Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I\'m not sure I understand really the implications of proofs of security in the

ID: 650878 • Letter: I

Question

I'm not sure I understand really the implications of proofs of security in the random oracle model. Does a proof of security in ROM translate to a reduction of security of the crypto-system to the security of the hash function in the standard model? If not, then this would imply that the meaning of the ROM proof in the SM depends on the particular algorithm and it would seem almost impossible to say anything general about implications of proofs like this. However, people seem to put a lot of effort in producing proofs of security in ROM so perhaps these proofs do have some value (I just don't exactly understand what, and it would seem extremely hard to point out any general implications). Textbooks tend to be typically quite vague at explaining this.

A very much related question: Does anyone have any insight to whether there is some general reason why proofs of CCA security are expected to be hard (if they even exist) in SM?

By the way, are random oracles really impossible to have in reality? True randomness could be produced by quantum phenomena, so why not use that?

Explanation / Answer

If you can show a reduction of a security property of your protocol to the security of a hash function is the standard model, you do not need the random oracle assumption. So a proof in the ROM does not have any general (positive) meaning in the SM; hence why it is controversial. About the only general thing you can say is that some (arguably highly contrived) protocols that are secure in the ROM are insecure in the SM with a concrete hash function.

The value of a ROM proof is that it still narrows the range of attacks possible on a protocol. Unlike an unproven protocol where it could break in any number of ways, a ROM protocol will only break if the hash function does not live up our theoretic expectations of it. Further, no "natural" protocol that is secure in the ROM has ever been broken.

There is a good discussion in Katz-Lindell. Basically their conclusions is, a ROM protocol is better than no proof. A SM protocol should be preferred up to a reasonable decrease in efficiency.

A RO needs to return the same output value if queried on the same input. That is essentially why quantum randomness does not work.

Related Questions

I\'m new to web development. From looking at popular open-source frameworks for
Question #652061
I\'m new to web programming. I\'m more experienced and comfortable with client-s
Question #651436
I\'m new to world of static analysis and am trying to build a new analysis of C
Question #657245
I\'m newer to computer science so I haven\'t learn it much yet. I didn\'t get th
Question #3793132
I\'m not 100% sure this is approriate here, but I figure the area of study is pa
Question #660852
I\'m not 110% sure exactly what I mean by this question. It was sparked by a fri
Question #1263967
I\'m not a Cryptography expert, but i\'ve seen this topic sometimes on the Web:
Question #649922
I\'m not a native speaker and I would really appreciate it if you can help me wi
Question #1821188
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I\'m not sure I have the correct verbage in my question, so let me explain: What
Next
I\'m not sure about the first question thou !! What is biotechnology? List some

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.