Designs, Codes and Cryptography, Volume 77, Issue 2–3, pp 587–610

The random oracle model: a twenty-year retrospective

  • Neal Koblitz
  • Alfred J. Menezes


It has been roughly two decades since the random oracle model for reductionist security arguments was introduced and one decade since we first discussed the controversy that had arisen concerning its use. In this retrospective we argue that there is no evidence that the need for the random oracle assumption in a proof indicates the presence of a real-world security weakness in the corresponding protocol. We give several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses that were not present in the original ones whose proofs required random oracles. We also argue that the willingness to use random oracles gives one the flexibility to modify certain protocols so as to reduce dependence on potentially vulnerable pseudorandom bit generators. Finally, we discuss a modified version of ECDSA, which we call ECDSA\({}^+\), that may have better real-world security than standard ECDSA, and compare it with a modified Schnorr signature. If one is willing to use the random oracle model (and the analogous generic group model), then various security arguments are known for these two schemes. If one shuns these models, then no provable security result is known for them.


Keywords: Cryptography, Public key, Random oracle

Mathematics Subject Classification




We would like to thank Dan Brown for valuable discussions of security reductions for ECDSA, Kenwrick Mayo for useful discussions of obfuscation constructions, Sanjit Chatterjee for thoughtful comments on an earlier draft, and Ann Hibner Koblitz for helpful editorial suggestions. We would also like to thank Dan Bernstein for informing us of the work [11] and Francisco Rodríguez-Henríquez for bringing the paper [54] to our attention. Finally, we thank the referees for their helpful comments.


  1. Apon D., Huang Y., Katz J., Malozemoff A.: Implementing cryptographic program obfuscation, Crypto 2014 rump session (2014).
  2. Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S., Yang K.: On the (im)possibility of obfuscating programs. J. ACM 59, 6 (2012).
  3. Barwood G.: Digital signatures using elliptic curves (1997).
  4. Beame P.W., Cook S.A., Hoover H.J.: Log depth circuits for division and related problems. SIAM J. Comput. 15, 994–1003 (1986).
  5. Bellare M.: Caught in between theory and practice. In: Crypto 2014 IACR Distinguished Lecture (2014).
  6. Bellare M., Rogaway P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM, New York (1993).
  7. Bellare M., Rogaway P.: Optimal asymmetric encryption—how to encrypt with RSA. In: Advances in Cryptology—Eurocrypt’94. LNCS, vol. 950, pp. 92–111. Springer, Berlin (1994).
  8. Bellare M., Boldyreva A., Palacio A.: An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In: Advances in Cryptology—Eurocrypt 2004. LNCS, vol. 3027, pp. 171–188. Springer, Berlin (2004).
  9. Bellare M., Hoang V.T., Keelveedhi S.: Instantiating random oracles via UCEs. In: Advances in Cryptology—Crypto 2013 (Part II). LNCS, vol. 8042, pp. 398–415. Springer, Berlin (2013); full version available at
  10. Bernstein D., Duif N., Lange T., Schwabe P., Yang B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2, 77–89 (2012).
  11. Bernstein D., Hülsing A., Lange T., Niederhagen R.: Bad directions in cryptographic hash functions, preprint (2015); available at
  12. Blake-Wilson S., Menezes A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Public Key Cryptography—PKC 1999. LNCS, vol. 1560, pp. 156–170. Springer, Berlin (1999).
  13. Boneh D., Boyen X.: Short signatures without random oracles. In: Advances in Cryptology—Eurocrypt 2004. LNCS, vol. 3027, pp. 56–73. Springer, Berlin (2004).
  14. Boneh D., DeMillo R., Lipton R.: On the importance of checking cryptographic protocols for faults. J. Cryptol. 14, 101–119 (2001).
  15. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. In: Advances in Cryptology—Asiacrypt 2001. LNCS, vol. 2248, pp. 514–532. Springer, Berlin (2001).
  16. Boneh D., Wu D., Zimmerman W.: Immunizing multilinear maps against zeroizing attacks (2014). Available at
  17. Boyen X., Mei Q., Waters B.: Direct chosen ciphertext security from identity-based techniques. In: 12th ACM Conference on Computer and Communications Security—CCS’05, pp. 320–329. ACM, New York (2005).
  18. Brickell E., Pointcheval D., Vaudenay S., Yung M.: Design validations for discrete logarithm based signature schemes. In: Public Key Cryptography—PKC 2000. LNCS, vol. 1751, pp. 276–292. Springer, Berlin (2000).
  19. Brown D.: Generic groups, collision resistance, and ECDSA. Des. Codes Cryptogr. 35, 119–152 (2005).
  20. Brown D.L.: On the provable security of ECDSA. In: Blake I., Seroussi G., Smart N. (eds.) Advances in Elliptic Curve Cryptography, pp. 21–40. Cambridge University Press, Cambridge (2005).
  21. Brown D., Gallant R.: The static Diffie–Hellman problem (2004).
  22. Buterin V.L.: Critical vulnerability found in Android wallets. Accessed 11 Aug 2013.
  23. Camenisch J., Neven G., Shelat A.: Simulatable adaptive oblivious transfer. In: Advances in Cryptology—Eurocrypt 2007. LNCS, vol. 4515, pp. 573–590. Springer, Berlin (2007).
  24. Canetti R., Goldreich O., Halevi S.: The random oracle model, revisited. In: Proceedings of 30th Annual Symposium Theory of Computing, pp. 209–218. ACM, New York (1998); full version available at
  25. Chatterjee S., Karabina K., Menezes A.: Fault attacks on pairing-based protocols revisited. IEEE Trans. Comput. (to appear); available at
  26. Chatterjee S., Menezes A., Sarkar P.: Another look at tightness. In: Selected Areas in Cryptography—SAC 2011. LNCS, vol. 7118. Springer, Berlin (2012); available at
  27. Cheon J.: Security analysis of the strong Diffie–Hellman problem. In: Advances in Cryptology—Eurocrypt 2006. LNCS, vol. 4004, pp. 1–11. Springer, Berlin (2006).
  28. Cheon J., Han K., Lee C., Ryu H., Stehlé D.: Cryptanalysis of the multilinear map over the integers. In: Advances in Cryptology—Eurocrypt 2015, Part I. LNCS, vol. 9056, pp. 3–12. Springer, New York (2015).
  29. Coron J.-S., Lepoint T., Tibouchi M.: Practical multilinear maps over the integers. In: Advances in Cryptology—Crypto 2013. LNCS, vol. 8042, pp. 476–493. Springer, Berlin (2013); full version available at
  30. Coron J.-S., Lepoint T., Tibouchi M.: Cryptanalysis of two candidate fixes of multilinear maps over the integers (2014). Available at
  31. Coron J.-S., Lepoint T., Tibouchi M.: New multilinear maps over the integers (2015). Available at
  32. Dang Q.: Randomized hashing for digital signatures, NIST Special Pub. 800–106 (2009).
  33. Dodis Y., Oliveira R., Pietrzak K.: On the generic insecurity of the full domain hash. In: Advances in Cryptology—Crypto 2005. LNCS, vol. 3621, pp. 449–466. Springer, Berlin (2005).
  34. Fildes J.: iPhone hacker publishes secret Sony PlayStation 3 key, 6 Jan 2011.
  35. Freire E., Hofheinz D., Paterson K., Striecks C.: Programmable hash functions in the multilinear setting. In: Advances in Cryptology—Crypto 2013. LNCS, vol. 8042, pp. 513–530. Springer, Berlin (2013); full version available at
  36. Gallant R.: The static Diffie–Hellman problem. In: Presented at ECC (2005). Available at
  37. Gennaro R., Halevi S., Rabin T.: Secure hash-and-sign signatures without the random oracle. In: Advances in Cryptology—Eurocrypt’99. LNCS, vol. 1592, pp. 123–139. Springer, Berlin (1999).
  38. Gentry C.: Practical identity-based encryption without random oracles. In: Advances in Cryptology—Eurocrypt 2006. LNCS, vol. 4004, pp. 445–464. Springer, Berlin (2006).
  39. Gentry C., Halevi S., Maji H., Sahai A.: Zeroizing without zeroes: cryptanalyzing multilinear maps without encodings of zero (2014). Available at
  40. Goldreich O.: On post-modern cryptography (2006).
  41. Goldwasser S., Tauman Kalai Y.: On the (in)security of the Fiat–Shamir paradigm. In: Proceedings of the 44th Annual Symposium Foundations of Computer Science, pp. 102–113. IEEE (2003); full version available at
  42. Goldwasser S., Micali S., Rivest R.: A paradoxical solution to the signature problem. In: Proceedings of the 25th Annual IEEE Symposium on the Foundations of Computer Science, pp. 441–448 (1984).
  43. Green M., Katz J., Malozemoff A., Zhou H.-S.: A unified approach to idealized model separations via indistinguishability obfuscation (2015). Available at:
  44. Hohenberger S., Sahai A., Waters B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Advances in Cryptology—Eurocrypt 2014. LNCS, vol. 8441, pp. 201–220. Springer, Berlin (2014).
  45. Jao D., Yoshida K.: Boneh–Boyen signatures and the strong Diffie–Hellman problem. In: Pairing-Based Cryptography—Pairing 2009. LNCS, vol. 5671, pp. 1–16. Springer, Berlin (2009); full version available at
  46. Koblitz N., Menezes A.: Another look at provable security. In: II Progress in Cryptology—Indocrypt 2006. LNCS, vol. 4329, pp. 148–175. Springer, Berlin (2006); available at
  47. Koblitz N., Menezes A.: Another look at provable security. J. Cryptol. 20, 3–37 (2007); available at
  48. Koblitz N., Menezes A.: Another look at generic groups. Adv. Math. Commun. 1, 13–28 (2007); available at
  49. Koblitz N., Menezes A.: The brave new world of bodacious assumptions in cryptography. Not. Am. Math. Soc. 57, 357–365 (2010); available at
  50. Koblitz N., Menezes A.: Another look at security definitions. Adv. Math. Commun. 7, 1–38 (2013); available at
  51. Koblitz N., Menezes A.: Another look at security theorems for 1-key nested MACs. In: Open Problems in Mathematics and Computational Science, pp. 69–89. Springer, Berlin (2014).
  52. Lenstra A.K., Hughes J.P., Augier M., Bos J., Kleinjung T., Wachter C.: Public keys. In: Advances in Cryptology—Crypto 2012. LNCS, vol. 7417, pp. 626–642. Springer, Berlin (2012).
  53. Lysyanskaya A.: Unique signatures and verifiable random functions from the DH–DDH separation. In: Advances in Cryptology—Crypto 2002. LNCS, vol. 2442, pp. 597–612. Springer, Berlin (2002).
  54. Malone-Lee J., Smart N.: Modifications of ECDSA. In: Selected Areas in Cryptography—SAC 2003. LNCS, vol. 2595, pp. 1–12. Springer, Berlin (2002).
  55. Menezes A., van Oorschot P., Vanstone S.: Handbook of Applied Cryptography. CRC, Boca Raton (1996).
  56. Neven G., Smart N., Warinschi B.: Hash function requirements for Schnorr signatures. J. Math. Cryptol. 3, 69–87 (2009).
  57. Nielsen J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Advances in Cryptology—Crypto 2002. LNCS, vol. 2442, pp. 111–126. Springer, Berlin (2002).
  58. Nguyen P., Shparlinski I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30, 201–217 (2003).
  59. Page D., Vercauteren F.: A fault attack on pairing-based cryptography. IEEE Trans. Comput. 55, 1075–1080 (2006).
  60. Paillier P., Vergnaud D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Advances in Cryptology—Asiacrypt 2005. LNCS, vol. 3788, pp. 1–20. Springer, Berlin (2005).
  61. Perlroth N., Larson J., Shane S.: N.S.A. able to foil basic safeguards of privacy on web. The New York Times, 5 Sept 2013.
  62. Pointcheval D., Stern J.: Security proofs for signature schemes. In: Advances in Cryptology—Eurocrypt’96. LNCS, vol. 1070, pp. 387–398. Springer, Berlin (1996).
  63. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13, 361–396 (2000).
  64. Pornin T.: Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA), RFC 6979, IETF, August (2013).
  65. Ramchen K., Waters B.: Fully secure and fast signing from obfuscation. In: Proceedings of ACM CCS’14, pp. 659–673. ACM, New York (2014).
  66. Schnorr C.P.: Efficient signature generation for smart cards. J. Cryptol. 4, 161–174 (1991).
  67. Seurin Y.: On the exact security of Schnorr-type signatures in the random oracle model. In: Advances in Cryptology—Eurocrypt 2012. LNCS, vol. 7237, pp. 554–571. Springer, Berlin (2012).
  68. Whelan C., Scott M.: The importance of the final exponentiation in pairings when considering fault attacks. In: Pairing-Based Cryptography—Pairing 2007. LNCS, vol. 4575, pp. 225–246. Springer, Berlin (2007).
  69. Wigley J.: Removing need for rng in signatures (1997).
  70. Zimmerman J.: How to obfuscate programs directly. In: Advances in Cryptology—Eurocrypt 2015, Part II. LNCS, vol. 9057, pp. 439–467. Springer, Berlin (2015).

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. Department of Mathematics, University of Washington, Seattle, USA
  2. Department of Combinatorics & Optimization, University of Waterloo, Waterloo, Canada
