Ammour K, et al. Sci China Inf Sci March 2019 Vol. 62 032112:3
claim the non-necessity of pre fix-free c omputing (PFC) for PRO MDHF by providing a counterexam-
ple. We construct an indifferentiable MDHF assuming the compression function to be ideal. Mainly, we
tweak the padding algorithm. Our padding algorithm is defined as Pad(M) := Pad
1
(M)kPad
2
(M), wher e
k is concatenation, and Pad
1
(·) and Pad
2
(·) are two suffix-free padding algorithms (refer to Section 4 for
details). The hash process is the same as strengthened MD (SMD). Note that each message block is
hashed twice. Further, Liskov et al. [23] proposed an itera ted MDHF that processes each block twice.
Our c ounterexample is not prefix-free computing, i.e., for two messages M and M
′
= Pad(M), Pad(M) is
a prefix of Pad(M
′
). We provide a definition of the simulator that permits the maintenance of consistency
with RO in order to prove the indifferentiability of our construction.
Finally, we observed that there is no relationship between LEA and the PFC property. Indeed, from
our non-PFC counterexample given above, which is PRO, we deduce that an LEA-resistant MDHF need
not be a prefix-free computing algorithm. Furthermore, we provide a simple PFC MDHF construction
that uses a permutation at its end. We show that this construction is not secure against LEA. We
conclude that the PFC property for MDHF is not necessarily secur e agains t LEA.
Paper outline. Section 2 introduces the notations and definitions used in this pa per. The related
work a bout the variants of PRO-MDHF and the common structural property der ived are provided in
Section 3. Section 4 explores the PFC non-necessity for a PRO-MDHF. Finally, in Section 5, we show
there is no relationship between the resistance against LEA and the PFC property for an MDHF.
2 Preliminaries
In this sectio n, we introduce notations and properties which will be used throughout this paper.
Notations. Let A be the distinguisher (adversary) and hM i represents the length of a message M
in bits. MDHF denotes the Merk le -Damg˚ard ha sh function, RO represents the random oracle and S
the simulator. Let CF be the compression function, Pad the padding alg orithm, PFC-MD the prefix
free computing Merkle-Damg˚ard and PFE-MD the prefix free encoding Merkle-Damg˚ard. Assigning a
random value fro m {0, 1}
n
to z is denoted by z
$
←− {0, 1}
n
.
Random oracle (RO). The fixed-input-length random oracle (FIL-RO) is defined by a func-
tion f such that f: {0, 1}
m
7→ {0, 1}
n
chooses the value f(x) randomly from {0, 1}
n
for each x ∈
{0, 1}
m
. More precisely, assume that a subset of the input-output relations of f is known: f (x
1
) =
y
1
, f(x
2
) = y
2
, . . . , f(x
t
) = y
t
. For simplicity, we denote f (X) = Y where X = {x
1
, x
2
, . . . , x
t
} and
Y = {y
1
, y
2
, . . . , y
t
}. For a ny x ∈ {0, 1}
m
\X, Pr[f(x) = y|f (X) = Y ] =
1
2
n
for any y ∈ {0, 1}
n
. In
this paper, a random oracle RO is referred to as the one with arbitrary-length inputs, whose domain
is usually denoted as {0, 1}
∗
. Let F be the set of all functions f with the same domain and range.
The compression function CF can be e qually regarde d as a function f uniformly and randomly selected
from F.
Merkle-Damg˚ard hash functions (MDHF). MD hash function uses four basic parts which are
defined as follows:
(1) An initial value IV ∈ {0, 1}
n
.
(2) An underlying compress ion function CF: {0, 1}
n+b
7→ {0, 1}
n
such that CF(h
i−1
, m
i
) = h
i
.
(3) A classica l iterated function CF
+
IV
: ({0, 1}
n+b
)
+
7→ {0, 1}
n
defined as CF
+
IV
(m
1
, . . . , m
ℓ
) =
CF(· · · CF(CF(IV, m
1
), m
2
), · · · , m
ℓ
)
(4) An injective function called padding function Pad : {0, 1}
∗
7→ ({0, 1}
b
)
+
such that for a message
M ∈ {0, 1}
∗
, Pad(M) = (m
1
, . . . , m
ℓ
) where ℓ is the number of blocks in the message M. O ne of the roles
of ℓ is to make the length of the message compatible with the domain of CF
+
IV
.
So, the classical iterated MDHF is defined for all M ∈ {0, 1}
∗
as MD
CF
IV,Pad
(M) = CF
+
IV
(Pad(M)).
Indifferentiability. According to [10, 11], the indifferentiability is defined as follows.
Definition 1. An algorithm H with access to an ideal primitive CF is said to be (t
A
, t
S
, q, ǫ) indiffer-
entiable from an ideal primitive RO if there is a simulator S such that for any distinguisher A it holds
that