Revision as of 18:39, 19 November 2004 edit Hu (talk \| contribs) Extended confirmed users 14,980 edits m Removed stub template ← Previous edit		Revision as of 01:57, 9 February 2005 edit undo Arvindn (talk \| contribs) Extended confirmed users 4,332 edits you can have unconditionally secure crypto protocols, you know... Next edit →
Line 5: *If the oracle hasn't been given the query ''x'' before it generates a [[random]] response which has uniform probability of being chosen from anywhere in the oracle's output ___domain. No real hash function can implement a true random oracle. In fact, certain very artificial protocols have been constructed which are proven secure in the random oracle model, but which are trivially insecure when any real hash function is substituted for the random oracle. Nonetheless, for any more natural protocol a proof of security in the random oracle gives very strong evidence that an attack which does not break the other assumptions of the proof, if any (such as the hardness of [[integer factorization]]) must discover some unknown and undesirable property of the hash function used in the protocol to work. ==See also==

Random oracle: Difference between revisions