Optimal Security Proofs for PSS and Other Signature Schemes

  • Jean-Sébastien Coron
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that $\log_2 q_{sig}$ bits suffice, where $q_{sig}$ is the number of signature queries made by the attacker. When PSS is used with message recovery, a better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if less than $\log_2 q_{sig}$ bits are used, then PSS is still provably secure but it cannot have a tight security proof. Our technique applies to other signature schemes such as the Full Domain Hash scheme and Gennaro-Halevi-Rabin’s scheme, whose security proofs are shown to be optimal.


Keywords: Probabilistic Signature Scheme; Provable Security



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Jean-Sébastien Coron, Gemplus Card International, Issy-les-Moulineaux, France
