Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Correcting Subverted Random Oracles

Alexander Russell, Qiang Tang, Moti Yung, Hong-Sheng Zhou, Jiadong Zhu

TL;DR

This paper addresses the challenge of subverted random oracles in cryptography, where an adversary corrupts a hash function on a negligible fraction of inputs. It introduces crooked indifferentiability and a simple correction construction using public randomness to transform the subverted oracle into a function indistinguishable from a random oracle, formalized as $ ilde{h}_R(x)= ilde{h}_0igl(igoplus_{i=1}^{ ext{poly}(n)} ilde{h}_i(xoxplus r_i)igr)$ with $ ext{poly}(n)$ terms. The authors prove a replacement theorem: the corrected oracle can replace an unsubverted random oracle in cryptographic constructions, preserving security even under kleptographic subversion. The work has practical impact for defending PoW blockchains, system initialization, and digital signatures against backdoors, and it outlines future directions for extending crooked indifferentiability to larger error tolerances and other primitives.

Abstract

The random oracle methodology has proven to be a powerful tool for designing and reasoning about cryptographic schemes. In this paper, we focus on the basic problem of correcting faulty or adversarially corrupted random oracles, so that they can be confidently applied for such cryptographic purposes. We prove that a simple construction can transform a "subverted" random oracle which disagrees with the original one at a small fraction of inputs into an object that is indifferentiable from a random function, even if the adversary is made aware of all randomness used in the transformation. Our results permit future designers of cryptographic primitives in typical kleptographic settings (i.e., those permitting adversaries that subvert or replace basic cryptographic algorithms) to use random oracles as a trusted black box.

Correcting Subverted Random Oracles

TL;DR

This paper addresses the challenge of subverted random oracles in cryptography, where an adversary corrupts a hash function on a negligible fraction of inputs. It introduces crooked indifferentiability and a simple correction construction using public randomness to transform the subverted oracle into a function indistinguishable from a random oracle, formalized as with terms. The authors prove a replacement theorem: the corrected oracle can replace an unsubverted random oracle in cryptographic constructions, preserving security even under kleptographic subversion. The work has practical impact for defending PoW blockchains, system initialization, and digital signatures against backdoors, and it outlines future directions for extending crooked indifferentiability to larger error tolerances and other primitives.

Abstract

The random oracle methodology has proven to be a powerful tool for designing and reasoning about cryptographic schemes. In this paper, we focus on the basic problem of correcting faulty or adversarially corrupted random oracles, so that they can be confidently applied for such cryptographic purposes. We prove that a simple construction can transform a "subverted" random oracle which disagrees with the original one at a small fraction of inputs into an object that is indifferentiable from a random function, even if the adversary is made aware of all randomness used in the transformation. Our results permit future designers of cryptographic primitives in typical kleptographic settings (i.e., those permitting adversaries that subvert or replace basic cryptographic algorithms) to use random oracles as a trusted black box.
Paper Structure (24 sections, 33 theorems, 60 equations, 5 figures, 1 table)

This paper contains 24 sections, 33 theorems, 60 equations, 5 figures, 1 table.

Table of Contents

  1. Introduction
  2. Our contributions
  3. Related Work
  4. The Model: Crooked Indifferentiability
  5. Preliminary: Indifferentiability
  6. Defining indifferentiability.
  7. Replacement.
  8. Crooked indifferentiability
  9. Crooked indifferentiability for random oracles.
  10. Replacement with crooked indifferentiability.
  11. Restrictions (of using crooked indifferentiability).
  12. The Construction
  13. Domain extension.
  14. Security Proof
  15. The simulator
  16. ...and 9 more sections

Key Result

Theorem 1

Let $\mathcal{P}\xspace$ be a cryptosystem with oracle access to an ideal primitive $\mathcal{F}\xspace$. Let $\mathit{C}$ be an algorithm such that $\mathit{C}^{\mathcal{G}\xspace}$ is indifferentiable from $\mathcal{F}\xspace$. Then cryptosystem $\mathcal{P}\xspace$ is at least as secure in the $\

Figures (5)

  • Figure 1: The indifferentiability notion: the distinguisher $\mathcal{D}\xspace$ either interacts with algorithm $\mathit{C}$ and ideal primitive $\mathcal{G}\xspace$, or with ideal primitive $\mathcal{F}\xspace$ and simulator $\mathcal{S}\xspace$. Algorithm $\mathit{C}$ has oracle access to $\mathcal{G}\xspace$, while simulator $\mathcal{S}\xspace$ has oracle access to $\mathcal{F}\xspace$.
  • Figure 2: The environment $\mathcal{E}\xspace$ interacts with cryptosystem $\mathcal{P}\xspace$ and attacker $\mathcal{A}\xspace$. In the $\mathcal{G}\xspace$ model (left), $\mathcal{P}\xspace$ has oracle access to $\mathit{C}$ whereas $\mathcal{A}\xspace$ has oracle access to $\mathcal{G}\xspace$. In the $\mathcal{F}\xspace$ model, both $\mathcal{P}\xspace$ and $\mathcal{S}_\mathcal{A}\xspace\xspace$ have oracle access to $\mathcal{F}\xspace$.
  • Figure 3: The $H$-crooked indifferentiability notion: the distinguisher $\widehat{\mathcal{D}\xspace}\xspace$, in the first phase, manufactures and publishes a subverted implementation denoted as $\tilde{H}$, for ideal primitive $H$; then in the second phase, a random string $R$ is published; after that, in the third phase, algorithm $\mathit{C}$, and simulator $\mathcal{S}\xspace$ are developed; the $H$-crooked-distinguisher $\widehat{\mathcal{D}\xspace}\xspace$, in the last phase, either interacting with algorithm $\mathit{C}$ and ideal primitive $H$, or with ideal primitive $\mathcal{F}\xspace$ and simulator $\mathcal{S}\xspace$, return a decision bit. Here, algorithm $\mathit{C}$ has oracle access to $\tilde{H}$, while simulator $\mathcal{S}\xspace$ has oracle access to $\mathcal{F}\xspace$ and $\tilde{H}$.
  • Figure 4: The environment $\widehat{\mathcal{E}\xspace}\xspace$ interacts with cryptosystem $\mathcal{P}\xspace$ and attacker $\mathcal{A}\xspace$: In the $\mathcal{G}\xspace$ model (left), $\mathcal{P}\xspace$ has oracle accesses to $\mathit{C}$ whereas $\mathcal{A}\xspace$ has oracle accesses to $\mathcal{G}\xspace$; the algorithm $\mathit{C}$ has oracle accesses to the subverted $\tilde{\mathcal{G}\xspace}$. In the $\mathcal{F}\xspace$ model, both $\mathcal{P}\xspace$ and $\mathcal{S}_\mathcal{A}\xspace\xspace$ have oracle accesses to $\mathcal{F}\xspace$. In addition, in both $\mathcal{G}\xspace$ and $\mathcal{F}\xspace$ models, randomness $R$ is publicly available to all entities.
  • Figure 5: Construction of attacker $\mathcal{S}_\mathcal{A}\xspace\xspace$ from attacker $\mathcal{A}\xspace$ and simulator $\mathcal{S}\xspace$

Theorems & Definitions (75)

  • Definition 1: Indifferentiability TCC:MauRenHol04C:CDMP05
  • Definition 2
  • Theorem 1: TCC:MauRenHol04C:CDMP05
  • Definition 3: $H$-crooked indifferentiability
  • Definition 4: Abbreviated $H$-crooked indifferentiability
  • Definition 5
  • Theorem 2
  • proof
  • Theorem 3
  • Definition 6: Constellation
  • ...and 65 more