Davies-Meyer Merkle-Damgård Revisited: Variants of Indifferentiability and Random Oracles

By Yusuke Naito, Kazuki Yoneyama, Lei Wang, Kazuo Ohta and Mitsubishi Electric Corporation

Abstract

In this paper, we discuss the security of cryptosystems that use the hash function DM-MD^E, that is, Davies-Meyer Merkle-Damgård with ideal cipher E. DM-MD^E is not indifferentiable from a random oracle (RO) due to the extension attack and the inverse attack. From the indifferentiability theory, there is some cryptosystem that is secure in the RO model but insecure when RO is replaced with DM-MD^E. However, this does not imply that any cryptosystem secure in the RO model is insecure when RO is replaced with DM-MD^E. Therefore, we analyze the security of cryptosystems with DM-MD^E by using two approaches. The first approach uses a weakened random oracle (WRO). Since the extension attack and the inverse attack can be applied to DM-MD^E but not to RO, we define a WRO such that these attacks can be applied, and analyze the security of cryptosystems with DM-MD^E by using the WRO. We propose the extension attack and inverse attack simulatable random oracle (EIRO), to which these attacks can be applied. We prove that DM-MD^E is indifferentiable from EIRO. This implies that any cryptosystem secure in the EIRO model is secure when EIRO is replaced with DM-MD^E. We prove that RSA-KEM, FDH, PSS, Fiat-Shamir and so on are secure in the EIRO model. Therefore these cryptosystem

Year: 2012
OAI identifier: oai:CiteSeerX.psu:10.1.1.219.179
Provided by: CiteSeerX
Sorry, we are unable to provide the full text but you may find it at the following location(s):
  • http://citeseerx.ist.psu.edu/v... (external link)
  • http://eprint.iacr.org/2009/07... (external link)