What is reset indifferentiability? Why can practical hash functions not satisfy reset indifferentiability? What are the implications of reset indifferentiability?
Please add the definition of reset indifferentiability to the question, at least. – kodlu Jun 07 '22 at 16:53
1 Answer
Motivation
The indifferentiability framework is a tool to argue the security of cryptosystems under the assumption that the cryptosystem uses an idealized component. Therefore, indifferentiability is often used to argue the security of hash functions. Furthermore, indifferentiability comes with a composition theorem; thus, schemes proven with indifferentiability can be reused in arbitrary contexts and remain secure.
RSS paper: Ristenpart et al. showed that indifferentiability might not be enough for some scenarios. They consider the example of proof of storage. Namely, a storage server allows the user to verify that the files are still stored on the server and use the following challenge-response protocol: to confirm that the file $m$ is still stored on the server, the client sends a random $c$. The server responds with $H(m|c)$.
This protocol is secure in the random oracle model; however, it is not necessarily secure if one considers, for example, an iterated hash function; it is possible to compute $H(m|c)$ without $m$ as long as the malicious server keeps some data (e.g., chaining values).
Reset indifferentiability
The authors of 2 observed that the shortcoming of the original indifferentiability is that it doesn't work for so-called "multi-stage games" where the adversary is a tuple $A = (A_i)_{i \geq 2}$, where the tuple is disjoint and doesn't necessarily share a state. Reset indifferentiability, therefore, augments the original framework by requiring that the simulator be stateless.
Consequence: The weaker version of reset indifferentiability allows one to exhibit (potentially different) simulators for each distinguisher, while the stronger notion requires a universal simulator. Several papers, including this one, showed several impossibility results for the strong reset indifferentiability, including the impossibility of domain extension.
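As an added illustration of the proof-of-storage issue the answer describes (this code is not part of the original answer or of the RSS paper), here is a toy Merkle-Damgård iterated hash in Python. The malicious server keeps only a chaining value, the leftover bytes of $m$'s last partial block and $|m|$, deletes $m$, and still answers $H(m|c)$ correctly. The toy block size, the SHA-256-based compression function and the challenge-first variant at the end are my own assumptions.

```python
import hashlib
import struct

BLOCK = 16           # constructed toy parameters: 16-byte blocks and chaining values
IV = bytes(BLOCK)    # all-zero initial chaining value

def compress(chain: bytes, block: bytes) -> bytes:
    """Toy compression function built from SHA-256 (stand-in for a real f)."""
    return hashlib.sha256(chain + block).digest()[:BLOCK]

def pad(data: bytes, total_len: int) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit bit length of the whole message."""
    padded = data + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", 8 * total_len)

def absorb(chain: bytes, data: bytes) -> bytes:
    """Iterate the compression function over whole blocks (len(data) % BLOCK == 0)."""
    for i in range(0, len(data), BLOCK):
        chain = compress(chain, data[i:i + BLOCK])
    return chain

def H(msg: bytes) -> bytes:
    """The iterated hash H: pad the message and absorb it from the IV."""
    return absorb(IV, pad(msg, len(msg)))

def honest_response(m: bytes, c: bytes) -> bytes:
    """Honest server: still stores m and answers H(m|c) as the protocol expects."""
    return H(m + c)

def malicious_state(m: bytes) -> tuple:
    """Malicious server: after seeing m once, keeps only the chaining value after m's
    full blocks, the (< BLOCK) leftover bytes, and len(m); m itself can be deleted."""
    full = len(m) - len(m) % BLOCK
    return absorb(IV, m[:full]), m[full:], len(m)

def malicious_response(state: tuple, c: bytes) -> bytes:
    """Answer H(m|c) from the retained state alone. The leftover bytes start at a
    block boundary, so padding them together with c reproduces the tail of pad(m|c)."""
    chain, tail, m_len = state
    return absorb(chain, pad(tail + c, m_len + len(c)))

def challenge_first_response(m: bytes, c: bytes) -> bytes:
    """Assumed remedy (not from the answer): hashing the challenge first, H(c|m), means no
    chaining value computed from m alone lies on the path to the answer."""
    return H(c + m)
```

The retained state is at most 2·BLOCK + 8 bytes whatever the size of $m$, which is exactly the "some data" the answer refers to; the random oracle model has no such intermediate state to keep.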
