Sequential Hashing with Minimum Padding

This article presents a sequential domain extension scheme with minimum padding for hashing using a compression function. The proposed domain extension scheme is free from the length extension property. The collision resistance of a hash function using the proposed domain extension is shown to be reduced to the collision resistance and the everywhere preimage resistance of the underlying compression function in the standard model, where the compression function is assumed to be chosen at random from a function family in some efficient way. Its indifferentiability from a random oracle up to the birthday bound is also shown on the assumption that the underlying compression function is a fixed-input-length random oracle or the Davies-Meyer mode of a block cipher chosen uniformly at random. The proposed domain extension is also applied to the sponge construction and the resultant hash function is shown to be indifferentiable from a random oracle up to the birthday bound in the ideal permutation model. The proposed domain extension scheme is expected to be useful for processing short messages.


Background
A cryptographic hash function takes as input a sequence of arbitrary length and produces as output a sequence of fixed length. It usually consists of a primitive and a domain extension scheme. A primitive is a compression function or a permutation, which takes a fixed-length input and produces a fixed-length output. A domain extension scheme specifies how to process an input sequence of arbitrary length using a primitive with fixed input length.
The standardized hash functions SHA-2 [1] use dedicated compression functions and a domain extension scheme due to Merkle [2] and Damgård [3]. The domain extension scheme is called strengthened Merkle-Damgård (SMD). It is a sequential iteration of a compression function, and its padding algorithm appends the binary representation of the length of the input message, which is called MD strengthening.
A positive point of SMD is its preservation of collision resistance. Namely, a hash function using SMD satisfies collision resistance if its underlying compression function satisfies it. On the other hand, a negative point of SMD is its length extension property. Due to this property, the MAC function HMAC [4] invokes the underlying hash function twice, which causes inefficiency for short messages. The other negative point is that the message blocks after padding may include a block consisting only of the padding sequence, which needs an additional call to the compression function.
A domain extension scheme with minimum padding and free from the length extension property seems useful, especially for processing short messages. Informally, we say that padding is minimum if the produced message blocks include no block consisting only of the padding sequence for any non-empty input message.

Our Contribution
This article first presents a sequential domain extension scheme with minimum padding for hashing using a compression function. The padding function of the domain extension is not injective. It extends the MDP domain extension [5] and uses two distinct permutations for domain separation. The permutations also prevent the length extension property. The permutations need not be cryptographic transformations; a typical candidate for them is bitwise XOR with a nonzero constant.
Then, the security properties of a hash function using the proposed domain extension are analyzed. The properties considered are collision resistance and indifferentiability.
The proposed domain extension does not preserve collision resistance. However, it is shown that the collision resistance of a hash function using the domain extension is reduced to the collision resistance and the everywhere preimage resistance of the underlying compression function.
It is also shown that a hash function using the domain extension is indifferentiable from a variable-input-length random oracle (VIL RO) up to the birthday bound if the underlying compression function is a fixed-input-length random oracle (FIL RO) or the Davies-Meyer mode of a block cipher chosen uniformly at random.
The proposed domain extension scheme can also be applied to the sponge construction in a straightforward way. It is shown that the resultant hash function is indifferentiable from a VIL RO up to the birthday bound if the underlying permutation is chosen uniformly at random.

Related Work
The presented domain extension of hashing was first considered for a pseudorandom function using a compression function [6]. It is shown in [6] that keying via IV the domain extension presented in the current article produces a pseudorandom function if the underlying compression function is a pseudorandom function against related-key attacks with respect to the permutations used in the domain extension.
There are many proposals for domain extension of hashing. On the other hand, little attention has been paid to padding.
The most related work was done by Bagheri et al. [7]. They proposed a generic scheme to construct an iterated hash function which requires neither a fixed IV nor MD strengthening. Their scheme uses three distinct compression functions to obtain the prefix-free and suffix-free properties. It assumes an injective padding function. They also showed that their hash function is indifferentiable from a VIL RO if the underlying compression functions are FIL ROs.
Nandi [8] showed that the suffix-free property of padding is necessary and sufficient for the plain MD domain extension to preserve collision resistance. He also presented a suffix-free padding scheme which works for any input message M of arbitrary length. It appends O(log |M|) bits to M. The padding scheme for SHA-2, which is based on Merkle's [2], also appends only O(log |M|) bits. However, it works only for input messages of bounded length.
Coron et al. [9] formalized the indifferentiability notion for hash functions in the framework of Maurer et al. [10]. They also showed the indifferentiability of the following domain extension schemes: prefix-free plain MD, plain MD with output truncation (chopMD), the NMAC construction, and the HMAC construction, where the HMAC construction is rather different from the MAC function HMAC [4]. They assumed injective padding. Their work was followed by Chang et al. [11,12].
Bellare and Ristenpart introduced the notion of multi-property preservation for domain extension [13]. They also presented the EMD (enveloped MD) domain extension and showed that it preserves collision resistance, the pseudorandom-function property, and indifferentiability, assuming injective padding.
Merkle-Damgård with permutation (MDP) [5] is a variant of plain MD which prevents its length-extension property. A typical example of MDP was presented by Kelsey in [14]. It uses bitwise XOR with a nonzero constant for the permutation. Minimum padding is already common among MAC functions based on a block cipher, such as CMAC [15] and PMAC [16]. The idea of finalizing the iteration with multiple non-cryptographic transformations for domain separation is used in the secure CBC-MAC variants GCBC1 and GCBC2 [17].
Sarkar [18] presented a domain extension scheme preserving collision resistance based on directed acyclic graphs. Bertoni et al. [19] formulated sufficient conditions for domain extension schemes, covering both tree and sequential structures, to be indifferentiable up to the birthday bound. Based on these sufficient conditions, a coding scheme for tree domain extension schemes is specified in [20], which also covers sequential domain extension schemes.
The sponge construction [21] is a scheme to construct a hash function using a function whose input length equals its output length, which is typically a permutation. It was invented for the SHA-3 hash function [22]. It is adopted by lightweight hash functions such as PHOTON [23] and SPONGENT [24]. It has also been extended to design cryptographic schemes such as authenticated encryption [25].

Organization
Section 2 gives the notations used in this article and defines some security properties required of cryptographic hash functions. The proposed scheme is described in Section 3. The collision resistance of the proposed hash function is discussed in the standard model in Section 4. Indifferentiability is discussed in Section 5. The proposed domain extension is applied to the sponge construction in Section 6. A concluding remark is given in Section 7.

Notations
For binary sequences x and y, let x‖y be their concatenation. The empty sequence is denoted by ε. The operation of selecting an element from a set S uniformly at random and assigning it to s is denoted by s ← S.

Collision Resistance and Preimage Resistance
In this section, collision resistance and everywhere preimage resistance [26] are defined in the standard model. To do so, a family of hash functions should be introduced. Suppose that h is a hash function chosen at random from some set of hash functions from X to Y in some efficient way.
Let A be an adversary which is given h as input and tries to find a collision pair for h. A collision pair for h is a pair of distinct inputs mapped to the same output by h. The col-advantage of A against h is denoted by Adv^{col}_h(A), where the probability is taken over the coin tosses by A and the distribution of h. Let A be an adversary which is given h as input and tries to find a preimage of an output for h. The pre-advantage of A against h is denoted by Adv^{epre}_h(A), where the probability is taken over the coin tosses by A and the distribution of h.

Indifferentiability from Random Oracle
Maurer et al. [10] formalized the notion of indifferentiability as a generalized notion of indistinguishability. Then, Coron et al. [9] tailored it for the security analysis of hash functions.
Let C be an algorithm with oracle access to an ideal primitive P. In this article, C is a domain extension scheme using P with fixed input length, and C^P defines a hash function. Let R be a VIL random oracle and S be a simulator which has oracle access to R. S^R simulates P in order to convince an adversary that R is C^P. The indiff-advantage of adversary A against (C, S) is the difference between the probabilities that A outputs 1 when interacting with (C^P, P) and with (R, S^R), where the probabilities are taken over the coin tosses by A and S and the oracles R and P. C^P and R are called VIL oracles, and P and S^R are called FIL oracles.

Proposed Scheme
The proposed hash function consists of a compression function F : Σ^n × Σ^w → Σ^n, permutations π_0 and π_1 over Σ^n, and an initialization vector IV ∈ Σ^n. For π_0 and π_1, it is assumed that π_0(u) ≠ u, π_1(u) ≠ u and π_0(u) ≠ π_1(u) for every u ∈ Σ^n. Let π be a permutation over Σ^n. For 1 ≤ i ≤ x, let X_i ∈ Σ^w. For M ∈ Σ^*, the padding function pad is defined as follows, where d is the smallest non-negative integer such that |M| + 1 + d ≡ 0 (mod w). The length of any output of pad is a positive multiple of w. In particular, pad(ε) = 10^{w−1}. If |M| > 0, then |pad(M)| = w⌈|M|/w⌉. The proposed hash function H^{F,{π0,π1}}_IV : Σ^* → Σ^n is defined as follows. It is also depicted in Figure 1.
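As an added example (not code from the paper), the following Python instantiates the padding and the hash function described above, and also the block-count comparison with SMD from the Background, at byte granularity. Assumptions not fixed by the text: SHA-256 truncated to n bytes stands in for F, π_0 and π_1 are XOR with two distinct nonzero constants, the permutation is applied to the chaining value before the last block (the MDP pattern), the SMD length field is 8 bytes as in SHA-256, and w, n, IV and the constants are constructed.

```python
import hashlib

W = 16          # block length w (bytes; the paper works in bits, multiples of 8 here)
N = 16          # chaining-value and output length n (bytes)
IV = bytes(N)   # constructed initialization vector

# pi_0 and pi_1: bitwise XOR with two distinct nonzero constants, the typical
# candidate named above. pi_i(u) != u and pi_0(u) != pi_1(u) hold for every u.
C0 = bytes([0x5c] * N)
C1 = bytes([0x36] * N)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pi(i: int, v: bytes) -> bytes:
    return xor(v, C0 if i == 0 else C1)


def F(v: bytes, X: bytes) -> bytes:
    """Stand-in compression function Sigma^n x Sigma^w -> Sigma^n (assumption:
    SHA-256 truncated to n bytes; the scheme accepts any compression function)."""
    assert len(v) == N and len(X) == W
    return hashlib.sha256(v + X).digest()[:N]


def needs_padding(M: bytes) -> bool:
    # Padding is appended only if M is empty or w does not divide |M|, so no
    # block ever consists of padding alone (minimum padding).
    return len(M) == 0 or len(M) % W != 0


def pad(M: bytes) -> bytes:
    """pad(M) = M || 1 || 0^d with d the smallest d >= 0 such that
    |M| + 1 + d = 0 (mod w); at byte granularity the '1' bit is the byte 0x80.
    Nothing is appended when |M| > 0 and w divides |M|, so pad is not injective.
    pad(b'') is 0x80 followed by w-1 zero bytes, i.e. 10^{w-1}."""
    if not needs_padding(M):
        return M
    d = (-(len(M) + 1)) % W
    return M + b"\x80" + bytes(d)


def blocks(s: bytes) -> list:
    return [s[j:j + W] for j in range(0, len(s), W)]


def H(M: bytes, perms=(0, 1)) -> bytes:
    """H^{F,{pi0,pi1}}_IV(M). Assumed MDP-style iteration: v_i = F(v_{i-1}, X_i)
    for all but the last block, then F(pi(v_{m-1}), X_m), where pi is pi_0 if
    padding was appended and pi_1 otherwise. `perms` exists only so that the
    demo below can show what a single permutation would do."""
    Xs = blocks(pad(M))
    i = perms[0] if needs_padding(M) else perms[1]
    v = IV
    for X in Xs[:-1]:
        v = F(v, X)
    return F(pi(i, v), Xs[-1])


def compression_calls(M: bytes) -> int:
    """Calls to F made by H: ceil(|M|/w) for non-empty M and 1 for M = ''."""
    return len(blocks(pad(M)))


def smd_compression_calls(M: bytes, length_field: int = 8) -> int:
    """Comparison: SMD appends 0x80, zero bytes and a length field (assumed
    8 bytes as in SHA-256), so a w-byte message already costs two calls."""
    return -(-(len(M) + 1 + length_field) // W)


def padding_collision_demo() -> tuple:
    """pad('') == pad(0x80 || 0^{w-1}), yet H separates the two messages
    because one uses pi_0 and the other pi_1; with a single permutation
    (perms=(0, 0)) the same pad output would collide."""
    M1, M2 = b"", b"\x80" + bytes(W - 1)
    return (pad(M1) == pad(M2), H(M1) != H(M2), H(M1, (0, 0)) == H(M2, (0, 0)))


if __name__ == "__main__":
    print(pad(b"").hex(), padding_collision_demo())
    for L in (0, 1, W - 1, W, W + 1, 2 * W):
        print(L, compression_calls(bytes(L)), smd_compression_calls(bytes(L)))
```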

Collision Resistance
The collision resistance of H^{F,{π0,π1}}_IV is discussed in the standard model. It is assumed that the compression function F is chosen at random from some set of functions from Σ^n × Σ^w to Σ^n in some efficient way.
The collision resistance of H^{F,{π0,π1}}_IV needs a new security requirement for F, which is a kind of collision resistance. A pair of distinct inputs (v, X) and (v′, X′) for F is called a {π_0, π_1}-pseudo-collision pair if π_0(F(v, X)) = π_1(F(v′, X′)). The advantage of adversary A against F with respect to {π_0, π_1}-pseudo-collisions is defined similarly to the col-advantage. It is denoted by Adv^{pcol}_{F,{π0,π1}}(A).
It will be shown that the collision resistance of H^{F,{π0,π1}}_IV is reduced to the collision resistance, the {π_0, π_1}-pseudo-collision resistance and the everywhere preimage resistance of F.
Proof. Let M and M′ be any collision pair for H^{F,{π0,π1}}_IV. It is shown below that, by tracing back the computations of H^{F,{π0,π1}}_IV(M) and H^{F,{π0,π1}}_IV(M′), one can find a collision pair for F, a {π_0, π_1}-pseudo-collision pair for F, or a preimage of IV, π_0^{-1}(π_1(IV)) or π_1^{-1}(π_0(IV)) for F. Suppose that pad(M) = pad(M′).

Let B_1 be an adversary trying to find a collision pair for F. Let B_2 be an adversary trying to find a {π_0, π_1}-pseudo-collision pair for F. Let B_3 be an adversary trying to find a preimage of IV, π_0^{-1}(π_1(IV)) or π_1^{-1}(π_0(IV)) for F. All of them first run B. From Lemma 1, if A succeeds in finding a collision pair for H^{F,{π0,π1}}_IV, then B_1, B_2 or B_3 succeeds.

In the Random Oracle Model
In this section, to discuss indifferentiability, the compression function F is assumed to be chosen uniformly at random from all functions from Σ^n × Σ^w to Σ^n.
The following theorem implies that the proposed hash function is indifferentiable from a random oracle up to the birthday bound. The game-playing technique [27] is used for the proof.
Theorem 2. Suppose that the compression function F : Σ^n × Σ^w → Σ^n is chosen uniformly at random. Then, for the hash function H^{F,{π0,π1}}_IV, there exists a simulator S of F such that, for any adversary A making at most q queries to its FIL oracle and queries to its VIL oracle which cost at most σ message blocks in total, and S makes at most q queries.
Proof. Each game provides two interfaces to adversary A: H for the hash function and F for the compression function. It is assumed without loss of generality that A makes no repeated queries either to H or to F. The game G1 is given in Figure 2. The interface F simply calls the function F, which implements the compression function F by lazy evaluation. F uses a partial function F[·].
H computes H^{F,{π0,π1}}_IV with the aid of F. Thus, Pr[A^{H^{F,{π0,π1}}_IV, F} = 1] = Pr[A^{G1} = 1]. Notice that F may receive repeated queries since H also calls F as well as F. The game G2 is given in Figure 3a. F and H are not changed and omitted. In G2, F constructs and maintains a directed graph (V, E) based on the queries to F. It also uses a function findM, which will be described later. Initially, V = {} and E = {}. T and H are the sets of tails and heads of edges in (V, E), respectively. Vertices with no adjacent edges in (V, E) are also included in T. Initially, T = {} and H = {}.
findM tries to find a path in (V, E) corresponding to the computation H^{F,{π0,π1}}_IV(M) for some M. Given (v, X) as input, findM first searches for a path from , then the single vertex IV is regarded as a path. If findM finds a path, then let X_1, X_2, ..., X_l be the labels of the edges on the path. If the path is IV, , then findM returns M. Otherwise, findM returns ⊥. It will be shown that findM(v, X) finds at most one path.
F of G2 differs from F of G1 only if bad gets true in G2. This is because F[v, X] is chosen uniformly at random in G2 until bad gets true.
F is called at most (σ + q) times. Thus,
For the game G3 in Figure 3b, the lines from 605 to 609 in G2 are replaced with line 605 in G3. Since they are equivalent, Pr[A^{G2} = 1] = Pr[A^{G3} = 1]. The game G4 is given in Figure 4. It introduces a variable-input-length random oracle H, which is implemented by lazy evaluation. Initially, H[M] = ⊥ for every M ∈ Σ^*. H may receive repeated queries since it is called by both H and F. Different from F of G3, F assigns H(M) to F[v, X] at line 603 in G4. Different from H of G3, H(M) returns H(M) in G4. We will see that G4 is actually equivalent to G3 in spite of these changes.
First, let us see some properties of the graph (V, E). Both in G3 and in G4, at the beginning of each run of F with (v, X) such that F[v, X] = ⊥, V ⊆ T ∪ H. Then, whenever this run adds F[v, X] to both V and H, F[v, X] is chosen from Σ^n \ B, where {IV} ∪ T ∪ H ⊆ B. Thus, every vertex in (V, E) has at most one incoming edge, and IV has no incoming edge. It implies that every vertex in (V, E) has at most one simple path from IV. In addition, for every path (v_1, v_2, ..., v_l) with v_1 = IV, the v_i's are added to (V, E) in this order. Furthermore, before v_l is added to (V, E), neither (π_0(v_l), X′) nor (π_1(v_l), X′) was asked to F for any X′ ∈ Σ^w since {π_0^{-1}(IV), for every u ∈ Σ^n. Suppose that both paths have two or more vertices. Then, both π_0^{-1}(v) and π_1^{-1}(v) are elements of H, which implies that one was added to H after the other, since at most one vertex is added to H during each run of F.
Suppose that one path is the single vertex IV and the other has two or more vertices.
In G4, for a new query (v, X) to F, suppose that findM finds a path in (V, E) and returns the M corresponding to the path and (v, X). Then, M is a new query to H, that is, H[M] = ⊥, and it is assigned an element chosen uniformly at random from Σ^n. On the other hand, for H, v_x = H(M). Thus, G4 is equivalent to G3, and Pr[A^{G3} = 1] = Pr[A^{G4} = 1].
From G4 to G5, only F changes, which is given in Figure 5a. F of G5 is augmented with the lines from 600 to 606 and the lines from 614 to 616. H_A is the set of heads of edges in (V, E) in the view of A. Initially, H_A = {}. These changes do not affect the output of F. Thus, G5 is equivalent to G4, and Pr[A^{G4} = 1] = Pr[A^{G5} = 1].
From G5 to G6, only H changes. H of G6 is identical to that of G7, which is given in Figure 5b. In G6, H(M) does not call F and just returns H(M). In G6, F is called only by F and it does not receive any repeated queries, which implies that bad never gets true. On the other hand, bad may get true in G5. If bad gets true in G5, then A may trace some computation path of H
From G6 to G7, only F changes. G7 is given in Figure 5b. F of G7 is obtained from F of G6 by removing the lines from 600 to 606 and the lines from 614 to 616. Since F does not receive any repeated queries, lines 607 and 619 are also removed. These changes do not affect the output of F. Thus, Pr[A^{G7} = 1] = Pr[A^{G6} = 1]. F of G7 works as a simulator S of F.
From the discussion above, we have

In the Ideal Cipher Model
In this section, F : Σ^n × Σ^w → Σ^n is assumed to be the Davies-Meyer compression function [28] using a block cipher E : Σ^w × Σ^n → Σ^n, where the key space of E is Σ^w. Namely, F(V, X) = E(X, V) ⊕ V. E is assumed to be chosen uniformly at random.
Theorem 3. Suppose that the compression function F : Σ^n × Σ^w → Σ^n is the Davies-Meyer mode of a block cipher E chosen uniformly at random. Let D be the decryption function of E. Then, for the hash function H^{F,{π0,π1}}_IV, there exists a simulator S of (E, D) such that, for any adversary A making at most q_e queries to its FIL encryption oracle, q_d queries to its FIL decryption oracle, and queries to its VIL oracle which cost at most σ message blocks in total, and S makes at most q_e queries.
Proof. Each game provides three interfaces to adversary A: H for the hash function, E for encryption and D for decryption. It is assumed without loss of generality that A makes no repeated queries either to H or to (E, D). For E and D, once A gets a tuple (key, pt, ct) such that E(key, pt) = ct by a query to E or D, A never makes any further query on the tuple. The game G1 is given in Figure 6. E and D simply call E and D, respectively, which implement the encryption function and the decryption function by lazy evaluation. H computes H^{F,{π0,π1}}_IV with the aid of E. Thus, Pr[A^{H^{F,{π0,π1}}_IV, (E, D)} = 1] = Pr[A^{G1} = 1]. Notice that E and D may receive repeated queries since H also calls E as well as E.
Figure 6. Game G1. P_X and C_X are the sets of values already assigned as plaintexts and ciphertexts for key X, respectively.
From G1 to G2, only E and D are changed, which are given in Figure 7. In G2, E[X, v] and D[X, u] are chosen uniformly at random from Σ^n. G1 and G2 are identical until bad gets true in G2. Since E and D are called at most σ + q_e + q_d times in total and |P
From G2 to G3, only E and D are changed, which are given in Figure 8. In G3, E and D construct and maintain a directed graph (V, E) based on the queries to them. Initially, V = {} and E = {}. T and H are the sets of tails and heads of edges in (V, E), respectively. Vertices with no adjacent edges in (V, E) are also in T. Initially, T = H = {}.
findM tries to find a path in (V, E) corresponding to the computation H^{F,{π0,π1}}_IV(M) for some M. Given (v, X) as input, findM first searches for a path from , then the single vertex IV is regarded as a path. If findM finds a path, then let X_1, X_2, ..., X_l be the labels of the edges on the path. If the path is IV, which depends on whether the terminal of the path is π_0^{-1}(v) or π_1^{-1}(v), then findM returns M. Otherwise, findM returns ⊥.
E of G3 always assigns to E[X, v] a value chosen uniformly at random from Σ^n until bad gets true at line 607. D of G3 always assigns to D[X, u] a value chosen uniformly at random from Σ^n until bad gets true at line 703. Thus, G3 is identical to G2 until bad gets true in G3. Since |T| ≤ σ + q_e + q_d and |H| ≤ σ + q_e + q_d, |B_e| ≤ 6(σ + q_e + q_d) + 5 and |B_d| ≤ 6(σ + q_e + q_d) + 4. E is called at most (σ + q_e) times and D is called at most q_d times, and thus
For the game G4 in Figure 9, the lines from 605 to 609 of G3 are replaced with line 605 of G4, and the lines from 701 to 705 of G3 are replaced with line 701 of G4. Since these changes do not affect the behavior, Pr[A^{G3} = 1] = Pr[A^{G4} = 1]. The game G5 is given in Figure 10. It introduces a variable-input-length random oracle H, which is implemented by lazy evaluation. Initially, H[M] = ⊥ for every M ∈ Σ^*. H may receive repeated queries since it is called by both H and F. Different from E of G4, E of G5 assigns H(M) to u at line 603. Different from H of G4, H of G5 returns H(M). We will see that G5 is actually equivalent to G4 in spite of these changes.
First, let us see some properties of the graph (V, E). At the beginning of each run of E with (X, v) such that E[X, v] = ⊥, V ⊆ T ∪ H. Whenever u is added to both V and H by this run, it is chosen from Σ^n \ B_e, where T ∪ H ∪ {IV} ⊆ B_e. On the other hand, at the beginning of each run of D with (X, u) such that D[X, u] = ⊥, V ⊆ T ∪ H. Then, v is chosen from Σ^n \ B_d, and v ⊕ u is added to both V and H by this run, where T ∪ H ∪ {IV} ∪ (u ⊕ (T ∪ H ∪ {IV})) ⊆ B_d. Thus, every vertex in (V, E) has at most one incoming edge, and IV has no incoming edge. It implies that every vertex in (V, E) has at most one simple path from IV. In addition, every path (v_1, v_2, ..., v_l) with v_1 = IV is constructed only by queries to E, and the v_i's are added to (V, E) in this order. Furthermore, before v_i is added to
From the discussion above, we have the bound 12(σ + q_e + q_d)^2 / 2^n + 3σ(q_e + q_d) / (2^n − 6(q_e + q_d) − 5).

Scheme
Let P : Σ^b → Σ^b be a permutation and b = w + c, where b, w and c are positive integers. The sponge hash function using the proposed domain extension consists of the permutation P, permutations π_0 and π_1 over Σ^c, and an initialization vector IV ∈ Σ^b. For π_0 and π_1, it is assumed that π_0(u) ≠ u, π_1(u) ≠ u and π_0(u) ≠ π_1(u) for every u ∈ Σ^c.
For y ∈ Σ^b, let y = y_r‖y_c, where y_r ∈ Σ^w and y_c ∈ Σ^c. In the remaining parts, some notations are abused for simplicity. For a permutation π over Σ^c and a string y ∈ Σ^b, π(y) represents y_r‖π(y_c); namely, π is applied to the c least significant bits (LSBs) of y. For strings y ∈ Σ^b and X ∈ Σ^w, y ⊕ X represents (y_r ⊕ X)‖y_c.
Let π be a permutation over Σ^c. For 1 ≤ i ≤ x, let X_i ∈ Σ^w. The tweaked sponge construction S^{P,π}_IV : (Σ^w)^+ → Σ^n is defined as follows: ), and the output is the n most significant bits (MSBs) of v_x.
The sponge hash function G^{P,{π0,π1}}_IV : Σ^* → Σ^n based on the proposed domain extension is defined as follows. It is also depicted in Figure 13.
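As an added example (not the paper's code), the sponge variant at byte granularity: a constructed Feistel network stands in for the ideal permutation P, π_0 and π_1 act on the capacity part only as the notation above prescribes, and the iteration is assumed to follow the MDP pattern (π applied to v_{x−1} before the last block is absorbed); b, w, c, n, IV and the XOR constants are constructed.

```python
import hashlib

W, C = 16, 16           # rate w and capacity c (bytes)
B = W + C               # permutation width b = w + c
N = 16                  # output length n: the n most significant bytes of v_x
IV = bytes(B)           # constructed initialization vector
C0 = bytes([0x5c] * C)  # pi_0: XOR with a nonzero constant on the c LSBs
C1 = bytes([0x36] * C)  # pi_1: XOR with a different nonzero constant


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def P(y: bytes) -> bytes:
    """Constructed stand-in for the ideal permutation: a 4-round Feistel
    network over b bytes with a SHA-256 round function. It is a bijection
    (as the scheme requires) but carries no security claim of its own."""
    assert len(y) == B
    L, R = y[:B // 2], y[B // 2:]
    for r in range(4):
        L, R = R, xor(L, hashlib.sha256(bytes([r]) + R).digest()[:B // 2])
    return L + R


def P_inv(z: bytes) -> bytes:
    """Inverse of P, used only to check that P really is a permutation."""
    L, R = z[:B // 2], z[B // 2:]
    for r in reversed(range(4)):
        L, R = xor(R, hashlib.sha256(bytes([r]) + L).digest()[:B // 2]), L
    return L + R


def pi(i: int, y: bytes) -> bytes:
    """Notation abuse from the text: pi(y) = y_r || pi(y_c), i.e. pi acts on
    the c least significant bytes only."""
    return y[:W] + xor(y[W:], C0 if i == 0 else C1)


def absorb(y: bytes, X: bytes) -> bytes:
    """y xor X = (y_r xor X) || y_c: the block enters the rate part only."""
    return xor(y[:W], X) + y[W:]


def pad(M: bytes) -> bytes:
    # Minimum padding: nothing is appended when |M| > 0 and w divides |M|;
    # otherwise M || 0x80 || 0^d reaches the next multiple of w.
    if M and len(M) % W == 0:
        return M
    return M + b"\x80" + bytes((-(len(M) + 1)) % W)


def S(i: int, Xs: list) -> bytes:
    """Tweaked sponge S^{P,pi_i}_IV on blocks X_1..X_x. Assumed iteration (the
    MDP pattern): v_j = P(v_{j-1} xor X_j) for j < x and v_x = P(pi(v_{x-1})
    xor X_x); the output is the n MSBs of v_x."""
    v = IV
    for X in Xs[:-1]:
        v = P(absorb(v, X))
    return P(absorb(pi(i, v), Xs[-1]))[:N]


def G(M: bytes) -> bytes:
    """G^{P,{pi0,pi1}}_IV(M): pi_0 if padding was appended, pi_1 otherwise."""
    s = pad(M)
    padded = (s != M)
    return S(0 if padded else 1, [s[j:j + W] for j in range(0, len(s), W)])


def domain_separation_demo() -> bool:
    """pad('') == pad(0x80 || 0^{w-1}); the hashes still differ because the
    capacity is permuted by pi_0 in one case and by pi_1 in the other."""
    M1, M2 = b"", b"\x80" + bytes(W - 1)
    return pad(M1) == pad(M2) and G(M1) != G(M2)


def P_roundtrips(samples: int = 64) -> bool:
    """Sanity check on constructed inputs: P_inv(P(y)) == y for each y."""
    ys = [hashlib.sha256(bytes([k])).digest() for k in range(samples)]
    return all(P_inv(P(y)) == y for y in ys)
```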

IRO in the Ideal Permutation Model
In this section, P : Σ^b → Σ^b is assumed to be chosen uniformly at random. The following theorem implies that the proposed hash function is indifferentiable from a random oracle up to the birthday bound.
Theorem 4. Suppose that the permutation P : Σ^b → Σ^b is chosen uniformly at random. Then, for the hash function G^{P,{π0,π1}}_IV, there exists a simulator S of (P, P^{-1}) such that, for any adversary A making at most q_f queries to its FIL forward oracle, q_b queries to its FIL backward oracle, and queries to its VIL oracle which cost at most σ message blocks in total, and S makes at most q_f queries.
Proof. Each game provides three interfaces to adversary A: H for the hash function, P for the permutation and P^{-1} for its inverse. It is assumed without loss of generality that A makes no repeated queries either to H or to (P, P^{-1}). For P and P^{-1}, once A gets a pair (y, z) such that P(y) = z by a query to P or P^{-1}, A never makes any further query on the pair. The game G1 is given in Figure 14. P and P^{-1} simply call P and P^{-1}, respectively, which implement P and P^{-1} by lazy evaluation. H computes G^{P,{π0,π1}}_IV with the aid of P and P^{-1}. Thus, Pr[A^{G^{P,{π0,π1}}_IV, (P, P^{-1})} = 1] = Pr[A^{G1} = 1].
Notice that P and P^{-1} may receive repeated queries since H also calls P as well as P.
From G1 to G2, only P and P^{-1} are changed, which are given in Figure 15. In G2, P[Y] and P^{-1}[Z] are chosen uniformly at random from Σ^b. G1 and G2 are identical until bad gets true in G2. Since P and P^{-1} are called at most σ + q_f + q_b times in total and
From G2 to G3, only P and P^{-1} are changed, which are given in Figure 16. In G3, P and P^{-1} construct and maintain a directed graph (V, E) based on the queries to them. Initially, V = {} and E = {}.
T and H are the sets of tails and heads of edges in (V, E), respectively. Vertices with no adjacent edges in (V, E) are also in T. Initially, T = H = {}.
findM tries to find a path in (V, E) corresponding to the computation G^{P,{π0,π1}}_IV(M) for some M. Given Y as input, findM first searches for a path from ), then the single vertex IV_c is regarded as a path. If findM finds a path, then let X_1, X_2, ..., X_l be the labels of the edges on the path. If the path is IV_c, then l = 0, that is, ), then findM returns M. Otherwise, findM returns ⊥. P of G3 always assigns to P[Y] a value chosen uniformly at random from Σ^b until bad gets true at line 608. P^{-1} of G3 always assigns to P^{-1}[Z] a value chosen uniformly at random from Σ^b until bad gets true at line 704. Thus, G3 is identical to G2 until bad gets true in G3. Since |T| ≤ σ + q_f + q_b and |H| ≤ σ + q_f + q_b, |B_f| ≤ 6(σ + q_f + q_b) + 5 and |B_b| ≤ 3(σ + q_f + q_b) + 3. P is called at most (σ + q_f) times and P^{-1} is called at most q_b times. Thus,
For the game G4 in Figure 17, the lines from 606 to 610 of G3 are replaced with line 606 of G4, and the lines from 702 to 706 of G3 are replaced with line 702 of G4. Since these changes do not affect the behaviour, Pr[A^{G3} = 1] = Pr[A^{G4} = 1]. The game G5 is given in Figure 18. It introduces a variable-input-length random oracle H, which is implemented by lazy evaluation. Initially, H[M] = ⊥ for every M ∈ Σ^*. H may receive repeated queries since it is called by both H and P. Different from P of G4, P of G5 assigns to Z an element chosen uniformly at random from {H(M)} × Σ^{b−n} at line 603. Different from H of G4, H of G5 returns H(M). We will see that G5 is actually equivalent to G4 in spite of these changes.
First, let us see some properties of the graph (V, E). At the beginning of each run of P with Y such that P[Y] = ⊥, V ⊆ T ∪ H. Whenever Z_c is added to both V and H by this run, it is chosen from Σ^c \ B_f, where T ∪ H ∪ {IV_c} ⊆ B_f. On the other hand, at the beginning of each run of P^{-1} with Z such that

Conclusions
In this article, a domain extension scheme which extends MDP [5] has been presented for iterated hashing. The collision resistance and the indifferentiability from a random oracle of an iterated hash function using the domain extension have been confirmed under reasonable assumptions. For the pseudorandom-function property of the iterated hash function keyed via IV, readers are referred to [6] for details.
The domain extension can also be applied to the sponge construction. The indifferentiability from a random oracle of the resultant hash function has been confirmed in the ideal permutation model.
The presented domain extension is simple and efficient. It is expected to be useful for lightweight cryptography.

(i) Suppose that one of them uses π_0 and the other uses π_1. Assume that H^{F,{π0,π1}}_IV(M) uses π_0 and H^{F,{π0,π1}}_IV(M′) uses π_1 without loss of generality. If m = m′ = 1, then one finds a collision pair for F. If m = 1 and m′ ≥ 2, then one finds a collision pair for F or a preimage of π_1^{-1}(π_0(IV)) for F. If m ≥ 2 and m′ = 1, then one finds a collision pair for F or a preimage of π_0^{-1}(π_1(IV)) for F. If m ≥ 2 and m′ ≥ 2, then one finds a collision pair or a {π_0, π_1}-pseudo-collision pair for F. (ii) Suppose that both H^{F,{π0,π1}}_IV(M) and H^{F,{π0,π1}}_IV(M′) use the same permutation. If m = m′ = 1, then one finds a collision pair for F. If m = 1 and m′ ≥ 2, or m ≥ 2 and m′ = 1, then one finds a collision pair for F or a preimage of IV for F. If m ≥ 2 and m′ ≥ 2, then one finds a collision pair or a preimage of IV for F.

Theorem 1. For any adversary A trying to find a collision pair for H^{F,{π0,π1}}_IV with run time t, there exist adversaries B_1, B_2 and B_3 such that
The run times of B_1, B_2 and B_3 are about t + O((|pad(M)| + |pad(M′)|)T_F/w), where M and M′ are a collision pair of H^{F,{π0,π1}}_IV output by A and T_F is the time required to compute F.
Proof. Let B be an algorithm which works as follows. B takes F as input. It first runs A with input H^{F,{π0,π1}}_IV. If A fails to find a collision pair for H^{F,{π0,π1}}_IV, then it aborts. Otherwise, for a collision pair M and M′ output by A, it computes H^{F,{π0,π1}}_IV(M) and H^{F,{π0,π1}}_IV(M′).

Figure 7. Game G2. H, E and D, which are not changed, are omitted.

Figure 9. Game G4. H, E and D are not changed and omitted.

Figure 13. The sponge hash function based on the proposed domain extension. M = M_1‖M_2‖···‖M_m, where |M_i| = w for 1 ≤ i ≤ m − 1.

Figure 14. Game G1. For the partial function P and its inverse P^{-1}, initially P[Y] = ⊥ for every Y ∈ Σ^b and P^{-1}[Z] = ⊥ for every Z ∈ Σ^b. If Z is assigned to P[Y], then Y is assigned to P^{-1}[Z]. If Y is assigned to P^{-1}[Z], then Z is assigned to P[Y]. Y and Z are the sets of values already assigned as inputs and outputs of P and P^{-1}, respectively. Initially, Y = Z = {}.
For a new query Y, if findM(Y) ≠ ⊥, then P replaces V with V ∪ {Y_c, Z_c} and E with E ∪ {(Y_c, Z_c)}. If there exists some Z′ such that Z′ = IV or P^{-1}[Z′] ≠ ⊥, and Z′_c = Y_c, then the edge (Y_c, Z_c) is labeled with Z′_r ⊕ Y_r. Otherwise, it is labeled with ⊥. If findM(Y) = ⊥, then P replaces V with V ∪ {Y_c}. On the other hand, for a new query Z, P^{-1} replaces V with V ∪ {Y_c, Z_c} and E with E ∪ {(Y_c, Z_c)}. If there exists some Z′ such that Z′ = IV or P^{-1}[Z′] ≠ ⊥, and Z′_c = Y_c, then the edge (Y_c, Z_c) is labeled with Z′_r ⊕ Y_r. Otherwise, it is labeled with ⊥.

Figure 15. Game G2. H, P and P^{-1}, which are not changed, are omitted.

Figure 17. Game G4. H, P and P^{-1} are not changed and omitted.