Security Analysis of the Gennaro-Halevi-Rabin Signature Scheme

  • Jean-Sébastien Coron
  • David Naccache
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


We exhibit an attack against a signature scheme recently proposed by Gennaro, Halevi and Rabin [9]. The scheme’s security is based on two assumptions namely the strong RSA assumption and the existence of a division-intractable hash-function. For the latter, the authors conjectured a security level exponential in the hash-function’s digest size whereas our attack is sub-exponential with respect to the digest size. Moreover, since the new attack is optimal, the length of the hash function can now be rigorously fixed. In particular, to get a security level equivalent to 1024-bit RSA, one should use a digest size of approximately 1024 bits instead of the 512 bits suggested in [9].


Hash Function Signature Scheme Security Level Random Oracle Common Multiple 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    E. Bach and R. Peralta, Asymptotic semismoothness probabilities, Mathematics of computation, vol. 65, no. 216, pp. 1701–1715, 1996.zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    N. Barić and B. Pfitzmann, Collision-free accumulators and fail-stop signature scheme without trees, proceedings of Eurocrypt’97, LNCS vol. 1233, Springer-Verlag, 1997, pp. 480–494.Google Scholar
  3. 3.
    M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the First Annual Conference on Computer and Commmunications Security, ACM, 1993.Google Scholar
  4. 4.
    R. Brent, An improved Monte Carlo factorization algorithm, Nordisk Tidskrift för Informationsbehandling (BIT) 20 (1980) pp. 176–184.zbMATHMathSciNetGoogle Scholar
  5. 5.
    E. Canfield, P. Erdös and C. Pomerance, On a problem of Oppenheim concerning ‘Factorisatio Numerorum’, J. Number Theory, vol. 17, 1983, PP. 1–28.zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    J.S. Coron and D. Naccache, Security analysis of the Gennaro-Halevi-Rabin signature scheme, full version of this paper, available at, 2000.
  7. 7.
    K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, pp. 1–14, 1930.Google Scholar
  8. 8.
    G. Hardy and E. Wright, An introduction to the theory of numbers, Fifth edition, Oxford, 1979, pp. 354–359, 368–370.Google Scholar
  9. 9.
    R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign signatures without the random oracle, proceedings of Eurocrypt’99, LNCS vol. 1592, Springer-Verlag, 1999, pp. 123–139.Google Scholar
  10. 10.
    A. Ivić and G. Tenenbaum, Local densities over integers free of large prime factors, Quart. J. Math. Oxford (2), 37 (1986), pp. 401–417.CrossRefzbMATHGoogle Scholar
  11. 11.
    H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math. (2) 126 (1987) pp. 649–673.CrossRefMathSciNetGoogle Scholar
  12. 12.
    M.I.R.A.C.L. library, Shamus Software Ltd., 94 Shangan Road, Ballymun, Dublin, Ireland.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • David Naccache
    • 2
  1. 1.Ecole Normale SupérieureParisFrance
  2. 2.Gemplus Card InternationalIssy-les-MoulineauxFrance

Personalised recommendations