Random oracle

Random oracle

In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every query with a (truly) random response chosen uniformly from its output domain, except that for any specific query, it responds the same way every time it receives that query. Put another way, a random oracle is a mathematical function mapping every possible query to a random response from its output domain.

Random oracles are a mathematical abstraction used in cryptographic proofs; they are typically used when no known implementable function provides the mathematical properties required by the proof. A system that is proven secure using such a proof is described as being secure in the "random oracle model", as opposed to secure in the standard model. In practice, random oracles are typically used to model cryptographic hash functions in schemes where strong randomness assumptions are needed of the hash function's output. Such a proof generally shows that a system or a protocol is secure by showing that an attacker must require impossible behavior from the oracle, or solve some mathematical problem believed hard, in order to break the protocol. Not all uses of cryptographic hash functions require random oracles: schemes which require only the property of collision resistance can be proven secure in the standard model (e.g., the Cramer-Shoup cryptosystem).

Random oracles have long been considered in Complexity Theory (e.g. Bennett & Gill [ Charles H. Bennett and John Gill: Relative to a Random Oracle A, P^A != NP^A != co-NP^A with Probability 1. SIAM J. Computing 10(1): 96-113 (1981)] ). Fiat and Shamir (1986) [ Amos Fiat and Adi Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO 1986: pp. 186-194 ] showed a major application of random oracles - the removal of interaction from protocols for the creation of signatures. Impagliazzo and Rudich (1989) [ Russell Impagliazzo and Steven Rudich: Limits on the Provable Consequences of One-Way Permutations STOC 1989: pp. 44-61] showed the limitation of random oracles - namely that their existence alone is not sufficient for secret-key exchange.Bellare and Rogaway (1993) [Mihir Bellare and Phillip Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, ACM Conference on Computer and Communications Security 1993, pp. 62–73 [http://www.cs.ucsd.edu/users/mihir/papers/ro.html (PS and PDF)] .] advocated their use in cryptographic constructions. In this definition, the random oracle produces a bit-string of infinite length which can be truncated to the length desired. When a random oracle is used within a security proof, it is made available to all players, including the adversary or adversaries. A single oracle may be treated as multiple oracles by pre-pending a fixed bit-string to the beginning of each query (e.g., queries formatted as "1|x" or "0|x" can be considered as calls to two separate random oracles, similarly "00|x", "01|x", "10|x" and "11|x" can be used to represent calls to four separate random oracles).

No real function can implement a true random oracle. In fact, certain artificial signature and encryption schemes are known which are proven secure in the random oracle model, but which are trivially insecure when any real function is substituted for the random oracle. [Ran Canetti, Oded Goldreich and Shai Halevi, The Random Oracle Methodology Revisited, STOC 1998, pp. 209–218 [http://arxiv.org/abs/cs.CR/0010019 (PS and PDF)] .] Nonetheless, for any more natural protocol a proof of security in the random oracle model gives very strong evidence that an attack which does not break the other assumptions of the proof, if any (such as the hardness of integer factorization) must discover some unknown and undesirable property of the hash function used in the protocol to work. Many schemes have been proven secure in the random oracle model, for example OAEP and PSS.

ee also

* Topics in cryptography
* Oracle machine
* Standard Model (cryptography)

References

External links

* [http://research.cyber.ee/~lipmaa/crypto/link/rom/ The Random Oracle Model] — link farm maintained by Helger Lipmaa


Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Oracle machine — In complexity theory and computability theory, an oracle machine is an abstract machine used to study decision problems. It can be visualized as a Turing machine with a black box, called an oracle, which is able to decide certain decision… …   Wikipedia

  • Oracle (disambiguation) — An oracle In Greek and Roman polytheism was an agency or medium, usually a priest or a priestess, through which the gods were supposed to speak or prophesy. In generalized usage, an oracle can also be: divine revelation in Christianity Urim and… …   Wikipedia

  • Random function — A random function is a function chosen at random from a finite family of functions. Typically, the family consists of the set of all maps from the domain to the image set. Thus, a random function can be considered to map each input independently… …   Wikipedia

  • Oracle (DBMS) — Oracle Datenbank Basisdaten Entwickler: Oracle Aktuelle Version: 11g (10. Juli 2007) …   Deutsch Wikipedia

  • Oracle Database — Oracle Datenbank Basisdaten Entwickler: Oracle Aktuelle Version: 11g (10. Juli 2007) …   Deutsch Wikipedia

  • Random self-reducibility — (RSR): A good algorithm for the average case implies a good algorithm for the worst case. RSR is the ability to solve all instances of a problem by solving a large fraction of the instances.DefinitionIf a function f evaluating any instance x can… …   Wikipedia

  • Algorithmically random sequence — Intuitively, an algorithmically random sequence (or random sequence) is an infinite sequence of binary digits that appears random to any algorithm. The definition applies equally well to sequences on any finite set of characters. Random sequences …   Wikipedia

  • Zufallsorakel — Ein Zufallsorakel (englisch random oracle) wird in der Kryptologie verwendet um eine ideale kryptologische Hashfunktion zu modellieren. Die Hashfunktion wird dabei durch Zugriff auf ein Orakel ausgewertet. Das Zufallsorakel gibt zu jeder Eingabe… …   Deutsch Wikipedia

  • Forking lemma — The forking lemma is any of a number of related lemmas in cryptography research. The lemma states that if an adversary (typically a probabilistic Turing machine), on inputs drawn from some distribution, produces an output that has some property… …   Wikipedia

  • Advantage (cryptography) — In cryptography, an adversary s advantage is a measure of how successfully it can attack a cryptographic algorithm, by distinguishing it from an idealized version of that type of algorithm. Note that in this context, the adversary is itself an… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”