Random Oracles

Provided by: Informatio367

1
Random Oracles
  • Motivation, Definition
  • Proof Methodology, Intuition
  • A sample proof of security using RO

2
Motivation
  • Luby and Rackoff proved that using Feistel
    Networks one can construct pseudo-random
    permutations from pseudo-random functions.
  • Conversely, if one needs a practical protocol for
    a one-way function, an ideal choice to start from
    is DES.

3
contd...
  • This implies that cryptographic systems may be
    perceived as generators of one-way trapdoor
    functions.
  • Reverse Abstraction.

4
Definition
  • A random oracle $R$ is a map from $\{0,1\}^*$ to
    $\{0,1\}^\infty$ chosen by selecting each bit of $R(x)$
    uniformly and independently, for every $x$.
  • Practical difficulties
  • No system can produce infinite length output
  • No PPT algorithm can achieve a truly random
    function even for finite length output(???)

5
Proof Methodology [verbatim BR93]
  • $\Pi$ is a protocol problem
  • Find a formal definition for $\Pi$ in the model of
    computation in which all parties share a random
    oracle R
  • Devise an efficient protocol p for $\Pi$ in this
    random oracle model
  • Prove that p satisfies the definition for $\Pi$

6
final step
  • Replace oracle access to R by computation of h

7
Intuition
  • We have a cryptosystem and we need to prove its
    security. The concrete instantiation
    precludes us from asserting any mathematical
    properties about the system. So we replace the
    randomly behaving functions with random oracles
    to exploit their abstract nature.

8
Pre-Condition
  • $\Pi$ and p should be independent of the hash
    function we use! Why??
  • A simple counterexample

9
Concretising the Methodology: Proof of security
of OAEP in the RO model
  • A detour into adaptive chosen ciphertext attack
  • Description of the OAEP scheme
  • Resilience of OAEP in the RO model for 5
    different attacks
  • Attack Game G1
  • G2
  • G3
  • G4
  • G5

10
Adaptive Chosen Cipher Text Attack (In the Random
Oracle Scenario)
  • Adversary makes a series of arbitrary queries to
    a decryption oracle. The oracle decrypts the
    messages and passes on the plaintexts to the
    adversary. (It is not required that the input
    ciphertexts are computed using the encryption
    algorithm)
  • The adversary prepares two messages $x_0$, $x_1$, and
    gives these to an encryption oracle. The
    encryption oracle chooses $b \in \{0,1\}$ at random,
    encrypts $x_b$, and gives the resulting target
    ciphertext $y^*$ to the adversary.

11
contd...
  • The adversary continues to submit ciphertexts $y$
    to the decryption oracle, subject only to the
    restriction that $y \ne y^*$.
  • The adversary outputs $\hat{b}$, representing its guess
    of $b$.

12
OAEP
  • The general scheme makes use of a one-way
    trapdoor permutation. Let $f$ be the permutation,
    acting on $k$-bit strings, and $g$ its inverse. The
    scheme also makes use of two parameters $k_0$ and $k_1$,
    which should satisfy $k_0 + k_1 < k$. It should also
    be the case that $2^{-k_0}$ and $2^{-k_1}$ are negligible
    quantities.
  • The scheme encrypts messages
  • $x \in \{0,1\}^n$, where $n = k - k_0 - k_1$

13
OAEP
  • The scheme also makes use of three functions
  • $G: \{0,1\}^{k_0} \to \{0,1\}^n$
  • $H': \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}$, $H: \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$
  • These three functions will be modeled as
    independent random oracles in the security
    analysis.

14
OAEP: Key Generation
  • This simply runs the generator for the one-way
    trapdoor permutation scheme, obtaining f and g.
    The public key is f, and the private key is g.

15
OAEP: Encryption
  • Given a plaintext $x$, the encryption algorithm
    randomly chooses $r \in \{0,1\}^{k_0}$, and then
    computes
  • $s \in \{0,1\}^{n+k_1}$, $t \in \{0,1\}^{k_0}$, $w \in \{0,1\}^k$, $y \in \{0,1\}^k$
  • as follows
  • $s = (G(r) \oplus x) \,\|\, H'(r \,\|\, x)$,
  • $t = H(s) \oplus r$,
  • $w = s \,\|\, t$,
  • $y = f(w)$
  • The ciphertext is $y$.

16
OAEP: Decryption
  • Given a ciphertext $y$, the decryption algorithm
    computes
  • $s \in \{0,1\}^{n+k_1}$, $t \in \{0,1\}^{k_0}$, $w \in \{0,1\}^k$, $r \in \{0,1\}^{k_0}$, $x \in \{0,1\}^n$, $c \in \{0,1\}^{k_1}$
  • as follows
  • $w = g(y)$, $s = w[0 \ldots n+k_1-1]$,
  • $t = w[n+k_1 \ldots k-1]$, $r = H(s) \oplus t$,
  • $x = G(r) \oplus s[0 \ldots n-1]$, $c = s[n \ldots n+k_1-1]$
  • If $c = H'(r \,\|\, x)$, then the algorithm outputs the
    cleartext $x$; otherwise, the algorithm rejects the
    ciphertext.

17
Proof of security in the Random Oracle Model
  • Strategy
  • The attack is perceived as a game that adversary
    plays against the honest party through Decryption
    Oracle
  • G0 is the original game; success in it implies
    the insecurity of the model.
  • We define a sequence of games G1, G2, G3, G4, G5
  • For each of these games, let $S_i$ denote the event that
    the adversary is successful, i.e. $\hat{b} = b$
  • We show that for $1 \le i \le 5$, the quantity
    $|\Pr[S_{i-1}] - \Pr[S_i]|$ is negligible
  • From the definition of G5, show that $\Pr[S_5] = 1/2$

18
Definitions
  • Note that any ciphertext y implicitly defines
    values w, s, t, r, x and c through the decryption
    oracle.
  • Let $w^*, s^*, t^*, r^*, x^*, c^*$ be the corresponding
    implicitly defined values for $y^*$.
  • Also note that $x^* = x_b$ and $c^* = H'(r^* \,\|\, x^*)$
  • We define $S_G$, $S_H$ and $S_{H'}$ to be the sets of
    values at which A queried G, H and H'. Note that
    the set $S_{H'}$ is a set of pairs $(r, x)$
  • We view these sets as growing incrementally as the
    attack proceeds: elements are added to them only
    when a random oracle is queried by A.

19
More definitions
  • Let $q_G$, $q_H$ and $q_{H'}$ be bounds on the number of
    queries made by A to the oracles G, H and H'
    respectively, and let $q_D$ bound the number of
    decryption oracle queries
  • A's view is the sequence of random variables
  • $\mathit{View} = \langle X_0, X_1, \ldots, X_{q_G+q_H+q_{H'}+q_D+1} \rangle$
  • $X_0$ consists of A's coin tosses and the public key
    of the encryption scheme.
  • $X_i$ for $i \ge 1$ consists of a response to either a
    random oracle query, a decryption oracle query,
    or the encryption oracle query.

20
Last set of definitions
  • The $i$th such query is a function of
    $\langle X_0, X_1, \ldots, X_{i-1} \rangle$ (why?)
  • The adversary's final output $\hat{b}$ is a function of
    View
  • At any fixed point in time, A has made some
    number, say $m$, of queries, and we define
  • $\mathit{CurrentView} = \langle X_0, X_1, \ldots, X_m \rangle$
  • WLOG, we assume that if A queried $H'(r \,\|\, x)$, then it
    already queried $G(r)$

21
G0
  • The original attack game.
  • $S_0$ is the event that $\hat{b} = b$

22
G1
  • We modify the original game G0 like this.
  • Given a ciphertext y, the new decryption oracle
    computes w, s, t, r, x, c as in the decryption.
  • If G0 rejects, so does G1
  • In addition, the new oracle also rejects if
    $(r, x) \notin S_{H'}$
  • In practice
  • The decryption oracle computes $r$, and if $r \notin S_G$ then
    it rejects without querying $G(r)$
  • If $r \in S_G$, then $x$ is computed and the oracle checks whether
    $(r, x) \in S_{H'}$. If not, it rejects without querying
    $H'(r \,\|\, x)$

23
How different is G1 from G0?
  • Let F1 be the event that a ciphertext is rejected
    in G1 that would not have been rejected under the
    rules of game G0.

24
Computing Probability of F1 is computing $|\Pr[S_0] - \Pr[S_1]|$
  • If $r = r^*$ and $x = x^*$ then we must have $c \ne c^*$.
    In this case, the ciphertext is rejected in G0 anyway
    and is not part of the event F1. So assume
    that $x \ne x^*$ or $r \ne r^*$. So now the encryption
    oracle has made the query $H'(r^* \,\|\, x^*)$ but not
    $H'(r \,\|\, x)$.
  • So, if A has not made the query $H'(r \,\|\, x)$, the
    value of $H'(r \,\|\, x)$ is independent of CurrentView,
    and hence independent of $c$, which is a function
    of CurrentView and H. Therefore, the probability
    that $c = H'(r \,\|\, x)$ is $1/2^{k_1}$

25
What has Random Oracle given us?
  • How is $c$ dependent on CurrentView?
  • Then how is $H'(r \,\|\, x)$ independent of
    CurrentView?
  • What happens when the oracle is instantiated?
  • The probability that $c = H'(r \,\|\, x)$ is $1/2^{k_1}$. Hence
    G1 is only negligibly different from G0
  • The result of this step: $|\Pr[S_0] - \Pr[S_1]| \le q_D / 2^{k_1}$

26
G2
  • Game G2 works quite like G1.
  • If G1 rejects, so does G2. But G2 also
    rejects if $s \notin S_H$
  • How different is G2 from G1?
  • Let F2 be the event that a ciphertext is rejected
    in G2 that would not have been rejected under the
    rules of game G1
  • Consider a ciphertext $y \ne y^*$ with $s \notin S_H$
    submitted to the decryption oracle. We need to
    find out the probability that $y$ will not be
    rejected in G1

28
G2
  • We need to consider two cases: $s = s^*$ and $s \ne s^*$
  • Case 1: $s = s^*$.
  • $s = s^*$ and $y \ne y^*$ implies $t \ne t^*$. Further, $s = s^*$
    and $t \ne t^*$ implies that $r \ne r^*$. If this
    ciphertext is rejected under G2 and would not be
    rejected under the rules of G1, it must be the
    case that $H'(r^* \,\|\, x^*) = H'(r \,\|\, x)$
  • What is the probability for this?
  • $q_{H'} / 2^{k_1}$

30
G2
  • Case 2: $s \ne s^*$.
  • In this case, the oracle H was never queried at $s$
    by either A, the encryption oracle or the
    decryption oracle.
  • Hence $s$ is not in the view, which implies that $t$ is
    not in the view. This implies that $r$ is independent
    of CurrentView.
  • Now we need to find the probability that G1 does
    not reject this ciphertext. For that, $r$ should
    be in $S_G$.
  • What is the probability for it? $q_G / 2^{k_0}$
  • This implies that $|\Pr[S_1] - \Pr[S_2]|$ is negligible.

31
G3: Getting rid of the trapdoor function in the
decryption oracle
  • Given $y$.
  • The decryption oracle iterates through all pairs
    $(r', x') \in S_{H'}$. For each of these, it can compute
    $y'$, using the encryption equations.
  • If $y' = y$ at any time, it stops and
    outputs $x'$
  • If the iteration stops without finding $y$, it
    rejects.
  • Easy to see that G3 is the same as G2. Only the
    computational and space complexity at the
    decryption oracle differs.
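
The scheme of slides 12 to 16 and the G3 decryption oracle above, as an added example that is not part of the original presentation: G, H' and H are lazily sampled tables that record the adversary's queries, and `f`/`g` are a stand-in invertible map with no one-wayness. The byte-sized parameters, all names and the sample message are assumptions.

```python
import os

K0, K1, N = 16, 16, 32            # byte lengths (constructed); the slides use bits
K = N + K0 + K1

class Oracle:
    """Lazily sampled random oracle; `seen` is the adversary's query set."""
    def __init__(self, out_len):
        self.out_len, self.table, self.seen = out_len, {}, set()
    def __call__(self, q, adv=False):
        if adv:
            self.seen.add(q)      # S_G, S_H or S_H' in the slides' notation
        return self.table.setdefault(q, os.urandom(self.out_len))

G, Hp, H = Oracle(N), Oracle(K1), Oracle(K0)   # Hp plays the role of H'
MASK = bytes(range(K))

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def f(w):                         # stand-in permutation, NOT one-way (assumption)
    return xor(w[::-1], MASK)

def g(y):                         # its inverse, the "private key"
    return xor(y, MASK)[::-1]

def encrypt(x, r, adv=False):
    s = xor(G(r, adv), x) + Hp(r + x, adv)     # s = (G(r) xor x) || H'(r || x)
    t = xor(H(s, adv), r)                      # t = H(s) xor r
    return f(s + t)                            # y = f(s || t)

def decrypt(y):                   # real decryption oracle: needs g
    w = g(y)
    s, t = w[:N + K1], w[N + K1:]
    r = xor(H(s), t)
    x, c = xor(G(r), s[:N]), s[N:]
    return x if c == Hp(r + x) else None

def decrypt_g3(y):                # game G3 oracle: never calls g
    for q in list(Hp.seen):       # every pair (r', x') the adversary sent to H'
        r, x = q[:K0], q[K0:]
        if encrypt(x, r) == y:    # re-encrypt and compare with y
            return x
    return None

def demo(x=b"constructed sample".ljust(N, b"\0")):
    honest = encrypt(x, os.urandom(K0), adv=True)   # built through the oracles
    blind = f(os.urandom(K))                        # built with no oracle query
    return decrypt(honest), decrypt_g3(honest), decrypt(blind), decrypt_g3(blind)
```

`demo()` returns the real and the G3 answers for a ciphertext built through the oracles (both the plaintext) and for one built without any oracle query (both a rejection, the real oracle except with probability $2^{-k_1}$).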

32
G4, G5
  • Structurally similar reductions are performed to
    G3 to get G4 and later to G4 to get G5.
  • $\Pr[S_5]$ is proven to be ½
  • Also $|\Pr[S_4] - \Pr[S_5]| \le \mathrm{InvAdv}(f) + q_G / 2^{k_0}$
  • (Exploiting the uniformity and independence of
    the random oracles)

33
Conclusion
  • This leads to the result that
  • $|\Pr[S_0] - \tfrac{1}{2}| \le \mathrm{InvAdv}(f) + (q_D + 1)\, q_G / 2^{k_0} + (q_{H'} + q_D) / 2^{k_1}$
  • By choice of indices k0 and k1 the last two terms
    are negligible.
  • So the security of the whole model relies on the
    non-invertibility of the trapdoor function.