A Random Oracle for All of Us

Conference paper. In: Progress in Cryptology - AFRICACRYPT 2022 (AFRICACRYPT 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13503)

Abstract

We introduce the notion of a universal random oracle. Analogously to a classical random oracle, it idealizes hash functions as random functions. However, as opposed to a classical random oracle, which is created freshly and independently for each adversary, the universal random oracle should provide security of a cryptographic protocol against all adversaries simultaneously. This should hold even if the adversary depends on the random function. This better reflects the idea that strong hash functions like SHA-2 and SHA-3 are fixed before the adversary decides upon the attack strategy.

Besides formalizing the notion of the universal random oracle model, we show that the model is asymptotically equivalent to Unruh’s auxiliary-input random oracle model (Crypto 2007). In Unruh’s model the adversary receives some inefficiently computed information about the random oracle as extra input. Notably, while security in the universal random oracle model implies security in the auxiliary-input random oracle model tightly, the converse implication introduces an inevitable security loss. This implies that the universal random oracle model provides stronger guarantees in terms of concrete security. Validating the model, we finally show, via a direct proof with concrete security, that a universal random oracle is one-way.

References

  1. Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_11

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596

  3. Buldas, A., Laur, S., Niitsoo, M.: Oracle separation in the non-uniform model. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 230–244. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04642-1_19

  4. Buldas, A., Niitsoo, M.: Black-box separations and their adaptability to the non-uniform model. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 152–167. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_11

  5. Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 280–312. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_11

  6. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959888

  7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004). https://doi.org/10.1145/1008731.1008734

  8. Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 597–608. ACM Press (2014). https://doi.org/10.1145/2660267.2660374

  9. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9

  10. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16

  11. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  12. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st FOCS, pp. 305–313. IEEE Computer Society Press (2000). https://doi.org/10.1109/SFCS.2000.892119

  13. Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001)

  14. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press (2003). https://doi.org/10.1109/SFCS.2003.1238185

  15. Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015). https://doi.org/10.1137/130938438

  16. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press (1989). https://doi.org/10.1145/73007.73012

  17. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8

  18. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003

  19. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_12

Acknowledgments

We thank the anonymous reviewers for valuable comments. Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) − SFB 1119 − 236615297 and by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.

Author information

Correspondence to Felix Rohrbach.

A Defining Universal Random Oracles

In this section we present an alternative definition for UROM and argue why it is inappropriate, motivating also our definition of UROM (Definition 3 on page 7).

The Naive Approach. We start with the straightforward adoption of the idea to make the adversary depend on the random oracle by splitting the success probabilities for the experiment \(\textsf {Game}\) and the random oracle \(\mathcal {O}\), stating that the random oracle should work for all adversaries:

A security game \(\textsf {Game}\) is secure in the naive UROM if

$$\begin{aligned} {\mathbb {P}}_{\mathcal {O}}\left[ \begin{array}{c} \forall A_\mathcal {O}\in SIZE \left( poly (\lambda )\right) \\ \exists \varepsilon _{A,\mathcal {O}}\in negl \; \forall \lambda \end{array} :\; {\mathbb {P}}_{\textsf {Game}}\left[ \textsf {Game}^{A_{\mathcal {O}}^\mathcal {O},\mathcal {O}}(\lambda )\right] \le \varepsilon _{A,\mathcal {O}}(\lambda )\right] =1. \end{aligned}$$

We next argue that there is a game which is trivially insecure in the plain random oracle model, but provably secure according to the naive UROM. This is counterintuitive because we expect universal random oracles to provide stronger security guarantees than the classical ROM. Let \(\mathcal {O}\) be length-preserving and let the domain size of the random oracle be \(d(\lambda )=\lambda \). The game is defined as:

$$\begin{aligned} \textsf {Game}^{A_\mathcal {O}^\mathcal {O},\mathcal {O}}(\lambda )=1 \quad :\iff \quad \mathcal {O}(0^\lambda )\equiv 0\bmod {\lambda ^2}, \end{aligned}$$

where we interpret the \(\lambda \)-bit output \(\mathcal {O}(0^\lambda )\) as an integer between 0 and \(2^{\lambda }-1\). For simplicity we ignore that this integer reduced \(\bmod {\lambda ^2}\) is only statistically close to a uniformly random number between 0 and \(\lambda ^2-1\), and from now on calculate with a probability of \(\frac{1}{\lambda ^2}\) that the experiment \(\textsf {Game}\) returns 1 and the adversary wins.

First note that this experiment \(\textsf {Game}\) is insecure in the standard random oracle model (Definition 2 on page 7), because the trivial adversary who does nothing has a success probability of at least \(\frac{1}{\lambda ^2}\), which is non-negligible; here the probability is over the choice of \(\mathcal {O}\) only. We next show that it is nonetheless secure in the naive UROM. To this end we first negate the security statement of the naive UROM and consider the complementary probability. That is, we have to show:

$$\begin{aligned} {\mathbb {P}}_{\mathcal {O}}\left[ \begin{array}{c} \exists A_\mathcal {O}\in SIZE \left( poly (\lambda )\right) \\ \forall \varepsilon _{A,\mathcal {O}}\in negl \; \exists \lambda \end{array} :\; {\mathbb {P}}_{\textsf {Game}}\left[ \textsf {Game}^{A_{\mathcal {O}}^\mathcal {O},\mathcal {O}}(\lambda )\right] > \varepsilon _{A,\mathcal {O}}(\lambda )\right] =0. \end{aligned}$$

We first note that the experiment is independent of the adversary, such that we can simplify the statement to:

$$ {\mathbb {P}}_{\mathcal {O}}\left[ \forall \varepsilon _{\mathcal {O}}\in negl \; \exists \lambda :\; {\mathbb {P}}_{\textsf {Game}}\left[ \textsf {Game}^{\mathcal {O}}({\lambda })\right] > \varepsilon _{\mathcal {O}}(\lambda )\right] =0. $$

Next observe that the experiment is deterministic, once \(\mathcal {O}\) is chosen randomly “on the outside”. This means that we can restrict ourselves to negligible functions \(\varepsilon _\mathcal {O}\) which only take on values 0 and 1, and also drop the probability over \(\textsf {Game}\) and instead use the output of the game directly:

$$ {\mathbb {P}}_{\mathcal {O}}\left[ \forall \varepsilon _{\mathcal {O}}\in negl , \varepsilon _\mathcal {O}:\mathbb {N}\rightarrow \{0,1\}\; \exists \lambda :\; {\textsf {Game}^{\mathcal {O}}{(\lambda )}}> \varepsilon _{\mathcal {O}}(\lambda )\right] =0. $$

It suffices now to show that, with probability 0 over the choice of \(\mathcal {O}\), experiment \(\textsf {Game}\) outputs 1 for infinitely many security parameters \(\lambda \). If the game only outputs 1 finitely often for a fixed oracle \(\mathcal {O}\), say, up to a bound \(\varLambda \in \mathbb {N}\), then we can consider the binary-valued negligible function \(\varepsilon _\mathcal {O}^\varLambda (\lambda )=1\) if \(\lambda \le \varLambda \), and 0 elsewhere. For this function the game’s output would not exceed the bound \(\varepsilon _\mathcal {O}^\varLambda (\lambda )\) for any \(\lambda \). In other words, it suffices to show that the (deterministic) experiment \(\textsf {Game}\) outputs 1 for infinitely many security parameters:

$$ {\mathbb {P}}_{\mathcal {O}}\left[ \text {for infinitely many }\lambda \in \mathbb {N}: \textsf {Game}^{\mathcal {O}}(\lambda )=1\right] =0. $$

We next apply the Borel-Cantelli lemma to show that this is indeed the case. Let \(E_\lambda \) describe the event that the game is won for security parameter \(\lambda \). Then \({\mathbb {P}}_{\mathcal {O}}\left[ E_\lambda \right] =\frac{1}{\lambda ^2}\) over the choice of the random oracle \(\mathcal {O}\). Therefore, since the hyperharmonic series converges,

$$\begin{aligned} \sum _{\lambda =1}^{\infty }{\mathbb {P}}\left[ E_\lambda \right] <\infty . \end{aligned}$$

The Borel-Cantelli lemma now tells us that the probability that infinitely many \(E_\lambda \) happen is 0. Therefore, the game is indeed secure in the naive \(\textsf {UROM}\).

Towards the Sophisticated UROM. Let us recap what goes wrong with the naive approach above. Borel-Cantelli tells us that for a random oracle \(\mathcal {O}\) the probabilities of \(\textsf {Game}\) outputting 1 are so small that the adversary will only be successful on finitely many security parameters (with probability 1). This yields a fundamental, yet from a cryptographic perspective somewhat counterintuitive, property of adversaries: an adversary might be successful only on finitely many security parameters (except with probability 0), even though the adversary has a polynomial success probability for each individual security parameter!

The difference to the ordinary random oracle model is that, there, security is stated in the reverse order: for a given security parameter \(\lambda \) the probability of an adversary breaking the game for a random oracle \(\mathcal {O}\) is negligible. We would like to resurrect this behavior while preserving the idea of a universal random oracle. The approach is basically to move the quantification over all security parameters (\(\forall \lambda \)) out of the probability over the oracle \(\mathcal {O}\). This, however, means that the preceding quantification over the adversary and the negligible function (\(\forall A\exists \varepsilon \forall \lambda \)) needs to be moved outside of \({\mathbb {P}}_{\mathcal {O}}\left[ \cdot \right] \) as well. But this conflicts with our idea of the universal random oracle model, where the adversary may depend on \(\mathcal {O}\). To reinstate this property we only move out a bound \(s(\lambda )\) on the adversary’s size, and still quantify over all adversaries of this maximal size \(s(\lambda )\) inside the probability. This yields our definition of the universal random oracle model (Definition 3):

$$\begin{aligned}&\forall s\in \text {poly }\; \exists \varepsilon _{s}\in negl \; \forall \lambda \in \mathbb {N}:\nonumber \\&\quad {\mathbb {P}}_{\mathcal {O}}\left[ \forall A_{\mathcal {O}}\in SIZE \left( s(\lambda )\right) :{\mathbb {P}}_{\textsf {Game}}\left[ \textsf {Game}^{A_{\mathcal {O}}^\mathcal {O},\mathcal {O}}(\lambda )\right] \le \varepsilon _s(\lambda )\right] \ge 1 - \varepsilon _s(\lambda ). \end{aligned}$$
(4)

The outer negligible function \(\varepsilon _s(\lambda )\) now becomes necessary since for fixed \(\lambda \) we only consider oracle \(\mathcal {O}\) of restricted input and output size, determined by the size bound of the adversary and the fixed game.

Besides the equivalence to the auxiliary-input random oracle model and the immediate implication that security in this version of the UROM implies security for ordinary random oracles, we can also discuss directly why our counterexample for the naive approach is labeled insecure here. Recall that \(\textsf {Game}^\mathcal {O}(\lambda )\) outputs 1 if \(\mathcal {O}(0^\lambda )\equiv 0\bmod {\lambda ^2}\). Then for any given parameter \(\lambda \) we have \({\mathbb {P}}_{\mathcal {O}}\left[ \textsf {Game}^\mathcal {O}(\lambda )=0\right] \le 1-\frac{1}{\lambda ^2}\). It follows that there is no negligible bound \(\varepsilon _s(\lambda )\) such that this probability is at least \(1-\varepsilon _s(\lambda )\) for every \(\lambda \).

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Fischlin, M., Rohrbach, F., Schmalz, T. (2022). A Random Oracle for All of Us. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_20

  • DOI: https://doi.org/10.1007/978-3-031-17433-9_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17432-2

  • Online ISBN: 978-3-031-17433-9