On the Power of Claw-Free Permutations
The popular random-oracle-based signature schemes, such as the Probabilistic Signature Scheme (PSS) and Full Domain Hash (FDH), output a signature of the form 〈f^{-1}(y), pub〉, where y somehow depends on the message signed (and on pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA. This leads to two natural questions: (1) can the exact security analysis be improved for general trapdoor permutations?; and, if not, (2) what general cryptographic assumption on f, enjoyed by specific functions like RSA, is “responsible” for the improved security?
We answer both these questions. First, we show that if f is a “black-box” trapdoor permutation, then the poor exact security is unavoidable. More specifically, the “security loss” for general trapdoor permutations is Ω(q_hash), where q_hash is the number of random oracle queries made by the adversary (which could be quite large). On the other hand, we show that all the security benefits of the RSA-based variants come into effect once f comes from a family of claw-free permutation pairs. Our results significantly narrow the current “gap” between general trapdoor permutations and RSA to the “gap” between trapdoor permutations and claw-free permutations. Additionally, they can be viewed as the first security/efficiency separation between these basic cryptographic primitives. In other words, while it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, we show that certain important schemes (like FDH and PSS) provably work with either, but enjoy a much better tradeoff between security and efficiency when deployed with claw-free permutations.
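To make the objects in the abstract concrete, here is an added example (not code from the paper or its authors) of RSA-based Full Domain Hash together with the standard RSA claw-free permutation pair. It assumes toy parameters: a modulus built from two fixed Mersenne primes (far too small for real use), SHA-256 with a counter as the random-oracle instantiation of the full-domain hash, and a public element y chosen by the caller. The pair f_0(x) = x^e and f_1(x) = y·x^e mod n is claw-free exactly because any claw (x_0, x_1) with f_0(x_0) = f_1(x_1) yields an e-th root of y, which the last function computes; with the trapdoor d, however, claws are easy to produce, which is the property the RSA-based security proofs exploit.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two Mersenne primes give a ~234-bit modulus.
# Far too small for real security; chosen only so the arithmetic runs instantly.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
assert gcd(E, (P - 1) * (Q - 1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))   # the trapdoor (Python 3.8+ modular inverse)


def f(x: int) -> int:
    """Public trapdoor permutation f(x) = x^e mod n."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """f^{-1}(y) = y^d mod n, computable only with the trapdoor d."""
    return pow(y, D, N)


def full_domain_hash(msg: bytes) -> int:
    """Random oracle H: {0,1}* -> Z_n, instantiated here with SHA-256.
    Assumption for this example: two counter-prefixed digests are concatenated
    so the integer has more bits than n before reduction mod n (the small
    residual bias is ignored for a demonstration)."""
    blocks = b"".join(hashlib.sha256(bytes([i]) + msg).digest() for i in range(2))
    return int.from_bytes(blocks, "big") % N


def fdh_sign(msg: bytes) -> int:
    """FDH signature: f^{-1}(H(m)); here pub is empty, as in plain FDH."""
    return f_inv(full_domain_hash(msg))


def fdh_verify(msg: bytes, sig: int) -> bool:
    """Accept iff f(sig) == H(m); the range check rejects malformed integers."""
    return 0 <= sig < N and f(sig) == full_domain_hash(msg)


def make_claw_free_pair(y: int):
    """RSA claw-free pair: f0(x) = x^e, f1(x) = y * x^e (mod n) for public y."""
    f0 = lambda x: pow(x, E, N)
    f1 = lambda x: (y * pow(x, E, N)) % N
    return f0, f1


def find_claw_with_trapdoor(y: int, x1: int):
    """With the trapdoor, a claw is trivial: pick x1, set x0 = f^{-1}(f1(x1))."""
    f0, f1 = make_claw_free_pair(y)
    x0 = f_inv(f1(x1))
    assert f0(x0) == f1(x1)
    return x0, x1


def root_from_claw(y: int, x0: int, x1: int) -> int:
    """A claw gives an e-th root of y: x0^e = y * x1^e  =>  (x0 / x1)^e = y.
    This is why claw-finding is as hard as inverting RSA on y."""
    r = (x0 * pow(x1, -1, N)) % N
    assert pow(r, E, N) == y
    return r


if __name__ == "__main__":
    m = b"constructed sample message"
    s = fdh_sign(m)
    print("FDH verifies:", fdh_verify(m, s))
    y = full_domain_hash(b"constructed public y")
    x0, x1 = find_claw_with_trapdoor(y, 12345)
    print("e-th root of y recovered from claw:", root_from_claw(y, x0, x1) != 0)
```

The reduction sketched by `root_from_claw` is the one-line reason claw-free pairs buy tighter security: a forger is turned into a claw finder without the simulator having to guess which of the q_hash oracle queries the forgery will land on.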
Keywords: signature scheme, random oracle, random oracle model, digital signature scheme, signing query