Results 1  10
of
12
Careful with composition: Limitations of the indifferentiability framework
 EUROCRYPT 2011, volume 6632 of LNCS
, 2011
"... We exhibit a hashbased storage auditing scheme which is provably secure in the randomoracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
(Show Context)
We exhibit a hashbased storage auditing scheme which is provably secure in the randomoracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic publickey encryption (PKE), passwordbased cryptography, hash function nonmalleability, keydependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiabilitystyle composition theorem covering such multistage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosendistribution attack security (which requires a multistage game) of some important publickey encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton. 1
A CollisionResistant Rate1 DoubleBlockLength Hash Function
"... (on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 un ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
(on the leave to BauhausUniversity Weimar, Germany) Abstract. This paper proposes a construction for collision resistant 2nbit hash functions, based on nbit block ciphers with 2nbit keys. The construction is analysed in the ideal cipher model; for n = 128 an adversary would need roughly 2 122 units of time to find a collision. The construction employs “combinatorial ” hashing as an underlying building block (like Universal Hashing for cryptographic message authentication by Wegman and Carter). The construction runs at rate 1, thus improving on a similar rate 1/2 approach by Hirose (FSE 2006). 1
S.: Some observations on indifferentiability
 In: Information Security and Privacy. Lecture Notes in Computer Science
, 2010
"... Abstract. At Crypto 2005, Coron et al. introduced a formalism to study the presence or absence of structural flaws in iterated hash functions: If one cannot differentiate a hash function using ideal primitives from a random oracle, it is considered structurally sound, while the ability to differenti ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Abstract. At Crypto 2005, Coron et al. introduced a formalism to study the presence or absence of structural flaws in iterated hash functions: If one cannot differentiate a hash function using ideal primitives from a random oracle, it is considered structurally sound, while the ability to differentiate it from a random oracle indicates a structural weakness. This model was devised as atool tosee subtle real world weaknesses while in the random oracle world. In this paper we take in a practical point of view. We show, using well known examples like NMACand the MixCompressMix (MCM) construction, how we can prove a hash construction secure and insecure at the same time in the indifferentiability setting. These constructions do not differ in their implementation but only on an abstract level. Naturally, this gives rise to the question what to conclude for the implemented hash function. Ourresultscastdoubtsaboutthenotionof“indifferentiabilityfromarandomoracle ” tobeamandatory, practically relevant criterion (as e.g., proposed by Knudsen [16] for the SHA3 competition) to separate good hash structures from bad ones.
Impossibility Results for Indifferentiability with Resets
"... Abstract. The indifferentiability framework of Maurer, Renner, and Holenstein (MRH) has gained immense popularity in recent years and has proved to be a powerful way to argue security of cryptosystems that enjoy proofs in the random oracle model. Recently, however, Ristenpart, Shacham, and Shrimpton ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Abstract. The indifferentiability framework of Maurer, Renner, and Holenstein (MRH) has gained immense popularity in recent years and has proved to be a powerful way to argue security of cryptosystems that enjoy proofs in the random oracle model. Recently, however, Ristenpart, Shacham, and Shrimpton (RSS) showed that the composition theorem of MRH has a more limited scope than originally thought, and that extending its scope required the introduction of resetindifferentiability, a notion which no practical domain extenders satisfy with respect to random oracles. In light of the results of RSS, we set out to rigorously tackle the specifics of indifferentiability and resetindifferentiability by viewing the notions as special cases of a more general definition. Our contributions are twofold. Firstly, we provide the necessary formalism to refine the notion of indifferentiability regarding composition. By formalizing the definition of stage minimal games we expose new notions lying in between regular indifferentiability (MRH) and resetindifferentiability (RSS). Secondly, we answer the open problem of RSS by showing that it is impossible to build any domain extender which is resetindifferentiable from a random oracle. This result formally confirms the intuition that resetindifferentiability is too strong of a notion to be satisfied by any hash function. As a consequence we look at the weaker notion of singleresetindifferentiability, yet there as well we demonstrate that there are no “meaningful ” domain extenders which satisfy this notion. Not all is lost though, as we also view indifferentiability in a more general setting and point out the possibility for different variants of indifferentiability.
How to construct cryptosystems and hash functions in weakenend random oracle models. Cryptology ePrint Archive, Report 2009/550
, 2009
"... Abstract. In this paper, we discuss how to construct secure cryptosystems and secure hash functions in weakened random oracle models. The weakened random oracle model (WROM), which was introduced by Numayama et al. at PKC 2008, is a random oracle with several weaknesses. Though the security of crypt ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we discuss how to construct secure cryptosystems and secure hash functions in weakened random oracle models. The weakened random oracle model (WROM), which was introduced by Numayama et al. at PKC 2008, is a random oracle with several weaknesses. Though the security of cryptosystems in the random oracle model, ROM, has been discussed sufficiently, the same is not true for WROM. A few cryptosystems have been proven secure in WROM. In this paper, we will propose a new conversion that can convert any cryptosystem secure in ROM to a new cryptosystem that is secure in the first preimage tractable random oracle model FPTROM without reproof. FPTROM is ROM without preimage resistance and so is the weakest of the WROM models. Since there are many secure cryptosystems in ROM, our conversion can yield many cryptosystems secure in FPTROM. The fixed input length weakened random oracle model, FILWROM, introduced by Liskov at SAC 2006, reflects the known weakness of compression functions. We will propose new hash functions that are indifferentiable from RO when the underlying compression function is modeled by a twoway partiallyspecified preimagetractable fixed input length random oracle model (TFILROM). TFILROM is FILROM without two types of preimage resistance and is the weakest of the FILWROM models. The proposed hash functions are more efficient than the existing hash functions which are indifferentiable from RO when the underlying compression function is modeled by TFILROM.
How to Prove the Security of Practical Cryptosystems with MerkleDamg˚ard Hashing by Adopting Indifferentiability
"... Abstract. In this paper, we show that major cryptosystems such as FDH, OAEP, and RSAKEM are secure under a hash function MD h with MerkleDamg˚ard (MD) construction that uses a random oracle compression function h. First, we propose two new ideal primitives called Traceable Random Oracle (T RO) and ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we show that major cryptosystems such as FDH, OAEP, and RSAKEM are secure under a hash function MD h with MerkleDamg˚ard (MD) construction that uses a random oracle compression function h. First, we propose two new ideal primitives called Traceable Random Oracle (T RO) and Extension Attack Simulatable Random Oracle (ERO) which are weaker than a random oracle (RO). Second, we show that MD h is indifferentiable from LRO, T RO and ERO, where LRO is Leaky Random Oracle proposed by Yoneyama et al. This result means that if a cryptosystem is secure in these models, then the cryptosystem is secure under MD h following the indifferentiability theory proposed by Maurer et al. Finally, we prove that OAEP is secure in the T RO model and RSAKEM is secure in the ERO model. Since it is also known that FDH is secure in the LRO model, as a result, major cryptosystems, FDH, OAEP and RSAKEM, are secure under MD h, though MD h is not indifferentiable from RO.
Hashandsign with Weak Hashing Made Secure
"... Abstract. Digital signatures are often proven to be secure in the random oracle model while hash functions deviate more and more from this idealization. Liskov proposed to model a weak hash function by a random oracle together with another oracle allowing to break some properties of the hash functio ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Digital signatures are often proven to be secure in the random oracle model while hash functions deviate more and more from this idealization. Liskov proposed to model a weak hash function by a random oracle together with another oracle allowing to break some properties of the hash function, e.g. a preimage oracle. To avoid the need for collisionresistance, Bellare and Rogaway proposed to use target collision resistant (TCR) randomized prehashing. Later, Halevi and Krawczyk suggested to use enhanced TCR (eTCR) hashing to avoid signing the random seed. To avoid the increase in signature length in the TCR construction, Mironov suggested to recycle some signing coins in the message preprocessing. In this paper, we develop and apply all those techniques. In particular, we obtain a generic preprocessing which allows to build strongly secure signature schemes when hashing is weak and the internal (textbook) signature is weakly secure. We model weak hashing by a preimagetractable random oracle. 1
Non Observability in the Random Oracle Model
"... The Random Oracle Model, introduced by Bellare and Rogaway, provides a method to heuristically argue about the security of cryptographic primitives and protocols. The basis of this heuristic is that secure hash functions are close enough to random functions in their behavior, and so, a primitive tha ..."
Abstract
 Add to MetaCart
The Random Oracle Model, introduced by Bellare and Rogaway, provides a method to heuristically argue about the security of cryptographic primitives and protocols. The basis of this heuristic is that secure hash functions are close enough to random functions in their behavior, and so, a primitive that is secure using a random function should continue to remain secure even when the random function is replaced by a real hash function. In the security proof, this setting is realized by modeling the hash function as a random oracle. However, this approach in particular also enables any reduction, reducing a hard problem to the existence of an adversary, to observe the queries the adversary makes to its random oracle and to program the responses that the oracle provides to these queries. While, the issue of programmability of query responses has received a lot of attention in the literature, to the best of our knowledge, observability of the adversary’s queries has not been identified as an artificial artefact of the Random Oracle Model. In this work, we study the security of several popular schemes when the security reduction cannot “observe ” the adversary’s queries to the random oracle, but can (possibly) continue to “program ” the query responses. We first show that RSAPFDH and Schnorr’s signatures continue to remain secure when the security reduction is non observing (NO reductions), which is not surprising as their proofs in the random oracle model rely on programmability. We also provide two example schemes, namely, Fischlin’s NIZKPoK [Fis05] and non interactive extractable commitment scheme, extractor algorithms of which seem to rely on observability in the random oracle model. While we prove that Fischlin’s online extractors cannot exist when they are non observing, our extractable commitment scheme continues to be secure even when the extractors are non observing. We also introduce Non Observing Non Programming reductions which we believe are closest to standard model reductions. 1
The Sum Can Be Weaker Than Each Part?
"... Abstract. In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusiveor (XOR) combiner H1(M)⊕H2(M) is one of the two most clas ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusiveor (XOR) combiner H1(M)⊕H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M) ‖ H2(M). While the security of the concatenation of two hash functions is well understood since Joux’s seminal work on multicollisions, the security of the sum of two hash functions has been much less studied. The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted – in particular H1 and H2 offer no security), H1 ⊕H2 is indifferentiable from a random oracle up to the birthday bound. In this work, we focus on the preimage resistance of the sum of two narrow
A unified indifferentiability proof for . . .
"... In the recent years, several hash constructions have been introduced that aim at achieving enhanced security margins by strengthening the MerkleDamgård mode. However, their security analysis have been conducted independently and using a variety of proof methodologies. This paper unifies these resu ..."
Abstract
 Add to MetaCart
In the recent years, several hash constructions have been introduced that aim at achieving enhanced security margins by strengthening the MerkleDamgård mode. However, their security analysis have been conducted independently and using a variety of proof methodologies. This paper unifies these results by proposing a unique indifferentiability proof that considers a broadened form of the general compression function introduced by Stam at FSE09. This general definition enables us to capture in a realistic model most of the features of the mode of operation (e.g., message encoding, blank rounds, message insertion,...) within the preprocessing and postprocessing functions. Furthermore, it relies on an inner primitive which can be instantiated either by an ideal block cipher, or by an ideal permutation. Then, most existing hash functions can be seen as the ChopMD construction applied to some compression function which fits the broadened Stam model. Our result then gives the tightest known indifferentiability bounds for several general modes of operations, including ChopMD, Haifa or sponges. Moreover, we show that it applies in a quite automatic way, by providing the security bounds for 7 out of the 14 second round SHA3 candidates, which are in some cases improved over previously known ones.