Random Oracles Are Practical: a P Aradigm for Designing Eecient Protocols

We argue that the random oracle model |where all parties have access to a public random oracle| provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by rst devising and proving correct a protocol P for the random oracle model, and then replacing oracle accesses by the computation of an \appropriately chosen" function h. This paradigm yields protocols much more e cient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093. E-mail: [email protected] y Department of Computer Science, University of California at Davis, Davis, CA 95616, USA. E-mail: [email protected]