Weakened Random Oracle Models with Target Prefix

  • Masayuki Tezuka (corresponding author)
  • Yusuke Yoshida
  • Keisuke Tanaka
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11359)


Weakened random oracle models (WROMs) are variants of the random oracle model (ROM). A WROM consists of the random oracle together with an additional oracle that breaks some property of a hash function. By analyzing the security of cryptographic schemes in WROMs, we can identify the property of the hash function on which the security of a scheme depends.

Liskov (SAC’06) proposed WROMs, and later Numayama et al. (PKC’08) formalized them as CT-ROM, SPT-ROM, and FPT-ROM, in which the additional oracle breaks collision resistance, second preimage resistance, and preimage resistance, respectively. Tan and Wong (ACISP’12) proposed the generalized FPT-ROM (GFPT-ROM), which was intended to capture the chosen prefix collision attack suggested by Stevens et al. (EUROCRYPT’07).

In this paper, in order to analyze the security of cryptographic schemes more precisely, we formalize GFPT-ROM and propose three additional WROMs which capture the chosen prefix collision attack and its variants. In particular, we focus on signature schemes such as RSA-FDH, its variants, and DSA, in order to understand the essential roles of WROMs in their security proofs.
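As an added illustration (not code or a result from the paper), the following Python sketch models a lazily sampled random oracle together with the extra oracles the abstract names (CT, SPT, FPT, and a chosen-prefix variant in the spirit of GFPT-ROM) and runs a toy RSA-FDH on top of it, so one can see which oracle lets a forgery be programmed without touching the RSA assumption. The toy parameters P, Q, E, D and the oracle behaviour are constructed simplifications; the paper's formal models are not reproduced.

```python
import secrets

# Toy RSA key constructed for this illustration only; real keys are far larger.
P, Q = 61, 53
N, E, D = P * Q, 17, 2753              # E * D == 1 (mod lcm(P - 1, Q - 1))

class WROM:
    """Lazily sampled random oracle H: bytes -> Z_N plus the extra oracles of the
    weakened models.  Simplification: each answer is written into the table H
    reads, so H stays consistent with what the extra oracles hand out."""
    def __init__(self, size):
        self.size, self.table = size, {}

    def H(self, x):                        # the plain random oracle
        if x not in self.table:
            self.table[x] = secrets.randbelow(self.size)
        return self.table[x]

    def fpt(self, y):                      # FPT-ROM: some x with H(x) == y
        x = b"fpt:" + secrets.token_bytes(8)   # an input nobody queried yet
        self.table[x] = y
        return x

    def spt(self, x):                      # SPT-ROM: x' != x with H(x') == H(x)
        return self.fpt(self.H(x))

    def ct(self):                          # CT-ROM: a fresh colliding pair
        x = b"ct:" + secrets.token_bytes(8)
        return x, self.spt(x)

    def chosen_prefix(self, p1, p2):       # GFPT-style: H(p1|s1) == H(p2|s2)
        m1, m2 = p1 + secrets.token_bytes(8), p2 + secrets.token_bytes(8)
        self.table[m2] = self.H(m1)
        return m1, m2

def fdh_sign(ro, m):      return pow(ro.H(m), D, N)
def fdh_verify(ro, m, s): return pow(s, E, N) == ro.H(m)

def forge_with_fpt(ro):
    """No signing query: pick sigma, ask FPT for a message whose digest is
    sigma^E.  This is the step FDH's proof rules out via preimage resistance."""
    sigma = secrets.randbelow(N - 2) + 2
    return ro.fpt(pow(sigma, E, N)), sigma

def forge_with_chosen_prefix(ro, sign):
    """A signature obtained on the benign-prefix message verifies on the other."""
    m_benign, m_target = ro.chosen_prefix(b"benign:", b"target:")
    return m_target, sign(m_benign)
```

In the plain ROM neither forgery is possible, since H cannot be programmed by the adversary; the two functions make explicit which weakened oracle each proof must exclude.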


Keywords: Weakened random oracle model; WROM; RSA-FDH; DSA; Chosen prefix collision attack



We are grateful to Kazuo Ohta (University of Electro-Communications) and Shiho Moriai (National Institute of Information and Communications Technology) for giving us the opportunity to do this research. We would also like to thank anonymous referees for their constructive comments.


  1. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, 1993, pp. 62–73 (1993)
  2. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  3. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  4. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  5. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)
  6. Jager, T., Kakvi, S.A., May, A.: On the security of the PKCS#1 v1.5 signature scheme. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15–19, 2018, pp. 1195–1208 (2018)
  7. Jonsson, J., Moriarty, K., Kaliski, B., Rusch, A.: PKCS #1: RSA cryptography specifications version 2.2. RFC 8017, RFC Editor, United States (2016)
  8. Kawachi, A., Numayama, A., Tanaka, K., Xagawa, K.: Security of encryption schemes in weakened random oracle models. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 403–419. Springer, Heidelberg (2010)
  9. Kerry, C.F., Romine, C.: FIPS PUB 186-4 Digital Signature Standard (DSS) (2013)
  10. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007)
  11. Numayama, A., Isshiki, T., Tanaka, K.: Security of digital signature schemes in weakened random oracle models. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 268–287. Springer, Heidelberg (2008)
  12. Pasini, S., Vaudenay, S.: Hash-and-sign with weak hashing made secure. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 338–354. Springer, Heidelberg (2007)
  13. Rivest, R.: The MD5 Message-Digest Algorithm. RFC 1321, RFC Editor, United States (1992)
  14. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017)
  15. Stevens, M., Lenstra, A., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007)
  16. Stevens, M., et al.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)
  17. Tan, X., Wong, D.S.: Generalized first pre-image tractable random oracle model and signature schemes. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 247–260. Springer, Heidelberg (2012)
  18. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007)
  19. U.S. Department of Commerce/National Institute of Standards and Technology: FIPS PUB 180-2, Secure Hash Standard (SHS) (2002)
  20. Vaudenay, S.: The security of DSA and ECDSA. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 309–323. Springer, Heidelberg (2003)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Masayuki Tezuka (1, corresponding author)
  • Yusuke Yoshida (1)
  • Keisuke Tanaka (1)
  1. Tokyo Institute of Technology, Tokyo, Japan
