**Reset Indifferentiability from Weakened Random Oracle Salvages One-pass Hash Functions**

*Yusuke Naito and Kazuki Yoneyama and Kazuo Ohta*

**Abstract: **Ristenpart et al. showed that the limitation of the indifferentiability
theorem of Maurer et al. which does not cover all multi stage security notions
but covers only single stage security notions, defined a new concept (reset
indifferentiability), and proved the reset indifferentiability theorem, which
is an analogy of the indifferentiability theorem covers all security
notions S: if H^U is reset indifferentiable from RO, for any security notion,
a cryptosystem C is at least as secure in the U model as in the RO model.
Unfortunately, they also proved the impossibility of H^U being reset
indifferentiable from a RO where H is a one-pass hash function such as ChopMD
and Sponge constructions.
In this paper, we will propose a new proof of molular approach instead of the
RO methodology, Reset Indifferentiability from Weakened Random Oracle, called
as the WRO methodology, in order to ensure the security of C with H^U,
salvaging ChopMD and Sponge. The concrete proof procedure of the WRO
methodology is as follows:
1. Define a new concept of WRO instead of RO,
2. Prove that H^U is reset indifferentiable from a WRO, (here an example of H
is ChopMD and Sponge), and
3. Prove that C is secure in the WRO model.
As a result we can prove that C with H^U is secure by combining the results of
Steps 2, 3, and the theorem of Ristenpart et al. Moreover, for public-key
encryption (as cryptosystem C) and chosen-distribution attack we will prove
that C(WRO) is secure, which implies the appropriateness of the new concept of
the WRO model.

**Category / Keywords: **indifferentiability, reset indifferentiability, multi-stage security game

**Date: **received 9 Jan 2012, last revised 23 May 2013

**Contact author: **Naito Yusuke at ce MitsubishiElectric co jp

**Available format(s): **PDF | BibTeX Citation

**Note: **The paper is updated according to the result of SHA-3 competition.
A result of IBE is added.

**Version: **20130524:015920 (All versions of this report)

**Short URL: **ia.cr/2012/014

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]