Random oracles are practical: A paradigm for designing efficient protocols

Authors: M. Bellare and P. Rogaway

Abstract: We argue that the random oracle model ---where all parties have access to a public random oracle--- provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P^R for the random oracle model, and then replacing oracle accesses by the computation of an ``appropriately chosen'' function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.

Ref: Extended abstract in Proc. First Annual Conference on Computer and Communications Security, ACM, 1993. Full paper available below.

Full paper: Available as compressed postscript, postscript, or pdf. ( Help if this doesn't work).

Related work and links

Our most important schemes designed using the random oracle model are the PSS (Probabilistic Signature Scheme, for signing with RSA) and OAEP (Optimal Asymmetric Encryption Padding/Protocol, for encryption with RSA). We also used this model in the design of incremental hash functions. Following our work, the random oracle model has been used in numerous other places.