In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated it responds the same way every time that query is submitted.
Stated differently, a random oracle is a random mathematical function, that is, a function mapping each possible query to a (fixed) random response from its output domain.
Random oracles as a mathematical abstraction were firstly used in rigorous cryptographic proofs in the work by Mihir Bellare and Phillip Rogaway (1993). Since that they are typically used when the cryptographic hash functions in the method cannot be proven to possess the mathematical properties required by the proof. A system that is proven secure when every hash function is replaced by a random oracle is described as being secure in the random oracle model, as opposed to secure in the standard model.
In practice, random oracles are typically used as an ideal replacement for cryptographic hash functions in schemes where strong randomness assumptions are needed of the hash function's output. Such a proof generally shows that a system or a protocol is secure by showing that an attacker must require impossible behavior from the oracle, or solve some mathematical problem believed hard, in order to break the protocol. Not all uses of cryptographic hash functions require random oracles: schemes that require only some property or properties that have a definition in the standard model (such as collision resistance, preimage resistance, second preimage resistance, etc.) can often be proven secure in the standard model (e.g., the Cramer–Shoup cryptosystem).
Random oracles have long been considered in computational complexity theory (e.g. Bennett & Gill), and many schemes have been proven secure in the random oracle model, for example OAEP, RSA-FDH and PSS. Fiat and Shamir (1986) showed a major application of random oracles – the removal of interaction from protocols for the creation of signatures. Impagliazzo and Rudich (1989) showed the limitation of random oracles – namely that their existence alone is not sufficient for secret-key exchange. Bellare and Rogaway in 1993 firstly advocated their use in cryptographic constructions. In this definition, the random oracle produces a bit-string of infinite length which can be truncated to the length desired.
When a random oracle is used within a security proof, it is made available to all players, including the adversary or adversaries. A single oracle may be treated as multiple oracles by pre-pending a fixed bit-string to the beginning of each query (e.g., queries formatted as "1|x" or "0|x" can be considered as calls to two separate random oracles, similarly "00|x", "01|x", "10|x" and "11|x" can be used to represent calls to four separate random oracles).
No function computable by a finite algorithm can implement a true random oracle (which by definition requires an infinite description).
In fact, certain artificial signature and encryption schemes are known which are proven secure in the random oracle model, but which are trivially insecure when any real function is substituted for the random oracle. Nonetheless, for any more natural protocol a proof of security in the random oracle model gives very strong evidence of the practical security of the protocol.
In general, if a protocol is proven secure, attacks to that protocol must either be outside what was proven, or break one of the assumptions in the proof; for instance if the proof relies on the hardness of integer factorization, to break this assumption one must discover a fast integer factorization algorithm. Instead, to break the random oracle assumption, one must discover some unknown and undesirable property of the actual hash function; for good hash functions where such properties are believed unlikely, the considered protocol can be considered secure.
An ideal cipher is a random permutation oracle that is used to model an idealized block cipher. A random permutation decrypts each ciphertext block into one and only one plaintext block and vice versa, so there is a one-to-one correspondence. Some cryptographic proofs make not only the "forward" permutation available to all players, but also the "reverse" permutation.
- Mihir Bellare and Phillip Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, ACM Conference on Computer and Communications Security 1993, pp. 62–73 (PS and PDF).
- Bennett, Charles H.; Gill, John (1981), "Relative to a Random Oracle A, P^A != NP^A != co-NP^A with Probability 1", SIAM Journal on Computing 10 (1): 96–113, doi:10.1137/0210008, ISSN 1095-7111
- Amos Fiat and Adi Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO 1986: pp. 186–194
- Russell Impagliazzo and Steven Rudich: Limits on the Provable Consequences of One-Way Permutations STOC 1989: pp. 44–61
- Ran Canetti, Oded Goldreich and Shai Halevi, The Random Oracle Methodology Revisited, STOC 1998, pp. 209–218 (PS and PDF).
- Craig Gentry and Zulfikar Ramzan. "Eliminating Random Permutation Oracles in the Even-Mansour Cipher". 2004.
- Koblitz, Neal; Menezes, Alfred J. (2015). "The Random Oracle Model: A Twenty-Year Retrospective". Another Look. Retrieved 6 March 2015.
- Holenstein, Thomas; Künzler, Robin; Tessaro, Stefano (2011). "The equivalence of the random oracle model and the ideal cipher model, revisited". STOC '11. ACM. pp. 89–98. doi:10.1145/1993636.1993650.