
I'm currently working on a proof in the random oracle model, where a single random oracle is used in multiple places. Each use is domain-separated so I was thinking of representing it as multiple random oracles for simplicity.

  1. Is this valid for the proof? I can't see why it wouldn't be but I can't find anything about it.

  2. Will this add any additional distinguishing behaviours? e.g in a game based proof would this add an extra probability somewhere?

  3. If this is allowed are there any papers I could read that utilise this technique?

Rohit Gupta
Matthew

2 Answers


Link-only answer: https://eprint.iacr.org/2020/241 Titled: Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability

Abstract:

It is convenient and common for schemes in the random oracle model to assume access to multiple random oracles (ROs), leaving to implementations the task —we call it oracle cloning— of constructing them from a single RO. The first part of the paper is a case study of oracle cloning in KEM submissions to the NIST Post-Quantum Cryptography standardization process. We give key-recovery attacks on some submissions arising from mistakes in oracle cloning, and find other submissions using oracle cloning methods whose validity is unclear. Motivated by this, the second part of the paper gives a theoretical treatment of oracle cloning. We give a definition of what is an “oracle cloning method” and what it means for such a method to “work,” in a framework we call read-only indifferentiability, a simple variant of classical indifferentiability that yields security not only for usage in single-stage games but also in multi-stage ones. We formalize domain separation, and specify and study many oracle cloning methods, including common domain-separating ones, giving some general results to justify (prove read-only indifferentiability of) certain classes of methods. We are not only able to validate the oracle cloning methods used in many of the unbroken NIST PQC KEMs, but also able to specify and validate oracle cloning methods that may be useful beyond that.

DannyNiu

The paper "Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability" by Bellare, Davis, and Günther is a great reference for your question.

A few highlights:

  • They formalize the notion of "oracle cloning": simulating multiple independent oracles for a single one. Domain separation is one technique to achieve this.
  • They survey oracle cloning techniques in PQC submissions and find many broken schemes due to broken oracle cloning practices, which might interest your exploration of proofs.

Oracle cloning: the task of creating some scheme $R$ based on a (publicly accessible) ideal scheme $S$ so $R$ is as good as some other ideal scheme $T$ is a natural fit for indifferentiability. However, the original indifferentiability cannot guarantee composition in multi-stage games where no state is shared between the different stage adversaries. So, the paper introduces another notion of indifferentiability, Read-Only Indifferentiability, which allows for a static readable state.

The paper goes on to capture cloning techniques as functors and proves the security of some cloning techniques. Due to indifferentiability, these results are composable in that any appropriately cloned random oracle behaves as well as a fresh random oracle in any context.

Marc Ilunga
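As an added illustration of the domain-separation cloning the answers above refer to (example code written for this page, not from the paper or either answer): a single hash standing in for the one random oracle H is turned into per-tag clones by hashing an injective encoding of (tag, x). The length prefix is what keeps the encoding injective; the contrasting `naive_clone` shows why a plain tag prefix only separates domains when no tag is a prefix of another. SHA-256, the one-byte length prefix and the sample tags are all assumptions of this example.

```python
import hashlib
from typing import Callable

# The single underlying "random oracle" H. SHA-256 is an assumption of this
# example; in the proof H is an idealized oracle, here it is just a stand-in.
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def clone(tag: bytes) -> Callable[[bytes], bytes]:
    """Domain-separated clone H_tag(x) = H(len(tag) || tag || x).

    Because the tag is length-prefixed, (tag, x) -> len(tag)||tag||x is
    injective: two clones with different tags can never map distinct queries
    to the same H input, so the clones never share an answer.
    """
    if not 0 < len(tag) < 256:
        raise ValueError("tag must be 1..255 bytes for a one-byte length prefix")
    prefix = bytes([len(tag)]) + tag
    return lambda x: H(prefix + x)

def naive_clone(tag: bytes) -> Callable[[bytes], bytes]:
    """Prefix-only separation H(tag || x), shown for contrast.

    This is only unambiguous when the set of tags in use is prefix-free;
    otherwise one H input can be reached from two different clones.
    """
    return lambda x: H(tag + x)

def tags_prefix_free(tags: list[bytes]) -> bool:
    """The check a proof using naive prefix separation relies on: no tag may
    be a proper prefix of another tag in the set."""
    return not any(a != b and b.startswith(a) for a in tags for b in tags)
```

The length-prefixed clones can be used anywhere the proof assumes independent random oracles; the `tags_prefix_free` check is the condition to verify before relying on bare tag prefixes instead.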