Impossibility Proofs for RSA Signatures in the Standard Model
It is well known that RSA signatures such as FDH, PSS or PSS-R are as secure as RSA is hard to invert in the random oracle (RO) model. Such proofs, however, have never been discovered in the standard model. This paper provides an explanation of this gap by pointing out a strong impossibility of equivalence between inverting RSA and any form of unforgeability for a wide class of RSA signatures. In particular, our impossibility results explicitly assume that the public key is made of a single RSA instance, that the hash functions involved in the signature padding are unkeyed, and that key generation fulfils a natural property which we call instance-non-malleability. Beyond showing that any RSA-based signature scheme of that type black-box separates the RO model from the standard model in a strong sense, our work leaves the real-life security of well-known signatures in a state of uncertainty.
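To make the class of schemes the abstract talks about concrete, here is an added example (not code from the paper) of RSA-FDH in the exact shape the impossibility results assume: the public key is a single RSA instance (N, e), and the padding is an unkeyed full-domain hash. The hash instantiation (SHA-256 with a counter, MGF1-style, reduced mod N), the 512-bit toy modulus, the pure-Python Miller-Rabin key generation and the sample messages are all my assumptions for the demo, not anything the paper specifies. The block also shows why the hash is there at all: textbook RSA without it is existentially forgeable through the multiplicative homomorphism, whereas the same trick produces nothing verifiable against FDH.

```python
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin probable-prime test (demo quality, not a vetted implementation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng=rng):
            return c


def rsa_keygen(bits=512, e=65537, seed=None):
    """One RSA instance: public key (N, e), private key (N, d).
    A seed gives reproducible toy keys; seed=None uses the OS RNG."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def full_domain_hash(n, msg):
    """Unkeyed hash onto Z_N (assumed instantiation): SHA-256 over msg||counter,
    expanded 64 bytes beyond the size of N and reduced mod N, so the bias is negligible."""
    out_len = (n.bit_length() + 7) // 8 + 64
    buf, counter = b"", 0
    while len(buf) < out_len:
        buf += hashlib.sha256(msg + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(buf[:out_len], "big") % n


def fdh_sign(sk, msg):
    n, d = sk
    return pow(full_domain_hash(n, msg), d, n)


def fdh_verify(pk, msg, sig):
    n, e = pk
    return 0 < sig < n and pow(sig, e, n) == full_domain_hash(n, msg)


def textbook_sign(sk, m):
    """No padding: s = m^d mod N. Shown only to contrast with FDH."""
    n, d = sk
    return pow(m, d, n)


def textbook_verify(pk, m, sig):
    n, e = pk
    return pow(sig, e, n) == m % n


def homomorphic_forgery(pk, m1, s1, m2, s2):
    """Existential forgery on textbook RSA: (s1*s2)^e = m1*m2 mod N."""
    n, _ = pk
    return (m1 * m2) % n, (s1 * s2) % n


def demo(seed=1):
    """Returns (fdh ok, fdh on tampered msg, textbook forgery ok, same trick vs FDH)."""
    pk, sk = rsa_keygen(512, seed=seed)
    n, _ = pk
    msg = b"transfer 10 units to alice"          # constructed sample message
    sig = fdh_sign(sk, msg)
    fdh_ok = fdh_verify(pk, msg, sig)
    tampered = fdh_verify(pk, b"transfer 10 units to mallory", sig)
    m1, m2 = 12345, 67890                       # constructed textbook "messages"
    m3, s3 = homomorphic_forgery(pk, m1, textbook_sign(sk, m1), m2, textbook_sign(sk, m2))
    forged_ok = textbook_verify(pk, m3, s3)
    fa, fb = fdh_sign(sk, b"a"), fdh_sign(sk, b"b")
    fdh_forge_ok = fdh_verify(pk, b"ab", (fa * fb) % n)  # no message hashes to H(a)*H(b)
    return fdh_ok, tampered, forged_ok, fdh_forge_ok


if __name__ == "__main__":
    print(demo())  # expect (True, False, True, False)
```

The RO-model proof for this scheme works precisely because the unkeyed hash is modelled as a random function the reduction can program; the abstract's point is that with a single instance (N, e) and this kind of padding, no black-box reduction to inverting RSA can exist once the hash is a fixed, unkeyed function.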
Keywords: Signature Scheme, Random Oracle, Probabilistic Algorithm, Impossibility Result, Random Oracle Model