Yusuke NAITO, Kazuki YONEYAMA, Lei WANG, Kazuo OHTA, "Security of Cryptosystems Using Merkle-Damgård in the Random Oracle Model" in IEICE TRANSACTIONS on Fundamentals, vol. E94-A, no. 1, pp. 57-70, January 2011, doi: 10.1587/transfun.E94.A.57.
Abstract: Since the Merkle-Damgård hash function (denoted by MDHF) that uses a fixed-input-length random oracle as its compression function is not indifferentiable from a random oracle (denoted by RO) because of the extension attack, there is no guarantee that a cryptosystem proven secure in the RO model remains secure when RO is instantiated with MDHF. This fact motivates us to establish a methodology of criteria for confirming the security of cryptosystems when RO is instantiated with MDHF. In this paper, we confirm the security of cryptosystems by the following approach: 1. Find a weakened random oracle (denoted by WRO) which leaks the values needed to realize the extension attack. 2. Prove that MDHF is indifferentiable from WRO. 3. Prove the security of the cryptosystem in the WRO model. The indifferentiability framework of Maurer, Renner and Holenstein guarantees that we can securely use the cryptosystem when WRO is instantiated with MDHF. Thus we concentrate on finding such a WRO. We propose the Traceable Random Oracle (denoted by TRO), which leaks enough values to permit the extension attack. Using TRO, we can easily confirm the security of the OAEP encryption scheme and its variants. However, there are several practical cryptosystems whose security cannot be confirmed with TRO (e.g. RSA-KEM), because TRO leaks values that are irrelevant to the extension attack. Therefore, we propose another WRO, the Extension Attack Simulatable Random Oracle (denoted by ERO), which leaks just the value needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF: the security of any cryptosystem under MDHF is equivalent to its security in the ERO model. We prove that RSA-KEM is secure in the ERO model.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E94.A.57/_p
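The extension property the abstract refers to, as an added illustration that is not part of the paper: a toy Merkle-Damgård hash over a stand-in fixed-input-length compression function (the names mdhf, extend and extension_distinguishes and the sizes N and BLOCK are constructed here), showing that MDHF(M || pad(|M|) || M') can be computed from MDHF(M) and |M| alone. A random oracle gives no such relation, so this is the distinguisher that breaks indifferentiability, and the predicted digest is exactly the value a WRO has to leak.

```python
import hashlib
import struct

N = 16       # chaining-value / digest length in bytes (toy size)
BLOCK = 32   # message block length in bytes
IV = bytes(N)

def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in for the fixed-input-length random oracle used as the
    compression function (constructed from SHA-256 over one chaining value
    and one block; the extension property does not depend on this choice)."""
    assert len(chain) == N and len(block) == BLOCK
    return hashlib.sha256(b"FIL-RO|" + chain + block).digest()[:N]

def pad(msg_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit bit length,
    so that msg || pad(len(msg)) is a whole number of blocks."""
    p = b"\x80"
    while (msg_len + len(p) + 8) % BLOCK:
        p += b"\x00"
    return p + struct.pack(">Q", msg_len * 8)

def md_iterate(chain: bytes, data: bytes) -> bytes:
    """Run the compression function over each block, starting from chain."""
    for i in range(0, len(data), BLOCK):
        chain = compress(chain, data[i:i + BLOCK])
    return chain

def mdhf(msg: bytes) -> bytes:
    """MDHF(M): iterate from IV over M || pad(|M|). The final chaining value
    is output directly, which is what the extension attack relies on."""
    return md_iterate(IV, msg + pad(len(msg)))

def extend(digest: bytes, msg_len: int, suffix: bytes) -> tuple:
    """The value a weakened random oracle must leak: from MDHF(M) and |M|
    alone, without M, compute MDHF(M || pad(|M|) || suffix). Returns the
    bytes that end up appended to M and the predicted digest."""
    glue = pad(msg_len)
    total_len = msg_len + len(glue) + len(suffix)
    return glue + suffix, md_iterate(digest, suffix + pad(total_len))

def extension_distinguishes(prefix: bytes, suffix: bytes) -> bool:
    """True iff the digest predicted without knowing prefix equals the real
    MDHF digest of the extended message. For a random oracle the two would
    agree only with negligible probability, so this distinguishes MDHF
    from RO even though its compression function is a random oracle."""
    appended, predicted = extend(mdhf(prefix), len(prefix), suffix)
    return predicted == mdhf(prefix + appended)
```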
@ARTICLE{e94-a_1_57,
author={Yusuke NAITO and Kazuki YONEYAMA and Lei WANG and Kazuo OHTA},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Security of Cryptosystems Using Merkle-Damgård in the Random Oracle Model},
year={2011},
volume={E94-A},
number={1},
pages={57-70},
keywords={},
doi={10.1587/transfun.E94.A.57},
ISSN={1745-1337},
month={January},}
TY - JOUR
TI - Security of Cryptosystems Using Merkle-Damgård in the Random Oracle Model
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 57
EP - 70
AU - Yusuke NAITO
AU - Kazuki YONEYAMA
AU - Lei WANG
AU - Kazuo OHTA
PY - 2011
DO - 10.1587/transfun.E94.A.57
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E94-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2011
ER -