## Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology (2004)

Venue: Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science

Citations: 76 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Maurer04indifferentiability,
  author    = {Ueli Maurer and Renato Renner and Clemens Holenstein},
  title     = {Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology},
  booktitle = {Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science},
  year      = {2004},
  pages     = {21--39},
  publisher = {Springer-Verlag}
}
```


### Abstract

The goals of this paper are three-fold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finite-length random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem.

Key words: Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.

### Citations

1425 citations | Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993

Citation context: ...e for a system, which we will consider more closely, is the random oracle. Its importance in cryptography is due to the so called random oracle methodology, first made explicit by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]...

884 citations | How to Prove Yourself: Practical Solutions of Identification and Signature Problems
- Fiat, Shamir
- 1987

Citation context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle R can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker primitiv...

670 citations | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001

Citation context: ...ecurity of cryptosystems, i.e., it needs to be specified what it means for a cryptosystem C to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem C is said to be at least as secure as another cryptos...

622 citations | Efficient signature generation by smart cards
- Schnorr
- 1991

Citation context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle R can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker primitiv...

415 citations | Security and Composition of Multi-party Cryptographic Protocols. To appear in the Journal of Cryptology. Available from the Theory of Cryptography Library at http://philby.ucsd.edu/cryptlib
- Canetti
- 1998

Citation context: ...ecurity of cryptosystems, i.e., it needs to be specified what it means for a cryptosystem C to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem C is said to be at least as secure as another cryptos...

352 citations | The Exact Security of Digital Signatures – How to Sign with RSA and Rabin
- Bellare, Rogaway
- 1996

Citation context: ...t by Bellare and Rogaway [1], where the security of cryptosystems is proven under the assumption that any party has access to a random oracle. The methodology has later been used in many papers (e.g. [7, 8, 15, 11, 1, 10, 2, 14]). A (binary) random oracle R can be thought of as an infinite sequence $R_1, R_2, \ldots$ of random bits where the $n$th bit $R_n$ can be accessed in constant time. We also introduce a slightly weaker primitiv...

257 citations | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998

Citation context: ...a class of functions). In contrast to pseudo-randomness (where the parameter is secret), no hash function can implement a random oracle in the above sense, as proved by Canetti, Goldreich, and Halevi [5]. In other words, there exists a cryptosystem $C(\cdot)$ such that $C(R)$ is secure while $C(H(F))$ is insecure for any hash algorithm H. It is important to note that the formalization of this second example is...

225 citations | Security proofs for signature schemes
- Pointcheval, Stern
- 1996

208 citations | A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory
- Guillou, Quisquater
- 1988

159 citations | A model for asynchronous reactive systems and its application to secure message transmission
- Pfitzmann, Waidner
- 2001

Citation context: ...eds to be specified what it means for a cryptosystem C to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem C is said to be at least as secure as another cryptosystem $C'$ if for all attackers A on C t...

156 citations | Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993

146 citations | Composition and Integrity Preservation of Secure Reactive Systems
- Pfitzmann, Waidner
- 2000

Citation context: ...eds to be specified what it means for a cryptosystem C to be at least as secure as another cryptosystem $C'$. Our definition is based on ideas proposed by Canetti [3, 4], and by Pfitzmann and Waidner [12, 13] (for the case of static adversaries), adapted to our general notion of systems. Informally, a cryptosystem C is said to be at least as secure as another cryptosystem $C'$ if for all attackers A on C t...

46 citations | Indistinguishability of random systems
- Maurer
- 2002

Citation context: ...f (cryptographic) components or resources as well as the parties interacting with them can be characterized as systems. For their representation, we will basically adapt the terminology introduced in [9]. A $(\mathcal{X}, \mathcal{Y})$-system is a sequence of conditional probability distributions $P_{Y_i \mid X^i Y^{i-1}}$ (for $i \in \mathbb{N}$) where $X^i := [X_1, \ldots, X_i]$ and $Y^{i-1} := [Y_1, \ldots, Y_{i-1}]$ and where $X_i$, called the $i$th input, a...

46 citations | CS proofs
- Micali

22 citations | On the random-oracle methodology as applied to length-restricted signature schemes
- Canetti, Goldreich, et al.
- 2004