Crooked Indifferentiability Revisited

TL;DR

This paper revisits the concept of crooked indifferentiability, identifying gaps in prior proofs, and introduces new techniques to prove the security of hash functions like sponge constructions with improved efficiency.

Contribution

It corrects and extends previous proofs of crooked indifferentiability, providing a more general and efficient analysis applicable to classical sponge constructions.

Findings

Revealed gaps in Russell et al.'s original proof.

Developed a new technique for proving crooked indifferentiability without query restrictions.

Showed sponge construction is crooked-indifferentiable with only n-bit initial vectors.

Abstract

In CRYPTO 2018, Russell et al introduced the notion of crooked indifferentiability to analyze the security of a hash function when the underlying primitive is subverted. They showed that the $n$-bit to $n$-bit function implemented using enveloped XOR construction (\textsf{EXor}) with $3n+1$ many $n$-bit functions and $3n^2$-bit random initial vectors (iv) can be proven secure asymptotically in the crooked indifferentiability setting. -We identify several major issues and gaps in the proof by Russel et al, We show that their proof can achieve security only when the adversary is restricted to make queries related to a single message. - We formalize new technique to prove crooked indifferentiability without such restrictions. Our technique can handle function dependent subversion. We apply our technique to provide a revised proof for the \textsf{EXor} construction. - We analyze crooked indifferentiability of the classical sponge construction. We show, using a simple proof idea, the sponge construction is a crooked-indifferentiable hash function using only $n$-bit random iv. This is a quadratic improvement over the {\sf EXor} construction and solves the main open problem of Russel et al.