Journal of Cryptology, Volume 31, Issue 1, pp. 276–306

Optimal Security Proofs for Full Domain Hash, Revisited

  • Saqib A. Kakvi
  • Eike Kiltz

Abstract

RSA Full Domain Hash (RSA-FDH) is a digital signature scheme, secure against chosen message attacks in the random oracle model. The best known security reduction from the RSA assumption is non-tight, i.e., it loses a factor of \(q_s\), where \(q_s\) is the number of signature queries made by the adversary. It was furthermore proven by Coron (Advances in cryptology—EUROCRYPT 2002, Lecture notes in computer science, vol 2332. Springer, Berlin, pp 272–287, 2002) that a security loss of \(q_s\) is optimal and cannot possibly be improved. In this work, we uncover a subtle flaw in Coron’s impossibility result. Concretely, we show that it only holds if the underlying trapdoor permutation is certified. Since it is well known that the RSA trapdoor permutation is (for all practical parameters) not certified, this renders Coron’s impossibility result moot for RSA-FDH. Motivated by this, we revisit the question whether there is a tight security proof for RSA-FDH. Concretely, we give a new tight security reduction from a stronger assumption, the Phi-Hiding assumption introduced by Cachin et al. (Advances in Cryptology—EUROCRYPT’99. Lecture notes in computer science, vol 1592. Springer, Berlin, pp 402–414, 1999). This justifies the choice of smaller parameters in RSA-FDH, as it is commonly used in practice. All of our results (positive and negative) extend to the probabilistic signature scheme PSS (with message recovery).
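The following is an added worked example in Python; it is not code from the paper. It implements RSA-FDH signing and verification over toy primes and then makes the abstract's "certified" caveat concrete: two public keys (N, e), both with e = 3, pass every check a verifier can perform from the public key alone, yet for the second key e divides phi(N), so x -> x^e mod N is 3-to-1 rather than a permutation and no signing exponent exists. The counter-based rejection hash into Z_N, the primes 1019, 1013 and 1009, and all function names are constructed for this example (assumptions, not anything a standard or the paper specifies).

```python
import hashlib
from math import gcd


def fdh(message: bytes, n: int) -> int:
    """Full-domain hash into Z_N (an assumed construction, not the paper's).

    SHA-256 is expanded with a counter to bit_length(N) bits; outputs that
    land at or above N are rejected and the counter is bumped, so the result
    is (close to) uniform over Z_N, which is what the FDH proofs model.
    """
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    for counter in range(1 << 16):  # expected number of tries is below 2
        stream = b""
        block = 0
        while len(stream) < nbytes:
            data = message + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
            stream += hashlib.sha256(data).digest()
            block += 1
        h = int.from_bytes(stream[:nbytes], "big") & ((1 << nbits) - 1)
        if h < n:
            return h
    raise RuntimeError("rejection sampling did not terminate")


def keygen(p: int, q: int, e: int):
    """Toy RSA key from given primes (real keys use 2048-bit moduli).

    Returns (pk, sk). sk is None when gcd(e, phi(N)) != 1: then x -> x^e mod N
    is many-to-one ('lossy') and no signing exponent d exists.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return (n, e), None
    return (n, e), (n, pow(e, -1, phi))


def sign(sk, message: bytes) -> int:
    n, d = sk
    return pow(fdh(message, n), d, n)


def verify(pk, message: bytes, sigma: int) -> bool:
    n, e = pk
    return 0 <= sigma < n and pow(sigma, e, n) == fdh(message, n)


def looks_well_formed(pk) -> bool:
    """Everything a verifier can check from (N, e) alone.

    None of these checks detects e | phi(N): that would need phi(N), i.e. the
    factorisation of N. This is the sense in which RSA is 'not certified'.
    """
    n, e = pk
    return n % 2 == 1 and e % 2 == 1 and 1 < e < n and gcd(e, n) == 1


def image_size(pk) -> int:
    """Size of {x^e mod N : x in Z_N}; equals N iff the map is a permutation.
    Brute force, so only usable for toy moduli."""
    n, e = pk
    return len({pow(x, e, n) for x in range(n)})


def preimages(pk, y: int) -> list:
    """All x in Z_N with x^e = y (mod N); brute force, toy moduli only."""
    n, e = pk
    return [x for x in range(n) if pow(x, e, n) == y]


if __name__ == "__main__":
    # Constructed toy keys, both with e = 3:
    #   1019 ≡ 1013 ≡ 2 (mod 3) -> gcd(3, phi(N)) = 1, cubing is a permutation
    #   1009 ≡ 1 (mod 3)        -> 3 | phi(N), cubing is lossy (3-to-1)
    pk, sk = keygen(1019, 1013, 3)
    lossy_pk, lossy_sk = keygen(1009, 1013, 3)
    msg = b"constructed test message"
    sigma = sign(sk, msg)
    print("verify(genuine):  ", verify(pk, msg, sigma))
    print("verify(tampered): ", verify(pk, msg + b"!", sigma))
    print("well-formed keys: ", looks_well_formed(pk), looks_well_formed(lossy_pk))
    print("image size / N:   ", image_size(pk), "/", pk[0],
          "vs", image_size(lossy_pk), "/", lossy_pk[0])
    print("preimages of 2^3: ", len(preimages(pk, 8)), "vs", len(preimages(lossy_pk, 8)))
```

Run as a script, the lossy key reports an image of 337 * 1013 elements out of N = 1009 * 1013 and three cube roots of 8, while the genuine key covers all of Z_N with a single root; `looks_well_formed` accepts both keys. The Phi-Hiding assumption says that, at real parameters, telling the two kinds of key apart is hard, which is exactly the gap Coron's lower bound does not account for and the tight reduction in the paper exploits.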

Keywords

Digital signatures; Full domain hash; Lossiness; Security reduction

Acknowledgements

We thank Mihir Bellare, Dennis Hofheinz, and Bertram Poettering for valuable comments on an earlier draft. We also thank the Journal of Cryptology reviewers for their helpful comments. We would also like to thank the reviewer for the Journal of Cryptology for their insightful comments. This work was done while Saqib A. Kakvi was employed at Ruhr-University Bochum. The authors were supported by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation, funded by the German Federal Ministry for Education and Research.

References

  1. M. Abe, J. Groth, M. Ohkubo, Separating short structure-preserving signatures from non-interactive assumptions, in Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science (Springer, Berlin, 2011), pp. 628–646
  2. M. Bellare, C. Namprempre, D. Pointcheval, M. Semanko, The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)
  3. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby (ed) ACM CCS 93: 1st Conference on Computer and Communications Security (ACM Press, New York, 1993), pp. 62–73
  4. M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, in U.M. Maurer (ed) Advances in Cryptology—EUROCRYPT’96. Lecture Notes in Computer Science, vol. 1070 (Springer, Berlin, 1996), pp. 399–416
  5. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in S. Vaudenay (ed) Advances in Cryptology—EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
  6. M. Bellare, M. Yung, Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)
  7. D.J. Bernstein, Proving tight security for Rabin–Williams signatures, in N.P. Smart (ed) Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965 (Springer, Berlin, 2008), pp. 70–87
  8. D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in C. Boyd (ed) Advances in Cryptology—ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 514–532
  9. C. Cachin, Efficient private bidding and auctions with an oblivious third party, in ACM CCS 99: 6th Conference on Computer and Communications Security (ACM Press, New York, 1999), pp. 120–127
  10. C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in J. Stern (ed) Advances in Cryptology—EUROCRYPT’99. Lecture Notes in Computer Science, vol. 1592 (Springer, Berlin, 1999), pp. 402–414
  11. D. Coppersmith, Finding a small root of a univariate modular equation, in U.M. Maurer (ed) Advances in Cryptology—EUROCRYPT’96. Lecture Notes in Computer Science, vol. 1070 (Springer, Berlin, 1996), pp. 155–165
  12. J.-S. Coron, On the exact security of full domain hash, in M. Bellare (ed) Advances in Cryptology—CRYPTO 2000. Lecture Notes in Computer Science, vol. 1880 (Springer, Berlin, 2000), pp. 229–235
  13. J.-S. Coron, Optimal security proofs for PSS and other signature schemes. Cryptology ePrint Archive, Report 2001/062, 2001. http://eprint.iacr.org/2001/062
  14. J.-S. Coron, Optimal security proofs for PSS and other signature schemes, in L.R. Knudsen (ed) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 272–287
  15. C. Gentry, P.D. Mackenzie, Z. Ramzan, Password authenticated key exchange using hidden smooth subgroups, in V. Atluri, C. Meadows, A. Juels (eds) ACM CCS Conference on Computer and Communications Security (ACM Press, New York, 2005), pp. 299–309
  16. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in R.E. Ladner, C. Dwork (eds) 40th Annual ACM Symposium on Theory of Computing (ACM Press, New York, 2008), pp. 197–206
  17. C. Gentry, Z. Ramzan, Single-database private information retrieval with constant communication rate, in L. Caires, G.F. Italiano, L. Monteiro, C. Palamidessi, M. Yung (eds) ICALP 2005: 32nd International Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 3580 (Springer, Berlin, 2005), pp. 803–815
  18. E.-J. Goh, S. Jarecki, J. Katz, N. Wang, Efficient signature schemes with tight reductions to the Diffie–Hellman problems. J. Cryptol. 20(4), 493–514 (2007)
  19. B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in D. Wagner (ed) Advances in Cryptology—CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin, 2008), pp. 126–143
  20. IEEE P1363a Committee, IEEE P1363a / D9 — standard specifications for public key cryptography: Additional techniques. http://grouper.ieee.org/groups/1363/index.html/, June 2001. Draft Version 9
  21. S.A. Kakvi, E. Kiltz, A. May, Certifying RSA, in Advances in Cryptology—ASIACRYPT 2012. Lecture Notes in Computer Science (Springer, Berlin, 2012), pp. 404–414
  22. E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in T. Rabin (ed) Advances in Cryptology—CRYPTO 2010. Lecture Notes in Computer Science, vol. 6223 (Springer, Berlin, 2010), pp. 295–313
  23. N. Koblitz, A. Menezes, Another look at security definitions. Cryptology ePrint Archive, Report 2011/343, 2011. http://eprint.iacr.org/2011/343
  24. N. Koblitz, A.J. Menezes, Another look at “provable security”. J. Cryptol. 20(1), 3–37 (2007)
  25. A. Lysyanskaya, S. Micali, L. Reyzin, H. Shacham, Sequential aggregate signatures from trapdoor permutations, in C. Cachin, J. Camenisch (eds) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 74–90
  26. S. Micali, Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
  27. P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in X. Lai, K. Chen (eds) Advances in Cryptology—ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284 (Springer, Berlin, 2006), pp. 252–266
  28. C. Peikert, B. Waters, Lossy trapdoor functions and their applications, in R.E. Ladner, C. Dwork (eds) 40th Annual ACM Symposium on Theory of Computing (ACM Press, New York, 2008), pp. 187–196
  29. PKCS #1: RSA cryptography standard. RSA Data Security, Inc., Sept. 1998. Version 2.0
  30. C. Schridde, B. Freisleben, On the validity of the phi-hiding assumption in cryptographic protocols, in J. Pieprzyk (ed) Advances in Cryptology—ASIACRYPT 2008. Lecture Notes in Computer Science, vol. 5350 (Springer, Berlin, 2008), pp. 344–354
  31. N. Smart, ECRYPT II yearly report on algorithms and keysizes (2009–2010). Framework (2010), p. 116

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Paderborn University, Paderborn, Germany
  2. Ruhr-University Bochum, Bochum, Germany