How to Confirm Cryptosystems Security: The Original Merkle-Damgård Is Still Alive!

  • Yusuke Naito
  • Kazuki Yoneyama
  • Lei Wang
  • Kazuo Ohta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


At CRYPTO 2005, Coron et al. showed that the Merkle-Damgård hash function (MDHF) built from a fixed-input-length random oracle is not indifferentiable from a random oracle (RO), because of the extension attack: an adversary who knows the digest of a message and the message's length, but not the message itself, can compute the digest of a longer message that extends it. In other words, MDHF does not behave like an RO. This result implies that there exists some cryptosystem that is secure in the RO model but insecure when instantiated with MDHF. It does not, however, imply that no cryptosystem is secure under MDHF. This fact motivates us to establish a methodology for confirming the security of cryptosystems under MDHF.

In this paper, we confirm cryptosystems security by using the following approach:
  1. Find a variant, \(\widetilde{\mathsf{RO}}\), of RO which leaks the information needed to realize the extension attack.

  2. Prove that MDHF is indifferentiable from \(\widetilde{\mathsf{RO}}\).

  3. Prove cryptosystems security in the \(\widetilde{\mathsf{RO}}\) model.

From the indifferentiability framework, a cryptosystem secure in the \(\widetilde{\mathsf{RO}}\) model is also secure under MDHF. Thus we concentrate on finding \(\widetilde{\mathsf{RO}}\), which is weaker than RO.

We propose the Traceable Random Oracle (TRO) which leaks enough information to permit the extension attack. By using TRO, we can easily confirm the security of OAEP and variants of OAEP. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks information that is irrelevant to the extension attack. Therefore, we propose another \(\widetilde{\mathsf{RO}}\), the Extension Attack Simulatable Random Oracle, ERO, that leaks just the information needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.
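The extension attack that the weakened oracles above must be able to simulate is easy to see in code. The following is an added example, not code from the paper: it builds a plain Merkle-Damgård hash from a lazily sampled fixed-input-length random oracle (the setting of Coron et al.), then shows that knowing only the digest H(M) and the length |M| is enough to compute H(M || pad(M) || suffix) for any chosen suffix, exactly because the final chaining value is the digest. The block size, chaining-value size, padding rule and the constructed sample message are assumptions of this example; the paper's TRO and ERO definitions are not reproduced on this page, so nothing here claims to implement them.

```python
"""
Length-extension attack on plain Merkle-Damgård built from a fixed-input-length
random oracle. Added illustration; toy parameters chosen for this example.
"""
import random
import struct
from typing import Optional, Tuple

BLOCK = 16          # assumed compression-function message block size (bytes)
STATE = 16          # assumed chaining-value / digest size (bytes)
IV = bytes(STATE)   # fixed initial value (all zeros), an assumption of this example


class FixedInputLengthRO:
    """Lazily sampled random function f: {0,1}^STATE x {0,1}^BLOCK -> {0,1}^STATE.

    Every fresh (chaining value, block) pair gets an independent uniformly random
    output, which models the fixed-input-length random oracle that Coron et al.
    plug into Merkle-Damgård. The seed only makes a run reproducible; the
    attack below never uses it, only oracle queries.
    """

    def __init__(self, seed: int = 0):
        self._rng = random.Random(seed)
        self._table = {}

    def __call__(self, h: bytes, block: bytes) -> bytes:
        assert len(h) == STATE and len(block) == BLOCK
        key = (h, block)
        if key not in self._table:
            self._table[key] = bytes(self._rng.getrandbits(8) for _ in range(STATE))
        return self._table[key]


def md_pad(msg_len: int) -> bytes:
    """MD strengthening: 0x80, zero fill, then the 64-bit big-endian bit length.

    The result makes msg_len + len(pad) a multiple of BLOCK.
    """
    pad = b"\x80"
    while (msg_len + len(pad)) % BLOCK != BLOCK - 8:
        pad += b"\x00"
    return pad + struct.pack(">Q", msg_len * 8)


def md_hash(f, msg: bytes, iv: bytes = IV, total_len: Optional[int] = None) -> bytes:
    """Plain Merkle-Damgård: iterate f over the padded message, starting from iv.

    total_len lets a caller pad msg as if it were the tail of a longer message;
    that hook, together with a caller-chosen iv, is all the extension attack needs.
    """
    if total_len is None:
        total_len = len(msg)
    data = msg + md_pad(total_len)
    h = iv
    for i in range(0, len(data), BLOCK):
        h = f(h, data[i:i + BLOCK])
    return h


def extension_attack(f, digest: bytes, msg_len: int, suffix: bytes) -> Tuple[bytes, bytes]:
    """Given only H(M) and |M| (never M), return (glue, H(M || glue || suffix)).

    glue = pad(M) is the padding the honest hasher appended to M, so the
    extended message must contain it. The digest is the chaining value after
    processing M || glue, so the attacker simply resumes the iteration there.
    """
    glue = md_pad(msg_len)
    forged = md_hash(f, suffix, iv=digest,
                     total_len=msg_len + len(glue) + len(suffix))
    return glue, forged


def demo() -> bool:
    """Run the attack against a secret message; True if the forged digest verifies."""
    f = FixedInputLengthRO(seed=2009)
    secret = b"S3cret-prefix-known-only-to-hasher"   # constructed sample input
    suffix = b"&admin=true"                          # attacker-chosen extension
    tag = md_hash(f, secret)

    # The attacker sees tag and len(secret) only, never secret itself.
    glue, forged = extension_attack(f, tag, len(secret), suffix)
    honest = md_hash(f, secret + glue + suffix)
    return forged == honest


if __name__ == "__main__":
    print("extension attack succeeds:", demo())
```

The compression function is a genuinely random function, so the attack owes nothing to a weak primitive; it follows from the iteration structure alone, which is why an ideal whole-message RO, having no chaining value to resume from, cannot be attacked this way and why MDHF is not indifferentiable from it. A weakened oracle that hands the adversary exactly the capability `extension_attack` uses (digest plus length in, extended digest out) is what step 1 of the approach above asks for.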


Keywords: Indifferentiability; Merkle-Damgård hash function; Variants of Random Oracle; Cryptosystems Security


  1. An, J.H., Bellare, M.: Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 252–269. Springer, Heidelberg (1999)
  2. Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006)
  3. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  5. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)
  6. Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  7. Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damgård for practical applications. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 371–388. Springer, Heidelberg (2009)
  8. Hirose, S., Park, J.H., Yun, A.: A simple variant of the Merkle-Damgård scheme with a permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007)
  9. Maurer, U.M., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
  10. Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
  11. Shoup, V.: A proposal for an ISO standard for public key encryption, version 2.1 (2001)
  12. Tsudik, G.: Message authentication with one-way hash functions. In: INFOCOM, pp. 2055–2059 (1992)
  13. Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky random oracle (extended abstract). In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 226–240. Springer, Heidelberg (2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yusuke Naito, Mitsubishi Electric Corporation
  • Kazuki Yoneyama, NTT Corporation
  • Lei Wang, The University of Electro-Communications
  • Kazuo Ohta, The University of Electro-Communications
