Careful with Composition: Limitations of the Indifferentiability Framework

  • Thomas Ristenpart
  • Hovav Shacham
  • Thomas Shrimpton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6632)


We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem from [27] applies to any cryptosystem. We characterize the uncovered limitations of indifferentiability by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, and more. We formalize a stronger notion, reset indifferentiability, that enables a composition theorem covering such multi-stage security notions, but our results show that practical hash constructions cannot be reset indifferentiable. We finish by giving direct security proofs for several important PKE schemes.
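To make the abstract's point concrete, here is an added illustration that is not taken from the paper's text on this page: a toy challenge-response storage audit in which the server must return H(M || C) for a fresh random challenge C, instantiated with a simplified Merkle-Damgård hash (SHA-256 used as the compression function; block size, IV and padding are constructed). The protocol shape is my simplification of a hash-based auditing scheme, not the paper's exact construction. A two-stage adversary keeps only the chaining value after absorbing M and still answers every later challenge correctly, which is exactly the kind of multi-stage failure a single-stage indifferentiability argument does not rule out.

```python
import hashlib
import os
import struct

BLOCK = 32            # toy block size in bytes (constructed)
IV = b"\x00" * 32     # toy initial chaining value (constructed)

def compress(chain: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of (chaining value || message block)."""
    return hashlib.sha256(chain + block).digest()

def md_pad(total_len: int, tail: bytes) -> bytes:
    """MD strengthening for the trailing bytes: 0x80, zeros, 8-byte total length."""
    zeros = (-(len(tail) + 9)) % BLOCK
    return tail + b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len)

def absorb(state: bytes, data: bytes) -> bytes:
    """Iterate the compression function over whole blocks of data."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def md_hash(msg: bytes) -> bytes:
    """Plain Merkle-Damgard hash: the 'indifferentiable construction' stand-in."""
    full = len(msg) - len(msg) % BLOCK
    return absorb(absorb(IV, msg[:full]), md_pad(len(msg), msg[full:]))

# Toy audit protocol: the server holds file M, the client sends a fresh random
# challenge C and expects H(M || C) back; in the ROM this needs all of M.
def honest_response(stored_file: bytes, challenge: bytes) -> bytes:
    return md_hash(stored_file + challenge)

# Stage 1 of a two-stage adversary: sees the file, keeps only a tiny state
# (the chaining value after absorbing M plus M's length), then discards M.
def cheat_stage1(file: bytes) -> tuple:
    assert len(file) % BLOCK == 0  # simplification: block-aligned file
    return absorb(IV, file), len(file)

# Stage 2: sees only the challenge and stage 1's state, never the file.
def cheat_stage2(state: tuple, challenge: bytes) -> bytes:
    chain, file_len = state
    return absorb(chain, md_pad(file_len + len(challenge), challenge))

def audit_passes_without_file(file_blocks: int = 64) -> bool:
    """True when the file-less server answers a random challenge correctly."""
    file, challenge = os.urandom(file_blocks * BLOCK), os.urandom(16)
    return cheat_stage2(cheat_stage1(file), challenge) == honest_response(file, challenge)
```

The retained state is 40 bytes regardless of the file size, so the audit proves nothing about retention even though the same protocol is sound when H is modelled as a random oracle.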

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Thomas Ristenpart, Dept. of Computer Sciences, University of Wisconsin–Madison, USA
  • Hovav Shacham, Dept. of Computer Science & Engineering, UC San Diego, USA
  • Thomas Shrimpton, Dept. of Computer Science, Portland State University, USA