How to Prove the Security of Practical Cryptosystems with Merkle-Damgård Hashing by Adopting Indifferentiability

In this paper, we show that major cryptosystems such as FDH, OAEP, and RSA-KEM are secure under a hash function MD with Merkle-Damg̊ard (MD) construction that uses a random oracle compression function h. First, we propose two new ideal primitives called Traceable Random Oracle (T RO) and Extension Attack Simulatable Random Oracle (ERO) which are weaker than a random oracle (RO). Second, we show that MD is indifferentiable from LRO, T RO and ERO, where LRO is Leaky Random Oracle proposed by Yoneyama et al. This result means that if a cryptosystem is secure in these models, then the cryptosystem is secure under MD following the indifferentiability theory proposed by Maurer et al. Finally, we prove that OAEP is secure in the T RO model and RSAKEM is secure in the ERO model. Since it is also known that FDH is secure in the LRO model, as a result, major cryptosystems, FDH, OAEP and RSA-KEM, are secure under MD, though MD is not indifferentiable from RO.