We show that any n-bit hash function that uses the FP mode is indifferentiable from a random oracle up to $2^{n/2}$ queries (up to a constant factor), provided the underlying 2n-bit permutation is free from structural weaknesses. Based on further analysis and experiments, we conjecture that the FP mode resists all non-trivial generic attacks with work less than brute force, mainly because of its large internal state. We compare the FP mode with other permutation-based hash modes and observe that it has the best security/rate trade-off to date.
To put this into perspective, our second contribution is a proposal for a concrete hash function, SAMOSA, built on the new mode and the $P$-permutations of the SHA-3 finalist Groestl. Based on our analysis, we claim that the SAMOSA family cannot be attacked with work significantly less than brute force. We also provide hardware implementation (FPGA) results for SAMOSA to compare it with the SHA-3 finalists. In our implementations, the SAMOSA family consistently beats Groestl, Blake and Skein in throughput-to-area ratio. With a more efficient underlying permutation, it seems possible to design a hash function based on the FP mode that achieves even higher performance.

Category / Keywords: secret-key cryptography / hash mode, indifferentiability, permutation, FPGA implementation
Publication Info: Indocrypt 2012
Date: received 21 Oct 2012, last revised 22 Oct 2012
Contact author: souradyuti paul at gmail com
Version: 20121025:125319
Short URL: ia.cr/2012/597