Random oracle

In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time that query is submitted.

Stated differently, a random oracle is a mathematical function chosen uniformly at random, that is, a function mapping each possible query to a (fixed) random response from its output domain.

Random oracles first appeared in complexity theory, where they were used to argue that separations between complexity classes may face relativization barriers; the most prominent case is P versus NP, two classes shown in 1981 to be distinct relative to a random oracle almost surely.[1] They entered cryptography with the 1993 paper of Mihir Bellare and Phillip Rogaway, which introduced them as a formal model for use in reductionist security proofs.[2]

They are typically used when the proof cannot be carried out using weaker assumptions on the cryptographic hash function. A system that is proven secure when every hash function is replaced by a random oracle is described as being secure in the random oracle model, as opposed to secure in the standard model of cryptography.

Applications

Random oracles are typically used as an idealised replacement for cryptographic hash functions in schemes that need strong randomness assumptions about the hash function's output. Such a proof typically shows that any attacker who breaks the system must either solve a mathematical problem believed to be hard, or obtain an output of the oracle on a query it never made, which is impossible except by guessing: an unqueried output of a random oracle is uniformly random and independent of everything the attacker has seen. Such a proof establishes these properties only in the random oracle model; its practical value is that it rules out design flaws that would be exploitable regardless of which concrete hash function is used. It is in general not true that such a proof implies the same properties in the standard model. Still, a proof in the random oracle model is considered better than no formal security proof at all.[3]

Not all uses of cryptographic hash functions require random oracles: schemes that require only one or more properties having a definition in the standard model (such as collision resistance, preimage resistance, second preimage resistance, etc.) can often be proven secure in the standard model (e.g., the Cramer–Shoup cryptosystem).

Random oracles have long been considered in computational complexity theory,[4] and many schemes have been proven secure in the random oracle model, for example Optimal Asymmetric Encryption Padding, RSA-FDH and PSS. In 1986, Amos Fiat and Adi Shamir[5] showed a major application of random oracles: removing interaction from protocols. In their transform, the verifier's random challenge in an interactive identification protocol is replaced by the hash of the prover's first message (and the message to be signed), which turns a three-move identification protocol into a non-interactive signature scheme.
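The Fiat–Shamir transform described above, as an added worked example (this code is not from the original article or from any cited paper). It uses a Schnorr-style identification protocol over a toy prime-order group constructed for this example (p = 1019, q = 509, g = 4; these parameters are far too small to be secure), and instantiates the random oracle with SHA-256, which is the assumption every deployed Fiat–Shamir signature makes. The same prover response is used in both the interactive protocol, where the verifier picks the challenge, and the signature, where the hash picks it.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example (NOT secure parameters):
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def keygen():
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover's first move: random nonce k and commitment R = g^k mod p."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def respond(x, k, c):
    """Prover's answer to challenge c: s = k + c*x mod q."""
    return (k + c * x) % Q


def check(y, R, c, s):
    """Verification equation shared by both variants: g^s == R * y^c mod p."""
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def interactive_identification(x, y):
    """Three-move protocol: the verifier supplies the challenge itself."""
    k, R = commit()                 # prover  -> verifier: R
    c = secrets.randbelow(Q)        # verifier -> prover:  c (verifier's coins)
    s = respond(x, k, c)            # prover  -> verifier: s
    return check(y, R, c, s)


def challenge(y, R, m):
    """Fiat–Shamir: the hash, modelled as a random oracle, plays the verifier.
    The input binds the public key, the commitment and the message, so the
    challenge cannot be chosen before R is fixed. The prefix is a domain-
    separation label chosen for this example."""
    data = (b"schnorr-fiat-shamir"
            + y.to_bytes(2, "big") + R.to_bytes(2, "big") + m)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, y, m):
    """Non-interactive signature: (R, s) with c derived from the hash."""
    k, R = commit()
    return R, respond(x, k, challenge(y, R, m))


def verify(y, m, sig):
    """Recompute the challenge from (y, R, m) and check the same equation."""
    R, s = sig
    return check(y, R, challenge(y, R, m), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive run accepted:", interactive_identification(x, y))
    sig = sign(x, y, b"transfer 10")
    print("signature valid:", verify(y, b"transfer 10", sig))
    print("signature valid on other message:", verify(y, b"transfer 1000", sig))
```

The proof in the random oracle model works because a simulator controls the hash: it can program the challenge for a commitment of its choice, and it can rewind a forger to obtain two responses to the same commitment under different challenges, from which x is extracted. Both steps rely on the challenge being a fresh oracle output of the commitment, which is why the commitment must be part of the hash input.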

In 1989, Russell Impagliazzo and Steven Rudich[6] showed the limitation of random oracles – namely that their existence alone is not sufficient for secret-key exchange.

In 1993, Mihir Bellare and Phillip Rogaway[2] were the first to advocate their use in cryptographic constructions. In their definition, the random oracle produces a bit-string of infinite length which can be truncated to the length desired.

When a random oracle is used within a security proof, it is made available to all players, including the adversary or adversaries.

Domain separation

A single oracle may be treated as multiple oracles by prepending a fixed bit-string to each query (e.g., queries formatted as "1|x" or "0|x" can be considered calls to two separate random oracles; similarly "00|x", "01|x", "10|x" and "11|x" can represent calls to four separate random oracles). This practice is usually called domain separation. Oracle cloning is the reuse of a single random oracle for several purposes within one proof (in practice, multiple uses of the same cryptographic hash inside one algorithm for different purposes).[7] Oracle cloning with improper domain separation breaks security proofs and can lead to successful attacks,[8] since two uses that were modelled as independent oracles then return identical values on identical inputs.
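The definition in the lead and the domain-separation practice above, as an added example that is not part of the original article. The oracle is lazily sampled, which is exactly how a security proof simulates it: an output is drawn only when a query is first made and stored so that repeated queries get the same answer. The two key-derivation routines show the failure mode of oracle cloning without separation (both "purposes" are the same query, so the keys coincide) beside the separated form; the length-prefixed label encoding is an assumption of this example, chosen so that no two (label, input) pairs can map to the same underlying query.

```python
import os
from typing import Dict, Tuple


class RandomOracle:
    """Lazily sampled random oracle with fixed output length.

    A true random oracle has no finite description; this object is only
    ever defined on the queries actually made, which is all a proof or a
    simulator needs.
    """

    def __init__(self, out_len: int = 32) -> None:
        self.out_len = out_len
        self.table: Dict[bytes, bytes] = {}

    def query(self, x: bytes) -> bytes:
        # First query of x: draw a fresh uniform output. Later queries: replay it.
        if x not in self.table:
            self.table[x] = os.urandom(self.out_len)
        return self.table[x]


def separated(oracle: RandomOracle, label: bytes, x: bytes) -> bytes:
    """View one oracle as a family of independent oracles indexed by label.

    The label is length-prefixed (example convention, labels up to 255 bytes)
    so that separated(o, b"ab", b"c") and separated(o, b"a", b"bc") are
    distinct queries to the underlying oracle.
    """
    if len(label) > 255:
        raise ValueError("label too long for one-byte length prefix")
    return oracle.query(bytes([len(label)]) + label + x)


def derive_keys_unseparated(oracle: RandomOracle, secret: bytes) -> Tuple[bytes, bytes]:
    """Oracle cloning WITHOUT domain separation: the encryption key and the
    MAC key are the same query, so they are the same value."""
    enc_key = oracle.query(secret)
    mac_key = oracle.query(secret)
    return enc_key, mac_key


def derive_keys_separated(oracle: RandomOracle, secret: bytes) -> Tuple[bytes, bytes]:
    """The same derivation with distinct labels: two independent oracles."""
    enc_key = separated(oracle, b"enc", secret)
    mac_key = separated(oracle, b"mac", secret)
    return enc_key, mac_key


if __name__ == "__main__":
    shared = b"constructed shared secret for this example"
    e1, m1 = derive_keys_unseparated(RandomOracle(), shared)
    e2, m2 = derive_keys_separated(RandomOracle(), shared)
    print("unseparated keys equal:", e1 == m1)   # the cloning bug
    print("separated keys equal:  ", e2 == m2)
```

When the oracle is instantiated with a real hash, the same rule applies: a scheme that feeds the same secret to the same hash for two purposes has, in effect, one key, and any proof that treated the two uses as independent oracles no longer covers it.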

Limitations

No function computable by a finite algorithm can implement a true random oracle. A random oracle has infinitely many possible inputs, and its outputs are independent of one another, so any exact description of it must specify every output individually and is therefore infinitely long, whereas an algorithm, and in particular any real hash function, is a finite description.

In fact, certain contrived signature and encryption schemes are known which are proven secure in the random oracle model, but which are trivially insecure when any real function is substituted for the random oracle.[9][10] Nonetheless, for any more natural protocol a proof of security in the random oracle model gives very strong evidence of the practical security of the protocol.[11]

In general, if a protocol is proven secure, an attack on it must either fall outside what was proven or break one of the assumptions of the proof; for instance, if the proof relies on the hardness of integer factorization, breaking that assumption requires a fast integer factorization algorithm. By contrast, breaking the random oracle assumption requires discovering some unknown and undesirable property of the actual hash function, in particular some way in which its outputs are distinguishable from, or correlated with one another unlike, those of a random function. For well-designed hash functions, where such properties are believed unlikely, the protocol can be considered secure in practice.

Random oracle hypothesis

Although the Baker–Gill–Solovay theorem[12] showed that there exists an oracle A such that P^A = NP^A, subsequent work by Bennett and Gill[13] showed that for a random oracle B (a function from {0,1}^n to {0,1} such that each input maps to 0 or 1 with probability 1/2, independently of all other inputs), P^B ⊊ NP^B with probability 1. Similar separations, together with the fact that random oracles separate classes with probability 0 or 1 (a consequence of Kolmogorov's zero–one law), led to the Random Oracle Hypothesis: two "acceptable" complexity classes C1 and C2 are equal if and only if they are equal (with probability 1) relative to a random oracle (the acceptability of a complexity class is defined in BG81[13]). This hypothesis was later shown to be false, as the two acceptable complexity classes IP and PSPACE were shown to be equal[14] despite IP^A ⊊ PSPACE^A for a random oracle A with probability 1.[15]

Ideal cipher

An ideal cipher is an oracle that models an idealized block cipher: for every key it implements an independent permutation of the block space chosen uniformly at random. Because each keyed instance is a permutation, it maps every ciphertext block to one and only one plaintext block and vice versa, so encryption and decryption are inverse bijections. Cryptographic proofs in this model make not only the "forward" permutation (encryption under any key) available to all players, but also the "reverse" permutation (decryption under any key).

Recent works showed that an ideal cipher can be constructed from a random oracle using 10-round[16] or even 8-round[17] Feistel networks.
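A Feistel network with random-oracle round functions, as an added example that is not from the original article or from the cited papers, and with no claim to their indifferentiability bounds. Each round function is an independent oracle obtained from one hash by domain separation on the key and the round index, which is what "constructing an ideal cipher from a random oracle" means operationally; the hash, block size, round count and label encoding are choices made for this example. The point a practitioner should take from it is structural: whatever the round function does, the construction is a permutation, and its inverse (the "reverse" access of the ideal cipher model) costs the same as the forward direction.

```python
import hashlib
from typing import Callable

HALF = 8      # 64-bit halves, so a 128-bit block (example parameter)
ROUNDS = 8    # round count chosen for this example


def round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    """Stand-in for an independent random oracle per (key, round).

    SHA-256 is domain-separated by a fixed label, the length-prefixed key
    and the round index, then truncated to one half-block.
    """
    if len(key) > 255:
        raise ValueError("key too long for one-byte length prefix")
    data = b"feistel-round" + bytes([len(key)]) + key + bytes([rnd]) + half
    return hashlib.sha256(data).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, block: bytes, f: Callable = round_function) -> bytes:
    """Forward permutation: (L, R) -> (R, L xor F_r(R)) for each round."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly one block long")
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, xor(left, f(key, r, right))
    return left + right


def decrypt(key: bytes, block: bytes, f: Callable = round_function) -> bytes:
    """Inverse permutation: run the rounds backwards. Each round is undone
    by recomputing F_r on the half that was passed through unchanged, so
    the inverse never needs to invert the round function itself."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly one block long")
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, f(key, r, left)), left
    return left + right


def is_permutation_on_sample(key: bytes, blocks) -> bool:
    """Sanity check on a sample: encryption is injective and decryption
    inverts it for every block given."""
    seen = set()
    for b in blocks:
        c = encrypt(key, b)
        if c in seen or decrypt(key, c) != b:
            return False
        seen.add(c)
    return True


if __name__ == "__main__":
    key = b"example key material"          # constructed for this example
    block = bytes(range(16))               # constructed sample block
    ct = encrypt(key, block)
    print("ciphertext:", ct.hex())
    print("roundtrip ok:", decrypt(key, ct) == block)
    print("other key decrypts correctly:", decrypt(b"other key", ct) == block)
```

Swapping `round_function` for a lazily sampled oracle (as in the domain-separation example) gives the construction the cited works analyse; with a real hash, the example is a reminder that the security of such a cipher rests entirely on the hash behaving like an oracle that is independent per key and per round, which the domain separation is there to justify.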

Ideal permutation

An ideal permutation is an idealized object sometimes used in cryptography to model the behaviour of a permutation whose outputs are indistinguishable from those of a random permutation. In the ideal permutation model, an additional oracle access is given to the ideal permutation and its inverse. The ideal permutation model can be seen as a special case of the ideal cipher model where access is given to only a single permutation, instead of a family of permutations as in the case of the ideal cipher model.

Quantum-accessible random oracles

Post-quantum cryptography studies the security of classical cryptographic schemes against attackers equipped with quantum computers. Since a random oracle is an abstraction of a hash function, whose code is public, a quantum attacker can evaluate it on a superposition of inputs; it is therefore natural to give the attacker superposition access to the random oracle.[18] Many classical security proofs break down in this quantum random oracle model, for instance because the reduction can no longer simply record the list of queries made, and need to be revised.

References

  1. ^ Bennett, Charles; Gill, John (1981). "Relative to a Random Oracle A, P^A != NP^A != co-NP^A with Probability 1". SIAM Journal on Computing. 10 (1): 96–113. doi:10.1137/0210008.
  2. ^ a b Bellare, Mihir; Rogaway, Phillip (1993). "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols". ACM Conference on Computer and Communications Security: 62–73. doi:10.1145/168588.168596. S2CID 3047274.
  3. ^ Katz, Jonathan; Lindell, Yehuda (2015). Introduction to Modern Cryptography (2 ed.). Boca Raton: Chapman & Hall/CRC. pp. 174–175, 179–181. ISBN 978-1-4665-7027-6.
  4. ^ Bennett, Charles H.; Gill, John (1981), "Relative to a Random Oracle A, P^A != NP^A != co-NP^A with Probability 1", SIAM Journal on Computing, 10 (1): 96–113, doi:10.1137/0210008, ISSN 1095-7111
  5. ^ Fiat, Amos; Shamir, Adi (1986). "How to Prove Yourself: Practical Solutions to Identification and Signature Problems". CRYPTO. pp. 186–194.
  6. ^ Impagliazzo, Russell; Rudich, Steven (1989). "Limits on the Provable Consequences of One-Way Permutations". STOC: 44–61.
  7. ^ Bellare, Davis & Günther 2020, p. 3.
  8. ^ Bellare, Davis & Günther 2020, p. 4.
  9. ^ Ran Canetti, Oded Goldreich and Shai Halevi, The Random Oracle Methodology Revisited, STOC 1998, pp. 209–218 (PS and PDF).
  10. ^ Craig Gentry and Zulfikar Ramzan. "Eliminating Random Permutation Oracles in the Even-Mansour Cipher". 2004.
  11. ^ Koblitz, Neal; Menezes, Alfred J. (2015). "The Random Oracle Model: A Twenty-Year Retrospective" (PDF). Another Look. Archived from the original (PDF) on 2 April 2015. Retrieved 6 March 2015.
  12. ^ Baker, Theodore; Gill, John; Solovay, Robert (1975). "Relativizations of the P =? NP Question". SIAM J. Comput. 4 (4). SIAM: 431–442. doi:10.1137/0204037.
  13. ^ a b Bennett, Charles; Gill, John (1981). "Relative to a Random Oracle A, P != NP != co-NP with Probability 1". SIAM J. Comput. 10 (1). SIAM: 96–113. doi:10.1137/0210008.
  14. ^ Shamir, Adi (October 1992). "IP = PSPACE". Journal of the ACM. 39 (4): 869–877. doi:10.1145/146585.146609. S2CID 315182.
  15. ^ Chang, Richard; Chor, Benny; Goldreich, Oded; Hartmanis, Juris; Hastad, Johan; Ranjan, Desh; Rohatgi, Pankaj (August 1994). "The Random Oracle Hypothesis is False". Journal of Computer and System Sciences. 49 (1): 24–39. doi:10.1016/S0022-0000(05)80084-4. ISSN 0022-0000.
  16. ^ Dachman-Soled, Dana; Katz, Jonathan; Thiruvengadam, Aishwarya (2016). "10-Round Feistel is Indifferentiable from an Ideal Cipher". EUROCRYPT 2016. Springer. pp. 649–678. doi:10.1007/978-3-662-49896-5_23.
  17. ^ Dai, Yuanxi; Steinberger, John (2016). "Indifferentiability of 8-Round Feistel Networks". CRYPTO 2016. Springer.
  18. ^ Boneh, Dan; Dagdelen, Özgür; Fischlin, Marc; Lehmann, Anja; Schaffner, Christian; Zhandry, Mark (2011). "Random Oracles in a Quantum World". Advances in Cryptology – ASIACRYPT 2011. Lecture Notes in Computer Science. Vol. 7073. Springer. pp. 41–69. arXiv:1008.0931. doi:10.1007/978-3-642-25385-0_3. ISBN 978-3-642-25384-3.
