Careful with composition: Limitations of the indifferentiability framework

Abstract

We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem from [27] applies to any cryptosystem. We characterize the uncovered limitations of indifferentiability by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, and more. We formalize a stronger notion, reset indifferentiability, that enables a composition theorem covering such multi-stage security notions, but our results show that practical hash constructions cannot be reset indifferentiable. We finish by giving direct security proofs for several important PKE schemes. © 2011 International Association for Cryptologic Research.

Citation (APA)

Ristenpart, T., Shacham, H., & Shrimpton, T. (2011). Careful with composition: Limitations of the indifferentiability framework. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6632 LNCS, pp. 487–506). https://doi.org/10.1007/978-3-642-20465-4_27
