Revision as of 10:10, 19 November 2004 edit Matt Crypto (talk \| contribs) 23,089 edits m External lnks, I think ← Previous edit		Revision as of 18:21, 19 November 2004 edit undo 217.95.33.183 (talk) No edit summary Next edit →
Line 1: A '''random oracle''' is a theoretical model of a perfect [[cryptographic hash function]]. It is used in proofs that indicate that [[cryptography\|cryptographic]] systems or protocols are secure by showing that an attacker must either consider how the hash function works, or solve some other problem believed hard, in order to break the protocol. When a random oracle is given a query ''x'' it does the following,: If the oracle has been given the query ''x'' before it responds with the same value it gave the last time. If the oracle hasn't been given the query ''x'' before it generates a [[random]] response which has uniform probability of being chosen from anywhere in the oracle's output ___domain. No real hash function can ~~implements~~implement a true random oracle. In fact, certain very artificial protocols have been constructed which are proven secure in the random oracle model, but which are trivially insecure when any real hash function is substituted for the random oracle. Nonetheless, for any more natural protocol a proof of security in the random oracle gives very strong evidence that an attack which does not break the other assumptions of the proof (such as the hardness of [[integer factorization]]) must discover some unknown and undesirable property of the hash function used in the protocol to work. ==See also==

Random oracle: Difference between revisions