Paper 2009/199

Indifferentiability with Distinguishers: Why Shabal\Does Not Require Ideal Ciphers

Emmanuel Bresson, Anne Canteaut, Benoit Chevallier-Mames, Christophe Clavier, Thomas Fuhr, Aline Gouget, Thomas Icart, Jean-Francois Misarsky, Maria Naya-Plasencia, Pascal Paillier, Thomas Pornin, Jean-Rene Reinhard, Celine Thuillet, and Marion Videau

Abstract

Shabal is based on a new provably secure mode of operation. Some related-key distinguishers for the underlying keyed permutation have been exhibited recently by Aumasson et al. and Knudsen et al., but with no visible impact on the security of Shabal. This paper then aims at extensively studying such distinguishers for the keyed permutation used in Shabal, and at clarifying the impact that they exert on the security of the full hash function. Most interestingly, a new security proof for Shabal's mode of operation is provided where the keyed permutation is not assumed to be an ideal cipher anymore, but observes a distinguishing property i.e., an explicit relation verified by all its inputs and outputs. As a consequence of this extended proof, all known distinguishers for the keyed permutation are proven not to weaken the security of Shabal. In our study, we provide the foundation of a generalization of the indifferentiability framework to biased random primitives, this part being of independent interest

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
hash functions
Contact author(s)
Anne Canteaut @ inria fr
History
2009-05-20: received
Short URL
https://ia.cr/2009/199
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/199,
      author = {Emmanuel Bresson and Anne Canteaut and Benoit Chevallier-Mames and Christophe Clavier and Thomas Fuhr and Aline Gouget and Thomas Icart and Jean-Francois Misarsky and Maria Naya-Plasencia and Pascal Paillier and Thomas Pornin and Jean-Rene Reinhard and Celine Thuillet and Marion Videau},
      title = {Indifferentiability with Distinguishers: Why Shabal\Does Not Require Ideal Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2009/199},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/199}},
      url = {https://eprint.iacr.org/2009/199}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.