Security of Practical Cryptosystems Using Merkle-Damgård Hash Function in the Ideal Cipher Model

  • Yusuke Naito
  • Kazuki Yoneyama
  • Lei Wang
  • Kazuo Ohta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6980)


In this paper, we clarify the security of practical cryptosystems whose hash functions are used through key derivation functions (KDFs). We use the indifferentiability framework to discuss security, because indifferentiability from a Random Oracle (and its variants) guarantees that cryptosystems remain secure when Random Oracles (ROs) are instantiated with hash functions. Previous work on the indifferentiability of Merkle-Damgård (MD) hash functions focuses on stand-alone hash functions; no work considers MD hash functions combined with KDFs. Yet many cryptosystems need hash outputs longer than a stand-alone hash function provides, and KDFs are used to generate these longer digests, as specified in PKCS #1 v2.1 and IEEE P1363. Specifically, we obtain the following results. We denote the MD hash function using Stam’s type-II compression function by MD-SCFII, and MD-SCFII combined with a KDF by KDF-MD-SCFII.

  • Cryptosystems secure in the pub-RO model (FDH, PSS, Fiat-Shamir, and so on): Dodis et al. proposed indifferentiability from pub-RO to prove the security of these cryptosystems using MD-SCFII, but did not consider KDF structures. We therefore propose a different framework, indifferentiability from privleak-RO. Using this framework together with their result, we show that these cryptosystems using KDF-MD-SCFII are secure.

  • Encryption schemes secure in the RO model (OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM, and so on): these encryption schemes are secure in the “fixed input length” RO model, because the lengths of the inputs the schemes feed to their ROs are fixed. We show that this fact guarantees the security of these encryption schemes using KDF-MD-SCFII.
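As an added example (not from the paper), the KDF structure the abstract refers to: MGF1 from PKCS #1 v2.1 built over SHA-256 as the MD hash, plus a trace of the hash-input lengths produced by the two MGF1 calls of RSAES-OAEP, showing that those lengths are fixed by the scheme parameters alone and never depend on the message. The modulus length k and the all-zero seed and DB are constructed values.

```python
import hashlib
from typing import Callable, List, Optional, Set

HashFn = Callable[[bytes], bytes]
H_LEN = 32  # SHA-256 digest length in octets (hLen in PKCS #1)


def sha256(data: bytes) -> bytes:
    """Merkle-Damgård hash standing in for the paper's MD-SCFII; SHA-256 is MD-based."""
    return hashlib.sha256(data).digest()


def i2osp(x: int, length: int) -> bytes:
    """I2OSP from PKCS #1: big-endian integer to a fixed-width octet string."""
    return x.to_bytes(length, "big")


def hash_block(seed: bytes, counter: int, h: HashFn = sha256) -> bytes:
    """One KDF block: the MD hash applied to seed || C with C = I2OSP(counter, 4)."""
    return h(seed + i2osp(counter, 4))


def mgf1(seed: bytes, mask_len: int, h: HashFn = sha256, h_len: int = H_LEN,
         trace: Optional[List[int]] = None) -> bytes:
    """MGF1 (PKCS #1 v2.1, B.2.1): T = H(seed||C_0) || H(seed||C_1) || ..., cut to
    mask_len. This KDF structure is what stretches a fixed-length MD digest to an
    arbitrary output length. If `trace` is given, the octet length of every hash
    input is appended to it, so the caller can inspect the RO query lengths."""
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    t = b""
    counter = 0
    while len(t) < mask_len:
        if trace is not None:
            trace.append(len(seed) + 4)
        t += hash_block(seed, counter, h)
        counter += 1
    return t[:mask_len]


def oaep_mgf_input_lengths(k: int, h_len: int = H_LEN) -> Set[int]:
    """Octet lengths of every hash input made by the two MGF1 calls of RSAES-OAEP
    (PKCS #1 v2.1, 7.1.1): dbMask = MGF(seed, k - hLen - 1) with |seed| = hLen and
    seedMask = MGF(maskedDB, hLen) with |maskedDB| = k - hLen - 1. They depend only
    on the modulus length k and hLen, never on the message or the seed value: this
    is the fixed-input-length RO usage the abstract refers to. Inputs are constructed."""
    seed = bytes(h_len)          # constructed; a real OAEP seed is random
    trace: List[int] = []
    db_mask = mgf1(seed, k - h_len - 1, trace=trace)
    masked_db = db_mask          # constructed all-zero DB, so maskedDB = DB xor dbMask = dbMask
    mgf1(masked_db, h_len, trace=trace)
    return set(trace)
```

For a 2048-bit modulus (k = 256) every hash query has length 36 or 227 octets, whatever the plaintext is.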






References

  1. Abe, M., Kiltz, E., Okamoto, T.: Chosen Ciphertext Security with Optimal Ciphertext Overhead. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 355–371. Springer, Heidelberg (2008)
  2. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  3. Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  4. Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  5. Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 103–118. Springer, Heidelberg (2002)
  6. Boneh, D.: Simplified OAEP for the RSA and Rabin Functions. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 275–291. Springer, Heidelberg (2001)
  7. Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
  8. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
  9. Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology, Revisited (Preliminary Version). In: STOC, pp. 209–218 (1998)
  10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. J. Cryptology 20(4), 265–294 (2007)
  11. Chevallier-Mames, B., Phan, D.H., Pointcheval, D.: Optimal Asymmetric Encryption and Signature Paddings. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 254–268. Springer, Heidelberg (2005)
  12. Coron, J.-S.: Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  13. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
  14. Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal Padding Schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 226–241. Springer, Heidelberg (2002)
  15. Dodis, Y., Freedman, M.J., Jarecki, S., Walfish, S.: Versatile padding schemes for joint signature and encryption. In: ACM Conference on Computer and Communications Security, pp. 344–353 (2004)
  16. Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for Practical Applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)
  17. Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for Practical Applications. ePrint 2009/177 (2009)
  18. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems
  19. IEEE. P1363: Standard specifications for public-key cryptography
  20. Komano, Y., Ohta, K.: Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 366–382. Springer, Heidelberg (2003)
  21. RSA Laboratories. PKCS #1 v2.1: RSA cryptography standard (June 14, 2002)
  22. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  23. Naito, Y., Yoneyama, K., Wang, L., Ohta, K.: How to Confirm Cryptosystems Security: The Original Merkle-Damgård Is Still Alive! In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 382–398. Springer, Heidelberg (2009)
  24. National Institute of Standards and Technology. FIPS PUB 180-3 Secure Hash Standard. In: FIPS PUB (2008)
  25. Phan, D.H., Pointcheval, D.: OAEP 3-Round: A Generic and Secure Asymmetric Encryption Padding. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 63–77. Springer, Heidelberg (2004)
  26. Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)
  27. Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption (version 2.1) (2001)
  28. Shoup, V.: OAEP reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001)
  29. Stam, M.: Blockcipher-Based Hashing Revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)
  30. Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky Random Oracle (Extended Abstract). In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 226–240. Springer, Heidelberg (2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yusuke Naito (1)
  • Kazuki Yoneyama (2)
  • Lei Wang (3)
  • Kazuo Ohta (3)

  1. Mitsubishi Electric Corporation, Japan
  2. NTT Information Sharing Platform Laboratories, Japan
  3. The University of Electro-Communications, Japan
