## Prashant Puniya: The Random Oracle Methodology

### BibTeX

```bibtex
@MISC{Coron_prashantpuniyathe,
  author = {Jean-sebastien Coron and Yevgeniy Dodis and Cecile Malinaud},
  title = {Prashant PuniyaThe Random Oracle Methodology},
  year = {}
}
```

### Abstract

- "Paradigm for designing secure and efficient protocols" (BR'93).
- Assume the existence of a publicly accessible ideal random function and prove protocol security.
- Replace the ideal random function by an actual "secure hash function" (such as SHA-1) to deploy the protocol.
- Hope that nothing breaks down!

Is SHA-1 really random?

- Is SHA-1 obscure enough to successfully replace a random oracle?
- No. Practical hash functions usually iteratively apply a fixed-length compression function to the input (called the Merkle-Damgård construction).

[Figure: the compression function f applied block by block along the chain]
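The following Python is an added example, not code from this page or from the cited Crypto 2005 paper. It builds a toy Merkle-Damgård chain over a constructed compression function f (truncated SHA-256, an assumption chosen only so the example runs offline; real designs use a purpose-built f or a Davies-Meyer block cipher), reproduces the message-expansion property that the citation contexts below describe for MAC(k, m) = H(k‖m), and checks the two fixes the paper names: prefix-free encoding and dropping output bits. The chaining length N, block length, IV, key and messages are all constructed values.

```python
# Added example (not the page's or the cited paper's code): a toy Merkle-Damgård
# chain, the message-expansion property that breaks MAC(k, m) = H(k||m), and the
# two fixes the paper names: prefix-free encoding and dropping output bits.
import hashlib

N = 16          # chaining-value length n in bytes (constructed choice)
BLOCK = 16      # message-block length kappa in bytes (constructed choice)
IV = bytes(N)   # constructed fixed initial chaining value


def f(h: bytes, block: bytes) -> bytes:
    """Toy fixed-length compression function f: {0,1}^(n+kappa) -> {0,1}^n.
    Built from truncated SHA-256 so the example runs offline (an assumption;
    real designs use a purpose-built f or a Davies-Meyer block cipher)."""
    assert len(h) == N and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()[:N]


def md_pad(msg: bytes, already_processed: int = 0) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zero fill, 8-byte big-endian bit
    length. `already_processed` (a multiple of BLOCK) lets a continuation
    encode the total length without knowing the earlier bytes."""
    out = msg + b"\x80"
    out += b"\x00" * ((-len(out) - 8) % BLOCK)
    return out + ((already_processed + len(msg)) * 8).to_bytes(8, "big")


def md_chain(h: bytes, padded: bytes) -> bytes:
    """Iterate f over the padded input; returns the final chaining value."""
    for i in range(0, len(padded), BLOCK):
        h = f(h, padded[i:i + BLOCK])
    return h


def plain_md(msg: bytes) -> bytes:
    """Plain MD: the output *is* the whole internal chaining state."""
    return md_chain(IV, md_pad(msg))


def prefix_free_md(msg: bytes) -> bytes:
    """Fix 1: feed plain MD a prefix-free encoding (total length prepended),
    so no valid encoded message is a prefix of another."""
    return plain_md(len(msg).to_bytes(8, "big") + msg)


def truncated_md(msg: bytes) -> bytes:
    """Fix 2: drop half of the output bits, so the chaining state that an
    extension would need is never exposed."""
    return plain_md(msg)[: N // 2]


def extend_from_state(tag: bytes, known_len: int, y: bytes):
    """Message-expansion property of plain MD: given only H(x) and len(x),
    compute H(x || glue || y), where glue is the padding x received.
    Returns (glue, extended_hash); x itself is never needed."""
    glue = md_pad(b"\x00" * known_len)[known_len:]  # padding depends on length only
    processed = known_len + len(glue)               # a multiple of BLOCK
    return glue, md_chain(tag, md_pad(y, processed))


def demo() -> dict:
    """Check each construction against the expansion property (returns bools)."""
    key = b"secret-key-bytes"      # constructed; never read by extend_from_state
    m = b"amount=10"
    y = b"&amount=1000000"

    # Plain MD with MAC(k, m) = H(k||m): the tag equals the state, so anyone
    # holding tag and len(k||m) can compute the tag of k||m||glue||y.
    tag = plain_md(key + m)
    glue, forged = extend_from_state(tag, len(key) + len(m), y)
    plain_extends = forged == plain_md(key + m + glue + y)

    # Prefix-free encoding: resuming the chain still works as arithmetic, but
    # the result is the hash of an *invalid* encoding (length field says 25
    # bytes, content is longer), not the honest tag of the extended message.
    tag_pf = prefix_free_md(key + m)
    enc_len = 8 + len(key) + len(m)
    glue_pf, forged_pf = extend_from_state(tag_pf, enc_len, y)
    prefix_free_blocks = forged_pf != prefix_free_md(key + m + glue_pf + y)

    # Truncated output: only N/2 bytes of state leak, so the chain cannot be
    # resumed; 2^(8*N/2) candidate states remain for the missing half.
    tag_tr = truncated_md(key + m)
    truncation_hides_state = len(tag_tr) < N

    return {
        "plain_md_extends": plain_extends,
        "prefix_free_blocks_extension": prefix_free_blocks,
        "truncation_hides_state": truncation_hides_state,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the module prints one line per construction. The point of `plain_md_extends` is the one the abstract makes: a Merkle-Damgård output is the complete internal state, so "secure hash function" and "random oracle" are not interchangeable for H(k‖m). The two fixes work for different reasons: prefix-free encoding leaves the state exposed but makes the resumed chain compute a hash of something that is no longer a valid encoding, while truncation withholds the state itself.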

### Citations

1344 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway
Citation context: ...ply include a secret key k as part of the input of the hash function, and take for example MAC(k, m) = H(k‖m). It is easy to see that this construction is secure when H is modelled as a random oracle [4], as no adversary can output a MAC forgery except with negligible probability. However, this MAC scheme is completely insecure for any Merkle-Damgård construction considered so far (including Merkle-...

628 | Universally Composable Security: A New Paradigm for Cryptographic Protocols - Canetti - 2001
Citation context: ...guishability, when one or more oracles are publicly available, such as random oracles or ideal ciphers. This notion is based on ideas from the Universal Composition framework introduced by Canetti in [10] and on the model of Pfitzmann and Waidner [29]. The indifferentiability notion in [24] is given in the framework of random systems providing interfaces to other systems, but equivalently we use this ...

330 | The exact security of digital signatures - how to sign with RSA and Rabin - Bellare, Rogaway - 1996

290 | A design principle for hash functions - Damgård - 1990
Citation context: ...main extender for the random oracle, which is an interesting result of independent interest. We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1,25] and universal one-way hash functions [7,31]. Although the above works also showed that some variants of Merkle-Damgård yield secure domain extenders for the ...

286 | How to Construct Pseudorandom Permutations from Pseudorandom Functions - Luby, Rackoff - 1988

241 | Optimal asymmetric encryption - Bellare, Rogaway - 1994

154 | A model for asynchronous reactive systems and its application to secure message transmission - Pfitzmann, Waidner - 2001
Citation context: ...icly available, such as random oracles or ideal ciphers. This notion is based on ideas from the Universal Composition framework introduced by Canetti in [10] and on the model of Pfitzmann and Waidner [29]. The indifferentiability notion in [24] is given in the framework of random systems providing interfaces to other systems, but equivalently we use this notion in the framework of Interactive Turing M...

144 | The security of cipher block chaining - Bellare, Kilian, et al. - 1994
Citation context: ...x-free, then the plain MD construction is secure. Namely, prefix-free encoding makes it possible to eliminate the message expansion attack described previously. This "fix" is similar to the fix for the CBC-MAC [3], which is also insecure in its plain form. Thus, the plain MD construction can be safely used for any application of the random oracle H where the length of the inputs is fixed or where one uses doma...

104 | Black-box analysis of the block-cipher-based hash-function construction from - Black, Rogaway, et al. - 2002
Citation context: ...ollision-resistant hash function H from an ideal block cipher was explicitly considered by Preneel, Govaerts and Vandewalle in [30], and later formalized and extended by Black, Rogaway and Shrimpton [9]. Specifically, the authors of [9] actually considered 64 block-cipher variants of the Merkle-Damgård transform (which included the Davies-Meyer variant among them), and formally showed that exactly ...

97 | Collision-Resistant Hashing: Towards Making UOWHFs Practical - Bellare, Rogaway - 1997
Citation context: ...rest. We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1,25] and universal one-way hash functions [7,31]. Although the above works also showed that some variants of Merkle-Damgård yield secure domain extenders for the corresponding primitive in question, these results are not sufficient to claim a doma...

92 | Pseudorandom functions revisited: The cascade construction and its concrete security - Bellare, Canetti, et al. - 1996
Citation context: ...believe that a good design criterion for hash functions should eliminate all possible generic attacks. It is well known that for the particular case of MACs one should use the HMAC nested construction [8] in order to avoid the previous message expansion attack. However, there may exist other applications and protocols which may be secure when the hash function H is seen as a monolithic hash function, ...

80 | The Random Oracle Methodology - Canetti, Goldreich, Halevi

77 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005
Citation context: ...ementable in practice changes to the plain Merkle-Damgård construction, which would satisfy our security definition. Our results. This paper is a modified version of a paper to appear at Crypto 2005 [13]. First, we give a satisfactory definition of what it means to implement an arbitrary-length hash function that resists all possible generic attacks. Intuitively, an iterative hash function should beh...

75 | Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case - Nielsen - 2002

73 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology - Maurer, Renner, et al.
Citation context: ...s. We provide a formal definition of what it means to emulate a random oracle H from a fixed-length building block f or E. Our definition is based on the indifferentiability framework of Maurer et al. [24]. The key property of this definition is that if a particular construction of H from f (or E) meets this definition, then any application proven secure assuming H is a random oracle would remain secur...

72 | Hash functions based on block ciphers: A synthetic approach - Preneel, Govaerts, et al. - 1994
Citation context: ...uction considered so far (including Merkle-Damgård strengthening used in current hash functions such as SHA-1, and any of the 64 block-cipher based variants of iterative hash functions considered in [30,9]), no matter which (ideal) compression function f (or a block cipher E) is used. Namely, given MAC(k, m) = H(k‖m), one can extend the message m with any single arbitrary block y and deduce MAC(k, m‖y)...

48 | One Way Hash Functions and - Merkle - 1989
Citation context: ...main extender for the random oracle, which is an interesting result of independent interest. We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1,25] and universal one-way hash functions [7,31]. Although the above works also showed that some variants of Merkle-Damgård yield secure domain extenders for the ...

45 | A Composition Theorem for Universal One-Way Hash Functions - Shoup - 2000
Citation context: ...rest. We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1,25] and universal one-way hash functions [7,31]. Although the above works also showed that some variants of Merkle-Damgård yield secure domain extenders for the corresponding primitive in question, these results are not sufficient to claim a doma...

44 | On the (In)security of the Fiat-Shamir Paradigm - Goldwasser, Kalai - 2003

41 | The random oracle methodology - Canetti, Goldreich, et al. - 1985

29 | Design principles for iterated hash functions. Cryptology ePrint Archive, Report 2004/253 - Lucks - 2004
Citation context: ...s "fix" is similar to the method used by Dodis et al. [15] to overcome the problem of using plain MD chaining for randomness extraction from high-entropy distributions, and to the suggestion of Lucks [23] to increase the resilience of plain MD chaining to multi-collision attacks. It is also already used in practice in the design of the hash functions SHA-384 and SHA-224 [18] (both obtained by dropping some...

26 | Constructing VIL-MACs from FIL-MACs: Message authentication under weakened assumptions - An, Bellare - 1999
Citation context: ...is an interesting result of independent interest. We remark that domain extenders are well studied for such primitives as collision-resistant hash functions [14, 26], pseudorandom functions [8], MACs [1,25] and universal one-way hash functions [7,31]. Although the above works also showed that some variants of Merkle-Damgård yield secure domain extenders for the corresponding primitive in question, thes...

26 | Secure Hash Standard. Federal Information Processing Standards Publication - FIPS - 2002
Citation context: ...-length building block, such as a fixed-length compression function or a block cipher, and then iterating this building block in some manner to extend the input domain arbitrarily. For example, SHA-1 [17], MD5 [19], as well as all the other hash functions we know of, are constructed by applying some variant of the Merkle-Damgård construction to an underlying compression function f : {0, 1}^(n+κ) → {0, 1...

25 | A secure one-way hash function built from DES - Winternitz - 1984
Citation context: ...xact details will not matter for our discussion). The fixed-length compression function f can either be constructed from scratch or made out of a block cipher E via the Davies-Meyer construction (see [32] and Figure 9): f(x, y) = E_y(x) ⊕ x. For example, the SHA-1 compression function was designed specifically for hashing, but a block cipher can nevertheless be derived from it, as illustrated in [21]. ...

13 | Single-Key AIL-MACs from Any FIL-MAC - Maurer, Sjödin

9 | Randomness Extraction and Key Derivation Using - Dodis, Gennaro, et al. - 2004
Citation context: ...ing a fraction of the output of the plain Merkle-Damgård construction MD^f, one obtains a construction indifferentiable from a random oracle. This "fix" is similar to the method used by Dodis et al. [15] to overcome the problem of using plain MD chaining for randomness extraction from high-entropy distributions, and to the suggestion of Lucks [23] to increase the resilience of plain MD chaining to mu...

8 | The MD5 message-digest algorithm, Internet Request for Comments 1321 - RFC - 1992
Citation context: ...ilding block, such as a fixed-length compression function or a block cipher, and then iterating this building block in some manner to extend the input domain arbitrarily. For example, SHA-1 [17], MD5 [19], as well as all the other hash functions we know of, are constructed by applying some variant of the Merkle-Damgård construction to an underlying compression function f : {0, 1}^(n+κ) → {0, 1}^n (see F...

6 | An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem - Bellare, Boldyreva, Palacio - 2004
Citation context: ...Damgård construction are the following. (1) Prefix-Free Encoding: we show that if the inputs to the plain MD construction are guaranteed to be prefix-free, then the plain MD construction is secure. (2) Dropping Some Output Bits: we show that by dropping a non-trivial number of output bits from the plain MD chaining, we get a secure random oracle H even if the input is not encoded in the prefix-fre...

5 | On the Generic Insecurity - Dodis, Oliveira, et al. - 2005