Fact-checked by Grok 2 weeks ago

Random oracle

In , a random oracle is a theoretical construct modeling a as a black-box that, for any distinct input, produces a uniformly random output from its range, with consistent responses to repeated queries on the same input. This idealization assumes the oracle maps from binary strings of arbitrary length to infinite random bit strings, where each bit is chosen independently and uniformly at random, providing a publicly accessible random function to all parties, including adversaries. The random oracle model was introduced by Mihir Bellare and Phillip Rogaway in 1993 as a to bridge the gap between theoretical provable and practical . In this model, cryptographic protocols—such as public-key encryption schemes, digital signatures, and zero-knowledge proofs—are first proven secure assuming access to the random oracle, then implemented by replacing oracle calls with evaluations of a practical like or SHA-1. This approach enables the construction of efficient protocols that are heuristically , as the random oracle's ideal properties simplify security reductions while mimicking the collision-resistant and one-way behaviors of real hash functions. Key applications of the random oracle model include the Fiat-Shamir heuristic for transforming interactive zero-knowledge proofs into non-interactive signatures, which underpins widely used schemes like , and the design of hybrid encryption protocols combining symmetric and asymmetric primitives. It has facilitated proofs for protocols in scenarios where standard-model constructions are inefficient or infeasible, such as full-domain hash signatures and certain identification schemes. Despite its utility, the random oracle model has notable limitations, as security proofs in this idealized setting do not always translate to the real world when the oracle is instantiated with an actual . In 2000, Ran Canetti, , and Shai Halevi demonstrated that there exist and schemes provably secure in the random oracle model but completely insecure under any concrete implementation, highlighting a fundamental mismatch between the model and practice. This critique, centered on the concept of correlation intractability—which no efficient function family can satisfy—has led to ongoing research into more realistic models, such as the or programmable s, though the random oracle remains a valuable tool in cryptographic design.

Definition and Properties

Definition

A random oracle is a foundational concept in and , originating in through the work of Bennett and Gill, who in 1981 showed that relative to a random oracle A, the classes P^A, NP^A, and \mathit{coNP}^A are distinct with probability 1. In , the random oracle is typically a random membership oracle (answering yes/no randomly for each input). This idea was later adapted to by Bellare and Rogaway in 1993, who employed it as an idealized abstraction for hash functions to facilitate of protocols. Conceptually, a random oracle functions as a black-box that, upon receiving a query on an input, produces an output drawn uniformly at random from a fixed if the input is , while ensuring deterministic consistency by returning the previously generated value for any repeated query on the same input. This behavior models an oracle that embodies perfect randomness without any structural bias or predictability across its entire input space. Formally, it is specified as an O: \{0,1\}^* \to \{0,1\}^\infty, such that for each unique x \in \{0,1\}^*, O(x) is an infinite binary string where each bit is chosen independently and uniformly at random from \{0,1\}. Cryptographic protocols typically use finite prefixes of these outputs, effectively modeling fixed-length hash functions. Unlike s, which can be evaluated by Turing machines in finite time, a random oracle defies efficient by any , as realizing its infinite independent random outputs requires unbounded true randomness that no polynomial-time computable function can approximate universally.

Properties

The random oracle O exhibits unpredictability as a core property, ensuring that for any distinct inputs x_1 and x_2, the outputs O(x_1) and O(x_2) are chosen independently with each bit uniform at random. This means that no adversary can predict the first m bits of O(x) for an unqueried x with probability greater than $2^{-m}, for any m, even after observing outputs for other inputs (including longer prefixes). Complementing unpredictability is consistency, whereby O(x) always returns the same value whenever the same input x is queried, regardless of the querier or the number of prior queries. This deterministic for repeated inputs simulates the fixed of a while maintaining across distinct inputs, allowing all parties in a —including adversaries—to access the same responses. The collision behavior of a random oracle closely mimics that of an ideal hash . Specifically, for distinct x \neq y, the full outputs O(x) and O(y) collide with probability 0, but the first n bits collide with probability exactly $2^{-n}, as the bits are drawn independently and uniformly. This property is formalized as: \Pr[O(x)_{[1..n]} = O(y)_{[1..n]} \mid x \neq y] = 2^{-n} where O(z)_{[1..n]} denotes the prefix of length n. Such low collision probability for prefixes underpins the oracle's utility in modeling collision-resistant primitives without requiring computational assumptions. In theoretical analyses, query efficiency ensures that the random oracle remains effective even under adversarial scrutiny. Adversaries are restricted to making at most polynomially many queries (in the security parameter), and each response is generated freshly random for unqueried inputs while preserving consistency. This bounded interaction preserves the oracle's randomness properties, enabling security proofs for protocols where hash functions are replaced by oracle calls, without the responses becoming distinguishable from true randomness.

Formal Model

Random Oracle Model

The random oracle model is a theoretical framework in where hash functions are idealized as random —publicly accessible functions that, upon each unique query, return a uniformly random output from its range, while maintaining consistency for repeated queries. In this model, cryptographic schemes are designed and analyzed assuming all parties, including adversaries, can interact with the oracle through queries, enabling formal proofs that bridge theoretical ideals with practical implementations. Security in the random oracle model is typically established via notions of indistinguishability, where a scheme is proven secure if no efficient adversary can distinguish its behavior from an ideal system with non-negligible probability, even when granted access. For instance, existential unforgeability of schemes—ensuring an adversary cannot produce a valid for a new message after adaptively querying the signer—can be proven in this model by reducing to solving an underlying hard problem, such as the . The proof relies on simulation techniques, like the forking lemma, where a successful is "forked" by replaying the attack with a modified response to extract solutions to the hard problem. The model's power lies in reducing a scheme's security to computational assumptions: an adversary breaking the scheme must either distinguish the random oracle from a truly (which is computationally infeasible) or solve the underlying hard problem. This allows proofs for otherwise insecure constructions, such as those using the Fiat-Shamir heuristic to transform identification protocols into signatures. Introduced by Mihir Bellare and Phillip Rogaway in 1993, the random oracle model provided a paradigm for designing efficient protocols, notably applied to prove chosen-ciphertext for the OAEP encryption padding scheme in their subsequent work. This framework has since become foundational for analyzing a wide range of protocols, including digital signatures and mechanisms.

Indifferentiability

Indifferentiability is a cryptographic notion that extends the concept of indistinguishability to scenarios where an adversary interacts with both the private output of a and its public interfaces, such as underlying . Introduced by Maurer, Renner, and Holenstein in , it provides a framework for assessing when a constructed can securely replace an ideal one, like a random , in larger protocols. In the context of random oracles, a construction F: \mathcal{H} \to \mathcal{RO} is indifferentiable from a random oracle if, for any efficient h \in \mathcal{H}, no efficient distinguisher can tell F(h) apart from a true random oracle, even with to both F(h) and h. This notion is particularly relevant for modeling real-world hash functions as approximations of ideal random oracles, ensuring that structural flaws in the construction do not enable distinguishers to exploit interactions between the hash and its building blocks. Formally, indifferentiability requires that for any probabilistic polynomial-time distinguisher D making q queries in time t, there exists an efficient simulator S such that the distinguishing advantage is bounded by \epsilon(q, t), where \epsilon is negligible in the security parameter. The advantage is defined as the absolute difference in probabilities that D outputs 1 when interacting with the real system versus the ideal system simulated via S. This bound captures the computational feasibility of simulation, ensuring that any attempt to distinguish relies on breaking the underlying primitive's security. For instance, in hash function constructions, the simulator must mimic responses to queries on the compression function while maintaining consistency with the hash outputs. A seminal result by Coron, Dodis, Malinaud, and Puniya in 2005 established that the Merkle-Damgård construction, when augmented with a prefix-free encoding and using a function secure in the random oracle model, achieves indifferentiability from a random oracle. Specifically, they proved that the prefix-free Merkle-Damgård construction \pi^f with an function f is (t_D, t_S, q, \epsilon)-indifferentiable, where the simulator runs in time t_S = \ell \cdot O(q^2) and \epsilon = 2^{-n} \cdot \ell^2 \cdot O(q^2), with \ell the maximum message length in blocks and n the output length. This holds under conditions that the compression function resists generic attacks, such as those exploiting length extensions. The result highlights how indifferentiability bridges idealized assumptions to practical designs by quantifying the security loss due to the construction's structure. The implications of indifferentiability extend to transferring security proofs from the random oracle model to the for protocols using indifferentiable functions. For example, the sponge construction underlying has been shown to be indifferentiable from a random oracle when instantiated with a , allowing ROM-based proofs for SHA-3-integrated schemes to hold with only a security loss. This transfer property ensures that indifferentiable hashes behave indistinguishably from random oracles in single-stage protocols, preserving properties like and second preimage resistance up to the bound \epsilon.

Applications

Hash Function Modeling

In cryptographic practice, hash functions such as SHA-256 are idealized as random oracles in security proofs, where they are modeled as black-box functions that produce uniformly random and independent outputs for distinct inputs upon each query, while remaining consistent for repeated queries. This modeling assumes that the hash function behaves unpredictably like a truly random mapping from its input domain to a fixed-size output domain, typically {0,1}^n for n-bit outputs. This idealization simplifies the analysis of key hash function properties, including (hardness of finding two distinct inputs mapping to the same output), preimage resistance (hardness of inverting a given output to find an input), and second-preimage resistance (hardness of finding a different input mapping to the same output as a given input). In the random oracle model, these properties hold with overwhelming probability against efficient adversaries; for instance, the probability of finding a collision after q queries is approximately q^2 / 2^{n+1}, establishing a bound that scales with the output length n. Such analysis allows cryptographers to derive tight reductions without needing to scrutinize the internal structure of specific s, focusing instead on protocol-level . A prominent example is the Full-Domain Hash (FDH) signature scheme, where a m is hashed via the to produce H(m) in the full domain of a (e.g., ), and the signature is the inverse applied to H(m). proofs in the random oracle model reduce to the hardness of inverting the , enabling efficient and provably secure signatures under this idealization. However, real hash functions are deterministic algorithms that can be computed efficiently, contrasting with the non-computable of a true random , which introduces a gap in the proofs. These proofs remain valid for practical purposes as long as no attacks exploit the deterministic structure of the in ways unique to the oracle model. This modeling approach underpins security analyses for broader protocols relying on es, such as digital signatures.

Security Proofs for Protocols

The random oracle model plays a central role in proving the security of various cryptographic protocols by idealizing hash functions as unpredictable, uniformly random mappings, allowing reductions from protocol breaks to underlying computational assumptions. One seminal application is the Fiat-Shamir heuristic, introduced by Fiat and Shamir in 1986, which converts three-round public-coin interactive identification schemes into non-interactive digital signature schemes. In this transformation, the verifier's random challenge is replaced by the output of a hash function applied to the commitment and message; modeling this hash as a random oracle enables proofs of security against existential forgery under adaptive chosen-message attacks. The proof relies on the extractor simulating the random oracle to rewind the adversary and extract the underlying secret witness from the identification scheme, demonstrating that any forgery implies either inverting a hard problem (such as the discrete logarithm) or non-negligibly distinguishing the oracle from random, the latter being impossible by definition. This technique has been applied to construct provably secure signature schemes, such as the Probabilistic Signature Scheme (PSS) for RSA, developed by Bellare and Rogaway in 1996. PSS incorporates randomized padding with hash functions modeled as random oracles to achieve tight security bounds against existential forgery, reducing directly to the RSA assumption with optimal efficiency. Similarly, for public-key encryption, the Optimal Asymmetric Encryption Padding (OAEP) scheme, also by Bellare and Rogaway from 1994, uses two rounds of random-oracle hashing to pad messages before applying a trapdoor permutation like RSA, proving semantic security against adaptive chosen-ciphertext attacks in the random oracle model. In both cases, the proof technique involves a reduction where an adversary breaking the scheme's security (e.g., forging a signature or decrypting a ciphertext) is used to construct an oracle-querying algorithm that either solves the underlying hard problem or requires an infeasible number of oracle queries to succeed with non-negligible probability, establishing the protocol's security under the idealized model. Beyond constructive proofs, the random oracle model has been employed to explore foundational separations in . In their 1989 work, Impagliazzo and Rudich demonstrated limits on black-box constructions by showing that assuming one-way permutations exist but public-key encryption does not (under a complexity assumption believed false), any black-box proof of public-key encryption from one-way functions in the random oracle model would contradict this separation. This result highlights the model's power and limitations, providing evidence that random oracles enable proofs for protocols that may not hold in the without idealized assumptions.

Variants

Domain Separation

Domain separation is a technique employed in the random oracle model () to enable a single random oracle to function as multiple independent oracles, which is essential for cryptographic protocols that require distinct random functions for different operations. This approach partitions the input domain of the oracle by associating unique identifiers with each intended use, thereby preventing cross-interactions that could compromise security proofs assuming independence. The standard method involves prepending or appending a unique bit-string or separation tag (DST) to the inputs of the . For instance, to simulate two oracles H_0 and H_1 from a single oracle H, one defines H_0(x) = H(0 \| x) and H_1(x) = H(1 \| x), where \| denotes and the prefixes (e.g., the bit 0 or 1) are distinct and fixed for each . Similarly, in practice, DSTs are often human-readable strings, such as application-specific identifiers or URIs encoded in followed by a byte, ensuring no overlap between domains. This preserves the randomness and properties of the model while allowing efficient implementation with a single . The primary purpose of domain separation is to maintain the analytical independence required in ROM-based security proofs, where different protocol components (e.g., key derivation and ) are modeled as separate to avoid unintended correlations that could enable attacks. Without it, a shared might allow adversaries to link outputs across uses, invalidating proofs that rely on disjoint random behaviors. However, improper domain separation poses significant risks, including vulnerability to attacks where an adversary exploits overlaps to or recover secrets. For example, counterexamples in submissions, such as key recovery attacks on schemes like BIG QUAKE and Round2 due to flawed , demonstrate how failures in separation can break security even when ROM proofs hold. A representative application appears in schemes, where domain separation distinguishes message hashing from nonce generation; in the MQDSS , unique prefixes ensure that the oracle calls for signing the message do not interfere with those for producing ephemeral s, upholding unforgeability.

Ideal Cipher

The ideal cipher model treats a as a family of independent random permutations E_k: \{0,1\}^b \to \{0,1\}^b, one for each possible key k \in \{0,1\}^\kappa, where the entire family is chosen uniformly at random from all such possible families, totaling (2^b!)^{2^\kappa} possibilities. This model, originally introduced by in , provides an idealized setting for analyzing symmetric encryption primitives, assuming against adversaries with unlimited computational power. Unlike the random oracle model, which involves infinite random functions, the ideal cipher is finite and enforces bijectivity for each key, ensuring invertibility. In the ideal cipher model, adversaries gain to both the forward E_k(m) and the decryption E_k^{-1}(c) for inputs of their , typically under a fixed key in single-key protocols, though multi-key arises in related-key scenarios. This dual distinguishes the model from one-way functions and enables proofs for modes requiring decryption, such as oracles. The model facilitates rigorous security analyses by abstracting away structural weaknesses in real ciphers, like related-key attacks in . Constructions realizing an ideal cipher from random oracles often rely on multi-round Feistel s, where round functions are derived from the oracle via domain separation. The foundational Luby-Rackoff result (1988) demonstrated that a 4-round Feistel using pseudorandom functions yields a pseudorandom permutation, which extends to the random oracle model since oracles are ideal pseudorandom functions. Refinements by Patarin and collaborators (2016) proved that a 10-round variant achieves full indifferentiability from an ideal cipher, incorporating the key into round functions via oracle queries like F_{i,k}(x) = H(\langle i \rangle \| k \| x), where H is the random oracle and \langle i \rangle encodes the round index. Further 8-round variants (2016) provide similar indifferentiability guarantees under restricted query models, reducing overhead while maintaining security bounds of O(q^{12}/2^b) for q queries. The ideal cipher model finds widespread application in proving the security of modes of operation, such as Cipher Block Chaining (), where the underlying cipher (e.g., ) is assumed to behave as an ideal family of permutations to establish against chosen-plaintext attacks. For instance, CBC encryption with a random achieves indistinguishability from random strings up to O(q^2 / 2^b) advantage in this model, justifying its use in standards like TLS despite real-world caveats like padding oracles. This abstraction allows focusing on mode-specific vulnerabilities without analyzing the cipher's internal structure.

Ideal Permutation

The ideal permutation model in assumes the existence of a fixed, publicly chosen \pi: \{0,1\}^n \to \{0,1\}^n, to which the adversary has oracle access for both direction \pi and the \pi^{-1}. This setup models a keyless where each query to \pi yields a uniformly random output consistent with prior queries, ensuring bijectivity across the entire . The model simplifies analysis by treating the permutation as truly random, fixed at the experiment's outset, and accessible to all parties without secret keys. This model represents a special case of the cipher model, where the latter involves a keyed of $2^\kappa independent random permutations over \{0,1\}^n, but the ideal permutation eliminates the , akin to a single permutation with a fixed or public . Consequently, it is particularly suited for constructions that do not require key-dependent variability, focusing instead on the inherent properties of a single bijective . While briefly applicable to certain cipher constructions like Luby-Rackoff schemes, which achieve indifferentiability from a random permutation using multiple rounds, the ideal permutation primarily supports keyless . The ideal permutation finds prominent use in permutation-based cryptographic designs, such as the sponge construction underlying (based on the Keccak permutation), where security proofs assume the underlying is ideal to establish properties like and preimage resistance up to the bound. In this context, the sponge absorbs input into a via the and squeezes output, with indifferentiability from a proven under the ideal assumption, providing a c-bit security level against generic attacks. Similarly, it serves as a foundational primitive for tweakable block , exemplified by the Even-Mansour construction, which builds a keyed from a single public by XORing keys before and after application. Under the ideal permutation assumption, numerous modes and protocols demonstrate provable , including the sponge's indifferentiability from a random oracle up to approximately $2^{c/2} queries and the Even-Mansour cipher's beyond the bound in multi-user settings. These proofs highlight the model's utility in establishing tight bounds for symmetric primitives, emphasizing resistance to attacks when the permutation behaves randomly.

Quantum-Accessible Random Oracles

In the quantum-accessible random oracle model (QROM), the random oracle is extended to allow quantum adversaries to submit queries in superposition, enabling them to leverage quantum algorithms such as Grover's search or the Brassard-Høyer-Tapp (BHT) collision-finding algorithm to extract information more efficiently than classical adversaries. This adaptation addresses gaps in by modeling realistic quantum attacks on hash functions idealized as oracles, where the adversary's can entangle multiple inputs and measure outcomes to probe the oracle's behavior. Classical proofs in the random oracle model () often fail under quantum access, as quantum queries permit faster extraction of structural information; for instance, finding a collision in an n-bit output random function requires only O(2^{n/3}) quantum queries using the BHT algorithm, compared to the classical bound of O(2^{n/2}), potentially invalidating reductions that assume higher query thresholds. This shift necessitates revised analyses, as quantum superposition queries can simulate parallel evaluations without the exponential cost of classical parallelism, leading to tighter bounds on adversary success probabilities in idealized models. To counter these challenges, the QROM formalizes quantum interactions, with foundational results for in QROM, such as recording quantum queries to simulate responses without collapsing superpositions. Seminal work by Zhandry introduced tools for proving in QROM. Research on indifferentiability in QROM, initiated around 2016, has advanced considerably by 2025, supporting proofs for post-quantum protocols such as CRYSTALS-Dilithium against key recovery attacks and multi-signature schemes, with recent techniques like 'reprogram-after-measure' enabling tighter reductions. These advancements support post-quantum protocols but highlight ongoing needs for robust instantiations beyond idealized assumptions.

Limitations and Hypothesis

Limitations

The random oracle model posits an idealized that behaves as a truly random , but no real-world can fully emulate this due to its non-computable nature. According to the Church-Turing thesis, any must be describable by a finite , whereas a random oracle requires generating independent random outputs for every possible input, which is impossible for a . As noted in the foundational work introducing the model, real hash functions like cannot replicate a random oracle because they possess short descriptions and inherent structure, limiting their . A significant drawback is that security proofs in the random oracle model do not guarantee when the oracle is replaced by a concrete , leading to potential proof breakdowns. Seminal counterexamples demonstrate the existence of and schemes that are provably secure in the random oracle model but become insecure under any instantiation with a real ensemble. Canetti, Goldreich, and Halevi (1998) constructed such artificial schemes to illustrate this gap. Over-reliance on the random oracle model can encourage the design of schemes with structural weaknesses that only appear secure due to the idealization, potentially overlooking vulnerabilities in practical implementations. This has prompted recommendations to prioritize proofs in the , where holds against arbitrary polynomial-time adversaries without idealized assumptions, whenever feasible, as the random oracle provides only evidence rather than rigorous guarantees. Such proofs in the random oracle model are often described as artificial, deriving from the model's unique programmability features—like the adversary's ability to query and observe random responses—that do not translate to computable functions, thus distinguishing them from natural proofs in the that offer broader confidence in real-world .

Random Oracle Hypothesis

The random oracle hypothesis, formulated by Bennett and Gill in their study of relativized complexity classes, posits that if two complexity classes C_1 and C_2 coincide (or are separated) relative to almost every —specifically, with probability 1 over a randomly —then they coincide (or are separated) unconditionally in the unrelativized setting. This conjecture aimed to bridge relativized results with absolute ones, suggesting that random s provide a robust model for predicting non-oracle behavior in structural , where relations among classes like , , and are central. The hypothesis was decisively refuted through a involving interactive proofs and space-bounded computation. Unconditionally, the class of languages with interactive proofs verifiable in polynomial time, denoted IP, equals PSPACE, as established by Shamir using arithmetization techniques to simulate polynomial-space computations via interactive protocols. However, relative to a random oracle A, IP^A ≠ PSPACE^A holds with probability 1, as shown by et al., who demonstrated that random oracles introduce separations not present in the base case, with co-NP^A not contained in IP^A for almost all such A. This disparity arises because the proof of IP = PSPACE relies on non-relativizing elements, such as the interaction structure in the arithmetization, which fails to preserve under random oracle relativization. The disproof has profound implications for , highlighting the limitations of relativizing proof techniques and reinforcing known barriers to resolving longstanding open problems. For instance, it underscores why oracle separations—such as those relative to random oracles—do not necessarily imply absolute separations, complicating efforts to settle questions like P versus NP, where both equality and inequality hold in different relativized worlds. In , the result questions the universality of relativizing methods in analyses, revealing that proofs in the random oracle model may overlook non-relativizing phenomena essential to real-world , though the model remains useful for idealized assumptions. Overall, it emphasizes the need for innovative, non-relativizing approaches to advance both theoretical and applied computational boundaries.

References

  1. [1]
    [PDF] Random Oracles are Practical: A Paradigm for Designing Efficient ...
    We argue that the random oracle model —where all parties have access to a public random oracle— provides a bridge between cryptographic theory and cryptographic ...<|control11|><|separator|>
  2. [2]
    https://arxiv.org/pdf/cs/0010019.pdf
  3. [3]
    Relative to a Random Oracle A, P A ≠ N ⁢ P A ≠ c o
    Let A be a language chosen randomly by tossing a fair coin for each string x to determine whether x belongs to A.
  4. [4]
    The Random Oracle Methodology, Revisited
    Paper 1998/011. The Random Oracle Methodology, Revisited. Ran Canetti, Oded Goldreich, and Shai Halevi. Abstract. We take a critical look at the ...
  5. [5]
    [PDF] Security Proofs for Signature Schemes
    Abstract. In this paper, we address the question of providing security proofs for sig- nature schemes in the so-called random oracle model [1].
  6. [6]
    [PDF] Optimal Asymmetric Encryption How to Encrypt with RSA - UCSD CSE
    Nov 19, 1995 · Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” Proceedings of the First Annual Conference ...
  7. [7]
    [PDF] Indifferentiability, Impossibility Results on Reductions, and ...
    Abstract. The goals of this paper are three-fold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of ...
  8. [8]
    [PDF] Merkle Damgard Revisited: how to Construct a hash Function - CSRC
    Coron, Y. Dodis, C. Malinaud and P. Puniya, Merkle-Damgård Revisited : how to Construct a Hash Function, Proceedings of Crypto 2005. 14. I. Damgård, A ...
  9. [9]
    [PDF] On the Indifferentiability of the Sponge Construction - Keccak Team
    We have proven that the sponge construction calling a random transformation or permutation is indifferentiable from a random oracle and obtained concrete bounds ...
  10. [10]
    [PDF] the random oracle model: a twenty-year retrospective
    Apr 28, 2015 · The first major assault on the validity of the random oracle model was the widely-cited paper [25] by Canetti, Goldreich, and Halevi, who ...
  11. [11]
    [PDF] How To Prove Yourself: - Practical Solutions to Identification
    Amos Fiat and Adi Shamir. Department of Applied Mathematics. The Weizmann Institute of Science. Rehovot 76100, Israel. Abstract. In this paper we describe ...Missing: original | Show results with:original
  12. [12]
    [PDF] The Exact Security of Digital Signatures How to Sign with RSA and ...
    Mar 14, 1996 · We begin by looking at current practice. Then we consider the full domain hash scheme of [3] which is provable, and discuss its exact security.
  13. [13]
    Limits on the provable consequences of one-way permutations
    We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard ...
  14. [14]
    Separate Your Domains: NIST PQC KEMs, Oracle Cloning and ...
    Feb 25, 2020 · It is convenient and common for schemes in the random oracle model to assume access to multiple random oracles (ROs), leaving to implementations ...
  15. [15]
    RFC 9380 - Hashing to Elliptic Curves - IETF Datatracker
    Domain Separation. Cryptographic protocols proven secure in the random-oracle model are often analyzed under the assumption that the random oracle only ...
  16. [16]
    [PDF] Cryptographic sponge functions - Keccak Team
    Jan 14, 2011 · ... random oracles, a single random oracle can be used to implement multiple random oracles using the mechanism of domain separation . It ...
  17. [17]
    [PDF] The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher ...
    Jul 1, 2005 · This means that an ideal cipher is a finite object while the random oracle is an infinite one. The ideal-cipher model has been used in a variety ...
  18. [18]
    [PDF] On the Relation Between the Ideal Cipher and the Random Oracle ...
    The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fun- damentally important practical and ...
  19. [19]
    How to Build an Ideal Cipher: The Indifferentiability of the Feistel ...
    Abstract. This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random ...
  20. [20]
    [PDF] Indifferentiability of 8-Round Feistel Networks
    Abstract. We prove that a balanced 8-round Feistel network is indifferentiable from a random permu- tation, improving on previous 10-round results by ...
  21. [21]
    [PDF] New proofs for old modes - Cryptology ePrint Archive
    Mar 13, 2008 · The first quantitative security proof for a block cipher mode is the analysis of CBCMAC of [BKR94]. Security proofs for the encryption modes ...
  22. [22]
    Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and ...
    Mar 1, 2018 · Abstract. The random-permutation model (RPM) and the ideal-cipher model (ICM) are idealized models that offer a simple and intuitive way to ...<|control11|><|separator|>
  23. [23]
    Secure Identity-Based Encryption in the Quantum Random Oracle Model
    ### Summary of Introduction and Key Contributions on Quantum Random Oracle Model (QROM)
  24. [24]
    [quant-ph/9705002] Quantum Algorithm for the Collision Problem
    May 1, 1997 · In this note, we give a quantum algorithm that finds collisions in arbitrary r-to-one functions after only O((N/r)^(1/3)) expected evaluations of the function.
  25. [25]
    IP = PSPACE | Journal of the ACM
    IP = SPACE: simplified proof. Lund et al. [1] have proved that PH is contained in IP. Shamir [2] improved this technique and proved that PSPACE = IP. In this ...
  26. [26]
    The random oracle hypothesis is false - ScienceDirect
    The Random Oracle Hypothesis, attributed to Bennett and Gill, essentially states that the relationships between complexity classes which hold for almost all ...
  27. [27]
    [PDF] The Role of Relativization in Complexity Theory 1 Introduction
    Relativization in complexity theory involves giving machines access to an oracle set, where the class is relativized by applying the class's criteria to ...<|separator|>