Here is an example that I use in The Joy of Cryptography textbook.
Consider the following symmetric-key encryption scheme, where $H$ is a function with input and output length equal to the security parameter.
To encrypt plaintext $M$ under key $K$:
1. sample random block $R$
2. interpret $M$ as a Python program, and run it on input $R$ for at most $|M|$ steps
3. if the output of the program equals $H(R)$ then output $K \| M$
4. otherwise, encrypt $M$ using standard CBC mode encryption with key $K$
This construction is CPA-secure when $H$ is a random oracle, and here is a sketch of the proof.
Consider the moment that an adversary asks for an encryption of $M$ in the CPA security game.
The game chooses $R$ at random, so with all but negligible probability, the adversary has not yet queried the random oracle at $R$.
Thus the output $H(R)$ is a fresh random value, and independent of the output of Python program $M(R)$, so the two values are equal with only negligible probability.
In summary, the scheme enters line 4 and behaves exactly like CBC encryption (which is CPA-secure) with all but negligible probability.
On the other hand, if $H$ is any standard-model function, then the scheme is insecure.
The adversary just asks for an encryption of a Python implementation of $H$, and the resulting ciphertext will contain the key $K$.
(Technically speaking, take a Python implementation of $H$ and pad its source code with comments until $M$ is long enough so that the $H$-implementation halts in $|M|$ steps. The reason the scheme "runs $M$ for at most $|M|$ steps" is just to gracefully deal with the fact that not all Python programs halt. Alternatively, replace "Python program" with "boolean circuit" and you don't have to worry about non-halting behavior because a boolean circuit always "halts.")
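The scheme above as a runnable sketch (an added example, not code from the textbook or the original answer). Assumptions: SHA-256 plays the standard-model $H$, the program reports its result in a variable named `out`, "steps" are counted as `sys.settrace` events, and the CBC branch is replaced by a SHA-256 keystream stand-in because the standard library has no AES.

```python
import hashlib, os, sys
def sha256(x):  # assumed standard-model instantiation of H
    return hashlib.sha256(x).digest()

def random_oracle():  # lazily sampled random function; no program M computes it
    table = {}
    return lambda x: table.setdefault(x, os.urandom(32))

def run_program(M, R):
    """Run M as Python on input R for at most |M| traced steps; return its `out`."""
    steps = 0
    def tracer(frame, event, arg):
        nonlocal steps
        steps += 1
        if steps > len(M):
            raise TimeoutError("step budget exhausted")
        return tracer
    env, old = {"R": R}, sys.gettrace()
    sys.settrace(tracer)
    try:
        exec(M.decode(), env)
    except Exception:
        return None  # crashed, malformed, or ran past the budget
    finally:
        sys.settrace(old)
    return env.get("out")

def fallback_encrypt(K, M):
    # Stand-in for the CBC branch (not CBC): XOR with a SHA-256 keystream.
    nonce = os.urandom(16)
    blocks = (sha256(K + nonce + i.to_bytes(4, "big")) for i in range(len(M) // 32 + 1))
    return nonce + bytes(a ^ b for a, b in zip(M, b"".join(blocks)))

def encrypt(K, M, H):
    R = os.urandom(32)
    if run_program(M, R) == H(R):
        return K + M  # the deliberate key-leaking branch of the scheme
    return fallback_encrypt(K, M)

# Constructed plaintext: a Python implementation of H, comment-padded so |M| covers its steps.
H_SOURCE = b"import hashlib\nout = hashlib.sha256(R).digest()\n" + b"#" * 4096

def demo():
    K = os.urandom(32)
    return (encrypt(K, H_SOURCE, sha256).startswith(K),           # H = SHA-256: key leaks
            encrypt(K, H_SOURCE, random_oracle()).startswith(K))  # H = random oracle: no leak

if __name__ == "__main__":
    print(demo())
```
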