Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2012: Advances in Cryptology – EUROCRYPT 2012 pp 537-553

Optimal Security Proofs for Full Domain Hash, Revisited

  • Saqib A. Kakvi
  • Eike Kiltz
Conference paper

DOI: 10.1007/978-3-642-29011-4_32

Volume 7237 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Kakvi S.A., Kiltz E. (2012) Optimal Security Proofs for Full Domain Hash, Revisited. In: Pointcheval D., Johansson T. (eds) Advances in Cryptology – EUROCRYPT 2012. EUROCRYPT 2012. Lecture Notes in Computer Science, vol 7237. Springer, Berlin, Heidelberg


RSA Full Domain Hash (RSA-FDH) is a digital signature scheme, secure against chosen message attacks in the random oracle model. The best known security reduction from the RSA assumption is nontight, i.e., it loses a factor of q_s, where q_s is the number of signature queries made by the adversary. It was furthermore proved by Coron (EUROCRYPT 2002) that a security loss of q_s is optimal and cannot possibly be improved. In this work we uncover a subtle flaw in Coron’s impossibility result. Concretely, we show that it only holds if the underlying trapdoor permutation is certified. Since it is well known that the RSA trapdoor permutation is (for all practical parameters) not certified, this renders Coron’s impossibility result moot for RSA-FDH. Motivated by this, we revisit the question whether there is a tight security proof for RSA-FDH. Concretely, we give a new tight security reduction from a stronger assumption, the Phi-Hiding assumption introduced by Cachin et al. (EUROCRYPT 1999). This justifies the choice of smaller parameters in RSA-FDH, as it is commonly used in practice. All of our results (positive and negative) extend to the probabilistic signature scheme PSS.
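As an added illustration (not code from the paper), the sketch below runs toy RSA-FDH and shows what "not certified" means: with the same small prime e, one modulus makes x -> x^e a permutation while another, where e divides phi(N), makes it e-to-1, and the Phi-Hiding assumption says the two kinds of key are hard to tell apart from (N, e) alone. The primes, the hash expansion and all function names are constructed for this example.

```python
import hashlib
from math import gcd

def fdh(message: bytes, n: int) -> int:
    """Toy full-domain hash: two SHA-256 blocks in counter mode, reduced mod n."""
    stream = b"".join(
        hashlib.sha256(i.to_bytes(4, "big") + message).digest() for i in range(2)
    )
    return int.from_bytes(stream, "big") % n

def private_exponent(p: int, q: int, e: int):
    """Return d with e*d = 1 mod phi(N), or None when e shares a factor with phi(N)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi) if gcd(e, phi) == 1 else None

def sign(message: bytes, n: int, d: int) -> int:
    return pow(fdh(message, n), d, n)

def verify(message: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == fdh(message, n)

def image_size(n: int, e: int) -> int:
    """Count distinct values of x^e mod n over the units of Z_n (brute force)."""
    return len({pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1})

# Constructed toy parameters; real moduli are far too large to enumerate.
E = 5
INJECTIVE = (47, 59)  # gcd(5, 46*58) = 1: x -> x^5 is a permutation
LOSSY = (41, 59)      # 5 divides 41 - 1:  x -> x^5 is 5-to-1 on the units

if __name__ == "__main__":
    for name, (p, q) in (("injective", INJECTIVE), ("lossy", LOSSY)):
        n, phi = p * q, (p - 1) * (q - 1)
        d = private_exponent(p, q, E)
        print(f"{name}: N={n} phi={phi} image={image_size(n, E)} d={d}")
        if d is not None:
            sig = sign(b"constructed message", n, d)
            print("  signature verifies:", verify(b"constructed message", sig, n, E))
```

For the lossy modulus no signing exponent exists and the image shrinks by a factor of e, which is only visible here because the toy group is small enough to enumerate.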

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Saqib A. Kakvi (1)
  • Eike Kiltz (1)
  1. Faculty of Mathematics, Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany