The Random Oracle Model and the Ideal Cipher Model Are Equivalent
نویسندگان
چکیده
The Random Oracle Model and the Ideal Cipher Model are two well known idealised models of computation for proving the security of cryptosystems. At Crypto 2005, Coron et al. showed that security in the random oracle model implies security in the ideal cipher model; namely they showed that a random oracle can be replaced by a block cipher-based construction, and the resulting scheme remains secure in the ideal cipher model. The other direction was left as an open problem, i.e. constructing an ideal cipher from a random oracle. In this paper we solve this open problem and show that the Feistel construction with 6 rounds is enough to obtain an ideal cipher; we also show that 5 rounds are insufficient by providing a simple attack. This contrasts with the classical Luby-Rackoff result that 4 rounds are necessary and sufficient to obtain a (strong) pseudo-random permutation from a pseudo-random function.
منابع مشابه
On the Relation Between the Ideal Cipher and the Random Oracle Models
The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, ...
متن کاملShort Signatures with Message Recovery in the Random Oracle Model
Granboulan [4] proposed the signature scheme in the ideal cipher model named OPSSR that achieves the lower bound for message expansion. In this paper, we propose a scheme which can give the security equivalent to that of OPSSR in the random permutation model that is weaker than the ideal cipher model. We also show exact security proof. We extend our scheme to the multi key setting. By the resul...
متن کاملNotes in Computer Science 5157
The Random Oracle Model and the Ideal Cipher Model are two well known idealised models of computation for proving the security of cryptosystems. At Crypto 2005, Coron et al. showed that security in the random oracle model implies security in the ideal cipher model; namely they showed that a random oracle can be replaced by a block cipher-based construction, and the resulting scheme remains secu...
متن کاملSome Plausible Constructions of Double-Block-Length Hash Functions
In this article, it is discussed how to construct a compression function with 2n-bit output using a component function with n-bit output. The component function is either a smaller compression function or a block cipher. Some constructions are presented which compose collision-resistant hash functions: Any collision-finding attack on them is at most as efficient as a birthday attack in the rand...
متن کاملA Domain Extender for the Ideal Cipher
We describe the first domain extender for ideal ciphers, i.e. we show a construction that is indifferentiable from a 2n-bit ideal cipher, given a n-bit ideal cipher. Our construction is based on a 3round Feistel, and is more efficient than first building a n-bit random oracle from a n-bit ideal cipher (as in [6]) and then a 2n-bit ideal cipher from a n-bit random oracle (as in [7], using a 6-ro...
متن کامل