Improved Indifferentiability Security Analysis of chopMD Hash Function

The classical design principle Merkle-Damg̊ard [13, 6] is scrutinized by many ways such as Joux’s multicollision attack, Kelsey-Schneier second preimage attack etc. In TCC’04, Maurer et al. introduced a strong security notion called as “indifferentiability” for a hash function based on a compression function. The classical design principle is also insecure against this strong security notion whereas chopMD hash is secure with the security bound roughly σ/2 where s is the number of chopped bits and σ is the total number of message blocks queried by a distinguisher. In case of n = 2s where n is the output size of a compression function, the value σ to get a significant bound is 2 which is the birthday complexity, where the hash output size is s-bit. In this paper, we present an improved security bound for chopMD. The improved bound shown in this paper is (3(n−s)+1)q/2+q/2+σ/2 where q is the total number of queries. In case of n = 2s, chopMD is indifferentiably-secure if q = O(2/(3s + 1)) and σ = O(2) which are beyond the birthday complexity. We also present a design principle for an n-bit hash function based on a compression function f : {0, 1} → {0, 1} and show that the indifferentiability security bound for this hash function is roughly (3n + 1)σ/2. So, the new design of hash function is second-preimage and r-multicollision secure as long as the query complexity (the number of message blocks queried) of an attacker is less than 2/(3n + 1) or 2 respectively.