Resource-Restricted Indifferentiability

  • Grégory Demay
  • Peter Gaži
  • Martin Hirt
  • Ueli Maurer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7881)


A major general paradigm in cryptography is the following argument: Whatever an adversary could do in the real world, it could just as well do in the ideal world. The standard interpretation of “just as well” is that the translation from the real to the ideal world, usually called a simulator, is achieved by a probabilistic polynomial-time algorithm. This means that a polynomial blow-up of the adversary’s time and memory requirements is considered acceptable.

In certain contexts this interpretation of “just as well” is inadequate, for example when the concrete amount of memory used by the adversary matters. The example of Ristenpart et al. (Eurocrypt 2011), for which the original indifferentiability notion introduced by Maurer et al. (TCC 2004) is shown to be insufficient, turns out to be exactly of this type: it requires a fine-grained statement about the adversary’s memory capacity, calling for a generalized treatment of indifferentiability in which specific resource requirements can be taken into account by modeling them explicitly.

We provide such a treatment and employ the new indifferentiability notion to prove lower bounds on the memory required by any simulator in a domain extension construction of a public random function. In particular, for simulators without memory, even domain extension by a single bit turns out to be impossible. Moreover, for the construction of a random oracle from an ideal compression function, memory roughly linear in the length of the longest query is required. This also implies the impossibility of such domain extension in any multi-party setting with potential individual misbehavior by parties (i.e., no central adversary).
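The following is an added worked example, not code from the paper: it builds a prefix-free Merkle-Damgård domain extender from a lazily sampled ideal compression function (the real world), pairs a lazily sampled random oracle with a simulator (the ideal world), and runs the natural chain-consistency distinguisher against both. The table-keeping simulator, which stores one (chaining value, block) link per compression-function query, answers the query that closes a chain with the random oracle's value and passes the check; a simulator that keeps no state between queries (here a keyed PRF, a choice made for the example) cannot tell which query closes a chain and fails it. Block size, the length-block encoding, and all class and function names are choices made for this illustration; the lower-bound proofs themselves are in the paper, not here.

```python
"""Added example: memory in indifferentiability simulators for MD-style domain extension."""
import os
import hmac
import hashlib

N = 16          # bytes per block and per chaining value (example constant)
IV = bytes(N)   # fixed initial chaining value


class LazyRandomFunction:
    """Ideal object: a fresh uniform N-byte output for every new input, stored for consistency."""
    def __init__(self):
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = os.urandom(N)
        return self.table[x]


def encode(blocks):
    """Prefix-free encoding: one block holding the block count, then the message blocks."""
    assert all(len(b) == N for b in blocks)
    return [len(blocks).to_bytes(N, "big")] + list(blocks)


def md_hash(f, blocks):
    """Real construction H^f: chain the compression function f over encode(blocks)."""
    h = IV
    for b in encode(blocks):
        h = f(h + b)
    return h


class ChainSimulator:
    """Table-keeping simulator: remembers, for every chaining value it produced, which
    (previous chaining value, block) query produced it. Memory grows by one link per
    non-closing query, i.e. linearly in the total length of the chains it has seen."""
    def __init__(self, ro):
        self.ro = ro
        self.answers = {}   # (h, b) -> y, so repeated queries are answered consistently
        self.parent = {}    # y -> (h, b) link back towards IV

    def _chain(self, h):
        """Walk stored links from h back to IV; None if h is not a known chaining value."""
        blocks = []
        while h != IV:
            if h not in self.parent:
                return None
            h, b = self.parent[h]
            blocks.append(b)
        return tuple(reversed(blocks))

    def __call__(self, x):
        h, b = x[:N], x[N:]
        if (h, b) in self.answers:
            return self.answers[(h, b)]
        y = os.urandom(N)
        chain = self._chain(h)
        if chain is not None:
            chain += (b,)
            declared = int.from_bytes(chain[0], "big")
            if len(chain) - 1 == declared:    # closing query: must agree with the random oracle
                y = self.ro(chain[1:])
            else:                             # partial chain: remember the link
                self.parent[y] = (h, b)
        self.answers[(h, b)] = y
        return y


class StatelessSimulator:
    """No state between queries: a key fixed at setup, every answer a function of the query
    alone. It cannot recognise a closing query, so it never consults the random oracle."""
    def __init__(self, ro):
        self.key = os.urandom(N)

    def __call__(self, x):
        return hmac.new(self.key, x, hashlib.sha256).digest()[:N]


def chain_check(H, f, blocks):
    """Distinguisher: recompute H(blocks) through the compression-function oracle and
    compare with the H oracle. True in the real world; in the ideal world only if the
    simulator answered the closing query with RO(blocks)."""
    return md_hash(f, blocks) == H(blocks)


def real_world():
    f = LazyRandomFunction()
    return (lambda blocks: md_hash(f, blocks)), f


def ideal_world(sim_cls):
    ro = LazyRandomFunction()
    return (lambda blocks: ro(tuple(blocks))), sim_cls(ro)


def experiment(blocks):
    """(real, ideal with table-keeping simulator, ideal with stateless simulator)."""
    return (chain_check(*real_world(), blocks),
            chain_check(*ideal_world(ChainSimulator), blocks),
            chain_check(*ideal_world(StatelessSimulator), blocks))


def memory_after(blocks):
    """Links the table-keeping simulator holds after one chain of len(blocks) message blocks."""
    H, sim = ideal_world(ChainSimulator)
    chain_check(H, sim, blocks)
    return len(sim.parent)
```

Running `experiment` on any message gives `(True, True, False)`: the stateless simulator's answers are consistent and random-looking, but the chain they form ends in a value unrelated to the random oracle. `memory_after` returns exactly the number of message blocks, which is the concrete form of the abstract's point that the simulator's memory has to grow with the length of the queries it must stay consistent with.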


  1. [AKL+09]
    Alwen, J., Katz, J., Lindell, Y., Persiano, G., Shelat, A., Visconti, I.: Collusion-free multiparty computation in the mediated model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 524–540. Springer, Heidelberg (2009)
  2. [AKMZ12]
    Alwen, J., Katz, J., Maurer, U., Zikas, V.: Collusion-preserving computation. In: Safavi-Naini, R. (ed.) CRYPTO 2012. LNCS, vol. 7417, pp. 124–143. Springer, Heidelberg (2012)
  3. [AMP10]
    Andreeva, E., Mennink, B., Preneel, B.: On the indifferentiability of the Grøstl hash function. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 88–105. Springer, Heidelberg (2010)
  4. [BDPVA08a]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak specifications. Submission to NIST (Round 1) (2008)
  5. [BDPVA08b]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)
  6. [BPW04]
    Backes, M., Pfitzmann, B., Waidner, M.: A general composition theorem for secure reactive systems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 336–354. Springer, Heidelberg (2004)
  7. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  8. [BT94]
    Benaloh, J., Tuinstra, D.: Receipt-free secret-ballot elections. In: STOC 1994: Proceedings of the 26th Annual ACM Symposium on Theory of Computing, pp. 544–553. ACM, New York (1994)
  9. [Can01]
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001: Proceedings of the 42nd IEEE Annual Symposium on Foundations of Computer Science, pp. 136–145. IEEE Computer Society Press (October 2001). Full version at
  10. [CDMP05]
    Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
  11. [CG96]
    Canetti, R., Gennaro, R.: Incoercible multiparty computation. In: FOCS 1996: Proceedings of the 37th IEEE Annual Symposium on Foundations of Computer Science, pp. 504–513. IEEE Computer Society (1996)
  12. [CGH98]
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: STOC 1998: Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pp. 209–218. ACM (1998)
  13. [CK11]
    Csiszár, I., Körner, J.: Information Theory: Coding Theorems for Discrete Memoryless Systems, 2nd edn. Cambridge University Press (2011)
  14. [CN08]
    Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008)
  15. [CPS08]
    Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008)
  16. [CV12]
    Canetti, R., Vald, M.: Universally composable security with local adversaries. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 281–301. Springer, Heidelberg (2012)
  17. [DRRS09]
    Dodis, Y., Reyzin, L., Rivest, R., Shen, E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 104–121. Springer, Heidelberg (2009)
  18. [DRS09]
    Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for practical applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)
  19. [DRST12]
    Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H^2 and HMAC. In: Safavi-Naini, R. (ed.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)
  20. [Fan61]
    Fano, R.: Transmission of Information: A Statistical Theory of Communications. The MIT Press, Cambridge (1961)
  21. [HKT11]
    Holenstein, T., Künzler, R., Tessaro, S.: The equivalence of the random oracle model and the ideal cipher model, revisited. In: STOC 2011: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pp. 89–98. ACM, New York (2011)
  22. [HT04]
    Halpern, J., Teague, V.: Rational secret sharing and multiparty computation. In: STOC 2004: Proceedings of the 36th Annual ACM Symposium on Theory of Computing, pp. 623–632. ACM, New York (2004)
  23. [HU05]
    Hofheinz, D., Unruh, D.: Comparing two notions of simulatability. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 86–103. Springer, Heidelberg (2005)
  24. [LMs05]
    Lepinski, M., Micali, S., Shelat, A.: Collusion-free protocols. In: STOC 2005: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 543–552. ACM, New York (2005)
  25. [Mau02]
    Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)
  26. [Mau11]
    Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)
  27. [MR11]
    Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) The Second Symposium on Innovations in Computer Science, ICS 2011, pp. 1–21. Tsinghua University Press (January 2011)
  28. [MRH04]
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  29. [MRT12]
    Maurer, U., Rüedlinger, A., Tackmann, B.: Confidentiality and integrity: A constructive perspective. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 209–229. Springer, Heidelberg (2012)
  30. [RSS11]
    Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: Limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Grégory Demay (1)
  • Peter Gaži (1)
  • Martin Hirt (1)
  • Ueli Maurer (1)
  1. Department of Computer Science, ETH Zurich, Switzerland