We argue that the random oracle model ---where all parties have access to a public randomoracle--- provides a bridge between cryptographic theory and cryptographic practice. In theparadigm we suggest, a practical protocol P is produced by first devising and proving correct aprotocol PRfor the random oracle model, and then replacing oracle accesses by the computationof an "appropriately chosen" function h. This paradigm yields protocols much more efficientthan standard ones while...