The Random oracle model.docx

download The Random oracle model.docx

of 5

Transcript of The Random oracle model.docx

  • 8/10/2019 The Random oracle model.docx

    1/5

    The Random oracle model , which was introduced in 1993 by Bella and Roway

    An approach which has been hugely successful in practice, and offers a "middle ground" between

    a fully-rigorous proof of security on the one hand and no proof whatsoever on the other, is to

    introduce an idealized model in which to prove the security of cryptographic schemes . Though the

    idealization may not be an accurate reflection of reality, we can at least derive some measure ofconfidence in the soundness of a scheme 's design from a proof within the idealized model. As

    long as the model is reasonable, such proofs are certainly better than no proofs at all.

    The most popular example of this approach is the random oracle model, which posits the existence

    of a public, randomly-chosen function H that can be evaluated only by "querying" an oracle - which

    can be thought of as a "magic box" -that returns H(x) when given input x (We will discuss in the

    following section exactly how this is to be interpreted.) To differentiate things , the model we

    have been using until now (where no random oracle is present ) is of ten called the "standard

    model" .

    No one seriously claims that a random oracle exists ( although there have been suggestions that a

    random oracle could be implemented in practice using a trusted party ) . Rather, the random oracle

    model provides a formal methodology that can be used to design and validate cryptographic

    schemes via the following two-step approach:

    1. First , a scheme is designed and proven secure in the random oracle model. That is, we assume

    the world. contains a random oracle , and construct and analyze a cryptographic scheme based on

    this assumption. Standard cryptographic assumptions (of the type we have seen until now) may

    be utilized in the proof of security as well.

    2. When we want to implement the scheme in the real world, a random oracle is not available.Instead , the random oracle H in the scheme is instantiated with a cryptographic hash function H

    such as SHA-1, modified appropriately. That is , at each point where the scheme dictates that a party

    should query the oracle for the value H(x), the party instead computes H(x) on its own

    The hope is that the cryptographic hash function used in the second step is "sufficiently good" at

    emulating a random oracle, so that the security proof given in the first step will carry over to

    the real-world instantiation of the scheme. A difficulty is that there is currently no theoretical

    justification for this hope, and in fact there exist (contrived) schemes that can be proven secure in

    the random oracle model but are insecure no matter how the random oracle is instantiated in the

    second step. Furthermore, as a practical matter it is not clear exactly what it means for a hash

    function to be "good" at emulating a random oracle, nor is it clear that this is an achievable goal.

    For these reasons , a proof of security for a scheme in the random oracle model should be viewed as

    providing evidence that the scheme has no "inherent design flaws" but should not be taken as

    a rigorous proof that any real-world instap tiation of the scheme is secure, Further discussion on

    how to interpret proof s in the random oracle model is given in Section 13. 1. 2

    The Random Oracle Model in Detail

  • 8/10/2019 The Random oracle model.docx

    2/5

    Before continuing , let us pin down exactly what the random oracle model entails. A good way

    to think about the random oracle model is as follows: The oracle" is simply a box that takes a

    binary string as input and returns a binary string as output . The internal workings of the box are

    unknown and inscrutable. Everyone - both honest parties as well as adversaries - can interact with

    the box, where such interaction consists of entering a binary string x as input and receiving a

    binary stringy as output; we refer to this as querying the oracle on x, and call x itself a query

    made to the oracle. Queries to the oracle are assumed to be private so that if some party queries the

    oracle on input x then no one else learns x, or even learns that this party queried the oracle at

    all. This makes sense , because calls to the oraele correspond in reality to local (private )

    evaluations of a cryptographic hash function.

    It is guaranteed that the box is consistent: that is, if the box ever outputs y for a particular input

    x, then it always outputs the same answer y when given the same input x again. This means

    that we can view the box as implementing a function H; i.e., we simply define the function H in

    terms of the input/output characteristics of the box. For convenience , we thus speak of "querying

    H" rather than querying the box. No one "knows" the entire function H (except the box itself ); atbest, all that is known ate the values of H on the strings that have been explicitly queried thus far

    We now discuss what it means to choose this function H at random. Any function H mapping n-bit

    inputs to l(n)-bit outputs can be viewed as a table indicating for each possible input x {0, 1 }n the

    corresponding output value H(x ) {0,1} l(n). Using lexicographic order for the inputs, this means

    that any such function can be represented by a string of length 2n l(n ) bits, and conversely that

    every string of this length can be viewed as a function mapping n-bit inputs to l(n)-bit outputs.

    An immediate corollary is that there are exactly U def 2l(n)2n different functions having the

    specified input and output lengths . Picking a function H of this type uniformly at random means

    choosing H uniformly from among these U possibilities. In the random oracle model as we havebeen picturing it, this corresponds to initializing the oracle by choosing such an H and having the

    oracle answer according to H. Note that storing the string/table representing H in any physical

    device would require an ex ponential (in the input length ) number of bits, so even for

    moderately-sized inputs this is not something we can hope to do in the real world

    An equivalent, but often more convenient, way to think about choosing a function H uniformly at

    random is to imagine generating random outputs for H "on the fly," as needed . Specifically, imagine

    that the function is defined by a table of pairs {(xi , Yi) } that is initially empty. When the oracle

    receives a query x it first checks whether x = Xi for some pair (xi, Yi ) in the table; if so, the

    corresponding Yi is returned . Otherwise, a random string y {0, 1}l(n) is chosen, the answer y is

    returned, and the oracle stores (x, y) in its table so the same output can be returned if the same

    input is ever queried again. While one could imagine carrying this out in the real world, this is

    further from our conception of "fixing" the function H once-and-f or-all before beginning to run

    some crytographic scheme. From the point of view of the parties interacting with the oracle,

    however, it is completely equivalent. We remark that viewing H as choosing output values "on the

    fly" also makes things much easier (technically as well as conceptually) when His defined over an

    infinite domain such as {0, 1}*

  • 8/10/2019 The Random oracle model.docx

    3/5

    When we defined pseudorandom functions in Section 3.6. 1, we also consid ered algorithms having

    oracle access to a random function. Lest there be any conf usion, we note that the usage of a

    random function there is very different from the usage of a random function here. There, a

    random function was used as a way of de fining what it means for a concrete keyed function to

    be pseudorandom . In the random oracle model, the random function is used as part of the cons tr

    uction of the primitive, and so must somehow be instantiated in the real world if we want a

    concrete realization of the primitive

    Mt cch tip cn cc k thnh cng trong thc t, v cung cp mt "tp trung" gia mtbng chng y nghim ngt v an ninh trn mt mt v khng c bng chng no v vickhc, l gii thiu mt m hnh l tng, trong chng minh s an ton ca chng trnhm ha. Mc d s l tng ha c th khng phn nh chnh xc thc t, t nht chng ta c thly c mt s bin php tin tng vo tnh ng n ca thit k mt chng trnh 's t mtbng chng trong cc m hnh l tng. Min l cc m hnh l hp l, bng chng nh vy lchc chn tt hn l khng c bng chng no c. Cc v d ph bin nht ca phng php ny l cc m hnh oracle ngu nhin, m tha nhn s

    tn ti ca mt cng ng, ngu nhin chn chc nng H c th c nh gi ch bng cch"truy vn" mt oracle - c th c coi nh mt "hp ma thut" - tr v H (x) khi cho u vox (chng ti s tho lun trong phn sau chnh xc cch ny phi c gii thch.) phn bits vt, cc m hnh chng ti c s dng cho n nay (ni khng c oracle ngu nhin lhin ti) l mi gi l "tiu chun m hnh". Khng ai nghim tc tuyn b rng mt oracle ngu nhin tn ti (mc d c nhng kincho rng mt oracle ngu nhinc th c thc hin trong thc t s dng mt bn tin cy).Thay vo , cc m hnh oracle ngu nhin cung cp mt phng php chnh thc c th cs dng thit k cc chng trnh m ha v xc thc thng qua cch tip cn hai bc sau: 1. u tin, mt chng trnh c thit k v c chng minh an ton trong m hnh oraclengu nhin. l, chng ta gi nh trn th gii. cha mt oracle ngu nhin, v xy dng v

    phn tch mt chng trnh m ha da trn gi nh ny. Gi nh mt m tiu chun (ca ccloi chng ti nhn thy cho n by gi) c th c s dng trong cc giy t chng minhbo mt tt.2. Khi chng ta mun thc hin n trong th gii thc, mt oracle ngu nhin l khng csn. Thay vo , oracle H ngu nhin trong chng trnh ny c khi to vi mt chc nngbm mt m H nh SHA-1, sa i cho ph hp. l, ti mi im m chng trnh ny niln rng mt bn nn truy vn cc oracle cho H gi tr (x), cc bn thay th tnh H (x) trnring ca mnhHy vng l cc hm bm mt m c s dng trong bc th hai l " tt" ti cnh tranh vimt oracle ngu nhin, chng minh an ninh c a ra trong cc bc u tin s thc hinqua cc instantiation th gii thc hin n. Mt kh khn l hin nay cha c bin minh l

    thuyt cho nim hy vng ny, v trong thc t c tn ti (gi to) chng trnh c th cchng minh l an ton trong m hnh oracle ngu nhin nhng khng an ton khng c vn nh th no oracle ngu nhin c khi to bc th hai. Hn na, nh mt vn thc t nkhng phi l r rng chnh xc nhng g n c ngha l cho mt hm bm l "tt" thi ua mtoracle ngu nhin, cng khng phi l r rng rng y l mt mc tiu c th t c. i vinhng l do ny, mtbng chng v an ninh i vi mt chng trnh trong m hnh oraclengu nhin nn c xem nh l cung cp bng chng rng chng trnh ny khng c "l hngthit k vn c", nhng khng nn c thc hin nh l mt bng chng kht khe m bt k

  • 8/10/2019 The Random oracle model.docx

    4/5

    instap m trong th gii thc ca chng trnh ny l an ton, tho lun su hn v cch giithch bng chng s trong m hnh oracle ngu nhin c a ra trong mc 13. 1. 2 Chi tit m hnh ngu nhin oracleTrc khi tip tc, chng ta hy ghim xung chnh xc nhng g cc m hnh oracle ngu nhini hi. Mt cch tt suy ngh v m hnh oracle ngu nhin nh sau: Cc "oracle" ch n

    gin l mt hp m phi mt mt chui nh phn nh l u vo v tr v mt chui nh phnnh u ra hot ng bn trong ca hp l khng r v kh hiu mi ngi -.. c hai bn trungthc cng l k th - c th tng tc vi cc hp, ni tng tc nh vy bao gm nhp mtchui nh phn x l u vo v nhn c mt si dy nh phn nh u ra, chng ti gi y ltruy vn oracle trn x, v x gi chnh n mt truy vn thc hin cho cc oracle. truy vn oraclec gi nh l tin nu mt bn truy vn oracle trn u vo x sau khng ai khc bit x,hoc thm ch bit rng bn ny hi nhng tri tt c. iu ny c ngha, bi v cc cuc gin cc oraele tng ng trong thc t n a phng (t nhn) nh gi ca mt hm bm mtm.N c m bo rng hp ph hp: l, nu hp bao gi kt qu u ra y cho mt u vo cth x, sau n lun lun xut ra cu tr li ging y khi cho cng mt u vo x ln na. iu

    ny c ngha rng chng ta c th xem cc hp nh thc hin mt chc nng H; tc l, chng tich n gin l xc nh cc chc nng H v cc c im u vo / u ra ca hp. thuntin, chng ti nh vy, ni v "truy vn H" ch khng phi l truy vn hp. Khng ai "bit"ton b chc nng H (tr cc hp ring ca mnh); lc tt nht, tt c nhng g c bit n ncc gi tr ca H trn y c hi mt cch r rng cho n nay. By gichng ta tho lun v nhng g n c ngha l la chn chc nng ny H mt cchngu nhin. Bt k u vo bn chc nng H n -bit l (n) kt qu u ra -bit c th c xemnh l mt bng ch ra cho mi u vo x {0, 1}n c gi tr u ra tngng H(x) {0,1}l(n).S dng t t in i vi cc yu t u vo, iu ny c ngha l bt k chc nng nh vyc th c biu din bi mt chui c di 2n. l(n) bit, v ngc li rng mi chui c diny c th c xem nh l mt u vo bn chc nng n-bit l(n) bit kt qu u ra. Mt

    h qu trc mt l c chnh xc U( ) 2 .

    2

    nl n

    def chc nng khc nhauc di u vo v u raquy nh. Chn mt chc nng H thuc loi ny thng nht vo cc phng tin ngu nhin chnH thng nht t trong nhng kh nng U. Trong m hnh oracle ngu nhin nh chng ta hnhdung c n, iu ny tng ng vi vic khi to oracle bng cch chn nh mt H v c cutr li oracle theo H. Lu rng gi chui / bng i din cho H bt k thit b vt l s ihi mt s m(trong thi gian u vo) cabit, do ngay c i vi u vo va phi c kchthc ny khng phi l mt ci g chng ta c th hy vng s lm g trong th gii thc Tng ng, nhng thng thun tin hn, cch suy ngh v vic chn mt chc nng H thngnht mt cch ngu nhin l tng tng to ra ngu nhin cho H "trn bay," khi cn thit. Cth, hy tng tng rng cc chc nng c xc nh bi mt bng cc cp {(xi, Yi)} m banu trng. Khi oracle nhn c mt truy vn x n trc tin kim tra xem x = Xi cho mt scp (xi, Yi) trong bng; nu nh vy, Yi tng ng c tr v. Nu khng, mt chui ngunhin y {0, 1} l (n) c chn, cc cu tr li y c tr v, v cc ca hng oracle (x, y) trongbng ca mnh nn u ra tng t c th c tr li nu cng mt u vo l bao gi truy vnmt ln na. Trong khi ngi ta c th tng tng mang ny ra trong th gii thc, iu ny lthm t quan nim ca chng ta v "sa cha" cc chc nng mt ln H -v-f-hoc tt c trckhi bt u chy mt s chng trnh crytographic. T quan im ca cc bn tng tc vioracle, tuy nhin, n l hon ton tng ng. Chng ti nhn xt rng xem H nh vic la

  • 8/10/2019 The Random oracle model.docx

    5/5

    chn cc gi tr u ra "on the fly" cng lm cho mi th d dng hn (v mt k thut cng nhcc khi nim) khi nh ngha ca Ngi trn mt min v hn nh {0, 1} *Khi chng ta nh ngha chc nng gi ngu nhin trong phn 3.6. 1, chng ti cng xem ccthut ton c quyn truy cp n kha cnh oracle mt hm ngu nhin. S rng c th l btk conf usion, chng ti lu rng vic s dng mt hm ngu nhin c rt khc nhau t vic s

    dng mt hm ngu nhin y. , mt hm ngu nhin c s dng nh mt cch depht tin nhng g n c ngha l cho mt chc nng c th keyed l gi ngu nhin. Trong mhnh oracle ngu nhin, cc chc nng ngu nhin c s dng nh l mt phn cacc khuytim tr uction ca nguyn thy, v nh vy bng cch no phi c khi to trong th giithc, nu chng ta mun c mt hin thc c th ca cc nguyn thy

    Security Proofs in the Random Oracle Model