The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating back to Shannon [25] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity. In this paper, we briefly discuss the implications of proofs done in the ideal-cipher model, their show some limitations of the model analogous to recent work regarding the Random-Oracle Model [2]. In particular, we extend work by Canetti, Goldreich and Halevi [5], and a recent simplification by Maurer, Renner, and Holenstein [15], to exhibit a blockcipher-based hash function that is provably-secure in the ideal-cipher model but trivially insecure when instantiated by any blockcipher.

[1]  Robert S. Winternitz A Secure One-Way Hash Function Built from DES , 1984, 1984 IEEE Symposium on Security and Privacy.

[2]  John Black,et al.  Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption , 2002, USENIX Security Symposium.

[3]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, Journal of Cryptology.

[4]  Yishay Mansour,et al.  A Construction of a Cioher From a Single Pseudorandom Permutation , 1991, ASIACRYPT.

[5]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[6]  J C HENRY,et al.  New construction. , 1962, Hospital progress.

[7]  John Black,et al.  A Block-Cipher Mode of Operation for Parallelizable Message Authentication , 2002, EUROCRYPT.

[8]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[9]  John Black,et al.  The Impossibility of Technology-Based DRM and a Modest Suggestion , 2005, J. Telecommun. High Technol. Law.

[10]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[11]  John Black,et al.  On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions , 2005, EUROCRYPT.

[12]  Charles U. Martel,et al.  Graph and Hashing Algorithms for Modern Architectures: Design and Performance , 1998, WAE.

[13]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[14]  Anand Desai,et al.  The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search , 2000, CRYPTO.

[15]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[16]  Antoine Joux,et al.  On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction , 2002, FSE.

[17]  Ran Canetti,et al.  On the Random-Oracle Methodology as Applied to Length-Restricted Signature Schemes , 2004, TCC.

[18]  Jesper Buus Nielsen,et al.  Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[19]  John Black,et al.  Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV , 2002, CRYPTO.

[20]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[21]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[22]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[23]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[24]  Rakhi C. Motwani,et al.  Collocated Dataglyphs for large-message storage and retrieval , 2004, IS&T/SPIE Electronic Imaging.

[25]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[26]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[27]  Bruce Schneier One-way hash functions , 1991 .

[28]  Hugo Krawczyk,et al.  UMAC: Fast and Secure Message Authentication , 1999, CRYPTO.

[29]  Silvio Micali,et al.  CS proofs , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[30]  John Black,et al.  Lessons learned: a security analysis of the Internet Chess Club , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[31]  Yishay Mansour,et al.  A construction of a cipher from a single pseudorandom permutation , 1997, Journal of Cryptology.

[32]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[33]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[34]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[35]  John Black,et al.  A Study of the MD5 Attacks: Insights and Improvements , 2006, FSE.

[36]  Joos Vandewalle,et al.  Hash Functions Based on Block Ciphers: A Synthetic Approach , 1993, CRYPTO.

[37]  Mihir Bellare,et al.  An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[38]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[39]  Alexander W. Dent,et al.  Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model , 2002, ASIACRYPT.