Creative Commons Attribution 4.0 International license
We consider the general case of tree hashing modes that make use of an underlying compression function. We consider such a tree hashing mode sound if differentiating it from a random oracle, assuming the underlying compression function is a random oracle can be proven to be hard. We demonstrate two properties that such a tree hashing mode must have for such a proof to exist. For each of the two properties we show that several solutions exist to realize them. For some given solutions we demonstrate that a simple proof of indifferentiability exists and obtain an upper bound on the differentiability probability of $q^2/2^n$ with $q$ the number of queries to the underlying compression function and $n$ its output length. Finally we give two examples of hashing modes for which this proof applies: KeccakTree and Prefix-free Merkle-Damgard.
@InProceedings{bertoni_et_al:DagSemProc.09031.15,
author = {Bertoni, Guido and Daemen, Joan and Peeters, Micha\"{e}l and Van Assche, Gilles},
title = {{Sufficient conditions for sound tree hashing modes}},
booktitle = {Symmetric Cryptography},
pages = {1--1},
series = {Dagstuhl Seminar Proceedings (DagSemProc)},
ISSN = {1862-4405},
year = {2009},
volume = {9031},
editor = {Helena Handschuh and Stefan Lucks and Bart Preneel and Phillip Rogaway},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.09031.15},
URN = {urn:nbn:de:0030-drops-19463},
doi = {10.4230/DagSemProc.09031.15},
annote = {Keywords: Tree Hashing, Indifferentiability}
}