[Resource Topic] 2015/140: The Random Oracle Model: A Twenty-Year Retrospective

Welcome to the resource topic for 2015/140

Title:
The Random Oracle Model: A Twenty-Year Retrospective

Authors: Neal Koblitz, Alfred Menezes

Abstract:

It has been roughly two decades since the random oracle model for security reductions was introduced and one decade since we first discussed the controversy that had arisen concerning its use. In this retrospective we argue that there is no evidence that the need for the random oracle assumption in a proof indicates the presence of a real-world security weakness in the corresponding protocol. We give several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses that were not present in the original ones whose proofs required random oracles. We also argue that the willingness to use random oracles gives one the flexibility to modify certain protocols so as to reduce dependence on potentially vulnerable pseudorandom bit generators. Finally, we discuss a modified version of ECDSA, which we call ECDSA+, that may have better real-world security than standard ECDSA, and compare it with a modified Schnorr signature. If one is willing to use the random oracle model (and the analogous generic group model), then various security reductions are known for these two schemes. If one shuns these models, then no provable security result is known for them.

ePrint: https://eprint.iacr.org/2015/140

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .