Replacing a Random Oracle: Full Domain Hash from Indistinguishability Obfuscation
Our main result gives a way to instantiate the random oracle with a concrete hash function in “full domain hash” applications. The term full domain hash was first proposed by Bellare and Rogaway [BR93, BR96] and referred to a signature scheme from any trapdoor permutation that was part of their seminal work introducing the random oracle heuristic. Over time the term full domain hash has (informally) encompassed a broader range of notable cryptographic schemes including the Boneh-Franklin [BF01] IBE scheme and Boneh-Lynn-Shacham (BLS) [BLS01] signatures. All of the above described schemes required a hash function that had to be modeled as a random oracle to prove security. Our work utilizes recent advances in indistinguishability obfuscation to construct specific hash functions for use in these schemes. We then prove security of the original cryptosystems when instantiated with our specific hash function.
Of particular interest, our work evades the impossibility results of Dodis, Oliveira, and Pietrzak [DOP05], who showed that there can be no black-box construction of hash functions that allow Full-Domain Hash Signatures to be based on trapdoor permutations, and its extension by Dodis, Haitner, and Tentes [DHT12] to the RSA Full-Domain Hash Signatures. This indicates our techniques applying indistinguishability obfuscation may be useful for circumventing other black-box impossibility proofs.
KeywordsHash Function Signature Scheme Random Oracle Random Oracle Model Message Space
- [BR93]Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
- [CGH98]Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: STOC, pp. 209–218 (1998)Google Scholar
- [GGH+13]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)Google Scholar
- [GGM84]Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479 (1984)Google Scholar
- [GK03]Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS, pp. 102–113 (2003)Google Scholar
- [HSW14]Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: Full domain hash from indistinguishability obfuscation. In: Eurocrypt (2014), Full version available at http://eprint.iacr.org/2013/509
- [KPTZ13]Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: ACM Conference on Computer and Communications Security, pp. 669–684 (2013)Google Scholar
- [KS98]Kaliski, B., Staddon, J.: PKCS #1: RSA Cryptography Specifications Version 2.0 (1998)Google Scholar
- [SW13]Sahai, A., Waters, B.: How to use indistinguishability obfuscation: Deniable encryption, and more. Cryptology ePrint Archive, Report 2013/454 (2013) (to appear in STOC, 2014), http://eprint.iacr.org/