Abstract
We introduce the notion of a universal random oracle. Analogously to a classical random oracle it idealizes hash functions as random functions. However, as opposed to a classical random oracle which is created freshly and independently for each adversary, the universal random oracle should provide security of a cryptographic protocol against all adversaries simultaneously. This should even hold if the adversary now depends on the random function. This reflects better the idea that the strong hash functions like SHA-2 and SHA-3 are fixed before the adversary decides upon the attack strategy.
Besides formalizing the notion of the universal random oracle model we show that the model is asymptotically equivalent to Unruh’s auxiliary-input random oracle model (Crypto 2007). In Unruh’s model the adversary receives some inefficiently computed information about the random oracle as extra input. Noteworthy, while security in the universal random oracle model implies security in the auxiliary-input random oracle model tightly, the converse implication introduces an inevitable security loss. This implies that the universal random oracle model provides stronger guarantees in terms of concrete security. Validating the model we finally show, via a direct proof with concrete security, that a universal random oracle is one-way.
References
Bellare, M., Boldyreva, A., Palacio, A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_11
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596
Buldas, A., Laur, S., Niitsoo, M.: Oracle separation in the non-uniform model. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 230–244. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04642-1_19
Buldas, A., Niitsoo, M.: Black-box separations and their adaptability to the non-uniform model. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 152–167. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_11
Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 280–312. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_11
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press (2001). https://doi.org/10.1109/SFCS.2001.959888
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004). https://doi.org/10.1145/1008731.1008734
Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 597–608. ACM Press (2014). https://doi.org/10.1145/2660267.2660374
Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9
Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st FOCS, pp. 305–313. IEEE Computer Society Press (2000). https://doi.org/10.1109/SFCS.2000.892119
Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001)
Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press (2003). https://doi.org/10.1109/SFCS.2003.1238185
Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015). https://doi.org/10.1137/130938438
Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press (1989). https://doi.org/10.1145/73007.73012
Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003
Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_12
Acknowledgments
We thank the anonymous reviewers for valuable comments. Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – SFB 1119 – 236615297 and by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.
A Defining Universal Random Oracles
In this section we present an alternative definition for UROM and argue why it is inappropriate, motivating also our definition of UROM (Definition 3 on page 7).
The Naive Approach. We start with the straightforward adoption of the idea to make the adversary depend on the random oracle by splitting the success probabilities for the experiment \(\textsf {Game}\) and the random oracle \(\mathcal {O}\), stating that the random oracle should work for all adversaries:
A security game \(\textsf {Game}\) is secure in the naive UROM if
We next argue that there is a game which is trivially insecure when considered in the plain random oracle model, but provably secure according to the naive UROM. This is counterintuitive because we expect universal random oracles to provide stronger security guarantees than the classical ROM. Let \(\mathcal {O}\) be length-preserving and let the domain size of the random oracle be \(d(\lambda )=\lambda \). The game is defined as:
where we interpret the \(\lambda \)-bit output of \(\mathcal {O}(0^\lambda )\) as an integer between 0 and \(2^{\lambda }-1\). We ignore here for simplicity that this integer reduced \(\bmod {\lambda ^2}\) is only statistically close to a uniformly random number between 0 and \(\lambda ^2-1\), and from now on calculate with a probability of \(\frac{1}{\lambda ^2}\) that the experiment \(\textsf {Game}\) returns 1 and the adversary wins.
First note that this experiment \(\textsf {Game}\) is insecure in the standard random oracle model (Definition 2 on page 7), because the trivial adversary who does nothing has a success probability of at least \(\frac{1}{\lambda ^2}\), which is non-negligible; here the probability is over the choice of \(\mathcal {O}\) only. We next show that it is nevertheless secure in the naive UROM. To this end we first negate the security statement of the naive UROM and consider the complementary probability. That is, we have to show:
We first note that the experiment is independent of the adversary, such that we can simplify the statement to:
Next observe that the experiment is deterministic, once \(\mathcal {O}\) is chosen randomly “on the outside”. This means that we can restrict ourselves to negligible functions \(\varepsilon _\mathcal {O}\) which only take on values 0 and 1, and also drop the probability over \(\textsf {Game}\) and instead use the output of the game directly:
It suffices now to show that, with probability 0 over the choice of \(\mathcal {O}\), experiment \(\textsf {Game}\) outputs 1 for infinitely many security parameters \(\lambda \). If the game only outputs 1 finitely often for a fixed oracle \(\mathcal {O}\), say, up to a bound \(\varLambda \in \mathbb {N}\), then we can consider the binary-valued negligible function \(\varepsilon _\mathcal {O}^\varLambda (\lambda )=1\) if \(\lambda \le \varLambda \), and 0 elsewhere. For this function the game’s output would not exceed the bound \(\varepsilon _\mathcal {O}^\varLambda (\lambda )\) for any \(\lambda \). In other words, it suffices to show that, with probability 0 over \(\mathcal {O}\), the (deterministic) experiment \(\textsf {Game}\) outputs 1 for infinitely many security parameters:
We next apply the Borel-Cantelli lemma to show that this is indeed the case. Let \(E_\lambda \) describe the event that the game is won for security parameter \(\lambda \). Then \({\mathbb {P}}_{\mathcal {O}}\left[ E_\lambda \right] =\frac{1}{\lambda ^2}\) over the choice of the random oracle \(\mathcal {O}\). Therefore, since the hyperharmonic series converges,
The Borel-Cantelli lemma now tells us that the probability that infinitely many \(E_\lambda \) happen is 0. Therefore, the game is indeed secure in the naive \(\textsf {UROM}\).
Towards the Sophisticated UROM. Let us recap what goes wrong with the naive approach above. Borel-Cantelli tells us that for a random oracle \(\mathcal {O}\) the probabilities of \(\textsf {Game}\) outputting 1 become small such that the adversary will only be successful on finitely many security parameters (with probability 1). This yields a fundamental, yet from a cryptographic perspective somewhat counterintuitive property of adversaries: An adversary might be only successful on finitely many security parameters (except with probability 0), even though the adversary has a polynomial success probability for each individual security parameter!
The difference from the ordinary random oracle model is that, there, we state security in the reverse order, i.e., for a given security parameter \(\lambda \) the probability of an adversary breaking the game for a random oracle \(\mathcal {O}\) is negligible. We would like to restore this behavior while preserving the idea of having a universal random oracle. The approach is basically to move the quantification over all security parameters (\(\forall \lambda \)) out of the probability over the oracle \(\mathcal {O}\). This, however, means that the preceding quantification over the adversary and the negligible function (\(\forall A\exists \varepsilon \forall \lambda \)) needs to be moved outside of \({\mathbb {P}}_{\mathcal {O}}\left[ \cdot \right] \) as well. But this conflicts with our idea of the universal random oracle model, where the adversary may depend on \(\mathcal {O}\). To restore this property we only move out a bound \(s(\lambda )\) on the adversary’s size, and still quantify over all adversaries of this maximal size \(s(\lambda )\). This yields our definition of the universal random oracle model (Definition 3):
The outer negligible function \(\varepsilon _s(\lambda )\) now becomes necessary since for fixed \(\lambda \) we only consider oracle \(\mathcal {O}\) of restricted input and output size, determined by the size bound of the adversary and the fixed game.
Besides the equivalence to the auxiliary-input random oracle model and the immediate implication that security in this version of the UROM implies security for ordinary random oracles, we can also argue directly why our counterexample for the naive approach is labeled as insecure under this definition. Recall that \(\textsf {Game}^\mathcal {O}(\lambda )\) outputs 1 if \(\mathcal {O}(0^\lambda )\equiv 0\bmod {\lambda ^2}\). Then for any given parameter \(\lambda \) we have \({\mathbb {P}}_{\mathcal {O}}\left[ \textsf {Game}^\mathcal {O}(\lambda )=0\right] \le 1-\frac{1}{\lambda ^2}\). It follows that there is no negligible bound \(\varepsilon _s(\lambda )\) such that this probability is at least \(1-\varepsilon _s(\lambda )\).
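The following script is an added illustration of the two arguments above (the naive-UROM counterexample with its Borel-Cantelli step, and the Definition 3 view of the same game); it is not code from the paper. It assumes a stand-in for the length-preserving random oracle: a fixed oracle is selected by a seed (modelling the one-time choice of \(\mathcal {O}\)), and \(\mathcal {O}(x)\) on a \(\lambda \)-bit input is taken as the low \(\lambda \) bits of SHAKE256(seed || \(\lambda \) || x). The seeds used as sample oracles are constructed values. The functions `win_rate_over_oracles`, `winning_parameters` and `borel_cantelli_sum` are names chosen for this example.

```python
import hashlib
import math
from fractions import Fraction


def oracle(seed: bytes, x: bytes, lam: int) -> int:
    """Stand-in for a length-preserving random oracle O on lam-bit inputs (assumption
    of this example, not the paper's construction).

    One fixed oracle is selected by `seed`; O(x) is the low lam bits of
    SHAKE256(seed || lam || x). The input length lam is mixed in so that O behaves
    independently on each domain {0,1}^lam, as a genuine random oracle would.
    """
    nbytes = (lam + 7) // 8
    digest = hashlib.shake_256(seed + lam.to_bytes(4, "big") + x).digest(nbytes)
    return int.from_bytes(digest, "big") & ((1 << lam) - 1)


def game(seed: bytes, lam: int) -> int:
    """Game^O(lam) from the appendix: output 1 iff O(0^lam) = 0 mod lam^2.

    The lam-bit output is read as an integer in [0, 2^lam - 1], as in the text.
    """
    zero_input = bytes((lam + 7) // 8)  # the all-zero string 0^lam, byte-padded
    return 1 if oracle(seed, zero_input, lam) % (lam * lam) == 0 else 0


def sample_oracles(count: int):
    """Constructed sample: `count` distinct seeds, i.e. `count` independently chosen oracles."""
    return (i.to_bytes(4, "big") for i in range(count))


def win_rate_over_oracles(lam: int, oracles: int = 4000) -> float:
    """Estimate P_O[Game^O(lam) = 1] for one fixed lam, over the choice of O.

    This is the quantity the plain ROM and Definition 3 look at; it is roughly
    1/lam^2, so the do-nothing adversary wins with non-negligible probability and
    P_O[Game^O(lam) = 0] stays bounded away from 1 by about 1/lam^2.
    """
    return sum(game(s, lam) for s in sample_oracles(oracles)) / oracles


def winning_parameters(seed: bytes, max_lam: int) -> list:
    """For ONE fixed oracle, the security parameters lam <= max_lam on which the game is won.

    Borel-Cantelli says this set is finite with probability 1 over O, which is why
    the naive UROM declares the game secure.
    """
    return [lam for lam in range(1, max_lam + 1) if game(seed, lam) == 1]


def borel_cantelli_sum(max_lam: int) -> Fraction:
    """Partial sum of P_O[E_lam] = 1/lam^2; the full series converges (to pi^2/6)."""
    return sum((Fraction(1, lam * lam) for lam in range(1, max_lam + 1)), Fraction(0))


if __name__ == "__main__":
    for lam in (2, 4, 8):
        print(f"lam={lam}: P_O[Game=1] ~ {win_rate_over_oracles(lam):.4f}  (1/lam^2 = {1 / lam**2:.4f})")
    print("sum 1/lam^2 up to 1000:", float(borel_cantelli_sum(1000)), "< pi^2/6 =", math.pi**2 / 6)
    fixed_oracle = b"\x00\x00\x00\x07"  # one constructed seed, i.e. one fixed oracle
    print("wins for this fixed oracle up to lam=500:", winning_parameters(fixed_oracle, 500))
```

Running the script shows the two readings side by side: for each fixed \(\lambda \) the fraction of oracles on which the game is won tracks \(1/\lambda ^2\), so no negligible \(\varepsilon _s(\lambda )\) bounds the failure of the game, while for any single fixed oracle the list of winning parameters is short, as the bounded partial sums of \(1/\lambda ^2\) predict via Borel-Cantelli.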
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Fischlin, M., Rohrbach, F., Schmalz, T. (2022). A Random Oracle for All of Us. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_20
DOI: https://doi.org/10.1007/978-3-031-17433-9_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17432-2
Online ISBN: 978-3-031-17433-9