On the Power of Claw-Free Permutations

  • Yevgeniy Dodis
  • Leonid Reyzin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2576)


The popular random-oracle-based signature schemes, such as the Probabilistic Signature Scheme (PSS) and Full Domain Hash (FDH), output a signature of the form ⟨f^{-1}(y), pub⟩, where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA. This leads to two natural questions: (1) can the asymptotic security analysis be improved with general trapdoor permutations?; and, if not, (2) what general cryptographic assumption on f — enjoyed by specific functions like RSA — is “responsible” for the improved security?

We answer both these questions. First, we show that if f is a “black-box” trapdoor permutation, then the poor exact security is unavoidable. More specifically, the “security loss” for general trapdoor permutations is Ω(q_hash), where q_hash is the number of random oracle queries made by the adversary (which could be quite large). On the other hand, we show that all the security benefits of the RSA-based variants come into effect once f comes from a family of claw-free permutation pairs. Our results significantly narrow the current “gap” between general trapdoor permutations and RSA to the “gap” between trapdoor permutations and claw-free permutations. Additionally, they can be viewed as the first security/efficiency separation between these basic cryptographic primitives. In other words, while it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, we show that certain important schemes (like FDH and PSS) provably work with either, but enjoy a much better tradeoff between security and efficiency when deployed with claw-free permutations.
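The following is an added example, not code from the paper: a toy RSA instance used (i) as the trapdoor permutation in an FDH signature of the form ⟨f^{-1}(H(m))⟩ and (ii) as a claw-free permutation pair (f0, f1) in the Goldwasser–Micali–Rivest style, where any claw f0(x0) = f1(x1) yields an e-th root of a public value Y modulo N, i.e. an RSA inversion with no security loss. The primes, exponent, hash-to-Z_N mapping and the constant Y are constructed toy values and are assumptions of this example, not parameters from the paper.

```python
# Added example (not from the paper). Toy RSA parameters: far too small for
# real use, chosen only so the arithmetic is easy to follow.
import hashlib

P, Q, E = 1009, 1013, 17           # constructed toy primes and public exponent
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                # RSA trapdoor: E * D == 1 (mod phi(N))
Y = 123456 % N                     # public constant defining f1; gcd(Y, N) == 1

def f(x: int) -> int:
    """The trapdoor permutation f(x) = x^e mod N (public direction)."""
    return pow(x, E, N)

def f_inv(z: int) -> int:
    """Inverse of f; requires the trapdoor D."""
    return pow(z, D, N)

def f0(x: int) -> int:
    """First member of the claw-free pair: f0 = f."""
    return f(x)

def f1(x: int) -> int:
    """Second member: f1(x) = Y * x^e mod N (also a permutation of Z_N)."""
    return (Y * f(x)) % N

def fdh_hash(msg: bytes) -> int:
    """Full Domain Hash: map the message onto Z_N (toy: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def fdh_sign(msg: bytes) -> int:
    """FDH signature = f^{-1}(H(m)); the 'pub' part is empty for FDH."""
    return f_inv(fdh_hash(msg))

def fdh_verify(msg: bytes, sig: int) -> bool:
    return f(sig) == fdh_hash(msg)

def claw_to_root(x0: int, x1: int) -> int:
    """Given a claw f0(x0) == f1(x1), return an e-th root of Y mod N:
    x0^e == Y * x1^e  =>  (x0 / x1)^e == Y.  x1 must be coprime to N."""
    if f0(x0) != f1(x1):
        raise ValueError("not a claw")
    return (x0 * pow(x1, -1, N)) % N

def make_claw_with_trapdoor(x1: int) -> tuple:
    """Only the trapdoor holder can do this: x0 = f^{-1}(f1(x1)).
    Without D, producing any claw is as hard as taking e-th roots of Y."""
    return f_inv(f1(x1)), x1
```

Running `claw_to_root` on the output of `make_claw_with_trapdoor` recovers a value r with r^e = Y mod N, which is exactly the reduction that makes RSA a claw-free pair rather than merely a trapdoor permutation.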







Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Yevgeniy Dodis, Computer Science, New York University, New York, USA
  • Leonid Reyzin, Computer Science, Boston University, Boston, USA
