How Risky Is the Random-Oracle Model?

Authors:
Gaëtan Leurent;Phong Q. Nguyen
Affiliations:
DGA and ENS, France;INRIA and ENS, France
Venue:
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Year:
2009

Citing 0
Cited 10

Provably Secure Code-Based Threshold Ring Signatures

Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
Provably secure multi-proxy signature scheme with revocation in the standard model

Computer Communications
Security of encryption schemes in weakened random oracle models

PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Bonsai trees, or how to delegate a lattice basis

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
Public key encryption without random oracle made truly practical

ICICS'09 Proceedings of the 11th international conference on Information and Communications Security
Public key encryption without random oracle made truly practical

Computers and Electrical Engineering
Improved known-key distinguishers on Feistel-SP ciphers and application to camellia

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model

Security and Communication Networks
Cryptanalysis vs. provable security

Inscrypt'11 Proceedings of the 7th international conference on Information Security and Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a 267 preimage attack on BR93 for 1024-bit digests. Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.