Revision as of 11:32, 30 October 2004 edit Matt Crypto (talk \| contribs) 23,089 edits m ref2 ← Previous edit		Revision as of 23:21, 10 November 2004 edit undo Ciphergoth2 (talk \| contribs) 186 edits Try to get across the real "meat" of what the random oracle model is all about. Next edit →
Line 1: A '''random oracle''' is a theoretical model of a perfect [[cryptographic hash function]]. ~~Although~~ ~~not~~It is used in ~~practice,~~proofs itthat isindicate ~~often~~that ~~used~~[[cryptography\|cryptographic]] tosystems ~~build~~or aprotocols ~~'random~~are ~~oracle~~secure ~~model'~~by inshowing ~~theoretical~~that ~~[[cryptography]]~~an ~~papers~~attacker asmust ~~part~~either ofconsider ~~attempts~~how tothe ~~prove~~hash ~~the~~function ~~security~~works, ofor asolve ~~cryptographic~~some other problem believed hard, in order to break the ~~system~~protocol. When a random oracle is given a query ''x'' it does the following, If the oracle has been given the query ''x'' before it responds with the same value it gave the last time. If the oracle hasn't been given the query ''x'' before it generates a [[random]] response which has uniform probability of being chosen from anywhere in the oracle's output ___domain. No real hash function can implements a true random oracle. In fact, certain very artificial protocols have been constructed which are proven secure in the random oracle model, but which are trivially insecure when any real hash function is substituted for the random oracle. Nonetheless, for any more natural protocol a proof of security in the random oracle gives very strong evidence that an attack which does not break the other assumptions of the proof (such as the hardness of [[integer factorization]]) must discover some unknown and undesirable property of the hash function used in the protocol to work. ==See also==

Random oracle: Difference between revisions