## Random Oracles and Auxiliary Input

Citations: 9 (0 self)

### BibTeX

@MISC{Unruh_randomoracles,
    author = {Dominique Unruh},
    title = {Random Oracles and Auxiliary Input},
    year = {}
}

### Abstract

We introduce a variant of the random oracle model where oracle-dependent auxiliary input is allowed. In this setting, the adversary gets an auxiliary input that can contain information about the random oracle. Using simple examples we show that this model should be preferred over the classical variant where the auxiliary input is independent of the random oracle. In the presence of oracle-dependent auxiliary input, the most important proof technique in the random oracle model—lazy sampling—does not apply directly. We present a theorem and a variant of the lazy sampling technique that allows one to perform proofs in the new model almost as easily as in the old one. As an application of our approach and to illustrate how existing proofs can be adapted, we prove that

### Citations

1443 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, P
- 1993
Citation Context ... [Footnote ⋆: This is the full version of a paper appearing at CRYPTO 2007. Footnote ⋆⋆: Part of this work was done while the author was at the IAKS, University of Karlsruhe, Germany.] 1 Introduction. In [BR93] the following heuristic was advocated as a practical way to design cryptographic protocols: 1 To prove the security of a cryptographic scheme, one first introduces a random oracle O, i.e., a randomly...

260 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
Citation Context ...f functions) H. The random oracle heuristic now states that if the scheme using O is secure, the scheme using H is secure as well. Unfortunately, a counter-example to this heuristic has been given in [CGH98]. It was shown that there exist public key encryption and signature schemes that are secure in the random oracle model but lose their security when instantiated with any function or family of function...

139 | RSA-OAEP is Secure under the RSA Assumption
- Fujisaki, Okamoto, et al.
- 2001
Citation Context ...ences, we use the following convention: The proof [Footnote 9: Note that there are two proofs in [FOPS04], one in Section 4 and one in the appendix. The proof in the appendix is that from the conference version [FOPS01]. We choose the proof from Section 4 as our guideline, since it comes with more formal details and therefore seems better suited to show the applicability of our technique.] from [FOPS04] is given a...

83 | Conditionally-perfect secrecy and a provably-secure randomized cipher - Maurer

80 | A uniform-complexity treatment of encryption and zero-knowledge
- Goldreich
- 1993
Citation Context ...auxiliary input, namely to model information gained from prior executions of cryptographic protocols on the same data, and thus to allow for composability, is preserved by this uniform approach. (See [Gol93] for a detailed analysis.) The main disadvantage of the uniform approach is that definitions and proofs get more complicated due to the presence of another machine. This is why the nonuniform auxiliar...

68 | Lower Bounds on the Efficiency of Generic Cryptographic Constructions - Gennaro, Trevisan - 2000

63 | Lower bound for discrimination information in terms of variation
- Kullback
- 1967
Citation Context ...′ ≤ ε by Lemma 6. By definition of J(G|F), this implies that the results of the queries made by G are only ε away from the maximum possible entropy |G| · log #Range. This implies using a result from [Kul67] that the statistical distance between those query-results and the uniform distribution is bounded by √(ε/2), even when given the results of the queries made by F and the auxiliary input zO . This is f...

54 | On Deniability in the Common Reference String and Random Oracle Models
- Pass
- 2003
Citation Context ...curity when instantiated with any function or family of functions. Nonetheless, the random oracle heuristic still is an important design guideline for implementing cryptographic schemes. Furthermore, [Pas03] pointed out that zero-knowledge proofs in the random oracle model can lose their deniability when instantiated with a fixed function. In contrast to the result of [CGH98], this happens even for natur...

48 | Oblivious Transfer with a Memory-Bounded Receiver - Cachin, Crépeau, et al. - 1998

43 | Unconditional security against memory-bounded adversaries - Cachin, Maurer - 1997

33 | Optimal asymmetric encryption—how to encrypt with RSA
- Bellare, Rogaway
- 1995
Citation Context ...hemes that are shown to be secure in the standard model. As a consequence, schemes used in practise are often based on the random oracle heuristic, e.g., the RSA-OAEP encryption scheme, introduced in [BR95] and standardised in [PKC02], is one of the most widely used public-key encryption schemes, and its security is based on the random oracle heuristic. In the light of the results of [CGH98] and [Pas03]...

24 | A note on negligible functions
- Bellare
Citation Context ...-domain one-way. Hence µ_p := µ_{p(k)}(k) is negligible for all integer polynomials p. We say that a function µ asymptotically dominates a function ν if for all sufficiently large k we have µ(k) ≥ ν(k). [Bel02] proves that for any countable set S of negligible functions, there is a negligible function µ∗ that asymptotically dominates all µ ∈ S. Therefore, there is a negligible function µ∗, that asymptoti...

22 | Tight security proofs for the bounded-storage model. In: 34th STOC. (2002) 341-350. See also preliminary journal version, entitled "Optimal Randomizer Efficiency in the Bounded-Storage Model"
- Dziembowski, Maurer
- 2002
Citation Context ...ds achieved in the bounded-storage model are better than those presented here. In particular, there are protocols in the bounded storage model that are secure given a random source of polynomial size [DM02], while our results are—at least with the present bounds—only useful if the domain of the random oracle has superpolynomial size (cf. the exact bounds given by Theorem 2). It would be interesting to k...

22 | Formalizing human ignorance: Collision-resistant hashing without the keys, 2006. Cryptology ePrint Archive: Report 2006/281
- Rogaway
Citation Context ...wever, the function may depend on the security parameter. Otherwise a property like collision-resistance trivially cannot be fulfilled by a single function, even against uniform adversaries. See also [Rog06] in this context. ... is useful in the context of oracle-dependent auxiliary input, since some reduction proofs with presampling tend to introduce superpolynomial adversaries. As an application of our t...

19 | Very strong one-way functions and pseudo-random generators exist relative to a random oracle. (manuscript)
- Impagliazzo
- 1996
Citation Context ...nctions in Section 3. However, their proof is specific to the property of one-wayness and does not generalise to our setting. According to [GGKT05], a similar result was shown for random functions in [Imp96]. However, their proofs apply only to the one-wayness of the random oracle, while our results imply that many more cryptographic properties of the random oracle are preserved in the presence of oracle...

6 | Zero Knowledge in the Random Oracle Model, Revisited
- Wee
- 2009
Citation Context ... evidence that RSA-OAEP as used in practical application (i.e., with the random oracle instantiated with a fixed function H), is secure even in the presence of an auxiliary input. 1.2 Related work. In [Wee06], the problem of composition of zero-knowledge proofs in the random-oracle model is investigated. It is shown that to guarantee sequential composition, oracle-dependent auxiliary input is necessary. T...

5 | PKCS #1: RSA cryptography standard, version 2.1
- Laboratories
- 2002
Citation Context ...secure in the standard model. As a consequence, schemes used in practise are often based on the random oracle heuristic, e.g., the RSA-OAEP encryption scheme, introduced in [BR95] and standardised in [PKC02], is one of the most widely used public-key encryption schemes, and its security is based on the random oracle heuristic. In the light of the results of [CGH98] and [Pas03], and of the practical impor...