Davies-Meyer Merkle-Damg̊ard Revisited: Variants of Indifferentiability and Random Oracles

In this paper, we discuss the security of cryptosystems that use hash function DM-MD that is Davies-Meyer Merkle-Damg̊ard with ideal cipher E. DM-MD is not indifferentiable from random oracle (RO) due to the extension attack and the inverse attack. From the indifferentiability theory, there is some cryptosystem that is secure in the RO model but insecure when RO is replaced with DM-MD . However, this does not imply that any cryptosystem secure in the RO model is insecure when RO is replaced with DM-MD . Therefore, we analyze the security of cryptosystems with DM-MD by using two approaches. The first approach uses weakened random oracle (WRO). Since the extension attack and the inverse attack can be applied to DM-MD but not to RO, we define WRO such that these attacks can be applied, and analyze the security of cryptosystems with DM-MD by using WRO. We propose the extension attack and inverse attack simulatable random oracle (EIRO) to which these attacks can be applied. We prove that DM-MD is indifferentiable from EIRO. This implies that any cryptosystem secure in the EIRO model is secure when EIRO is replaced with DM-MD . We prove that RSA-KEM, FDH, PSS, Fiat-Shamir and so on are secure in the EIRO model. Therefore these cryptosystems are secure when using DM-MD . Moreover, we prove that EIRO is equivalent to DM-MD . Therefore, the only differences between RO and DM-MD lie in the extension attack and the inverse attack. We also prove that FDH, PSS, Fiat-Shamir and so on are secure when using an output length extension (OLE) algorithm (KDF1 (MGF1), KDF2 and KDF3) with DM-MD . The second approach uses a variant of the theory, denoted indifferentiability with condition, which is proposed in this paper. While the original indifferentiability theory deals with any cryptosystem, the indifferentiability with condition deals with cryptosystems that satisfy some condition. As an example, we consider cryptosystems that satisfy the condition “prefix-free” (PF cryptosystems) (e.g. OAEP, OAEP+, SAEP, SAEP+ and so on). We show that if DM-MD is indifferentiable from RO with the condition “prefix-free”, PF cryptosystems are secure when using DM-MD . By using the previous result: “the hash function (DM-MD with prefix-free padding) is indifferentiable from RO”, we can prove that DM-MD is indifferentiable from RO with the condition “prefix-free” by a simple and clear proof. Therefore, PF cryptosystems are secure when using DM-MD . Similarly, PF cryptosystems are secure when using an OLE algorithm (KDF1, KDF2 and KDF3) with DM-MD .