# The equivalence of the random oracle model and the ideal cipher model, revisited

@article{Holenstein2011TheEO,
title={The equivalence of the random oracle model and the ideal cipher model, revisited},
author={Thomas Holenstein and Robin K{\"u}nzler and Stefano Tessaro},
journal={ArXiv},
year={2011},
volume={abs/1011.1264}
}
• Published 4 November 2010
• Mathematics, Computer Science
• ArXiv
We consider the cryptographic problem of constructing an invertible random permutation from a public random function (i.e., which can be accessed by the adversary). This goal is formalized by the notion of indifferentiability of Maurer et al. (TCC 2004). This is the natural extension to the public setting of the well-studied problem of building random permutations from random functions, which was first solved by Luby and Rackoff (SIAM J. Comput., '88) using the so-called Feistel construction…
How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction
• Mathematics, Computer Science
Journal of Cryptology
• 2014
This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random function that can be evaluated by all parties in the
How to Construct an Ideal Cipher from a Small Set of Public Permutations
• Computer Science, Mathematics
ASIACRYPT
• 2013
We show how to construct an ideal cipher with n-bit blocks and n-bit keys, i.e. a set of $$2^n$$ public n-bit permutations, from a small constant number of n-bit random public permutations. The
On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks
• Mathematics, Computer Science
EUROCRYPT
• 2015
It is proved that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to $$\mathcal {O} (2^{\frac{n}{2}})$$ queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound.
Optimally Secure Block Ciphers from Ideal Primitives
A generic method to enhance a block cipher, initially only secure as a PRP, to additionally withstand related-key attacks without substantial loss in terms of concrete security.
Indifferentiability Results and Proofs for Some Popular Cryptographic Constructions
A simple yet rigorous proof technique for proving indifferentiability theorems is used, a generalization of the indistinguishability proof technique used by Bernstein in [Ber05] to prove the security of the Cipher Block Chaining (CBC) construction.
On Reducing Cryptographic Assumptions
The main result is the first construction of an ideal cipher that is indifferentiable from a random oracle, which implies that (in a well-defined sense) the random oracle model and the ideal cipher model are equivalent.
On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2011
It is shown that the Feistel construction with six rounds and random round functions is publicly indifferentiable from a random invertible permutation (a result that is not known to hold for full indifferentiability) and that sequential indifferentiability (seq-indifferentiability for short) implies correlation intractability.
On the Impossibility of Basing Public-Coin One-Way Permutations on Trapdoor Permutations
It is shown that there is no black-box construction of a OWP from a TDP, even if the TDP is ideally secure, where, roughly speaking, ideal security of a TDP corresponds to security satisfied by random permutations and thus captures major security notions of TDPs such as one-wayness, claw-freeness, security under correlated inputs, etc.
Beyond-Birthday-Bound Secure Cryptographic Permutations from Ideal Ciphers with Long Keys
• Computer Science
IACR Trans. Symmetric Cryptol.
• 2020
This paper shows that a 5-round version of Coron et al.
On the Impact of Known-Key Attacks on Hash Functions
• Mathematics, Computer Science
ASIACRYPT
• 2015
This work presents and formalizes the weak cipher model, which captures the case where a blockcipher has a certain weakness but is perfectly random otherwise, applies it to the PGV compression functions, the Grøstl compression function (based on two permutations) and the Shrimpton-Stam compression function (based on three permutations), and shows that these designs do not seriously succumb to any differential known-key attack known to date.

## References

On the Relation Between the Ideal Cipher and the Random Oracle Models
• Mathematics, Computer Science
TCC
• 2006
It is shown that the Luby-Rackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honest-but-curious cryptosystem, and result in a similar honest-but-curious cryptosystem in the random oracle model.
The Random Oracle Model and the Ideal Cipher Model Are Equivalent
• Mathematics, Computer Science
CRYPTO
• 2008
This paper shows that the Feistel construction with 6 rounds is enough to obtain an ideal cipher and shows that 5 rounds are insufficient by providing a simple attack, which contrasts with the classical Luby-Rackoff result.
Merkle-Damgård Revisited: How to Construct a Hash Function
• Computer Science
CRYPTO
• 2005
It is shown that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle-Damgård transformation — does not satisfy a new security notion for hash functions, stronger than collision-resistance.
The random oracle methodology, revisited
• Mathematics, Computer Science
JACM
• 2004
There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.
Indistinguishability of Random Systems
• U. Maurer
• Mathematics, Computer Science
EUROCRYPT
• 2002
A general framework for proving the indistinguishability of two random systems is proposed, based on the concept of the equivalence of two systems, conditioned on certain events, and an efficient construction of a quasi-random function is given which can be used as a building block in cryptographic systems based on pseudorandom functions.
• Computer Science, Mathematics
ASIACRYPT
• 2009
A new lemma on the indistinguishability of systems extending Maurer's theory of random systems is proposed, which implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit.
Random oracles are practical: a paradigm for designing efficient protocols
• Computer Science
CCS '93
• 1993
It is argued that the random oracle model, where all parties have access to a public random oracle, provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV
• Mathematics, Computer Science
CRYPTO
• 2002
It is suggested that proving black-box bounds, of the style given here, is a feasible and useful step for understanding the security of any block-cipher-based hash-function construction.
Optimal Asymmetric Encryption
• Computer Science
EUROCRYPT
• 1994
A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
A Design Principle for Hash Functions
Apart from suggesting a generally sound design principle for hash functions, the results give a unified view of several apparently unrelated constructions of hash functions proposed earlier, and suggest changes to other proposed constructions to make a proof of security potentially easier.