Subversion Resilient Hashing: Efficient Constructions and Modular Proofs for Crooked Indifferentiability

IEEE Transactions on Information Theory (2023)

Abstract
We consider the problem of constructing secure cryptographic hash functions from subverted ideal primitives. Hash functions are used to instantiate random oracles in cryptographic protocols, and the indifferentiability security notion is the standard tool for certifying the structural soundness of a hash design for such instantiations. At CRYPTO 2018, Russell, Tang, Yung, and Zhou introduced the notion of crooked indifferentiability to extend this paradigm to the case where the underlying primitive of the hashing mode is subverted. They showed that an $n$-to-$n$-bit function built from the Enveloped XOR construction (EXor), using $3n+1$ independent $n$-to-$n$-bit functions and a $3n^{2}$-bit random seed, is asymptotically secure in the crooked-indifferentiability setting. Unfortunately, the known techniques for proving crooked indifferentiability are extremely complicated, and no practical hashing mode has been analyzed in this setting. Our contributions are as follows. 1) We introduce new techniques for proving crooked indifferentiability. We establish that upper bounding the probability that a chaining query is subverted is sufficient to argue subversion resistance of a standard indifferentiable mode of operation. This technique links standard indifferentiability to crooked indifferentiability and sidesteps the difficulty of proving consistency of the simulator in the crooked setting. 2) We prove crooked indifferentiability of the sponge construction when the underlying primitive is modelled as an $n$-to-$n$-bit random function. Our proof requires only an $n$-bit randomly chosen but fixed IV and imposes no independent-function requirement. The result extends naturally to the Merkle-Damgård domain extension with prefix-free padding. Our results minimize the required randomness and solve the main open problem raised by Russell, Tang, Yung, and Zhou.
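The abstract's central event, a chaining query of the sponge landing on an input where the subverted implementation $\tilde{f}$ deviates from the ideal $f$, can be made concrete with a toy model. The following is an added illustration written for this page; it is not the paper's construction, proof, or code. It assumes a toy width of $n = 24$ bits with an 8-bit rate, a keyed SHA-256 standing in for the $n$-to-$n$-bit random function $f$, and a subverter who fixes a pseudorandom $\varepsilon$-fraction of crooked inputs (keyed by its own secret) before the IV is sampled. It measures how often a chaining query hits the crooked set, compares that to the union bound over the number of primitive calls, and contrasts it with a subverter who learns the IV before committing $\tilde{f}$ and can therefore crook the very first chaining query of any message it likes. The names `random_function`, `crooked_function`, `sponge`, `targeted_crooked`, `chaining_hit_rate` and `demo` are this example's own, not the paper's.

```python
"""Toy model of a crooked primitive inside a sponge (added illustration).

Assumptions (not from the paper): n = 24-bit state, r = 8-bit rate, the ideal
primitive f is a keyed SHA-256 truncated to n bits, and the subverted
implementation f~ agrees with f except on an eps-fraction of inputs that the
subverter fixed before the sponge IV was sampled.
"""
import hashlib
import random

N = 24               # toy state width n (bits)
R = 8                # rate r; message bytes enter the outer R bits
C = N - R            # capacity c
MASK = (1 << N) - 1


def random_function(key: bytes):
    """Stand-in for an n-to-n-bit random function f (keyed so runs are reproducible)."""
    def f(x: int) -> int:
        d = hashlib.sha256(key + x.to_bytes(4, "big")).digest()
        return int.from_bytes(d[:4], "big") & MASK
    return f


def crooked_function(f, subverter_key: bytes, eps: float):
    """Oblivious subverter: f~ equals f except on a pseudorandom eps-fraction of
    inputs chosen from subverter_key alone, i.e. before the IV exists.
    Returns (f~, is_crooked)."""
    threshold = int(eps * (1 << 32))

    def is_crooked(x: int) -> bool:
        d = hashlib.sha256(subverter_key + x.to_bytes(4, "big")).digest()
        return int.from_bytes(d[:4], "big") < threshold

    def f_tilde(x: int) -> int:
        return f(x) ^ 1 if is_crooked(x) else f(x)   # flip one bit on crooked inputs

    return f_tilde, is_crooked


def sponge(msg: bytes, prim, iv: int):
    """Absorb one-byte blocks (plus a 0x80 pad byte) into the outer R bits of the
    state, starting from the fixed IV; squeeze the outer R bits once.
    Returns (digest, chaining_queries), the latter being every input fed to prim."""
    state = iv
    queries = []
    for block in msg + b"\x80":
        state ^= block << C
        queries.append(state)
        state = prim(state)
    return state >> C, queries


def targeted_crooked(f, iv: int, first_block: int):
    """Adaptive subverter who learned the IV before committing f~: it crooks exactly
    the first chaining query iv ^ (first_block << C), so every message starting
    with first_block is evaluated on a subverted point. Returns (f~, is_crooked)."""
    target = iv ^ (first_block << C)

    def is_crooked(x: int) -> bool:
        return x == target

    def f_tilde(x: int) -> int:
        return f(x) ^ 1 if x == target else f(x)

    return f_tilde, is_crooked


def chaining_hit_rate(f_tilde, is_crooked, iv: int, msgs) -> float:
    """Fraction of messages for which at least one chaining query is crooked
    (the event whose probability the abstract says suffices to bound)."""
    hits = sum(any(is_crooked(q) for q in sponge(m, f_tilde, iv)[1]) for m in msgs)
    return hits / len(msgs)


def demo():
    """Oblivious subverter vs. union bound, and the IV-known failure mode."""
    f = random_function(b"ideal-primitive-key")            # constructed key
    eps = 1 / 64
    f_tilde, is_crooked = crooked_function(f, b"subverter-key", eps)
    iv = random.Random(7).randrange(1 << N)                 # sampled AFTER f~ is fixed
    rng = random.Random(1)
    msgs = [bytes(rng.randrange(256) for _ in range(3)) for _ in range(2000)]
    queries_per_msg = 4                                     # 3 message bytes + pad byte
    oblivious = chaining_hit_rate(f_tilde, is_crooked, iv, msgs)
    bound = queries_per_msg * eps                           # union bound over chaining queries
    # Failure mode: subverter commits f~ only after seeing the IV.
    t_tilde, t_crooked = targeted_crooked(f, iv, 0x41)
    targeted = chaining_hit_rate(t_tilde, t_crooked, iv, [b"A" + m[1:] for m in msgs])
    return {"oblivious_rate": oblivious, "bound": bound, "targeted_rate": targeted}


if __name__ == "__main__":
    print(demo())
```

The oblivious rate stays below the union bound $q \cdot \varepsilon$ because the random IV makes each chaining query an input the subverter could not have singled out in advance; the targeted rate is 1.0, which is why the abstract insists the IV be chosen at random after the implementation is fixed, not merely be a public constant.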
Keywords
Cryptographic hash function