Non-adaptive programmability of random oracle

Rishiraj Bhattacharyya; Pratyay Mukherjee

doi:10.1016/j.tcs.2015.05.026

Non-adaptive programmability of random oracle

Rishiraj Bhattacharyya^*, Pratyay Mukherjee

^*Corresponding author for this work

Computer Science

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic primitives. But, at the same time they are criticized due to the impossibility of practical instantiation. Programmability is one of the most important features behind the power of Random Oracles. Unfortunately, in the standard hash functions, the feature of programmability is limited. In recent years, there have been endeavors to restrict programmability of random oracles. However, we observe that the existing models allow adaptive programming, that is, the reduction can program the random oracle adaptively in the online phase of the security game depending on the query received from the adversary, and thus are quite far from the standard model.In this paper, we introduce a new feature called non-adaptive programmability of random oracles, where the reduction can program the random oracle only in the pre-processing phase. In particular, it might non-adaptively program the RO by setting a regular function as a post-processor on the oracle output. We call this new model Non-Adaptively-Programmable Random Oracle (NAPRO) and we show that this model is actually equivalent to so-called Non-Programmable Random Oracle (NPRO) introduced by Fischlin et al. [8], hence too restrictive.However, we also propose a slightly stronger model, called Weak-Non-Adaptively-Programmable Random Oracle (WNAPRO), where in addition to non-adaptive programming, the reduction is allowed to adaptively extract some "auxiliary information" from the RO and this "auxiliary information" interestingly plays crucial role in the security proof allowing several important RO proofs to go through! In particular we prove the following results in WNAPRO model.1.RSA-Full-Domain Hash signature scheme (RSA-FDH), and Boneh-Franklin ID-based encryption scheme (BF-IDE) are secure in the WNAPRO model. This is in sharp contrast to strong blackbox proofs of FDH schemes, where full programmability seems to be necessary.2.Shoup's Trapdoor-permutation based Key-encapsulation Mechanism (TDP-KEM) cannot be proven secure via blackbox reduction from ideal trapdoor-permutations in the WNAPRO model.

Original language	English
Pages (from-to)	97-114
Number of pages	18
Journal	Theoretical Computer Science
Volume	592
DOIs	https://doi.org/10.1016/j.tcs.2015.05.026
Publication status	Published - 9 Aug 2015

Bibliographical note

Funding Information:
We thank Ivan Dåmgard and Vipul Goyal for useful discussions at the beginning of this work. Part of this work was done when both authors were associated with the Centre of Excellence in Cryptology of Indian Statistical Institute, Kolkata, and were supported by Ministry of Defense of Government of India. Rishiraj was a member of ARIC team of ENS-Lyon, France when the results were finalized and submitted.

Publisher Copyright:
© 2015 Elsevier B.V.

Keywords

Programmability
Random oracle
RSA-FDH
TDP-KEM

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1016/j.tcs.2015.05.026

Cite this

@article{3fc47fb89b9c434cb283e45962a95c9e,

title = "Non-adaptive programmability of random oracle",

abstract = "Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic primitives. But, at the same time they are criticized due to the impossibility of practical instantiation. Programmability is one of the most important features behind the power of Random Oracles. Unfortunately, in the standard hash functions, the feature of programmability is limited. In recent years, there have been endeavors to restrict programmability of random oracles. However, we observe that the existing models allow adaptive programming, that is, the reduction can program the random oracle adaptively in the online phase of the security game depending on the query received from the adversary, and thus are quite far from the standard model.In this paper, we introduce a new feature called non-adaptive programmability of random oracles, where the reduction can program the random oracle only in the pre-processing phase. In particular, it might non-adaptively program the RO by setting a regular function as a post-processor on the oracle output. We call this new model Non-Adaptively-Programmable Random Oracle (NAPRO) and we show that this model is actually equivalent to so-called Non-Programmable Random Oracle (NPRO) introduced by Fischlin et al. [8], hence too restrictive.However, we also propose a slightly stronger model, called Weak-Non-Adaptively-Programmable Random Oracle (WNAPRO), where in addition to non-adaptive programming, the reduction is allowed to adaptively extract some {"}auxiliary information{"} from the RO and this {"}auxiliary information{"} interestingly plays crucial role in the security proof allowing several important RO proofs to go through! In particular we prove the following results in WNAPRO model.1.RSA-Full-Domain Hash signature scheme (RSA-FDH), and Boneh-Franklin ID-based encryption scheme (BF-IDE) are secure in the WNAPRO model. This is in sharp contrast to strong blackbox proofs of FDH schemes, where full programmability seems to be necessary.2.Shoup's Trapdoor-permutation based Key-encapsulation Mechanism (TDP-KEM) cannot be proven secure via blackbox reduction from ideal trapdoor-permutations in the WNAPRO model.",

keywords = "Programmability, Random oracle, RSA-FDH, TDP-KEM",

author = "Rishiraj Bhattacharyya and Pratyay Mukherjee",

note = "Funding Information: We thank Ivan D{\aa}mgard and Vipul Goyal for useful discussions at the beginning of this work. Part of this work was done when both authors were associated with the Centre of Excellence in Cryptology of Indian Statistical Institute, Kolkata, and were supported by Ministry of Defense of Government of India. Rishiraj was a member of ARIC team of ENS-Lyon, France when the results were finalized and submitted. Publisher Copyright: {\textcopyright} 2015 Elsevier B.V.",

year = "2015",

month = aug,

day = "9",

doi = "10.1016/j.tcs.2015.05.026",

language = "English",

volume = "592",

pages = "97--114",

journal = "Theoretical Computer Science",

issn = "0304-3975",

publisher = "Elsevier",

}

TY - JOUR

T1 - Non-adaptive programmability of random oracle

AU - Bhattacharyya, Rishiraj

AU - Mukherjee, Pratyay

N1 - Funding Information: We thank Ivan Dåmgard and Vipul Goyal for useful discussions at the beginning of this work. Part of this work was done when both authors were associated with the Centre of Excellence in Cryptology of Indian Statistical Institute, Kolkata, and were supported by Ministry of Defense of Government of India. Rishiraj was a member of ARIC team of ENS-Lyon, France when the results were finalized and submitted. Publisher Copyright: © 2015 Elsevier B.V.

PY - 2015/8/9

Y1 - 2015/8/9

N2 - Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic primitives. But, at the same time they are criticized due to the impossibility of practical instantiation. Programmability is one of the most important features behind the power of Random Oracles. Unfortunately, in the standard hash functions, the feature of programmability is limited. In recent years, there have been endeavors to restrict programmability of random oracles. However, we observe that the existing models allow adaptive programming, that is, the reduction can program the random oracle adaptively in the online phase of the security game depending on the query received from the adversary, and thus are quite far from the standard model.In this paper, we introduce a new feature called non-adaptive programmability of random oracles, where the reduction can program the random oracle only in the pre-processing phase. In particular, it might non-adaptively program the RO by setting a regular function as a post-processor on the oracle output. We call this new model Non-Adaptively-Programmable Random Oracle (NAPRO) and we show that this model is actually equivalent to so-called Non-Programmable Random Oracle (NPRO) introduced by Fischlin et al. [8], hence too restrictive.However, we also propose a slightly stronger model, called Weak-Non-Adaptively-Programmable Random Oracle (WNAPRO), where in addition to non-adaptive programming, the reduction is allowed to adaptively extract some "auxiliary information" from the RO and this "auxiliary information" interestingly plays crucial role in the security proof allowing several important RO proofs to go through! In particular we prove the following results in WNAPRO model.1.RSA-Full-Domain Hash signature scheme (RSA-FDH), and Boneh-Franklin ID-based encryption scheme (BF-IDE) are secure in the WNAPRO model. This is in sharp contrast to strong blackbox proofs of FDH schemes, where full programmability seems to be necessary.2.Shoup's Trapdoor-permutation based Key-encapsulation Mechanism (TDP-KEM) cannot be proven secure via blackbox reduction from ideal trapdoor-permutations in the WNAPRO model.

AB - Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic primitives. But, at the same time they are criticized due to the impossibility of practical instantiation. Programmability is one of the most important features behind the power of Random Oracles. Unfortunately, in the standard hash functions, the feature of programmability is limited. In recent years, there have been endeavors to restrict programmability of random oracles. However, we observe that the existing models allow adaptive programming, that is, the reduction can program the random oracle adaptively in the online phase of the security game depending on the query received from the adversary, and thus are quite far from the standard model.In this paper, we introduce a new feature called non-adaptive programmability of random oracles, where the reduction can program the random oracle only in the pre-processing phase. In particular, it might non-adaptively program the RO by setting a regular function as a post-processor on the oracle output. We call this new model Non-Adaptively-Programmable Random Oracle (NAPRO) and we show that this model is actually equivalent to so-called Non-Programmable Random Oracle (NPRO) introduced by Fischlin et al. [8], hence too restrictive.However, we also propose a slightly stronger model, called Weak-Non-Adaptively-Programmable Random Oracle (WNAPRO), where in addition to non-adaptive programming, the reduction is allowed to adaptively extract some "auxiliary information" from the RO and this "auxiliary information" interestingly plays crucial role in the security proof allowing several important RO proofs to go through! In particular we prove the following results in WNAPRO model.1.RSA-Full-Domain Hash signature scheme (RSA-FDH), and Boneh-Franklin ID-based encryption scheme (BF-IDE) are secure in the WNAPRO model. This is in sharp contrast to strong blackbox proofs of FDH schemes, where full programmability seems to be necessary.2.Shoup's Trapdoor-permutation based Key-encapsulation Mechanism (TDP-KEM) cannot be proven secure via blackbox reduction from ideal trapdoor-permutations in the WNAPRO model.

KW - Programmability

KW - Random oracle

KW - RSA-FDH

KW - TDP-KEM

UR - http://www.scopus.com/inward/record.url?scp=84944900898&partnerID=8YFLogxK

U2 - 10.1016/j.tcs.2015.05.026

DO - 10.1016/j.tcs.2015.05.026

M3 - Article

AN - SCOPUS:84944900898

SN - 0304-3975

VL - 592

SP - 97

EP - 114

JO - Theoretical Computer Science

JF - Theoretical Computer Science

ER -

Non-adaptive programmability of random oracle

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this