Cryptography Reference
First, an ideal system is designed in which all parties (including the adversary)
have access to a random function (also known as random oracle).⁷ This ideal
system is then proven to be secure in the sense given earlier.
Second, one replaces the random oracle with a “good” and “appropriately
chosen” cryptographic hash function, such as MD5 or SHA-1, and provides
all parties (again, including the adversary) with a specification of this function.
Consequently, one obtains an implementation of the ideal system in the real
world where random oracles do not exist. Due to its use of random oracles, the
design methodology is commonly referred to as random oracle methodology. It
yields cryptographic systems that are provably secure in the random oracle model.
Unfortunately, it has been shown that it is possible to construct cryptographic
systems that are provably secure in the random oracle model, but that become
insecure whenever the cryptographic hash function used in the protocol (to replace
the random oracle) is specified and nailed down. This theoretical result is worrisome,
and since its publication many researchers have started to think controversially
about the random oracle methodology in general, and the random oracle model in
particular. At least it must be noted that formal analyses in the random oracle model
are not strong security proofs (because of the underlying ideal assumptions about
the randomness properties of the cryptographic hash functions). The random oracle
model is further addressed in Section 13.3. For the purpose of this topic, we don't
consider provable security (with or without the random oracle model) as a security
notion of its own; instead we treat it as a special case of conditional security.
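The two steps of the methodology described above, as an added example that is not from the original text: one hash-based commitment scheme is run first against a lazily sampled random oracle and then against a concrete hash. The commitment scheme, all function names, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class RandomOracle:
    """Ideal world: a lazily sampled random function from bytes to 32 bytes.
    A new input gets a fresh uniform output; a repeated input gets the stored one."""
    def __init__(self, out_len=32):
        self.out_len = out_len
        self.table = {}  # query -> answer; doubles as a log of every query made

    def __call__(self, data: bytes) -> bytes:
        if data not in self.table:
            self.table[data] = secrets.token_bytes(self.out_len)
        return self.table[data]

def sha256_oracle(data: bytes) -> bytes:
    """Real world: a public, fully specified hash (SHA-256 is an assumption here)."""
    return hashlib.sha256(data).digest()

def commit(H, message: bytes):
    """Commit to message under oracle H; returns (commitment, opening nonce)."""
    nonce = secrets.token_bytes(32)
    return H(nonce + message), nonce

def verify(H, commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """Check an opening by recomputing the commitment with the same oracle."""
    return hmac.compare_digest(commitment, H(nonce + message))

def run_protocol(H) -> dict:
    """The scheme code is identical in both worlds; only H is swapped."""
    c, r = commit(H, b"bid: 1200")  # constructed sample message
    return {
        "honest_opening": verify(H, c, r, b"bid: 1200"),
        "altered_opening": verify(H, c, r, b"bid: 9999"),
    }

if __name__ == "__main__":
    ideal = RandomOracle()
    print("ideal:", run_protocol(ideal), "queries logged:", len(ideal.table))
    print("real: ", run_protocol(sha256_oracle))
```

The ideal oracle keeps a table of every query, which a proof in the random oracle model can inspect; the concrete hash offers no such table, which is one reason the proof does not carry over automatically.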
In the past, we have seen many examples in which people have tried to improve
the security of a cryptographic system by keeping secret its design and internal
working principles. This approach is sometimes referred to as “security through
obscurity.” Many of these systems do not work and can be broken trivially.⁸ This
insight has a long tradition in cryptography, and there is a well-known cryptographic
principle—Kerckhoffs' principle⁹—that basically says that a cryptographic system
should be designed so as to be secure when the adversary knows all details of
the system, except for the values explicitly declared to be secret, such as a secret
cryptographic key [12]. We follow this principle in this topic, and hence we only
address cryptosystems for which we can assume that the adversary knows all of the
details of the system.
The design of a secure cryptographic system is a difficult and challenging task.
One can neither rely on intuitions regarding the “typical” state of the environment in
⁷ The notion of a random function is introduced in Section 13.1.
⁸ Note that “security through obscurity” may work well outside the realm of cryptography.
⁹ The principle is named after Auguste Kerckhoffs who lived from 1835 to 1903.