Abstract
The popular random-oracle-based signature schemes, such as Probabilistic Signature Scheme (PSS) and Full Domain Hash (FDH), output a signature of the form 〈f -1(y),pub〉, where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA. This leads to two natural questions: (1) can the asymptotic security analysis be improved with general trapdoor permutations?; and, if not, (2) what general cryptographic assumption on f— enjoyed by specific functions like RSA — is “responsible” for the improved security?
We answer both these questions. First, we show that if f is a “blackbox” trapdoor permutation, then the poor exact security is unavoidable. More specifically, the “security loss” for general trapdoor permutations is Ω(q hash), where q hash is the number of random oracle queries made by the adversary (which could be quite large). On the other hand, we show that all the security bene.ts of the RSA-based variants come into effect once f comes from a family of claw-free permutation pairs. Our results signifucantly narrow the current “gap” between general trapdoor permutations and RSA to the “gap” between trapdoor permutations and claw-free permutations. Additionally, they can be viewed as the first security/efficiency separation between these basic cryptographic primitives. In other words, while it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, we show that certain important schemes (like FDH and PSS) provably work with either, but enjoy a much better tradeo. between security and efficiency when deployed with claw-free permutations.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Mihir Bellare and Silvio Micali. How to sign given any trapdoor function. In Goldwasser [Gol88], pages 200–215.
Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communication Security, pages 62–73, November 1993. Revised version available from http://www.cs.ucsd.edu/~mihir/.
Mihir Bellare and Phillip Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Ueli Maurer, editor, Advances in Cryptology-EUROCRYPT 96, volume 1070 of Lecture Notes in Computer Science, pages 399–416. Springer-Verlag, 12-16 May 1996. Revised version appears in http://www-cse.ucsd.edu/users/mihir/papers/crypto-papers.html.
Jean-Sébastian Coron. On the exact security of full domain hash. In Mihir Bellare, editor, Advances in Cryptology-CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 229–235. Springer-Verlag, 20–24 August 2000.
Jean-Sébastian Coron. Optimal security proofs for PSS and other signature schemes. In Lars Knudsen, editor, Advances in Cryptology-EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 272–287. Springer-Verlag, 28 April-2 May 2002.
Ivan Damgård. Collision-free hash functions and public-key signature schemes. In David Chaum and Wyn L. Price, editors, Advances in Cryptology-EUROCRYPT 87, volume 304 of Lecture Notes in Computer Science. Springer-Verlag, 1988, 13-15 April 1987.
Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology-CRYPTO’ 86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11-15 August 1986.
Rosario Gennaro, Yael Gertner, and Jonathan Katz. Bounds on the efficiency of encryption and digital signatures. Technical Report 2002-22, DIMACS: Center for Discrete Mathematics and Theoretical Computer Science, 2002. Available from http://dimacs.rutgers.edu/TechnicalReports/2002.html.
Sha. Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, April 1988.
Yael Gertner, Tal Malkin, and Omer Reingold. On the impossibility of basing trapdoor functions on trapdoor predicates. In 42nd Annual Symposium on Foundations of Computer Science, Las Vegas, Nevada, October 2001. IEEE.
Sha. Goldwasser, editor. Advances in Cryptology-CRYPTO’ 88, volume 403 of Lecture Notes in Computer Science. Springer-Verlag, 1990, 21-25 August 1988.
Louis Claude Guillou and Jean-Jacques Quisquater. A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In Goldwasser [Gol88], pages 216–231.
Rosario Gennaro and Luca Trevisan. Lower bounds on the efficiency of generic cryptographic constructions. In 41st Annual Symposium on Foundations of Computer Science, Redondo Beach, California, November 2000. IEEE.
Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In [ACM89], pages 44–61.
Hugo Krawczyk and Tal Rabin. Chameleon signatures. In Network and Distributed System Security Symposium, pages 143–154. The Internet Society, 2000.
Jeong Han Kim, Daniel R. Simon, and Prasad Tetali. Limits on the efficiency of one-way permutation-based hash functions. In 40th Annual Symposium on Foundations of Computer Science, New York, October 1999. IEEE.
Silvio Micali. A secure and efficient digital signature algorithm. Technical Report MIT/LCS/TM-501, Massachusetts Institute of Technology, Cambridge, MA, March 1994.
Silvio Micali and Leonid Reyzin. Improving the exact security of digital signature schemes.Journal of Cryptology, 15:1–18, 2002. au]NY89._Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic applications. In [ACM89], pages 33–43.
Heidroon Ong and Claus P. Schnorr. Fast signature generation with a Fiat Shamir-like scheme. In I. B. Damgård, editor, Advances in Cryptology-EUROCRYPT 90, volume 473 of Lecture Notes in Computer Science, pages 432–440. Springer-Verlag, 1991, 21-24 May 1990.
Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Jacques Stern, editor, Advances in Cryptology-EUROCRYPT’99, volume 1592 of Lecture Notes in Computer Science. Springer-Verlag, 2-6 May 1999.
John Rompel. One-way functions are necessary and suficient for secure signatures. In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, pages 387–394, Baltimore, Maryland, 14-16 May 1990.
Daniel R. Simon. Finding collisions on a one-way street: Can secure hash functions be based on general assumptions. In Kaisa Nyberg, editor, Advances in Cryptology-EUROCRYPT 98, volume 1403 of Lecture Notes in Computer Science. Springer-Verlag, May 31-June 4 1998.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dodis, Y., Reyzin, L. (2003). On the Power of Claw-Free Permutations. In: Cimato, S., Persiano, G., Galdi, C. (eds) Security in Communication Networks. SCN 2002. Lecture Notes in Computer Science, vol 2576. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36413-7_5
Download citation
DOI: https://doi.org/10.1007/3-540-36413-7_5
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00420-2
Online ISBN: 978-3-540-36413-9
eBook Packages: Springer Book Archive