Optimal Security Proofs for PSS and Other Signature Schemes

  • Jean-Sébastien Coron
Conference paper

DOI: 10.1007/3-540-46035-7_18

Volume 2332 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Coron JS. (2002) Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg

Abstract

The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that $\log_2 q_{sig}$ bits suffice, where $q_{sig}$ is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than $\log_2 q_{sig}$ bits are used, then PSS is still provably secure but it cannot have a tight security proof. Our technique applies to other signature schemes such as the Full Domain Hash scheme and Gennaro-Halevi-Rabin’s scheme, whose security proofs are shown to be optimal.

Key-words

Probabilistic Signature Scheme; Provable Security
Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Jean-Sébastien Coron (1)

  1. Gemplus Card International, Issy-les-Moulineaux, France