Generic Indifferentiability Proofs of Hash Designs

Hash functions are the swiss army knife of cryptographers. They are used to generate unique identifiers in hash-and-sign signatures, as one-way functions for one-time-password, to break the structure of the input in key derivation functions and also for authentications. We propose a formal analysis of domain extenders for hash functions in the in differentiability framework. We define a general model for domain extenders and provide a unified proof of their security in the form of a generic reduction theorem. Our general model captures many iterated constructions such as domain extenders, modes of operation of symmetric cryptography such as CBC-MAC or block ciphers based on Feistel networks. Its proof has been carried out using the Computational Indistinguishability Logic of Barthe et al.. The theorem can help designers of hash functions justifying the security of their constructions: they only need to bound the probability of well-defined events. Our model allows to consider many SHA-3 finalists and is instantiated on two well-known constructions, namely Chop-MD and Sponge. Finally, the in differentiability bounds which we prove are convincing since they match previous proofs and the application of our result on the sponge construction (underlying the Keccak design) highlights the lack of an additional term in the bound provided by Bertoni et al., as was anticipated but not justified by Bresson et al..