Optimal Security Proofs for Full Domain Hash, Revisited

  • Saqib A. Kakvi
  • Eike Kiltz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


RSA Full Domain Hash (RSA-FDH) is a digital signature scheme that is secure against chosen-message attacks in the random oracle model. The best known security reduction from the RSA assumption is non-tight: it loses a factor of q_s, where q_s is the number of signature queries made by the adversary. It was furthermore proved by Coron (EUROCRYPT 2002) that a security loss of q_s is optimal and cannot possibly be improved. In this work we uncover a subtle flaw in Coron's impossibility result. Concretely, we show that it only holds if the underlying trapdoor permutation is certified, i.e., if one can verify from the public key alone that the function really is a permutation. Since it is well known that the RSA trapdoor permutation is (for all practical parameters) not certified, this renders Coron's impossibility result moot for RSA-FDH. Motivated by this, we revisit the question of whether there is a tight security proof for RSA-FDH. Concretely, we give a new tight security reduction from a stronger assumption, the Phi-Hiding assumption introduced by Cachin et al. (EUROCRYPT 1999). This justifies the choice of smaller parameters in RSA-FDH, as it is commonly used in practice. All of our results (positive and negative) extend to the probabilistic signature scheme PSS.
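The abstract turns on one distinction: whether a verifier can tell from (N, e) alone that x ↦ x^e mod N is a permutation. The following Python illustration is added for this page and is not the authors' code. It implements RSA-FDH with a SHA-256-plus-counter full-domain hash (one possible instantiation, chosen here), signs and verifies under an honest key, and then builds a "lossy" key in which e divides p − 1, so that x ↦ x^e is e-to-1 on Z_N^* and no signing exponent exists. The primes (1019, 1013 and 1009, 1013), the exponent e = 3, the sample message and the value s are all constructed toy parameters, small enough that e-th roots can be enumerated; the point they make is that the checks a verifier can actually run on the public key pass for both keys, which is what "not certified" means, and that under the lossy key a programmed hash value s^e has e equally valid preimages, which is the information-theoretic lever behind the Phi-Hiding reduction.

```python
"""RSA-FDH on toy parameters, honest key versus lossy (non-permutation) key.

Added illustration for this page, not the authors' code. All parameters are
constructed and far too small for any real use.
"""
import hashlib
from math import gcd

E = 3
HONEST_PRIMES = (1019, 1013)   # 3 divides neither 1018 nor 1012: x^3 is a permutation
LOSSY_PRIMES = (1009, 1013)    # 3 divides 1008 = 1009 - 1:  x^3 is 3-to-1 on Z_N^*


def full_domain_hash(msg: bytes, n: int) -> int:
    """Hash msg onto Z_n: SHA-256 over (counter || msg), rejecting candidates >= n.

    Assumed instantiation for this example; supports n of at most 256 bits.
    """
    nbytes = (n.bit_length() + 7) // 8
    for counter in range(2 ** 16):
        digest = hashlib.sha256(counter.to_bytes(4, "big") + msg).digest()
        h = int.from_bytes(digest[:nbytes], "big")
        if h < n:
            return h
    raise RuntimeError("full-domain hash did not land in Z_n")


def is_permutation(p: int, q: int, e: int) -> bool:
    """True iff x -> x^e mod pq is a bijection. Needs the secret factors."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def keygen(p: int, q: int, e: int):
    """Return (pk, sk). Fails when e shares a factor with phi(N): no d exists then."""
    if not is_permutation(p, q, e):
        raise ValueError("e | phi(N): x^e is not a permutation, cannot invert")
    d = pow(e, -1, (p - 1) * (q - 1))
    return (p * q, e), (p * q, d)


def sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(full_domain_hash(msg, n), d, n)


def verify(pk, msg: bytes, sigma: int) -> bool:
    n, e = pk
    return 0 <= sigma < n and pow(sigma, e, n) == full_domain_hash(msg, n)


def public_key_sanity(pk) -> bool:
    """Everything a verifier can check from (N, e) alone; honest and lossy keys both pass."""
    n, e = pk
    return n > 1 and 1 < e < n and e % 2 == 1 and gcd(e, n) == 1


def eth_roots_mod_prime(t: int, e: int, p: int) -> list:
    """Brute-force all x in Z_p with x^e == t (mod p); feasible only for toy p."""
    return [x for x in range(p) if pow(x, e, p) == t % p]


def crt(a: int, p: int, b: int, q: int) -> int:
    """The x in Z_pq with x == a (mod p) and x == b (mod q)."""
    return (a + p * ((b - a) * pow(p, -1, q) % q)) % (p * q)


def preimages(t: int, e: int, p: int, q: int) -> list:
    """All x in Z_N with x^e == t (mod N), combining roots mod p and mod q via CRT."""
    return sorted(crt(a, p, b, q)
                  for a in eth_roots_mod_prime(t, e, p)
                  for b in eth_roots_mod_prime(t, e, q))


def demo():
    """Honest key: one e-th root per target. Lossy key: e roots, every one of which verifies."""
    p, q = HONEST_PRIMES
    pk, sk = keygen(p, q, E)
    msg = b"constructed sample message"          # constructed input
    sigma = sign(sk, msg)
    honest_count = len(preimages(pow(sigma, E, p * q), E, p, q))

    p_l, q_l = LOSSY_PRIMES
    n_l = p_l * q_l
    # No signing key exists for the lossy N, but a simulator never needs one: it picks a
    # random s and programs the oracle so that H(m) = s^e, which makes s a valid signature.
    s = 123457                                   # constructed "simulated signature"
    t = pow(s, E, n_l)
    roots = preimages(t, E, p_l, q_l)
    every_root_verifies = all(pow(r, E, n_l) == t for r in roots)
    return honest_count, len(roots), every_root_verifies


if __name__ == "__main__":
    print("honest key passes sanity:", public_key_sanity((1019 * 1013, E)))
    print("lossy  key passes sanity:", public_key_sanity((1009 * 1013, E)))
    print("(honest preimages, lossy preimages, all lossy roots verify):", demo())
```

With a real 2048-bit modulus the brute-force root enumeration is of course impossible, and that is exactly the situation the paper exploits: nothing in (N, e) tells a verifier (or a reduction) whether it is looking at the permutation or the lossy variant, and deciding between them is the Phi-Hiding problem.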




  1. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology 16(3), 185–215 (2003)
  2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993: 1st Conference on Computer and Communications Security, pp. 62–73. ACM Press (November 1993)
  3. Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures: How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  4. Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
  5. Bellare, M., Yung, M.: Certifying permutations: Noninteractive zero-knowledge based on any trapdoor permutation. Journal of Cryptology 9(3), 149–166 (1996)
  6. Bernstein, D.J.: Proving Tight Security for Rabin-Williams Signatures. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008)
  7. Cachin, C.: Efficient private bidding and auctions with an oblivious third party. In: ACM CCS 1999: 6th Conference on Computer and Communications Security, pp. 120–127. ACM Press (November 1999)
  8. Cachin, C., Micali, S., Stadler, M.A.: Computationally Private Information Retrieval with Polylogarithmic Communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999)
  9. Chatterjee, S., Menezes, A., Sarkar, P.: Another look at tightness. Cryptology ePrint Archive, Report 2011/442 (2011)
  10. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
  11. Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
  12. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. Cryptology ePrint Archive, Report 2001/062 (2001)
  13. Coron, J.-S.: Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002)
  14. Gentry, C., Mackenzie, P.D., Ramzan, Z.: Password authenticated key exchange using hidden smooth subgroups. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 2005: 12th Conference on Computer and Communications Security, pp. 299–309. ACM Press (November 2005)
  15. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM Press (May 2008)
  16. Gentry, C., Ramzan, Z.: Single-Database Private Information Retrieval with Constant Communication Rate. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005)
  17. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. Journal of Cryptology 20(4), 493–514 (2007)
  18. Hemenway, B., Ostrovsky, R.: Public-Key Locally-Decodable Codes. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 126–143. Springer, Heidelberg (2008)
  19. IEEE P1363a Committee: IEEE P1363a / D9, Standard specifications for public key cryptography: Additional techniques, Draft Version 9 (June 2001)
  20. Kiltz, E., O'Neill, A., Smith, A.: Instantiability of RSA-OAEP under Chosen-Plaintext Attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010)
  21. Koblitz, N., Menezes, A.J.: Another look at "provable security". Journal of Cryptology 20(1), 3–37 (2007)
  22. Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential Aggregate Signatures from Trapdoor Permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74–90. Springer, Heidelberg (2004)
  23. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30, 1253–1298 (2000)
  24. Paillier, P., Villar, J.L.: Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 252–266. Springer, Heidelberg (2006)
  25. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 187–196. ACM Press (May 2008)
  26. PKCS #1: RSA cryptography standard. RSA Data Security, Inc., Version 2.0 (September 1998)
  27. Schridde, C., Freisleben, B.: On the Validity of the Φ-Hiding Assumption in Cryptographic Protocols. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 344–354. Springer, Heidelberg (2008)
  28. Smart, N.: ECRYPT II yearly report on algorithms and keysizes (2009–2010), p. 116 (March 2010)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Saqib A. Kakvi (1)
  • Eike Kiltz (1)
  1. Faculty of Mathematics, Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany
