Two sufficient conditions of the r-SPR property

Abstract

Some variants of second-preimage resistance(SPR) [1] assumptions of the keyless compression function, called c-SPR, r-SPR and e-SPR, have been put forth by Halevi and Krawczyk [2], in order to obtain more secure properties for the dedicated-key hash function. In this paper, we provide a full picture of the relation between r-SPR and other two security properties, Universal e-SPR and CR0 (n + b, n), and obtain two sufficient conditions of r-SPR, our contributions are twofold. Firstly, we extend the definition of the e-SPR property into the more general situation, called Universal e-SPR, we point out that for the keyless compression function, the Universal e-SPR property implies r-SPR. In the second part of this paper, we extend the analysis into the dedicated-key compression function, we point CRn (n + b, n) and CR0 (n + b, n) are c-SPR and r-SPR as for the keyless compression and hash functions. We continue analyze the dedicated-key compression family hk (c, m) = h(c, m ⊕ k) used by Bellare and Rogaway to construct TCR hash function via iterations on the SPR-like assumption [2], and get the conclusion that CR0 (n + b, n) in the case of hk (c, m) implies r-SPR of keyless compression function, that is, CR0 (n + b, n) is more secure than the r-SPR property for this specific scheme.