better than no proof at all. Anyway, it does not seem unreasonable to use
the random oracle model, since that is the only way we know of to justify the
security of ordinary RSA signatures.” 25 That such realpolitik of mathematical
proof has become more or less the norm is attested to by the
significant proportion of conference papers that today justify their results
under the ROM framework. 26
The discussion within the community over the epistemological status
of the ROM implies that the move to frame cryptography within computational
complexity is not without its own paradoxes and problems. Cryptographic
theory and practice remain populated by highly useful objects
eluding mathematical characterization, whose certification is simply a
function of the collective experience of the community. Even within the
provable security framework, proof is a variegated affair: primitives may
be based on the assumption of the computational intractability of several
number-theoretic problems, including integer factorization, RSA, quadratic
residuosity, discrete logarithms over finite groups or elliptic curves, Diffie-
Hellman, and so on. 27 Yet, as Bellare points out, “in the bulk of cases, we
do not know how to compare the assumptions underlying various proofs
of security.” 28 Thus, instead of neatly falling under the single,
all-encompassing model of analytical proof suggested by the “provable security”
label, cryptography exhibits a wide range of modes of persuasion that
cannot be easily ranked. I argue that such a state of affairs does not testify
to some disciplinary methodological shortcomings but rather is inevitable
given the breadth of cryptography's intellectual ambitions and the wide
range of real-world artifacts, protocols, and sign systems it seeks to engage
with.
Indeed, I even suggest the controversy has had beneficial consequences,
insofar as it has provided the occasion for the community's first sustained
discussion of the models that inform its mathematical practices. In fact,
until then, the community had not even recognized its reliance on models,
as articulated by Rogaway:
When you are working within the Random Oracle model, you are working within
a specific model, and a not-so-realistic one at that. What is often not recognized is
that when you are working within the standard model, you are also working within
a specific model, and a not-so-realistic one. The standard model also abstracts away
key aspects of the real world like the fact that real computation takes time, uses
power, and leaks radiation. There is a big gap between the Random Oracle model
and reality (hash functions aren't like random oracles) and there is also a big gap
between the standard model and reality. 29