provable safety under stochastic prediction model:
For the first time, scholars such as Goldwasser have systematically expounded the idea of provable security, the encryption and signature scheme with provable security [44,48] is given, however, the proven security of the above scheme is at the cost of the serious sacrifice of efficiency, therefore, although the above scheme is of great significance in theory, it is not practical. In the 1993, the Bellare and Rogaway two scholars [49] formally presented the Stochastic Prediction model (Random Oraclemodel,rom) methodology, which made the proven security methodology in the past purely theoretical research make great progress in practical application field. A large number of fast and efficient security solutions have been proposed, and at the same time, also produced a "specific security (concrete or exact)", the significance is that we no longer only to meet the security of the asymptotic, but can accurately obtain a more accurate security measures. The practical proof security theory has been widely accepted by academia and industry. Reduction is the most commonly used tool or inference method to prove the security theory, in the provable security solution, first of all, to establish a security model, in order to prove the security of the scheme needs to establish a challenge algorithm C (simulation challenger role). The algorithm C sums up a complex security problem as a mathematical problem (such as large number decomposition, solving discrete logarithm, CDH difficult problem, etc.), and the general statement in ROM is as follows:
① first formally defines the security of the scheme, assuming that within the probability polynomial time (PPT) The adversary can destroy the scheme security (such as forged signature) with the probability of not being ignored;
② then the simulator C provides a simulated environment (ROM) that is indistinguishable from the actual environment for the adversary, answering all the predictions of the adversary (the simulated adversary can get all the attacking conditions);
③ Finally, use the results of adversary attacks (such as the existence of a forged signature) to try to solve mathematical problems.
In which, the algorithm C is to embed a random instance of the difficult problem into the attacker's simulation, but challenger C does not know the private key involved in the difficult problem, in order to simulate all the inquiries of the attacker or conceal the fact that the private key is not known (that is, simulate a real attack environment), Makes the attack think that you're interacting with a real challenger,
algorithm C requires some special ability to make up for the ignorance of the private key, this ability is realized by stochastic prophecy in the construction process.
in the process of proving, the hash function is regarded as a random function, that is, the Stochastic prophecy machine。 Anyone can get the value of a hash function by asking for a random oracle, so that by controlling the prophecy, C can use the attacker's ability to solve mathematical problems by providing a real attack environment. The proof model obtained by the above nature of the prophetic machine is called the Stochastic Prediction Model (ROM).
provable security under the standard Model
The program security shown in ROM does not guarantee the security of the program in real life. At present, there are many ROM is verifiable safe, but the specific application can not construct a corresponding example. It is of great practical significance to testify security in Standard Model. In the standard model, the algorithm is still to make up the ignorance of the private key by the prediction machine, the difference is that the internal mapping of the prediction machine is not randomly specified, it must conform to the function relation in the specific scheme, which increases the difficulty of the scheme design. Although ROM methodology is not an absolute proof of actual scheme security, it can be used as a necessary basic security test for any practical scheme, and ROM methodology may at least eliminate many security risks. Using the ROM design simple and effective protocol, can resist many unknown attacks [54]. Some scholars still insist on proving scheme security in the standard model, and think that although the safe scheme is very effective in ROM, the hash function is considered as a completely random ideal model, which is a very strong hypothesis, and the scheme in ROM There is no causal relationship between security and security implemented through hash functions. For example, some signatures and encryption schemes are safe in ROM, but are not safe in practical applications.
Non-certificate public key cryptography research from Infinite pairs _ Liu Wenhao
"Many researchers have expressed doubts about the wisdom of relying on the random Oracle model." In particular, Canetti et al.[19] proved this there are signature and encryption schemes that are secure in the random CLE model, but insecure for any instantiation of the standard Oracle. "
Form: "An efficient and provably‐secure certificateless signature scheme without bilinear pairings"
stochastic Oracle Model:
In the security certificate, the stochastic Oracle model is usually the idealized surrogate of the Greek function in reality. A hash function is a function that is entered as an arbitrary length and is output to a fixed length, but it also satisfies some other characteristics, such as one-way, collision resistance, and so on. The concept of stochastic prophecy originates from Fiat and Shamir[111] 's idea of looking at the hash function as a random function, and then further by the researcher Bellare and Rogaway [65] into the stochastic prediction model.
Under the stochastic Oracle model, a scheme is usually designed and proved to be safe, while in the actual execution of the scheme, a random predictor in the scheme is replaced with a specific hash function. It should be pointed out that the scheme of proving security under the stochastic Oracle model may not be safe in actual implementation. Researchers Canetti,goldreich and halevi[112,113] have given examples of this.
Standard ModelModels that do not rely on random prophecies are called standard models. Generally refers to the design of the scheme (if the use of a hash function) in the proof, only the actual use of the Greek function can be implemented, then can be considered a standard model. The first standard model to prove the security of efficient public-key cryptography in 1998 by Cramer and Shoup[101], and then most of the interest of researchers to design the standard model to prove the security of the program. Related research Wang Yongtao based on attribute cipher system
• Standard Model (Standardmodel) Standard Model, the adversary is limited by the time and the computational ability, and there is no other hypothesis, if the cryptography scheme can be reduced to the problem of difficulty, then the attribution is based on the standard model, and the scheme has the provable security under the Standard Model. However, in practice, it is difficult to establish security in the standard model, which is difficult to prove the security model. Therefore, in order to reduce the difficulty of proving, it is often necessary to add other assumptions in the process of security reduction, which is the stochastic Oracle model to be discussed below.
• Stochastic Prediction Model 122 (Random Oracle model) random prediction models on top of the security model, we add a random oracle hypothesis for hashing functions. Security under this assumption is also referred to as provable security under the stochastic Oracle model. The stochastic Oracle model, a model abstracted from the hash function, is a proven method that is widely used in provable security. A random Oracle is a hash function that we can interpret as a perfect hash function: 1 consistency: For the same input, the output is necessarily the same; 2) computable: The output can be calculated in polynomial time and 3 uniformly distributed: the output of the prophetic machine is evenly distributed in the value space without collision.
In the stochastic Oracle model, it is assumed that the adversary does not exploit the weakness of the hash function to attack the cryptography scheme. In other words, even if the actual hash function in the scheme is replaced by a random oracle, the adversary can still succeed.
The
Random Oracle, although widely used and proved by cryptography, provides great convenience for proving security, but there is still controversy about the validity of the safety proof under the stochastic Oracle model. Stochastic prophecy is an overly ideal assumption, requiring the adversary not to exploit the weakness of the hash function to attack the scheme. In reality, there is no such a perfect hash function, so some schemes that are safe under the random Oracle model are no longer secure after using the real hash function. However, the safety proof of the stochastic Oracle model can meet the safety requirement except the hash function, and most of the provable security schemes are based on the stochastic Oracle model. Therefore, the stochastic Oracle model is still considered to be the most successful application in the proven security.
