Abstract
We take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes that result from implementing the random oracle by so called "cryptographic hash functions".The main result of this article is a negative one: There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges.
- Barak, B. 2001. How to go beyond the black-box simulation barrier. In Proceedings of the 42nd Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif., 106--115.]] Google Scholar
- Barak, B. 2002. Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In Proceedings of the 43rd Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif., 345--355.]] Google Scholar
- Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., and Yang, K. 2001. On the (im)possibility of software obfuscation. In Advances in Cryptology---CRYPTO '01. Lecture Notes in Computer Science, vol. 2139. Springer-Verlag, New York, 1--18.]] Google Scholar
- Bellare, M., and Rogaway, P. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st Conference on Computer and Communications Security. ACM, New York, 62--73.]] Google Scholar
- Bellare, M., and Rogaway, P. 1996. The exact security of digital signatures: How to sign with RSA and Rabin. In Advances in Cryptology---EUROCRYPT'96. Lecture Notes in Computer Science, vol. 1070. Springer-Verlag, New York, 399--416.]] Google Scholar
- Blum, M., and Micali, S. 1984. How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13, 850--864.]] Google Scholar
- Canetti, R. 1997. Towards realizing random oracles: Hash functions that hide all partial information. In Advances in Cryptology---CRYPTO'97. Lecture Notes in Computer Science, vol. 1294. Springer-Verlag, New York, 455--469.]] Google Scholar
- Canetti, R., Feige, U., Goldreich, O., and Naor, M. 1996. Adaptively secure computation. In Proceedings of the 28th Annual Symposium on Theory of Computing. ACM, New York, (Longer version in MIT-LCS-TR #682, 1996).]] Google Scholar
- Canetti, R., Goldreich, O., and Halevi, S. 1998a. The random oracle methodology, revisited (preliminary version). In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing. ACM, New York, 209--218. (TR version(s) available on-line from http://eprint.iacr.org/1998/011 and http://xxx.lanl.gov/abs/cs.CR/0010019.)]] Google Scholar
- Canetti, R., Micciancio, D., and Reingold, O. 1998b. Perfectly one-way probabilistic hashing. In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing. ACM, New York, 131--140.]] Google Scholar
- Damgård, I. B. 1987. Collision free hash functions and public key signature schemes. In Advances in Cryptology---EUROCRYPT'87. Lecture Notes in Computer Science, vol. 304. Springer-Verlag, New York, 203--216.]]Google Scholar
- Dwork, C., Naor, M., Reingold, O., and Stockmeyer, L. 2003. Magic functions. J. ACM 50, 6 (Nov.), 852--921.]] Google Scholar
- Fiat, A., and Shamir, A. 1986. How to prove yourself. Practical solutions to identification and signature problems. In Advances in Cryptology---CRYPTO'86. Lecture Notes in Computer Science, vol. 263. Springer-Verlag, New York, 186--189.]] Google Scholar
- Gennaro, R., Halevi, S., and Rabin, T. 1999. Secure hash-and-sign signatures without the random oracle. In Advances in Cryptology---EUROCRYPT'99. Lecture Notes in Computer Science, vol. 1592. Springer-Verlag, New York, 123--139.]] Google Scholar
- Goldreich, O. 1993. A uniform complexity treatment of encryption and zero-knowledge. J. Crypt. 6, 1, 21--53.]]Google Scholar
- Goldreich, O. 1999. Encryption schemes---Fragments of a chapter. Available from http://www.wisdom.weizmann.ac.il/∼oded/foc-vol2.html.]]Google Scholar
- Goldreich, O. 2002. The GGM construction does NOT yield correlation intractable function ensembles. ECCC TR02-047, http://www.eccc.uni-trier.de/eccc/.]]Google Scholar
- Goldreich, O., Goldwasser, S., and Micali, S. 1986. How to construct random functions. J. ACM 33, 4, 210--217.]] Google Scholar
- Goldreich, O., and Krawczyk, H. 1996. On the composition of zero-knowledge proof systems. SIAM J. Comput. 25, 1, 169--192.]] Google Scholar
- Goldwasser, S., and Micali, S. 1984. Probabilistic encryption. J. Comput. Syst. Sci. 28, 2 (Apr.), 270--299.]]Google Scholar
- Goldwasser, S., Micali, S., and Rivest, R. 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17, 2 (Apr.), 281--308.]] Google Scholar
- Guillou, L., and Quisquater, J. 1988. A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory. In Advances in Cryptology---EUROCRYPT'88. Lecture Notes in Computer Science, vol. 330. Springer-Verlag, New York, 123--128.]] Google Scholar
- Hada, S., and Tanaka, T. 1999. A relationship between one-wayness and correlation intractability. In Proceedings of the 2nd International Workshop on Practice and Theory in Public Key Cryptography (PKC'99). Lecture Notes in Computer Science, vol. 1560. Springer-Verlag, New York, 82--96.]] Google Scholar
- Impagliazzo, R., and Rudich, S. 1989. Limits on the provable consequences of one-way permutations. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing. ACM, New York, 44--61.]] Google Scholar
- Kilian, J. 1992. A note on efficient zero-knowledge proofs and arguments. In Proceedings of the 24th Annual ACM Symposium on the Theory of Computing. ACM, New York, 723--732.]] Google Scholar
- Micali, S. 2000. Computationally sound proofs. SIAM J. Comput. 30, 4, 1253--1298. (Preliminary version in 35th FOCS, 1994.)]] Google Scholar
- Naor, M., and Nissim, K. 1999. Computationally sound proofs: Reducing the number of random oracle calls. Manuscript.]]Google Scholar
- Naor, M., and Yung, M. 1989. Universal one-way hash functions and their cryptographic applications. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing. ACM, New York, 33--43.]] Google Scholar
- Nielsen, J. 2002. Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In Advances in Cryptology---CRYPTO'02. Lecture Notes in Computer Science, vol. 2442. Springer-Verlag, New York, 111--126.]] Google Scholar
- Nissim, K. 1999. Two results regarding correlation intractability. Manuscript.]]Google Scholar
- Okamoto, T. 1992. Provably secure and practical identification scheme and corresponding signature scheme. In Advances in Cryptology---CRYPTO'92. Lecture Notes in Computer Science, vol. 740. Springer-Verlag, New York, 31--53.]] Google Scholar
- Pointcheval, D., and Stern, J. 1996. Security proofs for signature schemes. In Advances in Cryptology---EUROCRYPT'96. Lecture Notes in Computer Science, vol. 1070. Springer-Verlag, New York, 387--398.]] Google Scholar
- Rompel, J. 1990. One-way functions are necessary and sufficient for secure signatures. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing. ACM, New York, 387--394.]] Google Scholar
- Schnorr, C. 1991. Efficient signature generation by smart cards. J. Cryptology 4, 3, 161--174.]]Google Scholar
- Yao, A. 1982. Theory and applications of trapdoor functions. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif., 80--91.]]Google Scholar
Index Terms
- The random oracle methodology, revisited
Recommendations
Secure public-key encryption scheme without random oracles
Since the first practical and secure public-key encryption scheme without random oracles proposed by Cramer and Shoup in 1998, Cramer-Shoup's scheme and its variants remained the only practical and secure public-key encryption scheme without random ...
Designated verifier proxy signature scheme without random oracles
In a designated verifier proxy signature scheme, one can delegate his or her signing capability to another user in such a way that the latter can sign messages on behalf of the former, but the validity of the resulting signatures can only be verified by ...
Random oracle reducibility
CRYPTO'11: Proceedings of the 31st annual conference on Advances in cryptologyWe discuss a reduction notion relating the random oracles in two cryptographic schemes A and B. Basically, the random oracle of scheme B reduces to the one of scheme A if any hash function instantiation of the random oracle (possibly still oracle based) ...
Comments