I'm trying to understand exactly how the random oracle model differs from the standard model. In many proofs & applications there are some assumptions that some randomness is sampled (i.e. a bit $b \leftarrow\{0,1\}$).

My question is: given the ability to sample a single bit at random, can't we use that to construct a random oracle? Suppose we want to simulate a random function $H:\{0,1\}^m \rightarrow \{0,1\}^n$. Just sample $n$ bits for the output, and keep a log so that all future queries are consistent.

Ella Rose
Andy Dienes
  • The ‘random oracle model’ is not so much a model for a hash function, but more of a model for how adversaries are structured: in terms of an oracle for a hash function. Does https://crypto.stackexchange.com/a/68298 help? – Squeamish Ossifrage Nov 08 '19 at 02:22
  • I may not have phrased my question precisely. Basically I mean why do we get to sample elements from a set uniformly at random in the standard model of computation? As in, where does the randomness 'come from' if not a random oracle? It seems to me that with the ability to sample a single bit comes the ability to simulate a random oracle. – Andy Dienes Nov 08 '19 at 02:28
  • @AndyDienes ‘Security in the random oracle model’ or ‘ROM theorems’ are about transforming (say) a signature forger which takes as a parameter an oracle for the hash function, into an algorithm that (say) computes discrete logs, by constructing a specially crafted hash function that (a) has the correct distribution, but (b) does the bookkeeping to extract a discrete log out of whatever magic it is the forger is doing. That's why I say it's a model for adversaries more than just a model for hash functions. Did you try reading the answer I linked? – Squeamish Ossifrage Nov 08 '19 at 02:41
  • For example, consider RSA-FDH with MD5 (with $\operatorname{MD5}(m)$ expanded into a full domain however you like). A signature is a bit string representing an integer $s$ such that $s^3 \equiv H(m) \pmod n$. A forger that is generic in terms of the hash function $H$ can be turned into an algorithm for computing cube roots modulo $n$ by feeding it a specially crafted hash function. But there's a forger that works without computing cube roots modulo $n$—instead, it exploits a collision in MD5. So it only works when the hash function is actually MD5—this forger is not a ROM adversary. – Squeamish Ossifrage Nov 08 '19 at 02:45
  • 1
    @SqueamishOssifrage Ok, but drop all notions of adversarial models, security, and hash functions. On a very basic level, it seems to me that "access to a random bit" implies "access to a random function." I don't understand how some probabilistic Turing machine $\mathcal{A}$ is existentially different from $\mathcal{A}^H$ given access to a random function. – Andy Dienes Nov 08 '19 at 02:56
  • The point of the random oracle model is that it's about modeling adversaries against cryptosystems with hash functions. Take away reductions about adversaries and hash functions, and there's nothing left. – Squeamish Ossifrage Nov 08 '19 at 02:57
  • (Crucially, of course, the signing oracle to which the adversary has also access uses the same hash oracle internally as we pass to the adversary; in general, everyone has to agree on the hash function, otherwise the signature scheme simply wouldn't work! So it doesn't work to just let the adversary flip coins, and let the signer flip coins, and let anyone else flip coins, because they have to be the same coins for everyone.) – Squeamish Ossifrage Nov 08 '19 at 03:32
  • Ah, that last point makes more sense to me I think? That might mean that for any protocol $\Pi(\mathcal{A}^H, \mathcal{B})$, there is a PPT simulator $\mathcal{A}'$ such that $\Pi(\mathcal{A}', \mathcal{B})$ is statistically equivalent to $\Pi(\mathcal{A}^H, \mathcal{B})$. However, this breaks down when $\mathcal{B}$ also gets $H$, since it has to be the same function. – Andy Dienes Nov 08 '19 at 15:19
  • I'm not sure what $\mathcal B$ is supposed to be, but if you want to play the (say) signature forgery game (EUF-CMA), you can run the adversary $A$ with two oracles: 1. a hash function $H$, which you can implement by flipping coins to fill a book of answers for each request, and 2. a signing oracle $S_H$, which computes signatures using $H$ (e.g., $S_H\colon m \mapsto H(m)^d \bmod n$). The ‘random oracle model’ is that $A$ has exactly that structure—$A(H, S_H)$—and so you can also run $A$ with a specially crafted $H$ (and $S_H$) provided the distribution on $H$ is uniform. – Squeamish Ossifrage Nov 08 '19 at 15:33
  • Specifically, the theorem is: If an adversary is structured as $A(H, S)$, then there is a way to specially craft a hash oracle and signing oracle—which do extra bookkeeping, and swap notes—so that (a) the hash oracle still has uniform distribution and the signing oracle still makes valid signatures, and (b) running the adversary yields enough information in the books kept by the specially crafted oracles to solve some other problem (e.g., computing cube roots modulo $n$). The proof involves the special crafting of the oracles—see https://crypto.stackexchange.com/a/68298 for details. – Squeamish Ossifrage Nov 08 '19 at 15:37
  • The MD5-based forger, of course, doesn't work this way—it only works if you run it as $A(\operatorname{MD5}, S_{\operatorname{MD5}})$, whereas a ROM forger $A(H, S_H)$ works with high probability when $H$ is uniformly distributed. – Squeamish Ossifrage Nov 08 '19 at 15:45
  • I think the core difference between a RO and a random sample is that the same input has to produce the same output. Random sampling does not give you that. And that is the tricky part: If an algorithm is deterministic (only way to ensure the same input is matched to the same output), there cannot be random sampling. The concepts contradict each other. – tylo Nov 10 '19 at 15:42

1 Answer

My question is: given the ability to sample a single bit at random, can't we use that to construct a random oracle? Suppose we want to simulate a random function $H:\{0,1\}^m \rightarrow \{0,1\}^n$. Just sample $n$ bits for the output, and keep a log so that all future queries are consistent.

Sure. You could design a signature scheme where there is a central party—a gnome sitting in a standard box flipping coins—and everyone on the planet has a telephone line directly to the gnome that cannot be intercepted so that everyone gets the same values from the gnome. That's not a particularly practical way to design a cryptosystem—we might like to be able to sign and verify messages offline, for example—but more importantly, it's not really what the random oracle model is about.

The random oracle model is not just a model for hash functions, but a model for adversaries. Let's take an example: in the signature game EUF-CMA—existential unforgeability under chosen-message attack—an adversary $A$ is by definition a random algorithm with access to a signing oracle and a public key: $A(S, \mathit{pk})$. The adversary wins if they can find any $(m, \sigma)$ pair that passes signature verification for any message $m$ they did not pass to the signing oracle $S$. This is sometimes called the ‘standard model’.

In the random oracle model, we consider a family of signature schemes indexed by a uniform random choice of function $H$. To make it clear that it depends on the hash function, we might label the signing oracle $S_H$. For example, in RSA-FDH signature, a public key is a large integer $n$ and a signature on a message $m$ is an integer $\sigma$ such that $$\sigma^3 \equiv H(m) \pmod n.$$ The signing oracle for a legitimate user is typically defined by $$S_H(m) := H(m)^d \pmod n,$$ where the secret exponent $d$ solves $3d \equiv 1 \pmod{\lambda(n)}$. Then, in the random oracle model, the adversary gets not just a signing oracle and public key as in $A(S, n)$ in the ‘standard model’, but also the hash oracle as in $A(H, S_H, n)$.

A ROM theorem is a statement of the following form:

  • If there is a random algorithm $A(H, S_H, n)$ which, when $H$ is uniformly distributed, returns a forgery with high probability, then there is an algorithm $A'(y, n)$ which, when $y$ is uniformly distributed, returns a cube root of $y$ modulo $n$ with high probability.

The proof of the theorem is a definition of the algorithm $A'$, which constructs a hash oracle and signing oracle that have the correct distribution to fool the forger, but additionally do enough bookkeeping to extract a cube root out of whatever computations the forger does—without using the secret knowledge of $d$ that the legitimate user would have.

Obviously, internally the random algorithm $A'$ will involve flipping coins just like you described, to implement the hash oracle and the signing oracle. See my earlier ROM answer for details of the proof, and for more background, history, and literature references; see also the standard Bellare & Rogaway paper for the original proof of the RSA-FDH theorem in particular.

In other words, the random oracle model is an assumption about how adversaries are structured. Rather than using the somewhat confusing term ‘random oracle model’, some authors prefer to say that the theorem quoted above is simply a theorem about $H$-generic adversaries, meaning adversaries that are defined generically in terms of an arbitrary hash function rather than adversaries that exploit details of a particular hash function like collisions in MD5.

MD5-specific forgers have been exhibited, of course—for example, they figured prominently in an international incident of industrial sabotage by the United States and Israel against Iran—but they do not contradict this theorem, because such forgers only work with extremely low probability when $H$ is uniformly distributed. In other words, if an RSA-FDH signature scheme instantiated with MD5 goes bad, it's not because the fancy math of RSA-FDH went bad—rather, it's because MD5 went bad, and there's a good chance that using SHAKE128 instead will be fine.

Squeamish Ossifrage
  • When the OP requests that you "drop all notions of adversarial models, security, and hash functions," this answer seems the very opposite. – Paul Uszak Nov 08 '19 at 23:50
  • @PaulUszak I addressed the part about sampling bits—how, yes, it obviously is a thing you can do, but it's not really what the random oracle model is about. Satisfied? – Squeamish Ossifrage Nov 09 '19 at 02:45
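The three objects the question and answer talk past each other about can be put side by side in code: the asker's lazily sampled "book of answers" oracle, the answer's RSA-FDH with $e = 3$ where everyone must share the same $H$, and the $A'(y, n)$ reduction that crafts $H$ and $S_H$ to extract a cube root. The following is an added toy example written for this page, not code from the thread or from any library. Its assumptions: the primes 1013 and 1019 are constructed toy parameters, the "coins" come from a seeded `random.Random` so runs are reproducible (a real oracle simulation would use `secrets`), `H` maps byte strings into $\mathbb{Z}_n$ directly as the "full domain however you like", and `forger_with_secret` is a stand-in black box that is secretly handed $d$ only so that it can succeed; the reduction never uses $d$.

```python
"""Toy walk-through of the thread's objects: a lazily sampled random oracle
(the 'book of answers'), RSA-FDH with e = 3, and the A'(y, n) reduction.
Added example, not code from the thread.  The modulus is tiny and the coins
come from a seeded PRNG so that runs are reproducible; nothing here is real
cryptography."""
import math
import random

E = 3  # public exponent in the thread's RSA-FDH example: sigma^3 == H(m) (mod n)


class LazyRandomOracle:
    """H built from coin flips: sample on the first query for m, log the
    answer, replay it on every later query (the asker's construction)."""

    def __init__(self, sample):
        self.sample = sample  # zero-argument function that flips the coins
        self.book = {}

    def __call__(self, m):
        if m not in self.book:
            self.book[m] = self.sample()
        return self.book[m]


def toy_keygen(p=1013, q=1019):
    """n = p*q with gcd(3, lambda(n)) = 1 so that e = 3 is invertible.
    Constructed toy primes, far too small for real use."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
    d = pow(E, -1, lam)                                 # 3*d == 1 (mod lambda(n))
    return n, d


def sign(H, m, d, n):
    """S_H(m) := H(m)^d mod n, the legitimate signer's oracle."""
    return pow(H(m), d, n)


def verify(H, m, sigma, n):
    """Accept iff sigma^3 == H(m) (mod n)."""
    return pow(sigma, E, n) == H(m) % n


def oracle_is_consistent(n, seed=0):
    """Same input, same output: a repeated query hits the log, not fresh coins."""
    rng = random.Random(seed)
    H = LazyRandomOracle(lambda: rng.randrange(n))  # H(m) uniform in Z_n
    first = H(b"hello")
    rng.random()  # unrelated coin flips in between must not disturb the book
    return H(b"hello") == first


def shared_vs_separate_oracles(n, d, m=b"pay 5 coins to bob"):
    """Everyone must use the SAME coins: a verifier holding its own,
    independently sampled oracle computes a different function H, so the
    signature verifies under it only if the two books agree on m."""
    rng1, rng2 = random.Random(1), random.Random(2)
    H_shared = LazyRandomOracle(lambda: rng1.randrange(n))
    H_other = LazyRandomOracle(lambda: rng2.randrange(n))
    sigma = sign(H_shared, m, d, n)
    return {
        "verifies_with_shared_oracle": verify(H_shared, m, sigma, n),
        "verifies_with_other_oracle": verify(H_other, m, sigma, n),
        "books_agree_on_m": H_shared(m) == H_other(m),
    }


def forger_with_secret(H, S, n, d):
    """Stand-in for 'whatever magic the forger is doing'.  It has the
    A(H, S_H, n) shape and only talks to the oracles it is handed.  To make
    it succeed in this toy it is secretly given d; the reduction below never
    looks inside it and never uses d itself."""
    H(b"warm-up")                # a hash query the reduction must answer
    S(b"warm-up")                # a signing query, answered without d
    target = b"forged message"   # never sent to the signing oracle
    return target, pow(H(target), d, n)


def reduction(forger, y, n, forger_secret, max_queries=4):
    """A'(y, n): runs the forger against specially crafted H and S_H that do
    bookkeeping, and returns a cube root of y mod n.  Each attempt guesses
    which fresh hash query is the one the forgery will be made on."""
    for guess in range(1, max_queries + 1):
        rng = random.Random(guess)
        book, roots = {}, {}   # H's answers; roots[m] = r with H(m) = r^3

        def H_crafted(m):
            if m not in book:
                if len(book) + 1 == guess:
                    book[m] = y % n            # plant the challenge here
                else:
                    r = rng.randrange(n)
                    roots[m] = r
                    book[m] = pow(r, E, n)     # x -> x^3 permutes Z_n, so uniform
            return book[m]

        def S_crafted(m):
            H_crafted(m)
            return roots.get(m)  # r is a valid signature; None where y was planted

        _, sigma = forger(H_crafted, S_crafted, n, forger_secret)
        if pow(sigma, E, n) == y % n:
            return sigma
    return None


if __name__ == "__main__":
    n, d = toy_keygen()
    print("consistent:", oracle_is_consistent(n))
    print(shared_vs_separate_oracles(n, d))
    sigma = reduction(forger_with_secret, 12345, n, d)
    print("cube root of 12345 mod", n, "=", sigma, pow(sigma, E, n) == 12345)
```

`shared_vs_separate_oracles` is the comment about "the same coins for everyone" made concrete: the signature is valid under `H_shared` by construction, and under `H_other` exactly when the two independently sampled books happen to agree on `m`. In `reduction`, the crafted hash oracle keeps the uniform distribution (cubing is a permutation of $\mathbb{Z}_n$ because $3$ is invertible modulo $\lambda(n)$) and the crafted signing oracle answers from the same book without ever holding $d$; that shared bookkeeping between the two oracles is what the answer means by "swap notes".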