Paper 2009/075
Security of Practical Cryptosystems Using Merkle-Damgard Hash Function in the Ideal Cipher Model
Yusuke Naito, Kazuki Yoneyama, Lei Wang, and Kazuo Ohta
Abstract
Since Merkle-Damgård (MD) type hash functions are differentiable from random oracles (ROs) even when their compression functions are modeled by ideal primitives, there is no guarantee as to the security of cryptosystems when ROs are instantiated with structural hash functions.
In this paper, we study the security of the instantiated cryptosystems when the hash functions have the well-known structure of the Merkle-Damgård construction with Stam's Type-II compression function (denoted MD-TypeII) in the Ideal Cipher Model (ICM).
Note that since the Type-II scheme includes the Davies-Meyer compression function, SHA-256 and SHA-1 have the MD-TypeII structure.
We show that OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM and many other encryption schemes are secure when using the MD-TypeII hash function.
In order to show this, we customize the indifferentiability framework of Maurer, Renner and Holenstein.
We call the customized framework "indifferentiability with condition".
In this framework, for some condition
Metadata
- Available format(s)
- PDF
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Indifferentiability with condition, weakened random oracle, Merkle-Damgård, type-II compression function, Davies-Meyer, PGV, key-derivation functions, OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM.
- Contact author(s)
- tolucky tigers @ gmail com
- History
- 2010-07-29: last of 7 revisions
- 2009-02-16: received
- Short URL
- https://ia.cr/2009/075
- License
- CC BY
BibTeX
@misc{cryptoeprint:2009/075,
  author = {Yusuke Naito and Kazuki Yoneyama and Lei Wang and Kazuo Ohta},
  title = {Security of Practical Cryptosystems Using Merkle-Damgard Hash Function in the Ideal Cipher Model},
  howpublished = {Cryptology {ePrint} Archive, Paper 2009/075},
  year = {2009},
  url = {https://eprint.iacr.org/2009/075}
}