
In this answer, it is stated

It has actually been shown (by Canetti, Goldreich and Halevi) that random oracles cannot exist "in all generality" in the following sense: it is possible to build pathological signature and asymmetric encryption schemes, which are secure when they internally use a random oracle, but which are insecure whenever an actual computable function is used instead of the mythical gnome-in-the-box.

I tried reading the actual paper but I am quite lost. Is there some intuition/simple example that one can provide for a cryptographic task that is secure if random oracles exist but fails when one uses a computable function instead of the random oracle?

kodlu
user1936752
  • Possible duplicate of https://crypto.stackexchange.com/questions/32978/explanation-of-protocol-secure-under-random-oracle-but-insecure-with-any-hash-fu ? – Mikero Jan 05 '24 at 02:40

1 Answer


I have also not been satisfied with the "classic" counterexamples of random oracle instantiability. I came up with the following for the upcoming version of my book, and am happy to give a sneak preview here.

Consider the following symmetric-key encryption scheme, parameterized by a hash function $H : \{0,1\}^\lambda \to \{0,1\}^\lambda$:

$\textsf{Enc}(K,M)$:

  • $R \gets \{0,1\}^\lambda$
  • interpreting $M$ as the encoding of a boolean circuit, test whether $M(R) = H(R)$
    • if so, set $S = K$
    • else, set $S \gets \{0,1\}^\lambda$
  • encrypt $M$ under CBC mode using $S$ as the IV; output the result.

You can show the following about this encryption scheme:

  • If $H$ is modeled as a random oracle, then the construction is CPA-secure. With overwhelming probability, $\textsf{Enc}$ chooses an $R$ that no one has ever queried to the random oracle, so $H(R)$ is independent of whatever $M(R)$ is. With overwhelming probability, $\textsf{Enc}$ behaves just like random-IV CBC mode, which is CPA-secure.

  • If $H$ is any public, efficiently computable function, then the construction is not CPA-secure (not even one-time secure). The attack is obvious: ask for an encryption where the plaintext is a boolean circuit that implements $H$. The resulting ciphertext will contain the encryption scheme's key.

Mikero
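The scheme and the attack in the answer above, carried out end to end as an added example (this is not Mikero's code and not from his book). Everything concrete here is an assumption made so that it runs offline: $\lambda = 128$; the public hash $H$ is deliberately trivial, $H(x)_i = x_i \oplus x_{(i+1) \bmod \lambda}$, so its circuit is 128 XOR gates (any efficiently computable $H$ has some circuit, only larger); "interpreting $M$ as a boolean circuit" uses a made-up byte format with a `CIRC` header, and a plaintext that does not parse counts as $M(R) \ne H(R)$; the CBC block cipher is a 4-round Feistel network with a SHA-256 round function standing in for AES. The attacker's single chosen plaintext is the circuit for $H$, and the key comes back as the first block of the ciphertext.

```python
# Added example, not part of the original answer. Toy instantiation of the
# pathological scheme with a concrete public H, showing the key leaking as the IV.
import hashlib
import os
import struct

LAMBDA = 128                    # assumption: 128-bit K, R and H outputs
BLOCK = LAMBDA // 8             # 16-byte blocks
MAGIC = b"CIRC"                 # assumed header marking "this plaintext is a circuit"
XOR, AND, OR, NOT = 0, 1, 2, 3  # assumed gate opcodes in the circuit encoding


def bits(b: bytes):
    return [(byte >> (7 - i)) & 1 for byte in b for i in range(8)]


def unbits(bs):
    out = bytearray()
    for i in range(0, len(bs), 8):
        v = 0
        for bit in bs[i:i + 8]:
            v = (v << 1) | bit
        out.append(v)
    return bytes(out)


def H(x: bytes) -> bytes:
    """The public, efficiently computable hash: H(x)_i = x_i XOR x_{(i+1) mod λ}."""
    xb = bits(x)
    return unbits([xb[i] ^ xb[(i + 1) % LAMBDA] for i in range(LAMBDA)])


def encode_circuit(gates) -> bytes:
    """gates: list of (op, a, b). Wires 0..λ-1 are the inputs, gate j writes wire λ+j,
    and the last λ wires are the outputs (assumed format)."""
    body = b"".join(struct.pack(">BHH", op, a, b) for op, a, b in gates)
    return MAGIC + struct.pack(">H", len(gates)) + body


def eval_circuit(m: bytes, r: bytes):
    """Return M(R) if M parses as a circuit, else None (treated as M(R) != H(R))."""
    if not m.startswith(MAGIC) or len(m) < 6:
        return None
    n = struct.unpack(">H", m[4:6])[0]
    if len(m) != 6 + 5 * n:
        return None
    wires = bits(r)
    for j in range(n):
        op, a, b = struct.unpack(">BHH", m[6 + 5 * j:11 + 5 * j])
        if a >= len(wires) or b >= len(wires):
            return None
        if op == XOR:
            wires.append(wires[a] ^ wires[b])
        elif op == AND:
            wires.append(wires[a] & wires[b])
        elif op == OR:
            wires.append(wires[a] | wires[b])
        elif op == NOT:
            wires.append(1 - wires[a])
        else:
            return None
    return unbits(wires[-LAMBDA:])


# Toy block cipher standing in for AES: 4-round Feistel, SHA-256 round function.
def _F(k, rnd, half):
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(k, blk):
    L, R = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        L, R = R, bytes(x ^ y for x, y in zip(L, _F(k, rnd, R)))
    return L + R


def block_decrypt(k, blk):
    L, R = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        L, R = bytes(x ^ y for x, y in zip(R, _F(k, rnd, L))), L
    return L + R


def pad(m):
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def cbc_encrypt(k, iv, m):
    out, prev = [], iv
    for i in range(0, len(m), BLOCK):
        prev = block_encrypt(k, bytes(x ^ y for x, y in zip(m[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)          # ciphertext carries the IV in the clear


def cbc_decrypt(k, c):
    prev, out = c[:BLOCK], []
    for i in range(BLOCK, len(c), BLOCK):
        out.append(bytes(x ^ y for x, y in zip(block_decrypt(k, c[i:i + BLOCK]), prev)))
        prev = c[i:i + BLOCK]
    pt = b"".join(out)
    return pt[:-pt[-1]]


def Enc(K: bytes, M: bytes) -> bytes:
    R = os.urandom(BLOCK)
    S = K if eval_circuit(M, R) == H(R) else os.urandom(BLOCK)  # the pathological step
    return cbc_encrypt(K, S, pad(M))


def circuit_for_H() -> bytes:
    return encode_circuit([(XOR, i, (i + 1) % LAMBDA) for i in range(LAMBDA)])


def attack(enc_oracle) -> bytes:
    """One chosen-plaintext query: encrypt the circuit for H; the IV is then K."""
    return enc_oracle(circuit_for_H())[:BLOCK]


if __name__ == "__main__":
    K = os.urandom(BLOCK)
    print("recovered key matches:", attack(lambda m: Enc(K, m)) == K)
```

For an ordinary plaintext such as `b"attack at dawn"` the parse fails, `S` is a fresh random IV and the output is plain random-IV CBC; only a plaintext that computes `H` on the fresh `R` trips the `S = K` branch, which is exactly what an adversary who knows a circuit for `H` can always supply, and what nobody can supply when `H` is a random oracle.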