Reset indifferentiability from weakened random oracle salvages one-pass hash functions

This article is free to access.

Abstract

Ristenpart et al. (EUROCRYPT 2011) showed that the indifferentiability theorem of Maurer et al. (TCC 2004) does not cover all multi-stage security notions; it covers only single-stage security notions. They defined reset indifferentiability and proved the reset indifferentiability theorem, which covers all security notions: if a hash function is reset indifferentiable from a random oracle (denoted RO), then for any security notion, any cryptosystem is at least as secure under the hash function as in the RO model. Unfortunately, they also proved an impossibility result for one-pass hash functions such as ChopMD and Sponge: there exists a multi-stage security notion such that some cryptosystem is secure in the RO model but insecure when RO is replaced with a one-pass hash function. In order to ensure other multi-stage security notions, we propose a new methodology, called the WRO methodology, instead of the RO methodology. We consider "Reset Indifferentiability from Weakened Random Oracle", which salvages ChopMD and Sponge. The concrete procedure of the WRO methodology is as follows: (1) define a new concept of WRO instead of RO; (2) prove that a hash function H is reset indifferentiable from WRO (here the examples are ChopMD and Sponge); and (3) for a multi-stage security notion G, prove that a cryptosystem C is G-secure in the WRO model. As a result, C with H is G-secure by combining the results of Steps 2 and 3 with the theorem of Ristenpart et al. Moreover, for a public-key encryption scheme (as C) and the chosen-distribution attack game (as the game of G), we prove that C(WRO) is G-secure, which implies the appropriateness of the new concept of the WRO methodology. © 2014 Springer International Publishing.

Cite

Naito, Y., Yoneyama, K., & Ohta, K. (2014). Reset indifferentiability from weakened random oracle salvages one-pass hash functions. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8479 LNCS, pp. 235–252). Springer Verlag. https://doi.org/10.1007/978-3-319-07536-5_15
