## Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology (2003)

Venue: Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science

Citations: 7 - 1 self

### BibTeX

@INPROCEEDINGS{Maurer03indifferentiability,
  author = {Ueli Maurer and Renato Renner and Clemens Holenstein},
  title = {Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology},
  booktitle = {Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science},
  year = {2003},
  pages = {21--39},
  publisher = {Springer-Verlag}
}

### Abstract

The goals of this paper are three-fold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that...

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...ple for a system, which we will consider more closely, is the random oracle. Its importance in cryptography is due to the so-called random oracle methodology, first made explicit by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]...

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle $R$ can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker prim...

617 | Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, 2005. Revised version of [8
- Canetti
Citation Context: ... security of cryptosystems, i.e., it needs to be specified what it means for a cryptosystem $C$ to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem $C$ is said to be at least as secure as another cryptosy...

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle $R$ can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker prim...

391 | Security and composition of multi-party cryptographic protocols
- Canetti
Citation Context: ... security of cryptosystems, i.e., it needs to be specified what it means for a cryptosystem $C$ to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem $C$ is said to be at least as secure as another cryptosy...

329 | The exact security of digital signatures - how to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation Context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle $R$ can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker prim...

245 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context: ...a class of functions). In contrast to pseudo-randomness (where the parameter is secret), no hash function can implement a random oracle in the above sense, as proved by Canetti, Goldreich, and Halevi [5]. In other words, there exists a cryptosystem C() such that C(R) is secure while C(H(F)) is insecure for any hash algorithm H. It is important to note that the formalization of this second example is...

209 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996

153 | A model for asynchronous reactive systems and its application to secure message transmission
- Pfitzmann, Waidner
- 2000
Citation Context: ... needs to be specified what it means for a cryptosystem $C$ to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem $C$ is said to be at least as secure as another cryptosystem $C'$ if for all attackers A on C t...

45 | CS proofs
- Micali
- 1994

37 | Indistinguishability of random systems
- Maurer
- 2002
Citation Context: ...f (cryptographic) components or resources as well as the parties interacting with them can be characterized as systems. For their representation, we will basically adapt the terminology introduced in [9]. A $(\mathcal{X}, \mathcal{Y})$-system is a sequence of conditional probability distributions $P_{Y_i \mid X^i Y^{i-1}}$ (for $i \in \mathbb{N}$) where $X^i := [X_1, \ldots, X_i]$ and $Y^{i-1} := [Y_1, \ldots, Y_{i-1}]$ and where $X_i$, called the ...

22 | On the random-oracle methodology as applied to length-restricted signature schemes
- Canetti, Goldreich, et al.
- 2004

17 | Composition and Integrity Preservation of Secure Reactive Systems
- Waidner
- 2000
Citation Context: ... needs to be specified what it means for a cryptosystem $C$ to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem $C$ is said to be at least as secure as another cryptosystem $C'$ if for all attackers A on C t...

10 | A practical zero-knowledge protocol to security microprocessors minimizing both transmission and memory
- Guillou, Quisquater
- 1988

10 | Provable Secure and Practical Identification Schemes and Corresponding Signature Schemes. CRYPTO '92
- Okamoto