On the Generic Insecurity of the Full Domain Hash

  • Yevgeniy Dodis
  • Roberto Oliveira
  • Krzysztof Pietrzak
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)


The Full-Domain Hash (FDH) signature scheme [3] is one of the most basic usages of random oracles. It works with a family \(\mathcal{F}\) of trapdoor permutations (TDP), where the signature of m is computed as \(f^{-1}(h(m))\) (here \({f} \in_{\mathcal{R}} \mathcal{F}\) and h is modelled as a random oracle). It is known to be existentially unforgeable for any TDP family \(\mathcal{F}\) [3], although a much tighter security reduction is known for a restrictive class of TDPs [10,14], namely those induced by a family of claw-free permutation (CFP) pairs. The latter result was shown [11] to match the best possible “black-box” security reduction in the random oracle model, irrespective of the TDP family \(\mathcal{F}\) (e.g., RSA) one might use.
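The scheme described above, as an added worked example that is not part of the paper: textbook RSA plays the role of the trapdoor permutation \(f(x) = x^e \bmod N\), and the random oracle h is instantiated with SHA-256 expanded by a counter and rejection-sampled into \(\mathbb{Z}_N\), so that the hash actually covers the full domain of f (a raw 256-bit digest would reach only a negligible fraction of a 512-bit modulus). The key size, the hash-expansion construction, and the sample message are assumptions of this illustration; the code shows the mechanics of signing as \(f^{-1}(h(m))\) and verifying as \(f(\sigma) = h(m)\), not a security proof for the instantiation, which is exactly the question the paper studies.

```python
import hashlib
import secrets
from math import gcd

# Added illustration of RSA-FDH (not the paper's code). Key size, the
# counter-based hash expansion and the sample message are constructed for
# this example; textbook RSA here is for exposition, not production signing.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error probability <= 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness candidate in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit forced so N has the intended size)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Return (N, e, d): f(x) = x^e mod N is the TDP on Z_N, d is the trapdoor."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def full_domain_hash(message: bytes, N: int) -> int:
    """Deterministically hash `message` onto all of Z_N.

    SHA-256 output is expanded with a counter to N.bit_length() bits and
    rejection-sampled into [0, N); each attempt is accepted with probability
    at least 1/2 because N >= 2^(bit_length - 1).
    """
    nbits = N.bit_length()
    nbytes = (nbits + 7) // 8
    attempt = 0
    while True:
        stream = b""
        block = 0
        while len(stream) < nbytes:
            stream += hashlib.sha256(
                message + attempt.to_bytes(4, "big") + block.to_bytes(4, "big")
            ).digest()
            block += 1
        # Drop the excess high bits so the candidate is a uniform nbits-bit value.
        candidate = int.from_bytes(stream[:nbytes], "big") >> (8 * nbytes - nbits)
        if candidate < N:
            return candidate                      # accept: uniform over Z_N
        attempt += 1                              # reject and re-expand


def fdh_sign(message: bytes, N: int, d: int) -> int:
    """sigma = f^{-1}(h(m)) = h(m)^d mod N; needs the trapdoor d."""
    return pow(full_domain_hash(message, N), d, N)


def fdh_verify(message: bytes, sigma: int, N: int, e: int) -> bool:
    """Accept iff f(sigma) = sigma^e mod N equals h(m)."""
    return 0 <= sigma < N and pow(sigma, e, N) == full_domain_hash(message, N)


if __name__ == "__main__":
    N, e, d = rsa_keygen(512)
    msg = b"constructed sample message"            # constructed input
    sig = fdh_sign(msg, N, d)
    print("verify(original):", fdh_verify(msg, sig, N, e))
    print("verify(modified):", fdh_verify(msg + b"!", sig, N, e))
```

The rejection-sampling loop is what makes this a *full-domain* hash: truncating or zero-padding a fixed-length digest would leave most of \(\mathbb{Z}_N\) unreachable, and the standard reductions for FDH (including the tight one for claw-free pairs cited above) rely on h ranging over the whole domain of f.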

In this work we investigate whether it is possible to instantiate the random oracle h with a “real” family of hash functions \(\mathcal{H}\) such that the corresponding scheme can be proven secure in the standard model, under some natural assumption on the family \(\mathcal{F}\). Our main result rules out the existence of such instantiations for any assumption on \(\mathcal{F}\) which (1) is satisfied by a family of random permutations, and (2) does not allow the attacker to invert \({f} \in_{\mathcal{R}} \mathcal{F}\) on an a-priori unbounded number of points. Moreover, this holds even if the choice of \(\mathcal{H}\) may depend arbitrarily on f. As an immediate corollary, we rule out instantiating FDH based on general claw-free permutations, which shows that in order to prove the security of FDH in the standard model one must utilize significantly more structure on \(\mathcal{F}\) than what is sufficient for the best proof of security in the random oracle model.




References

  1. PKCS #1 v2.1, RSA Cryptography Standard (draft), document available at
  2. Bellare, M., Boldyreva, A., Palacio, A.: An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 171–188. Springer, Heidelberg (2004)
  3. Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM CCS 1993, pp. 62–73 (1993)
  4. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The One-More-RSA-Inversion Problems and the Security of Chaum’s Blind Signature Scheme. J. of Cryptology 16(3), 185–215 (2003)
  5. Boldyreva, A., Fischlin, M.: Analysis of Random Oracle Instantiation Scenarios for OAEP and Other Practical Schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 412–429. Springer, Heidelberg (2005)
  6. Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively Secure Multi-Party Computation. In: STOC 1996, pp. 22–24 (1996)
  7. Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology, Revisited. In: STOC 1998, pp. 209–218 (1998)
  8. Canetti, R., Goldreich, O., Halevi, S.: On the Random Oracle Methodology as Applied to Length-Restricted Signature Schemes. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 40–57. Springer, Heidelberg (2004)
  9. Canetti, R., Micciancio, D., Reingold, O.: Perfectly One-Way Probabilistic Hash Functions. In: STOC 1998, pp. 131–140 (1998)
  10. Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
  11. Coron, J.-S.: Optimal Security Proofs for PSS and other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  12. Damgård, I.B.: Collision-Free Hash Functions and Public-Key Signature Schemes. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)
  13. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22, 644–654 (1976)
  14. Dodis, Y., Reyzin, L.: On the Power of Claw-Free Permutations. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 55–73. Springer, Heidelberg (2003)
  15. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  16. Gennaro, R., Gertner, Y., Katz, J.: Lower Bounds on the Efficiency of Encryption and Digital Signature Schemes. In: STOC 2003, pp. 417–425 (2003)
  17. Gennaro, R., Trevisan, L.: Lower Bounds on the Efficiency of Generic Cryptographic Constructions. In: FOCS 2000, pp. 305–313 (2000)
  18. Gertner, Y., Malkin, T., Reingold, O.: On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates. In: FOCS 2001, pp. 126–135 (2001)
  19. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The Relationship Between Public-Key Encryption and Oblivious Transfer. In: FOCS 2000, pp. 325–335 (2000)
  20. Goldwasser, S., Tauman, Y.: On the (In)security of the Fiat-Shamir Paradigm. In: FOCS 2003, pp. 102–114 (2003)
  21. Hsiao, C.-Y., Reyzin, L.: Finding Collisions on a Public Road, or do Secure Hash Functions Need Secret Coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004)
  22. Impagliazzo, R., Rudich, S.: Limits on the Provable Consequences of One-Way Permutations. In: STOC 1989, pp. 44–61 (1989)
  23. Kim, J.H., Simon, D.R., Tetali, P.: Limits on the Efficiency of One-Way Permutation-Based Hash Functions. In: FOCS 1999, pp. 535–542 (1999)
  24. Lynn, B., Prabhakaran, M., Sahai, A.: Positive Results and Techniques for Obfuscation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 20–39. Springer, Heidelberg (2004)
  25. Micali, S., Rabin, M., Vadhan, S.: Verifiable Random Functions. In: FOCS 1999, pp. 120–130 (1999)
  26. Nielsen, J.B.: Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-Committing Encryption Case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)
  27. Simon, D.: Finding Collisions on a One-Way Street: Can Secure Hash Functions be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)
  28. Wee, H.: On Obfuscating Point Functions. In: STOC 2005, pp. 523–532 (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yevgeniy Dodis, New York University
  • Roberto Oliveira, IBM T.J. Watson Research Center
  • Krzysztof Pietrzak, ETH Zürich
