Modern Cryptography
COMP 443 / 543, Chapter 13
Alptekin Küpçü
Computer Science and Engineering, Koç University
Main Topics
Random Oracle Model
Proof Methodology
Advantages/Disadvantages
Uses of Random Oracles
Schemes Secure in ROM
CCA-Secure PKE
Digital Signatures
Currently-Known Schemes
Most of the currently-known schemes in the standard model do not satisfy stronger security definitions such as CCA-security.
The schemes known to satisfy strong security definitions are mostly inefficient.
The inefficiency is decided mostly by companies, not the users.
Most of the efficient schemes in use today have no security proofs at all.
Or they have security proofs in the Random Oracle Model.
Random Oracle Model
The Random Oracle Model is just a proof methodology. It does not correspond to any real-world instantiation.
Proofs in the Random Oracle Model:
The adversary is given access to a Random Oracle.
The challenger needs to simulate this Random Oracle.
The challenger may pick the return values of the Random Oracle as she wants, as long as the values are distributed in a uniformly-random fashion.
Also, the same output needs to be returned for the same query: Random Oracles are deterministic but random functions.
Since the challenger simulates the Random Oracle, she gets to learn all the queries the adversary makes.
If an adversary did not query the Random Oracle on value x, then the value RO(x) is completely random from his point of view.
Random Oracle
A Random Oracle is a deterministic function.
No one knows the actual function that the Random Oracle computes.
But everyone has access to it; it is public.
The ideal Random Oracle definition requires exponential space and time.
Being deterministic, the Random Oracle always returns the same output when given the same input.
A Random Oracle can be thought of as the following algorithm:
1. Keep a database, initially empty.
2. On input x, search the database for x.
   2.1 If x is not in the database, pick a random value y and store <x, y> in the database.
   2.2 If x is in the database, retrieve the corresponding y.
3. Output y.
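The database algorithm above, combined with the challenger's view from the proof-methodology slide (she sees every query and may fix an output in advance as long as it stays uniform and determinism is preserved), as an added Python example that is not part of the lecture; the class, method names and sample inputs are my own construction.

```python
import secrets

class RandomOracle:
    """Lazily sampled random oracle: the function is defined only on the
    points queried so far; every unqueried point is uniform and independent.
    Constructed for this example, not code from the lecture."""

    def __init__(self, out_bytes=32):
        self.out_bytes = out_bytes
        self.table = {}      # the database of <x, y> pairs, initially empty
        self.queries = []    # the challenger runs the oracle, so she sees each query

    def query(self, x):
        """RO(x): return the stored y for x, sampling a fresh uniform y if x is new."""
        self.queries.append(x)
        if x not in self.table:
            self.table[x] = secrets.token_bytes(self.out_bytes)
        return self.table[x]

    def program(self, x, y):
        """Challenger-side 'programming': fix RO(x) := y before anyone queries x.
        The adversary cannot tell, provided y is uniform, because an unqueried
        point is uniform from its point of view. Refused (returns False) once x
        already has a value, since changing it would break determinism."""
        if x in self.table or len(y) != self.out_bytes:
            return False
        self.table[x] = y
        return True

def simulate_round():
    """One challenger/adversary interaction: the adversary queries, the
    challenger observes the transcript and programs one unqueried point."""
    ro = RandomOracle()
    a1 = ro.query(b"alice")          # constructed adversary queries
    a2 = ro.query(b"alice")          # same input -> same output (deterministic)
    b1 = ro.query(b"bob")            # different input -> independent output
    y_star = secrets.token_bytes(32) # challenger's chosen (uniform) value
    programmed = ro.program(b"challenge", y_star)
    rejected = ro.program(b"alice", y_star)   # already defined: must fail
    return {
        "deterministic": a1 == a2,
        "independent": a1 != b1,
        "programmed": programmed and ro.query(b"challenge") == y_star,
        "rejected": not rejected,
        "seen_queries": list(ro.queries),
    }
```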
Security Definitions in the Standard Model
All the security definitions in the standard model follow this paradigm:
1. Define a game for a protocol Π as Game_{A,Π}.
2. Define what it means for the adversary to win the game.
3. Calculate the inherent probability of winning for the adversary.
4. Define the adversary's advantage as Pr[win] − Pr[inherent].
5. Require that the adversary's advantage is negligible in the security parameter for all PPT adversaries.
6. The probabilities are over the random choices of the protocol and the adversary.
Security Definitions in the Random Oracle Model
All the security definitions in the Random Oracle Model follow this paradigm:
1. Define a game for a protocol Π as Game_{A^RO, Π^RO}. Notice that both the protocol and the adversary are given access to the same Random Oracle.
2. Define what it means for the adversary to win the game.
3. Calculate the inherent probability of winning for the adversary.
4. Define the adversary's advantage as Pr[win] − Pr[inherent].
5. Require that the adversary's advantage is negligible in the security parameter for all PPT adversaries.
6. The probabilities are over the random choices of the protocol, the adversary, and the Random Oracle.
Disadvantages of ROM
In the real world, it seems there are no Random Oracles. Mostly, Random Oracles are instantiated using hash functions, but hash functions are fixed and known functions, rather than unknown oracles.
In the real world, the parties running the protocol cannot decide on the output of the Random Oracle, or see the queries of an adversary, as the challenger did in the proof.
There are (unnatural) schemes that are proven secure in the Random Oracle Model, while they are proven insecure in the standard model, regardless of how the Random Oracle is instantiated. Thus a proof in the Random Oracle Model does not imply security in the real world.
Advantages of ROM
A proof in the Random Oracle Model is better than no proof, since it "means" that if the scheme is broken, this must be because of the instantiation of the Random Oracle, and hence the hash function needs to be replaced by a better one.
Even though schemes that are secure in the Random Oracle Model have been widely used due to their efficiency, there have not been many attacks on such schemes.
The Random Oracle Model is widely known and accepted in the cryptography community.
Uses of Random Oracles
A Random Oracle can be used to construct:
1. One-way function
2. Collision-resistant hash function
3. Pseudo-random function F_k(x) = RO(k || x)
Note that we cannot restrict the adversary to using a concrete unkeyed function only as an oracle, i.e., we cannot require that the adversary must "evaluate" the function to obtain its output. However unintuitive, there may be a way for the adversary to obtain the output of a function without explicitly evaluating the function, once he has the definition of that function.
RSA in ROM
Enc_{N,e}(m) picks random r ← Z_N^*, sets c_1 = r^e mod N and c_2 = RO(r) ⊕ m, and outputs c = (c_1, c_2).
CPA-secure by reduction to the RSA assumption and the one-time pad, in the ROM. (p. 470)
Enc_{N,e}(m) picks random r ← Z_N^*, sets c_1 = r^e mod N and c_2 = Enc'_{RO(r)}(m), and outputs c = (c_1, c_2).
Generalization of the above. BUT:
CCA-secure by reduction to the RSA assumption and the CCA-security of Enc', in the ROM. (p. 474)
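The first scheme (c_1 = r^e mod N, c_2 = RO(r) ⊕ m) with its decryption, as an added Python example that is not part of the lecture; the RSA key is a constructed toy key, and RO is instantiated with SHA-256, which is exactly the fixed-hash substitution the disadvantages slide warns about.

```python
import hashlib
import math
import secrets

# Toy RSA key, constructed for this example: far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # needs gcd(E, phi(N)) = 1, which holds here

def ro(r, out_len):
    """RO(r) instantiated with SHA-256, a fixed public hash function rather than
    an unknown oracle. Counter mode stretches the output to out_len bytes so
    it can serve as a one-time pad for a message of that length."""
    out = b""
    for ctr in range((out_len + 31) // 32):
        out += hashlib.sha256(b"RO|" + r.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return out[:out_len]

def sample_unit():
    """Pick r uniformly from Z_N^*: 1 <= r < N with gcd(r, N) = 1."""
    while True:
        r = 1 + secrets.randbelow(N - 1)
        if math.gcd(r, N) == 1:
            return r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(m):
    """Enc_{N,e}(m): c1 = r^e mod N hides r under the RSA assumption; c2 = RO(r) XOR m
    is a one-time pad whose key stays uniform to anyone who never queries RO on r."""
    r = sample_unit()
    c1 = pow(r, E, N)
    c2 = xor(ro(r, len(m)), m)
    return c1, c2

def dec(c1, c2):
    """Recover r with the private exponent d, then re-derive the pad and strip it."""
    r = pow(c1, D, N)
    return xor(ro(r, len(c2)), c2)
```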
Full-Domain Hash
Remember hash-and-sign RSA:
Sign_{N,d}(m) → H(m)^d mod N
Existentially unforgeable under adaptive chosen-message attack when H is modeled as a Random Oracle. (p. 484)
Note that H(m) must return a random element in Z_N^*, not just any random string. Hence, we need a special hash function named "full-domain hash" here.
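Hash-and-sign RSA with H built as a full-domain hash into Z_N^*, as an added Python example that is not part of the lecture; the key is a constructed toy key, and building H by counter-hashing with rejection sampling is my choice of instantiation (with a fixed hash in place of the oracle).

```python
import hashlib
import math

# Toy RSA key, constructed for this example: far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def full_domain_hash(m):
    """H(m) as an element of Z_N^*, not merely a random bit string.
    Hash m together with a counter into a value of N's bit length and reject
    until the candidate lies in [1, N) and is coprime to N. With the hash
    modeled as a random oracle, rejection sampling makes H(m) uniform over
    Z_N^*, which is what the unforgeability proof needs."""
    nbits = N.bit_length()
    nbytes = (nbits + 7) // 8
    ctr = 0
    while True:
        digest = hashlib.sha256(b"FDH|" + ctr.to_bytes(4, "big") + m).digest()
        cand = int.from_bytes(digest[:nbytes], "big") & ((1 << nbits) - 1)
        if 0 < cand < N and math.gcd(cand, N) == 1:
            return cand
        ctr += 1   # a fixed message always walks the same counters: H is deterministic

def sign(m):
    """Sign_{N,d}(m) = H(m)^d mod N."""
    return pow(full_domain_hash(m), D, N)

def verify(m, sigma):
    """Accept iff sigma is in range and sigma^e mod N equals H(m)."""
    return 0 < sigma < N and pow(sigma, E, N) == full_domain_hash(m)
```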
TODO Next
Solve all exercises at the end of Chapter 13. Hard ones are: 3, 5, 6, 7.
We are done with the whole textbook. Are we done yet?
NO. As the name of your book suggests, we have only finished an introduction to modern cryptography, with the hope that you can now read many papers and improve yourselves.
What next then?
Zero-Knowledge Proofs, Commitments, Secure Multi-Party Computation, Oblivious Transfer, Setup Assumptions (e.g., Chosen-Reference String (public parameters), Chosen-Random String, Tamper-Proof Hardware), Universal Composability Framework, ...