slides - Stanford Crypto Group

More documents

Recommendations

Info

The core problem: Lack of a definition Step 1: Prove security of scheme in the ROM. Step 2: Instantiate HASH via a cryptographic hash function H in an implementation. The instantiated scheme is then secure as long as H behaves “like a random oracle.” The ROM proof does not apply Cryptographers don’t mind to the strong instantiated assumptions. scheme But they like to know exactly what they are assuming. It is not clear what this means. We lack a formal DEFINITION of what it means for a hash function to behave “like a random oracle.” 1/9/13 Bellare, Stanford RWC Workshop 12
Want: Instantiable RO Paradigm Step 1: Prove security of scheme in the ROM Step 2: Instantiate HASH via a cryptographic hash function H in an implementation Step 3: Prove that the instantiated scheme is secure as long as H meets definition X. We cannot hope to find (achievable) X where this works for ALL schemes. But we would like to cover interesting sub-classes of schemes. 1/9/13 Bellare, Stanford RWC Workshop Exploiting the result of Step 1 in a blackbox way! Game-based, falsifiable definition in the standard style. Tells us when an attack on H is successful. 13
Page 1 and 2: Instantiating Random Oracles Mihir
Page 3 and 4: Contributions in brief UCE (Univers
Page 5 and 6: RSA-OAEP [BR94] Theorem: In the ROM
Page 7 and 8: ROM Critiques Step 1: Prove securit
Page 9 and 10: The debate continues … The RO par
Page 11: The core problem: Lack of a definit
Page 15 and 16: Contributions in brief UCE (Univers
Page 17 and 18: UCE x1 x x 2 n S H K H K Y 1 Y 0 :
Page 19 and 20: UCE x1 x x 2 n S H K H K Y 1 Y 0 :
Page 21 and 22: UCE: Formally is UCE-secure if is n
Page 23 and 24: UCE generalizes existing definition
Page 25 and 26: UCE generalizes existing definition
Page 27 and 28: UCE: Features and Limitations Allow
Page 29 and 30: Instantiating EwH ROM EwH D-PKE sch
Page 31 and 32: Why it works Claim 1: S is unpredic
Page 33 and 34: More instantiations in the same vei
Page 35 and 36: Multi-key UCE We also give a defini
Page 37 and 38: KDM-secure encryption [CL01,BRS02]
Page 39 and 40: Strength of UCE Is UCE too ``close
Page 41 and 42: A vision of ROM-based cryptography
Page 43 and 44: UCE hash functions from ``standard

slides - Stanford Crypto Group

Create successful ePaper yourself

Delete template?

Save as template?