The Exact Security of Digital Signatures: How to Sign with RSA and Rabin

  • Mihir Bellare
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


We describe an RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way—an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort. Furthermore, we provide a second scheme which maintains all of the above features and in addition provides message recovery. These ideas extend to provide schemes for Rabin signatures with analogous properties; in particular their security can be tightly related to the hardness of factoring.


Keywords: Hash Function; Signature Scheme; Random Oracle; Provable Security; Cryptographic Hash Function



Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Mihir Bellare (1)
  • Phillip Rogaway (2)
  1. Department of Computer Science and Engineering, University of California at San Diego, La Jolla, USA
  2. Department of Computer Science, University of California at Davis, Davis, USA
