The ideal cipher model is a framework for proving systems secure. Its security proofs rest on the idea that if a cipher (almost always a block cipher) is completely secure (an 'ideal' cipher), then certain properties follow as a consequence: for example, that the system cannot be broken with less than a certain amount of effort, under any circumstances. It is, in some ways, quite similar to the random oracle model, but, as I will discuss, it is significantly less useful than that model.

One problem with models like the ideal cipher model is that when most people see 'such-and-such is provably secure', they assume that it means provably secure in some real-world way. However, the assumption that a cipher is ideal is a major stretch (at best). Many ciphers, like DES, 3DES, and TEA, while relatively secure, are most certainly not ideal ciphers. This means the proof does not apply, and, basically, anything can happen. Even with ciphers that are believed to be strong, like AES or Twofish, we don't know (and cannot prove) that these ciphers are ideal. It's likely that they are not, but one can hope that they are enough like an ideal cipher that it doesn't matter. But when it comes to security work, all you can get with hope and a dollar is a cup of coffee.

As if that weren't bad enough, sometimes the proofs make other (usually unstated) assumptions, typically ones where the designers didn't even consider the possibility of an event occurring. For example, RMAC, which was designed in the ideal cipher model, can actually be attacked in about half the time one would expect, due to a simple and fairly obvious flaw (which was, in fact, first found by yours truly). This flaw can be exploited no matter how good the cipher is, as long as some sucker is willing to authenticate the same message twice with the same key (which is not, in the world of cryptanalysis, an unreasonable assumption at all).

So, to sum things up, the ideal cipher model is not too great, and, at this time, researchers are seriously questioning whether it is a useful model at all, given the false impressions of security it often leads to. There is a strong push toward proofs based on the assumption that the cipher is a pseudo-random permutation, which is a much less stringent requirement.
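As an added illustration that is not part of the original write-up: what the proofs above actually assume is that the block cipher is an oracle in which every key names its own independent, uniformly random permutation, and, unlike the pseudo-random permutation assumption (one secret, random key), the caller may query any key it likes. The Python below simulates exactly that object by lazy sampling; the key values, the 16-bit block size and the sample counts are my own choices, and a real cipher such as DES or TEA is a fixed, structured map that no such simulation can vouch for.

```python
import secrets


class IdealCipher:
    """Lazily sampled ideal cipher: every key names its own independent,
    uniformly random permutation on block_bits-bit blocks.  Tables are
    built per key on demand, so any key (chosen or secret) may be queried."""

    def __init__(self, block_bits=16):
        self.size = 1 << block_bits
        self._fwd = {}  # key -> {plaintext: ciphertext}
        self._inv = {}  # key -> {ciphertext: plaintext}

    def _tables(self, key):
        return self._fwd.setdefault(key, {}), self._inv.setdefault(key, {})

    def _fresh(self, used):
        # Uniform over values not yet assigned, so each key stays a bijection.
        while True:
            v = secrets.randbelow(self.size)
            if v not in used:
                return v

    def encrypt(self, key, pt):
        fwd, inv = self._tables(key)
        if pt not in fwd:
            ct = self._fresh(inv)
            fwd[pt], inv[ct] = ct, pt
        return fwd[pt]

    def decrypt(self, key, ct):
        fwd, inv = self._tables(key)
        if ct not in inv:
            pt = self._fresh(fwd)
            fwd[pt], inv[ct] = ct, pt
        return inv[ct]


def is_consistent_permutation(cipher, key, n):
    """Sanity check: n distinct plaintexts map to n distinct ciphertexts,
    and decrypt inverts encrypt for each of them."""
    cts = [cipher.encrypt(key, p) for p in range(n)]
    injective = len(set(cts)) == n
    return injective and all(cipher.decrypt(key, c) == p for p, c in enumerate(cts))


def same_block_collisions(cipher, key_a, key_b, n):
    """Count plaintexts on which two keys agree.  Under the model this is
    about n / 2**block_bits, because the two permutations are independent."""
    return sum(cipher.encrypt(key_a, p) == cipher.encrypt(key_b, p) for p in range(n))
```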
