I am trying to build a public hash function (thus collision-resistant and preimage-resistant, and more generally behaving like a random oracle), with input a message $M$ of fixed size $|M|=m\cdot b$ bits, and output the hash $H(M)$ of fixed size $|H(M)|=h\cdot b$ bits, using as the single primitive a $b$-bit block cipher with key of $k\cdot b$ bits, operated in CBC-encryption mode.
One of the motivation of the construction is to maintain the confidentiality of the message under DPA attacks, assuming that the implementation of the cipher in CBC-encryption mode is DPA-protected. I thus require that all message-dependent data is manipulated using the $P$ and $K$ inputs of that trusted primitive: $$F(K,IV,s,P)\to C\text{ with }|K|=k\cdot b,|IV|=b,s>0,|P|=|C|=s\cdot b,$$ $$C[0]=\text{ENC}_K(P[0]\oplus IV), C[j]=\text{ENC}_K(P[j]\oplus C_{j-1})\mathsf{\text{ if }}1\le j<s.$$
I would like security beyond that of the underlying block cipher by a security parameter $q$, with an argument that any attack requires $2^{b\cdot q}$ queries to an encryption or decryption oracle implementing $\text{ENC}$ and the corresponding decryption, for some suitable definition of security/attack which, uh, is part of the question (in particular it seems necessary to restrict the amount of memory usable by the attacker, including but not limited to as a cache for the oracle). Performance is secondary (one envisioned application is a slow KDF), a security argument (or better proof) is a must, simplicity matters.
Assume there is enough memory for the whole message, and then some. Assume at least $\min(b,k\cdot\lceil b/2\rceil)$ bits of the block cipher's key are effective (which rules out simple-DES). A typical setup could be 3DES thus $b=64$, $k=3$, and $m=64$ ($4096$-bit input), $h=8$ ($512$-bit output), $q=4$ (security of $2^{256}$ block cipher queries or memory accesses). Assume $m\ge h>1$, and if that helps assume $m\gg h$ or/and $h\gg k$ or/and $k=1$ (e.g. AES-128, ignoring attacks marginally reducing its effective key size).
What appropriate definition(s) of security are applicable?
I apologize for late realization that this is an issue, and corresponding introduction of security parameter $q$. I now think I want a collision-resistant Universal One-Way Hash Function family per this terminology.
Is there some standard construction that fits?
My review of the existing found a few hashes made from block ciphers, but suitable for $h\le2$ only, not neatly constructible from my primitive when $h>1$, and aiming at efficiency rather than a strong security argument.
If nothing standard exists, my simplest candidate is the following CBC-HASH:
- assume an arbitrary public parameter $P$ of $p\ge k$ blocks which right $k$ blocks are suitable as an initial key for the cipher ($P$ parameterize the UOWHF family; in the simplest/original setup, $p=k$);
- append $P$ to message $M$ forming $X_0$ of $m+p$ blocks $X_0[j]$, that is $M[j]\to X_0[j]\mathsf{\text{ if }}0\le j<m, K[j]\to X_0[m+j]\mathsf{\text{ if }}0\le j<p$;
- repeat for $n$ rounds, numbered $r$ from $0$ to $n-1$:
- set $K_r$ as the right $k$ blocks of $X_r$, that is $X_r[m+p-k+j]\to K_r[j]\mathsf{\text{ if }}0\le j<k$;
- CBC-encipher $X_r$ using key $K_r$ and the $b$-bit big-endian representation of $r$ as $IV$, giving $X_{r+1}$, that is $F(K_r,(r)_b,m+p,X_r)\to X_{r+1}$;
- set output $H=H(M)$ as the right $h$ blocks of the left $m$ blocks of $X_n$, that is $X_r[m-h+j]\to H[j]\mathsf{\text{ if }}0\le j<h$.
Now I am wondering how the number of rounds $n$ and the size $p$ of the initial padding shall be chosen from $q$, $h$, $m$, $k$ (perhaps $b$), and the limits on parameters for a security argument.
Can you justify, prove, improve, break, or fix CBC-HASH?
The scheme now incorporates parameter $p$ controlling the size of the UOWHF family. I retract an earlier guess on $n$ made without even a clear security definition. I hereby vow to stop modifying this question except for fixing obvious typos; any addition will be an answer.
