Provably Secure Code-Based Threshold Ring Signatures
Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
Provably secure multi-proxy signature scheme with revocation in the standard model
Computer Communications
Security of encryption schemes in weakened random oracle models
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Bonsai trees, or how to delegate a lattice basis
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
Public key encryption without random oracle made truly practical
ICICS'09 Proceedings of the 11th international conference on Information and Communications Security
Public key encryption without random oracle made truly practical
Computers and Electrical Engineering
Improved known-key distinguishers on Feistel-SP ciphers and application to camellia
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Security and Communication Networks
Cryptanalysis vs. provable security
Inscrypt'11 Proceedings of the 7th international conference on Information Security and Cryptology
Hi-index | 0.00 |
RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a 267 preimage attack on BR93 for 1024-bit digests. Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.