Standard Model, Random Oracle Model and Ideal Cipher Model

• Standard Model

Security dependents complexity-theoretic hardness assumptions. (e.g. factoring the product of large primes, discrete log is intractible in certain sufficiently large groups, AES is a good pseudo-random permutation (PRP))

• Random Oracle Model

In the random oracle model we have a public random function, accessible to all parties, which is typically accepts any string from { 0 , 1 } ∗ \{0,1\}^* {0,1}∗ and outputs $n$ bits.

For each element in its domain, the corresponding $n$-bits output is uniform and independent from all other outputs.

Random oracles do not exist in practice. But it is always instantiated with cryptographic hash functions such as SHA-1

• Ideal Cipher Model

Blockciphers are a common building block for cryptographic protocols.

In the standard model the associated assumption for blockciphers is that they are “pseudo-random permutations” (PRPs).

By this we mean (informally) that an $n$-bit blockcipher under a secret randomly-chosen keyis computationally indistinguishable from a randomly-chosen $n$-bit permutati on.

Proofs conducted using this assumption typically give reductions showing that if an adversary breaks some scheme, then there exists an associated adversary that can efficiently distinguish the underlying blockcipher from random.

(FSE 05)The Ideal-Cipher Model, Revisited_An Uninstantiable Blockcipher-Based Hash Function