CT-ROM: Collision-Tractable Random Oracle Model

• CT-ROM is a variant of the Random Oracle Model that explicitly allows an adversary to query a collision oracle, thereby breaking collision resistance while maintaining preimage properties.
• It is used to precisely analyze cryptographic schemes like RSA-FDH by modeling how collision vulnerabilities can be exploited in security reductions.
• CT-ROM is integral for isolating the role of collision resistance in cryptographic proofs, guiding the design and assessment of secure hash function instantiations.

The Collision–Tractable Random Oracle Model (CT–@@@@1@@@@) is a weakened variant of the standard Random Oracle Model (ROM) in cryptographic security proofs. CT-ROM modifies the classical idealization of a hash function by allowing an adversary not only to query a Random Oracle (RO) but also to query an additional oracle that enables the adversary to efficiently find hash collisions. This model is pivotal for precisely identifying the role that collision resistance plays in the security of cryptographic schemes and for capturing the impact of broken collision resistance in security reductions (Tezuka et al., 2021).

1. Formal Definition and Oracles

Let $h \colon X \rightarrow Y$ denote a family of hash functions, with $|X|=2^\ell$ and $|Y|=2^k$. In the CT-ROM$_{(\ell,k)}$, an adversary $\mathcal{A}$ interacts with two idealized oracles:

• Random Oracle ($\mathrm{RO}^h$): On query $x\in X$, if $(x,y)$ exists in the internal table $\mathbb{T}_h$, $y$ is returned. Otherwise, $y$ is sampled uniformly at random from $Y$, $(x,y)$ is stored in $\mathbb{T}_h$, and $y$ is returned.
• Collision Oracle ($\mathrm{CO}^h$): On a query with no input, a uniform $(x,y)\in\mathbb{T}_h$ is selected. If there exists $x'\neq x$ with $(x',y)\in\mathbb{T}_h$, such an $x'$ is selected uniformly at random and the collision $(x, x')$ is returned. If no such $x'$ exists, it returns $\perp$.

Table 1: Oracle Access in ROM Variants

Model	Random Oracle ($\mathrm{RO}^h$)	Additional Oracle
ROM$_{(\ell,k)}$	Yes	None
CT-ROM$_{(\ell,k)}$	Yes	$\mathrm{CO}^h$ (Collision Oracle)
SPT-ROM$_{(\ell,k)}$	Yes	$\mathrm{SPO}^h$ (Second-Preimage)
FPT-ROM$_{(\ell,k)}$	Yes	$\mathrm{FPO}^h$ (First-Preimage)

The CT-ROM explicitly breaks collision resistance by equipping the adversary with a collision-finding capability, while leaving second- and first-preimage resistance idealized (Tezuka et al., 2021).

2. Security Games and Definitions

The existential-unforgeability under chosen-message attack (EUF-CMA) game for a signature scheme $$\Pi = (\textsf{KeyGen}, \textsf{Sign}, \textsf{Verify})$$ in the CT-ROM is defined as follows:

1. The challenger generates keys $(sk, vk)\leftarrow \textsf{KeyGen}(1^k)$ and gives $vk$ to $\mathcal{A}$.
2. $\mathcal{A}$ may adaptively make:
   • Signing queries on messages $m$ to receive $\sigma \leftarrow \textsf{Sign}(sk,m)$.
   • RO queries on $x$ to receive $\mathrm{RO}^h(x)$.
   • CO queries to receive $\mathrm{CO}^h()$.
3. $\mathcal{A}$ outputs $(m^*, \sigma^*)$ and wins if $\textsf{Verify}(vk, m^*, \sigma^*)=1$ and $m^*$ was not submitted to the signing oracle.

The adversary's advantage in this game is

$$\mathrm{Adv}^{\mathrm{EUF-CMA}}_{\Pi,\mathrm{CT}}(\mathcal{A}) = \Pr[\mathcal{A} \text{ wins in } \text{Game}_{\Pi}^{\mathrm{EUF-CMA-CT-ROM}}(\mathcal{A})].$$

Collision-tractability is defined via the advantage

$$\mathrm{Adv}^{\mathrm{CT-ROM}}_{\mathrm{CR}}(\mathcal{A}) = \Pr[((x,x')\leftarrow\mathcal{A}^{\mathrm{RO},\mathrm{CO}}): x\neq x' \wedge \mathrm{RO}(x) = \mathrm{RO}(x')].$$

A hash family is $(t,q,\epsilon)$–collision-tractable if a $t$–time adversary using at most $q$ RO and CO queries achieves advantage at least $\epsilon$, with $\epsilon$ non-negligible in $k$ (Tezuka et al., 2021).

3. Comparison with Related Weakened Random Oracle Models

Several weakened random oracle models (WROMs), as formalized by Numayama et al. and Tan and Wong, systematically capture the failure of specific hash function properties:

• Standard ROM$_{(\ell,k)}$: Only $\mathrm{RO}^h$ is present. Both collision and (first or second) preimage resistance are unbroken and idealized.
• CT-ROM$_{(\ell,k)}$: Adds $\mathrm{CO}^h$. Collision resistance is no longer idealized, but preimage properties are.
• SPT-ROM$_{(\ell,k)}$: Replaces $\mathrm{CO}^h$ by $\mathrm{SPO}^h(x)$, which returns $x'\neq x$ with $h(x)=h(x')$, breaking second-preimage resistance exclusively.
• FPT-ROM$_{(\ell,k)}$: Replaces $\mathrm{CO}^h$ by $\mathrm{FPO}^h(y)$, returning $x$ such that $h(x)=y$, capturing broken (first) preimage resistance only.

These distinctions allow security proofs to be precisely mapped to the minimal hash function property necessary for a scheme’s security (Tezuka et al., 2021).

4. Insecurity of RSA-FDH in the CT-ROM

The RSA Full Domain Hash (RSA-FDH) signature scheme, when analyzed in CT-ROM, is shown to be insecure due to the adversary’s access to the collision oracle.

• RSA-FDH Scheme
  • $\textsf{KeyGen}$: Standard RSA key generation $(N, e, d) \leftarrow \textsf{RSA}(1^k)$; $vk = (N, e)$, $sk = d$.
  • $\textsf{Sign}(sk, m)$: $y \leftarrow \mathrm{RO}^h(m)$; $\sigma \leftarrow y^d \mod N$.
  • $\textsf{Verify}(vk, m, \sigma)$: Accept iff $\mathrm{RO}^h(m) = \sigma^e \mod N$.

Using $\mathrm{CO}^h$, the adversary:

1. Obtains a collision $(m, m')$ with $\mathrm{RO}^h(m) = \mathrm{RO}^h(m')$ using a single CO query.
2. Queries the signing oracle for $\sigma \leftarrow \textsf{Sign}(sk, m)$.
3. Outputs the forgery $(m', \sigma)$.

Verification accepts since $\mathrm{RO}^h(m') = \sigma^e \mod N$ and $m'$ was never signed, exploiting the collision resistance failure (Tezuka et al., 2021).

The probability that $\mathrm{CO}^h$ returns $\perp$ (i.e., fails to find a collision) is bounded by

$$\Pr[\text{no collision}] = (1-2^{-k})^{2^\ell-1} \leq \exp\left( -\frac{2^\ell - 1}{2^k} \right).$$

Thus,

$$\Pr[\mathcal{A} \text{ forges}] \geq 1 - \exp\left( -\frac{2^\ell - 1}{2^k} \right).$$

A formal theorem states that, in CT-ROM$_{(\ell,k)}$, there exists a probabilistic polynomial-time adversary $\mathcal{A}$ using a single CO and a single Sign query achieving this advantage, establishing the insecurity of RSA-FDH in CT-ROM.

5. Security Implications and Modeling in Proofs

The adoption of CT-ROM isolates collision resistance as a distinct and critical hash function property in security reductions. When a proof fails in CT-ROM but holds in ROM, this pinpoints collision resistance as the property on which security truly relies. CT-ROM thus supports rigorous analysis of schemes such as RSA-FDH and related variants, clarifying that their standard reductions are only meaningful if the hash function retains collision resistance (Tezuka et al., 2021).

By contrast, the SPT-ROM and FPT-ROM enable the analogous analysis for second-preimage and (first) preimage resistance, respectively. More generalizations, such as GFPT-ROM, further refine the model to analyze advanced attacks including chosen prefix collisions.

6. Context, Significance, and Extensions

CT-ROM originated from the general framework of weakened random oracle models proposed by Liskov (SAC 2006) and formalized by Numayama et al. (PKC 2008). Its importance lies in enabling precise cryptographic reductions and exposing vulnerabilities that are masked in the standard ROM. While theoretical in construction, the CT-ROM model has direct implications for assessing real-world schemes when instantiated with potentially collision-tractable hash functions.

Subsequent work by Tan and Wong introduced the generalized first-preimage tractable ROM (GFPT-ROM) to accommodate attacks such as the chosen prefix collision attack of Stevens et al. (EUROCRYPT 2007), and further extended the methodology to other nuanced weaknesses in hash function instantiations (Tezuka et al., 2021).

These frameworks collectively enable a fine-grained and property-specific evaluation of cryptographic constructions with respect to the concrete assumptions made about the underlying hash function.