How to prove yourself: practical solutions to identification and signature problems
Proceedings on Advances in cryptology---CRYPTO '86
A digital signature scheme secure against adaptive chosen-message attacks
SIAM Journal on Computing - Special issue on cryptography
Universal one-way hash functions and their cryptographic applications
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Limits on the provable consequences of one-way permutations
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
One-way functions are necessary and sufficient for secure signatures
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Fast signature generation with a Fiat Shamir—like scheme
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Optimal Security Proofs for PSS and Other Signature Schemes
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Limits on the Efficiency of One-Way Permutation-Based Hash Functions
FOCS '99 Proceedings of the 40th Annual Symposium on Foundations of Computer Science
Lower bounds on the efficiency of generic cryptographic constructions
FOCS '00 Proceedings of the 41st Annual Symposium on Foundations of Computer Science
On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates
FOCS '01 Proceedings of the 42nd IEEE symposium on Foundations of Computer Science
The exact security of digital signatures-how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Strong Key-Insulated Signature Schemes
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
Efficiency improvements for signature schemes with tight security reductions
Proceedings of the 10th ACM conference on Computer and communications security
Versatile padding schemes for joint signature and encryption
Proceedings of the 11th ACM conference on Computer and communications security
Trapdoors for hard lattices and new cryptographic constructions
STOC '08 Proceedings of the fortieth annual ACM symposium on Theory of computing
SCN'02 Proceedings of the 3rd international conference on Security in communication networks
Discrete-Log-Based signatures may not be equivalent to discrete log
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
A generic scheme based on trapdoor one-way permutations with signatures as short as possible
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Optimal asymmetric encryption and signature paddings
ACNS'05 Proceedings of the Third international conference on Applied Cryptography and Network Security
On the generic insecurity of the full domain hash
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
A practical optimal padding for signature schemes
CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology
Mercurial commitments: minimal assumptions and efficient constructions
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Random oracles in a quantum world
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
On the instantiability of hash-and-sign RSA signatures
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
On the exact security of schnorr-type signatures in the random oracle model
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Hi-index | 0.00 |
The popular random-oracle-based signature schemes, such as Probabilistic Signature Scheme (PSS) and Full Domain Hash (FDH), output a signature of the form 〈f-1(y), pub〉, where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA. This leads to two natural questions: (1) can the asymptotic security analysis be improved with general trapdoor permutations?; and, if not, (2) what general cryptographic assumption on f -- enjoyed by specific functions like RSA -- is "responsible" for the improved security? We answer both these questions. First, we show that if f is a blackbox trapdoor permutation, then the poor exact security is unavoidable. More specifically, the security loss for general trapdoor permutations is Ω(qhash), where qhash is the number of random oracle queries made by the adversary (which could be quite large). On the other hand, we show that all the security benefits of the RSA-based variants come into effect once f comes from a family of claw-free permutation pairs. Our results significantly narrow the current "gap" between general trapdoor permutations and RSA to the "gap" between trapdoor permutations and claw-free permutations. Additionally, they can be viewed as the first security/efficiency separation between these basic cryptographic primitives. In other words, while it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, we show that certain important schemes (like FDH and PSS) provably work with either, but enjoy a much better tradeoff between security and efficiency when deployed with claw-free permutations.