Conference: International Conference on the Theory and Application of Cryptology and Information Security

How to Confirm Cryptosystems Security: The Original Merkle-Damgard Is Still Alive!



Abstract

At Crypto 2005, Coron et al. showed that the Merkle-Damgard hash function (MDHF) with a fixed input length random oracle is not indifferentiable from a random oracle RO due to the extension attack. Namely, MDHF does not behave like RO. This result implies that there exists some cryptosystem secure in the RO model but insecure under MDHF. However, this does not imply that no cryptosystem is secure under MDHF. This fact motivates us to establish a criteria methodology for confirming cryptosystems security under MDHF. In this paper, we confirm cryptosystems security by using the following approach: 1. Find a variant, $\widetilde{RO}$, of RO which leaks the information needed to realize the extension attack. 2. Prove that MDHF is indifferentiable from $\widetilde{RO}$. 3. Prove cryptosystems security in the $\widetilde{RO}$ model. From the indifferentiability framework, a cryptosystem secure in the $\widetilde{RO}$ model is also secure under MDHF. Thus we concentrate on finding $\widetilde{RO}$, which is weaker than RO. We propose the Traceable Random Oracle (TRO), which leaks enough information to permit the extension attack. By using TRO, we can easily confirm the security of OAEP and variants of OAEP. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks information that is irrelevant to the extension attack. Therefore, we propose another $\widetilde{RO}$, the Extension Attack Simulatable Random Oracle (ERO), that leaks just the information needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.
