Random Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules

The random oracle model is an idealized theoretical model that has been successfully used for designing many cryptographic algorithms and protocols. Unfortunately, a series of results has shown that proofs of security in the idealized random oracle model do not translate into security in the standard model (basically synonymous with "real systems"), so the reasoning that protocols designed using random oracles are secure on real systems is heuristic at best, and fundamentally flawed at worst. In this paper, we consider how architectural changes taking place in real systems today, specifically the introduction of the trusted platform module, affect the realizability of random oracles. In particular, we show how a TPM that is only trivially enhanced from real, standard TPMs can leverage one of its most powerful capabilities - the capability of keeping secrets from the host in which it resides - in order to provide functionality that is indistinguishable from a true random oracle to any polynomial time adversary. In addition to a careful description of how this works, we provide security proofs based on assumptions of TPM security, and provide concrete performance estimates through benchmarks using a current TPM. To prove the security of our TPM-based scheme, we formally define and prove properties about a cryptographic primitive which we call a "hybrid pseudorandom function" that may be of independent interest.

[1]  Victor Shoup,et al.  OAEP Reconsidered , 2001, CRYPTO.

[2]  Ran Canetti,et al.  Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information , 1997, CRYPTO.

[3]  Mihir Bellare,et al.  An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem , 2004, EUROCRYPT.

[4]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[5]  Marc Fischlin The Cramer-Shoup Strong-RSASignature Scheme Revisited , 2003, Public Key Cryptography.

[6]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[7]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[8]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[9]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[10]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[11]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[12]  Siani Pearson,et al.  Trusted Computing Platforms: TCPA Technology in Context , 2002 .

[13]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[14]  Jongsung Kim,et al.  On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract) , 2006, SCN.