1

In security proofs,

I have seen the random oracle model and the standard model.

If I prove security in the random oracle model, does this mean that if I use SHA-3, assuming sha-3 cannot be broken, that the protocol is secure under sha-3?

Are there any caveats to proving security in the random oracle model and real-life?

WeCanBeFriends
  • 1,303
  • 11
  • 20
  • I realize I just linked you to this in your other question, but does https://crypto.stackexchange.com/a/68298 help? Briefly, there technically exist contrived protocols with high security in the random oracle model and zero security when instantiated with SHA-3, but they are pathological contraptions of complexity-theoretic sleight-of-hand. And of course SHA-3 could go bad like MD5 or SHA-1. In real protocols, random oracle model proofs serve to justify security against attacks other than those exploiting MD5 or SHA-1 going bad. – Squeamish Ossifrage May 31 '19 at 22:27
  • Thank you, your brief explanation about real protocols answers my question – WeCanBeFriends May 31 '19 at 22:37
  • 2
    The main question to ask yourself here is: what does it mean that the protocol is secure under sha-3? A protocol is not secure under a primitive, it is secure under an assumption. So what you really want is that your protocol is secure under some assumption about sha-3. Then the question becomes: which one? – Geoffroy Couteau Jun 03 '19 at 08:14

0 Answers0