1 Introduction

For decades, the leading approach in hash function design has been blockcipher-based: A cipher \(E\) is employed in a certain mode to obtain a hash function that satisfies some security guarantees. This approach has been analyzed in detail [13, 14, 20, 23, 24, 26, 28, 34, 37, 38, 47], and is followed by numerous hash functions, including the well-known SHA-{0, 1, 2} and MD{4, 5}. The recent trend is, however, predominantly permutation-based. Notably, three out of the five finalists in NIST’s SHA-3 competition [36], including the eventual winner Keccak [8], are built on permutations, and also the recently started CAESAR authenticated encryption competition [15] received a wide range of permutation-based submissions [1, 2, 5, 10, 11, 17, 22, 25, 35, 43, 44].

Permutations do not require a key schedule (and particularly, there is no need to re-key, which could be quite expensive for some blockciphers) and are simpler to design and analyze. Additionally, the study of constructions starting from small domain random functions or permutations is highly relevant [19, 30]. Note that, furthermore, a small set of permutations can be easily generated from one blockcipher by fixing a handful of keys.

Consider a compression function \(F{:}\;\{0,1\}^{M+n}\rightarrow \{0,1\}^{n}\) making \(d\) calls to an \(s\)-bit primitive \(f\) (a blockcipher, non-compressing function, or permutation). The efficiency of such a construction is commonly expressed in terms of a rate: \(\frac{M}{ds}\), the number of message bits divided by the (scaled) number of primitive calls. Intuitively, a larger rate corresponds to fewer primitive calls per message compression and thus to a higher efficiency. The “scaling” is done by the term \(s\) in the denominator: A construction with a larger underlying primitive has a larger value \(s\) and thus a lower rate.

Many blockcipher-based compression functions achieve a high rate. For instance, the classical \(2n\)-to-\(n\)-bit Davies–Meyer compression function \(F(h,m)=E(m,h)\,\oplus \,h\) has rate \(1\). Double-length blockcipher-based compression functions such as Tandem-DM [28] compress at a rate 1/2: They map \(3n\) bits to \(2n\) bits making \(2\) calls to an \(n\)-bit blockcipher.

For non-compressing primitives, which do not offer compression on their own, a high rate appears harder to achieve. One approach to designing a hash function \(\mathcal {H}{:}\;\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) with optimal \(n/2\)-bit collision security is using non-compressing primitives of size significantly larger than \(n\) bits. This approach is for instance followed by the Sponge [9]: It iterates a permutation on \(c+m\) bits, where \(c\) is the capacity and \(m\) equals the message block size. Sponge functions make one primitive call per message block, have a rate \(\frac{m}{c+m}\), and are proven secure up to \(2^{c/2}\) queries [6]. (We remark that sponge functions allow for variable output sizes, by making extra primitive calls in the squeezing phase and outputting \(m\) bits at a time. This approach, however, requires extra primitive calls, which influences the rate.) The new SHA-3 hashing standard is a sponge using a \(1600\)-bit permutation, and the above computations apply. For example, SHA-3-256 offers \(256\)-bit security by compressing at a rate of about \(2/3\), and SHA-3-512 offers \(512\)-bit security by compressing at a rate of about \(1/3\). Note that, intuitively, one should be able to achieve about \(800\)-bit security using a \(1600\)-bit primitive.

Black et al. [12], however, showed that it is impossible to construct a secure \(n\)-bit hash or compression function using one call to an \(n\)-bit non-compressing primitive. More generally, for a function \(F{:}\;\{0,1\}^{M+n}\rightarrow \{0,1\}^{n}\) making \(d\) calls to an \(s\)-bit primitive, collisions can be found in at most \(2^{(ds-M)/(d+1)}\) queries, a bound commonly known as “Stam’s bound” and proven in [41, 46, 48, 49]. Stam’s bound implies that a \(2n\)-to-\(n\)-bit function requires at least three \(n\)-bit primitive calls to achieve optimal collision resistance; hence, such a function has rate at most \(1/3\). The problem of designing such a function has been well studied [29, 31, 42, 45], and we highlight the Shrimpton–Stam compression function, which we will refer to as \(S^2\):

$$\begin{aligned} S^2(x_0,x_1) = f_0(x_0)\,\oplus \,f_2(f_0(x_0)\,\oplus \,f_1(x_1)). \end{aligned}$$

The design is proven asymptotically optimally collision secure if \(f_0,f_1,f_2\) are three independent \(n\)-bit random functions or if they are instantiated as \(f_i(x)=\pi _i(x)\,\oplus \,x\) for distinct permutations \(\pi _i\) [31]. It is, however, known to be insecure if one takes \(f_0=f_1=f_2\) [31, 45]. This and other functions have a rate of \(1/3\) or worse, and improving it has turned out to be a very difficult theoretical problem.

1.1 Our contributions

We introduce the family of compression functions \(S^r{:}\;\{0,1\}^{rn}\rightarrow \{0,1\}^{n}\) for \(r\ge 1\). For \(r=8\), the function \(S^8\) is depicted in Fig. 1. The function makes \(2r-1\) function calls to \(2\lceil \log _2r\rceil +1\) distinct primitives. Our class of functions is a graphical generalization of the Shrimpton–Stam compression function \(S^2\), but it offers a higher rate \(\frac{r-1}{2r-1}\), approaching 1/2 for increasing values of \(r\), and thus allowing for a more efficient throughput of data while achieving comparable collision security. This rate is in fact optimal, witnessed by Stam’s bound which suggests that at least \(2r-1\) function calls need to be made. Additionally, \(S^r\) is well parallelizable and generally benefits from the same advantages as tree-based hash functions.

Fig. 1 Compression function \(S^8{:}\;\{0,1\}^{8n}\rightarrow \{0,1\}^{n}\) making \(15\) primitive calls. Here, \(f_{j,b}\) (for \((j,b)\in (\{0,1,2\}\times \{0,1\})\cup \{(3,0)\}\)) are one-way functions, but these can be instantiated as \(f_{j,b}(x)=\pi _{j,b}(x)\,\oplus \,x\) at no collision security loss

1.2 Efficiency

Based on the SHA-3 permutation \(\pi {:}\;\{0,1\}^{1600}\rightarrow \{0,1\}^{1600}\), our function \(S^r\) achieves almost \(800\)-bit security with a rate approaching 1/2. This is in sharp contrast to SHA-3-512 which only achieves \(512\)-bit security by compressing at a rate of about \(1/3\). If we instantiate our function \(S^r\) using smaller versions of the SHA-3 permutation, for instance on \(400\) or \(200\) bits, we can still get a high security level of almost \(200\) or \(100\) bits, respectively, while hashing at a rate that approaches 1/2. This is of particular interest for lightweight cryptography, because \(S^r\) shows that approximately the same level of security can be achieved as comparable schemes, but using much smaller underlying primitives.

We present a generic comparison of \(S^r\) in a Merkle–Damgård mode of operation (MD-\(S^r\)) [16, 33] or in a Merkle tree (MT-\(S^r\)) [32] with sponge functions [9], Grøstl [21], and MD6 [39] in Table 1. In this analysis (see “Appendix 1” for the technical details), we aim for comparable \(2^{n/2}\) collision security and adopt the design parameters accordingly. We also include a comparison for a specific set of parameters. We observe that \(S^r\) achieves comparable rate and efficiency, but using primitives that are a factor \(2\) to \(4\) smaller. However, the security analysis of \(S^r\) requires more distinct primitives than the other functions, and the proof is performed in a slightly different model (see Sect. 1.3).

Table 1 Simplified comparison of MD-\(S^r\) with the sponge function and Grøstl (first), and MT-\(S^r\) with MD6 (second)

1.3 Security

We prove that \(S^r\), either based on random functions or random permutations, is collision secure up to about \(2^{n/2}/n\) queries. In other words, \(S^r\) is asymptotically nearly optimally collision secure. In Fig. 2, we compare the rates and collision security guarantees of various instantiations of \(S^r\), both for the general case and for \(n=512\). The proof is performed in a model where the adversary makes its queries layer-wise, which means that all queries to \(f_{j-1,0}\) and \(f_{j-1,1}\) must be made before all queries to \(f_{j,0}\) and \(f_{j,1}\), for \(j=1,\ldots ,\ell \). We also present a proof of \(n/3\)-bit security in the fully adaptive model and justify why it cannot be easily improved. This is in part because security proofs are known to become significantly harder when based on non-compressing primitives [30]. We conjecture that \(S^r\) does achieve optimal collision security. Additionally, for technical reasons we require distinctness of the \(2\lceil \log _2r\rceil +1\) underlying primitives. This can be achieved by employing a single blockcipher for a fixed set of distinct keys. In Sect. 7, we show that it is non-trivial to reduce the number of distinct primitives in \(S^r\).

Fig. 2 Rates of \(S^r{:}\;\{0,1\}^{rn}\rightarrow \{0,1\}^{n}\) for various values of \(r\), with on the right a supporting graph for \(n=512\)

Next, we prove that \(S^2\) based on random functions is preimage resistant up to \(2^{2n/3}\) queries (solving an open problem of Shrimpton and Stam [45]). This result does not apply to the permutation-based setting: An attack on \(S^r\) proving tight \(2^{n/2}\) security is derived for any \(r\ge 2\). We also show that a simple tweak can make \(S^r\) optimally preimage secure. Formally, if we consider a hash or compression function \(F\) followed by a sufficiently strong finalization function \(G\), the design is as collision secure as the weakest of both and as preimage secure as \(G\) (see also Lemma 1). The efficiency (rate) of the design is dominated by the rate of \(F\). Concretely:

$$\begin{aligned} \mathcal {H}(M) = f\circ \text {MD-}S^r(M), \end{aligned}$$

where \(G:=f\) is a random function, is collision resistant up to about \(2^{n/2}/n\) queries (the bound of \(S^r\)), and is preimage resistant up to about \(2^n\) queries (the preimage security of \(f\)), and it has a rate of approximately \(\frac{r-1}{2r-1}\). Hence, in this way, one combines the efficiency and collision security of \(S^r\) with the preimage security of \(f\). The same result holds if \(f(x)=\pi (x)\,\oplus \,x\) for a permutation \(\pi \). We remark that this trick does not apply to second preimage resistance.

1.4 Outline

We present our family of functions \(S^r\) based on functions \(f_{j,b}\) in Sect. 2. Next, we give a security analysis of \(S^r\): The model is introduced in Sect. 3, collision resistance is analyzed in Sect. 4, and preimage resistance in Sect. 5. In Sect. 6, we discuss the effect of instantiating the underlying primitives \(f_{j,b}\) using permutations \(\pi _{j,b}\). The work is concluded in Sect. 7.

2 Hash function proposal \(S^r\)

Throughout, \(r\) and \(\ell \) always denote integral parameters. We consider \(n\in \mathbb {N}\) and put \(N=2^n\). For simplicity, we first introduce \(S^r\) for \(r\) being a power of two. Next, we generalize it to arbitrary \(r\ge 1\).

2.1 \(S^r\) for \(r=2^\ell \)

Write \(r=2^\ell \) with \(\ell \ge 0\), and let \(f_{j,b}{:}\;\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) be one-way functions for \((j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\). A description of \(S^r{:}\;\{0,1\}^{rn}\rightarrow \{0,1\}^{n}\) is given in Fig. 3 together with an illustration of \(S^4\). \(S^r\) makes in total \(2r-1\) primitive calls, which is optimal with respect to Stam’s bound. These calls are made to in total \(2\ell +1\) distinct primitives.

Fig. 3 \(S^r\) for \(r=2^\ell \) with \(\ell \ge 0\) and an illustration of \(S^4\). Here, we write \((y\,\oplus \,z)_{j,i}=y_{j,i}\,\oplus \,z_{j,i}\)

Informally, \(S^r\) can be described by the following two steps. First, the inputs \(u_0,\ldots ,u_{r-1}\) are “processed” using functions \(f_{0,0},f_{0,1}\). Second, for \(j=1,\ldots ,\ell \) and \(i=0,\ldots ,2^{\ell -j}-1\), at position \(({j,i})\), the function \(S^r\) proceeds as follows: Given the outcomes of the rounds at positions \((j-1,2i)\) and \((j-1,2i+1)\), the primitive \(f_{j,i\,\mathrm{mod}\,2}\) is evaluated on input of the XOR of these, and its output is XORed with the outcome of round \((j-1,2i)\). Eventually, the output of \(S^r\) is the value obtained after the last step (for \(j=\ell \)). The feed-forwards in the evaluation are necessary: Without them, an adversary could find a collision in, say, \(x_{1,0}\), typically found in about \(2^{n/4}\) queries, in order to obtain a collision for \(S^r\). They also prevent trivial attacks where, e.g., the left and right input halves are swapped.

2.2 \(S^r\) for arbitrary \(r\)

The description of \(S^r\) for arbitrary \(r\ge 1\) is given in Fig. 4 together with an illustration of \(S^3\). The generalized \(S^r\), indeed, also makes \(2r-1\) primitive calls (to in total \(2\lceil \log _2r\rceil +1\) distinct primitives). Although this description is significantly more complex than the one of Fig. 3, the intuition is rather simple and we give it for \(r=3\).

Fig. 4 \(S^r\) for \(r\ge 1\) with \(\ell =\lceil \log _2r \rceil \) and an illustration of \(S^3\)

To define \(S^3\), we first consider \(S^4\) (see the illustration of Fig. 3). Now, \(S^3\) only has inputs \((u_0,u_1,u_2)\) and no \(u_3\), and therefore, the “fork” that processes inputs \(u_2\) and \(u_3\) in \(S^4\) only gets \(u_2\). We can then simply discard the two corresponding calls \(f_{0,0}\) and \(f_{0,1}\) and define \(u_2\) to be the input to \(f_{1,1}\). The resulting function matches the illustration of \(S^3\) in Fig. 4. In general, if the function has \(r\) input blocks, where \(2^{\ell -1}<r\le 2^\ell \), the idea is to have \(2^{\ell -1}\) input blocks right before the second layer. This means that in the first layer, \(2(r-2^{\ell -1})\) input blocks have to be processed to obtain \(r-2^{\ell -1}\) blocks \(x_{1,i}\). These are then appended with the remaining \(r-2(r-2^{\ell -1})=2^\ell -r\) compression function input blocks to obtain \(2^{\ell -1}\) input values to the second layer. From this point onwards, the function description is the same as in Fig. 3.
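The construction of Sects. 2.1 and 2.2, and the finalized Merkle–Damgård mode \(\mathcal {H}(M)=f\circ \text {MD-}S^r(M)\) of Sect. 1.3, as an added reference implementation; this is not the paper's own code. It makes three assumptions that are not taken from the paper: the ideal functions \(f_{j,b}\) are stood in for by SHA-256, domain-separated by the index \((j,b)\) and truncated to \(n\) bits; since Fig. 4 is not reproduced here, a block that enters the second layer directly (\(u_2\) in \(S^3\)) is given no feed-forward, exactly as a layer-0 input has none; and the MD mode uses a zero IV, feeds the chaining value in as \(u_0\) with \(r-1\) message blocks as \(u_1,\ldots ,u_{r-1}\), and pads with 0x80, zeros and the message length.

```python
# Added example (not the paper's code): S^r for any r >= 1 and H(M) = f(MD-S^r(M)).
# Assumptions not from the paper: SHA-256 stands in for the ideal functions, a
# block fed directly into layer 1 gets feed-forward 0, MD mode uses a zero IV.
import hashlib


def make_primitive(n, label):
    """Stand-in for one ideal function {0,1}^n -> {0,1}^n (assumption)."""
    nbytes = (n + 7) // 8

    def f(x):
        assert 0 <= x < (1 << n), "input must be an n-bit value"
        digest = hashlib.sha256(f"{label}:".encode() + x.to_bytes(nbytes, "big")).digest()
        return int.from_bytes(digest, "big") & ((1 << n) - 1)

    return f


def primitive_indices(ell):
    """The 2*ell+1 indices (j,b) in ({0..ell-1} x {0,1}) U {(ell,0)} of Sect. 2.1."""
    return [(j, b) for j in range(ell) for b in (0, 1)] + [(ell, 0)]


def make_primitives(n, r):
    """One distinct primitive f_{j,b} per index, for r input blocks (ell = ceil(log2 r))."""
    ell = (r - 1).bit_length()
    return {(j, b): make_primitive(n, f"f_{j},{b}") for (j, b) in primitive_indices(ell)}


def s_r(prims, u):
    """S^r(u_0, ..., u_{r-1}) per Sects. 2.1 and 2.2; every u_i is an n-bit int."""
    r = len(u)
    ell = (r - 1).bit_length()              # ell = ceil(log2 r), which is 0 for r = 1
    if ell == 0:
        return prims[(0, 0)](u[0])          # S^1 is a single call to f_{0,0}
    k = r - (1 << (ell - 1))                # 2k blocks are processed in layer 0
    # Layer 0: o_{0,i} = f_{0, i mod 2}(u_i), no feed-forward.
    o = [prims[(0, i % 2)](u[i]) for i in range(2 * k)]
    # Layer 1: k forks over layer-0 outputs, then the 2^ell - r untouched blocks
    # fed straight into f_{1, i mod 2} (assumption: no feed-forward for those).
    o = [prims[(1, i % 2)](o[2 * i] ^ o[2 * i + 1]) ^ o[2 * i] for i in range(k)] + \
        [prims[(1, (k + t) % 2)](u[2 * k + t]) for t in range(r - 2 * k)]
    # Layers 2..ell: x_{j,i} = o_{j-1,2i} xor o_{j-1,2i+1}, feed-forward z_{j,i} = o_{j-1,2i}.
    for j in range(2, ell + 1):
        o = [prims[(j, i % 2)](o[2 * i] ^ o[2 * i + 1]) ^ o[2 * i] for i in range(len(o) // 2)]
    return o[0]


def count_calls(r, n=64):
    """Number of primitive calls one S^r evaluation makes (the paper: 2r-1)."""
    calls = [0]

    def counted(f):
        def g(x):
            calls[0] += 1
            return f(x)
        return g

    prims = {idx: counted(f) for idx, f in make_primitives(n, r).items()}
    s_r(prims, [0] * r)
    return calls[0]


def md_s_r(n, r, message):
    """MD-S^r for r >= 2: chaining value as u_0, r-1 n-bit message blocks per call."""
    nbytes = (n + 7) // 8
    block_bytes = (r - 1) * nbytes
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - nbytes) % block_bytes)
    padded += (len(message) * 8).to_bytes(nbytes, "big")   # MD strengthening (assumption)
    prims = make_primitives(n, r)
    h = 0                                                   # zero IV (assumption)
    for off in range(0, len(padded), block_bytes):
        chunk = padded[off:off + block_bytes]
        blocks = [int.from_bytes(chunk[i:i + nbytes], "big") & ((1 << n) - 1)
                  for i in range(0, block_bytes, nbytes)]
        h = s_r(prims, [h] + blocks)
    return h


def hash_finalized(n, r, message):
    """H(M) = f(MD-S^r(M)) with an independent finalization function f (Sect. 1.3)."""
    return make_primitive(n, "finalization")(md_s_r(n, r, message))
```

Calling `count_calls(r)` for increasing `r` reproduces the \(2r-1\) call count and `len(make_primitives(n, r))` the \(2\lceil \log _2r\rceil +1\) distinct primitives; with `r = 2` the code reduces to the Shrimpton–Stam function \(S^2\) with \(f_0=f_{0,0}\), \(f_1=f_{0,1}\), \(f_2=f_{1,0}\).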

3 Security model

For two sets \(S,T\subseteq \{0,1\}^{n}\), we denote \(S\,\oplus \,T=\{s\,\oplus \,t \mid (s,t)\in S\times T\}\). For \(n\in \mathbb {N}\), we denote by \(\mathsf {Func}(n)\) the set of all functions \(\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) and by \(\mathsf {Perm}(n)\) its subset of all permutations on \(n\) bits. We consider the security of \(S^r\) in the ideal model, where its underlying primitives, denoted as a set \(\mathcal {P}\), are considered to be randomly drawn from \(\mathsf {Func}(n)\). (Later on, we consider \(S^r\) where its underlying functions \(f_{j,b}\) are instantiated as \(f_{j,b}(x)=\pi _{j,b}(x)\,\oplus \,x\), and in this case, we consider \(S^r\) based on ideal permutations from \(\mathsf {Perm}(n)\).) We consider adversaries \(A\) that have unbounded computational power and query access to these random primitives \(\mathcal {P}\), and their complexities are solely measured by the number of queries they make to their oracles. We assume that the adversarial queries are stored in a query history \(\mathcal {Q}\). We require that \(\mathcal {Q}\) always contains the queries necessary for the evaluation of the mounted collision or preimage attack.

Collision resistance Adversary \(A\) finds a collision for \(S^r\) if it obtains two distinct tuples \(\underline{u}=(u_0,\ldots ,u_{r-1})\), \(\underline{u}'=(u_0',\ldots ,u_{r-1}')\) that satisfy \(S^r(\underline{u})=S^r(\underline{u}')\). The advantage of a collision-finding adversary \(A\) is defined as

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[A]&= \mathbb {P}\Big [\mathcal {P}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Func}(n)^{2\lceil \log _2r\rceil +1},\;\underline{u},\underline{u}'\leftarrow A^{\mathcal {P}} \\&\quad :\underline{u}\ne \underline{u}' \;\wedge \; S^r(\underline{u})=S^r(\underline{u}')\Big ]. \end{aligned}$$

For a set of adversaries \(\mathcal {A}\), we define by \(\mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}]\) the maximum advantage of any adversary \(A\in \mathcal {A}\).

Preimage resistance We consider preimage security for every range point (also known as everywhere preimage resistance [40]). Prior to making any query to its oracles, \(A\) is given a range value \(v\in \{0,1\}^{n}\), and \(A\) succeeds in finding a preimage for \(v\) if it detects a \(\underline{u}\) satisfying \(S^r(\underline{u})=v\). The success probability of \(A\) is then maximized over all possible chosen range values. The advantage of an everywhere preimage-finding adversary \(A\) is defined as

$$\begin{aligned}&\mathsf {Adv}_{S^r}^{\mathsf {epre}}[A] \\&\quad = \max _{v\,\in \,\{0,1\}^{n}} \mathbb {P}\left[ \mathcal {P}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Func}(n)^{2\lceil \log _2r\rceil +1},\;\underline{u}\leftarrow A^{\mathcal {P}}(v) {:}\; S^r(\underline{u})=v \right] . \end{aligned}$$

For a set of adversaries \(\mathcal {A}\), we define by \(\mathsf {Adv}_{S^r}^{\mathsf {epre}}[\mathcal {A}]\) the maximum advantage of any adversary \(A\in \mathcal {A}\).

Composition Evidently, equivalent definitions can be given for functions \(F{:}\;\{0,1\}^{s}\rightarrow \{0,1\}^{n}\) based on a different number of primitives \(\mathcal {P}\) from \(\mathsf {Func}(n)\), or even on different primitives. We present the following useful lemma regarding the collision and preimage security of \(G\circ F\) for any hash or compression function \(F\) and any sufficiently strong finalization function \(G\) based on \(\mathcal {P}\). One can think of \(F\) being \(S^r\) or even MD-\(S^r\) and \(G\) an element from \(\mathsf {Func}(n)\).

Lemma 1

Consider \(G\circ F\) based on random primitives \(\mathcal {P}\). Then, for any adversary \(A\),

$$\begin{aligned} \mathsf {Adv}_{G\circ F}^{\mathsf {col}}[A]\le & {} \mathsf {Adv}_{G}^{\mathsf {col}}[A] + \mathsf {Adv}_{F}^{\mathsf {col}}[A], \\ \mathsf {Adv}_{G\circ F}^{\mathsf {epre}}[A]\le & {} \mathsf {Adv}_{G}^{\mathsf {epre}}[A]. \end{aligned}$$

Proof

For \(G\circ F\), denote the input to \(F\) as \(u\), the input to \(G\) (the output of \(F\)) as \(v\) and the output of \(G\) as \(w\). In order to find a collision for \(G\circ F\), the adversary needs to find two different \(u,u'\) with \(w=w'\). Clearly, if the intermediate values \(v,v'\) are distinct, such a collision implies a collision for \(G\), and otherwise it implies a collision for \(F\). Next, for preimage resistance, consider a given range value \(w\) and assume the adversary finds a preimage \(u\). Then, \(F(u)\) is a preimage of \(w\) under \(G\). \(\square \)

4 Collision security of \(S^r\)

In this section, we analyze the collision resistance of \(S^r\). First, in Sect. 4.1, we consider the case of \(r=2^\ell \) (with security proofs in Sects. 4.2, 4.3). Next, in Sect. 4.4, we show how the result generalizes to arbitrary values of \(r\).

4.1 \(S^r\) for \(r=2^\ell \)

We derive the following result for the collision resistance of \(S^r\) for \(r=2^\ell \) with \(\ell \ge 0\) (Fig. 3).

Theorem 1

Let \(r=2^\ell \) with \(\ell \ge 0\). Let \(\mathcal {A}^\mathsf {lw}(q)\) denote the set of all adversaries that make at most \(q\) queries and make those layer-wise (all queries to \(f_{j-1,b}\) are made before all queries to \(f_{j,b'}\) (for \(j=1,\ldots ,\ell \) and \(b,b'\) arbitrary)). Then, for any positive integer value \(\tau \ge 2\),

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}^\mathsf {lw}(q)] \le \frac{2(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau }. \end{aligned}$$

The proof is presented in Sect. 4.2. At a very high level, it is performed in a recursive manner: We demonstrate that a collision for \(S^r\) either happens in the last round or that “something happened at an earlier stage.” In more detail, we first claim that associated with every query \((x_{j,b},y_{j,b})\) to \(f_{j,b}\), there are at most \(\tau ^j\) possible values \(z_{j,b}\), for some threshold value \(\tau \). Then, the adversary wins in either of the following two cases: (i) It finds a collision assuming that our claim holds, or (ii) it breaks the claim. Putting \(\tau =n^{1/\ell }\) and recalling \(N=2^n\), we find that for any \(\varepsilon >0\),

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}^\mathsf {lw}(N^{1/2}/n^{1+\varepsilon })] \le \frac{2}{n^{2\varepsilon }} + 2\left( \frac{2^\ell e}{n^{2\varepsilon }}\right) ^{n^{1/\ell }}, \end{aligned}$$

which approaches \(0\) for \(n\rightarrow \infty \). For various \(\ell \), the bound of Theorem 1 is depicted in Fig. 5.

Fig. 5 The function \(\mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}^\mathsf {lw}(q)]\) of Theorem 1 for \(n=256\) for \(\ell =16,8,4,2\) (from left to right), in comparison with the trivial bound \(q(q+1)/2^n\) (dashed line)

Theorem 1 is restricted to adversaries that make their queries layer-wise (hence the “\(\mathsf {lw}\)” in \(\mathcal {A}^\mathsf {lw}(q)\)). Intuitively, this does not limit the impact of the security proof: The best way for an adversary to find a collision is to make queries to \(f_{j,b}\) for increasing values of \(j\) in such a way to obtain a maximal yield (the number of inputs to \(S^r\) that can be evaluated using the queries made by the adversary). In fact, Shrimpton and Stam [45] already pointed out that for \(S^2\), it is fair to just consider adversaries that query their oracles sequentially (top layer first, bottom layer next). Unfortunately, the proof of Theorem 1 cannot straightforwardly be generalized to the fully adaptive case due to a complicated technicality: A query to \(f_{j,b}\) influences all possible lower-level feed-forward values. Nevertheless, using a simple tweak, it is possible to generalize Theorem 1 to adaptive security up to about \(2^{n/3}\) queries:

Theorem 2

Let \(r=2^\ell \) with \(\ell \ge 0\). Let \(\mathcal {A}(q)\) denote the set of all adversaries that make at most \(q\) queries. Then, for any positive integer value \(\tau \ge 2\),

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}(q)] \le \frac{2(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau } + \frac{2\tau ^{2\ell }q^3}{N}. \end{aligned}$$

The proof is given in Sect. 4.3. We conjecture that this result can be improved to approximately \(2^{n/2}\) collision secure (in the fully adaptive model).

4.2 Proof of Theorem 1

We consider the security of \(S^r{:}\;\{0,1\}^{rn}\rightarrow \{0,1\}^{n}\), for \(r=2^\ell \) with \(\ell \ge 0\), based on \(2\ell +1\) functions \(\big \{ f_{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\) randomly drawn from \(\mathsf {Func}(n)\). The focus is on adversaries that make all queries to \(f_{j-1,b}\) before all queries to \(f_{j,b'}\).

We consider any adversary \(A\) that has query access to its oracles \(\mathcal {P}\) and makes \(q\) queries. These queries are stored in a query history \(\mathcal {Q}\) as indexed tuples of the form \((x^k_{j,b},y^k_{j,b})\), where \(k\) is the query index (omitted if irrelevant) and \(({j,b})\) refers to the oracle index. For \(q\ge 0\), by \(\mathcal {Q}_q\), we define the query history after \(q\) queries.

Associated with each query \((x_{j,b},y_{j,b})\) is a multiset \(\mathcal {Z}_{j,b}\) of all possible feed-forward values \(z_{j,b}\) occurring for this query. For example, for a query \((x_{0,0},y_{0,0})\), we have \(\mathcal {Z}_{0,0}=\{0\}\), and for an additional query \((x_{1,0},y_{1,0})\) for which also \((x_{0,1},y_{0,0}\,\oplus \,x_{1,0})\) to \(f_{0,1}\) exists, \(\mathcal {Z}_{1,0}=\{y_{0,0}\}\). Abusing notation, we sometimes refer to the query and its feed-forward set as \((x_{j,b},y_{j,b},\mathcal {Z}_{j,b})\) or simply \((x,y,\mathcal {Z})_{j,b}\). We recall notation \((y\,\oplus \,z)_{j,b}=y_{j,b}\,\oplus \,z_{j,b}\). Note that \(\mathcal {Z}_{j,b}\) is independent of the position at which \(x_{j,b}\) may occur in \(S^r\): It may occur at position \((j,b+2\lambda )\) for \(\lambda \in \{0,\ldots ,2^{\ell -j-1}-1\}\), but for every such position, its corresponding feed-forward set is the same.

Denote by \(\mathsf {col}{S^r}(\mathcal {Q}_{q})\) the event that \(A\) finds two distinct evaluations of \(S^r\) satisfying \(S^r(u_0,\ldots ,u_{r-1})=S^r(u_0',\ldots ,u_{r-1}')\). We write \(x_{j,i},y_{j,i},z_{j,i}\) for all intermediate values corresponding to the first evaluation and \(x'_{j,i},y'_{j,i},z'_{j,i}\) for all values of the second evaluation. By definition:

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[A] = \mathbb {P}\left[ \mathsf {col}{S^r}(\mathcal {Q}_{q})\right] . \end{aligned}$$
(1)

For the analysis of \(\mathbb {P}\left[ \mathsf {col}{S^r}(\mathcal {Q}_{q})\right] \), we introduce two helping events. Here, let \(\tau \ge 2\) be any integer value.

$$\begin{aligned}&\mathsf {eA}(\mathcal {Q})_{j,b}{:}\; \exists \;(x,y,\mathcal {Z})_{j,b},(x',y',\mathcal {Z}')_{j,b}\in \mathcal {Q}_q\;\text {such that} \\&\quad x_{j,b}\ne x_{j,b}' \wedge y_{j,b}\,\oplus \,y_{j,b}' \in \mathcal {Z}_{j,b}\,\oplus \,\mathcal {Z}_{j,b}';\\&\mathsf {eB}(\mathcal {Q})_j {:}\; \max _{z\in \{0,1\}^{n}}\; \bigg |\bigg \{\begin{array}{l} (x,y,\mathcal {Z})_{j-1,0},(x,y,\mathcal {Z})_{j-1,1}\in \mathcal {Q}_q \;\big |\; \\ y_{j-1,0} \,\oplus \,y_{j-1,1}\,\oplus \,z \in \mathcal {Z}_{j-1,0} \,\oplus \,\mathcal {Z}_{j-1,1} \end{array} \bigg \}\bigg | \\&\quad > \tau ^j. \end{aligned}$$

We simply write \(\mathsf {eA}(\mathcal {Q})_j=\mathsf {eA}(\mathcal {Q})_{j,0}\cup \mathsf {eA}(\mathcal {Q})_{j,1}\) and \(\mathsf {eX}(\mathcal {Q})=\bigcup _j\mathsf {eX}(\mathcal {Q})_j\) for \(\mathsf {X}=\mathsf {A},\mathsf {B}\). We furthermore write \(\mathsf {e}(\mathcal {Q})=\mathsf {eA}(\mathcal {Q})\cup \mathsf {eB}(\mathcal {Q})\). First, in Lemma 2, we demonstrate that finding a collision is at least as hard as finding a solution for \(\mathsf {eA}(\mathcal {Q}_{q})\).

Lemma 2

\(\mathsf {col}{S^r}(\mathcal {Q}_{q})\Rightarrow \mathsf {eA}(\mathcal {Q}_{q})\).

Proof

The proof is by contradiction. Assume \(\lnot \mathsf {eA}(\mathcal {Q}_q)\), and suppose an adversary makes all queries for the computation of \(S^r\) on input of two different vectors \((u_0,\ldots ,u_{r-1})\) and \((u_0',\ldots ,u_{r-1}')\). By construction:

$$\begin{aligned} S^r(u_0,\ldots ,u_{r-1})&= (y\,\oplus \,z)_{\ell ,0}=(y'\,\oplus \,z')_{\ell ,0} \\&= S^r(u_0',\ldots ,u_{r-1}'). \end{aligned}$$

First, assume \(x_{\ell ,0}\ne x_{\ell ,0}'\). Then, the collision forms a valid solution to \(\mathsf {eA}(\mathcal {Q}_{q})_{\ell ,0}\), contradicting our assumption. Next, assume \(x_{\ell ,0}=x_{\ell ,0}'\). Then also \(y_{\ell ,0}=y_{\ell ,0}'\) and thus \(z_{\ell ,0}=z_{\ell ,0}'\). By construction, this implies \((y\,\oplus \,z)_{\ell -1,0}=(y'\,\oplus \,z')_{\ell -1,0}\) and \((y\,\oplus \,z)_{\ell -1,1}=(y'\,\oplus \,z')_{\ell -1,1}\). Note that \(S^r\) without the \(\ell \hbox {th}\) layer corresponds to two parallel independent \(S^{r/2}\) evaluations: One with inputs \((u_0,\ldots ,u_{r/2-1})\) and output \((y\,\oplus \,z)_{\ell -1,0}\) and one with inputs \((u_{r/2},\ldots ,u_{r-1})\) and output \((y\,\oplus \,z)_{\ell -1,1}\). Given that the collision for \(S^r\) is non-trivial, it implies a non-trivial collision of either of the two \(S^{r/2}\)’s. Consider the \(S^{r/2}\) with the non-trivial collision and apply the same reasoning using \(\mathsf {eA}(\mathcal {Q}_{q})_{\ell -1,b}\). Here, \(b=0\) iff the non-trivial collision is in the left half. At some point, one indeed ends up with a distinct pair \(x_{j,i}\ne x_{j,i}'\) for some \(j=\ell ,\ldots ,0\), as \((u_0,\ldots ,u_{r-1})\ne (u_0',\ldots ,u_{r-1}')\). \(\square \)
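The feed-forward multisets \(\mathcal {Z}_{j,b}\) introduced above and the implication of Lemma 2, as an added executable illustration that is not part of the paper: a recording oracle serves the \(f_{j,b}\) queries of an honest evaluator of \(S^r\) (\(r=2^\ell \)), the multisets are then computed layer by layer from the query history \(\mathcal {Q}\), and on a history that contains a collision the event \(\mathsf {eA}(\mathcal {Q})\) is checked. Assumptions not taken from the paper: \(n=8\) so that a collision appears after a handful of evaluations, the ideal functions are random tables from a seeded PRNG, and a multiplicity in \(\mathcal {Z}_{j,b}\) counts the distinct (query, feed-forward) combinations of the layer below that produce the value.

```python
# Added example, not code from the paper: feed-forward multisets Z_{j,b} from a
# recorded query history of S^r (r = 2^ell), and Lemma 2 checked on a toy instance.
# Assumptions not from the paper: n = 8, ideal functions as seeded random tables.
import random
from collections import Counter


def ideal_functions(n, ell, seed):
    """Random tables standing in for the 2*ell+1 functions f_{j,b} (assumption)."""
    rng = random.Random(seed)
    idx = [(j, b) for j in range(ell) for b in (0, 1)] + [(ell, 0)]
    return {jb: [rng.randrange(1 << n) for _ in range(1 << n)] for jb in idx}


class RecordingOracle:
    """Answers f_{j,b} queries and keeps the query history Q as {(j,b): {x: y}}."""
    def __init__(self, tables):
        self.tables = tables
        self.history = {jb: {} for jb in tables}

    def query(self, j, b, x):
        y = self.tables[(j, b)][x]
        self.history[(j, b)][x] = y
        return y


def evaluate(oracle, u):
    """S^r for r = 2^ell as in Fig. 3; returns the output and every (x, y, z)_{j,i}."""
    ell = (len(u) - 1).bit_length()
    trace, o = {}, []
    for i, x in enumerate(u):                        # layer 0: z_{0,i} = 0
        y = oracle.query(0, i % 2, x)
        trace[(0, i)] = (x, y, 0)
        o.append(y)
    for j in range(1, ell + 1):                      # layers 1..ell, with feed-forward
        nxt = []
        for i in range(len(o) // 2):
            x, z = o[2 * i] ^ o[2 * i + 1], o[2 * i]
            y = oracle.query(j, i % 2, x)
            trace[(j, i)] = (x, y, z)
            nxt.append(y ^ z)
        o = nxt
    return o[0], trace


def feed_forward_sets(history, ell):
    """Z[(j,b)][x]: multiset (Counter) of feed-forward values of query (x, y) to f_{j,b}."""
    Z = {(0, b): {x: Counter({0: 1}) for x in history[(0, b)]} for b in (0, 1) if (0, b) in history}
    for j in range(1, ell + 1):
        # Multiset of all round outputs (y xor z) the two layer-(j-1) oracles can produce.
        outs = {b: Counter() for b in (0, 1)}
        for b in (0, 1):
            for x, y in history[(j - 1, b)].items():
                for z, m in Z[(j - 1, b)][x].items():
                    outs[b][y ^ z] += m
        # A query x to f_{j,b} is completed by a left output o0 and a right output
        # o0 xor x; its feed-forward value is the left output o0 (Sect. 2.1).
        for b in (0, 1):
            if (j, b) in history:
                Z[(j, b)] = {x: Counter({o0: m0 * outs[1][o0 ^ x]
                                         for o0, m0 in outs[0].items() if (o0 ^ x) in outs[1]})
                             for x in history[(j, b)]}
    return Z


def event_eA(history, Z):
    """eA(Q): some f_{j,b} has queries x != x' with y xor y' in Z xor Z'."""
    for jb, Zjb in Z.items():
        qs = list(history[jb].items())               # distinct x by construction
        for a, (xa, ya) in enumerate(qs):
            for xc, yc in qs[a + 1:]:
                if any(((ya ^ yc) ^ z) in Zjb[xc] for z in Zjb[xa]):
                    return True
    return False


def find_collision(n, ell, seed):
    """Evaluate S^r on fresh random inputs until two distinct inputs collide."""
    oracle = RecordingOracle(ideal_functions(n, ell, seed))
    rng = random.Random(seed + 1)
    seen = {}
    for _ in range(4 << n):                          # > 2^n distinct inputs must collide
        u = tuple(rng.randrange(1 << n) for _ in range(1 << ell))
        out, trace = evaluate(oracle, u)
        if out in seen and seen[out][0] != u:
            return oracle, seen[out][1], trace
        seen[out] = (u, trace)
    raise RuntimeError("no collision found")


def lemma2_check(n=8, ell=2, seed=1):
    """Lemma 2 in action: a query history that contains a collision satisfies eA."""
    oracle, trace1, trace2 = find_collision(n, ell, seed)
    Z = feed_forward_sets(oracle.history, ell)
    for trace in (trace1, trace2):                   # sanity: recorded z lies in Z_{j,b}
        for (j, i), (x, y, z) in trace.items():
            assert z in Z[(j, i % 2)][x]
    return event_eA(oracle.history, Z)
```

On the paper's own example, a history holding \((x_{0,0},y_{0,0})\), \((x_{0,1},y_{0,0}\,\oplus \,x_{1,0})\) and \((x_{1,0},y_{1,0})\), `feed_forward_sets` returns \(\mathcal {Z}_{1,0}=\{y_{0,0}\}\); `lemma2_check()` returns `True`, while the converse need not hold, so nothing is asserted about histories without a collision.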

Therefore, we obtain for (1):

$$\begin{aligned} \mathbb {P}\left[ \mathsf {col}{S^r}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] . \end{aligned}$$

A bound on this probability is derived in Lemma 3.

Lemma 3

\(\displaystyle \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \frac{2(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau }\).

Proof

Recall the notation \(\mathsf {e}(\mathcal {Q}_{q})=\mathsf {eA}(\mathcal {Q}_{q})\cup \mathsf {eB}(\mathcal {Q}_{q})\). By basic probability theory:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right]&\le \sum _{j=0}^\ell \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eB}(\mathcal {Q}_q)_j\right] \nonumber \\&\quad + \sum _{j=1}^\ell \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-1}\right] , \end{aligned}$$
(2)

noting that \(\mathsf {eB}(\mathcal {Q}_{q})_0\) is false by construction. We consider both probabilities separately.

We recall that \(A\) makes all queries to \(f_{j-1,b}\) before all queries to \(f_{j,b'}\). This particularly means that, at the point of making queries to \(f_{j,b}\), the sets \(\mathcal {Z}_{j,b}\) are fixed (by all previous queries) and remain unchanged. In more detail, we regularly use the following observation for any query \((x,y,\mathcal {Z})_{j,b}\) to \(f_{j,b}\): \(\lnot \mathsf {eB}(\mathcal {Q}_q)_j \Rightarrow |\mathcal {Z}_{j,b}|\le \tau ^j\).

\(\mathsf {eA}(\mathcal {Q}_{q})_j\) Assume \(\lnot \mathsf {eB}(\mathcal {Q}_q)_j\) holds. Consider any \(b\) and any two distinct queries \((x,y,\mathcal {Z})_{j,b}\) and \((x',y',\mathcal {Z}')_{j,b}\) to \(f_{j,b}\) (at most \({q\atopwithdelims ()2}\) choices). These queries render a solution if \(y_{j,b}\,\oplus \,y_{j,b}' \in \mathcal {Z}_{j,b}\,\oplus \,\mathcal {Z}_{j,b}'\). By \(\lnot \mathsf {eB}(\mathcal {Q}_q)_j\), we have \(|\mathcal {Z}_{j,b}|,|\mathcal {Z}_{j,b}'|\le \tau ^j\). Consequently, the two queries complete the collision with probability at most \(\frac{\tau ^{2j}}{N}\). Summing over all queries to \(f_{j,b}\), and both choices of \(b\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eB}(\mathcal {Q}_q)_j\right] \le 2\frac{(\tau ^jq)^2}{2N} = \frac{(\tau ^jq)^2}{N}. \end{aligned}$$

\(\mathsf {eB}(\mathcal {Q}_{q})_j\) Assume \(\lnot \mathsf {e}(\mathcal {Q}_q)_{j-1}\) holds. Consider any \(z\in \{0,1\}^{n}\). By virtue of \(\lnot \mathsf {eB}(\mathcal {Q}_q)_{j-1}\), any query \((x,y,\mathcal {Z})_{j-1,0}\) has \(|\mathcal {Z}_{j-1,0}|\le \tau ^{j-1}\). Similarly, any query \((x,y,\mathcal {Z})_{j-1,1}\) has \(|\mathcal {Z}_{j-1,1}|\le \tau ^{j-1}\).

Without loss of generality (by symmetry) consider a new query \((x,y,\mathcal {Z})_{j-1,0}\). This adds a solution to \(\mathsf {eB}(\mathcal {Q}_{q})_j\) with probability at most \(\tau ^{2(j-1)}q/N\), and any hit adds at most \(\tau ^{j-1}\) values (by \(\lnot \mathsf {eA}(\mathcal {Q}_q)_{j-1}\)). More than \(\tau ^j\) solutions are added with probability at most

$$\begin{aligned}&{q\atopwithdelims ()\frac{\tau ^j}{\tau ^{j-1}}} \left( \frac{\tau ^{2(j-1)}q}{N}\right) ^{\frac{\tau ^j}{\tau ^{j-1}}}\\&\quad \le \left( \frac{e\tau ^{2j-3}q^2}{N}\right) ^{\tau } \le \left( \frac{e(\tau ^jq)^2}{N}\right) ^{\tau }. \end{aligned}$$

Summing over all \(N\) values \(z\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-1}\right] \le N\left( \frac{e(\tau ^jq)^2}{N}\right) ^{\tau }. \end{aligned}$$

Conclusion of proof From (2), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right]&\le \sum _{j=0}^\ell \frac{(\tau ^jq)^2}{N} + \sum _{j=1}^\ell N\left( \frac{e(\tau ^jq)^2}{N}\right) ^{\tau } \\&= \frac{q^2}{N}\sum _{j=0}^\ell \tau ^{2j} + N\left( \frac{eq^2}{N}\right) ^{\tau }\sum _{j=1}^\ell \tau ^{2\tau j}\\&\le \frac{2(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau }. \end{aligned}$$

Here, we use that \(\sum _{j=0}^{\ell } x^j = \frac{x^{\ell +1}-1}{x-1}\le \frac{x}{x-1}x^\ell \le 2x^\ell \) for \(x\ge 2\). \(\square \)

4.3 Proof of Theorem 2

The proof of security against adaptive adversaries follows the proof of Theorem 1 in Sect. 4, but differs in various aspects. First of all, we add the following event \(\mathsf {eC}(\mathcal {Q})\):

$$\begin{aligned}&\mathsf {eC}(\mathcal {Q})_{j,b}{:}\; \exists \;(x,y,\mathcal {Z})_{j-1,0}^k,(x,y,\mathcal {Z})_{j-1,1}^{k'},(x,y)_{j,b}^{k''} \\&\quad \in \mathcal {Q}_q\;\text {such that} \\&\quad \max \{k,k'\}>k'' \wedge y_{j-1,0} \,\oplus \,y_{j-1,1}\,\oplus \,x_{j,b}\\&\quad \in \mathcal {Z}_{j-1,0} \,\oplus \,\mathcal {Z}_{j-1,1}. \end{aligned}$$

We define \(\mathsf {eC}(\mathcal {Q})_j\) and \(\mathsf {eC}(\mathcal {Q})\) in the same way as before and write \(\mathsf {e}(\mathcal {Q})=\mathsf {eA}(\mathcal {Q})\cup \mathsf {eB}(\mathcal {Q})\cup \mathsf {eC}(\mathcal {Q})\). \(\mathsf {eC}(\mathcal {Q})\) essentially covers the case that, somewhere in the evaluation of \(S^r\), a fork \((y\,\oplus \,z)_{j-1,0} \,\oplus \,(y\,\oplus \,z)_{j-1,1}=x_{j,b}\) is completed by an upper-level query. It could also be the case that \(k''>k,k'\) but a new query results in a fresh element in \(\mathcal {Z}_{j-1,0}\), thereby rendering a hit; in that case, however, the query would already have triggered \(\mathsf {eC}(\mathcal {Q})\) in the first place (for an earlier value of \(j\)). Intuitively, assuming \(\lnot \mathsf {eC}(\mathcal {Q}_q)\), we can indeed consider the adversary to make its queries layer-wise.

Lemma 2 still holds, and

$$\begin{aligned} \mathbb {P}\left[ \mathsf {col}_{S^r}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})\right] \le \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] . \end{aligned}$$

A bound on this probability is derived in Lemma 4. It is similar to Lemma 3.

Lemma 4

\(\mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \frac{2(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau } + \frac{2\tau ^{2\ell }q^3}{N}\).

Proof

Recall the notation \(\mathsf {e}(\mathcal {Q}_{q})=\mathsf {eA}(\mathcal {Q}_{q})\cup \mathsf {eB}(\mathcal {Q}_{q})\cup \mathsf {eC}(\mathcal {Q}_{q})\). Write \(\mathsf {eBC}(\mathcal {Q}_{q})=\mathsf {eB}(\mathcal {Q}_{q})\cup \mathsf {eC}(\mathcal {Q}_{q})\). By basic probability theory:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right]\le & {} \;\sum _{j=0}^\ell \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBC}(\mathcal {Q}_q)_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \nonumber \\&+ \,\sum _{j=1}^\ell \left( \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \right. \nonumber \\&\qquad \left. + \,\mathbb {P}\left[ \mathsf {eC}(\mathcal {Q}_{q})_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \right) . \end{aligned}$$
(3)

Indeed, \(\mathsf {e}(\mathcal {Q}_{q})\) should be triggered for some \(j\). Therefore, we consider any \(j\), assume \(\mathsf {e}(\mathcal {Q}_{q})_{j'}\) has not been triggered for any \(j'<j\), and consider the probability that a query for this specific value of \(j\) triggers \(\mathsf {e}(\mathcal {Q})_j\). This event can then be further divided into a success for \(\mathsf {eA}(\mathcal {Q}_{q})_j,\, \mathsf {eB}(\mathcal {Q}_{q})_j\), or \(\mathsf {eC}(\mathcal {Q}_{q})_j\).

\(\mathsf {eA}(\mathcal {Q}_{q})_j\). Assume \(\lnot \mathsf {eBC}(\mathcal {Q}_q)_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\) holds. Consider any \(b\). The equation of \(\mathsf {eA}(\mathcal {Q}_{q})_j\) can be satisfied in two ways: (i) via a query to \(f_{j,b}\), or (ii) via a query \((x,y)_{j',b'}\) for \(j'<j\) that results in a new value in \(\mathcal {Z}_{j,b}\) for some older query \((x,y)_{j,b}\). However, in case (ii) the query to \(f_{j',b'}\) triggered \(\mathsf {eC}(\mathcal {Q})_{j'+1}\), which is impossible by assumption. The remaining analysis is the same as in Lemma 3, and we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {eBC}(\mathcal {Q}_q)_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \le \frac{(\tau ^jq)^2}{N}. \end{aligned}$$

\(\mathsf {eB}(\mathcal {Q}_{q})_j\). Assume \(\cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\) holds. Consider any \(z\in \{0,1\}^{n}\). The equation of \(\mathsf {eB}(\mathcal {Q}_{q})_j\) can be satisfied in two ways: (i) via a query \((x,y,\mathcal {Z})_{j-1,0}\) or \((x,y,\mathcal {Z})_{j-1,1}\), or (ii) via a query \((x,y,\mathcal {Z})_{j',b'}\) for \(j'<j-1\) that results in a new value in either \(\mathcal {Z}_{j-1,0}\) for some older query \((x,y)_{j-1,0}\) or \(\mathcal {Z}_{j-1,1}\) for some older query \((x,y)_{j-1,1}\). However, in case (ii) the query to \(f_{j',b'}\) triggered \(\mathsf {eC}(\mathcal {Q})_{j'+1}\), which is impossible by assumption. Therefore, it suffices to consider the case that a fresh query to \(f_{j-1,0}\) or \(f_{j-1,1}\) satisfies the equation. The remaining analysis is the same as in Lemma 3, and we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \le N\left( \frac{e(\tau ^jq)^2}{N}\right) ^{\tau }. \end{aligned}$$

\(\mathsf {eC}(\mathcal {Q}_{q})_j\). Assume \(\cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\) holds. Similarly to \(\mathsf {eB}(\mathcal {Q}_{q})_j\), by assumption the equation of \(\mathsf {eC}(\mathcal {Q}_{q})_j\) can only be triggered via a query \((x,y,\mathcal {Z})_{j-1,0}\) or \((x,y,\mathcal {Z})_{j-1,1}\). Any query \((x,y,\mathcal {Z})_{j-1,0}\) has \(|\mathcal {Z}_{j-1,0}|\le \tau ^{j-1}\), due to \(\lnot \mathsf {eB}(\mathcal {Q}_q)_{j-1}\), and similarly for any \((x,y,\mathcal {Z})_{j-1,1}\).

Consider the \(\max \{k,k'\}\)th query. There are at most \(q^2\) choices for the other two queries, and it adds a solution to \(\mathsf {eC}(\mathcal {Q}_{q})_{j,b}\) with probability at most \(\tau ^{2(j-1)}q^2/N\). Summing over all queries, we eventually find:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eC}(\mathcal {Q}_{q})_j \cap \cap _{j'=1}^{j-1} \lnot \mathsf {e}(\mathcal {Q}_q)_{j'}\right] \le \frac{\tau ^{2j}q^3}{N}. \end{aligned}$$

Conclusion of proof. The proof is now completed via (3), as in Lemma 3. \(\square \)

4.4 \(S^r\) for arbitrary \(r\)

The previous analysis carries over to the generalized \(S^r\) (Fig. 4) almost verbatim, with the difference that we take \(\ell =\lceil \log _2r \rceil \). The only technical change lies in the sets \(\mathcal {Z}_{j,b}\) associated with the queries: A query to \(f_{j,b}\) may occur in an evaluation of \(S^r\) at position \((j,b+2\lambda )\) for \(\lambda \in \{0,\ldots ,2^{\ell -j-1}-1\}\), and due to the asymmetric character of \(S^r\) it may have two different feed-forward sets. For the proof of Lemma 3, this concretely means that we need to consider two feed-forward sets associated with every query. This affects the bound as follows: Regarding \(\mathsf {eA}(\mathcal {Q}_{q})_j\), we end up with bound \(\frac{(2\tau ^jq)^2}{N}\). For \(\mathsf {eB}(\mathcal {Q})_j\), a collision is found with probability at most \((2\tau ^{j-1})^2q/N\) and any hit adds at most \(2\tau ^{j-1}\) values. Using \(\tau \ge 2\), this results in the same bound for \(\mathsf {eB}(\mathcal {Q})_j\):

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q})_j \cap \lnot \mathsf {e}(\mathcal {Q}_q)_{j-1}\right]&\le N\left( \frac{e(2^3\tau ^{2j-3}q)^2}{N}\right) ^{\tau } \\&\le N\left( \frac{e(\tau ^jq)^2}{N}\right) ^{\tau }. \end{aligned}$$

Hence, as a direct corollary of Theorems 1 and 2 (to which the same reasoning applies), we find:

Corollary 1

Let \(r\ge 1\) with \(\ell =\lceil \log _2r \rceil \). Let \(\mathcal {A}^\mathsf {lw}(q)\) be as in Theorem 1, and \(\mathcal {A}(q)\) as in Theorem 2. Then, for any positive integer value \(\tau \ge 2\),

$$\begin{aligned}&\mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}^\mathsf {lw}(q)] \le \frac{8(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau },\\&\mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}(q)] \le \frac{8(\tau ^\ell q)^2}{N} + 2N\left( \frac{e(\tau ^\ell q)^2}{N}\right) ^{\tau } + \frac{8\tau ^{2\ell }q^3}{N}. \end{aligned}$$

The asymptotic behavior of the bounds remains the same.

5 Preimage security of \(S^r\)

Theorem 1 trivially implies preimage security up to the birthday bound. For \(r=1,2\), we derive the following result in the fully adaptive model. This result particularly solves an open problem of Shrimpton and Stam [45], namely to prove \(2n/3\)-bit preimage security of their design (optimal w.r.t. the bounds of Rogaway and Steinberger [41]).

Theorem 3

Let \(r\in \{1,2\}\). Let \(\mathcal {A}(q)\) be as in Theorem 2. Then, for any positive integer value \(\tau \ge 2\),

$$\begin{aligned}&\mathsf {Adv}_{S^1}^{\mathsf {epre}}[\mathcal {A}(q)] \le \frac{q}{N}, \\&\mathsf {Adv}_{S^2}^{\mathsf {epre}}[\mathcal {A}(q)] \le \frac{\tau q}{N} + \frac{q^3}{N^2}+ (N+2)\left( \frac{2eq^2}{\tau N}\right) ^{\tau /2}. \end{aligned}$$

The proof is given in Sect. 5.1. Similar to Theorem 1, we can put \(\tau =N^{1/3}\) and find that for any \(\varepsilon >0,\, \mathsf {Adv}_{S^2}^{\mathsf {epre}}[\mathcal {A}(N^{2/3}/n^{\varepsilon })]\) approaches \(0\) for \(n\rightarrow \infty \). Unfortunately, the proof cannot be easily generalized to larger \(r\): The threshold value \(\tau ^\ell \) starts exploding for \(\ell \ge 2\).
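To see what the bounds of Corollary 1 and Theorem 3 mean for concrete parameters, the following Python snippet, added here as a worked computation and not part of the paper, evaluates both bounds in the log2 domain (the raw terms such as \(N(\cdot )^{\tau }\) overflow double precision) and scans for the largest power-of-two query count at which each bound still stays below \(1/2\). The sample choices \(n=128\), \(\tau =4\) for the collision bound and \(\tau =2^{43}\approx N^{1/3}\) for the preimage bound are the example's own, not values from the paper.

```python
import math

LOG2_E = math.log2(math.e)


def _pow2(log2_value: float) -> float:
    """2**log2_value read as a probability: saturate at 1 (a bound above 1 is
    vacuous) and flush values far below double precision to 0 instead of
    raising OverflowError."""
    if log2_value >= 0:
        return 1.0
    if log2_value < -1074:
        return 0.0
    return 2.0 ** log2_value


def col_bound(n: int, ell: int, q: int, tau: int, adaptive: bool = False) -> float:
    """Corollary 1 for S^r with ell = ceil(log2 r) and N = 2^n:
         8(tau^ell q)^2/N + 2N(e(tau^ell q)^2/N)^tau
    plus 8 tau^(2 ell) q^3 / N for the fully adaptive model (Theorem 2)."""
    a = 2 * (ell * math.log2(tau) + math.log2(q)) - n   # log2((tau^ell q)^2 / N)
    total = _pow2(3 + a) + _pow2(1 + n + tau * (LOG2_E + a))
    if adaptive:
        total += _pow2(3 + 2 * ell * math.log2(tau) + 3 * math.log2(q) - n)
    return min(1.0, total)


def epre_bound_s2(n: int, q: int, tau: int) -> float:
    """Theorem 3 for S^2: tau q/N + q^3/N^2 + (N+2)(2e q^2/(tau N))^(tau/2)."""
    lq, lt = math.log2(q), math.log2(tau)
    t1 = _pow2(lt + lq - n)
    t2 = _pow2(3 * lq - 2 * n)
    t3 = _pow2(math.log2((1 << n) + 2) + (tau / 2) * (1 + LOG2_E + 2 * lq - lt - n))
    return min(1.0, t1 + t2 + t3)


def max_log2_queries(bound, n: int, threshold: float = 0.5) -> int:
    """Largest k in 0..n with bound(2^k) < threshold (the bounds are
    non-decreasing in q); -1 if already a single query exceeds it."""
    best = -1
    for k in range(n + 1):
        if bound(1 << k) < threshold:
            best = k
    return best


if __name__ == "__main__":
    n = 128                                   # sample block size (constructed)
    print("S^2 epre, tau=2^43:", max_log2_queries(lambda q: epre_bound_s2(n, q, 2**43), n))
    print("S^2 col, layer-wise, tau=4:", max_log2_queries(lambda q: col_bound(n, 1, q, 4), n))
    print("S^2 col, adaptive, tau=4:", max_log2_queries(lambda q: col_bound(n, 1, q, 4, True), n))
```

With these sample parameters the preimage bound for \(S^2\) stays below \(1/2\) up to \(2^{83}\) queries, in line with the \(2n/3\approx 85.3\) asymptotics, while the collision bound with the small constant \(\tau =4\) holds to \(2^{45}\) queries layer-wise but only to \(2^{39}\) queries in the adaptive model, where the cubic term of Theorem 2 takes over.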

We remark that \(S^r\) (or MD-\(S^r\)) for \(r\ge 2\) can be made preimage resistant up to \(N\) queries by adding one single primitive call at the end of its evaluation (now only for \(S^r\), a similar claim for MD-\(S^r\) was already made in Sect. 1):

Theorem 4

Let \(r\ge 1\) with \(\ell =\lceil \log _2r \rceil \). Suppose \(\mathcal {P}=\big \{ f_{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\cup \{f\}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Func}(n)^{2\ell +2}\). Let \(\mathcal {A}(q)\) be as in Theorem 2. Then,

$$\begin{aligned} \mathsf {Adv}_{f\circ S^r}^{\mathsf {epre}}[\mathcal {A}(q)] \le \frac{q}{N}. \end{aligned}$$

Proof

The proof directly follows from Lemma 1 and Theorem 3, noting \(S^1=f\). \(\square \)

5.1 Proof of Theorem 3

\(S^1\) is equal to \(f_{0,0}\), and the result is trivial. We proceed with \(S^2\). We employ the same conventions and notations as in the proof of Sect. 4. As before, we consider any adversary \(A\) that has query access to its oracles \(\mathcal {P}\) and makes \(q\) queries. Recall that \(\mathcal {Z}_{0,b}=\{0\}\) for \(b=0,1\). In fact, we only need \(\mathcal {Z}_{1,0}\) and therefore we will discard the notion entirely (and write everything explicitly).

Let \(v\in \{0,1\}^{n}\) be the challenged range value. Denote by \(\mathsf {pre}_{S^2}(\mathcal {Q}_{q})\) the event that \(A\) finds an evaluation of \(S^2\) satisfying \(S^2(u_0,u_1)=v\). By definition:

$$\begin{aligned} \mathsf {Adv}_{S^2}^{\mathsf {epre}}[A] = \mathbb {P}\left[ \mathsf {pre}_{S^2}(\mathcal {Q}_{q})\right] . \end{aligned}$$
(4)

For the analysis of \(\mathbb {P}\left[ \mathsf {pre}{S^2}(\mathcal {Q}_{q})\right] \) we introduce four helping events. Here, let \(\tau \ge 2\) be any integer value.

$$\begin{aligned}&\mathsf {eA}(\mathcal {Q})_{j,b}{:}\; \exists \;\text {distinct}\;(x,y)_{j,b},(x',y')_{j,b},(x'',y'')_{j,b}\\&\quad \in \mathcal {Q}_q\;\text {such that} \\&\quad y_{j,b}=y_{j,b}'=y_{j,b}''\;\text {or}\;(x\,\oplus \,y)_{j,b}=(x'\,\oplus \,y')_{j,b}\\&\quad =(x''\,\oplus \,y'')_{j,b}; \\&\mathsf {eB}(\mathcal {Q}) {:}\; \max _{z\in \{0,1\}^{n}}\; \big |\big \{ (x,y)_{0,0},(x,y)_{0,1}\in \mathcal {Q}_q \;\big |\; y_{0,0} \,\oplus \,y_{0,1}\\&\quad =z \big \}\big | > \tau ; \\&\mathsf {eC}(\mathcal {Q}) {:}\; \big |\big \{ (x,y)_{0,1},(x,y)_{1,0}\in \mathcal {Q}_q \;\big |\; y_{0,1} \,\oplus \,(x\,\oplus \,y)_{1,0} \\&\quad =v \big \}\big | >\tau ;\\&\mathsf {eD}(\mathcal {Q}) {:}\; \big |\big \{ (x,y)_{0,0},(x,y)_{1,0}\\&\quad \in \mathcal {Q}_q \;\big |\; y_{0,0} \,\oplus \,y_{1,0}=v \big \}\big | >\tau . \end{aligned}$$

We write \(\mathsf {eA}(\mathcal {Q})=\mathsf {eA}(\mathcal {Q})_{0,0}\cup \mathsf {eA}(\mathcal {Q})_{0,1}\cup \mathsf {eA}(\mathcal {Q})_{1,0}\), \(\mathsf {eBCD}(\mathcal {Q})=\mathsf {eB}(\mathcal {Q})\cup \mathsf {eC}(\mathcal {Q})\cup \mathsf {eD}(\mathcal {Q})\), and \(\mathsf {e}(\mathcal {Q})=\mathsf {eA}(\mathcal {Q})\cup \mathsf {eBCD}(\mathcal {Q})\). In Lemma 5, we demonstrate that finding a preimage assuming \(\lnot \mathsf {eBCD}(\mathcal {Q}_q)\) happens with probability at most \(\frac{\tau q}{N}\).

Lemma 5

\(\displaystyle \mathbb {P}\left[ \mathsf {pre}_{S^2}(\mathcal {Q}_{q}) \cap \lnot \mathsf {eBCD}(\mathcal {Q}_q)\right] \le \frac{\tau q}{N}\).

Proof

Assume \(\lnot \mathsf {eBCD}(\mathcal {Q}_q)\). We make a distinction among queries made to \(f_{0,0},\, f_{0,1}\), and \(f_{1,0}\).

Starting with a query \((x,y)_{1,0}\) to \(f_{1,0}\), it renders a preimage for \(S^2\) if \(y_{1,0}\,\oplus \,y_{0,0}=v\) for some older queries \((x,y)_{0,0},(x,y)_{0,1}\) satisfying \(y_{0,0} \,\oplus \,y_{0,1}=x_{1,0}\). By \(\lnot \mathsf {eB}(\mathcal {Q}_q)\), there are at most \(\tau \) such solutions. Consequently, the query results in a preimage with probability at most \(\frac{\tau }{N}\).

Next, for a query \((x,y)_{0,0}\) to \(f_{0,0}\), it results in a preimage if \(y_{1,0}\,\oplus \,y_{0,0}=v\) and \(y_{0,0} \,\oplus \,y_{0,1}=x_{1,0}\) for some older queries \((x,y)_{0,1},(x,y)_{1,0}\). By \(\lnot \mathsf {eC}(\mathcal {Q}_q)\), there are at most \(\tau \) solutions to \(y_{1,0}\,\oplus \,v = y_{0,1}\,\oplus \,x_{1,0}\). Consequently, the query results in a preimage with probability at most \(\frac{\tau }{N}\).

Finally, for a query \((x,y)_{0,1}\) to \(f_{0,1}\), it gives a preimage if \(y_{0,0} \,\oplus \,y_{0,1}=x_{1,0}\) for some older queries \((x,y)_{0,0},(x,y)_{1,0}\) satisfying \(y_{1,0}\,\oplus \,y_{0,0}=v\). By \(\lnot \mathsf {eD}(\mathcal {Q}_q)\), there are at most \(\tau \) such solutions. Consequently, the query results in a preimage with probability at most \(\frac{\tau }{N}\).

Summing over all queries, we obtain our bound. \(\square \)

Therefore, we obtain for (4):

$$\begin{aligned} \mathbb {P}\left[ \mathsf {pre}_{S^2}(\mathcal {Q}_{q})\right] \le \frac{\tau q}{N} + \mathbb {P}\left[ \mathsf {eBCD}(\mathcal {Q}_{q})\right] \le \frac{\tau q}{N} + \mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] . \end{aligned}$$

A bound on \(\mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \) is derived in Lemma 6.

Lemma 6

\(\mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \frac{q^3}{N^2} + (N+2)\left( \frac{2eq^2}{\tau N}\right) ^{\tau /2}\).

Proof

By basic probability theory:

$$\begin{aligned}&\mathbb {P}\left[ \mathsf {e}(\mathcal {Q}_{q})\right] \le \;\mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})\right] + \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q}) \cap \lnot \mathsf {eA}(\mathcal {Q}_q)\right] \nonumber \\&\quad + \;\mathbb {P}\left[ \mathsf {eC}(\mathcal {Q}_{q}) \cap \lnot \mathsf {eA}(\mathcal {Q}_q)\right] + \mathbb {P}\left[ \mathsf {eD}(\mathcal {Q}_{q}) \cap \lnot \mathsf {eA}(\mathcal {Q}_q)\right] . \end{aligned}$$
(5)

We consider the four probabilities separately.

\(\mathsf {eA}(\mathcal {Q}_{q})\). Consider any \({j,b}\) and any three distinct queries \((x,y)_{j,b},\, (x',y')_{j,b}\), and \((x'',y'')_{j,b}\) to \(f_{j,b}\) (at most \({q\atopwithdelims ()3}\) choices). These queries render a solution if \(y_{j,b}=y_{j,b}'=y_{j,b}''\) or \((x\,\oplus \,y)_{j,b}=(x'\,\oplus \,y')_{j,b}=(x''\,\oplus \,y'')_{j,b}\), which happens with probability at most \(\frac{2}{N^2}\). Summing over all queries to \(f_{j,b}\), and all choices of \({j,b}\) (three in total), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eA}(\mathcal {Q}_{q})\right] \le \frac{q^3}{N^2}. \end{aligned}$$

\(\mathsf {eB}(\mathcal {Q}_{q})\). Assume \(\lnot \mathsf {eA}(\mathcal {Q}_q)\) holds. Consider any \(z\in \{0,1\}^{n}\). Without loss of generality (by symmetry) consider a new query \((x,y)_{0,1}\). This adds a solution to \(\mathsf {eB}(\mathcal {Q}_{q})\) with probability at most \(q/N\), and any hit adds at most \(2\) solutions [by \(\lnot \mathsf {eA}(\mathcal {Q}_q)\)]. More than \(\tau \) solutions are added with probability at most \({q\atopwithdelims ()\tau /2} \left( \frac{q}{N}\right) ^{\tau /2}\le \left( \frac{2eq^2}{\tau N}\right) ^{\tau /2}\). Summing over all \(N\) values \(z\), we obtain:

$$\begin{aligned} \mathbb {P}\left[ \mathsf {eB}(\mathcal {Q}_{q}) \cap \lnot \mathsf {eA}(\mathcal {Q}_q)\right] \le N\left( \frac{2eq^2}{\tau N}\right) ^{\tau /2}. \end{aligned}$$

\(\mathsf {eC}(\mathcal {Q}_{q})\) and \(\mathsf {eD}(\mathcal {Q}_{q})\). The analysis is similar to \(\mathsf {eB}(\mathcal {Q}_{q})\) except that there is no need to sum over all values \(z\).

Conclusion of proof. The proof is now completed via (5). \(\square \)

6 Instantiation using permutations

In this section, we discuss the effect of instantiating \(S^r\) with random permutations \(\pi _{j,b}\) instead of random functions \(f_{j,b}\). The most basic and well-established way is to set \(f_{j,b}(x)=\pi _{j,b}(x)\,\oplus \,x\), and we consider \(S^r\) with its underlying primitives transformed this way. For ease of presentation, we focus on \(S^r\) for \(r=2^\ell \) with \(\ell \ge 0\), but the findings carry over to the general setting.

For the top layer of \(S^r\), the feed-forward of \(x\) in \(f_{0,b}\) is necessary: In absence of it, it suffices for an adversary to find a collision with these calls eliminated and to just make \(r\) inverse calls afterwards. However, for the remaining evaluations of \(f_{j,b}\) (with \(j\ge 1\)), the feed-forward \(x\) is pointless: It simply corresponds to reflecting \(S^r\) along its vertical axis. Thus, we focus on \(S^r\) with \(f_{0,b}(x)=\pi _{0,b}(x)\,\oplus \,x\) (for \(b\in \{0,1\}\)) and \(f_{j,b}(x)=\pi _{j,b}(x)\) (for \((j,b)\in (\{1,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\)), where \(\big \{ \pi _{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(n)^{2\ell +1}\). A formal description is given in Fig. 6.

Fig. 6

Alternative permutation-based description of \(S^r\) of Fig. 3 and an illustration of \(S^4\)

Starting with collision resistance, we transform Theorem 1 to the permutation-based setting.

Theorem 5

Let \(r=2^\ell \) with \(\ell \ge 0\). Suppose \(\mathcal {P}=\big \{ \pi _{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(n)^{2\ell +1}\). Let \(\mathcal {A}^\mathsf {lw}(q)\) be as in Theorem 1. Then, for any positive integer value \(\tau \ge 3\),

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {col}}[\mathcal {A}^\mathsf {lw}(q)] \le \frac{4(\tau ^\ell q)^2}{N-q} + 8N\left( \frac{e(\tau ^\ell q)^2}{N-q}\right) ^{\tau ^{1/2}-1}. \end{aligned}$$

The proof is in the same spirit as the one of Theorem 1 but is technically more demanding and is included in “Appendix 2”. Theorem 2 (for fully adaptive adversaries) and Corollary 1 (for arbitrary \(r\ge 1\)) generalize in a similar way.

Unfortunately, the preimage result of Theorem 3 does not carry over to the permutation-based case: A preimage for \(S^2\) can be found in approximately \(2^{n/2}\) queries [31, 45]. In Theorem 6, we generalize the attack to the case \(r=2^\ell \) with \(\ell \ge 1\); it generalizes to arbitrary \(r\ge 2\) in the obvious way.

Theorem 6

Let \(r=2^\ell \) with \(\ell \ge 1\). Suppose \(\mathcal {P}=\big \{ \pi _{j,b}\;\mid \;(j,b)\in (\{0,\ldots ,\ell -1\}\times \{0,1\})\cup \{(\ell ,0)\}\big \}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {Perm}(n)^{2\ell +1}\). Let \(\mathcal {A}((2r-1)q)\) denote the set of all adversaries that make at most \((2r-1)q\) queries. Then,

$$\begin{aligned} \mathsf {Adv}_{S^r}^{\mathsf {epre}}[\mathcal {A}((2r-1)q)] \ge \frac{q^2}{N}. \end{aligned}$$

Proof

Let \(v\) be any given range value. We consider the following adversary. First, for \(k=1,\ldots ,q\), it randomly selects a tuple \((u_0,\ldots ,u_{r/2-1})^k\), computes the left half of \(S^r\) up to \((y\,\oplus \,z)_{\ell -1,0}^k\), and queries \(x_{\ell ,0}^k\leftarrow \pi _{\ell ,0}^{-1}(v\,\oplus \,(y\,\oplus \,z)_{\ell -1,0}^k)\). Next, for \(k'=1,\ldots ,q\), it randomly selects a tuple \((u_{r/2+1},\ldots ,u_{r})^{k'}\) and computes the right half of \(S^r\) up to \((y\,\oplus \,z)_{\ell -1,1}^{k'}\). A preimage for \(S^r\) is found if there exist \(k,k'\in \{1,\ldots ,q\}\) such that

$$\begin{aligned} (y\,\oplus \,z)_{\ell -1,0}^k\,\oplus \,x_{\ell ,0}^k = (y\,\oplus \,z)_{\ell -1,1}^{k'}. \end{aligned}$$

This happens with probability at least \(\frac{q^2}{N}\). \(\square \)

Nevertheless, the trick of applying a postprocessing \(\pi (x)\,\oplus \,x\) to \(S^r\) to get \(2^n\) preimage security (cf. Theorem 4) still applies.

7 Conclusion

Our generalized \(S^r\) compression function design achieves high efficiency, approaching rate 1/2 using primitives of state size. The function can be used in a Merkle–Damgård mode of operation or in a Merkle tree. Compared with recent designs such as sponge functions, Grøstl, and MD6, \(S^r\) achieves asymptotically the same collision security and offers comparable rates, but using primitives that are at least twice as small, saving a significant amount of computational overhead. However, we acknowledge that \(S^r\) uses more distinct primitives. Depending on the application, \(S^r\) may be more suitable than the other schemes, and it complements these designs well.

\(S^r\) can be securely instantiated using non-compressing one-way functions or permutations, but our targeted generality comes at a technical price: The asymptotic \(n/2\)-bit collision security is only proven in a setting where the adversary is limited to making its queries layer-wise. Although we present a proof in the fully adaptive model up to \(2^{n/3}\) queries, we expect this bound to be non-optimal and conjecture (almost) optimal collision security of \(S^r\) in the adaptive model.

The proof of \(S^r\) requires \(2\lceil \log _2r\rceil +1\) distinct primitives: one primitive for the last layer, and two for every layer but the last. While this requirement has a partly technical cause, it is far from trivial to analyze \(S^r\) with fewer distinct primitives. For instance, in the permutation-based setting (see Fig. 6), \(S^2\) and \(S^3\) are insecure if \(\pi _{\ell ,0}=\pi _{\ell -1,1}\): putting \(x_{\ell -1,1}=\pi _{\ell -1,1}^{-1}((y\,\oplus \,z)_{\ell -1,0})\) yields hash value \(0\), for arbitrary \((y\,\oplus \,z)_{\ell -1,0}\). It is unclear how these observations generalize to larger \(S^r\) (based on one-way functions or permutations), and this remains an interesting open research problem.
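As an added example that is not code from the paper, the following Python model makes the permutation-based \(S^r\) of Sect. 6 (Fig. 6) concrete for \(r=2^\ell \) on a toy block size of \(n=8\) bits, where the primitives \(\pi _{j,b}\) are small random lookup tables. It covers the layer-\(0\) feed-forward \(f_{0,b}(x)=\pi _{0,b}(x)\,\oplus \,x\), the feed-forward-free later layers, the one-call postprocessing \(\pi (x)\,\oplus \,x\) of Theorem 4 and the end of Sect. 6, and the Conclusion's observation that reusing \(\pi _{\ell -1,1}\) as \(\pi _{\ell ,0}\) collapses \(S^2\) to the hash value \(0\). The tree shape (each node takes the XOR of its two children's outputs as input and feeds forward the left child's output, so that \(x_{j,b}=(y\,\oplus \,z)_{j-1,0}\,\oplus \,(y\,\oplus \,z)_{j-1,1}\) and \(S^2(u_0,u_1)=y_{1,0}\,\oplus \,y_{0,0}\)) is reconstructed from the equations of Sects. 4 and 5 and is an assumption of this example; Fig. 3 itself is not on this page.

```python
import random
from typing import Dict, List, Sequence, Tuple

# Toy parameters (constructed for this example): n = 8 so that each
# permutation is a 256-entry table. The paper's n is a security parameter.
N_BITS = 8
DOMAIN = 1 << N_BITS

Perm = Tuple[List[int], List[int]]            # (forward table, inverse table)
Primitives = Dict[Tuple[int, int], Perm]      # (j, b) -> pi_{j,b}


def random_permutation(rng: random.Random) -> Perm:
    """Sample a uniformly random permutation of {0,1}^n as lookup tables."""
    fwd = list(range(DOMAIN))
    rng.shuffle(fwd)
    inv = [0] * DOMAIN
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv


def make_primitives(ell: int, seed: int = 1) -> Primitives:
    """The 2*ell+1 independent pi_{j,b}, (j,b) in ({0..ell-1} x {0,1}) u {(ell,0)}."""
    rng = random.Random(seed)
    keys = [(j, b) for j in range(ell) for b in (0, 1)] + [(ell, 0)]
    return {k: random_permutation(rng) for k in keys}


def s_r(perms: Primitives, ell: int, inputs: Sequence[int]) -> int:
    """Permutation-based S^r (Fig. 6), r = 2^ell, on r n-bit inputs.
    Assumed tree shape: node (j,p) uses pi_{j, p mod 2}, takes the XOR of its two
    children's outputs as input and feeds forward the LEFT child's output.
    Layer 0 is pi_{0,b}(x) ^ x; every later layer is the bare permutation."""
    r = 1 << ell
    if len(inputs) != r:
        raise ValueError(f"S^{r} expects {r} inputs, got {len(inputs)}")
    # Layer 0: y_{0,p} = pi_{0, p mod 2}(u_p) ^ u_p   (feed-forward set Z_{0,b} = {0})
    layer = [perms[(0, p % 2)][0][u] ^ u for p, u in enumerate(inputs)]
    for j in range(1, ell + 1):
        nxt = []
        for p in range(len(layer) // 2):
            left, right = layer[2 * p], layer[2 * p + 1]
            x = left ^ right                      # x_{j,p} = left ^ right
            y = perms[(j, p % 2)][0][x]           # y_{j,p} = pi_{j, p mod 2}(x)
            nxt.append(y ^ left)                  # (y ^ z)_{j,p}, z = left child's output
        layer = nxt
    return layer[0]


def s2_explicit(perms: Primitives, u0: int, u1: int) -> int:
    """S^2 written out: f_{1,0}(f_{0,0}(u0) ^ f_{0,1}(u1)) ^ f_{0,0}(u0), which is
    what Lemma 5's conditions y_{0,0}^y_{0,1}=x_{1,0} and y_{1,0}^y_{0,0}=v describe."""
    y00 = perms[(0, 0)][0][u0] ^ u0
    y01 = perms[(0, 1)][0][u1] ^ u1
    return perms[(1, 0)][0][y00 ^ y01] ^ y00


def make_postprocessing(seed: int = 99) -> Perm:
    """One extra independent permutation for the wrapper of Theorem 4 / Sect. 6."""
    return random_permutation(random.Random(seed))


def postprocessed_s_r(perms: Primitives, ell: int, inputs: Sequence[int], post: Perm) -> int:
    """pi(S^r(u)) ^ S^r(u): the single added call that restores preimage security up to N."""
    h = s_r(perms, ell, inputs)
    return post[0][h] ^ h


def check_distinct_primitives(perms: Primitives) -> bool:
    """Design check: every pi_{j,b} must be a distinct permutation (Theorem 5's setting)."""
    tables = [tuple(p[0]) for p in perms.values()]
    return len(set(tables)) == len(tables)


def make_shared_primitives(seed: int = 1) -> Primitives:
    """S^2 with the last-layer primitive reused, pi_{1,0} = pi_{0,1}: the
    configuration the Conclusion warns against."""
    perms = make_primitives(1, seed)
    perms[(1, 0)] = perms[(0, 1)]
    return perms


def degenerate_second_input(shared: Primitives, u0: int) -> int:
    """The Conclusion's observation for S^2 with pi_{1,0} = pi_{0,1}: choosing
    x_{0,1} = pi_{0,1}^{-1}(y_{0,0}) forces S^2(u0, x_{0,1}) = 0 for every u0."""
    y00 = shared[(0, 0)][0][u0] ^ u0
    return shared[(0, 1)][1][y00]


if __name__ == "__main__":
    P4 = make_primitives(2)                       # S^4: five permutations, 2*4-1 = 7 calls
    print("S^4(1,2,3,4) =", s_r(P4, 2, [1, 2, 3, 4]), "distinct:", check_distinct_primitives(P4))
    S = make_shared_primitives()
    print("S^2 with shared primitive on the degenerate input:",
          s_r(S, 1, [17, degenerate_second_input(S, 17)]))
```

The `check_distinct_primitives` guard is the practical takeaway: the theorems assume \(2\ell +1\) independent primitives, and the shared-primitive variant shows how cheaply that assumption can fail if one instantiates \(S^r\) with fewer.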