0

Let $f(x)$ and $g(x)$ denote two independent, “ideal”, unkeyed, public $n$-bit permutations (two publicly known bijective functions that produce $n$-bit outputs from $n$-bit inputs), where $n$ is an arbitrary natural number greater than or equal to $3$ (the number $3$ is here because it is the minimal size of a “cryptographically significant” S-Box).

Does there exist an efficient iterative algorithm (based on $f(x)$ and $g(x)$ as the underlying functions) that allows one to construct a cryptographically secure $n$-bit hash function for $k$-bit inputs, assuming that $k$ is an arbitrary natural number greater than or equal to zero (that is, there should be no limit on the maximum length of the input)?

lyrically wicked
  • 1,337
  • 7
  • 10
  • Intermix $f$ and $g$ using Feistel network? – DannyNiu Feb 24 '20 at 05:36
  • 1
    Why can't you "just" use a Sponge construction with $f$? – SEJPM Feb 24 '20 at 09:21
  • 1
    @SEJPM: if I use a sponge construction with the single underlying $n$-bit permutation, the size of the cryptographically secure hash output will be significantly less than $n$. For example, SHA-3 uses the $1600$-bit underlying permutation, but the size of hash is $512$ bits. – lyrically wicked Feb 24 '20 at 09:41
  • 1
    @lyrically-wicked that is wrong. With a sponge you can have unbounded output, as in SHAKE. You just need to restrict the input size to n-c where c is the double of the security you target. – Ruggero Feb 24 '20 at 10:08
  • @Ruggero: If a sponge function is used, the length of hash (denoted by $n$) is determined by the fixed length $N$ of the underlying permutation, and $n$ must not be greater than $N-r-c/2$, where $c$ denotes capacity and $r$ denotes rate. The maximum possible length of input is not bounded, and the hash function uses the same underlying permutation for any length of the input. – lyrically wicked Feb 26 '20 at 04:12
  • 1
    @lyrically-wicked No. The squeezing phase, where you produce the output, can require multiple permutation calls and for each one it outputs the size of the rate. If your rate is 1, you can have hashes of 256 bits just by doing 256 permutations in the squeezing phase. – Ruggero Feb 26 '20 at 09:17
  • @Ruggero: The notion of a cryptographically secure hash implies that the size of hash coincides with the maximum possible security parameter for this size. Extending the output with SHAKE is absolutely pointless if I want to increase the length of hash (explanation can be found here). – lyrically wicked Feb 27 '20 at 05:05
  • @lyrically-wicked That is true, but it's not strictly related to the size of the permutation. If you output 512 bits and your capacity is at least 512 bits, you will have 256-bit security independently of how many permutations you perform to squeeze your 512-bit output. Of course having a capacity of 512 bits requires a permutation greater than 512 bits, but 513 bits will suffice. – Ruggero Feb 27 '20 at 08:46
  • @Ruggero: the maximum size of hash is directly determined by the width of the underlying permutation. It is not possible to output more than $c/2$ bits as the final hash. Since the width $N$ of the permutation is constant and the size of $c$ cannot be greater than $N-1$, the sponge construction does not allow one to output more than $(N-1)/2$ bits as the cryptographic hash. – lyrically wicked Feb 27 '20 at 09:21
  • @lyrically-wicked No. You keep assuming the output should come from a single call to the permutation but that's wrong. This will be my final comment. – Ruggero Feb 27 '20 at 11:21
  • @Ruggero: the fact that a sponge allows one to obtain an unbounded output does not contradict the fact that the size of a cryptographically secure hash is bounded by $c/2$, no matter how many calls to the permutation are applied in the squeezing phase. – lyrically wicked Feb 28 '20 at 04:50

2 Answers

1

If I understand the question correctly, one such possible construction would be something that was used in the SHA-3 competition candidate Grøstl, where an iterated compression function is built from two fixed permutations $P$ and $Q$:

[Image: Compression function of Grøstl]

The security proof of that construction is based on the paper: P.-A. Fouque, J. Stern, and S. Zimmer. Cryptanalysis of Tweaked Versions of SMASH and Reparation. Selected Areas in Cryptography 2008, LNCS 5381, Springer, 2009.

Kris
  • 632
  • 4
  • 8
  • 2
    The size of $P$ and $Q$ in this construction is equal to $2n$ (where $n$ is the size of hash). My question implies that the size of each of the two permutations is equal to $n$. – lyrically wicked Feb 28 '20 at 04:17
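As an added example (not code from the question, the comments, or either answer), the following Python iterates two constructed toy 16-bit Feistel permutations $P$ and $Q$, first as a sponge whose squeezing phase loops over as many rate-sized chunks as the caller asks for (the mechanism argued over in the comments above), and then as a Grøstl-style compression function $f(h,m) = P(h \oplus m) \oplus Q(m) \oplus h$ with Grøstl's final output transform, as in Kris's answer. The toy permutations, the 16-bit width, the zero initial value and the simplified 10*1 padding are assumptions made for illustration; they show only the structure and provide no security.

```python
# Toy permutations and parameters are constructed for illustration only;
# the structure (sponge vs. two-permutation compression) is the point.
N = 16                    # width of the toy permutations in bits (constructed)
HALF = N // 2
HMASK = (1 << HALF) - 1
NBYTES = N // 8

def toy_perm(x: int, const: int) -> int:
    """Constructed N-bit bijection: 8 Feistel rounds on two HALF-bit halves.
    A Feistel network is a bijection for any round function, so P and Q are genuine permutations."""
    l, r = x >> HALF, x & HMASK
    for i in range(8):
        f = ((r + const + i) * 0xA5) & HMASK
        f ^= f >> 3
        l, r = r, l ^ f
    return (l << HALF) | r

def P(x: int) -> int: return toy_perm(x, 0x1234)   # first public permutation (constructed)
def Q(x: int) -> int: return toy_perm(x, 0x5678)   # second, independent one (constructed)

def pad10star1(msg: bytes, block: int) -> bytes:
    """Sponge-style 10*1 padding on bytes: 0x80, zeros, 0x01 (or a single 0x81)."""
    rem = block - len(msg) % block
    return msg + (b"\x81" if rem == 1 else b"\x80" + b"\x00" * (rem - 2) + b"\x01")

def sponge_hash(msg: bytes, out_bytes: int, rate_bytes: int = 1) -> bytes:
    """Sponge over P with rate r = 8*rate_bytes bits and capacity c = N - r.
    out_bytes may exceed N/8: squeezing keeps calling P between rate-sized chunks."""
    r, state = 8 * rate_bytes, 0
    padded = pad10star1(msg, rate_bytes)
    for i in range(0, len(padded), rate_bytes):                    # absorb
        state ^= int.from_bytes(padded[i:i + rate_bytes], "big") << (N - r)
        state = P(state)
    out = b""
    while len(out) < out_bytes:                                    # squeeze
        out += (state >> (N - r)).to_bytes(rate_bytes, "big")
        state = P(state)
    return out[:out_bytes]

def groestl_style_hash(msg: bytes) -> bytes:
    """Groestl's f(h, m) = P(h ^ m) ^ Q(m) ^ h iterated over N-bit blocks from h = 0,
    then its output transform trunc(P(h) ^ h) to N/2 bits; Groestl's own padding appends a block counter."""
    h = 0
    padded = pad10star1(msg, NBYTES)
    for i in range(0, len(padded), NBYTES):
        m = int.from_bytes(padded[i:i + NBYTES], "big")
        h = P(h ^ m) ^ Q(m) ^ h
    return ((P(h) ^ h) & HMASK).to_bytes(HALF // 8, "big")
```

With `rate_bytes=1` the sponge produces a 32-byte digest from a 16-bit permutation by running 32 squeeze calls, whereas the Grøstl-style function returns $N/2$ bits from permutations of width $N$, which is the size relation noted in the comment above.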
0

It is impossible to construct a collision-resistant hash function from one-way permutations, via a black-box construction. Thus, the answer in principle is no; such a construction is impossible. See Finding collisions on a one-way street: Can secure hash functions be based on general assumptions? by Simon (Eurocrypt'98). This answer does not relate to heuristic constructions, but you cannot do this with a proof of security (unless it's not black box).

The question here actually relates to "ideal" permutations, and under such an assumption it may be different. (Although I'm not sure what is meant by "public" ideal.) My answer referred to (non-ideal) one-way permutations.

Yehuda Lindell
  • 27,820
  • 1
  • 66
  • 83