Sufficient conditions for sound hashing using a truncated permutation

Sander van Dam
supervised by Joan Daemen
icis
10/8/2016
For my thesis I corrected and expanded upon the paper [1]. Due to the nature of my thesis, I was unable to write every part of it and also to include some mandatory parts as related work. Therefore I discussed with my supervisor (Joan Daemen) to write something about the theory behind my thesis and something about related work. That means this thesis consists of two documents. The first is a piece about the theory behind my thesis and the second is the corrected paper.

A word of thanks

First of all I'd like to thank my supervisor Joan Daemen for always giving me both very quick and extremely helpful answers to every question I had. Secondly I'd like to thank Bart Mennink for helping me with the computations of the probabilities for the proof. And, finally, I'd like to thank my parents and my fellow student Daniel Roeven for proofreading my thesis and picking it up at the printshop while I was out of the country.

[1] Sufficient conditions for sound hashing using a truncated permutation, by Joan Daemen, Tony Dusenge, and Gilles Van Assche
2 b 2 b (2 b )! n
1 2 n G
T Q X (Q) T H T I ±1 (s, p) (s,p) s s T
T (s, p) p = f(s) G/T D X D Y T = T good T bad Adv(A) ε + Pr(D Y T bad ) τ T good : Pr(D X = τ) Pr(D Y = τ) 1 ε ε Pr(D Y T bad ) Pr(D X=τ) Pr(D Y =τ) Adv(A) Pr(D Y T bad ) Pr(D X = τ) Pr(D Y = τ) comp X Ω X comp Y Ω Y
1 2 1 3 1 2 3 Q 2 /2 n+1 Q n
T F P b T P T [P] P n P n T [P] n F P n M A M A F F (M,A) h = T [F](M,A) T Z M A Z = T ( M,A) F F Z Z M F h = T [F](M,A) S F S = Z[F](M,Z) h = F(S ) S S
h = T [F](M,A) Z = T ( M,A) S = Z[F](M,Z) h = F(S ) A M M A A ( M,A) Z Z α α S α α (α) α (α) Z α Z β α = (β) Z α Z β Z α Z β α 0,α 1,α d 1 α = α 0 α i 1 = (α i ) α d 1 = (β) Z β Z α d Z α Z β Z α α Z J J Z J Z α Z α [x] 0 x< Z α S α A M A Z Z α [x] S α [x] [0, M 1] M Z M[y] S α [x] y Z α [x] F β
F Z F(S β )[y] S α [x] β Z α [x] y S α c α Adv(A) = (X; Y ) (X; Y ) T (s, p) p = f(s) G/T D X D Y T = T good T bad Adv(A) ε + Pr(D Y T bad ) τ T good : Pr(D X = τ) Pr(D Y = τ) 1 ε ε Pr(D Y T bad ) Pr(D X=τ) Pr(D Y =τ) Adv(A) Pr(D Y T bad ) Pr(D X = τ) Pr(D Y = τ) comp X Ω X comp Y Ω Y ε A T T F F n F n
T [F] (M,A) (M,A ) S S S = S F n F n F n T A S J S T A S T A β J (β) J S (β) n 1 β S A A O(m) m S A A T T [F] F n T T [F] T ( M,A) M A S T S M 1 A O(m) m S T h = T [F](M) M h = T [F](M ) M M M T T (M,A) (M,A ) α T ( M,A) S S α S S (M,A) (M,A )
T P n P 1 S α S P n (S α ) n c S α S P 1 (c x) b X X S α X S S S P 1 (p) X n x n x n T Z α T Z α n Z β T Z β n T T P G RO T [P] P P P 1 H (M,A) M Z 2 A y Z n 2 y = T [P](M,A) I ±1 I +1 s Z b 2 p Zb 2 p = P(s) I 1 p Z b 2 s Zb 2 s = P 1 (p) G S RO G S G H n (M,A) I ±1 I +1 I 1 S G S P G[RO] T [P] RO S[RO] G[RO] S I +1 (s) I +1 (s ) s s I 1 (p) I 1 (p ) p p p = I +1 (s) s = I 1 (p)
T [P] G[RO] S Q X (T [P], P) (G[RO], S[RO]) Q X H Q H I ±1 Q I ±1 Q H Q H,i =(M i,a i ) Q I ±1 Q I ±1,i =(k, f) k Z b 2 f k I+1 I 1 T T Q X (Q) T H T I ±1 Q I ±1 X (Q H )=T [X (Q I ±1)](Q H ) q X P P 1 X =(T [P], P) Q I ±1 Q H T [P] Q I ±1,i P P 1 Q H,i =(M i,a i ) H f T ( M i,a i ) T A i M i f T ( M,A) T [P] P A M f T ( M,A) T ( M,A) Q I ±1,i Q H,i T T T (M,Z) (s, p, a, c) T s T (M,Z)
s T T S s = S S J S β S J c β (S β,p,, ) T p n = c β M A S s T (M,Z) S T (M,Z) T (s, p) T I +1 I 1 T + T T + T T T + T n T (s, p) (s,p ) T s s s s p n = p n n T s (M,Z) s T c β (s, p) T + p n = c β n β (s, p,, ) T + p n = c β n T + S n T + T + T s T + MZ c J = { } S = s Z = s A (S J) Z c β S J (s,p,, ) T + p n = c J = J {β} S β = s Z β = s (s,p,, ) T + c (s,p,, ) T + p n = c A (S J ) Z J A (S J) Z J S J M S J Z J (M,Z) S[RO] T C
S[RO] T = T + T (,,,IV) p = I +1 (s) s, p Z b 2 (s, t,, ) T p = t (M,Z) p G(M,Z) b n) p T + T + (s, p,, ) c p Z b 2 \ T r T + T + (s, p,,c) n p Z b 2 \ T r T + T + (s, p,, { p n }) p s = I 1 (p) s, p Z b 2 (i, p,, ) T s = i s Z b 2 \ T l T T (s, p,, { s n }) s C T (s, p, a, c) s, p Z b 2 a c c T l T r I +1 (s) s T l (s, p, a, c) T I 1 (p) p T r (s, p, a, c) T I +1 (s) s / T l p T r I 1 (p) p / T r s T l T I +1 (s) s T I 1 T c n c T T c T I +1 (s) T p n c I 1 (p) s n T c s s n = s n
I +1 (s) c T T c c T C C c T T G[RO] I +1 (s) T s T (M,Z) G[RO] (M,Z) T n G[RO](M,Z) (b n) b p p T l s (M,Z) p T r

$(x)_n = x(x-1)(x-2)\cdots(x-n+1)$

T (s, p, a, c) s p a T c a T c a T c c T c { p n } I c { s n } (s, p, a, c) (s,p,a,c ) c = c T T = T succes T nosucces
T succes q 1 T nosucces q 2 q 1 q 2 i q 1 + q 2 Q Q 1 Q 2 D X = T D Y = T Ω comp

$\Omega_X = 2^b!$, $\mathrm{comp}_X = (2^b - Q)!$

$$\Pr(D_X = T) = \frac{\mathrm{comp}_X}{\Omega_X} = \frac{(2^b - Q)!}{2^b!} = (2^b)_Q^{-1}$$

2 b 1 2 b i δ(i) 0 i q 1 1 i q 2 Pr(D Y = T )= Q i=1 1 2 b δ(i)i Q Pr(D X = T ) Pr(D Y = T ) = q=1 2b δ(q)q (2 b ) Q i 2 b i Pr(D X = T ) 2 b (A) E+ D Y T bad (A) D Y T bad
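q 1 q 2 i i i 2 b q 2 2 n i 2 n

$$\Pr(D_Y \in T_{bad}) \le \sum_{q_1=0}^{Q_1-1} \frac{q_1}{2^b} + \sum_{q_2=0}^{Q_2-1} \frac{q_2}{2^n} = \frac{Q_1(Q_1-1)}{2 \cdot 2^b} + \frac{Q_2(Q_2-1)}{2 \cdot 2^n} = \frac{Q_1(Q_1-1)}{2^{b+1}} + \frac{Q_2(Q_2-1)}{2^{n+1}}.$$

$b \ge n$, $Q_1 = 0$, $Q_2 = Q$:

$$\frac{Q_1(Q_1-1)}{2^{b+1}} + \frac{Q_2(Q_2-1)}{2^{n+1}} \le \frac{Q(Q-1)}{2^{n+1}}$$

$$\mathrm{Adv}(A) \le \frac{Q(Q-1)}{2^{n+1}} \le \frac{Q^2}{2^{n+1}}.$$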
F P n M F M F M A F F
F T M 0 M 0 CV 2 M M M M 1 F(01 M 1 ) h = T [F](M) M T [F](M ) M M h M CV 0 h M M = M M 2 M 3 M