How Risky is the Random-Oracle Model?

How Risky is the Random-Oracle Model?

Cached

Download Links

by Gaëtan Leurent , Phong Q. Nguyen

Citations:

BibTeX

@MISC{Leurent_howrisky,
    author = {Gaëtan Leurent and Phong Q. Nguyen},
    title = {How Risky is the Random-Oracle Model?},
    year = {}
}

Bookmark

OpenURL

Abstract

Abstract. RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2 30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS ’07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT ’08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that in insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known. 1

Citations

1130	Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993
711	A digital signature scheme secure against adaptive chosenmessage attacks - Goldwasser, Micali, et al. - 1988
707	How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1986
288	The exact security of digital signatures - how to sign with rsa and rabin - Bellare, Rogaway - 1996
261	Digitalized signatures and public-key functions as intractable as factorization - Rabin
206	The random oracle methodology, revisited - Canetti, Halevi
200	Optimal Asymmetric Encryption - Bellare, Rogaway - 1994
177	On Lovász’ lattice reduction and the nearest lattice point problem - Babai - 1986
150	How to break MD5 and other hash functions - Wang, Yu - 2005
123	H.: Finding collisions in the full SHA-1 - Wang, Yin, et al. - 2005
113	A sieve algorithm for the shortest lattice vector problem - Ajtai, Kumar, et al. - 2001
99	Public-key Cryptosystems from Lattice Reduction - Goldreich, Goldwasser, et al. - 1997
78	An analysis of the blockcipher-based hash functions from PGV - Black, Rogaway, et al.
73	Multicollisions in Iterated Hash Functions: Application to Cascaded Constructions - Joux
69	D.: A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost - Bellare, Micciancio - 1997
65	A modification of the RSA public-key encryption procedure - Williams - 1980
64	A Generalized Birthday Problem - Wagner
62	Using hash functions as a hedge against chosen ciphertext attack - Shoup - 2000
60	An uninstantiable random-oracle-model scheme for a hybridencryption problem - Bellare, Boldyreva, et al. - 2004
57	Efficient selective-ID secure identity based encryption without random oracles - Boneh, Boyen - 2004
51	Merkle-Damgård Revisited: How to Construct a Hash Function - Coron, Dodis, et al. - 2005
47	Another look at “provable security - Koblitz, Menezes - 2006
47	Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case - Nielsen - 2002
46	Trapdoors for hard lattices and new cryptographic constructions - Gentry, Peikert, et al. - 2008
44	Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology - Maurer, Renner, et al. - 2004
43	Multi-property-preserving hash domain extension and the EMD transform - Bellare, Ristenpart - 2006
40	Optimal security proofs for PSS and other signature schemes - Coron - 2002
29	On the (in)security of the fiat-shamir paradigm - Goldwasser, Tauman-Kalai - 2003
29	Tunnels in Hash Functions: MD5 Collisions Within a Minute,” Cryptology ePrint Archive, Report 2006/105 - Klima
18	Space-efficient identity based encryption without pairings - Boneh, Gentry, et al. - 2007
18	Flaws in applying proof methodologies to signature schemes - Stern, Pointcheval, et al. - 2002
18	A secure one-way hash function built from DES - Winternitz - 1984
17	On the power of claw-free permutations - Dodis, Reyzin - 2003
17	Discrete-log-based signatures may not be equivalent to discrete log - Paillier, Vergnaud - 2005
15	SWIFFT: a modest proposal for FFT hashing - Lyubashevsky, Micciancio, et al. - 2008
15	Finding the closest lattice vector when it’s unusually close - Klein - 2000
14	A fast signature scheme based on congruential polynomial operations - Okamoto - 1990
14	Sieve Algorithms for the Shortest Vector Problem are Practical - Nguyen, Vidick - 2008
13	Efficiency improvements for signature schemes with tight security reductions - Katz, Wang - 2003
12	Almost Uniform Density of Power Residues and the Provable Security of ESIGN - Okamoto, Stern - 2003
11	Security proof for partial-domain hash signature schemes - Coron - 2002
11	PKCS #1 v2.1: RSA cryptography standard - Laboratories - 2002
9	an Efficient and Provable Collision-Resistant Hash Function - VSH - 2006
7	On the generic insecurity of the full domain hash - Dodis, Oliveira, et al. - 2005
7	How to repair esign - Granboulan - 2003
7	Learning a Parallelepiped: Cryptanalysis of GGH - NGUYEN, REGEV
6	Proving tight security for Rabin-Williams signatures - Bernstein - 2008
6	an efficient and provable collision-resistant hash function - Contini, Lenstra, et al. - 2006
6	Hash Function and the (amplified) Boomerang Attack - Joux - 2007
6	TSH-ESIGN: Efficient digital signature scheme using trisection size hash. Submission to - Okamoto, Fujisaki, et al. - 1998