Class #7-#9 - Random Oracle Methodology: Why and Why Not.
--------------------------------------------------------

We have seen in the previous term how to build CCA2 semantically secure encryption schemes based on trapdoor functions (via NIZK), as well as based on smooth hash proofs. Namely, we can base schemes on the presumed intractability of factoring integers, the DDH problem, etc. Similarly, we also know how to build digital signature schemes which are secure against CMA based on the existence of one-way functions.

Still, {\it people} often consider these schemes too {\it complicated}. An alternative model in which to design schemes has been proposed, which is called the random-oracle methodology. This name was coined by Bellare and Rogaway.

The idea behind the ROM METHODOLOGY is the following.
--------------

A. Let's ASSUME there exists an oracle H: {0,1}^* \rightarrow {0,1}^k such that

   1. It is PUBLIC: everyone may in unit time get the value of H(x) for any x of their choice.

   2. It is TRULY RANDOM. Namely, it may be modeled as follows. H maintains a list L = {(x_i,y_i) where y_i = H(x_i)}. This list is initially empty. When H receives a request x_i, it searches the list for x_i. If it finds it, it returns y_i. Otherwise, a new y is chosen at random in {0,1}^k and (x_i,y) is stored in L.

B. Then DESIGN a crypto scheme (enc, signature, whatever) assuming H exists, and prove it is secure.

In practice, today people replace H by SHA1 (tomorrow SHA256).

Overall the design methodology then is the following:

   1. Design and prove in the ROM.
   2. Instantiate H with a concrete implementation.
   3. Publish a `provably secure' scheme...

Good questions to ask:
----------------------

Does the design methodology always imply security in the real world? Does it imply security in the real world at least for some applications? Does it imply security in the real world at least for some schemes solving some applications?
In the next 4-5 lectures we will:

First:
------

Show how people (MANY people) design and prove schemes secure in the ROM. Examples of such schemes will include:

 - Enc semantically secure against CCA2, under trapdoor functions (RSA)
 - Digital Signatures secure against CMA, under trapdoor functions (RSA)
 - Hybrid Encryption schemes semantically secure against CCA
 - Methods to convert ID schemes into non-interactive signature schemes

Second:
-------

Show counterexamples to the ROM methodology. Namely, show particular schemes for

 - CCA2 secure Enc,
 - CMA secure signatures,
 - CCA secure hybrid encryption, and
 - ID schemes convertible to digital signature schemes

which, although they are provably secure in the ROM, are provably impossible to instantiate with ANY implementation of the RO in the real world. We will formally define what we mean by `an instantiation'.

Obviously this makes the random oracle model a tad controversial. However, it does not mean that all schemes with random oracles fail (naturally one can take a secure scheme and plant a RO artificially...). For the record, there are saving graces:

 1. Schemes designed with this paradigm in mind are often simpler for humans to code and also more efficient (assuming that implementing H is more efficient). Thus, it is worth investing effort in trying to find an H for which one may PROVE that such a scheme is secure (for those schemes for which this is possible).

 2. At least you have a proof against a certain kind of attack (black-box).

Third:
------

An interesting question to ask is: why can't we take a pseudo-random function, `obfuscate it' and use it as a random oracle? To answer this we will:

 - define what it means to obfuscate a program
 - show that not all programs can be obfuscated

What DOES it mean? We can't obfuscate everything. What DOESN'T it mean? There may be something that we can still obfuscate.
Indeed,

Fourth:
-------

There have been some proposals of real functions which capture some properties that the random oracle has, under various computational assumptions. Notably, the `perfect hash functions' of Canetti, Canetti-Micciancio-Reingold, and Hoeteck Wee, which we will describe. There are several variants of them. These functions may be thought of as obfuscations of point-functions (under computational assumptions): functions which take on a random value at one (secret) location and are 0 everywhere else.

Beware, these `perfect hash functions' are not good realizations for all schemes proved secure with a RO (as we shall prove, some schemes cannot be realized securely in the real world)! However, we will show an example of an encryption scheme which is semantically secure in the ROM, and for which replacing the RO with the perfect hash function will yield a provably secure scheme.

Interesting question:
---------------------

Can you propose a candidate transformation from `ID to SIG' (or any other round reduction technique) and a function which (under whatever complexity assumption) can be proved to make this transformation secure?

Let us begin at the beginning. How do proofs in the ROM work?

I must say that to my taste these proofs are quite disappointing. In a nutshell, these proofs do not only rely on the fact that H gives `random looking' or `unpredictable' values, but on the fact that the adversary in any presumed attack is restricted to learning about the oracle by making {\bf explicit} queries to an {\bf external} oracle. Thus, in the security proof, when we are running the presumed adversary to get a contradiction, we get not only to see all his queries to the external oracle, but also to answer them in a way which is advantageous for the proof (something that clearly cannot happen in the real world). These advantages in proving security clearly do not translate to the real world.
Think of SHA1: we cannot say that the only thing an adversary can do to learn about SHA-1(x) is to actually compute it.

Example 1:
----------

Let us design an encryption scheme (G,E,D) which is CCA2 semantically secure in the ROM. As an initial step we design an encryption scheme (G,E,D) which is semantically secure in the ROM.

We all know the following scheme for sending 1 bit. Let G(1^k): output (f,f^{-1}) where f is a trapdoor function. Output PK = f and SK = f^{-1}. Let E(b,PK): choose r at random in the domain of f, set c = (f(r), B(r) xor b) where B is a hard-core bit for f (e.g. B is the inner product function). In general one can hide log k bits with a hard-core function, but this is it.

Here is the proposal in the ROM. Let H: {0,1}^k \rightarrow \{0,1\}^k.

  G'(1^l): run (pk,sk) = G(1^k). Output pk' = (pk,H) and sk' = sk.
  E'(m,f): choose r at random in the domain of f, set c = (f(r), H(r) xor m).
  D'((a,b),f^{-1}): let r = f^{-1}(a) and m = b xor H(r).

Note: H(r) could actually be even longer than the security parameter k, and thus this works for arbitrarily long messages. Indeed, let's assume |H(r)| = |m| = l > k.

CLAIM: (G',E',D') is semantically secure in the ROM if f is chosen from a trapdoor permutation family.

PROOF: Suppose there exists an adversary A that can find m0,m1 such that on a challenge ciphertext c in E'(m_b), Prob(A(c) = b) > 1/2 + epsilon (probabilities all taken over the choices of G', E', D' and H).

The first observation is that if A never queries H(r), this is impossible, as A would have no information on b. Let Q be the random variable which is 1 if A queries H(r) at some point and 0 otherwise. Then

  Prob(A(c) = b) = Prob(A(c) = b | Q=1) Pr(Q=1) + Prob(A(c) = b | Q=0) Pr(Q=0)
                 = Prob(A(c) = b | Q=1) Pr(Q=1) + 1/2 (1 - Pr(Q=1))
                 = Pr(Q=1) [Prob(A(c) = b | Q=1) - 1/2] + 1/2
                 <= Pr(Q=1) 1/2 + 1/2.

To complete the proof, we need to show that Pr(Q=1), i.e. the probability that the adversary queries H at r, is negligible. This is formally shown as follows. We will construct an algorithm B such that B^A inverts f (and get a contradiction). All this of course WITHOUT USING ANY ORACLE H (in the proof).

B: input f, y in the range of f; output x s.t. f(x) = y.

  0. Let L = empty.
  1. Run adversary algorithm A on PK = f. For any query x that A makes to the oracle, if (x, .) is not in L, then B simply simulates H for A by returning a random l-bit string y_x and putting (x, y_x) in L (if x is already in L, return the stored value).
  2. Finally, A(f) outputs m0,m1 (challenge messages).
  3. Choose a random string c in {0,1}^l and give the challenge ciphertext (y,c) to A.
  4. Run A(f,(y,c)); for every query r made by A to H, check if f(r) = y: if so, output r and halt; otherwise return a random l-bit string (as in step 1).

Note: B gives A a perfect simulation of the real semantic-security game with a true RO, until such a time (if it ever happens) that A asks for r s.t. f(r) = y. Observe that in the real world c = H(r) xor m_b, whereas here in B's execution c was a random string. But as long as A does not query H on r, the value of H(r) is truly random, so choosing c at random is a perfect simulation until A queries H on r (if it does). Finally, B succeeds in inverting f exactly when the random variable Q = 1, namely when A asks for H(r). So, if f is a OWF, algorithm B's probability of inverting is negligible and so is Pr(Q=1), so the above analysis can be completed.

Let's extend this to a scheme which is secure against CCA2 now.
-------------------------------------------------------------

Let's assume F_q is a field, and let's assume that H maps elements from the domain of a trapdoor function to F_q^3. Namely, H(x) = (a,b,c). If the messages are as before of length l >= k, then q = 2^l. Let Mac_{a,b}(m) = am + b. Note that given (m, Mac_{a,b}(m)), the probability of an all-powerful adversary finding (m',t') with m' != m such that t' = Mac_{a,b}(m') is negligible (information theoretically).

Here is the scheme.

  G: as before.
  E(f,m): choose r at random in {0,1}^k. Let H(r) = (a,b,c) in F_q^3. Output (f(r), c+m, Mac_{a,b}(c+m)).
  D(f^{-1},(y,p,t)): let r = f^{-1}(y). Let (a,b,c) = H(r).
If Mac_{a,b}(p) = t output m = c - p, else reject.

Claim:
------
This scheme is semantically secure against CCA2 attacks in the ROM.

Proof:
------
(This time we will bound the probability of success of the adversary in terms of the number q_d of queries he asks of the decryption oracle and the size q of the finite field above.)

Again let A be the adversary. This time, he can ask for values of the oracle H on x of his choice, and he can also ask for the result of D on (y_i,p_i,t_i) of his choice. After asking questions, he chooses m0,m1 and receives a challenge ciphertext. Let r be the random value used to construct the challenge ciphertext (y,p,t). Namely y = f(r). Let's define H(r) = (a*,b*,c*).

Let Q be the event that A asks for the value of H on r. Let D be the event that A asks for the decryption of a ciphertext (y,p',t') where y is the same as in the challenge, t' = a*p' + b*, and (p',t') != (p,t). Clearly, A can only gain information about m_b if either Q or D takes place. So, in a similar way to how we argued before,

  Prob(A(y,p,t) = m_b) <= 1/2 + 1/2 Prob(Q or D).

Observations:

 - While A does not ask for H(r), the only information A has about (a*,b*) is that Mac_{a*,b*}(p) = t, which implies that Prob(D = 1, as long as A didn't ask for H(r)) <= 1/q < 1/2^k by our choice of q.

So, let's define:

  Q_1: the event that A asks for H(r) first (i.e. before D occurs).
  D_1: the event that A asks for (y,p',t') such that a*p' + b* = t' first.

By the above, Prob(D_1) < (1/q) q_d (with q_d the number of queries to the decryption oracle). We then get that

  Prob(A(y,p,t) = m_b) <= 1/2 + 1/2 Prob(Q_1) + 1/2 Prob(D_1) <= 1/2 + 1/2 (1/q) q_d + 1/2 Prob(Q_1).

Now we just need to bound Prob(Q_1). For this, construct an algorithm B to invert f which uses A as a subroutine.

B: input f, y; output r s.t. f(r) = y.

Maintain 2 lists:

  S_H of (r,a,b,c) s.t. H(r) = (a,b,c);
  S_Y of (y,a,b,c) s.t. H(f^{-1}(y)) = (a,b,c).

Start with both lists empty and run A:

 - If A asks query r_i to H, answer with a random triplet (a_i,b_i,c_i) in F_q^3 and store (r_i,a_i,b_i,c_i) in the list S_H, except when f(r_i) = y: then output r_i and halt.
 - If A asks decryption query (y_i,p_i,t_i): if y_i = y, halt; if there is an (r_i,a_i,b_i,c_i) in S_H s.t. f(r_i) = y_i, answer according to it; if y_i is already in S_Y, answer according to it; otherwise choose a random (a,b,c) in F_q^3, decrypt using it, and store (y_i,a,b,c) in S_Y.

Finally, say A outputs m0,m1; choose p,t in F_q at random and give A the challenge ciphertext (y,p,t). Run A, answering queries as above, until it halts.

Note now that B succeeds in inverting f when A asks query r_i = r (provided it hasn't halted yet, which happens if it asked y_i = y before). Namely, when Q_1 = 1. The simulation is perfect until Q = 1 or D = 1, i.e. until Q_1 = 1. Finally note that if Prob(B succeeds) is negligible, this means that Prob(Q_1 = 1) is negligible.

Example 2: Signatures in the random oracle model (FDH).
-------------------------------------------------------

Suppose families of trapdoor permutations exist. Then we can define the following digital signature scheme (G,Sign,Verify) in the random oracle model, which is called FDH (full domain hash). Let G(1^k) choose a pair of a function and its trapdoor (f,f^{-1}) and set Vk = f and Sk = f^{-1}, where Vk stands for the verifying key and Sk stands for the signing key. Let H denote the random oracle, H: {0,1}^* --> Domain of f.

  Sign(f^{-1},m): output f^{-1}(H(m)).
  Verify(f,m,s): if f(s) = H(m) then output TRUE, else output FALSE.

Claim:
------
If there exist families of trapdoor permutations then FDH is existentially secure against CMA in the random oracle model.

Pf: Suppose not. Then there exists a PPT adversary A such that under CMA, A finds a forgery (m, f^{-1}(H(m))) with probability epsilon. A(Vk) may ask, before the forgery, 2 types of queries:

  Type 1: ask for the value of H on m_i.
  Type 2: ask for the value of Sign on m_i.
We will assume wlog that

 - for all Type 2 queries m_i, A first asks the Type 1 query on m_i,
 - prior to A outputting a forgery of message m, it asked for the value of H(m),
 - A never asks H the same query twice.

We now present an algorithm I for inverting a random trapdoor permutation on a random element in its domain. I will use A as a subroutine, and we will show that the probability of I's success is epsilon/2q_H, where q_H is an upper bound on the number of Type 1 queries that A asks.

I: input f, y; output f^{-1}(y) or fail.

  1. Let Vk = f and run A(Vk).
  2. Choose at random an index 1 <= j <= q_H, and initialize the list L_H to be empty.
  3. On Type 1 query m_i: if i != j, choose a random x_i in the domain of f, output y_i = f(x_i), and let L_H = L_H U {(m_i,x_i)}. If i = j, output y.
  4. On Type 2 query m_i: if i != j, look up (m_i,x_i) in L_H and answer x_i. If i = j, output fail and abort.
  5. Finally A outputs a forgery (m,s). If m = m_j, output s, else output fail and abort.

First observe that until an abort happens, the simulation of A's run is perfectly equal to what happens when A runs with a random oracle. So the probability of getting through the simulation without aborting is the probability that A forges the signature of the j-th message. Since j is chosen at random, for any strategy of the adversary (in choosing which message to forge) the probability that A forges the signature of the j-th message is epsilon/q_H. QED.

It turns out that if you choose the RSA trapdoor permutation family (or any one which is random self-reducible...) you could show an inversion algorithm I whose success probability is epsilon/q_S.

From Random Oracle to Real World
--------------------------------

What does it mean to instantiate the random oracle in the real world?

Interpretation 1: Replace H by one fixed function f defined on {0,1}^*.
----------------

Let f be the fixed function. Show a signature scheme (or an encryption scheme) such that the scheme is secure in the ROM but not once H is replaced by f.
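The schemes of Examples 1 and 2 above as runnable code. This is an example added to these notes, not code from them: the oracle is the list-based random oracle of A.2 (with a transcript of queries, the view a proof gets to see), the trapdoor permutation is a toy RSA modulus with constructed, insecure parameters, the field F_q with q = 2^l is GF(2^8) under the AES polynomial, and all names (keygen, enc_sem, enc_cca, fdh_sign, ...) are this example's own choices.

```python
"""Example 1 (semantic and CCA2 ROM encryption) and Example 2 (FDH) over a toy
trapdoor permutation. Added illustration; parameters are constructed and insecure."""
import secrets

L_BITS = 8                                     # message length l; q = 2^l, so F_q = GF(2^8)
P_TOY, Q_TOY, E_TOY = 61, 53, 17               # constructed toy RSA primes (assumption)
N_TOY = P_TOY * Q_TOY                          # 3233
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))

def keygen():                                  # G(1^k): pk = f, sk = f^{-1}
    return (N_TOY, E_TOY), (N_TOY, D_TOY)

def f(pk, x):                                  # the trapdoor permutation on Z_n
    n, e = pk
    return pow(x, e, n)

def f_inv(sk, y):                              # its inverse, using the trapdoor d
    n, d = sk
    return pow(y, d, n)

class RandomOracle:
    """The oracle of A.2: a list L of (x, y) pairs, fresh random y for each new x."""
    def __init__(self, sample):
        self.sample, self.L, self.queries = sample, {}, []   # queries = transcript seen by a reduction
    def __call__(self, x):
        self.queries.append(x)
        if x not in self.L:
            self.L[x] = self.sample()
        return self.L[x]

# --- semantically secure scheme: E'(m, f) = (f(r), H(r) xor m) with |H(r)| = |m| = l ---
def enc_sem(H, pk, m):
    r = secrets.randbelow(N_TOY)
    return f(pk, r), H(r) ^ m

def dec_sem(H, sk, ct):
    y, b = ct
    return b ^ H(f_inv(sk, y))

# --- CCA2 scheme: H(r) = (a, b, c) in F_q^3, output (f(r), c + m, Mac_{a,b}(c + m)) ---
def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
    return p

def mac(a, b, m):                              # Mac_{a,b}(m) = a*m + b, a one-time MAC in F_q
    return gf_mul(a, m) ^ b

def split3(v):                                 # view a 3l-bit oracle output as (a, b, c) in F_q^3
    return (v >> 2 * L_BITS) & 0xFF, (v >> L_BITS) & 0xFF, v & 0xFF

def enc_cca(H3, pk, m):
    r = secrets.randbelow(N_TOY)
    a, b, c = split3(H3(r))
    p = c ^ m                                  # c + m in characteristic 2 is xor
    return f(pk, r), p, mac(a, b, p)

def dec_cca(H3, sk, ct):
    y, p, t = ct
    a, b, c = split3(H3(f_inv(sk, y)))
    if mac(a, b, p) != t:                      # tag check: reject anything but an honest ciphertext
        return None
    return c ^ p                               # m = c - p (equal to p - c in characteristic 2)

# --- FDH: Sign(f^{-1}, m) = f^{-1}(H(m)), with H mapping into the domain of f ---
def fdh_sign(Hd, sk, m):
    return f_inv(sk, Hd(m))

def fdh_verify(Hd, pk, m, s):
    return f(pk, s) == Hd(m)

def demo():
    pk, sk = keygen()
    H = RandomOracle(lambda: secrets.randbits(L_BITS))
    H3 = RandomOracle(lambda: secrets.randbits(3 * L_BITS))
    Hd = RandomOracle(lambda: secrets.randbelow(N_TOY))
    m = 0x5A
    y, p, t = ct = enc_cca(H3, pk, m)
    sig = fdh_sign(Hd, sk, b"hello")
    return {
        "sem_roundtrip": dec_sem(H, sk, enc_sem(H, pk, m)) == m,
        "cca_roundtrip": dec_cca(H3, sk, ct) == m,
        "cca_tampered_tag_rejected": dec_cca(H3, sk, (y, p, t ^ 1)) is None,
        "fdh_valid": fdh_verify(Hd, pk, b"hello", sig),
        "fdh_wrong_sig_rejected": not fdh_verify(Hd, pk, b"hello", (sig + 1) % N_TOY),
        "same_r_in_transcript": H3.queries[0] == H3.queries[1],   # encryptor and decryptor query the same r
    }

if __name__ == "__main__":
    print(demo())
```

The transcript kept in `queries` is what the reductions B above exploit: every H(r) an adversary asks for is visible to the simulator, which is exactly the property a concrete hash function does not offer.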
Interpretation 2:
-----------------

Replace H by a family of functions F such that at setup time, a random f in F is chosen. Namely, the order of quantifiers is: first fix the cryptographic scheme in the ROM, then choose a random function in F and give its code to all the users to use instead of H when implementing the cryptographic scheme.

Interpretation 3 (Silvio):
--------------------------

Replace H by a family of functions as above, except make the requirement that the description of the function H is bigger than the `relevant input' size made to the cryptographic application. What may these `relevant inputs' be? Say, by example:

 - if the cryptographic application is SIGNATURES, then the relevant input is the message, and thus we require |H| > |message|.
 - if the cryptographic application is ENCRYPTION secure against CMA, then the relevant input is the max(message size, ciphertext size).
 - if the cryptographic application is an INTERACTIVE PROTOCOL, then the relevant input is the total size of the verifier's messages.

Intuition: one can use CS proofs to show that a counterexample to interpretation 2 also implies a counterexample to interpretation 3.

FACT 0: There exist cryptographic applications (SIGN/ENCRYPTION) which are secure in the ROM (if one-way functions/trapdoor permutations exist), but which cannot be instantiated in the real world (under interpretation 1) by any fixed function.

FACT 1: If any secure signature scheme exists, then there exists a SIGNATURE scheme which is provably secure in the ROM and yet (under interpretation 2) cannot be instantiated in the real world by any family of functions.

PF: Take any secure signature scheme in the random oracle world (KeyGen, Sign, Verify). Modify it to obtain (KeyGen, Sign', Verify) where Sign'(sk,M) is as follows. Let k be the security parameter.

  1. Parse M as a program P followed by 1^s. If it doesn't parse this way, just run Sign(sk,M).
  2. Let t = |P| (the size of P).
  3. Run P(i) for i = 1,...,2t+k (each time running P(i) for s steps; if it doesn't halt within this number of steps, take its output to be 0). If there exists an i such that P(i) != H(i), where H is the random oracle, then run Sign(sk,M); else output the secret key sk.

Note 1:
-------
The modified scheme is secure in the ROM iff the original signature scheme was secure in the random oracle model, since

  Prob(there exists a program P s.t. P(i) = H(i) for i = 1,...,2|P|+k)
    = SUM_{t=1}^{infinity} Prob(there exists a program P of size t s.t. P(i) = H(i) for i = 1,...,2t+k)
    <= SUM_t SUM_{all programs P of size t} Prob_H(P(i) = H(i) for i = 1,...,2t+k)
    <= SUM_t 2^t 2^{-(2t+k)}
    = (1/2^k) SUM_t (1/2^t),

which converges to 1/2^k.

Note 2:
-------
When H is implemented by a family of functions, then indeed just feed to the chosen message attack a message M that parses as a program P computing H.

FACT 2: If any secure encryption scheme exists, then there exists an ENCRYPTION scheme which is provably secure in the ROM and yet (under interpretation 2) cannot be instantiated in the real world by any family of functions.

Pf: Same idea as before. Take (KeyGen, Enc, Dec). Modify the Enc algorithm to Enc': parse M etc. (as above), and if P(i) = H(i) for all i = 1,...,2|P|+k (having run s steps) then output (1,M), otherwise output Enc(M). Modify the Dec algorithm to Dec'(c): if c = (1,M), parse M as above and again if P(i) = H(i) for all i = 1,...,2|P|+k (having run s steps), output the secret decryption key dk.

NEXT TIME:
----------

FACT 3: If any secure ID scheme exists, then there exists a secure ID scheme for which the Fiat-Shamir methodology fails to transform it into a secure SIGNATURE scheme in the real world (under interpretations 2 and 3) by any family of functions.
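The Sign' of FACT 1 (and the same test used by Enc'/Dec' in FACT 2) as runnable Python, an example added here and not the notes' own construction. The base scheme is FDH over a constructed toy RSA modulus, the family that instantiates H under interpretation 2 is H_key(i) = SHA-256(key || i) truncated to k bytes, the separator byte used to parse M as P followed by 1^s, the counting of "steps" as Python line events via sys.settrace, and every name below are this example's assumptions. It shows the two worlds side by side: with a true (lazily sampled) random oracle the check fails and Sign' behaves like Sign, while with H replaced by a family member whose code every user holds, the message M = (code of H_key, 1^s) makes Sign' hand out sk.

```python
"""Sign' of FACT 1: leak sk iff the message carries a program agreeing with H on 1..2|P|+k.
Added illustration with constructed toy parameters; not the notes' own code."""
import hashlib
import secrets
import sys

K_BYTES = 4                                   # security parameter k, counted in bytes here (assumption)
N_TOY, E_TOY, D_TOY = 3233, 17, 2753          # constructed toy RSA modulus; the signing key is D_TOY
SEP = b"\x00"                                 # M parses as  P || SEP || 1^s  (assumed encoding)

def base_sign(sk, H, M):
    """The original scheme Sign(sk, M): FDH, f^{-1}(H(M)) with H(M) reduced into Z_n."""
    return pow(int.from_bytes(H(M), "big") % N_TOY, sk, N_TOY)

def random_oracle():
    """A true random oracle as in A.2: fresh K_BYTES for every new input, remembered in a table."""
    table = {}
    def H(x):
        if x not in table:
            table[x] = secrets.token_bytes(K_BYTES)
        return table[x]
    return H

def member_of_family(key: bytes):
    """One member H_key of a concrete function family, plus the source code describing it
    (under interpretation 2 that code is handed to every user, the adversary included)."""
    src = (
        "def P(i):\n"
        "    import hashlib\n"
        f"    data = bytes.fromhex('{key.hex()}') + (i if isinstance(i, bytes) else i.to_bytes(8, 'big'))\n"
        f"    return hashlib.sha256(data).digest()[:{K_BYTES}]\n"
    )
    ns = {}
    exec(src, ns)
    return ns["P"], src.encode()

class _StepLimit(Exception):
    pass

def run_bounded(src: bytes, i: int, s: int):
    """Run program P (Python source defining P) on input i for at most s line-steps; 0 if it
    does not halt in time or fails. The step budget is enforced with a trace function."""
    ns = {}
    try:
        exec(src.decode(), ns)
    except Exception:
        return 0
    steps = 0
    def tracer(frame, event, arg):
        nonlocal steps
        if event == "line":
            steps += 1
            if steps > s:
                raise _StepLimit
        return tracer
    sys.settrace(tracer)
    try:
        return ns["P"](i)
    except Exception:                         # _StepLimit or any runtime error in P
        return 0
    finally:
        sys.settrace(None)

def sign_prime(sk, H, M: bytes, k: int = K_BYTES):
    """Sign'(sk, M) of FACT 1. H is whatever plays the random oracle in the current world."""
    if SEP not in M:
        return base_sign(sk, H, M)            # step 1: M is not of the form P || 1^s
    src, ones = M.split(SEP, 1)
    if not src or ones != b"1" * len(ones):
        return base_sign(sk, H, M)
    s, t = len(ones), len(src)                # step 2: t = |P|
    for i in range(1, 2 * t + k + 1):         # step 3: compare P(i) with H(i) for i = 1..2t+k
        if run_bounded(src, i, s) != H(i):
            return base_sign(sk, H, M)        # some disagreement: sign normally
    return ("SECRET KEY", sk)                 # P computes H on every checked point: give away sk

def demo():
    sk = D_TOY
    H_key, src = member_of_family(b"constructed-family-key")
    M = src + SEP + b"1" * 1000
    return {
        "family_leaks_sk": sign_prime(sk, H_key, M) == ("SECRET KEY", sk),
        "rom_just_signs": isinstance(sign_prime(sk, random_oracle(), M), int),
        "too_few_steps_just_signs": isinstance(sign_prime(sk, H_key, src + SEP + b"1"), int),
        "plain_message_unchanged": sign_prime(sk, H_key, b"plain") == base_sign(sk, H_key, b"plain"),
    }

if __name__ == "__main__":
    print(demo())
```

In the random-oracle world the loop almost surely stops at i = 1, since H(1) is a fresh random value no short program predicts; Note 1's bound 1/2^k is exactly the probability that any program survives all 2t+k comparisons. Once H is a family member, the adversary knows its code and can make the comparisons succeed by construction.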
COROLLARY 3: If any secure signature scheme exists, then there exists a SIGNATURE scheme which is provably secure in the ROM and yet (under interpretation 3) cannot be instantiated in the real world by any family of functions.

FACT 4: There is a TASK (not a scheme) which under CDH can be implemented in the ROM but cannot be instantiated in the real world (under interpretation 2) by any family of functions. The task is `key-verifiable, ciphertext-verifiable CCA2 secure hybrid encryption'. That's a mouthful... What does it mean?

OBFUSCATION !!!