Indifferentiability security of a hash mode of operation guarantees the mode's resistance against all generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function was one of the five finalists in the National Institute of Standards and Technology SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode has remained remarkably low, only at n/3 bits, while the two finalist modes Keccak and Grøstl offer a security guarantee of n/2 bits. Note all these three modes operate with n-bit digest and 2n-bit permutations. In this paper, we improve the indifferentiability security bound for the JH mode to n/2 bits (e.g. from approximately 171 to 256 bits when n = 512). To put this into perspective, our result guarantees the absence of (non-trivial) attacks on both JH-256 and JH-512 hash functions with time less than approximately 2^256 computations of the underlying 1024-bit permutation, under the assumption that the underlying permutations can be modeled as an ideal permutation. Our bounds are optimal for JH-256, and the best-known for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and bad events. Our experimental data strongly supports the theoretically obtained results.
Citation: Designs Codes and Cryptography
Pub Type: Journals
hash functions, indifferentiability, JH mode of operation, security