This paper probably helps answering part of your question : http://www.iacr.org/archive/crypto2000/18800229/18800229.pdf Note that you can't replace a random oracle by SHA256 but you might have better luck with HMAC-SHA256 (https://eprint.iacr.org/2013/382.pdf)
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography