Random Oracles are Practical: A Paradigm for Designing Efficient Protocols (presentation transcript)
1
Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
Mihir Bellare
Phillip Rogaway
ACM CCS 1993
  • Presented by Ed Kaiser

2
Motivation (pg. 2)
  • Large gap between the work and views of theoreticians and
    practitioners.
  • "theoretical work gains security at cost of
    efficiency"
  • "theorists build PRFs from one-way functions,
    while in practice, one-way functions are built
    from PRFs"

3
Overview
  • Definitions
  • The Random Oracle Paradigm
  • Notation
  • Encryption
  • Polynomial Security
  • Chosen Ciphertext Security
  • Non-malleability
  • Signatures
  • Zero Knowledge
  • Instantiation Tips

4
Random Oracle Paradigm (pg. 3)
  • Find a formal definition of the problem in the
    random oracle model.
  • Devise a protocol that solves the problem.
  • Prove the protocol satisfies the definition.
  • Replace oracle accesses by computation of a real
    function (e.g., hash function).

5
Cautions on the Paradigm
  • h is not really a random function
  • instantiating R with h is only empirically secure
  • Protocol must be independent of h
  • h must resist cryptanalytic attack
  • h must hide structure as a result of its
    construction

6
Notation (pg. 5)
  • finite string space $\{0,1\}^*$
  • infinite string space $\{0,1\}^\infty$
  • negligible function $\nu(k) \le k^{-c}$ for all $k \ge k_c$, for every $c > 0$
  • negligible function class $k^{-\omega(1)}$
  • probabilistic polynomial time: PPT

7
Notation Cont'd (pg. 6): Random Oracles
  • random oracle $R: \{0,1\}^* \to \{0,1\}^\infty$
  • each bit of $R(x)$ is random
  • uniform and independent
  • set of all random oracles: $2^\infty$

8
Notation Cont'd: Other Generators
  • random hash function $H: \{0,1\}^* \to \{0,1\}^k$
  • trapdoor permutation generator
  • $\mathcal{G}: 1^k \to (f, f^{-1}, d)$
  • $d$ probabilistically generates domain values
  • $f$ and $f^{-1}$ are permutations on $d(1^k)$
  • $\Pr[(f, f^{-1}, d) \leftarrow \mathcal{G}(1^k);\ x \leftarrow d(1^k);\ y \leftarrow f(x):\ A(f, d, y) = x]$
    must be negligible
  • e.g. RSA or modular squaring

9
Encryption (pg. 6): Definitions
  • PPT generator $G: 1^k \to (E, D)$
  • encryption $y \leftarrow E^R(x)$
  • decryption $x \leftarrow D^R(y)$, or $\bot$
  • invariant $D^R(E^R(x)) = x$

10
Polynomial Security (pg. 7): Old Badness
  • $B_f$ is a hard-core predicate for $f$
  • $E(x) = f(r_1) \,\|\, \cdots \,\|\, f(r_{|x|})$
  • $r_i$ are randomly chosen such that $B_f(r_i) = x_i$
  • encryption length is $O(k \cdot |x|)$
  • encryption effort is $O(|f| \cdot |x|)$ ($|f|$ = cost of one evaluation of $f$)
  • decryption effort is $O(|f^{-1}| \cdot |x|)$

11
Polynomial Security (pg. 7): In Random Oracle Model
  • Given adversary $(F^R, A^R)$, chosen plaintext
    security in this model is
  • $\Pr[\, R \leftarrow 2^\infty;$
  • $(E, D) \leftarrow G(1^k);$
  • $(m_0, m_1) \leftarrow F^R(E);$
  • $b \leftarrow \{0,1\};$
  • $y \leftarrow E^R(m_b):$
  • $A^R(E, m_0, m_1, y) = b \,] \le \tfrac12 + k^{-\omega(1)}$

12
Polynomial Security Cont'd: Defining E and D
  • 0) $G: 1^k \to (E, D)$ uses $\mathcal{G}$ to create $(f, f^{-1}, d)$
  • $y' \| y'' \leftarrow E^R(x) = \{\, r \leftarrow d(1^k);\ f(r) \,\|\, (R(r) \oplus x) \,\}$
  • $x \leftarrow D^R(y' \| y'') = y'' \oplus R(f^{-1}(y'))$
  • Efficiency
  • encryption size is $O(|x| + k)$
  • encryption speed is $O(|f|)$

13
Polynomial Security Cont'd (pg. 18): Proof Sketch
  • build adversary $B$ that breaks the trapdoor
    permutation from a CP-adversary $(F, A)$ with
    advantage $\mathrm{Adv}_{CP}$
  • $B(f, d, y)$:
      simulate $R(x)$: if $f(x) = y$ then halt and output $x$;
        else flip coins and return the result
      simulate $E(x)$: $r \leftarrow d(1^k)$; return $f(r) \,\|\, (R(r) \oplus x)$
      $(m_0, m_1) \leftarrow F^R(E)$
      $y' \leftarrow y \,\|\, \{0,1\}^{|m_0|}$
      run $A^R(E, m_0, m_1, y')$
      output a random string
  • event $A_k$: the simulated $R$ is queried at some $x$ with $f(x) = y$
    (then $B$ has inverted $f$ at $y$)
  • $\Pr[A \text{ wins} \mid A_k]\Pr[A_k] + \Pr[A \text{ wins} \mid \overline{A_k}]\Pr[\overline{A_k}] = \tfrac12 + \mathrm{Adv}_{CP}$
  • $\Pr[A \text{ wins} \mid \overline{A_k}] = \tfrac12$ ($y'$ is independent of $b$) $\;\Rightarrow\; \Pr[A_k] \ge \mathrm{Adv}_{CP}$
  • $\mathrm{Adv}_{\mathrm{Poly}} \ge \Pr[A_k] \ge \mathrm{Adv}_{CP}$

14
Chosen Ciphertext Security (pg. 8): In Random Oracle Model
  • Given adversary $(F^{R, D^R}, A^{R, D^R})$, chosen ciphertext
    security in this model is
  • $\Pr[\, R \leftarrow 2^\infty;$
  • $(E, D) \leftarrow G(1^k);$
  • $(m_0, m_1) \leftarrow F^{R, D^R}(E);$
  • $b \leftarrow \{0,1\};$
  • $y \leftarrow E^R(m_b):$
  • $A^{R, D^R}(E, m_0, m_1, y) = b \,] \le \tfrac12 + k^{-\omega(1)}$

NB: $A$ must not query $D^R(y)$
15
Chosen Ciphertext Security Cont'd: Defining E and D
  • 0) $G: 1^k \to (E, D)$ uses $\mathcal{G}$ to create $(f, f^{-1}, d)$
  • $y' \| y'' \| y''' \leftarrow E^{R,H}(x) = \{\, r \leftarrow d(1^k);\ f(r) \,\|\, (R(r) \oplus x) \,\|\, H(r \| x) \,\}$
  • $x \leftarrow D^{R,H}(y' \| y'' \| y''')$: let $r = f^{-1}(y')$ and $x = y'' \oplus R(r)$;
    output $x$ if the recomputed hash $H(r \| x)$ equals $y'''$
  • $\bot$ otherwise
  • Efficiency
  • encryption size is $|x| + 2k$
  • encryption speed is $O(|f|)$
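
As an added worked example (not code from the paper or the talk), the schemes of slide 12 and slide 15 in Python, with textbook RSA standing in for the trapdoor permutation generator and SHA-256 as the instantiation of the oracles $R$ and $H$; the key parameters and plaintexts are constructed demo values. The last helper shows why the $H(r \| x)$ tag matters: flipping one ciphertext bit flips a plaintext bit in the slide-12 scheme, while the slide-15 decryptor rejects the modified ciphertext.

```python
import hashlib
import os

# Toy trapdoor permutation: textbook RSA on two Mersenne primes (constructed demo
# parameters, far too small for real use). f is public, f_inv needs the trapdoor.
P, Q, E_EXP = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # byte length of an element of Z_N

def f(r): return pow(r, E_EXP, N)        # trapdoor permutation f
def f_inv(y): return pow(y, D_EXP, N)    # its inverse f^-1 (uses the trapdoor)
def d(): return int.from_bytes(os.urandom(K + 8), "big") % N  # r <- d(1^k)
def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))

def R(r, nbytes):
    # Instantiation (my choice) of R: {0,1}* -> {0,1}^inf by SHA-256 in counter mode.
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(b"R" + r.to_bytes(K, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]

def H(r, x):
    # Instantiation (my choice) of the k-bit oracle H used as the tag; k = 256 here.
    return hashlib.sha256(b"H" + r.to_bytes(K, "big") + x).digest()

def enc_poly(x):                         # slide 12: y'||y'' = f(r) || (R(r) xor x)
    r = d()
    return f(r).to_bytes(K, "big") + xor(R(r, len(x)), x)

def dec_poly(y):                         # slide 12: x = y'' xor R(f^-1(y'))
    r = f_inv(int.from_bytes(y[:K], "big"))
    return xor(R(r, len(y) - K), y[K:])

def enc_cca(x):                          # slide 15: f(r) || (R(r) xor x) || H(r||x)
    r = d()
    return f(r).to_bytes(K, "big") + xor(R(r, len(x)), x) + H(r, x)

def dec_cca(y):                          # slide 15: return x only if the tag checks, else None (bottom)
    y1, y2, y3 = y[:K], y[K:-32], y[-32:]
    r = f_inv(int.from_bytes(y1, "big"))
    x = xor(R(r, len(y2)), y2)
    return x if H(r, x) == y3 else None

def flip_first_plaintext_byte(y):
    # Flip one bit of y'' (the byte right after f(r)): the slide-12 scheme is
    # malleable (the plaintext bit flips too), the slide-15 tag makes dec_cca reject.
    t = bytearray(y); t[K] ^= 0x01
    return bytes(t)
```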

16
Chosen Ciphertext Security (pg. 18): Proof Sketch
  • $B(f, d, y)$:
      simulate $R(x)$: if $f(x) = y$ then halt and output $x$;
        if $x$ has been recorded then return the recorded result;
        else flip coins, record and return the result
      simulate $H(x \| x')$: similar to above
      simulate $E(x)$: $r \leftarrow d(1^k)$; return $f(r) \,\|\, (R(r) \oplus x) \,\|\, H(r \| x)$
      simulate $D(y' \| y'' \| y''')$: check that $R$ has been asked some $r$ with $y' = f(r)$;
        check that $H$ has been asked $r \| x$ with $y''' = H(r \| x)$;
        if either check fails or $y'' \ne R(r) \oplus x$ then return $\bot$;
        else return $x$
      $(m_0, m_1) \leftarrow F^{R, H, D^{R,H}}(E)$
      $y' \leftarrow y \,\|\, \{0,1\}^{|m_0|} \,\|\, \{0,1\}^k$
      run $A^R(E, m_0, m_1, y')$
      output a random string
  • event $A_k$: the simulated $R$ is queried at some $x$ with $f(x) = y$
17
Chosen Ciphertext Security: Proof Cont'd
  • Let $L_k$ be the event that $D^{R,H}$ was queried with a
    valid input yet $H$ had not been queried with its
    portion of the input before
  • $\Pr[L_k] \le \text{queries} / 2^k$
  • $\Pr[A \text{ wins}] = \Pr[A \text{ wins} \mid L_k \vee A_k]\Pr[L_k \vee A_k] + \Pr[A \text{ wins} \mid \overline{L_k \vee A_k}]\Pr[\overline{L_k \vee A_k}]$
  • $\Pr[A \text{ wins} \mid L_k \vee A_k]\Pr[L_k \vee A_k] \le \Pr[L_k] + \Pr[A_k]$
  • $\Pr[A \text{ wins} \mid \overline{L_k \vee A_k}] = \tfrac12$
  • so $\tfrac12 + \mathrm{Adv}_{CC} = \Pr[A \text{ wins}] \le \text{queries} / 2^k + \Pr[A_k] + \tfrac12$
  • $\mathrm{Adv}_{\mathrm{Poly}} \ge \Pr[A_k] \ge \mathrm{Adv}_{CC} - \text{queries} / 2^k$

18
Non-Malleability (pg. 9): In Random Oracle Model
  • Given adversary $(F^R, A^R)$, security in the sense of
    non-malleability is that

$\Pr[\, R \leftarrow 2^\infty;\ (E, D) \leftarrow G(1^k);\ \mu \leftarrow F^R(E);\ x \leftarrow \mu^R(1^k);\ y \leftarrow E^R(x);\ y' \leftarrow A^R(E, \mu, y):\ \rho^R(x, D^R(y')) = 1 \,]$
$-\ \Pr[\, R \leftarrow 2^\infty;\ (E, D) \leftarrow G(1^k);\ \mu \leftarrow F^R(E);\ x \leftarrow \mu^R(1^k);\ y' \leftarrow \bar A^R(E, \mu):\ \rho^R(x, D^R(y')) = 1 \,]$
is negligible
19
Non-Malleability Cont'd: Defining E and D
  • Same description as for chosen ciphertext
  • 0) $G: 1^k \to (E, D)$ uses $\mathcal{G}$ to create $(f, f^{-1}, d)$
  • $y' \| y'' \| y''' \leftarrow E^{R,H}(x) = \{\, r \leftarrow d(1^k);\ f(r) \,\|\, (R(r) \oplus x) \,\|\, H(r \| x) \,\}$
  • $x \leftarrow D^{R,H}(y' \| y'' \| y''')$: let $r = f^{-1}(y')$ and $x = y'' \oplus R(r)$;
    output $x$ if the recomputed hash $H(r \| x)$ equals $y'''$
  • $\bot$ otherwise

20
Non-Malleability Cont'd (pg. 19): Proof Sketch
  • Define $\bar A^R(E, \mu)$ as:
      $x \leftarrow \mu(1^k)$; $r \leftarrow d(1^k)$
      $y \leftarrow f(r) \,\|\, (R(r) \oplus x) \,\|\, H(r \| x)$
      $y' \leftarrow A^R(E, \mu, y)$
      if $y' = y$ then output $E(0)$, else output $y'$
21
Non-Malleability: Proof Cont'd
  • Derive $\mathrm{E}_A[\rho(x, x')]$ by case, where $x' = D^R(y')$
  • 1) $y = y'$: $\rho(x, x') = 0$
  • 2) $y \ne y'$ and $A$ made no call $H(r' \| x')$
  • a) the tag of $y'$ equals $H(r' \| x')$: $\Pr \le 2^{-k}$
  • b) the tag of $y'$ differs from $H(r' \| x')$: $\rho(x, x') = 0$
  • 3) else
  • a) $y'$ is not a valid encryption: $\rho(x, x') = 0$
  • b) $y'$ is a valid encryption: $\Pr = \pi_{3b}$
  • i) $A$ made no call $R(r)$: $\Pr$ is within $\nu(k)$ of $\pi_{3bi}$
  • ii) $A$ made the call $R(r)$: $\Pr \le \nu(k)$

22
Non-Malleability: Proof Cont'd
  • $\mathrm{E}_A[\rho(x, x')] \le \Pr[2a] + \Pr[3b] \cdot \mathrm{E}_A[\rho(x, x') \mid 3bi] + \Pr[3bii]$
  • $\le 2^{-k} + \pi_{3b}(\pi_{3bi} + \nu(k)) + \nu(k)$
  • $\mathrm{E}_{\bar A}[\rho(x, x')] \ge \Pr[3b] \cdot \mathrm{E}_{\bar A}[\rho(x, x') \mid 3bi]$
  • $\ge \pi_{3b}(\pi_{3bi} - \nu(k)) - \nu(k)$
  • So $\mathrm{E}_A[\rho(x, x')] - \mathrm{E}_{\bar A}[\rho(x, x')] \le 4\nu(k) + 2^{-k}$

23
Signatures (pg. 9): Definitions
  • Signature scheme $(G, \mathrm{Sign}, \mathrm{Verify})$
  • $G: 1^k \to (PK, SK)$
  • signing $\sigma \leftarrow \mathrm{Sign}^R(SK, m)$
  • verifying $\{0,1\} \leftarrow \mathrm{Verify}^R(PK, m, \sigma)$
  • invariant $\mathrm{Verify}^R(PK, m, \mathrm{Sign}^R(SK, m)) = 1\ \forall m$

24
Signatures: In Random Oracle Model
  • Given signing adversary $F$, security is
  • $\Pr[\, R \leftarrow 2^\infty;$
  • $(PK, SK) \leftarrow G(1^k);$
  • $(m, \sigma) \leftarrow F^{R, \mathrm{Sign}^R(SK, \cdot)}(PK):$
  • $\mathrm{Verify}^R(PK, m, \sigma) = 1 \,]$
  • is negligible.

NB: $m$ must not have been submitted to the signing oracle

25
Signatures (pg. 10): Defining G, Sign and Verify
  • 0) $G: 1^k \to (PK, SK)$ uses $\mathcal{G}$ to create $(f, f^{-1}, d)$
  • $PK \leftarrow f$
  • $SK \leftarrow f^{-1}$
  • $\sigma \leftarrow \mathrm{Sign}^{R,H}(SK, m) = f^{-1}(H(m))$
  • $\mathrm{Verify}^{R,H}(PK, m, \sigma) = 1$ if $f(\sigma) = H(m)$
  • $0$ otherwise
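
As an added worked example (not code from the paper or the talk), the slide-25 signature scheme in Python: textbook RSA is the trapdoor permutation, the public exponent plays $PK = f$ and the private exponent plays $SK = f^{-1}$, and SHA-256 reduced mod $N$ stands in for $H$ mapping into the domain of $f$ (my choice of instantiation; the paper's $H$ maps to $\{0,1\}^k$). Key parameters and messages are constructed demo values.

```python
import hashlib

# Same toy RSA trapdoor permutation as the encryption example (constructed demo
# parameters, not a real key): f(r) = r^e mod N, f^-1(y) = y^d mod N.
P, Q, E_EXP = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))

def H(m):
    # Instantiation (my assumption) of H: {0,1}* -> Z_N, hash-then-reduce mod N,
    # so that H(m) always lands in the domain of the permutation f.
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(sk, m):
    # slide 25: sigma = f^-1(H(m)); sk is the private exponent d.
    return pow(H(m), sk, N)

def verify(pk, m, sigma):
    # slide 25: 1 if f(sigma) = H(m), 0 otherwise; pk is the public exponent e.
    return 1 if pow(sigma, pk, N) == H(m) else 0
```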

26
Instantiation Tips (pg. 13)
  • 1) Do not instantiate based on the protocol
  • an appropriate instantiation should work for any
    protocol designed using a black box $R(\cdot)$
  • 2) Avoid instantiations revealing internal
    structure
  • e.g. $\mathrm{MD5}(x \| y \| z)$ can be easily computed
    given $x$, $\mathrm{MD5}(x)$, and $z$
  • suggestions include
  • truncating output: $h(x) = [\mathrm{MD5}(x)]_{64}$ (64-bit truncation)
  • limiting input size: $h(x) = \mathrm{MD5}(x)$ for $|x| \le 400$
  • non-standard use: $h(x) = \mathrm{MD5}(x \| x)$