We argue that the random oracle model -- where all parties have access to a public random oracle -- provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.

Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is \ideal. " Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she \knows " the corresponding plaintexts|such ascheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

The Cipher Block Chaining -- Message Authentication Code (CBC MAC) specifies that a message x = x 1 \Delta \Delta \Delta xm be authenticated among parties who share a secret key a by tagging x with a prefix of f (m) a (x) def = f a (f a (\Delta \Delta \Delta f a (f a (x 1 )\Phix 2 )\Phi \Delta \Delta \Delta \Phix m\Gamma1 )\Phix m ) ; where f is some underlying block cipher (eg. f = DES). This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function. Advanced Networking Laboratory, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. e-m...

Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(r x ), where r x is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts---such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack. Advanced Networking Laboratory, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. e-mail: mihir@watson.ibm.com y Department of Computer Science, University of California at Davis, Davis, CA 95616, USA. e-mail: rogaway@cs.ucdavis.edu 1 Introduction Asymmetric (i.e. public key) encryption is a go...