The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Similar documents
Semantic Security of RSA. Semantic Security

Symmetric Encryption

The Cramer-Shoup Cryptosystem

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

ASYMMETRIC ENCRYPTION

Random Oracles in a Quantum World

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

RSA-OAEP and Cramer-Shoup

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

5199/IOC5063 Theory of Cryptology, 2014 Fall

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

ECS 189A Final Cryptography Spring 2011

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Chosen-Ciphertext Security without Redundancy

Random Oracles and Auxiliary Input

1 Number Theory Basics

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

OAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland

CPA-Security. Definition: A private-key encryption scheme

Digital Signatures. Adam O Neill based on

Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

Chosen Ciphertext Security with Optimal Ciphertext Overhead

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Provable security. Michel Abdalla

Lecture 14 - CCA Security

Notes for Lecture 9. 1 Combining Encryption and Authentication

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Public-Key Encryption

RSA and Rabin Signatures Signcryption

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

A survey on quantum-secure cryptographic systems

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Uninstantiability of Full-Domain Hash

A New Paradigm of Hybrid Encryption Scheme

Lecture 7: CPA Security, MACs, OWFs

f (x) f (x) easy easy

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

RSA OAEP is Secure under the RSA Assumption

CS 6260 Applied Cryptography

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Random Oracles and Auxiliary Input

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

On Post-Quantum Cryptography

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Modern Cryptography Lecture 4

Lectures 2+3: Provable Security

March 19: Zero-Knowledge (cont.) and Signatures

Secure and Practical Identity-Based Encryption

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Extending Oblivious Transfers Efficiently

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

10 Concrete candidates for public key crypto

Post-quantum security models for authenticated encryption

Extractable Perfectly One-way Functions

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

On the CCA1-Security of Elgamal and Damgård s Elgamal

Random Oracles in a Quantum World

Cryptographical Security in the Quantum Random Oracle Model

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Perfectly-Crafted Swiss Army Knives in Theory

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Authentication. Chapter Message Authentication

Introduction to Cybersecurity Cryptography (Part 4)

Simple SK-ID-KEM 1. 1 Introduction

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 9 - Symmetric Encryption

Type-based Proxy Re-encryption and its Construction

A Strong Identity Based Key-Insulated Cryptosystem

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

How to Encrypt with the LPN Problem

Public Key Cryptography

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

Chapter 11 : Private-Key Encryption

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

On the Selective-Opening Security of DHIES

Towards RSA-OAEP without Random Oracles

How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan

CRYPTANALYSIS OF COMPACT-LWE

Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Block ciphers And modes of operation. Table of contents

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Week : Public Key Cryptosystem and Digital Signatures

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Random Oracle Reducibility

Katz, Lindell Introduction to Modern Cryptrography

Lecture 10 - MAC s continued, hash & MAC

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Transcription:

1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography Examples where f is a trapdoor permutation Encryption: E h (x) = f(r) h(r) x for r R domain(f)andh:{0,1}* {0,1} Signatures: S h (x) = f 1 (h(x)) for h:{0,1}* range(f) Such heuristic constructions cannot be proven secure under standard cryptographic assumptions But can be proven secure in the random oracle model 1

Random Oracle Model 3 If h is a random oracle, then for each x, h(x) is drawn uniformly at random from the range of h If range of h is {0,1} then each bit of h(x) is chosen randomly h(x) returns the same value if invoked twice Strategy for using random oracles to solve problem Define in the model of computation in which all parties (including the adversary) share a random oracle h Develop an efficient protocol P for in this model Prove that P satisfies Replace oracle accesses to h by computation of some hash function that seems good enough IND-CPA and IND-CCA in the RO Model 4 Let H denote the set of all functions h:{0,1}* {0,1} l We modify the definition of encryption so that encryption and decryption take a random h as an oracle We denote this by AE = K, E h, D h The adversary A is also given h as an oracle Experiment h R H (pk, sk) K() return b Experiment h R H (pk, sk) K() return b 2

IND-CPA Encryption in the RO Model 5 Let h: {0,1}* {0,1} l Consider the following encryption scheme with plaintext space {0,1} l Let AE = K, E, D be a deterministic asymmetric encryption scheme Definition: r R Plaintexts(pk) return Experiment (pk, sk) K () M R Plaintexts(pk) return if M = M return 1 else return 0 IND-CPA in the RO Model 6 Proposition: where t = O(t). Proof: Given an IND-CPA attacker A, we build a OWF attacker B. B, on input (pk, C), implements h and for A. For any h(r) query by A or B: If E pk (r) = C, then halt and return r. If h(r) was previously queried, output same response. Otherwise B generates y R {0,1} l and saves (r, y). For any query, implement encryption faithfully. Except for query i, 1 i q e, chosen randomly, where B responds with (C, y) where y R {0,1} l. 3

IND-CCA Encryption in the RO Model 7 Let h 1 : {0,1}* {0,1} l 1 and h2 : {0,1}* {0,1} l 2 Consider the following encryption scheme with plaintext space {0,1} l 1 Let AE = K, E, D be a deterministic asymmetric encryption scheme r R Plaintexts(pk) return C 1, C 2, C 3 if (h 2 (r, M) = C 3 ) then return M else return IND-CCA in the RO Model 8 Proposition: where t = O(t). Proof: Given an IND-CCA attacker A, we build a OWF attacker B. B, on input (pk, C), implements h 1, h 2, and for A. For any h 1 (r) query by A or B: If E pk (r) = C, then halt and return r. If h 1 (r) was previously queried, output same response. Otherwise B generates y R {0,1} l 1 and saves (r, y). For any h 2 (r, M) query by A or B: If E pk (r) = C, then halt and return r. If h 2 (r, M) was previously queried, output same response. Otherwise B generates y R {0,1} l 2 and saves ((r, M), y). 4

IND-CCA in the RO Model 9 For any Whenever A queries If A previously queried h 1 (r) and h 2 (r, M) for r and M satisfying C 1 = E pk (r), C 2 = M h 1 (r), and C 3 = h 2 (r, M), then return M Otherwise abort query, implement it faithfully. Except for query i, 1 i q e, chosen randomly, where B responds with (C, y, z) where y R {0,1} l 1 and z R {0,1} l 2. Unfortunately, this is no longer indistinguishable to A. So, we need to quantify the probability that A distinguishes the simulation as such. IND-CCA in the RO Model 10 A distinguishes the simulation if it queries C 3 = h 2 (D sk (C 1 ), C 2 h 1 (D sk (C 1 ))) without first querying h 2 (D sk (C 1 ), C 2 h 1 (D sk (C 1 ))) where Simulated does not aborts on such a query, but real If q d oracle queries are made in total, then the probability of this happening is at most q d 2 l 2. If A does not distinguish the simulation, then B wins with probability at least 5

RSA-OAEP 11 RSA-OAEP is a standardized asymmetric encryption algorithm using the RSA permutation RSA-OAEP is IND-CCA secure, in the random oracle model, based on the one-wayness of the RSA permutation The reduction is not tight, however It was standardized under the belief that a tight reduction (in the RO model) to the one-wayness of RSA was shown This turned out to be false, and so while a reduction has been shown, the best known reduction is not tight RSA-OAEP 12 Let RSA N,e denote the RSA permutation on k bits with public key (N, e), and RSA N,d its inverse Let G: {0,1} k 0 {0,1} k k 0 and H: {0,1} k k 0 {0,1} k 0 denote hash functions (random oracles) Let [M] k1 denote k 1 least significant bits of M, and [M] n denote n most significant bits of M Plaintext space is {0,1} n, where k = n + k 0 + k 1 E N,e (m): r R {0,1} k 0 s G(r) (m, 0 k 1 ) t r H(s) c RSA N,e (s, t) return c D N,d (c): (s, t) R RSA N,d (c) r t H(s) M s G(r) if ([M] k1 = 0 k 1 ) then return [M] n else return 6

Instantiating a Random Oracle 13 Once we ve proved something in the random oracle model, we then have to instantiate the random oracle in practice There s no rigorous way to do it, and many potential stumbling blocks E.g., MD5: {0,1}* {0,1} 128 was thought to be one-way and collision resistant, and is a natural choice for a random oracle But x y z: MD5(x y z) can be computed from x, MD5(x) and z Some purely heuristic advice: choose one or more of these A hash function with truncated output (e.g., first 64 bits of MD5) A hash with its input length restricted (e.g., MD5 on inputs < 400 bits) A hash function used in some nonstandard way (e.g., MD5(x x)) Example: the first 64 bits of h((x x) C) for fixed random C 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback