1.3 Reductionist security
1.3.4 Ideal proof models
In Subsection 1.3.3, we provided a security reduction from the Flexible RSA problem to EUF-CMA breaking the GHR signature scheme without making any assumption on the ingredients of the scheme (the group Z_N^×, the hash function Ψ, etc.); we say that such a reduction stands in the standard model. Standard-model proofs are usually difficult to obtain even when the design is extremely simple, e.g. RSA-FDH [Bellare & Rogaway, 1996]. This explains why cryptographers resort to idealizing some component of the scheme in question and providing a security proof from the presumed hard problem to breaking the scheme with respect to a generic adversary, i.e. an adversary that can access the idealized object only through an oracle. Such proofs give no guarantee about the real security of the scheme in the standard model, as there exist many designs that are proven secure in idealized settings but are insecure once the idealized component is instantiated. However, they provide strong evidence that the scheme is secure as long as the underlying problem is hard and the adversary does not exploit specific properties of the concrete instantiation of the idealized component.
The random oracle model (ROM). This is a mathematical abstraction used to model a random hash function. It consists of a theoretical black box that responds to every query with a string chosen uniformly at random from the output domain, with the single constraint that a repeated query receives the same answer as the first time. The random oracle can be simulated by lazy sampling: for every new query x, pick a random element y from the given range and store the pair (x, y) in a history list Hist, so that if the same query x is asked again the reply is the stored y. Random oracles proved useful in cryptography; they were first considered by Fiat and Shamir in [Fiat & Shamir, 1986] to remove interaction from 3-round public-coin identification schemes. Later, they were used by Bellare and Rogaway in [Bellare & Rogaway, 1993] to provide generic constructions of encryption and signature schemes. As previously mentioned, there are schemes that are proven secure in the ROM but insecure in the standard model. We note for instance the result of Goldwasser and Tauman Kalai [Goldwasser & Tauman Kalai, 2003], which exhibits secure 3-round public-coin identification schemes for which the transformation of Fiat and Shamir [Fiat & Shamir, 1986] yields insecure digital signature schemes for any hash function used in the transformation. This contrasts with the work of Pointcheval and Stern [Pointcheval & Stern, 2000], which proved that the Fiat-Shamir methodology always produces EUF-CMA secure digital signatures in the ROM. The result of [Goldwasser & Tauman Kalai, 2003] is strengthened by the work of Paillier and Vergnaud [Paillier & Vergnaud, 2005], which shows that some signatures obtained from the Fiat-Shamir paradigm cannot be proven even UUF-KOA secure in the standard model by an algebraic reduction from the discrete logarithm problem. Finally, we close this paragraph by citing a recent positive result about the ROM, namely a construction of a hash function into elliptic curves that is indifferentiable from a random oracle; we refer to [Coron & Icart, 2009] for further details.
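The lazy-sampling simulation of the random oracle, and the Fiat-Shamir transformation it was first introduced for, can both be seen in a few lines of code. The following is an added example, not code from the thesis: it simulates the oracle with a history list Hist exactly as described above, and uses it to turn the Schnorr identification protocol (prover sends R = g^r, verifier sends a random challenge c, prover answers s = r + cx) into a signature by replacing the verifier's challenge with the oracle reply on (R, message). The group parameters p = 2039, q = 1019, g = 4 are constructed toy values, far too small for real use, chosen only so the arithmetic is easy to inspect; the function names are the example's own.

```python
import random

# Constructed toy parameters: p = 2q + 1 with p, q prime, g of prime order q.
P, Q, G = 2039, 1019, 4


class RandomOracle:
    """Lazy simulation of a random oracle H: {0,1}* -> {0,1}^128.

    Hist maps each query to its reply, so a repeated query gets the same
    answer; a fresh query gets a fresh uniformly random 128-bit string.
    """

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.hist = {}

    def query(self, x: bytes) -> int:
        if x not in self.hist:
            self.hist[x] = self.rng.getrandbits(128)
        return self.hist[x]


def keygen(rng):
    x = rng.randrange(1, Q)          # secret key
    return x, pow(G, x, P)           # (sk, pk = g^x)


def sign(ro, sk, msg, rng):
    """Schnorr identification made non-interactive with Fiat-Shamir.

    The verifier's random challenge c is replaced by the random oracle
    reply on the commitment R and the message.
    """
    r = rng.randrange(1, Q)
    R = pow(G, r, P)
    c = ro.query(R.to_bytes(2, "big") + msg)
    s = (r + (c % Q) * sk) % Q
    return c, s


def verify(ro, pk, msg, sig):
    c, s = sig
    # Recompute the commitment: g^s * y^(-c) = g^(r + cx) * g^(-cx) = R.
    # pk has order q, so pk^(q - c) = pk^(-c).
    R = pow(G, s, P) * pow(pk, Q - (c % Q), P) % P
    # Oracle consistency is what makes verification possible: the same
    # query (R, msg) must return the same c the signer obtained.
    return ro.query(R.to_bytes(2, "big") + msg) == c


def demo(seed=0):
    """Sign, verify, tamper; report the size of Hist after each step."""
    rng = random.Random(seed)
    ro = RandomOracle(seed)
    sk, pk = keygen(rng)
    sig = sign(ro, sk, b"transfer 10", rng)
    after_sign = len(ro.hist)
    ok = verify(ro, pk, b"transfer 10", sig)
    after_verify = len(ro.hist)          # same query (R, msg): no new entry
    forged = verify(ro, pk, b"transfer 99", sig)
    after_forgery = len(ro.hist)         # new query: fresh random reply != c
    return dict(valid=ok, forged=forged,
                hist_sizes=(after_sign, after_verify, after_forgery))
```

Signer and verifier must share the same oracle object: in a proof the simulator controls Hist, which is what lets it answer the adversary's hash queries consistently while embedding its own challenge, and the tampered message is rejected because its query lands on a fresh entry of Hist whose reply matches c only with probability 2^-128.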
The generic group model. A generic model of a group was first introduced by Nechaev [Nechaev, 1994]. Shoup [Shoup, 1997] later improved these results and applied the model to cryptography. In this model, one assumes that operations in a group can be performed only by means of an oracle. More specifically, suppose that G is an (additive) group of prime order q. Then G is isomorphic to the additive group Z_q and, for any non-identity element P ∈ G, the isomorphism sending i ∈ Z_q to iP can be computed efficiently, using the double-and-add algorithm (the additive analogue of repeated squaring) to perform the scalar multiplication in polynomial time. In a generic group, one assumes that instead of having explicit formulas for the group element iP, we only have an "encoding" σ(i) ∈ S ⊂ {0, 1}* that represents the element iP. A generic algorithm A then consults the oracle for two types of queries:
1. Given an integer i ∈ Z_q, A requests the encoding of iP: the oracle selects a value σ(i) at random from the given set of bit strings, distinct from the encodings already issued, to represent the element iP.
2. Given two encodings σ(i) and σ(j), A requests (without necessarily knowing i and j) the encoding σ(i ± j) of the element (i ± j)P. Again the oracle responds with a randomly chosen bit string.
The only condition on the oracle responses is that if the same group element is queried a second time, the same encoding must be returned.
One of the important results in this model is the analysis of complexity assumptions in group-based cryptography. For instance, Shoup gave in [Shoup, 1997] lower bounds for solving the discrete logarithm problem and some related problems: any generic algorithm needs Ω(√q) oracle queries to compute discrete logarithms in a group of prime order q. Finally, a security proof in this model rules out any adversary that behaves generically with respect to the given group, i.e. that interacts with the group only through the oracle. However, it does not rule out the existence of a successful adversary for a specific group, whose concrete representation may carry exploitable structure [Dent, 2002; Stern et al., 2002].
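To make the oracle concrete, the following added example (the example's own code, not part of the thesis) simulates the two query types above and runs a generic discrete-logarithm algorithm against it: baby-step giant-step, which only ever compares encodings and therefore works in any group, matching Shoup's √q bound up to a constant. The group order q = 10007, the secret exponent x = 4242 and the 64-bit encodings are constructed values; the class and function names are assumptions of the example.

```python
import math
import random


class GenericGroupOracle:
    """Oracle for a generic group of prime order q (constructed simulation).

    Elements exist only as random bit-string encodings sigma(i) of iP.
    The table dec is private to the oracle: an algorithm never learns i
    for an encoding it did not request by value.
    """

    def __init__(self, q, seed=None):
        self.q = q
        self.rng = random.Random(seed)
        self.enc = {}        # i mod q -> sigma(i)
        self.dec = {}        # sigma(i) -> i   (oracle-private)
        self.queries = 0

    def _encoding_of(self, i):
        i %= self.q
        if i not in self.enc:
            s = self.rng.getrandbits(64).to_bytes(8, "big")
            while s in self.dec:            # encodings are injective
                s = self.rng.getrandbits(64).to_bytes(8, "big")
            self.enc[i], self.dec[s] = s, i
        return self.enc[i]

    def encode(self, i):
        """Query type 1: the encoding sigma(i) of iP."""
        self.queries += 1
        return self._encoding_of(i)

    def op(self, s1, s2, sign=1):
        """Query type 2: sigma(i + j) or sigma(i - j) from sigma(i), sigma(j)."""
        self.queries += 1
        i, j = self.dec[s1], self.dec[s2]   # KeyError if not a valid encoding
        return self._encoding_of(i + sign * j)


def generic_dlog(oracle, sigma_p, sigma_x):
    """Baby-step giant-step using only oracle queries.

    Given sigma(1) and sigma(x), returns x with about 2*sqrt(q) queries;
    Shoup's lower bound says no generic algorithm does much better.
    """
    m = math.isqrt(oracle.q - 1) + 1              # ceil(sqrt(q))
    baby = {}
    cur = oracle.encode(0)                        # sigma(0P)
    for j in range(m):                            # baby[sigma(jP)] = j
        baby[cur] = j
        cur = oracle.op(cur, sigma_p)             # sigma((j+1)P)
    sigma_m = oracle.encode(m)                    # sigma(mP)
    gamma = sigma_x                               # sigma((x - k*m)P)
    for k in range(m + 1):
        if gamma in baby:                         # x = k*m + j
            return (k * m + baby[gamma]) % oracle.q
        gamma = oracle.op(gamma, sigma_m, -1)     # subtract mP
    return None


def demo(q=10007, x=4242, seed=3):
    """Challenger hands the adversary sigma(1) and sigma(x); count its queries."""
    oracle = GenericGroupOracle(q, seed)
    sigma_p, sigma_x = oracle.encode(1), oracle.encode(x)
    before = oracle.queries
    found = generic_dlog(oracle, sigma_p, sigma_x)
    return found, oracle.queries - before, math.isqrt(q - 1) + 1
```

The solver's only use of the group is membership tests on encodings, which is exactly what "generic" means; an adversary for a specific group could instead inspect the bit pattern of a real representation (a residue mod p, a curve point) and that is the possibility the model cannot speak to.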
The ideal cipher model. It consists in modelling a block cipher as a family of random permutations, one independent permutation for each key. A random permutation E takes a pair (k, x) and returns y = E(k, x), uniformly distributed among the values of the range not yet assigned under key k; of course x = E^{-1}(k, y). To simulate such a permutation, one proceeds as follows. For any new pair (k, x), pick y at random from the output domain such that no record (k, x′, y) already appears in Hist[E] (otherwise E(k, ·) would no longer be injective), set E(k, x) = y, return y, and update the history Hist[E] with the record (k, x, y). Inverse queries E^{-1}(k, y) are handled symmetrically: if y already appears in a record (k, x, y), return x; otherwise pick a fresh x that is not yet an input under k and record (k, x, y). Such a simulation looks similar to the random oracle simulation. In fact, the equivalence between the ROM and the ideal cipher model was left as an open problem until Coron et al. [Coron et al., 2005] showed that security in the ROM implies security in the ideal cipher model; namely, they showed that a random oracle can be replaced by a block cipher-based construction (a Merkle-Damgård style iteration with prefix-free padding of a compression function built from the block cipher), and the resulting scheme remains secure in the ideal cipher model. The other direction was addressed three years later in [Coron et al., 2008], using a six-round Feistel network built from random oracles; however, the indifferentiability proof given there was later found to be flawed, and a corrected result, for a fourteen-round Feistel network, was subsequently given by Holenstein, Künzler and Tessaro.
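The detail that distinguishes this simulation from the random oracle one is the permutation constraint: an output already assigned under a key must never be reused, and inverse queries must be answered from the same records. The following added example (not code from the thesis) implements Hist[E] as a pair of per-key tables so that both directions stay consistent, and checks exhaustively on an 8-bit toy block size that E(k, ·) is a permutation; the block size, keys and function names are the example's own assumptions.

```python
import random


class IdealCipher:
    """Lazily sampled ideal cipher E: K x {0,1}^n -> {0,1}^n (constructed).

    For each key k, Hist[E] is kept as two tables so that both E(k, .)
    and E^-1(k, .) can be answered consistently and E(k, .) stays a
    permutation: an output already assigned under k is never reused.
    """

    def __init__(self, n_bits, seed=None):
        self.n = n_bits
        self.rng = random.Random(seed)
        self.fwd = {}        # key -> {x: y}   (the records (k, x, y))
        self.inv = {}        # key -> {y: x}   (the same records, by y)
        self.queries = 0

    def _tables(self, k):
        if k not in self.fwd:
            self.fwd[k], self.inv[k] = {}, {}
        return self.fwd[k], self.inv[k]

    def _fresh(self, used):
        """Uniform n-bit value not yet in `used` (rejection sampling).

        Terminates because a fresh query arrives only while at most
        2^n - 1 values are used.
        """
        v = self.rng.getrandbits(self.n)
        while v in used:
            v = self.rng.getrandbits(self.n)
        return v

    def encrypt(self, k, x):
        assert 0 <= x < 2 ** self.n
        self.queries += 1
        fwd, inv = self._tables(k)
        if x not in fwd:                      # new pair (k, x)
            y = self._fresh(inv)              # no record (k, x', y) yet
            fwd[x], inv[y] = y, x
        return fwd[x]

    def decrypt(self, k, y):
        assert 0 <= y < 2 ** self.n
        self.queries += 1
        fwd, inv = self._tables(k)
        if y not in inv:                      # new inverse pair (k, y)
            x = self._fresh(fwd)              # no record (k, x, y') yet
            fwd[x], inv[y] = y, x
        return inv[y]


def is_permutation(cipher, k):
    """Query every input under k and check the outputs are all distinct."""
    outputs = [cipher.encrypt(k, x) for x in range(2 ** cipher.n)]
    return len(set(outputs)) == 2 ** cipher.n


def demo(seed=7):
    """Round trips in both directions on an 8-bit toy block size."""
    E = IdealCipher(8, seed)
    y = E.encrypt(b"k1", 5)
    x = E.decrypt(b"k1", 200)               # inverse query on an unseen y
    return dict(
        consistent=E.encrypt(b"k1", 5) == y,
        fwd_inv=E.decrypt(b"k1", y) == 5,
        inv_fwd=E.encrypt(b"k1", x) == 200,
        perm=is_permutation(E, b"k1"),
    )
```

Dropping the `used` check in `_fresh` gives a simulator that is a random function rather than a random permutation per key; a distinguisher that encrypts all 2^n inputs and looks for a repeated output tells the two apart, which is why the check matters in indifferentiability arguments that replace one object by the other.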