Instantiating Random Oracles via UCEs. - Internet Archive Scholar

This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. ... We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. ... Under the random-oracle paradigm of Bellare and Rogaway (BR93) [14] , a "real-world" or instantiated scheme is obtained by implementing the RO of the overlying ROM scheme via a cryptographic hash function ...

doi:10.1007/978-3-642-40084-1_23 fatcat:e76gn6dieve75ghdzzcuofghmu

It is well known that the random oracle model is not sound in the sense that there exist cryptographic systems that are secure in the random oracle model but when instantiated by any family of hash functions ... First, we present a random oracle separation for bitencryption; namely, we show that there exists a bit-encryption protocol secure in the random oracle model but completely insecure when the random oracle ... in the random oracle model but insecure in the standard model when instantiated with a (poly, )-ensemble. ...

doi:10.1007/978-3-319-44618-9_31 fatcat:4hh3ho73hnfb7gyjmc4fbgjye4

The paradigm consists of (1) Showing that a VIL UCE function can instantiate the VIL RO in the scheme, and (2) Constructing the VIL UCE function given a FIL random oracle. ... Our suggested UCE-based paradigm to move schemes from the VIL-ROM to the FIL-ROM has two steps: (1) Show that instantiating the VIL random oracle in the scheme with a VIL UCE function preserves security ... When the challenge bit b is 1 (the "real" case) the oracle responds via H.Ev under hk[i]. When b = 0 (the "random" case) it responds via the ith random-oracle procedure. ...

doi:10.1007/978-3-662-44371-2_10 fatcat:alsyh5vaaff6zpplv7mb256wje

As our negative results, we show difficulties of instantiating the random oracle in the Fujisaki-Okamoto (FO) construction (PKC'99) with a UCE, by exhibiting pairs of CPA secure PKE and a UCE for which ... kinds of cryptographic primitives in the standard model whose (efficient) constructions were only known in the random oracle model. ... The authors would like to thank Pooya Farshim for giving us a detailed overview of their attack [12] on UCE security using indistinguishability obfuscation. ...

doi:10.1007/978-3-642-54631-0_4 fatcat:m2opqcuys5c4xewszq2lynml3m

We start by showing that the Encrypt-with-Hash transform of Bellare, Boldyreva and O'Neill (CRYPTO 2007) for converting randomized public-key encryption schemes to deterministic ones is not instantiable ... Our results call for a re-assessment of scheme design in the random-oracle model and highlight the need for new transforms that do not suffer from iO-based attacks. ... Once a scheme is designed and analyzed in the random-oracle model, one instantiates the oracle via a concrete hash function, tacitly assuming that it has a "RO-like" behavior. ...

doi:10.1007/978-3-662-46497-7_17 fatcat:x4kztrpkyrgm7clzws2z26oic4

However, it is well known that no hash function realizes a random oracle and no real compression function realizes an ideal one. ... This notion formalizes that a family of functions "behaves like a random oracle" for "real-world" protocols while avoiding the general impossibility results. ... However, it is well known [CGH04 ] that no hash function realizes a random oracle; hence, once the random oracle is instantiated the security proof degenerates to a heuristic security argument. ...

doi:10.1007/978-3-319-98113-0_5 fatcat:rr7ayxvne5a3jj3smumueoem3i

In recent work, Bellare, Hoang, and Keelveedhi (CRYPTO 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and showed how they can replace random oracles (ROs) across a ... We formulate a new framework, called Interactive Computational Extractors (ICEs), that extends UCEs by viewing them as models of ROs under unpredictable (aka. high-entropy) queries. ... Instantiations BHK show that random oracles fulfill their strongest proposed UCE notion, namely UCE security with respect to computationally unpredictable sources. 9 We prove that random oracles are ...

doi:10.1007/978-3-662-52993-5_23 fatcat:wwoqkjlj3zgrhesxmnqnuidodq

Random oracles are powerful cryptographic objects. ... However, due to an uninstantiability result of Canetti, Goldreich, and Halevi (STOC 1998) random oracles have become somewhat controversial. ... Various instantiations of source S 1 now simply recover these packets and leak them via their own leakage. ...

doi:10.1007/978-3-662-44371-2_11 fatcat:r3cxk4frozaodgqx3mkw4r7lsy

When the hash function is a random oracle, they showed EwH achieves full IND security. Achieving full IND security in the standard model however seemed out of reach. ... A general framework to obtain RO un-instantiability results via iO is given in [38] but it applies to single-stage games and thus doesn't yield a result for D-PKE. ... UCE[S sup ] and UCE[S srs ] families may be efficiently instantiated via HMAC-SHA-256 [8, 45] or superefficiently via [9] , which we will exploit for efficient schemes. ...

doi:10.1007/978-3-662-46803-6_21 fatcat:22ld7gamxzhbnicgdfbi37c244

There exist two formulations of the Random Oracle Model, one assumes that random oracles are local to the protocol execution. ... Ideally given a functionality for unpredictable signatures F Sig we would like to be able to construct a UC protocol emulating a UC functionality for F vrf in the random oracle model. ... ) sense, thus they are extensively used in any UC-secure protocol. ...

doi:10.4230/dagrep.9.1.88 dblp:journals/dagstuhl-reports/CamenischKLS19 fatcat:j2dfgtcoxnbvtgpu7mtxdehequ

For many cryptographic primitives and in particular for correlation-secure hash functions all known constructions are in the random-oracle model. ... Our construction suffices to instantiate q-query correlation-secure hash functions and to extract polynomially many hardcore bits from any one-way function. ... On a high-level, our construction is a de facto instantiation of a random oracle. ...

doi:10.1007/978-3-662-45608-8_7 fatcat:6mvjrtuypff3xanz27v2qcxirq

Our psPRP result instantiates the round functions in the Naor-Reingold (NR) construction with a secure UCE hash function. ... For correlation intractability, we instead instantiate them from a (public) random function, and replace the pairwise-independent permutations in the NR construction with (almost) O(k 2 )-wise independent ... Second, even if we instantiate H from a random oracle (which gives a good UCE [BHK13] ), the result is useful, as this would give us a simple instantiation of a (seeded) permutation in applications which ...

doi:10.1007/978-3-319-78372-7_21 fatcat:7ynancgdffdsrgeiwjr4nohfue

We call a blind signature protocol modular if the π S protocol does not use the signing key except via oracle access to Sign(sk, ·). ... random function. ...

doi:10.1007/978-3-642-32009-5_7 fatcat:zbk7wnq4tfbtlkajqgfkz222qy

Several constructions require a random oracle with range ID.CS(ivk), which is Z N \ {0}, which we can easily build. Bounds for concrete instantiations. ... Signature sizes and unforgeability (that is, UF, not UUF) bounds obtained by constructing concrete signature schemes from the GQ scheme via the transforms in this paper can be obtained by instantiating ... Given this, other calls of the algorithms of the starting scheme to the random oracle can be simulated directly in the proof via the random oracle available to the constructed adversaries. ...

doi:10.1007/978-3-662-53890-6_15 fatcat:o47tc6xsrre6te7gb7j3ncj7am

., making it random and accessible, as an oracle, to all parties. ... To start with, we provide efficient constructions of UCEs from psPRPs for both reset-secure and unpredictable sources, thus showing that most applications of the UCE framework admit instantiations from ... Instantiating random oracles via UCEs. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 398-415. Springer, Heidelberg, August 2013. BHK14. ...

doi:10.1007/978-3-319-56614-6_14 fatcat:2d7xhdjlnfedzcsdq22pcqyt24

Instantiating Random Oracles via UCEs [chapter]

Preserved Fulltext

A Unified Approach to Idealized Model Separations via Indistinguishability Obfuscation [chapter]

Preserved Fulltext

Cryptography from Compression Functions: The UCE Bridge to the ROM [chapter]

Preserved Fulltext

Chosen Ciphertext Security via UCE [chapter]

Preserved Fulltext

Random-Oracle Uninstantiability from Indistinguishability Obfuscation [chapter]

Preserved Fulltext

Security Definitions for Hash Functions: Combining UCE and Indifferentiability [chapter]

Preserved Fulltext

Modeling Random Oracles Under Unpredictable Queries [chapter]

Preserved Fulltext

Indistinguishability Obfuscation and UCEs: The Case of Computationally Unpredictable Sources [chapter]

Preserved Fulltext

Resisting Randomness Subversion: Fast Deterministic and Hedged Public-Key Encryption in the Standard Model [chapter]

Preserved Fulltext

Practical Yet Composably Secure Cryptographic Protocols (Dagstuhl Seminar 19042)

Preserved Fulltext

Using Indistinguishability Obfuscation via UCEs [chapter]

Preserved Fulltext

Naor-Reingold Goes Public: The Complexity of Known-Key Security [chapter]

Preserved Fulltext

Must You Know the Code of f to Securely Compute f? [chapter]

Preserved Fulltext

From Identification to Signatures, Tightly: A Framework and Generic Transforms [chapter]

Preserved Fulltext

Public-Seed Pseudorandom Permutations [chapter]

Preserved Fulltext