几个基本的密码学概念

什么是cryptographic oracle：
http://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle

An oracle is an individual who knows the personal cell phone number of a god. This enables him (or her) to obtain some
information which is usually considered as out of reach of mere mortals, such as glimpses of the future. In cryptography, that's the same, except that no deity is involved:
an oracle is any system which can give some extra information on a system, which otherwise would not be available.
For instance, consider asymmetric encryption with RSA. The standard I link to states how a piece of data should
be encrypted with a public key. In particular, the encryption begins with a padding operation, in which the piece of data is first expanded by adding a header, so that the padded data length matches the RSA public key length. The header should begin
with the two bytes

0x00 0x02

, followed by at least eight random non-zero bytes, and then another

0x00

. Once the data has been padded, it is time to apply the mathematical operation which is at the core of the RSA operation (modular
exponentiation). Details of the padding are important for security.
The encryption result is an integer modulo the RSA modulus, a big integer which is part of the public key. For a 1024-bit RSA key, the modulus n is an integer value greater than 21023,
but smaller than 21024. A properly encrypted data chunk, with RSA, yields an integer value between 1 and n-1. However, the padding implies some structure, as shown above. The decrypting party MUST find, upon decryption,
a properly formed PKCS#1 header, beginning with the

0x00 0x02

bytes, followed by at least eight non-zero bytes, and there must be a

0x00

which marks the end of the header. Therefore, not all integers between 1 and n-1 are
valid RSA-encrypted message (less than 1 every 65000 such integers would yield a proper padding upon decryption).
Knowing whether a given integer modulo n would yield, upon decryption, a valid padding structure, is supposed to be infeasible for whoever does not know the private key. The private
key owner (the deity) obtains that information, and much more: if the decryption works, the private key owner actually gets the message, which is the point of decryption. Assume that there is an entity, somewhere, who can tell you whether a given
integer modulo n is a validly encrypted piece of data with RSA; that entity would not give you the full decryption result, it would just tell you whether decryption would work or not. That's a one-bit information, a reduced glimpse of what the deity
would obtain. The entity is your oracle: it returns parts of the information what is normally available only to the private key owner.
It turns out that, given access to such an oracle, it is possible to rebuild the private key,
by sending specially crafted integers modulo n (it takes a million or so of such values, and quite a bit of mathematics, but it can be done). It also turns out that most SSL/TLS implementation
of that time (that was in 1999) were involuntarily acting as oracles: if you sent, as a client, an invalidly RSA-encrypted ClientKeyExchange message, the server was responding with a specific error message ("duh, your ClientKeyExchange message stinks"), whereas
if decryption worked, the server was keeping on with the protocol, using whatever value it decrypted (usually unknown to the client if the client sent a random value, so the protocol failed later on, but the client could see the difference between a valid
and an invalid padding). Therefore, with such an implementation, an attacker could (after a million or so of failed connections) rebuild the server private key, which is usually considered to be a bad thing.
That's what oracles are:
a mathematical description of a data leak, to be used in security proofs. In the case of RSA, this demonstrates that knowing whether a value has a proper padding or not is somehow equivalent to learning the private key (if you know the private
key you can attempt the decryption and see the padding for yourself; the Bleichenbacher attack shows that it also works the other way round).
以及：

An oracle is something which can immediately (

O(1)

) give you the answer to some problem, usually an infeasible or impossible problem. For example, a "Halting-problem Oracle" could
tell you immediately whether a certain program on a certain input halts or not, even though the halting problem is uncomputable to us mere mortals. However, we can sometimes
prove some useful properties by pretending certain oracles exist.
In cryptographic papers, for instance, oracles are most often used to show that, even if our attackers had access to some seemingly-impossibile oracle, they stillwouldn't have
any (significant) advantage to breaking our security. For example, one important property of encryption algorithms (called resistance to known plaintext attacks) is
that if an attacker is given a message encrypted with your key

m'

and they want to know the original message

m

(or figure out your key), then giving them another message

n

and its encryption with your key

n'

should
not help them do so in any way whatsoever.
Taking this to the extreme (chosen plaintext attack): give an attacker an oracle who can encrypt
or decrypt any message with your key except for

m

and

m'

. Even under these extreme conditions, we'd want to show for our encryption that the attacker with the oracle will have no advantage in finding

m

(or
your key) than the attacker without the oracle. This would mean our encryption is safe from chosen-plaintext attacks.

Random Oracle则是另外一个概念：

In cryptography, a random oracle is an oracle (a
theoretical black box) that responds to every unique query with
a (truly) randomresponse chosen uniformly from
its output domain. If a query is repeated it responds the same way every time that query is submitted.

Stated differently, a random oracle is a random mathematical function,
that is, a function mapping each possible query to a (fixed) random response from its output domain.

Random oracles are a mathematical abstraction used in cryptographic proofs. They are typically used when the cryptographic
hash functions in the method cannot be proven to possess the mathematical properties required by the proof.
A system that is proven secure when every hash function is replaced by a random oracle is described as being secure in the random oracle model, as opposed to secure in the standard
model.

Applications[edit]

In practice, random oracles are typically used as an ideal replacement for cryptographic
hash functions in schemes where strong randomness assumptions are needed of the hash function's output. Such a proof generally shows that a system or a protocol is secure by showing that an attacker must require impossible behavior from the oracle,
or solve some mathematical problem believed hard, in order to break the protocol. Not all uses of cryptographic hash functions require random oracles: schemes that require only some property or properties that have a definition in the standard model (such
as collision resistance, preimage
resistance, second preimage resistance, etc.) can often be proven
secure in the standard model (e.g., the Cramer–Shoup cryptosystem).

Random oracles have long been considered in computational complexity theory (e.g.
Bennett & Gill[1]), and many schemes
have been proven secure in the random oracle model, for example OAEP and PSS.
Fiat and Shamir (1986)[2] showed a
major application of random oracles – the removal of interaction from protocols for the creation of signatures. Impagliazzo and Rudich (1989)[3]showed
the limitation of random oracles – namely that their existence alone is not sufficient for secret-key exchange. Bellare and Rogaway (1993) [4] advocated
their use in cryptographic constructions. In this definition, the random oracle produces a bit-string of infinite length which can be truncated to the length desired.

When a random oracle is used within a security proof, it is made available to all players, including the adversary or adversaries. A single oracle may be treated as multiple oracles by pre-pending a fixed bit-string to the beginning of each query (e.g., queries
formatted as "1|x" or "0|x" can be considered as calls to two separate random oracles, similarly "00|x", "01|x", "10|x" and "11|x" can be used to represent calls to four separate random oracles).

Limitations[edit]

No function computable by a finite algorithm can implement a true random oracle (which by definition requires an infinite description).

In fact, certain artificial signature and encryption schemes are known which are proven
secure in the random oracle model, but which are trivially insecure when any real function is substituted for the random oracle.[5][6] Nonetheless,
for any more natural protocol a proof of security in the random oracle model gives very strong evidence of the security of the protocol.[citation
needed]

In general, if a protocol is proven secure, attacks to that protocol must either be outside what was proven, or break one of the assumptions in the proof; for instance if the proof relies on the hardness of integer
factorization, to break this assumption one must discover a fast integer factorization algorithm. Instead, to break the random oracle assumption, one must discover some unknown and undesirable property of the actual hash function; for good hash functions
where such properties are believed unlikely, the considered protocol can be considered secure.

Standard model (cryptography)

In cryptography the standard model is the model of computation in which the adversary is
only limited by the amount of time and computational power available. Other names used are bare model and plain model.

Cryptographic schemes are usually based on complexity assumptions, which state
that some problems, such as factorization, cannot be solved in polynomial
time. Schemes which can be proven secure using only complexity assumptions are said to be secure in
the standard model. Security proofs are notoriously difficult to achieve in the standard model, so in many proofs, cryptographic primitives are replaced by idealized versions. The most usual example of this technique, known as the random
oracle model,[1][2] involves
replacing a cryptographic hash function with a genuinely random function. Another example is the generic
group model,[3][4] where
the adversary is given access to a randomly chosen encoding of a group, instead of the finite
field or elliptic curve groups used in practice.

Other models used invoke trusted third parties to perform some task without cheating -- for example, the public
key infrastructure (PKI) model requires a certificate authority, which if it were dishonest,
could produce fake certificates and use them to forge signatures, or mount a man
in the middle attack to read encrypted messages. Other examples of this type are the common
random string model and the common reference string model, where it is assumed
that all parties have access to some string chosen uniformly at random or a string chosen according to some other probability distribution respectively. These models are often used for Non-interactive
zero-knowledge proofs (NIZK). In some applications, such as the Dolev-Dwork-Naor encryption scheme,[5] it
makes sense for a particular party to generate the common reference string, while in other applications, the common reference string must be generated by a trusted third party. Collectively, these models are referred to as models with special setup assumptions.