How to Simulate Random Oracles with Auxiliary Input

The *random oracle model* (ROM) allows us to optimistically reason about security properties of cryptographic hash functions, and has been hugely influential in designing practical cryptosystems. But it is overly optimistic against non-uniform adversaries, and often suggests security properties and security levels unachievable by any real hash function. To reconcile with this discrepancy, Unruh [CRYPTO ’07] proposed the *auxiliary-input random oracle model* (AI-ROM), where a non-uniform attack