The Random oracle model.docx

8/10/2019 The Random oracle model.docx

1/5

The Random oracle model , which was introduced in 1993 by Bella and Roway

An approach which has been hugely successful in practice, and offers a "middle ground" between

a fully-rigorous proof of security on the one hand and no proof whatsoever on the other, is to

introduce an idealized model in which to prove the security of cryptographic schemes . Though the

idealization may not be an accurate reflection of reality, we can at least derive some measure ofconfidence in the soundness of a scheme 's design from a proof within the idealized model. As

long as the model is reasonable, such proofs are certainly better than no proofs at all.

The most popular example of this approach is the random oracle model, which posits the existence

of a public, randomly-chosen function H that can be evaluated only by "querying" an oracle - which

can be thought of as a "magic box" -that returns H(x) when given input x (We will discuss in the

following section exactly how this is to be interpreted.) To differentiate things , the model we

have been using until now (where no random oracle is present ) is of ten called the "standard

model" .

No one seriously claims that a random oracle exists ( although there have been suggestions that a

random oracle could be implemented in practice using a trusted party ) . Rather, the random oracle

model provides a formal methodology that can be used to design and validate cryptographic

schemes via the following two-step approach:

1. First , a scheme is designed and proven secure in the random oracle model. That is, we assume

the world. contains a random oracle , and construct and analyze a cryptographic scheme based on

this assumption. Standard cryptographic assumptions (of the type we have seen until now) may

be utilized in the proof of security as well.

2. When we want to implement the scheme in the real world, a random oracle is not available.Instead , the random oracle H in the scheme is instantiated with a cryptographic hash function H

such as SHA-1, modified appropriately. That is , at each point where the scheme dictates that a party

should query the oracle for the value H(x), the party instead computes H(x) on its own

The hope is that the cryptographic hash function used in the second step is "sufficiently good" at

emulating a random oracle, so that the security proof given in the first step will carry over to

the real-world instantiation of the scheme. A difficulty is that there is currently no theoretical

justification for this hope, and in fact there exist (contrived) schemes that can be proven secure in

the random oracle model but are insecure no matter how the random oracle is instantiated in the

second step. Furthermore, as a practical matter it is not clear exactly what it means for a hash

function to be "good" at emulating a random oracle, nor is it clear that this is an achievable goal.

For these reasons , a proof of security for a scheme in the random oracle model should be viewed as

providing evidence that the scheme has no "inherent design flaws" but should not be taken as

a rigorous proof that any real-world instap tiation of the scheme is secure, Further discussion on

how to interpret proof s in the random oracle model is given in Section 13. 1. 2

The Random Oracle Model in Detail


2/5

Before continuing , let us pin down exactly what the random oracle model entails. A good way

to think about the random oracle model is as follows: The oracle" is simply a box that takes a

binary string as input and returns a binary string as output . The internal workings of the box are

unknown and inscrutable. Everyone - both honest parties as well as adversaries - can interact with

the box, where such interaction consists of entering a binary string x as input and receiving a

binary stringy as output; we refer to this as querying the oracle on x, and call x itself a query

made to the oracle. Queries to the oracle are assumed to be private so that if some party queries the

oracle on input x then no one else learns x, or even learns that this party queried the oracle at

all. This makes sense , because calls to the oraele correspond in reality to local (private )

evaluations of a cryptographic hash function.

It is guaranteed that the box is consistent: that is, if the box ever outputs y for a particular input

x, then it always outputs the same answer y when given the same input x again. This means

that we can view the box as implementing a function H; i.e., we simply define the function H in

terms of the input/output characteristics of the box. For convenience , we thus speak of "querying

H" rather than querying the box. No one "knows" the entire function H (except the box itself ); atbest, all that is known ate the values of H on the strings that have been explicitly queried thus far

We now discuss what it means to choose this function H at random. Any function H mapping n-bit

inputs to l(n)-bit outputs can be viewed as a table indicating for each possible input x {0, 1 }n the

corresponding output value H(x ) {0,1} l(n). Using lexicographic order for the inputs, this means

that any such function can be represented by a string of length 2n l(n ) bits, and conversely that

every string of this length can be viewed as a function mapping n-bit inputs to l(n)-bit outputs.

An immediate corollary is that there are exactly U def 2l(n)2n different functions having the

specified input and output lengths . Picking a function H of this type uniformly at random means

choosing H uniformly from among these U possibilities. In the random oracle model as we havebeen picturing it, this corresponds to initializing the oracle by choosing such an H and having the

oracle answer according to H. Note that storing the string/table representing H in any physical

device would require an ex ponential (in the input length ) number of bits, so even for

moderately-sized inputs this is not something we can hope to do in the real world

An equivalent, but often more convenient, way to think about choosing a function H uniformly at

random is to imagine generating random outputs for H "on the fly," as needed . Specifically, imagine

that the function is defined by a table of pairs {(xi , Yi) } that is initially empty. When the oracle

receives a query x it first checks whether x = Xi for some pair (xi, Yi ) in the table; if so, the

corresponding Yi is returned . Otherwise, a random string y {0, 1}l(n) is chosen, the answer y is

returned, and the oracle stores (x, y) in its table so the same output can be returned if the same

input is ever queried again. While one could imagine carrying this out in the real world, this is

further from our conception of "fixing" the function H once-and-f or-all before beginning to run

some crytographic scheme. From the point of view of the parties interacting with the oracle,

however, it is completely equivalent. We remark that viewing H as choosing output values "on the

fly" also makes things much easier (technically as well as conceptually) when His defined over an

infinite domain such as {0, 1}*


3/5

When we defined pseudorandom functions in Section 3.6. 1, we also consid ered algorithms having

oracle access to a random function. Lest there be any conf usion, we note that the usage of a

random function there is very different from the usage of a random function here. There, a

random function was used as a way of de fining what it means for a concrete keyed function to

be pseudorandom . In the random oracle model, the random function is used as part of the cons tr

uction of the primitive, and so must somehow be instantiated in the real world if we want a

concrete realization of the primitive

Mt cch tip cn cc k thnh cng trong thc t, v cung cp mt "tp trung" gia mtbng chng y nghim ngt v an ninh trn mt mt v khng c bng chng no v vickhc, l gii thiu mt m hnh l tng, trong chng minh s an ton ca chng trnhm ha. Mc d s l tng ha c th khng phn nh chnh xc thc t, t nht chng ta c thly c mt s bin php tin tng vo tnh ng n ca thit k mt chng trnh 's t mtbng chng trong cc m hnh l tng. Min l cc m hnh l hp l, bng chng nh vy lchc chn tt hn l khng c bng chng no c. Cc v d ph bin nht ca phng php ny l cc m hnh oracle ngu nhin, m tha nhn s

tn ti ca mt cng ng, ngu nhin chn chc nng H c th c nh gi ch bng cch"truy vn" mt oracle - c th c coi nh mt "hp ma thut" - tr v H (x) khi cho u vox (chng ti s tho lun trong phn sau chnh xc cch ny phi c gii thch.) phn bits vt, cc m hnh chng ti c s dng cho n nay (ni khng c oracle ngu nhin lhin ti) l mi gi l "tiu chun m hnh". Khng ai nghim tc tuyn b rng mt oracle ngu nhin tn ti (mc d c nhng kincho rng mt oracle ngu nhinc th c thc hin trong thc t s dng mt bn tin cy).Thay vo , cc m hnh oracle ngu nhin cung cp mt phng php chnh thc c th cs dng thit k cc chng trnh m ha v xc thc thng qua cch tip cn hai bc sau: 1. u tin, mt chng trnh c thit k v c chng minh an ton trong m hnh oraclengu nhin. l, chng ta gi nh trn th gii. cha mt oracle ngu nhin, v xy dng v

phn tch mt chng trnh m ha da trn gi nh ny. Gi nh mt m tiu chun (ca ccloi chng ti nhn thy cho n by gi) c th c s dng trong cc giy t chng minhbo mt tt.2. Khi chng ta mun thc hin n trong th gii thc, mt oracle ngu nhin l khng csn. Thay vo , oracle H ngu nhin trong chng trnh ny c khi to vi mt chc nngbm mt m H nh SHA-1, sa i cho ph hp. l, ti mi im m chng trnh ny niln rng mt bn nn truy vn cc oracle cho H gi tr (x), cc bn thay th tnh H (x) trnring ca mnhHy vng l cc hm bm mt m c s dng trong bc th hai l " tt" ti cnh tranh vimt oracle ngu nhin, chng minh an ninh c a ra trong cc bc u tin s thc hinqua cc instantiation th gii thc hin n. Mt kh khn l hin nay cha c bin minh l

thuyt cho nim hy vng ny, v trong thc t c tn ti (gi to) chng trnh c th cchng minh l an ton trong m hnh oracle ngu nhin nhng khng an ton khng c vn nh th no oracle ngu nhin c khi to bc th hai. Hn na, nh mt vn thc t nkhng phi l r rng chnh xc nhng g n c ngha l cho mt hm bm l "tt" thi ua mtoracle ngu nhin, cng khng phi l r rng rng y l mt mc tiu c th t c. i vinhng l do ny, mtbng chng v an ninh i vi mt chng trnh trong m hnh oraclengu nhin nn c xem nh l cung cp bng chng rng chng trnh ny khng c "l hngthit k vn c", nhng khng nn c thc hin nh l mt bng chng kht khe m bt k


4/5

instap m trong th gii thc ca chng trnh ny l an ton, tho lun su hn v cch giithch bng chng s trong m hnh oracle ngu nhin c a ra trong mc 13. 1. 2 Chi tit m hnh ngu nhin oracleTrc khi tip tc, chng ta hy ghim xung chnh xc nhng g cc m hnh oracle ngu nhini hi. Mt cch tt suy ngh v m hnh oracle ngu nhin nh sau: Cc "oracle" ch n

gin l mt hp m phi mt mt chui nh phn nh l u vo v tr v mt chui nh phnnh u ra hot ng bn trong ca hp l khng r v kh hiu mi ngi -.. c hai bn trungthc cng l k th - c th tng tc vi cc hp, ni tng tc nh vy bao gm nhp mtchui nh phn x l u vo v nhn c mt si dy nh phn nh u ra, chng ti gi y ltruy vn oracle trn x, v x gi chnh n mt truy vn thc hin cho cc oracle. truy vn oraclec gi nh l tin nu mt bn truy vn oracle trn u vo x sau khng ai khc bit x,hoc thm ch bit rng bn ny hi nhng tri tt c. iu ny c ngha, bi v cc cuc gin cc oraele tng ng trong thc t n a phng (t nhn) nh gi ca mt hm bm mtm.N c m bo rng hp ph hp: l, nu hp bao gi kt qu u ra y cho mt u vo cth x, sau n lun lun xut ra cu tr li ging y khi cho cng mt u vo x ln na. iu

ny c ngha rng chng ta c th xem cc hp nh thc hin mt chc nng H; tc l, chng tich n gin l xc nh cc chc nng H v cc c im u vo / u ra ca hp. thuntin, chng ti nh vy, ni v "truy vn H" ch khng phi l truy vn hp. Khng ai "bit"ton b chc nng H (tr cc hp ring ca mnh); lc tt nht, tt c nhng g c bit n ncc gi tr ca H trn y c hi mt cch r rng cho n nay. By gichng ta tho lun v nhng g n c ngha l la chn chc nng ny H mt cchngu nhin. Bt k u vo bn chc nng H n -bit l (n) kt qu u ra -bit c th c xemnh l mt bng ch ra cho mi u vo x {0, 1}n c gi tr u ra tngng H(x) {0,1}l(n).S dng t t in i vi cc yu t u vo, iu ny c ngha l bt k chc nng nh vyc th c biu din bi mt chui c di 2n. l(n) bit, v ngc li rng mi chui c diny c th c xem nh l mt u vo bn chc nng n-bit l(n) bit kt qu u ra. Mt

h qu trc mt l c chnh xc U( ) 2 .

2

nl n

def chc nng khc nhauc di u vo v u raquy nh. Chn mt chc nng H thuc loi ny thng nht vo cc phng tin ngu nhin chnH thng nht t trong nhng kh nng U. Trong m hnh oracle ngu nhin nh chng ta hnhdung c n, iu ny tng ng vi vic khi to oracle bng cch chn nh mt H v c cutr li oracle theo H. Lu rng gi chui / bng i din cho H bt k thit b vt l s ihi mt s m(trong thi gian u vo) cabit, do ngay c i vi u vo va phi c kchthc ny khng phi l mt ci g chng ta c th hy vng s lm g trong th gii thc Tng ng, nhng thng thun tin hn, cch suy ngh v vic chn mt chc nng H thngnht mt cch ngu nhin l tng tng to ra ngu nhin cho H "trn bay," khi cn thit. Cth, hy tng tng rng cc chc nng c xc nh bi mt bng cc cp {(xi, Yi)} m banu trng. Khi oracle nhn c mt truy vn x n trc tin kim tra xem x = Xi cho mt scp (xi, Yi) trong bng; nu nh vy, Yi tng ng c tr v. Nu khng, mt chui ngunhin y {0, 1} l (n) c chn, cc cu tr li y c tr v, v cc ca hng oracle (x, y) trongbng ca mnh nn u ra tng t c th c tr li nu cng mt u vo l bao gi truy vnmt ln na. Trong khi ngi ta c th tng tng mang ny ra trong th gii thc, iu ny lthm t quan nim ca chng ta v "sa cha" cc chc nng mt ln H -v-f-hoc tt c trckhi bt u chy mt s chng trnh crytographic. T quan im ca cc bn tng tc vioracle, tuy nhin, n l hon ton tng ng. Chng ti nhn xt rng xem H nh vic la


5/5

chn cc gi tr u ra "on the fly" cng lm cho mi th d dng hn (v mt k thut cng nhcc khi nim) khi nh ngha ca Ngi trn mt min v hn nh {0, 1} *Khi chng ta nh ngha chc nng gi ngu nhin trong phn 3.6. 1, chng ti cng xem ccthut ton c quyn truy cp n kha cnh oracle mt hm ngu nhin. S rng c th l btk conf usion, chng ti lu rng vic s dng mt hm ngu nhin c rt khc nhau t vic s

dng mt hm ngu nhin y. , mt hm ngu nhin c s dng nh mt cch depht tin nhng g n c ngha l cho mt chc nng c th keyed l gi ngu nhin. Trong mhnh oracle ngu nhin, cc chc nng ngu nhin c s dng nh l mt phn cacc khuytim tr uction ca nguyn thy, v nh vy bng cch no phi c khi to trong th giithc, nu chng ta mun c mt hin thc c th ca cc nguyn thy

Security Proofs in the Random Oracle Model

The Random oracle model.docx

Documents

Transcript of The Random oracle model.docx