other hand, for a new query $(X,u)$, $\mathsf{D}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{v,v\oplus u\}$ and $\mathit{E}$ with $\mathit{E}\cup \{(v,v\oplus u)\}$, where $v=\mathsf{D}(X,u)$.

$\mathit{T}$ and $\mathit{H}$ are the sets of tails and heads of edges in $(\mathit{V},\mathit{E})$, respectively. Vertices with no adjacent edges in $(\mathit{V},\mathit{E})$ are also in $\mathit{T}$. Initially, $\mathit{T}=\mathit{H}=\{\}$.

$\mathsf{findM}$ tries to find a path in $(\mathit{V},\mathit{E})$ corresponding to the computation $H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ for some M. Given $(v,X)$ as input, $\mathsf{findM}$ first searches a path from $\mathit{IV}$ to ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$ in $(\mathit{V},\mathit{E})$. If $\mathit{IV}$ equals ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$, then the single vertex $\mathit{IV}$ is regarded as a path. If $\mathsf{findM}$ finds a path, then let $X_1,X_2,\dots ,X_l$ be the labels of the edges on the path. If the path is $\mathit{IV}$, then $l=0$, that is, $X_1\parallel X_2\parallel \cdots \parallel X_l=\epsilon$. If there exists some $M\in {\Sigma }^{\ast }$ such that $\mathtt{pad}\left(M\right)=X_1\parallel X_2\parallel \cdots \parallel X_l\parallel X$, which depends on whether the terminal of the path is ${\pi }_0^{-1}\left(v\right)$ or ${\pi }_1^{-1}\left(v\right)$, then $\mathsf{findM}$ returns M. Otherwise, $\mathsf{findM}$ returns ⊥.

$\mathsf{E}$ of G3 always assigns to $\mathtt{E}[X,v]$ a value chosen uniformly at random from ${\Sigma }^n$ until $\mathit{bad}$ gets true at line 607. $\mathsf{D}$ of G3 always assigns to $\mathtt{D}[X,u]$ a value chosen uniformly at random from ${\Sigma }^n$ until $\mathit{bad}$ gets true at line 703. Thus, G3 is identical to G2 until $\mathit{bad}$ gets $\mathtt{true}$ in G3. Since $|\mathit{T}|\le \sigma +q_{\mathrm{e}}+q_{\mathrm{d}}$ and $|\mathit{H}|\le \sigma +q_{\mathrm{e}}+q_{\mathrm{d}}$, $|{\mathit{B}}_{\mathrm{e}}|\le 6(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})+5$ and $|{\mathit{B}}_{\mathrm{d}}|\le 6(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})+4$. $\mathsf{E}$ is called at most $(\sigma +q_{\mathrm{e}})$ times and $\mathsf{D}$ is called at most $q_{\mathrm{d}}$ times and Thus,

$$\begin{array}{cc}\hfill \left|Pr\left[A^{\mathrm{G}2}=1\right]-Pr\left[A^{\mathrm{G}3}=1\right]\right|& \le Pr\left[A^{\mathrm{G}3}\mathrm{sets}\mathit{bad}\right]\hfill \\ & \le \frac{(6(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})+5)(\sigma +q_{\mathrm{e}})}{2^n}+\frac{(6(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})+4)q_{\mathrm{d}}}{2^n}\hfill \\ & =\frac{6{(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})}^2+5\sigma +5q_{\mathrm{e}}+4q_{\mathrm{d}}}{2^n}.\hfill \end{array}$$

For the game G4 in Figure 9, the lines from 605 to 609 of G3 are replaced with the line 605 of G4, and the lines from 701 to 705 of G3 are replaced with the line 701 of G4. Since these changes do not affect the behavior, $Pr[A^{\mathrm{G}3}=1]=Pr[A^{\mathrm{G}4}=1]$.

The game G5 is given in Figure 10. It introduces a variable-input-length random oracle $\mathsf{H}$, which is implemented by lazy evaluation. Initially, $\mathtt{H}\left[M\right]=\perp$ for every $M\in {\Sigma }^{\ast }$. $\mathsf{H}$ may receive repeated queries since it is called by both $\mathcal{H}$ and $\mathcal{F}$. Different from $\mathsf{E}$ of G4, $\mathsf{E}$ of G5 assigns $\mathsf{H}\left(M\right)$ to $u^{\prime }$ at the line 603. Different from $\mathcal{H}$ of G4, $\mathcal{H}$ of G5 returns $\mathsf{H}\left(M\right)$. We will see that G5 is actually equivalent to G4 in spite of these changes.

First, let us see some properties of the graph $(\mathit{V},\mathit{E})$. At the beginning of each run of $\mathsf{E}$ with $(X,v)$ such that $\mathtt{E}[X,v]=\perp$, $\mathit{V}\subseteq \mathit{T}\cup \mathit{H}$. Whenever $u^{\prime }$ is added to both $\mathit{V}$ and $\mathit{H}$ by this run, it is chosen from ${\Sigma }^n\backslash {\mathit{B}}_{\mathrm{e}}$, where $\mathit{T}\cup \mathit{H}\cup \{\mathit{IV}\}\subseteq {\mathit{B}}_{\mathrm{e}}$. On the other hand, at the beginning of each run of $\mathsf{D}$ with $(X,u)$ such that $\mathtt{D}[X,u]=\perp$, $\mathit{V}\subseteq \mathit{T}\cup \mathit{H}$. Then, v is chosen from ${\Sigma }^n\backslash {\mathit{B}}_{\mathrm{d}}$, and $v\oplus u$ is added to both $\mathit{V}$ and $\mathit{H}$ by this run, where $\mathit{T}\cup \mathit{H}\cup \{\mathit{IV}\}\cup (u\oplus (\mathit{T}\cup \mathit{H}\cup \{\mathit{IV}\}))\subseteq {\mathit{B}}_{\mathrm{d}}$. Thus, every vertex in $(\mathit{V},\mathit{E})$ has at most one incoming edge, and $\mathit{IV}$ has no incoming edge. It implies that every vertex in $(\mathit{V},\mathit{E})$ has at most one simple path from $\mathit{IV}$. In addition, every path $(v_1,v_2,\dots ,v_l)$ with $v_1=\mathit{IV}$ is constructed only by queries to $\mathsf{E}$, and $v_i$’s are added to $(\mathit{V},\mathit{E})$ in this order. Furthermore, before $v_i$ is added to $(\mathit{V},\mathit{E})$, neither ${\pi }_0\left(v_i\right)$ nor ${\pi }_1\left(v_i\right)$ existed in $(\mathit{V},\mathit{E})$ since ${\pi }_0^{-1}\left(\mathit{T}\right)\cup {\pi }_1^{-1}\left(\mathit{T}\right)\cup \{{\pi }_0^{-1}\left(\mathit{IV}\right),{\pi }_1^{-1}\left(\mathit{IV}\right)\}\subseteq {\mathit{B}}_{\mathrm{e}}$. Neither ${\pi }_0\left(v_i\right)$ nor ${\pi }_1\left(v_i\right)$ are added to $(\mathit{V},\mathit{E})$ as tails by the queries to $\mathsf{D}$ after $v_i$ since ${\pi }_0\left(\mathit{H}\right)\cup {\pi }_1\left(\mathit{H}\right)\cup \{{\pi }_0\left(\mathit{IV}\right),{\pi }_1\left(\mathit{IV}\right)\}\subseteq {\mathit{B}}_{\mathrm{d}}$.

Suppose that $\mathsf{findM}(v,X)$ finds two paths in $(\mathit{V},\mathit{E})$. Then, one is from $\mathit{IV}$ to ${\pi }_0^{-1}\left(v\right)$ and the other is from $\mathit{IV}$ to ${\pi }_1^{-1}\left(v\right)$. Notice that ${\pi }_0^{-1}\left(v\right)\ne {\pi }_1^{-1}\left(v\right)$ since ${\pi }_0\left(u\right)\ne {\pi }_1\left(u\right)$ for every $u\in {\Sigma }^n$. Suppose that both paths have two or more vertices. Then, both ${\pi }_0^{-1}\left(v\right)$ and ${\pi }_1^{-1}\left(v\right)$ are elements of $\mathit{H}$, which implies that one was added to $\mathit{H}$ after the other since at most one vertex is added to $\mathit{H}$ during each run of $\mathsf{E}$. It contradicts ${\pi }_{1\oplus b}^{-1}({\pi }_b\left(\mathit{H}\right))\subseteq {\mathit{B}}_{\mathrm{e}}$ for $b\in \Sigma$. Suppose that one path is the single vertex $\mathit{IV}$ and the other has two or more vertices. ${\pi }_b^{-1}\left(v\right)=\mathit{IV}$ contradicts ${\pi }_{1\oplus b}^{-1}({\pi }_b\left(\mathit{IV}\right))\subseteq {\mathit{B}}_{\mathrm{e}}$ for $b\in \Sigma$. Thus, $\mathsf{findM}(v,X)$ finds at most a single path in $(\mathit{V},\mathit{E})$.

In G5, for a new query $(v,X)$ to $\mathsf{E}$, suppose that $\mathsf{findM}$ finds a path in $(\mathit{V},\mathit{E})$ and returns M corresponding to the path and $(v,X)$. Then, M is a new query to $\mathsf{H}$, that is $\mathtt{H}\left[M\right]=\perp$, and it is assigned an element chosen uniformly at random from ${\Sigma }^n$. On the other hand, for $\mathcal{H}$, $v_x=\mathsf{H}\left(M\right)$. Thus, G5 is equivalent to G4, and $Pr[A^{\mathrm{G}5}=1]=Pr[A^{\mathrm{G}4}=1]$.

From G5 to G6, $\mathsf{E}$ and $\mathsf{D}$ change, which are given in Figure 11. $\mathsf{E}$ of G6 is augmented with the lines from 600 to 606 and the lines from 614 to 616. ${\mathit{H}}_A$ is the set of heads of edges in $(\mathit{V},\mathit{E})$ in the view of A. Initially, ${\mathit{H}}_A=\{\}$. These changes do not affect the output of $\mathsf{E}$. $\mathsf{D}$ of G6 is augmented with the lines from 700 to 704 and the line 710. These changes do not affect the output of $\mathsf{D}$, either. Thus, G6 is equivalent to G5, and $Pr[A^{\mathrm{G}6}=1]=Pr[A^{\mathrm{G}5}=1]$.

From G6 to G7, only $\mathcal{H}$ changes. $\mathcal{H}$ of G7 is identical to that of G8, which is given in Figure 12. In G7, $\mathcal{H}\left(M\right)$ does not call $\mathsf{E}$ and just returns $\mathsf{H}\left(M\right)$. In G7, $\mathsf{E}$ is called only by $\mathcal{E}$ and it does not receive any repeated queries. $\mathsf{D}$ does not receive any repeated queries, either. Thus, $\mathit{bad}$ never gets $\mathtt{true}$ in G7. On the other hand, $\mathit{bad}$ may get $\mathtt{true}$ in G6. $|{\mathit{B}}_{\mathrm{ae}}|\le 3\sigma$ and $|{\mathit{B}}_{\mathrm{ad}}|\le 3\sigma$ since ${\mathit{B}}_{\mathrm{ae}}=(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_0(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_1(\mathit{H}\backslash {\mathit{H}}_A)$, ${\mathit{B}}_{\mathrm{ad}}=(v\oplus (\mathit{H}\backslash {\mathit{H}}_A))\cup (\mathsf{H}(M)\oplus ({\pi }_0(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_1(\mathit{H}\backslash {\mathit{H}}_A)))$, and $|\mathit{H}\backslash {\mathit{H}}_A|\le \sigma$. A knows at most $6(q_{\mathrm{e}}+q_{\mathrm{d}})+5$ elements in ${\mathit{B}}_{\mathrm{e}}$. Thus,

$$\left|Pr\left[A^{\mathrm{G}6}=1\right]-Pr\left[A^{\mathrm{G}7}=1\right]\right|\le Pr\left[A^{\mathrm{G}6}\mathrm{sets}\mathit{bad}\right]\le \frac{3\sigma (q_{\mathrm{e}}+q_{\mathrm{d}})}{2^n-6(q_{\mathrm{e}}+q_{\mathrm{d}})-5}.$$

From G7 to G8, $\mathsf{E}$ and $\mathsf{D}$ changes. G8 is given in Figure 12. $\mathsf{E}$ of G8 is obtained from $\mathsf{E}$ of G7 by removing the lines from 600 to 606 and the lines from 614 to 616. Since $\mathsf{E}$ does not receive any repeated queries, the lines 607 and 619 are also removed. These changes do not affect the output of $\mathsf{E}$. Similarly, $\mathsf{D}$ of G8 is obtained from $\mathsf{D}$ of G7 by removing the lines from 700 to 704, the lines 705, 707, and 710. These changes do not affect the output of $\mathsf{D}$. Thus, $Pr[A^{\mathrm{G}8}=1]=Pr[A^{\mathrm{G}7}=1]$. $(\mathsf{E},\mathsf{D})$ of G8 works as a simulator S of $(E,D)$.

From the discussion above, we have

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)& =\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}8}=1\right]\right|\hfill \\ & \le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]+Pr\left[A^{\mathrm{G}3}\mathrm{sets}\mathit{bad}\right]+Pr\left[A^{\mathrm{G}6}\mathrm{sets}\mathit{bad}\right]\hfill \\ & \le \frac{7{(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})}^2+5\sigma +5q_{\mathrm{e}}+4q_{\mathrm{d}}}{2^n}+\frac{3\sigma (q_{\mathrm{e}}+q_{\mathrm{d}})}{2^n-6(q_{\mathrm{e}}+q_{\mathrm{d}})-5}\hfill \\ & \le \frac{12{(\sigma +q_{\mathrm{e}}+q_{\mathrm{d}})}^2}{2^n}+\frac{3\sigma (q_{\mathrm{e}}+q_{\mathrm{d}})}{2^n-6(q_{\mathrm{e}}+q_{\mathrm{d}})-5}.\hfill \end{array}$$

 ☐

6. Application to Sponge Construction

6.1. Scheme

Let $P:{\Sigma }^b\to {\Sigma }^b$ be a permutation and $b=w+c$, where b, w and c are positive integers. The sponge hash function using the proposed domain extension consists of the permutation P, permutations ${\pi }_0$ and ${\pi }_1$ over ${\Sigma }^c$, and an initialization vector $\mathit{IV}\in {\Sigma }^b$. For ${\pi }_0$ and ${\pi }_1$, it is assumed that ${\pi }_0\left(u\right)\ne u$, ${\pi }_1\left(u\right)\ne u$ and ${\pi }_0\left(u\right)\ne {\pi }_1\left(u\right)$ for every $u\in {\Sigma }^c$.

For $y\in {\Sigma }^b$, let $y=y_{\mathrm{r}}\parallel y_{\mathrm{c}}$, where $y_{\mathrm{r}}\in {\Sigma }^w$ and $y_{\mathrm{c}}\in {\Sigma }^c$. In the remaining parts, some notations are abused for simplicity. For permutation $\pi$ over ${\Sigma }^c$ and string $y\in {\Sigma }^b$, $\pi \left(y\right)$ represents $y_{\mathrm{r}}\parallel \pi (y_{\mathrm{c}})$. Namely, $\pi$ is applied to the c least significant bits (LSBs) of y. For strings $y\in {\Sigma }^b$ and $X\in {\Sigma }^w$, $y\oplus X$ represents $(y_{\mathrm{r}}\oplus X)\parallel y_{\mathrm{c}}$.

Let $\pi$ be a permutation over ${\Sigma }^c$. For $1\le i\le x$, let $X_i\in {\Sigma }^w$. The tweaked sponge construction ${\mathsf{S}}_{\mathit{IV}}^{P,\pi }:{({\Sigma }^w)}^{+}\to {\Sigma }^n$ is defined as follows: ${\mathsf{S}}_{\mathit{IV}}^{P,\pi }(X_1\parallel X_2\parallel \cdots \parallel X_x)={\widehat{v}}_x$, where $v_0\leftarrow \mathit{IV}$, $v_i\leftarrow P(v_{i-1}\oplus X_i)$ for $1\le i\le x-1$, $v_x\leftarrow P(\pi (v_{x-1})\oplus X_x)$, and ${\widehat{v}}_x$ is the n most significant bits (MSBs) of $v_x$.

The sponge hash function $G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}}:{\Sigma }^{\ast }\to {\Sigma }^n$ based on the proposed domain extension is defined as follows:

$$G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}}\left(M\right)=\left\{\begin{array}{cc}{\mathsf{S}}_{\mathit{IV}}^{P,{\pi }_0}(\mathtt{pad}\left(M\right))\hfill & \mathrm{if}\left|M\right|>0\mathrm{and}\left|M\right|\equiv 0(\mathrm{mod}w),\hfill \\ {\mathsf{S}}_{\mathit{IV}}^{P,{\pi }_1}(\mathtt{pad}\left(M\right))\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

It is also depicted in Figure 13.

6.2. IRO in the Ideal Permutation Model

In this section, $P:{\Sigma }^b\to {\Sigma }^b$ is assumed to be chosen uniformly at random. The following theorem implies that the proposed hash function is indifferentiable from a random oracle up to the birthday bound.

Theorem 4.

Suppose that the permutation $P:{\Sigma }^b\to {\Sigma }^b$ is chosen uniformly at random. Then, for the hash function $G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}}$, there exists a simulator S of $(P,P^{-1})$ such that, for any adversary A making at most $q_{\mathrm{f}}$ queries to its FIL forward oracle, $q_{\mathrm{b}}$ queries to its FIL backward oracle, and queries to its VIL oracle which cost at most σ message blocks in total,

$${\mathrm{Adv}}_{G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)\le \frac{12{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2}{2^c}+\frac{3\sigma (q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c-6(q_{\mathrm{f}}+q_{\mathrm{b}})-5},$$

and S makes at most $q_{\mathrm{f}}$ queries.

Proof. 

Each game provides three interfaces to adversary A: $\mathcal{H}$ for the hash function, $\mathcal{P}$ for the permutation and ${\mathcal{P}}^{-1}$ for its inverse. It is assumed without loss of generality that A makes no repeated queries both to $\mathcal{H}$ and to $(\mathcal{P},{\mathcal{P}}^{-1})$. For $\mathcal{P}$ and ${\mathcal{P}}^{-1}$, once A gets a pair $(y,z)$ such that $P\left(y\right)=z$ by a query to $\mathcal{P}$ or ${\mathcal{P}}^{-1}$, A never makes any query on the pair.

The game G1 is given in Figure 14. $\mathcal{P}$ and ${\mathcal{P}}^{-1}$ simply call $\mathsf{P}$ and ${\mathsf{P}}^{-1}$, respectively. $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ implement P and $P^{-1}$ by lazy evaluation, respectively. $\mathcal{H}$ computes $G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}}$ with the aid of $\mathsf{P}$ and ${\mathsf{P}}^{-1}$. Thus,

$$Pr\left[A^{G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}},(P,P^{-1})}=1\right]=Pr\left[A^{\mathrm{G}1}=1\right].$$

Notice that $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ may receive repeated queries since $\mathcal{H}$ also calls $\mathsf{P}$ as well as $\mathcal{P}$.

From G1 to G2, only $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ are changed, which are given in Figure 15. In G2, $\mathtt{P}\left[Y\right]$ and ${\mathtt{P}}^{-1}\left[Z\right]$ are chosen uniformly at random from ${\Sigma }^b$. G1 and G2 are identical until $\mathit{bad}$ gets $\mathtt{true}$ in G2. Since $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ are called at most $\sigma +q_{\mathrm{f}}+q_{\mathrm{b}}$ times in total and $\left|\mathit{Y}\right|=\left|\mathit{Z}\right|\le \sigma +q_{\mathrm{f}}+q_{\mathrm{b}}$,

$$\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}2}=1\right]\right|\le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]\le \frac{{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2}{2^b}.$$

From G2 to G3, only $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ are changed, which are given in Figure 16. In G3, $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ constructs and maintains a directed graph $(\mathit{V},\mathit{E})$ based on the queries to them. Initially, $\mathit{V}=\{\}$ and $\mathit{E}=\{\}$. For a new query Y, if $\mathsf{findM}\left(Y\right)=\perp$, then $\mathsf{P}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{Y_{\mathrm{c}},Z_{\mathrm{c}}\}$ and $\mathit{E}$ with $\mathit{E}\cup \{(Y_{\mathrm{c}},Z_{\mathrm{c}})\}$. If there exists some $Z^{\prime }$ such that $Z^{\prime }=\mathit{IV}$ or ${\mathtt{P}}^{-1}[Z^{\prime }]\ne \perp$, and $Z_{\mathrm{c}}^{\prime }=Y_{\mathrm{c}}$, then the edge $(Y_{\mathrm{c}},Z_{\mathrm{c}})$ is labeled with $Z_{\mathrm{r}}^{\prime }\oplus Y_{\mathrm{r}}$. Otherwise, it is labeled with ⊥. If $\mathsf{findM}\left(Y\right)\ne \perp$, then $\mathsf{P}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{Y_{\mathrm{c}}\}$. On the other hand, for a new query Z, ${\mathsf{P}}^{-1}$ replaces $\mathit{V}$ with $\mathit{V}\cup \{Y_{\mathrm{c}},Z_{\mathrm{c}}\}$ and $\mathit{E}$ with $\mathit{E}\cup \{(Y_{\mathrm{c}},Z_{\mathrm{c}})\}$. If there exists some $Z^{\prime }$ such that $Z^{\prime }=\mathit{IV}$ or ${\mathtt{P}}^{-1}[Z^{\prime }]\ne \perp$, and $Z_{\mathrm{c}}^{\prime }=Y_{\mathrm{c}}$, then the edge $(Y_{\mathrm{c}},Z_{\mathrm{c}})$ is labeled with $Z_{\mathrm{r}}^{\prime }\oplus Y_{\mathrm{r}}$. Otherwise, it is labeled with ⊥.

$\mathit{T}$ and $\mathit{H}$ are the sets of tails and heads of edges in $(\mathit{V},\mathit{E})$, respectively. Vertices with no adjacent edges in $(\mathit{V},\mathit{E})$ are also in $\mathit{T}$. Initially, $\mathit{T}=\mathit{H}=\{\}$.

$\mathsf{findM}$ tries to find a path in $(\mathit{V},\mathit{E})$ corresponding to the computation $G_{\mathit{IV}}^{P,\{{\pi }_0,{\pi }_1\}}\left(M\right)$ for some M. Given Y as input, $\mathsf{findM}$ first searches a path from ${\mathit{IV}}_{\mathrm{c}}$ to ${\pi }_0^{-1}\left(Y_{\mathrm{c}}\right)$ or ${\pi }_1^{-1}\left(Y_{\mathrm{c}}\right)$ in $(\mathit{V},\mathit{E})$. If ${\mathit{IV}}_{\mathrm{c}}$ equals ${\pi }_0^{-1}\left(Y_{\mathrm{c}}\right)$ or ${\pi }_1^{-1}\left(Y_{\mathrm{c}}\right)$, then the single vertex ${\mathit{IV}}_{\mathrm{c}}$ is regarded as a path. If $\mathsf{findM}$ finds a path, then let $X_1,X_2,\dots ,X_l$ be the labels of the edges on the path. If the path is ${\mathit{IV}}_{\mathrm{c}}$, then $l=0$, that is, $X_1\parallel X_2\parallel \cdots \parallel X_l=\epsilon$. Suppose that ${\tilde{Z}}_{\mathrm{c}}$ is the terminal of the path and ${\mathtt{P}}^{-1}[{\tilde{Z}}_{\mathrm{r}}\parallel {\tilde{Z}}_{\mathrm{c}}]\ne \perp$ for some ${\tilde{Z}}_{\mathrm{r}}$. If there exists some $M\in {\Sigma }^{\ast }$ such that $\mathtt{pad}\left(M\right)=X_1\parallel X_2\parallel \cdots \parallel X_l\parallel ({\tilde{Z}}_{\mathrm{r}}\oplus Y_{\mathrm{r}})$, which depends on whether ${\tilde{Z}}_{\mathrm{c}}$ equals ${\pi }_0^{-1}(Y_{\mathrm{c}})$ or ${\pi }_1^{-1}(Y_{\mathrm{c}})$, then $\mathsf{findM}$ returns M. Otherwise, $\mathsf{findM}$ returns ⊥.

$\mathsf{P}$ of G3 always assigns to $\mathtt{P}\left[Y\right]$ a value chosen uniformly at random from ${\Sigma }^b$ until $\mathit{bad}$ gets true at line 608. ${\mathsf{P}}^{-1}$ of G3 always assigns to ${\mathtt{P}}^{-1}\left[Z\right]$ a value chosen uniformly at random from ${\Sigma }^b$ until $\mathit{bad}$ gets true at line 704. Thus, G3 is identical to G2 until $\mathit{bad}$ gets $\mathtt{true}$ in G3. Since $|\mathit{T}|\le \sigma +q_{\mathrm{f}}+q_{\mathrm{b}}$ and $|\mathit{H}|\le \sigma +q_{\mathrm{f}}+q_{\mathrm{b}}$, $|{\mathit{B}}_{\mathrm{f}}|\le 6(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})+5$ and $|{\mathit{B}}_{\mathrm{b}}|\le 3(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})+3$. $\mathsf{P}$ is called at most $(\sigma +q_{\mathrm{f}})$ times and ${\mathsf{P}}^{-1}$ is called at most $q_{\mathrm{b}}$ times. Thus,

$$\begin{array}{cc}\hfill \left|Pr\left[A^{\mathrm{G}2}=1\right]-Pr\left[A^{\mathrm{G}3}=1\right]\right|& \le Pr\left[A^{\mathrm{G}3}\mathrm{sets}\mathit{bad}\right]\hfill \\ & \le \frac{(6(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})+5)(\sigma +q_{\mathrm{f}})}{2^c}+\frac{(3(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})+3)q_{\mathrm{b}}}{2^c}\hfill \\ & \le \frac{6{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2+5(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c}.\hfill \end{array}$$

For the game G4 in Figure 17, the lines from 606 to 610 of G3 are replaced with the line 606 of G4, and the lines from 702 to 706 of G3 are replaced with the line 702 of G4. Since these changes do not affect the behaviour, $Pr[A^{\mathrm{G}3}=1]=Pr[A^{\mathrm{G}4}=1]$.

The game G5 is given in Figure 18. It introduces a variable-input-length random oracle $\mathsf{H}$, which is implemented by lazy evaluation. Initially, $\mathtt{H}[M]=\perp$ for every $M\in {\Sigma }^{\ast }$. $\mathsf{H}$ may receive repeated queries since it is called by both $\mathcal{H}$ and $\mathcal{P}$. Different from $\mathsf{P}$ of G4, $\mathsf{P}$ of G5 assigns to Z an element chosen uniformly at random from $\{\mathsf{H}\left(M\right)\}\times {\Sigma }^{b-n}$ at the line 603. Different from $\mathcal{H}$ of G4, $\mathcal{H}$ of G5 returns $\mathsf{H}\left(M\right)$. We will see that G5 is actually equivalent to G4 in spite of these changes.

First, let us see some properties of the graph $(\mathit{V},\mathit{E})$. At the beginning of each run of $\mathsf{P}$ with Y such that $\mathtt{P}\left[Y\right]=\perp$, $\mathit{V}\subseteq \mathit{T}\cup \mathit{H}$. Whenever $Z_{\mathrm{c}}$ is added to both $\mathit{V}$ and $\mathit{H}$ by this run, it is chosen from ${\Sigma }^c\backslash {\mathit{B}}_{\mathrm{f}}$, where $\mathit{T}\cup \mathit{H}\cup \{{\mathit{IV}}_{\mathrm{c}}\}\subseteq {\mathit{B}}_{\mathrm{f}}$. On the other hand, at the beginning of each run of ${\mathsf{P}}^{-1}$ with Z such that ${\mathtt{P}}^{-1}\left[Z\right]=\perp$, $\mathit{V}\subseteq \mathit{T}\cup \mathit{H}$. Then, $Y_{\mathrm{c}}$ is chosen from ${\Sigma }^n\backslash {\mathit{B}}_{\mathrm{b}}$, where $\mathit{H}\cup \{{\mathit{IV}}_{\mathrm{c}}\}\subseteq {\mathit{B}}_{\mathrm{b}}$. Thus, every vertex in $(\mathit{V},\mathit{E})$ has at most one incoming edge labeled with some element in ${\Sigma }^w$, and every incoming edge of ${\mathit{IV}}_{\mathrm{c}}$ is labeled with ⊥. It implies that every vertex in $(\mathit{V},\mathit{E})$ has at most one simple path from ${\mathit{IV}}_{\mathrm{c}}$ without edges labeled by ⊥. In addition, every path $(v_1,v_2,\dots ,v_l)$ with $v_1={\mathit{IV}}_{\mathrm{c}}$ is constructed only by queries to $\mathsf{P}$, and $v_i$’s are added to $(\mathit{V},\mathit{E})$ in this order. Furthermore, before $v_i$ is added to $(\mathit{V},\mathit{E})$, neither ${\pi }_0\left(v_i\right)$ nor ${\pi }_1\left(v_i\right)$ existed in $(\mathit{V},\mathit{E})$ since ${\pi }_0^{-1}\left(\mathit{T}\right)\cup {\pi }_1^{-1}\left(\mathit{T}\right)\cup \{{\pi }_0^{-1}({\mathit{IV}}_{\mathrm{c}}),{\pi }_1^{-1}({\mathit{IV}}_{\mathrm{c}})\}\subseteq {\mathit{B}}_{\mathrm{f}}$. Neither ${\pi }_0\left(v_i\right)$ nor ${\pi }_1\left(v_i\right)$ are added to $(\mathit{V},\mathit{E})$ as tails by the queries to ${\mathsf{P}}^{-1}$ after $v_i$ since ${\pi }_0\left(\mathit{H}\right)\cup {\pi }_1\left(\mathit{H}\right)\cup \{{\pi }_0({\mathit{IV}}_{\mathrm{c}}),{\pi }_1({\mathit{IV}}_{\mathrm{c}})\}\subseteq {\mathit{B}}_{\mathrm{b}}$.

Suppose that $\mathsf{findM}\left(Y\right)$ finds two paths in $(\mathit{V},\mathit{E})$ without edges labeled by ⊥. Then, one is from ${\mathit{IV}}_{\mathrm{c}}$ to ${\pi }_0^{-1}\left(Y_{\mathrm{c}}\right)$ and the other is from ${\mathit{IV}}_{\mathrm{c}}$ to ${\pi }_1^{-1}\left(Y_{\mathrm{c}}\right)$. Notice that ${\pi }_0^{-1}\left(Y_{\mathrm{c}}\right)\ne {\pi }_1^{-1}\left(Y_{\mathrm{c}}\right)$ since ${\pi }_0\left(v\right)\ne {\pi }_1\left(v\right)$ for every $v\in {\Sigma }^c$. Suppose that both paths have two or more vertices. Then, both ${\pi }_0^{-1}\left(Y_{\mathrm{c}}\right)$ and ${\pi }_1^{-1}\left(Y_{\mathrm{c}}\right)$ are elements of $\mathit{H}$, which implies that one was added to $\mathit{H}$ after the other since at most one vertex is added to $\mathit{H}$ during each run of $\mathsf{P}$. It contradicts ${\pi }_{1\oplus a}^{-1}({\pi }_a\left(\mathit{H}\right))\subseteq {\mathit{B}}_{\mathrm{f}}$ for $a\in \Sigma$. Suppose that one path is the single vertex ${\mathit{IV}}_{\mathrm{c}}$ and the other has two or more vertices. ${\pi }_a^{-1}\left(Y_{\mathrm{c}}\right)={\mathit{IV}}_{\mathrm{c}}$ contradicts ${\pi }_{1\oplus a}^{-1}({\pi }_a({\mathit{IV}}_{\mathrm{c}}))\subseteq {\mathit{B}}_{\mathrm{f}}$ for $a\in \Sigma$. Thus, $\mathsf{findM}\left(Y\right)$ finds at most a single path in $(\mathit{V},\mathit{E})$ without edges labeled by ⊥.

In G5, for a new query Y to $\mathsf{P}$, suppose that $\mathsf{findM}$ finds a path in $(\mathit{V},\mathit{E})$ and returns M corresponding to the path and Y. Then, M is a new query to $\mathsf{H}$, that is, $\mathtt{H}\left[M\right]=\perp$, and it is assigned an element chosen uniformly at random from ${\Sigma }^n$. On the other hand, for $\mathcal{H}$, the n MSBs of $v_x$ equals $\mathsf{H}\left(M\right)$. Thus, G5 is equivalent to G4, and $Pr[A^{\mathrm{G}5}=1]=Pr[A^{\mathrm{G}4}=1]$.

From G5 to G6, $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ change, which are given in Figure 19. $\mathsf{P}$ of G6 is augmented with the lines from 600 to 606 and the lines from 615 to 617. ${\mathit{H}}_A$ is the set of heads of edges in $(\mathit{V},\mathit{E})$ in the view of A. Initially, ${\mathit{H}}_A=\{\}$. These changes do not affect the output of $\mathsf{P}$. ${\mathsf{P}}^{-1}$ of G6 is augmented with the lines from 700 to 704 and the line 711. These changes do not affect the output of ${\mathsf{P}}^{-1}$. Thus, G6 is equivalent to G5, and $Pr[A^{\mathrm{G}6}=1]=Pr[A^{\mathrm{G}5}=1]$.

From G6 to G7, only $\mathcal{H}$ changes. $\mathcal{H}$ of G7 is identical to that of G8, which is given in Figure 20. In G7, $\mathcal{H}\left(M\right)$ does not call $\mathsf{P}$ and just returns $\mathsf{H}\left(M\right)$. In G7, $\mathsf{P}$ is called only by $\mathcal{P}$ and it does not receive any repeated queries. ${\mathsf{P}}^{-1}$ does not receive any repeated queries, either. Thus, $\mathit{bad}$ never gets $\mathtt{true}$ in G7. On the other hand, $\mathit{bad}$ may get $\mathtt{true}$ in G6. $|{\mathit{B}}_{\mathrm{a}}|\le 3\sigma$ since ${\mathit{B}}_{\mathrm{a}}=(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_0(\mathit{H}\backslash {\mathit{H}}_A)\cup {\pi }_1(\mathit{H}\backslash {\mathit{H}}_A)$ and $|\mathit{H}\backslash {\mathit{H}}_A|\le \sigma$. A knows at most $6(q_{\mathrm{f}}+q_{\mathrm{b}})+5$ elements in ${\mathit{B}}_{\mathrm{f}}$. Thus,

$$\left|Pr\left[A^{\mathrm{G}6}=1\right]-Pr\left[A^{\mathrm{G}7}=1\right]\right|\le Pr\left[A^{\mathrm{G}6}\mathrm{sets}\mathit{bad}\right]\le \frac{3\sigma (q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c-6(q_{\mathrm{f}}+q_{\mathrm{b}})-5}.$$

From G7 to G8, $\mathsf{P}$ and ${\mathsf{P}}^{-1}$ change. G8 is given in Figure 20. $\mathsf{P}$ of G8 is obtained from $\mathsf{P}$ of G7 by removing the lines from 600 to 606 and the lines from 615 to 617. Since $\mathsf{P}$ does not receive any repeated queries, the lines 607 and 620 are also removed. These changes do not affect the output of $\mathsf{P}$. Similarly, ${\mathsf{P}}^{-1}$ of G8 is obtained from ${\mathsf{P}}^{-1}$ of G7 by removing the lines from 700 to 704, the lines 705, 708 and 711. These changes do not affect the output of ${\mathsf{P}}^{-1}$. Thus, $Pr[A^{\mathrm{G}8}=1]=Pr[A^{\mathrm{G}7}=1]$. $(\mathsf{P},{\mathsf{P}}^{-1})$ of G8 works as a simulator S of $(P,P^{-1})$.

From the discussion above, we have

$$\begin{array}{cc}\hfill {\mathrm{Adv}}_{H_{\mathit{IV}}^{F,\{{\pi }_0,{\pi }_1\}},S}^{\mathrm{indiff}}\left(A\right)& =\left|Pr\left[A^{\mathrm{G}1}=1\right]-Pr\left[A^{\mathrm{G}8}=1\right]\right|\hfill \\ & \le Pr\left[A^{\mathrm{G}2}\mathrm{sets}\mathit{bad}\right]+Pr\left[A^{\mathrm{G}3}\mathrm{sets}\mathit{bad}\right]+Pr\left[A^{\mathrm{G}6}\mathrm{sets}\mathit{bad}\right]\hfill \\ & \le \frac{{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2}{2^b}+\frac{6{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2+5(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c}+\frac{3\sigma (q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c-6(q_{\mathrm{f}}+q_{\mathrm{b}})-5}\hfill \\ & \le \frac{12{(\sigma +q_{\mathrm{f}}+q_{\mathrm{b}})}^2}{2^c}+\frac{3\sigma (q_{\mathrm{f}}+q_{\mathrm{b}})}{2^c-6(q_{\mathrm{f}}+q_{\mathrm{b}})-5}.\hfill \end{array}$$

 ☐

7. Conclusions

In this article, a domain extension scheme which extends MDP [5] has been presented for iterated hashing. The collision resistance and indifferentiability from a random oracle of an iterated hash function using the domain extension have been confirmed under reasonable assumptions. For the pseudorandom-function property of the iterated hash function keyed via IV, readers are asked to see [6] for details.

The domain extension can also be applied to the sponge construction. The indifferentiability from a random oracle of the resultant hash function has been confirmed in the ideal permutation model.

The presented domain extension is simple and efficient. It is expected to be useful for lightweight cryptography.