Random oracles are practical: a paradigm for designing efficient protocols. CCS '93 Proceedings of the 1st ACM conference on Computer and communications security.
Hash functions based on block ciphers: a synthetic approach. CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology.
The random oracle methodology, revisited (preliminary version). STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing.
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology.
Universal Padding Schemes for RSA. CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology.
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology.
Optimal Security Proofs for PSS and Other Signature Schemes. EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology.
Short Signatures from the Weil Pairing. ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology.
Simplified OAEP for the RSA and Rabin Functions. CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology.
Versatile padding schemes for joint signature and encryption. Proceedings of the 11th ACM conference on Computer and communications security.
A Forward-Secure Public-Key Encryption Scheme. Journal of Cryptology.
Leaky Random Oracle (Extended Abstract). ProvSec '08 Proceedings of the 2nd International Conference on Provable Security.
Chosen Ciphertext Security with Optimal Ciphertext Overhead. ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology.
Salvaging Merkle-Damgård for Practical Applications. EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques.
Blockcipher-Based Hashing Revisited. Fast Software Encryption.
How to Confirm Cryptosystems Security: The Original Merkle-Damgård Is Still Alive! ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology.
The exact security of digital signatures: how to sign with RSA and Rabin. EUROCRYPT '96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques.
Optimal asymmetric encryption and signature paddings. ACNS '05 Proceedings of the Third international conference on Applied Cryptography and Network Security.
Merkle-Damgård revisited: how to construct a hash function. CRYPTO '05 Proceedings of the 25th annual international conference on Advances in Cryptology.
In this paper, we clarify the security of practical cryptosystems whose hash functions are built from key derivation functions (KDFs). We use the indifferentiability framework, because indifferentiability from a random oracle (RO), or from one of its variants, guarantees that a cryptosystem remains secure when the RO is instantiated with the hash function. Previous work on the indifferentiability of Merkle-Damgård (MD) hash functions treats stand-alone hash functions; none treats MD hash functions composed with KDFs. Yet many cryptosystems need longer outputs than a stand-alone hash function provides, and KDFs are used to generate these longer digests, as specified in PKCS #1 v2.1 and IEEE P1363. Specifically, we obtain the following results. We write MD-SCFII for the MD hash function built from Stam's type-II compression function, and KDF-MD-SCFII for MD-SCFII composed with a KDF.

- Cryptosystems secure in the pub-RO model (FDH, PSS, Fiat-Shamir, and so on): Dodis et al. introduced indifferentiability from a pub-RO to prove the security of these cryptosystems with MD-SCFII, but they did not consider the KDF structure. We therefore propose a different framework, indifferentiability from a privleak-RO. Using this framework together with their result, we show that these cryptosystems remain secure when instantiated with KDF-MD-SCFII.

- Encryption schemes secure in the RO model (OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM, and so on): these schemes are secure in the fixed-input-length RO model, because the inputs they feed to the RO have a fixed length. We show that this fact suffices for the security of these schemes when instantiated with KDF-MD-SCFII.
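To make the "MD hash function with a KDF" structure and the fixed-input-length observation concrete, here is the MGF1 construction from PKCS #1 v2.1 (RFC 3447, Appendix B.2.1) in Python. This is an added example, not code from the paper: `mgf1` follows the specification, while `mgf1_inputs` and `hash_once` are helpers written here to expose the inputs that the KDF hands to the underlying Merkle-Damgård hash. The seed value is a constructed sample input.

```python
import hashlib
import struct


def hash_once(data: bytes, hash_name: str = "sha256") -> bytes:
    """One call to the underlying (Merkle-Damgård) hash function, e.g. SHA-256."""
    return hashlib.new(hash_name, data).digest()


def mgf1_inputs(seed: bytes, mask_len: int, hash_name: str = "sha256") -> list:
    """The inputs MGF1 hands to the underlying hash:
    seed || I2OSP(counter, 4) for counter = 0, 1, ..., ceil(mask_len / hLen) - 1.

    Every input has the same length, len(seed) + 4, so for a fixed seed length
    the hash is only ever queried at one input length. (Helper added here; not
    part of the PKCS #1 text.)
    """
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")  # limit from RFC 3447, B.2.1 step 1
    blocks = -(-mask_len // h_len)  # ceil(mask_len / h_len), 0 when mask_len == 0
    return [seed + struct.pack(">I", counter) for counter in range(blocks)]


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (PKCS #1 v2.1): concatenate the digests of the fixed-length inputs
    above and truncate the result to mask_len octets. This is how a digest
    longer than the stand-alone hash output is produced."""
    t = b"".join(hash_once(x, hash_name) for x in mgf1_inputs(seed, mask_len, hash_name))
    return t[:mask_len]


if __name__ == "__main__":
    seed = b"constructed-seed"  # constructed sample input, 16 octets
    print(mgf1(seed, 40).hex())
    # every underlying hash query has length len(seed) + 4 == 20
    print({len(x) for x in mgf1_inputs(seed, 100)})
```

Two things are visible in this code that a proof has to account for. First, the underlying hash is queried on inputs of one fixed length, `len(seed) + 4`, which is the setting the abstract calls the fixed-input-length RO model. Second, the output for a shorter `mask_len` is a prefix of the output for a longer one with the same seed, so the KDF's outputs at different lengths are related rather than independent; any model that treats the KDF as a variable-output-length RO must reflect that.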