Content deleted Content added
No edit summary |
No edit summary |
||
Line 3:
When a random oracle is given a query ''x'' it does the following:
*If the oracle has been given the query ''x'' before it responds with the same value it gave the last time.
*If the oracle hasn't been given the query ''x'' before it generates a [[random]] response which has uniform probability of being chosen from anywhere in the [[oracle]]'s output ___domain.
No real hash function can implement a true random oracle. In fact, certain very artificial protocols have been constructed which are proven secure in the random oracle model, but which are trivially insecure when any real hash function is substituted for the random oracle. Nonetheless, for any more natural protocol a proof of security in the random oracle gives very strong evidence that an attack which does not break the other assumptions of the proof, if any (such as the hardness of [[integer factorization]]) must discover some unknown and undesirable property of the hash function used in the protocol to work. Many schemes have been proven secure in the random oracle model, for example [[Optimal_Asymmetric_Encryption_Padding|OAEP]] and [[Probabilistic_Signature_Scheme|PSS]].
| |||