Modeling Random Oracles under Unpredictable Queries

Transcription

1 Modeling Random Oracles under Unpredictable Queries Pooya Farsim 1 and Arno Mittelbac 2 1 ENS, CNRS & INRIA, PSL Researc University, Paris, France 2 Darmstadt University of Tecnology, Germany pooya.farsim@gmail.com arno.mittelbac@cased.de Abstract. In recent work, Bellare, Hoang, and Keelveedi (CRYPTO 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and sowed ow tey can replace random oracles (ROs) across a wide range of cryptosystems. We formulate a new framework, called Interactive Computational Extractors (ICEs), tat extends UCEs by viewing tem as models of ROs under unpredictable (aka. ig-entropy) queries. We overcome a number of limitations of UCEs in te new framework, and in particular prove te adaptive RKA and semi-adaptive KDM securities of a igly efficient symmetric encryption sceme using ICEs under key offsets. We sow bot negative and positive feasibility results for ICEs. On te negative side, we demonstrate ICE attacks on te HMAC and NMAC constructions. On te positive side we sow tat: 1) ROs are indeed ICE secure, tereby confirming te structural soundness of our definition and enabling a finer layered approac to protocol design in te RO model; and 2) a modified version of Liskov s Zipper Has is ICE secure wit respect to an underlying fixed-input-lengt RO, for appropriately restricted classes of adversaries. Tis brings te first result closer to practice by moving away from variable-input-lengt ROs. Our security proofs employ tecniques from indifferentiability in multi-stage settings. Keywords. Random oracle, Unpredictability, UCE, RKA security, KDM security, Zipper Has, Indifferentiability, Multi-stage security. 1 Introduction 1.1 Background Since teir formal introduction by Bellare and Rogaway [BR93], random oracles (ROs) ave found many applications across a wide range of cryptograpic protocols. However, due to an uninstantiability result of Canetti, Goldreic, and Halevi [CGH98], wic sows tat certain (artificial) protocols become insecure as soon as te random oracle is replaced by any concrete as function, reliance on ROs as also become somewat debatable. Two lines of researc ave been directed at dealing wit suc uninstantiability results. One is to construct standard-model counterparts of cryptograpic primitives designed in te RO model (ROM). Tis approac comes wit te drawback tat te resulting cryptosystems often tend to be complex and acieve a lower level of security and/or efficiency. A second, more modular, approac aims to formulate abstractions of te proof-centric properties of random oracles suc as extractability, programability, or non-malleability [Can97,CD09,Nie02,CD08,BCFW09]. Assuming tat a as function meets te introduced model, one proceeds to sow tat it can safely replace te random oracle in a protocol. Tese formalizations, owever, ave only been successful to a limited extent, and te question of finding a flexible and general framework tat could be applied across a broad range of security goals and protocols remained open until recently. 1.2 UCE security Bellare, Hoang, and Keelveedi (BHK) [BHK13a] revisit te above questions and present a powerful framework called Universal Computational Extractors (UCEs) tat allow to securely instantiate random oracles in an

2 interesting and diverse set of applications. Tese include, among oter tings, security under key-dependentmessage (KDM) attacks, security under related-key attacks (RKAs), simultaneous ard-core bits, point function obfuscators, garbling scemes, proofs of storage, deterministic encryption, and message-locked encryption, tereby going far beyond wat was previously possible. Beind UCEs lies a new way to model te indistinguisability of a keyed as function from a random oracle. Indeed, tere are two direct ways to (incorrectly) model te security of a as function: (1) Provide te adversary wit te as key and ask it to distinguis an oracle implementing te as function from one implementing te random oracle. Tis approac immediately fails as tis game can be trivially won wit te knowledge of te as key by computing a as value and cecking te answer against te oracle s answer for te same query. (2) Adopt te above approac, but now ide te as key. Tis leads to PRF security for wic feasibility results are known but is not useful in te context of asing as te as key is typically publicly known. BHK overcome te above sortcomings by splitting te attacker into two parts and constraining te communication between te two. Te first UCE attacker does not get to see te as key, but as oracle access to eiter te as function under a random key or te random oracle according to a random bit. Te second attacker, on te oter and, does get to see te as key, but can no longer access te oracle, and it as to guess te bit; see Figure 1 (left). Te two stages of te adversary can communicate only in restricted ways since arbitrary communication would lead to an attack similar to tat given above for formulation (1). More formally, for a keyed as function H, UCE security is defined via a two-stage game consisting of algoritms S and D, called te source and te distinguiser respectively, as follows. In te first stage, te source is given access to an oracle Has tat depending on a random bit b implements eiter te random oracle or te concrete as function H under a random as key k. Te source terminates by outputting some leakage L, wic is ten communicated to te second-stage distinguiser D. In addition to leakage L, te distinguiser also gets te as key k as input. Te distinguiser s task is to guess b, i.e., guess weter te source was talking to te random oracle or te as function. Te UCE advantage of te pair (S, D) is defined as usual to be te probability of correctly guessing te bit b scaled away from one-alf. We refer te reader to te original work [BHK13b] for an excellent overview of tis approac to modeling as-function security. To see tat witout furter restrictions UCE security cannot be acieved, consider a source tat leaks one of its oracle queries togeter wit te corresponding oracle answer to te distinguiser. Te distinguiser ten simply recomputes te as value on te queried point te distinguiser knows te as key and compares it to te leaked value. In teir original work, BHK [BHK13a] define two restrictions on sources: computational unpredictability and computational reset security. In te computational unpredictability game, it is required tat wen te source is run wit a random oracle its leakage does not computationally reveal any of its queries. Tis is formalized by requiring tat te probability of any efficient predictor P in guessing a query of S wen given L is negligible. Te class of computationally unpredictable sources is denoted by S cup, and te resulting UCE security UCE[S cup ] (aka. UCE1) of a as function is defined by requiring te advantage of any efficient pair (S, D) wit an unpredictable S S cup in te UCE game to be negligible. Reset security imposes a weaker restriction on te source class and leads to te stronger UCE2 notion. UCE security as been te subject of many recent studies. Brzuska, Farsim, and Mittelbac (BFM) [BFM14] sow tat, under new cryptograpic assumptions, tese restrictions are insufficient for a feasible definition. More precisely, assuming te existence of indistinguisability obfuscators [BGI + 01,GGH + 13], BFM sow tat te UCE[S cup ] security of any as function can be broken in polynomial time. To overcome tis attack, BFM [BFM14] (and subsequently BHK in an updated version of teir paper [BHK13b]) propose a statistical notion of unpredictability wereby te predictor can even run in unbounded time. Following te attack, BHK also refine te UCE notions based on computational unpredictability and introduce te classes of bounded 2

3 Has b (k, ) Has b (, ) S(1 ) D(k) D 1 (1 ) D 2 (1 ) b 0 Fig. 1. Te interactions in te UCE game (left) and te ICE game (rigt). parallel and split sources. 3 BFM sow tat security against bounded parallel source is also infeasible [BFM14], and recently attacks against split sources ave also been sown [BST15]. On te positive side, Brzuska and Mittelbac [BM14b,BM15] sow ow to construct UCEs for te class of strongly unpredictable and statistically unpredictable sources for bounded number of queries. Bellare, Hoang, and Keelveedi [BHK14] develop domain extenders for UCEs, and Bellare and Hoang [BH15] construct deterministic PKEs from UCEs for statistically unpredictable sources and lossy trapdoor functions. BFM [BFM14] ave sown tat te existence of obfuscation-based attacks against statistically unpredictable sources violates well-known impossibility results. A number of recent works ave sown ow to use UCEs as RO replacements in oter protocols [MH14,BK15,DGG + 15]. Despite te above advances, and irrespective of te restrictions imposed on sources, te UCE framework is intrinsically limited in a number of aspects: it only allows te source to place Has queries wic are independent of te as key; after leakage is communicated from te source to te distinguiser no furter Has oracle queries can be made, and ence as queries are inerently non-adaptive; UCEs cannot model unkeyed as functions nor as functions wit weak keys were te key does not come from te uniform distribution. Motivated by tese sortcomings, and te ultimate goal of basing te security of igly efficient and practical protocols on well-defined and feasible properties of random oracles, we set out to formalize an enanced framework for te study ROM protocols. 1.3 Interactive computational extractors Given te development of UCEs, defining an extended model wic meets te above-mentioned specifications is an intricate task. Indeed, well before te emergence of obfuscation-based attacks, BHK [BHK13b, page 9] warned tat extending UCEs to an interactive setting is a dangerous pat to tread. As an example, assume tat we introduce a bi-directional communication cannel between te distinguiser and te source so tat our adaptivity targets are met. Tis extension can be sown to fall prey to somewat non-trivial attacks tat utilize general-purpose multi-party computation (MPC) protocols. Suppose te source S olds a random input x wose as is y, and D olds k. Te two parties ten run an MPC protocol to compute te Boolean value y = H(k, x). Te distinguiser finally returns tis value as its guess. Tis attack would meet any reasonable notion of computational unpredictability since te security of te MPC protocol would ensure tat te parties learn no more tan wat can be deduced from teir individual private inputs. 4 Allowing as queries to depend on te as key k is also callenging since similarly to approac (1) above access to bot k and te as oracle would trivialize te notion. For similar reasons, formulating a UCE-like model for unkeyed as functions is also non-trivial. As we sall see, oter forms of attacks also arise tat sould be ruled out for a feasible model. Te ICE framework. Let us call an input (k, x), consisting of te as key k and a domain point x, to a as function a full input. One way to view UCEs is tat tey adopt te indistinguisability-based approac (1) above, but restrict as queries so tat full inputs remain idden from te attacker(s). It is 3 Suc computational UCE notions are intrinsically needed for applications suc as simultaneous ad-core bits and deterministic PKEs. 4 Tis can be viewed as an interactive analogue of BFM s attack [BFM14]. 3

4 clear tat suc idden queries are not meaningful in te presence of a single adversary any adversary knows its own queries and ence UCEs come wit two adversaries. Unpredictability togeter wit denial of oracle access to D ensures tat te x components of full inputs remain idden from D. On te oter and, te k components of full inputs remain idden from S as te source is denied access to k (and no communication from D to S is allowed). As a result, full inputs (k, x) remain idden from bot parties involved in a UCE attack. Tis perspective allows us to build on UCEs and extend tem as follows. In our new framework, wic we call Interactive Computational Extractors (ICEs), 5 a general mecanism for te joint generation of full inputs is enabled and adversarial restrictions tat formalize wat it means for full as inputs to ave ig entropy are imposed. We let two distinguisers (D 1, D 2 ) to take part in an attack, and allow tem to communicate via a bi-directional cannel. Bot distinguisers get access to a callenge as oracle, wic depending on a callenge bit implements eiter te real as function or a (keyed) random oracle. To enable te two parties to make idden queries, we introduce a sared write-only tape tat bot D 1 and D 2 can write onto. Wen a distinguiser queries te as oracle, te (real or ideal) as of te full contents of te tape is returned. In contrast to UCEs, D 1 or D 2 can generate a as key and peraps modify it trougout te attack. Tis attack scenario is symmetric for D 1 and D 2 and, witout loss of generality, te game terminates by D 2 outputting wit a bit. (Our formal definition, owever, comes wit a sligtly more general return statement.) For a class C of distinguisers, we define ICE[C] security by demanding tat te probability of guessing te callenge bit for any D = (D 1, D 2 ) C is negligibly close to 1/2. See Figure 1 (rigt) for a summary of tis interaction. Entropic queries. Similarly to UCEs, te ICE notion cannot be acieved witout constraining te way te two distinguisers communicate. Te main restriction tat we introduce is analogous to statistical unpredictability for UCEs: we demand te statistical unpredictability of full inputs to te as function, including te as key k, from eac distinguiser s point of view. We coose a statistical, rater tan a computational, notion so tat our definitions do not become subject to te interactive versions of te attacks igligted in [BFM14]. 6 More precisely, we require tat wen te as oracle implements a keyed random oracle, no (possibly unbounded) predictor can guess a full input (k, x) used to compute a as value wen it is provided wit a distinguiser s view consisting of its inputs, random coins, and all incoming messages and oracle responses. Since our framework allows oracle access to bot parties, unlike UCEs te two distinguisers can implicitly communicate via as patterns as follows. Suppose D 2 wants to leak a bit d to D 1. Algoritm D 2 starts by writing a random string onto te second alf of te input and ands over te attack to D 1. Algoritm D 1 writes a random value to te first alf of te input, calls Has to receive a first as value 1, and ands over te attack back to D 2. Now algoritm D 2, according to te value of d, eiter modifies te contents of te second alf of te input tape or leaves tem uncanged. D 1 can recover d by obtaining a second as value 2 and cecking if ( 1 = 2 ). Te two distinguisers can also communicate via a bit-fixing attack: D 2 samples many (unpredictable) random values x conditioned on its as value beginning wit bit d, wic D 1 can ten recover via a as query. In our unpredictability definition te predictor gets to see all as responses, and ence if tere are any repetitions tey will be seen by te predictor. Unpredictability will terefore ensure tat suc repetition patterns will not leak any of te queries. Sometimes, owever, we need to explicitly disallow any repeat queries to enable a security proof to go troug. In suc a scenario, we can ensure tat tere is no leakage via as patterns eiter. Repeat-freeness appears in oter related settings suc as related-key attacks or correlated-input asing [BK03,GOR11]. 5 In UCEs, universal refers to te fact tat extraction sould work wit respect to universal (i.e., all admissible) sources. Analogously, interactive in ICEs refers to te fact tat extraction sould work for sources tat can interact. 6 Tis is also motivated by impossibility results for statistically secure two-party protocols. 4

5 1.4 Applications BHK [BHK13a] use UCEs to sow tat te encryption sceme of Black, Rogaway, and Srimpton (BRS) [BRS03] is secure under related-key attacks (RKAs) and key-dependent-message (KDM) attacks as long as te related keys/key-dependent messages are derived non-adaptively at te onset and witout access to te as key or previous cipertexts. 7 As we sall see, ICE encompasses UCE as a special case, and te BRS sceme can also be instantiated under te above models using ICEs. We can owever also obtain feasibility results tat are outside te reac of UCEs. A practically relevant and desirable level of RKA security is tat corresponding to key offsets (te so-called xor-rka security [LRW02,BK09]). We sow tat ICEs are sufficient to prove te full xor-rka security of te BRS sceme. Our formal result is more general and applies to te larger class of split functions tat take te form φ(k 1 K 2 ) = φ 1 (K 1 ) φ 2 (K 2 ). (Suc functions ave been used to build RKA-secure PRFs [BC10], and also appear in oter related contexts [CG14,LL12].) In addition to acieving stronger security guarantees, ICEs allow instantiating te BRS sceme using unkeyed as functions, wic is arguably closer to te original formulation of BRS. 8 We also strengten te attainable KDM security guarantees for BRS by sowing tat adversaries can coose key-dependent messages adaptively based on te as key and also semi-adaptively depending on previous cipertexts. We prove tat ICEs are adaptively correlated-input secure [GOR11] and tat tey relate well to oter standard security properties of random oracles, suc as pseudorandomness, randomness extraction, and one-way security (see Appendix B). We leave it as open questions to see if full RKA beyond xor offsets or full KDM security can be establised using extractor-like notaions. 1.5 Instantiations BHK sow tat random oracles fulfill teir strongest proposed UCE notion, namely UCE security wit respect to computationally unpredictable sources. 9 We prove tat random oracles are also ICE secure. Te significance of tese results are twofold [BHK13a]: (1) tere are no generic attacks on ICEs and te model is structurally sound; and (2) a layered approac to security analysis can be enabled, wereby one first proves te security of a sceme under an ICE assumption and ten applies te RO model feasibility result. Te latter is akin to security analyses carried out in te generic group model. Practical as functions, owever, are not monolitic objects and often follow an iterative procedure to convert a fixed-input-lengt random oracle (FIL-RO) into a variable-input-lengt random oracle (VIL-RO). Tis, in turn, raises te question weter or not te above result can be brougt closer to practice by demonstrating positive feasibility results for VIL-ICEs in te FIL-RO model. A seemingly immediate way to establis tis result would be to start wit a as function tat is known to be indifferentiable from a VIL RO (e.g., te HMAC or te NMAC construction), and ten apply te RO feasibility result above to conclude. Tis argument, owever, fails as te ICE game is multi-staged and indifferentiability does not necessarily guarantee composition in suc settings [RSS11]. Motivated by te above observations, we sow bot positive and negative feasibility results for ICEs. On te negative side, we sow tat te indifferentiable HMAC and NMAC constructions are provably ICE insecure in te FIL-RO model. On te positive side, and building on Mittelbac s tecniques [Mit14], we prove tat a keyed version of Liskov s Zipper Has [Lis07] is ICE secure (as a VIL as function) under te assumption tat te underlying compression function is a FIL-RO. Zipper Has can be seen as a variant of te classical Merkle Damgård [Dam90,Mer90] construction were te message blocks are processed twice in te forward and backward directions. Hence our results strengten te VIL-RO feasibility result above, and also provide formal evidence for te (intuitive) added security guarantees tat multi-pass as functions seem 7 Recall tat in RKA security te adversary can see encryptions of messages under keys φ(k) for a random K and functions φ of its coice. In KDM security te adversary can see encryptions of φ(k), under a random key K, for φ s of its coice. 8 BRS [BRS03] analyze teir sceme in te unkeyed RO model, wic translates to unkeyed instantiations in practice. 9 Note tat tis does not contradict te BFM attack as ROs do not ave succinct descriptions. 5

6 to offer over teir single-pass counterparts. For instance, combined wit our RKA and KDM results, we may conclude tat Zipper Has can be safely used witin te BRS sceme wit no adverse affects on its security. Te above analysis can be furter strengtened in at least two directions. First, one can weaken te underlying assumption and assume tat te compression function underlying Zipper Has is only a FIL-ICE (rater tan a FIL-RO). To tis end, BHK [BHK14] give domain extenders for UCEs. Second, and motivated by te standard-model realizations of ICEs and UCEs, we ask if tese primitives can be based on plausible ardness assumptions. Brzuska and Mittelbac [BM14a,BM15] ave recently sown positive results for UCEs wit respect to restricted classes of sources. 2 Notation We denote te security parameter by λ N, wic is implicitly given to all algoritms (if not explicitly stated so) in te unary representation 1 λ. By {0, 1} l we denote te set of all bit strings of lengt l and {0, 1} is te set of all finite-lengt bit strings. For x, y {0, 1} we denote teir concatenation by x y, te lengt of x by x, te it bit of x by x[i], and te substring of x formed using bits i to j by x[i..j]. We denote te empty string by ε. For X a finite set, X denotes its cardinality, and x $ X denotes te action of sampling x uniformly at random from X. If Q is a list and x a string ten Q : x denotes te list obtained by appending x to Q. Similarly, If Q 1 and Q 2 are lists, ten Q 1 : Q 2 denotes te concatenated list. Unless stated oterwise, algoritms are assumed to be randomized. We call an algoritm efficient or PPT if it runs in time polynomial in te security parameter. By y A(x; r) we denote tat y was output by algoritm A on input x and randomness r. If A is randomized and no randomness is specified, ten we assume tat A is run wit fresly sampled uniform random coins, and write y $ A(x). We use Coins[A] to denote te polynomially long string of random coins r used by a PPT macine A. We say a function negl(λ) is negligible if negl(λ) λ ω(1). Has functions. In te line wit [BHK13a], we consider te following (simplified) formalization of as functions. A as function consists of five PPT algoritms H := (H.Kg, H.Ev, H.kl, H.il, H.ol) as follows. Te key-generation algoritm H.Kg gets te security parameter 1 λ as input and outputs a key k {0, 1} H.kl(λ), were H.kl(λ) is te key-lengt function. Algoritm H.il(λ) outputs te lengt of admissible inputs, wic could take te special value denoting te variable-lengt input space {0, 1}. Algoritm H.ol(λ) outputs te lengt of admissible outputs, wic we assumed to be a fixed polynomial function of te security parameter. Te deterministic evaluation algoritm H.Ev takes as input te security parameter 1 λ, a key k, a point x {0, 1} H.il(λ), and generates a as value H.Ev(1 λ, k, x) {0, 1} H.ol(λ). To ease notation, we often suppress te security parameter and simply write H.Ev(k, x). 3 Te ICE Framework In tis section we precisely define te ICE framework. We refer te reader to te introduction for a ig-level overview of te model. Te ICE game. Let H = (H.Kg, H.Ev, H.kl, H.il, H.ol) be a as function and let D = (D 1, D 2 ) be a pair of algoritms. We define te ICE advantage of D against H as Adv ice H,D(λ) := 2 Pr [ ICE D H (λ) ] 1, were game ICE D H (λ) is sown in Figure 2. As mentioned in te introduction, we may assume, witout loss of generality, tat te game termites by D 2 outputting a bit. However, in order to preserve te symmetry of te definition (wic will simplify our adversarial restrictions later on) and for added generality, we let te distinguisers jointly guess te callenge bit by computing b 1 b 2, were b i is D i s guess. Te interaction terminates wen bot distinguisers return non- values for b 1 and b 2. For a class C of distinguisers, we define ICE[C] security by requiring te advantage of any adversary D C to be negligible in te ICE game. We require (D 1, D 2 ) not to leave any superfluous blank spaces on te joint tape. Tat is, a Write call must ensure tat before te Has oracle is called tere do not exist indices i < j suc tat x[i] = ε x[j] or 6

7 Main ICE D H (λ) 1 : b $ {0, 1}; L 1 1 λ 2 : wile b 1 = b 2 = do 3 : (b 1, L 2) $ D Write,Has 1 (L 1) 4 : (b 2, L 1) $ D Write,Has 2 (L 2) 5 : return (b 1 b 2 = b) Write(j, v) (k, x)[j..j + v 1] v Has() if b = 1 ten T [k, x] H.Ev(k, x) elseif T [k, x] = ten T [k, x] $ {0, 1} H.ol(λ) return T [k, x] Fig. 2. Te ICE game wit respect to as function H and distinguisers D = (D 1, D 2). We ave omitted te initialization of various variables for readability. k[i] = ε k[j]. We also demand tat te full inputs (k, x) are valid in te sense tat prior to a Has call k {0, 1} H.kl(λ) and x {0, 1} H.il(λ). Altoug te distinguisers D 1 and D 2 are in general stateful algoritms, we omit te explicit andling of state values from te inputs and outputs of D i. Restrictions. As discussed in te introduction, te ICE model is not feasible unless additional restrictions on te distinguisers are imposed. We formulate our restrictions as joint properties of (D 1, D 2 ). Before presenting our main restrictions corresponding to ig-entropy queries, we give a set of basic classes tat will be useful in studying ICEs. As an example, for polynomials w, q, and r we define C w,q,r i to be te set of all (D 1, D 2 ) suc tat wen (D 1, D 2 ) is run in te ICE game conditioned on b = 0 (i.e., wit respect to te random oracle), te distinguiser D i places at most w(λ) queries to Write, at most q(λ) queries to Has, and terminates after at most r(λ) invocations. We formalize a number of oter notions below and omit te preamble Te set of all (D 1, D 2 ) suc tat wen (D 1, D 2 ) is run in ICE wit b = 0, we ave wit overwelming probability tat from teir definitions. Note tat te classes below depend on i {1, 2}. For classes Ci label will be using trougout tis paper. we define C label := C label 1 C label 2. In te following table we present several restrictions tat we Class C w,q,r i C poly i C ppt i C 0 i Ci ε Ci 0-k Ci 1-k C dist i C sup i Description D i places at most w(λ) queries to Write, at most q(λ) queries to Has, and terminates after at most r(λ) invocations. D i makes polynomially many oracle queries. D i runs in polynomial time on eac invocation and terminates after a polynomial number of rounds. D i sets b i := 0 in all invocations. D i sets L 3 i := ε in all invocations. D i never writes onto te k part of te tape. On its first invocation, D i writes a random k onto te k-part of te tape. In subsequent invocations, D i never writes onto te k-part of te tape. D i makes distinct queries to Has. Tat is, for lists Q 1 and Q 2 defined in Figure 3, te combined list Q 1 : Q 2 is repetition-free. Note tat Ci dist = C3 i dist = C dist. Te probability tat any (possibly unbounded) predictor P can guess a full query of D i is negligible. We call tis te class of statistically unpredictable D i. See Figure 3 for te formal definition. Class C cup i is te computational analogue, were P is restricted to be ppt. 7

8 Main Pred P i,d(λ) 1 : L 1 1 λ 2 : wile b 1 = b 2 = do 3 : k 1; (b 1, L 2) $ D Write,Has 1 (L 1) 4 : Lk i Lk i : L i 5 : k 2; (b 2, L 1) $ D Write,Has 2 (L 2) 6 : (k, x) $ P (Coins[D i], A i, Lk i) 7 : return (k, x) Q 1 : Q 2 Write(j, v) (k, x)[j..j + v 1] v Has() if T [k, x] = ten T [k, x] $ {0, 1} H.ol(λ) Q k Q k : (k, x) A k A k : T [k, x] return T [k, x] Fig. 3. Te unpredictability game. An example: UCE witin ICE. We describe ow UCEs can be captured witin te ICE framework. Since ICE is more expressive a framework, we need to (drastically) restrict te distinguisers. In modeling UCEs, we identify te UCE distinguiser wit D 1 and te UCE source wit D 2. All parties typically run in polynomial time and ence we restrict to C ppt := C ppt 1 C ppt 2. In UCEs, te source queries Has on an unknown as key. Te distinguiser, on te oter and, gets to see te as key. Tus, we let D 1 (wic represents te distinguiser) write a random k to te joint input and ten and te attack to D 2 on te first invocation, i.e., D C1 1-k. We furter restrict to C1, ε as a UCE distinguiser does not leak. Since te UCE game only as a single round, we also restrict to C 1,0,2 1 (one round is used to write te k). Finally, te source does not take part in decision making and cannot modify te as key: UCEs are modeled by ICE[C uce ] were C uce := C ppt C 1-k 1 C ε 1 C 1,0,2 1 C 0 2 C 0-k 2. Note tat te above models UCEs witout any additional restrictions on te source classes. Suc requirements can be added on top by appropriately restricting C uce. Unpredictability. We now formally define wat we mean by a D tat as unpredictable (aka. ig-entropy) queries. We focus on a statistical notion of unpredictability [BFM14,BST15]. 10 We say D = (D 1, D 2 ) is statistically unpredictable for te distinguiser i, and write D C sup i, if te advantage of any unbounded predictor P defined by ] Adv pred i,d,p [Pred (λ) := Pr P i,d(λ), is negligible, were game Pred P i,d(λ) is sown in Figure 3. Note tat te predicator only gets to see te as responses for distinguiser D i tese are witin D i s view and as to guess a query made by eiter distinguiser in te concatenated list Q 1 : Q 2. It is easy to ceck tat UCE security wit respect to statistically unpredictable sources is equivalent to ICE[C uce C sup ] security. Remark. Since predictor P receives te full view of a distinguiser D i, it can perfectly simulate a run of D i in te ICE game wit respect to a random implementation of te as oracle, witout any need to see te view of te partner distinguiser D 3 i. We will rely on tis observation in our proofs. 4 Example Applications In tis section we demonstrate two example use cases of ICEs. Furter applications are given in Appendix B and summarized in Table 2 below. Tese applications serve to demonstrate tat many properties of random oracles tat are useful in analyses of ROM cryptosystems can be modeled in a unified way witin te ICE framework. 10 We empasize tat computational notions are still valuable as combined wit our feasibility results, tey would enable easier and more modular security proofs in te RO model. 8

9 Goal/Model Class Used/Acieved Split RKA C C sup C2 0 Split KDM C C sup C1 0 Split/claw-free CIH C C sup C2 0 Extractor C C sup C1 0 C ε C 1,1,2 Weak PRF C C sup C 0 1 C ε C poly,poly,1 poly-regular OWF C C sup C 0 1 C 1,1,1 VIL-ROM FIL-ROM C ppt C cup and C poly C sup ; bot contain C C sup C C cup, wic contains C C sup Table 2. Distinguiser classes used (above) and sown feasibility for (below). Here C := C ppt C dist C 1-k 1 C 0-k 2 C ε Split RKA security We sow tat te symmetric encryption sceme proposed by Black, Rogaway, and Srimpton (BRS) [BRS03] is secure against related-key attacks (RKAs) wen instantiated wit an ICE-secure as function. Te encryption algoritm of te BRS sceme is implemented via Enc H (K, M; R) := (R, M H(K R)), for a as function H, randomness R and key K. Recall tat in an RKA, an adversary can obtain encryptions of messages of its coice under correlated keys (e.g., under K and K 1). See Appendix A for te formal definition. Split related-key derivation (RKD) functions φ decompose into two sub-rkd functions φ 1 and φ 2 tat are applied in parallel to two (fixed) sub-strings of te key: φ(k 1 K 2 ) = φ 1 (K 1 ) φ 2 (K 2 ). 11 Split functions capture many RKA cases of interest including te case of xoring constants into keys. Witout te minimal assumption tat φ s ave unpredictable outputs (i.e., te guessing probability of te outputs of φ(k) over randomly cosen K is negligible) RKA security is not acievable [BK03]. In our proof, we will require a sligtly stronger condition tat te sub-rkd functions φ 1 (K 1 ) and φ 2 (K 2 ) are individually unpredictable. (See Appendix A for te formal definition.) Note tat offsetting keys via xor enjoys tis property as xor induces a permutation over te two alves of te key. BHK [BHK13a], by interpreting encryption randomness as as keys, sow tat BRS is selectively RKA secure using a multi-key extension of UCE[S cup ]. In contrast, te adversary in our model retains its capability to adaptively query RKD functions of its coice depending bot on te as key and te cipertexts tat it as previously seen. For tis result, altoug ICE[C ppt C sup ] is sufficient, te assumption can be fine-tuned to ICE[C] were C := C ppt C sup C dist C1 1-k C2 0-k C2 0 C2 ε. We defer te formal proof to Appendix A and give a detailed outline ere. Te ICE adversary. Given an RKA adversary A, we construct an ICE adversary (D 1, D 2 ), were D 1 andles te left components of A s RKA queries and D 2 andles te rigt components as follows. D 1 (L 1 ) : On initial invocation, generate a as key k, a random K 1, and a random bit b. Store tese values and write k onto te k-part of te tape. Run A(k) to get an RKA query ((φ 1, φ 2 ), M 0, M 1 ). Output (b 1, L 2 ) := (, φ 2 ). Proceed as follows in subsequent invocations. Generate and store a random R and write φ 1 (K 1 ) onto te 1st segment (out of tree segments) of te x-part of te tape and R onto its 3rd segment. Query Has to get H. Recover R and resume A on (R, H M b ) to get a new RKA query ((φ 1, φ 2 ), M 0, M 1 ), or a bit b. If A outputs a bit b, return (b 1, L 2 ) := (b = b, ε) and terminate. Else output (b 1, L 2 ) := (, φ 2 ). 11 For simplicity we assume tat tese are just te left and rigt alves of te key. Our proof will owever also apply to any two substrings of super-logaritmic lengts. 9

10 D 2 (L 2 ) : Wen initially invoked, generate a random K 2 and store it. In all invocations (including te first), recover φ 2 from L 2. If φ 2 = ε, return (b 2, L 1 ) := (0, ε) and terminate. Else write φ 2 (K 2 ) onto te 2nd segment of te x-part of te tape. Output (b 2, L 1 ) := (0, ε). Unpredictability. We sow tat D C for class C as defined above. To tis end, we only prove membersip in C sup C dist as oter cases follow via syntactic cecks. Tis follows from te following two observations: (1) Te Has queries are distinct wit overwelming probability since before eac query a fres random value R is written onto te joint tape. (2) Te functions φ 1 and φ 2 are run on independently cosen substrings of te key. Since tey are assumed to be individually statistically unpredictable, D 1 observing independently generated random strings corresponding to as values never gets to know te contents of te tape written by D 2, and vice versa, D 2 never gets to know wat is written on to te tape by D KDM security Wen te random oracle in te BRS sceme is instantiated wit an ICE-secure as function, we are able to sow tat te BRS sceme resists a partially adaptive form of KDM security for split key-dependent-message derivation (KDMD) functions φ. As for RKD functions, suc KDMD functions consist of sub-kdmd functions φ 1 and φ 2 of te form φ(k 1 K 2 ) := φ 1 (K 1 ) φ 2 (K 2 ). Te adaptivity level tat we can tolerate is as follows. In an initial pase of te attack, te adversary can fully adaptively query split KDMD functions tat do not depend on K 2. Tat is, for tese functions φ 2 (K 2 ) is constant and independent of K 2 and its value can be predicted. In a second pase of te attack, te adversary can query split KDMD functions of its coice as long as eiter φ 1 (K 1 ) is constant or φ 1 (K 1 ) was used in te first pase. (We empasize tat tese functions are not required to be unpredictable.) Tis model is strong enoug to imply IND-CPA security (witout any restrictions), a case tat could not be treated using UCEs. Te ICE adversary. Let A be a KDM adversary against te BRS sceme in te model above. Our ICE[C ppt C sup C dist ] adversary corresponding to A is as follows, were for simplicity we ave assumed te lengts of keys, randomness and messages are all l. (Te ICE class can be furter restricted as is sown in Table 2.) In tis reduction, D 1 faitfully runs te first stage of te attack, wile D 2 runs its second stage. To answer KDM queries, D 2 relies on te omomorpic property tat H (x 1 x 2 ) = H (x 1 0 x2 ) (0 x1 x 2 ). D 1 (L 1 ) : Wen initially invoked, generate a random k, K 1 and b and store tem. Write k to te k-part and K 1 to te 1st (out of tree) segments of te x-part of te tape. (Te segments are of lengts l/2, l/2 and l corresponding to K 1, K 2 and R respectively.) Output (, ε). On te second invocation, run A(k) and answer its KDM queries ((φ 0 1, φ 0 2), (φ 1 1, φ 1 2)) as follows. Write a fres random value R onto te 3rd segment of te x-part of te tape. Call Has to get H, and resume A on (R, H (φ 1 (K 1 ) M 2 )), were M 2 := φ 2 (0 l/2 ) is te rigt K 2 -independent part of te message. Continue tis process until A decides to proceed to its second stage. Let st A denote A s state. Generate sufficiently many copies (R 1, C 1),..., (R q, C q) of eac of te KDM queries made in te first pase. Let List 1 denote te corresponding list of queried φ b 1. Return (0, (b, st A, (R 1, C 1),..., (R q, C q), List 1 )) and terminate. D 2 (L 2 ) : Wen initially invoked, generate a random K 2, store it, and write it to te 2nd segment of te x-part of te tape. Hand te attack back to D 1, by outputting (, ε). On te second invocation, parse L 2 appropriately as above. Resume A on st A and answer its KDM queries ((φ 0 1, φ 0 2), (φ 1 1, φ 1 2)) as follows. If φ b 1 List 1 pick a fres cipertext (R, C ) corresponding to φ b 1 and complete te cipertext preparation by setting C C (0 l/2 φ b 2(K 2 )). Oterwise generate a random R, write it onto te 3rd segment of te x-part of te tape, query Has to get H, and set C H (φ b 1(0 l/2 ) φ b 2(K 2 )). Resume A on (R, C; st A ) and continue in tis manner until A outputs a bit b. Return (b = b, ε) and terminate. Unpredictability. D s queries are distinct wit overwelming probability as fres randomness R is written on te tape before eac query. Trougout te attack, and wen te as oracle implements a random function, K 2 remains idden from D 1 as D 1 only sees distinct random values as as responses. Key K 1 also remains idden from D 2 as te (incomplete) cipertext components received from D 1 are random strings. Hence D C ppt C sup C dist. 10

11 5 Feasibility In tis section we start by sowing tat random oracles are ICE secure wit respect to interesting distinguiser classes (in particular, wit respect to te restrictions needed for te presented applications). We ten consider te ICE security of practical as constructions built from fix-input-lengt (FIL) ROs. In particular, we look at a keyed variant of Liskov s Zipper Has [Lis07] and sow tat it acieves ICE security in te FIL-RO model. Interestingly, we sow tat bot HMAC and NMAC constructions [BCK96], wic were recently sown to be UCE secure in FIL-ROM [Mit14], fail to be ICE secure. Tis result yields a natural counterexample to te composability of HMAC in multi-stage settings, similarly to tat given by Ristenpart, Sacam, and Srimpton in [RSS11]. Furtermore, it provides a separation between ICE and UCE. Our results also demonstrate tat Zipper Has can provide a iger level of security compared to HMAC wen used in multi-stage settings. 5.1 ICEs from random oracles BHK [BHK13b] sow tat UCE-secure as functions can be provably constructed in te RO model. Te pilosopical justifications of tis result are tat tere are no structural weaknesses in te definitional framework, and more importantly, a layered approac to protocol design in te RO model can be enabled [BHK13b]. We sow tat ICEs also enjoy RO feasibility. Let H.kl( ) and H.ol( ) be two arbitrary functions as in te syntax of a as function. Let R be a family of variable-input-lengt (VIL) ROs (i.e., wit domain {0, 1} ) and range {0, 1} H.ol(λ). We construct te required as function H R by defining te key-generation algoritm H.Kg(1 λ ) to return a random k $ {0, 1} H.kl(λ) and te evaluation algoritm H.Ev R (k, x) to return R(k x). Our first feasibility result is as follows. Teorem 1 (ICE feasibility in ROM). Te VIL as function H R constructed above is ICE[C] secure in te VIL-RO model for R for te following (incomparable) classes of adversaries: C := C poly C sup and C := C ppt C cup. Te proof of tis teorem is similar to te proof of [BHK13b, Teorem 6.1] for UCEs, and we give te details in Appendix C. Intuitively, we rely on unpredictability of queries to simulate te random oracles used in te construction and implicit in te ICE game independently. Interestingly, distinctness of queries will not be needed in tis proof and we do not restrict te classes to C dist. We note tat te above classes include all tose needed for te applications, as listed in Table 2. We also note tat tis teorem generalizes te feasibility of UCEs for unpredictable sources in ROM [BHK13b] as it can be easily verified tat C uce C cup 2 C ppt C cup and C uce C sup 2 C ppt C sup. 5.2 VIL-ICEs from ideal compression Practical variable-input-lengt (VIL) as functions are not monolitic objects. Tey often follow iterative modes of caining tat convert a fix-input-lengt (FIL) compression function to one tat accepts variable-lengt inputs. Tis design principle as been successfully validated via te indifferentiability framework of Maurer, Renner, and Holenstein [MRH04,CDMP05], wereby an indifferentiable as-function construction is sown to securely compose wen used in place of a random oracle. As pointed out in [RSS11], te indifferentiability framework only guarantees composition in single-stage environments. Te ICE and UCE games, owever, are inerently multi-staged and lie outside te reac of (plain) indifferentiability. Mittelbac [Mit14] develops new tecniques to extend te reac of (plain) indifferentiability to certain classes of multi-stage games. In particular, e sows tat te HMAC and NMAC constructions are UCE secure. Interestingly, we sow tat tese results do not carry over to te ICE model: HMAC and NMAC provably fail to be ICE secure. On te oter and, we build on Mittelbac s tecniques to prove tat a variant of Zipper Has [Lis07] is provably ICE secure. 11

12 k ipad m 1 m 2 m l IV replaced by k 1 for NMAC k opad IV H.Ev (k, m) replaced by k 2 for NMAC Fig. 4. Te HMAC construction. If te dased boxes are excanged for independent keys k 1 and k 2, we obtain NMAC. Here we are ignoring padding. Attacks on HMAC and NMAC. Te HMAC and NMAC constructions are sown in Figure 4. If we denote te iterated compression function used in HMAC by, ten it is easily seen tat key k is only used on te outer -evaluations. Consider an ICE distinguiser D 1 wic olds k, computes te values y 1 := (k ipad, IV) and y 2 := (k opad, IV) and sends tem to distinguiser D 2. Given (y 1, y 2 ), distinguiser D 2 can compute te HMAC values for any x {0, 1} under k. Tus, in order to win te ICE game, D 2 simply cooses a random x and writes it on te input tape, and calls Has to receive a value y. It ten locally recomputes H.Ev (k, x) using te compression function and values (y 1, y 2 ). If te results matc, it outputs 1, and else it outputs 0. It is easily seen tat tis adversary wins ICE wit overwelming probability. Furtermore, given (y 1, y 2 ), te as key k remains statistically idden from D 2 (as te number of queries is bounded by a polynomial). Value x, being random, also remains statistically idden from D 1. Formally, tis attack breaks ICE[C] for C := C ppt C sup C 1,1,1 C 1-k 1 C 0 1 C 0-k 2 C ε 2. Zipper Has. Te above attack raises te question if any iterative as function can be ICE[C] secure for a meaningful class of distinguisers C. We sow tat a ybrid construction of a keyed version of Liskov s Zipper Has construction [Lis07] and copped Merkle Damgård (cop-md) of Coron et al. [CDMP05] is ICE secure. Zipper Has can be regarded as a basic Merkle Damgård sceme were te message is processed twice, te second time in reversed block order. cop-md refers to te construction were a as value consists only of te first alf of te output bits of te final compression function. Our ybrid construction results from adding te cop step to Zipper Has. Furtermore, we consider a keyed variant of Zipper Has by prepending te as key to te message. We assume tat key lengt matces block lengt, wic means tat te first and last evaluations of te compression function operate on te as key. We denote tis keyed variant of Zipper Has by cop-kzip. Figure 5 sows a scematic diagram of te construction, and Appendix D.1 gives furter details. Teorem 2 (Zipper Has s ICE security). Te VIL as function cop-kzip constructed above is ICE[C] secure in te FIL-RO model for : {0, 1} µ {0, 1} n {0, 1} n for te class C := C poly C sup C dist C 1-k 1 C 0 1 C 0-k 2 C ε 2. An analogous result olds for polynomial-time distinguisers tat are only computationally unpredictable. In Appendix D.2 we give te proof, were we also present a self-contained introduction to te unsplittability tecnique [Mit14]. Appendix D.3 contains te full security analysis. Note tat class C above contains tat class used to attack HMAC and ence cop-kzip provably acieves a iger level of security in multi-stage games. We note tat te reac of te above feasibility result includes all applications scenarios listed in Table 2. In particular, cop-kzip can security replace te random oracle in tese applications. For tis also note tat we can easily drop C 0 1 by requesting tat in te last round D 1 12

13 k m 1 m l m l m 1 k IV g H.Ev(k, m) Fig. 5. Te Zipper Has construction merged wit cop-md [CDMP05] and keyed wit k. Te final node g corresponds to te projection to te first alf of te output of. outputs a guess for b wic D 2 ecoes. Wit te oter restrictions present tis cange is witout loss of generality. Tis result cannot be strengtened for te (large) adversarial classes tat were used in Teorem 1. To see tis, consider two distinguisers tat engage in a distributed computation of cop-kzip as values as follows. Distinguiser D 1 knows k and m 1 and D 2 knows m 2, were message m := m 1 m 2 is being ased. Distinguiser D 1 computes an intermediate as digest using (k, m 1 ) and forwards it to D 2. Distinguiser D 2 now computes anoter iteration of te as using m 2 and forwards te result to D 1. Distinguiser D 1 can now complete te as computation using its knowledge of (k, m 1 ) and te intermediate as digest tat it receives. A straigtforward generalization of tis attack also rules out multi-pass variants of cop-kzip (were messages are processed multiple times in te forward and backward directions), including tose wose number of passes is not fixed a priori and can depend on te number of message blocks. Tis is due to te fact tat te number of rounds in an ICE attack is not fixed. Tis, in turn, raises te question if ICE[C poly C sup ] is feasible in te FIL-RO model. We conclude te paper wit a candidate construction tat we conjecture to reac tis level of security. Mix Has. Let : {0, 1} n {0, 1} n {0, 1} n be a compression function. Let m := m 1 m l ({0, 1} n ) l be a message wit l blocks of lengt n eac. Let Mix (m) denote te transformation tat maps m to M := i j M i,j were M i,j := (m i, m j ) for 1 i < j l. (Terefore M as l(l 1)/2 blocks.) Now let k {0, 1} n be a as key and define MixHas (k, m) := HMAC (0 n, Mix (k m)). Note tat MixHas places Θ(l 2 ) calls to its compression function. 12 Te design rationale beind MixHas is as follows. All intermediate digests values M i,j are needed in order to successfully compute a as value. Tese values, owever, consist of all pairs (m i, m j ) compressed troug. Since is a monolitic object, M i,j cannot be computed in a distributed way, a strategy tat was used in all previous attacks. In oter words, one of te distinguisers as to know (k, m) in full and ence will violate unpredictability. To see tis, suppose D 1 does not know m j in full and D 2 does not know m i in full for some i < j. Ten tere is no way for tese parties to learn M i,j := (m i, m j ) witout one of tem explicitly quarrying on (m i, m j ). Tis owever means tat bot m i and m j are known to te quarrying party, wic leads to a contradiction. We leave a formal analysis of MixHas in te FIL-RO model for as future work. Acknowledgments Te autors would like to tank Cristina Brzuska for taking part in te early stages of tis work. Pooya Farsim was supported in part by grant ANR-14-CE (Project EnBid). References [BC10] Miir Bellare and David Cas. Pseudorandom functions and permutations provably secure against relatedkey attacks. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages Springer, Heidelberg, August Indeed, MixHas is a (igly) offline function: for α [0, 1], it requires space rougly nl 1 α bits after a fraction α of te nl(l + 1)/2 bits are processed. 13

14 [BCFW09] Alexandra Boldyreva, David Cas, Marc Fisclin, and Bogdan Warinsci. Foundations of non-malleable as and one-way functions. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages Springer, Heidelberg, December [BCK96] Miir Bellare, Ran Canetti, and Hugo Krawczyk. Keying as functions for message autentication. In Neal Koblitz, editor, CRYPTO 96, volume 1109 of LNCS, pages Springer, Heidelberg, August [BFM14] Cristina Brzuska, Pooya Farsim, and Arno Mittelbac. Indistinguisability obfuscation and UCEs: Te case of computationally unpredictable sources. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages Springer, Heidelberg, August [BG81] C. H. Bennett and J. Gill. Relative to a random oracle A, P A NP A conp A wit probability 1. SIAM Journal on Computing, 10(1):96 113, [BGI + 01] Boaz Barak, Oded Goldreic, Russell Impagliazzo, Steven Rudic, Amit Saai, Salil P. Vadan, and Ke Yang. On te (im)possibility of obfuscating programs. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages Springer, Heidelberg, August [BH15] Miir Bellare and Viet Tung Hoang. Resisting randomness subversion: Fast deterministic and edged publickey encryption in te standard model. In Elisabet Oswald and Marc Fisclin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages Springer, Heidelberg, April [BHK13a] Miir Bellare, Viet Tung Hoang, and Sriram Keelveedi. Instantiating random oracles via UCEs. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages Springer, Heidelberg, August [BHK13b] Miir Bellare, Viet Tung Hoang, and Sriram Keelveedi. Instantiating random oracles via UCEs. Cryptology eprint Arcive, Report 2013/424, ttp://eprint.iacr.org/2013/424. [BHK14] [BK03] [BK09] [BK15] [BM14a] [BM14b] [BM15] [BR93] [BRS03] [BST15] [Can97] [CD08] [CD09] Miir Bellare, Viet Tung Hoang, and Sriram Keelveedi. Cryptograpy from compression functions: Te UCE bridge to te ROM. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages Springer, Heidelberg, August Miir Bellare and Tadayosi Kono. A teoretical treatment of related-key attacks: RKA-PRPs, RKA- PRFs, and applications. In Eli Biam, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages Springer, Heidelberg, May Alex Biryukov and Dmitry Kovratovic. Related-key cryptanalysis of te full AES-192 and AES-256. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages Springer, Heidelberg, December Miir Bellare and Sriram Keelveedi. Interactive message-locked encryption and secure deduplication. In Jonatan Katz, editor, PKC 2015, volume 9020 of LNCS, pages Springer, Heidelberg, Marc / April Cristina Brzuska and Arno Mittelbac. Indistinguisability obfuscation versus multi-bit point obfuscation wit auxiliary input. In Palas Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS, pages Springer, Heidelberg, December Cristina Brzuska and Arno Mittelbac. Using indistinguisability obfuscation via UCEs. In Palas Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS, pages Springer, Heidelberg, December Cristina Brzuska and Arno Mittelbac. Universal computational extractors and te superfluous padding assumption for indistinguisability obfuscation. Cryptology eprint Arcive, Report 2015/581, ttp://eprint.iacr.org/. Miir Bellare and Pillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Asby, editor, ACM CCS 93, pages ACM Press, November Jon Black, Pillip Rogaway, and Tomas Srimpton. Encryption-sceme security in te presence of key-dependent messages. In Kaisa Nyberg and Howard M. Heys, editors, SAC 2002, volume 2595 of LNCS, pages Springer, Heidelberg, August Miir Bellare, Igors Stepanovs, and Stefano Tessaro. Contention in cryptoland: Obfuscation, leakage and UCE. Cryptology eprint Arcive, Report 2015/487, ttp://eprint.iacr.org/2015/487. Ran Canetti. Towards realizing random oracles: Has functions tat ide all partial information. In Burton S. Kaliski Jr., editor, CRYPTO 97, volume 1294 of LNCS, pages Springer, Heidelberg, August Ran Canetti and Ronny Ramzi Dakdouk. Extractable perfectly one-way functions. In Luca Aceto, Ivan Damgård, Leslie Ann Goldberg, Magnús M. Halldórsson, Anna Ingólfsdóttir, and Igor Walukiewicz, editors, ICALP 2008, Part II, volume 5126 of LNCS, pages Springer, Heidelberg, July Ran Canetti and Ronny Ramzi Dakdouk. Towards a teory of extractable functions. In Omer Reingold, editor, TCC 2009, volume 5444 of LNCS, pages Springer, Heidelberg, Marc