Re: [Cfrg] On using ROs for analyzing randomness extraction functions
canetti <canetti@watson.ibm.com> Sat, 29 October 2005 05:17 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVj5W-0001n1-2g; Sat, 29 Oct 2005 01:17:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVj5T-0001mw-HE for cfrg@megatron.ietf.org; Sat, 29 Oct 2005 01:17:03 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA11508 for <cfrg@ietf.org>; Sat, 29 Oct 2005 01:16:46 -0400 (EDT)
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVjJB-0008Je-H8 for cfrg@ietf.org; Sat, 29 Oct 2005 01:31:13 -0400
Received: from sp1n294en1.watson.ibm.com (sp1n294en1.watson.ibm.com [129.34.20.40]) by igw2.watson.ibm.com (8.12.11/8.13.1/8.13.1-2005-04-25 igw) with ESMTP id j9T5Il3h021396; Sat, 29 Oct 2005 01:18:47 -0400
Received: from sp1n294en1.watson.ibm.com (localhost [127.0.0.1]) by sp1n294en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_2) with ESMTP id j9T5Grn42092; Sat, 29 Oct 2005 01:16:53 -0400
Received: from mgsmtp00.watson.ibm.com (mgsmtp00.watson.ibm.com [9.2.40.58]) by sp1n294en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_1) with ESMTP id j9T5GrN42090; Sat, 29 Oct 2005 01:16:53 -0400
Received: from prf.watson.ibm.com (prf.watson.ibm.com [9.2.16.112]) by mgsmtp00.watson.ibm.com (8.12.11/8.12.11/2005/09/01) with ESMTP id j9T5Gq94009816; Sat, 29 Oct 2005 01:16:52 -0400
Received: from localhost (canetti@localhost) by prf.watson.ibm.com (AIX5.1/8.11.6p2/8.11.0/03-06-2002) with ESMTP id j9T5Gmd70650; Sat, 29 Oct 2005 01:16:52 -0400
Date: Sat, 29 Oct 2005 01:16:48 -0400
From: canetti <canetti@watson.ibm.com>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
In-Reply-To: <200510282114.j9SLEarq012372@taverner.CS.Berkeley.EDU>
Message-ID: <Pine.A41.4.58.0510290053020.30282@prf.watson.ibm.com>
References: <200510282114.j9SLEarq012372@taverner.CS.Berkeley.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
David,
I think our takes on this are not as different as it might seem.
We agree that randomness extraction when the input distribution depends on
the definition of the extraction function H is impossible in general.
we also agree that we should not stop here, but rather try to get around
this by somehow finding a meaningful way to assume that the input
distribution does not depend on the definition of H. we differ in how to
make this assumption: You seem satisfied with using the RO abstraction.
To me, this abstraction seems unsatisfactory, since it does not allow me
to *precisely state what it is that I'm assuming*. I'm not talking here
about proving anything, just on precise statement of the "non
dependence" assumption. (It sounds great in English, but does it really
mean?)
This is why I'd rather make an explicit, well-defined assumption within
the standard model. Note: I'm not claiming that I have such an assumption
formulated. I also agree that this would probably end up being much more
messy than the RO stuff. But I think it's worth it here to not take the
"easy way out" and try to formulate those things precisely. In some cases,
such as FDH, the RO seems indispensable (as pointed out by Ilya). I have
a strong feeling that in our case it is dispensable.)
Ran
PS - forgot to agree before - this discussion is indeed very insteresting
and illuminating.
On Fri, 28 Oct 2005, David Wagner wrote:
> Ran Canetti writes:
> >More concretely, regarding the problem of "deterministic computational
> >randomness extraction" - namely, coming up with a public function H that
> >turns inputs with high computational entropy into pseudorandom values. We
> >know that if the distribution of inputs to H can depend on the definition
> >of H then this task is impossible.
> >
> >One way to get around this impossibility is to model H as a RO. Then
> >ofcourse this problem becomes not only doable but also trivial: almost any
> >way of feeding the input to the RO will be equally as secure as any other
> >way. But, alas, this doesnt change the fact that the task is impossible
> >in reality... in particular, we have learned nothing regarding which
> >constructions are better than others.
>
> I guess I have a different take on this. I wouldn't say that the RO
> model proves security for some task is impossible in practice. Rather,
> I would say that the RO model idealization implicitly assumes that the
> source does not depend on H in any way. Consequently, in any real world
> protocol, we have an obligation to convince ourselves that the source
> does not depend on ("is independent of" / "does not interact badly with")
> the hash function if we want the RO security proofs to mean anything.
> The RO model cannot help us with the latter obligation; that's something
> we have to assess heuristically via some other kind of reasoning. But in
> many cases the "no bad interactions" hypothesis looks very plausible
> (even if we cannot prove it), and in such cases one would expect the RO
> model to form good evidence for security in real life.
>
> Let me try an analogy. When we analyze "hash-then-sign" (FDH signatures)
> in the RO model, our RO idealization implicitly assumes that the
> trapdoor permutation is independent of the choice of H. That's an
> assumption that is never proved; and one has to look at the real world
> scheme and guess whether the assumption is met. But if we take, say,
> a FDH signature where we hash with SHA256 and then sign with raw RSA, it
> boggles the imagination that there could be any bad interaction between
> SHA256 and RSA. Consequently, the "no bad interactions" looks like a
> fairly plausible assumption, even though it is not something we know how
> to prove. We wouldn't say that the "hash-then-sign" task is impossible in
> reality, even though it is true that there do exist (contrived-looking)
> trapdoor permutations that interact with SHA256 badly enough to make
> "hash-then-sign" insecure with those trapdoor permutations.
>
> So the random oracle model, and the assumptions needed to make it
> meaningful, doesn't seem so bad to me in this setting.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] On using ROs for analyzing randomness extr… David Wagner
- Re: [Cfrg] On using ROs for analyzing randomness … Jack Lloyd
- [Cfrg] On using ROs for analyzing randomness extr… David Wagner
- Re: [Cfrg] On using ROs for analyzing randomness … Jack Lloyd
- RE: [Cfrg] On using ROs for analyzing randomness … Ilya Mironov
- Re: [Cfrg] On using ROs for analyzing randomness … canetti
- Re: [Cfrg] On using ROs for analyzing randomness … John Wilkinson
- Re: [Cfrg] On using ROs for analyzing randomness … D. J. Bernstein
- Re: [Cfrg] On using ROs for analyzing randomness … John Wilkinson
- Re: [Cfrg] On using ROs for analyzing randomness … D. J. Bernstein
- Re: [Cfrg] On using ROs for analyzing randomness … John Wilkinson
- Re: [Cfrg] On using ROs for analyzing randomness … D. J. Bernstein
- Re: [Cfrg] On using ROs for analyzing randomness … canetti