Careful with Composition: Limitations of the Indifferentiability Framework

  • Thomas Ristenpart
  • Hovav Shacham
  • Thomas Shrimpton
Conference paper

DOI: 10.1007/978-3-642-20465-4_27

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6632)
Cite this paper as:
Ristenpart T., Shacham H., Shrimpton T. (2011) Careful with Composition: Limitations of the Indifferentiability Framework. In: Paterson K.G. (eds) Advances in Cryptology – EUROCRYPT 2011. EUROCRYPT 2011. Lecture Notes in Computer Science, vol 6632. Springer, Berlin, Heidelberg


We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem from [27] applies to any cryptosystem. We characterize the uncovered limitations of indifferentiability by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, and more. We formalize a stronger notion, reset indifferentiability, that enables a composition theorem covering such multi-stage security notions, but our results show that practical hash constructions cannot be reset indifferentiable. We finish by giving direct security proofs for several important PKE schemes.

Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Thomas Ristenpart
    • 1
  • Hovav Shacham
    • 2
  • Thomas Shrimpton
    • 3
  1. 1.Dept. of Computer SciencesUniversity of Wisconsin–MadisonUSA
  2. 2.Dept. of Computer Science & EngineeringUC San DiegoUSA
  3. 3.Dept. of Computer SciencePortland State UniversityUSA

Personalised recommendations