Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).
NIST Authors in Bold
|Author(s):||Dong H. Chang; Moti Yung;|
|Title:||Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications|
|Published:||April 16, 2012|
|Abstract:||In the last few years, the need to design new cryptographic hash functions has led to the intense study of when desired hash multi-properties are preserved or assured under compositions and domain extensions. In this area, it is important to identify the exact notions and provide often complex proofs of the resulting properties. Getting this analysis right (as part of provable security studies) is, in fact, analogous to cryptanalysis. We note that it is important and quite subtle to get indeed the "right" notions and properties, and "right" proofs in this relatively young area. Specifically, the security notion we deal with is "adaptive preimage resistance" (APR) which was introduced by Lee and Park in  as an extension of "preimage resistance" (PR). In Eurocrypt 2010, in turn, Lee and Steinberger  already used the APR security notion to prove "preimage awareness" and "indifferentiable security" of their new double-piped mode of operation. They claimed that if HP is collision-resistant and APR, then F(M) = R(HP (M)) is indifferentiable from a variable output length (VIL) random oracle F, where HP is a function based on an ideal primitive P and R is a fixed input length (FIL) random oracle. However, as we show in the current work, the above statement is not correct. First in our studies, we give a counterexample to the above. Secondly, we describe a new requirement on HP (called "admissibility") so that the above statement is correct. Thirdly, we show that APR is, in fact, not a strengthened notion of preimage resistance (PR). Fourthly, we explain the relation between preimage awareness and CR+APR+(our new requirement). Finally, we show that a polynomial-based mode of operation  satisfies our new requirement; namely, the polynomial-based mode of operation with fixed-input-length random oracles is indifferentiable from a variable-input-length random oracle (as originally claimed, but based on the refined arguments and subtleties presented here).|
|Citation:||IACR Cryptology ePrint Archive|
|Keywords:||Adaptive Preimage Resistance, Preimage Awareness, Indifferentiability|
|Research Areas:||Computer Security, Cybersecurity, Information Technology, Math|
|PDF version:||Click here to retrieve PDF version of paper (281KB)|