## On the relation between the ideal cipher and the random oracle models (2006)

### Cached

### Download Links

- [www.cs.nyu.edu]
- [cs.nyu.edu]
- [cs.nyu.edu]
- [www.cs.nyu.edu]
- [www.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | In: TCC 2006. LNCS |

Citations: | 6 - 2 self |

### BibTeX

@ARTICLE{Dodis06onthe,

author = {Yevgeniy Dodis and Prashant Puniya},

title = {On the relation between the ideal cipher and the random oracle models},

journal = {In: TCC 2006. LNCS},

year = {2006},

pages = {184--206}

}

### OpenURL

### Abstract

Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, which is a considerably more challenging question. We conjecture that the Luby-Rackoff construction [19] with a sufficient number of rounds should suffice to show this implication. This does not follow from the famous Luby-Rackoff result [19] showing that 4 rounds are enough to turn a pseudorandom function into a pseudorandom permutation, since the results of the intermediate rounds are known to everybody. As a partial step toward resolving this conjecture, we show that random oracles imply ideal ciphers in the honest-but-curious model, where all the participants are assumed to follow the protocol, but keep all their intermediate results. Namely, we show that the Luby-Rackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honest-but-curious cryptosystem, and result in a similar honest-but-curious cryptosystem in the random oracle model. We also show that securely instantiating the ideal cipher using the Luby Rackoff construction with upto a logarithmic number of rounds is equivalent in the honest-but-curious and malicious models. 1

### Citations

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, P
- 1993
(Show Context)
Citation Context ...ere proposed to strike a balance between these two conflicting requirements. Random Oracle Model. One of these was the formalization of the well known Random Oracle Model (ROM) by Bellare and Rogaway =-=[3]-=-. In this model, we ⋆ Supported in part by NSF career award CCR-0133806 and NSF grant CCR-0311095.sassume the existence of a publicly accessible ideal random function and prove protocol security based... |

896 | How to prove yourself: Practical solutions to identification and signature problems, proceeding
- Fiat, Shamir
- 1987
(Show Context)
Citation Context ...istence of a publicly accessible ideal random function and prove protocol security based on this assumption. As was shown by a huge body of literature (for a small set of representative examples, see =-=[3, 6, 4, 15, 24, 25]-=-), the ROM often allows one to design very simple, intuitive and efficient protocols for many tasks, while simultaneously providing a seemingly convincing security guarantee for such practical constru... |

358 | The Exact Security of Digital Signatures { How to Sign with RSA and Rabin
- Bellare, Rogaway
- 1996
(Show Context)
Citation Context ...istence of a publicly accessible ideal random function and prove protocol security based on this assumption. As was shown by a huge body of literature (for a small set of representative examples, see =-=[3, 6, 4, 15, 24, 25]-=-), the ROM often allows one to design very simple, intuitive and efficient protocols for many tasks, while simultaneously providing a seemingly convincing security guarantee for such practical constru... |

321 |
A design principle for hash functions
- Damg̊ard
- 1989
(Show Context)
Citation Context ...cle, as it seems plausible that one can construct “unstructured” functions from permutations. In [8], a formal proof of this conjecture was given. The authors analyzed the MerkleDamg˚ard construction =-=[12, 21]-=- for extending the domain of a random function in the indifferentiability scenario. The Merkle-Damg˚ard construction is the basis of almost all practical hash functions, such as SHA or MD5. It was sho... |

260 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
(Show Context)
Citation Context ... theory such security proofs in the ROM have came under scrutiny, after a series of results showed artificial schemes that are provably secure in the ROM, but are uninstantiable in the standard model =-=[10, 22, 16, 11, 2]-=-. Still, none of these results directly attack any of the widely used cryptographic schemes, such as OAEP [6] or PSS [4], that rely on secure hash functions. In particular, all the practical applicati... |

251 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ...istence of a publicly accessible ideal random function and prove protocol security based on this assumption. As was shown by a huge body of literature (for a small set of representative examples, see =-=[3, 6, 4, 15, 24, 25]-=-), the ROM often allows one to design very simple, intuitive and efficient protocols for many tasks, while simultaneously providing a seemingly convincing security guarantee for such practical constru... |

115 | Black-box analysis of the block-cipher-based hash-function constructions from PGV
- Black, Rogaway, et al.
(Show Context)
Citation Context ...pher with a practical block cipher construction, such as AES. Although the ICM is not as popular as the random oracle model, there are still several examples of schemes where this model has been used =-=[5, 13, 14, 17, 18]-=-. Several questions have been raised regarding security in the ideal cipher model. Existing block cipher constructions, such as DES, AES etc. are vulnerable to related key attacks and have distinguish... |

84 | An uninstantiable random-oraclemodel scheme for a hybrid encryption problem
- Bellare, Boldyreva, et al.
- 2004
(Show Context)
Citation Context ... theory such security proofs in the ROM have came under scrutiny, after a series of results showed artificial schemes that are provably secure in the ROM, but are uninstantiable in the standard model =-=[10, 22, 16, 11, 2]-=-. Still, none of these results directly attack any of the widely used cryptographic schemes, such as OAEP [6] or PSS [4], that rely on secure hash functions. In particular, all the practical applicati... |

84 | Merkle-Damg̊ard revisited: How to construct a hash function
- Coron, Dodis, et al.
- 2005
(Show Context)
Citation Context ...s in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. =-=[8]-=- proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, wh... |

54 | A construction of a cipher from a single pseudorandom permutation
- Even, Mansour
- 1997
(Show Context)
Citation Context ...pher with a practical block cipher construction, such as AES. Although the ICM is not as popular as the random oracle model, there are still several examples of schemes where this model has been used =-=[5, 13, 14, 17, 18]-=-. Several questions have been raised regarding security in the ideal cipher model. Existing block cipher constructions, such as DES, AES etc. are vulnerable to related key attacks and have distinguish... |

23 | The security of All-or-Nothing Encryption: Protecting Against Exhaustive Key Search
- Desai
- 2000
(Show Context)
Citation Context ...pher with a practical block cipher construction, such as AES. Although the ICM is not as popular as the random oracle model, there are still several examples of schemes where this model has been used =-=[5, 13, 14, 17, 18]-=-. Several questions have been raised regarding security in the ideal cipher model. Existing block cipher constructions, such as DES, AES etc. are vulnerable to related key attacks and have distinguish... |

22 |
On the random-oracle methodology as applied to length-restricted signature schemes
- Canetti, Goldreich, et al.
- 2004
(Show Context)
Citation Context ... theory such security proofs in the ROM have came under scrutiny, after a series of results showed artificial schemes that are provably secure in the ROM, but are uninstantiable in the standard model =-=[10, 22, 16, 11, 2]-=-. Still, none of these results directly attack any of the widely used cryptographic schemes, such as OAEP [6] or PSS [4], that rely on secure hash functions. In particular, all the practical applicati... |

16 | The ideal-cipher model, revisited: An uninstantiable blockcipherbased hash function. Cryptology ePrint Archive
- Black
- 2005
(Show Context)
Citation Context ...se these constructions to instantiate the ideal block cipher. As in the case of the random oracle model, uninstantiable schemes that are secure in the ideal cipher model have also been presented (see =-=[1]-=-). But, all these problems withstanding, the ideal cipher model does provide security against generic attacks that do not exploit weaknesses of the underlying block cipher.sComparing The Models. From ... |

2 |
private communication
- Coron
- 2006
(Show Context)
Citation Context ...ts for Constant Rounds Finally, we mention that one does need to use sufficient number of rounds of the Feistel permutation in the construction, to have any hope of proving it indifferentiable. Coron =-=[7]-=- showed that for less than 6 rounds the LR-construction is not indifferentiable from a random permutation. Theorem 5 ([7]). Let Cπ,k be the k round LR-construction of a random permutation π, with numb... |

1 | Equivalence Between the Random Oracle Model and the Random Cipher Model, Dagstuhl Seminar 02391: Cryptography - Coron, Joux, et al. - 2002 |