Message authentication with one-way hash functions
IEEE INFOCOM '92 Proceedings of the eleventh annual joint conference of the IEEE computer and communications societies on One world through communications (Vol. 3)
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Leaky Random Oracle (Extended Abstract)
ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
Salvaging Merkle-Damgård for Practical Applications
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
A simple variant of the Merkle-Damgård scheme with a permutation
ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
Multi-property-preserving hash domain extension and the EMD transform
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Security of practical cryptosystems using Merkle-Damgård hash function in the ideal cipher model
ProvSec'11 Proceedings of the 5th international conference on Provable security
The first 30 years of cryptographic hash functions and the NIST SHA-3 competition
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Hi-index | 0.00 |
At Crypto 2005, Coron et al. showed that Merkle-Damgård hash function (MDHF) with a fixed input length random oracle is not indifferentiable from a random oracle RO due to the extension attack. Namely MDHF does not behave like RO. This result implies that there exists some cryptosystem secure in the RO model but insecure under MDHF. However, this does not imply that no cryptosystem is secure under MDHF. This fact motivates us to establish a criteria methodology for confirming cryptosystems security under MDHF. In this paper, we confirm cryptosystems security by using the following approach: 1 Find a variant, $\widetilde{\mathsf{RO}}$, of RO which leaks the information needed to realize the extension attack. 1 Prove that MDHF is indifferentiable from $\widetilde{\mathsf{RO}}$. 1 Prove cryptosystems security in the $\widetilde{\mathsf{RO}}$ model. From the indifferentiability framework, a cryptosystem secure in the $\widetilde{\mathsf{RO}}$ model is also secure under MDHF. Thus we concentrate on finding $\widetilde{\mathsf{RO}}$, which is weaker than RO. We propose the Traceable Random Oracle (TRO) which leaks enough information to permit the extension attack. By using TRO, we can easily confirm the security of OAEP and variants of OAEP. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks information that is irrelevant to the extension attack. Therefore, we propose another $\widetilde{\mathsf{RO}}$, the Extension Attack Simulatable Random Oracle, ERO, that leaks just the information needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.