Random Oracles

1
Random Oracles

• Motivation, Definition
• Proof Methodology, Intuition
• A sample proof of security using RO

2
Motivation

• Luby and Rackoff proved that using Feistel
  Networks one can construct pseudo-random
  permutations from pseudo-random functions.
• Conversely, if One needs a practical protocol for
  one-way function, an ideal choice to start from
  is DES

3
contd...

• This implies the cryptographic systems may be
  perceived as generators of One-way Trapdoor
  function.
• Reverse Abstraction.

4
Definition

• A random oracle R is a map from 0, 1 to
  0, 1a chosen by selecting each bit of R(x)
  uniformly and independently, for every x.
• Practical difficulties
• No system can produce infinite length output
• No PPT algorithm can achieve a truly random
  function even for finite length output(???)

5
Proof Methodology verbatim BR93

• ? is a protocol problem
• Find a formal definition for ? in the model of
  computation in which all parties share a random
  oracle R
• Device an efficient protocol p for ? in this
  random oracle model
• prove that p satisfies definition for ?

6
final step

• Replace oracle access to R by computation of h

7
Intuition

• We have a cryptosystem and we need to prove the
  security of it. The concrete instantiation
  precludes us from making any mathematical
  properties about the system. So we replace the
  randomly behaving functions with Random Oracles
  to exploit the abstract nature of them

8
Pre-Condition

• ? and p should be independent of the hash
  function we use! Why??
• A simple counter example

9
Concretising the Methodology Proof of security
of OAEP in the RO model

• A detour into Adaptive chosen cipher-text attack
• Description of OAEP scheme
• Resilience of OEAP in the RO Model for 5
  different attcks
• Attack Game G1
• G2
• G3
• G4
• G5

10
Adaptive Chosen Cipher Text Attack (In the Random
Oracle Scenario)

• Adversary makes a series of arbitrary queries to
  a decryption oracle. The oracle decrypts the
  messages and passes on the plaintexts to the
  adversary. (It is not required that the input
  ciphertexts are computed using the encryption
  algorithm)
• The adversary prepares two messages x0, x1, and
  gives these to an encryption oracle. The
  encryption oracle chooses b e 0, 1 at random en

11
contd...

• crypts xb, and gives the resulting target
  ciphertext y to the adversary.
• The adversary continues to submit ciphertexts y
  to the decryption oracle, subject only to the
  restriction that y ? y
• The adversary outputs b representing its guess
  of b

12
OAEP

• The General scheme makes use of a one-way
  trapdoor permutation. Let f be the permutation,
  acting on k-bit strings, and g its inverse. The
  scheme also makes use of two parameters k0 and k1
  ,which should satisfy k0 k1 lt k. It should also
  be the case that 2-k0 and 2-k1are negligible
  quantities.
• The scheme encrypts messages
• x ? 0, 1n, where n k - k0 - k1

13
OAEP

• The scheme also makes use of three functions
• G 0, 1k0 ? 0, 1n
• H 0, 1nk0 ? 0, 1k1 H 0, 1nk1 ?
  0, 1k0
• These three functions will be modeled as
  independent random oracles in the security
  analysis.

14
OAEPKey Generation

• This simply runs the generator for the one-way
  trapdoor permutation scheme, obtaining f and g.
  The public key is f, and the private key is g.

15
OAEPEncryption

• Given a plaintext x, the encryption algorithm
  randomly chooses r ?? 0, 1k0 , and then
  computes
• s ? 0, 1nk1 , t ? 0, 1k0 , w ? 0, 1k , y ?
  0, 1k
• as follows
• s (G(r) ? x) H?(rx),
• t H(s) ?r,
• w s t,
• y f(w)
• The ciphertext is y.

16
OAEPDecryption

• Given a ciphertext y, the decryption algorithm
  computes
• s ? 0, 1nk1 , t ? 0, 1k0 , w ? 0, 1k , r
  ?? 0, 1k0, x ? 0, 1n , c ?? 0, 1k1
• as follows
• w g(y), s w0nk1-1,
• t wnk1-1k, r H(s) ?t,
• x G(r) ?s0n-1, c snnk1-1
• If c H?(rx), then the algorithm outputs the
  cleartext x otherwise, the algorithm rejects the
  ciphertext.

17
Proof of security in the Random Oracle Model

• Strategy
• The attack is perceived as a game that adversary
  plays against the honest party through Decryption
  Oracle
• G0 is the original game success of which implies
  the insecurity of the model.
• We define a sequence of games G1, G2, G3, G4, G5
• For each of these games Si denote the event that
  the adversary is successful i.e. bb
• We show that for 1? i ?5, the quantity PrSi-1
  - PrSi is negligible
• From the definition of G5, show that PrS5 ½

18
Definitions

• Note that any ciphertext y implicitly defines
  values w, s, t, r, x and c through the decryption
  oracle.
• Let w, s, t, r, x, c be the corresponding
  implicitly defined values for y.
• Also note that x xb and c H?(r x)
• We define sets SG, SH and SH? be the set of
  values at which A queried G, H and H?. Note that
  the set SH? is a set of pairs (r, x)
• We view these sets incrementally growing as the
  attack proceeds-elements are added to these only
  when a random oracle is queries by A.

19
More definitions

• qG, qH and qH? be the bound on the number of
  queries made by A to the oracles G, H and H?
  respectively, and let qD bound the number of
  decryption oracle queries
• As view is the sequence of random variable
• View lt X0, X1,, X qGqHqH? qD1gt
• X0 consists of As coin tosses and the public key
  of the encryption scheme.
• Xi for i ? 1 consists of a response to either a
  random oracle query, a decryption oracle query,
  or the encryption oracle query.

20
Last set of definitions

• ith such query is a function of lt X0, X1,, X
  i-1gt (why?)
• The adversarys final output b? is a function of
  View
• At any fixed point in time, A has made some
  number, say m, queries, and we define
• CurrentView lt X0, X1,, X mgt
• WLOG, we assume if A queried H?(rx), then it
  already queried G(r)

21
G0

• The original attack game.
• S0 is the event that b b

22
G1

• We modify the original game G0 like this.
• Given a ciphertext y, the new decryption oracle
  computes w, s, t, r, x, c as in the decryption.
• If G0 rejects, so does G1
• In addition, the new oracle also rejects if (r,
  x) ? S
• In practice
• Decryption oracle computes r and if r ? SG then
  it rejects without querying G(r)
• If r ?SG, then x is computed and checks whether
  (r, x) ? SH?. If not it rejects without querying
  H?(rx)

23
How different is G1from G0?

• Let F1 be the event that a ciphertext is rejected
  in G1 that would not have been rejected under the
  rules of game G0.

24
Computing Probability of F1 is computing PrS0
- PrS1

• If r r and x x then we must have c ? c.
  In this case, the ciphertext is anyway rejected
  in G0 and is not part of the event F1. So assume
  that x ? x or r ? r. So now the encryption
  oracle has made the query H?(r x) but not
  H?(r x).
• So, if A has not made the query H?(r x), the
  value of H?(r x) is independent of CurrentView,
  and hence independent of c, which is a function
  of CurrentView and H. Therefore, the probability
  that c H?(r x) is 1/2-k1

25
What has Random Oracle given us?

• How is c is dependent on CurrentView?
• Then how is H?(r x) is independent from
  CurrentView?
• What happens when the Oracle is instantiated?
• Probability that c H?(r x) is 1/2-k1 . Hence
  G1 is only negligibly different from G0
• The result of this step PrS0 - PrS1 ? qD /
  2k1

26
G2

• Game G2 works quite like G1.
• If G1 rejects, so does G2. But the G2 also
  rejects if s ? SH
• How different is G2 from G1?
• Let F2 be the event that ciphertext is rejected
  in G2 that would not have been rejected under the
  rules of game G1
• Consider a ciphertext y ? y with s ? SH
  submitted to the decryption oracle. We need to
  find out the probability that y will not be
  rejected in G1

27
G2

• We need to consider two cases s s and s ? s
• Case 1 s s.
• s s and y ? y implies t ? t. Further, s s
  and t ? t implies that r ? r. If this
  ciphertext is rejected under G2 and will not be
  rejected under the rules of G1, it must be the
  case that H?(rx) H?(rx)
• What is the probability for this?

28
G2

• We need to consider two cases s s and s ? s
• Case 1 s s.
• s s and y ? y implies t ? t. Further, s s
  and t ? t implies that r ? r. If this
  ciphertext is rejected under G2 and will not be
  rejected under the rules of G1, it must be the
  case that H?(rx) H?(rx)
• What is the probability for this?
• qH?/2k1

29
G2

• Case 2 s ? s.
• In this case, the oracle was never queried at s
  by either A, the encryption oracle or the
  decryption oracle.
• Hence s is not in view, this implies that t is
  not in view. This implies that r is independent
  of CurrentView.
• Now we need to find the probability that G1 does
  not reject for this ciphertext. For that r should
  be in SG.
• What is the probability for it?

30
G2

• Case 2 s ? s.
• In this case, the oracle was never queried at s
  by either A, the encryption oracle or the
  decryption oracle.
• Hence s is not in view, this implies that t is
  not in view. This implies that r is independent
  of CurrentView.
• Now we need to find the probability that G1 does
  not reject for this ciphertext. For that r should
  be in SG.
• What is the probability for it? qG/ 2k0
• This implies that PrS1 - PrS2 is negligible.

31
G3Getting rid of the trapdoor function in the
decryption Oracle

• Given y.
• The decryption oracle iterates through all pairs
  (r?, x? ) ? SH. For each of these, it can compute
  y?, using the encryption equations.
• Now reject if y? y at any time, it stops and
  output x?
• If the iteration stopped without finding y, it
  rejects.
• Easy to see that G3 is same as G2. Only the
  computational and space complexity at the
  decryption oracle differs.

32
G4, G5

• Structurally similar reductions are performed to
  G3 to get G4 and later to G4 to get G5.
• PrS5 is proven to be ½
• Also PrS4 - PrS5 ? InvAdv (f) qG/2k0
• (Exploiting the uniformity and independence of
  the random oracles)

33
Conclusion

• This leads to the result that
• PrS0- ½ ? InvAdv (f) (qD1) qG /2k0
  (qH? qD)/ 2k1
• By choice of indices k0 and k1 the last two terms
  are negligible.
• So the security of the whole model relies on the
  non-invertibility of the trapdoor function.