The hash-and-sign RSA signature is one of the most elegant and well-known signature schemes, extensively used in a wide variety of cryptographic applications. Unfortunately, the only existing analysis of this popular scheme is in the random oracle model, where the resulting idealized scheme is known as RSA Full Domain Hash (RSA-FDH). In fact, prior work has shown several "uninstantiability" results for various abstractions of RSA-FDH, in which the RSA function was replaced by a family of trapdoor random permutations, or the hash function instantiating the random oracle could not be keyed. These abstractions, however, do not allow the reduction and the hash-function instantiation to use the algebraic properties of the RSA function, such as the multiplicative group structure of ℤ_N^*. In contrast, the multiplicative property of the RSA function is used critically in many standard-model analyses of RSA-based schemes. Motivated by closing this gap, we consider the setting where the RSA function representation is generic (i.e., black-box) but multiplicative, whereas the hash function itself is in the standard model, can be keyed, and may exploit the multiplicative properties of the RSA function. This setting abstracts all known techniques for designing provably secure RSA-based signatures in the standard model and aims to address the main limitations of prior uninstantiability results. Unfortunately, we show that it is still impossible to reduce the security of RSA-FDH to any natural assumption even in our model. Thus, our result suggests that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black-box security proof, or use specific properties of the RSA group that are not captured by its multiplicative structure alone.
We complement our negative result with a positive result, showing that RSA-FDH signatures can be proven secure under the standard RSA assumption, provided that the number of signing queries is bounded a priori.
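The multiplicative structure the abstract refers to is the identity (m1 · m2)^d = m1^d · m2^d mod N: two textbook RSA "signatures" multiply into a valid third one, and the full-domain hash is exactly what stands between a forger and that property, since the product σ(m1)·σ(m2) is still a signature, but on the pre-image of H(m1)·H(m2), which the forger cannot find. The following is an added example (not code from the paper or its authors) that builds a toy RSA-FDH with a counter-mode SHA-256 expansion as the full-domain hash, signs with textbook RSA beside it, and shows the multiplicative forgery succeeding against the former and failing against the latter. The key size, the seeded key generation and the MGF1-style hash expansion are this example's own choices, made for reproducibility, not anything the paper specifies.

```python
"""Toy RSA-FDH next to textbook RSA: why the hash blocks the multiplicative forgery.

Added example, not the paper's code.  Seeded keygen is for a reproducible demo only;
a real key must never be generated from a seed."""
import hashlib
import math
import random

E = 65537  # conventional public exponent


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand, rng) and math.gcd(cand - 1, E) == 1:
            return cand


def keygen(bits: int = 1024, seed=None):
    """Returns (pk, sk) = ((N, e), (N, d)).  Toy size; `seed` only for reproducibility."""
    rng = random.Random(seed)
    p = _gen_prime(bits // 2, rng)
    q = _gen_prime(bits // 2, rng)
    while q == p:
        q = _gen_prime(bits // 2, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def full_domain_hash(msg: bytes, n: int) -> int:
    """Deterministic hash onto (nearly all of) Z_N^*.

    SHA-256 is expanded in counter mode to the bit length of N (an MGF1-style choice made
    for this example) and rejection-sampled until the value is below N.  A single 256-bit
    digest reduced mod N would cover only a negligible slice of the domain and would not be
    a 'full domain' hash for a 1024-bit modulus."""
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    blocks = (nbytes + 31) // 32
    prefix = len(msg).to_bytes(8, "big") + msg  # length prefix for unambiguous encoding
    for attempt in range(256):
        stream = b"".join(
            hashlib.sha256(prefix + bytes([attempt]) + i.to_bytes(4, "big")).digest()
            for i in range(blocks)
        )
        h = int.from_bytes(stream[:nbytes], "big") >> (8 * nbytes - nbits)
        if 1 < h < n:  # accepted with probability >= 1/2 per attempt
            return h
    raise RuntimeError("rejection sampling failed 256 times; astronomically unlikely")


def sign_fdh(sk, msg: bytes) -> int:
    n, d = sk
    return pow(full_domain_hash(msg, n), d, n)


def verify_fdh(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return 0 < sig < n and pow(sig, e, n) == full_domain_hash(msg, n)


def sign_raw(sk, m: int) -> int:
    """Textbook RSA on an integer message: no hash, no padding."""
    n, d = sk
    return pow(m % n, d, n)


def verify_raw(pk, m: int, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == m % n


def multiplicative_forgery_demo(seed: int = 2024) -> dict:
    """Runs the forgery against both schemes and reports what verified."""
    pk, sk = keygen(1024, seed)
    n, e = pk
    # Textbook RSA: sigma(m1) * sigma(m2) = (m1 * m2)^d mod N, a signature for free.
    m1, m2 = 0x1234567, 0x89ABCDE  # constructed sample messages
    raw_forged = (sign_raw(sk, m1) * sign_raw(sk, m2)) % n
    # RSA-FDH: the product is a valid signature only on a pre-image of H(m1)*H(m2) mod N,
    # so it does not verify on any message the forger actually wants.
    msg1, msg2, target = b"pay alice 10", b"pay bob 20", b"pay mallory 1000"
    s1, s2 = sign_fdh(sk, msg1), sign_fdh(sk, msg2)
    fdh_product = (s1 * s2) % n
    h1h2 = (full_domain_hash(msg1, n) * full_domain_hash(msg2, n)) % n
    return {
        "raw_forgery_verifies": verify_raw(pk, m1 * m2, raw_forged),
        "fdh_product_is_sig_on_H1H2": pow(fdh_product, e, n) == h1h2,
        "fdh_product_verifies_on_target": verify_fdh(pk, target, fdh_product),
        "fdh_genuine_verifies": verify_fdh(pk, msg1, s1),
    }


if __name__ == "__main__":
    for name, ok in multiplicative_forgery_demo().items():
        print(f"{name}: {ok}")
```

The third result is the point of the paper's model: the reduction is allowed to exploit that σ(m1)·σ(m2) relates to H(m1)·H(m2), while the hash instantiation may be keyed and may itself use the group structure; the negative result says that even with both of these in play, no black-box reduction to a natural assumption exists for an unbounded number of signing queries.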