Random oracle: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 03:44, 7 September 2024 edit Dimawik (talk \| contribs) Extended confirmed users 2,446 edits →Domain separation: article exists ← Previous edit		Latest revision as of 10:10, 31 July 2025 edit undo 195.52.181.120 (talk) clarified
(7 intermediate revisions by 7 users not shown)
Line 1: {{Short description\|Cryptographic model of a random function}} {{for\|random replies to random questions\|Internet Oracle}} In [[cryptography]], a '''random oracle''' is an [[oracle machine\|oracle]] (a theoretical [[black box (systems)\|black box]]) that responds to every ''unique query'' with a (truly) [[random]] response chosen [[uniform distribution (discrete)\|uniformly]] from its output ___domain. If a query is repeated, it responds the [[Deterministic algorithm \| same way]] every time that query is submitted. Stated differently, a random oracle is a [[mathematical function]] chosen uniformly at random, that is, a function mapping each possible query to a (fixed) random response from its output ___domain. Random oracles first appeared in the context of complexity theory, in which they were used to argue that complexity class separations may face relativization barriers, with the most prominent case being the [[P vs NP problem]], two classes shown in 1981 to be distinct relative to a random oracle [[almost surely]].<ref name="bennett-gill">{{cite journal\|first1=Charles\|last1=Bennett\|first2=John\|last2=Gill\|title= Relative to a Random Oracle A, N^A != NP^A != coNP^A with Probability 1\|journal=SIAM Journal on Computing\|year=1981\|pages=96–113\|doi=10.1137/0210008\|doi-access=free}}</ref> They made their way into cryptography by the publication of [[Mihir Bellare]] and [[Phillip Rogaway]] in 1993, which introduced them as a formal cryptographic model to be used in reduction proofs.<ref name="bellrog">{{cite ~~journal~~book\|first1=Mihir\|last1=Bellare\|author-link=Mihir Bellare\|first2=Phillip\|last2=Rogaway\|~~author-link2~~title=~~Phillip~~Proceedings of the 1st ACM conference on Computer and communications security - CCS '93 ~~Rogaway~~\|~~title~~chapter=Random ~~Oracles~~oracles are ~~Practical~~practical: A ~~Paradigm~~paradigm for ~~Designing~~designing ~~Efficient~~efficient protocols ~~Protocols~~\|~~journal~~author-link2=~~ACM~~Phillip ~~Conference on Computer~~Rogaway ~~and Communications Security~~\|year=1993\|pages=62–73\|doi=10.1145/168588.168596 \|s2cid=3047274 \|doi-access=free\|isbn=0-89791-629-8 }}</ref> They are typically used when the proof cannot be carried out using weaker assumptions on the [[cryptographic hash function]]. A system that is proven secure when every hash function is replaced by a random oracle is described as being secure in the '''random oracle model''', asa ~~opposed~~differentiation tofrom being secure in the [[Standard model (cryptography)\|standard model of cryptography]]. == Applications == Line 23 ⟶ 24: == Domain separation == {{main\|~~___domain~~Domain separation}} A single oracle may be treated as multiple oracles by pre-pending a fixed bit-string to the beginning of each query (e.g., queries formatted as "1\|\|x" or "0\|\|x" can be considered as calls to two separate random oracles, similarly "00\|\|x", "01\|\|x", "10\|\|x" and "11\|\|x" can be used to represent calls to four separate random oracles). This practice is usually called [[___domain separation]]. ''Oracle cloning'' is the re-use of the once-constructed random oracle within the same proof (this in practice corresponds to the multiple uses of the same [[cryptographic hash]] within one algorithm for different purposes).{{sfn\|Bellare\|Davis\|Günther\|2020\|p=3}} Oracle cloning with improper ___domain separation breaks security proofs and can lead to successful attacks.{{sfn\|Bellare\|Davis\|Günther\|2020\|p=4}} == Limitations ==