# The equivalence of the random oracle model and the ideal cipher model, revisited

@article{Holenstein2011TheEO, title={The equivalence of the random oracle model and the ideal cipher model, revisited}, author={Thomas Holenstein and Robin K{\"u}nzler and Stefano Tessaro}, journal={ArXiv}, year={2011}, volume={abs/1011.1264} }

We consider the cryptographic problem of constructing an invertible random permutation from a public random function (i.e., one which can be accessed by the adversary). This goal is formalized by the notion of indifferentiability of Maurer et al. (TCC 2004). This is the natural extension to the public setting of the well-studied problem of building random permutations from random functions, which was first solved by Luby and Rackoff (SIAM J. Comput., '88) using the so-called Feistel construction…

## 79 Citations

How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction

- Mathematics, Computer Science
- Journal of Cryptology
- 2014

This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random function that can be evaluated by all parties in the…

How to Construct an Ideal Cipher from a Small Set of Public Permutations

- Computer Science, Mathematics
- ASIACRYPT
- 2013

We show how to construct an ideal cipher with n-bit blocks and n-bit keys, i.e. a set of \(2^n\) public n-bit permutations, from a small constant number of n-bit random public permutations. The…

On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks

- Mathematics, Computer Science
- EUROCRYPT
- 2015

It is proved that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to \(\mathcal{O}(2^{\frac{n}{2}})\) queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound.

Optimally Secure Block Ciphers from Ideal Primitives

- Mathematics, Computer Science
- ASIACRYPT
- 2015

A generic method to enhance a block cipher, initially only secure as a PRP, to additionally withstand related-key attacks without substantial loss in terms of concrete security.

Indifferentiability Results and Proofs for Some Popular Cryptographic Constructions

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2014

A simple yet rigorous proof technique for proving indifferentiability theorems is used, a generalization of the indistinguishability proof technique used by Bernstein in [Ber05] to prove the security of the Cipher Block Chaining (CBC) construction.

On Reducing Cryptographic Assumptions

- Computer Science
- 2014

The main result is the first construction of an ideal cipher that is indifferentiable from a random oracle, which implies that (in a well-defined sense) the random oracle model and the ideal cipher model are equivalent.

On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2011

It is shown that the Feistel construction with six rounds and random round functions is publicly indifferentiable from a random invertible permutation (a result that is not known to hold for full indifferentiability) and that sequential indifferentiability (seq-indifferentiability for short) implies correlation intractability.

On the Impossibility of Basing Public-Coin One-Way Permutations on Trapdoor Permutations

- Computer Science
- TCC
- 2014

It is shown that there is no black-box construction of a OWP from a TDP, even if the TDP is ideally secure, where, roughly speaking, ideal security of a TDP corresponds to security satisfied by random permutations and thus captures major security notions of TDPs such as one-wayness, claw-freeness, security under correlated inputs, etc.

Beyond-Birthday-Bound Secure Cryptographic Permutations from Ideal Ciphers with Long Keys

- Computer Science
- IACR Trans. Symmetric Cryptol.
- 2020

This paper shows that a 5-round version of Coron et al.

On the Impact of Known-Key Attacks on Hash Functions

- Mathematics, Computer Science
- ASIACRYPT
- 2015

This work presents and formalizes the weak cipher model, which captures the case where a blockcipher has a certain weakness but is perfectly random otherwise, applies it to the PGV compression functions, the Grøstl compression function (based on two permutations) and the Shrimpton-Stam compression function (based on three permutations), and shows that these designs do not seriously succumb to any differential known-key attack known to date.

## References

SHOWING 1-10 OF 31 REFERENCES

On the Relation Between the Ideal Cipher and the Random Oracle Models

- Mathematics, Computer Science
- TCC
- 2006

It is shown that the Luby-Rackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honest-but-curious cryptosystem, and result in a similar honest-but-curious cryptosystem in the random oracle model.

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

- Mathematics, Computer Science
- CRYPTO
- 2008

This paper shows that the Feistel construction with 6 rounds is enough to obtain an ideal cipher and shows that 5 rounds are insufficient by providing a simple attack, which contrasts with the classical Luby-Rackoff result.

Merkle-Damgård Revisited: How to Construct a Hash Function

- Computer Science
- CRYPTO
- 2005

It is shown that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy a new security notion for hash-functions, stronger than collision-resistance.

The random oracle methodology, revisited

- Mathematics, Computer Science
- JACM
- 2004

There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.

Indistinguishability of Random Systems

- Mathematics, Computer Science
- EUROCRYPT
- 2002

A general framework for proving the indistinguishability of two random systems is proposed, based on the concept of the equivalence of two systems, conditioned on certain events, and an efficient construction of a quasi-random function is given which can be used as a building block in cryptographic systems based on pseudorandom functions.

Cascade Encryption Revisited

- Computer Science, Mathematics
- ASIACRYPT
- 2009

A new lemma on the indistinguishability of systems extending Maurer's theory of random systems is proposed, which implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit.

Random oracles are practical: a paradigm for designing efficient protocols

- Computer Science
- CCS '93
- 1993

It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.

Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV

- Mathematics, Computer Science
- CRYPTO
- 2002

It is suggested that proving black-box bounds, of the style given here, is a feasible and useful step for understanding the security of any block-cipher-based hash-function construction.

Optimal Asymmetric Encryption

- Computer Science
- EUROCRYPT
- 1994

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

A Design Principle for Hash Functions

- Mathematics, Computer Science
- CRYPTO
- 1989

Apart from suggesting a generally sound design principle for hash functions, the results give a unified view of several apparently unrelated constructions of hash functions proposed earlier, and suggest changes to other proposed constructions to make a proof of security potentially easier.