Comment by less_less

5 months ago

This is a really cool result, and I'm looking forward to reading Part 3.

My view on the ROM is that cryptographic proofs (the ones we are able to actually do) always rule out only some attacks but not others. A standard model (non-ROM) proof will still be under some assumption about lattices or elliptic curves or AES or whatever, will be valid only under a certain model of the attacker's capabilities and goals, and will often have tightness issues (where the parameters or probability of success on the "proved" system will be worse than with the assumption). Even a tight unconditional proof (such as for the one-time pad) assumes a certain model of the attacker's goals and capabilities.

The ROM is another axis of this: a ROM proof rules out attacks that treat the hash function as a random oracle. Since hash functions are designed to have as few non-ROM properties as possible, and since most real attacks on cryptosystems either break the hash or treat it as a random oracle, ruling out those attacks can usually give you some confidence. But if your cryptosystem is itself making use of non-ROM properties of the hash, then it gives you a lot less confidence, and that's the situation of this new KRS result.

I'm also looking forward to part 3.

A good counterpoint to some of the concerns in the series is https://cacr.uwaterloo.ca/techreports/2015/cacr2015-01.pdf. This article shows "several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses".

Of course, that article is only focused on more classical constructions and not on the newer SNARK/SNARG/STARK and other constructions in the zero-knowledge zoo. So there isn't really a disagreement, but we probably shouldn't ditch random-oracle-based constructs in use today.