On the Instantiability of Hash-and-Sign RSA Signatures
نویسندگان
چکیده
The hash-and-sign RSA signature is one of the most elegant and well known signatures schemes, extensively used in a wide variety of cryptographic applications. Unfortunately, the only existing analysis of this popular signature scheme is in the random oracle model, where the resulting idealized signature is known as the RSA Full Domain Hash signature scheme (RSA-FDH). In fact, prior work has shown several “uninstantiability” results for various abstractions of RSA-FDH, where the RSA function was replaced by a family of trapdoor random permutations, or the hash function instantiating the random oracle could not be keyed. These abstractions, however, do not allow the reduction and the hash function instantiation to use the algebraic properties of RSA function, such as the multiplicative group structure of Zn. In contrast, the multiplicative property of the RSA function is critically used in many standard model analyses of various RSA-based schemes. Motivated by closing this gap, we consider the setting where the RSA function representation is generic (i.e., black-box) but multiplicative, whereas the hash function itself is in the standard model, and can be keyed and exploit the multiplicative properties of the RSA function. This setting abstracts all known techniques for designing provably secure RSA-based signatures in the standard model, and aims to address the main limitations of prior uninstantiability results. Unfortunately, we show that it is still impossible to reduce the security of RSA-FDH to any natural assumption even in our model. Thus, our result suggests that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black box security proof, or use specific properties of the RSA group that are not captured by its multiplicative structure alone. We complement our negative result with a positive result, showing that the RSA-FDH signatures can be proven secure under the standard RSA assumption, provided that the number of signing queries is a-priori bounded.
منابع مشابه
Realizing Hash-and-Sign Signatures under Standard Assumptions
Currently, there are relatively few instances of “hash-and-sign” signatures in the standard model. Moreover, most current instances rely on strong and less studied assumptions such as the Strong RSA and q-Strong Diffie-Hellman assumptions. In this paper, we present a new approach for realizing hash-and-sign signatures in the standard model. In our approach, a signer associates each signature wi...
متن کاملThe RMX Transform and Digital Signatures∗
This document describes RMX, a simple message randomization scheme that when used as a front end to existing hash-then-sign signature schemes, such as RSA and DSS, frees these signatures from their current vulnerability to off-line collision attacks on the underlying hash function. We demonstrate the practicality of the approach, which requires no change to hash functions or signature algorithm...
متن کاملChameleon Hashing and Signatures
We introduce chameleon signatures that provide with an undeniable commitment of the signer to the contents of the signed document (as regular digital signatures do) but, at the same time, do not allow the recipient of the signature to disclose the contents of the signed information to any third party without the signer's consent. These signatures are closely related to \undeniable signatures", ...
متن کاملSubmission to IEEE P1363 PSS: Provably Secure Encoding Method for Digital Signatures
We describe two encoding methods: EMSA-PSS, for signing with appendix, and EMSR-PSS, for signing with message recovery. These encodings are appropriate for signatures based on the RSA or Rabin/Williams primitive. The methods are as simple and e cient as the methods in the current P1363 draft (based on X9.31 and ISO 9796), but they have better demonstrated security. In particular, treating the u...
متن کاملThe Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin
We describe an RSA-based signing scheme which combines essentially optimal e ciency with attractive security properties. Signing takes one RSA decryption plus some hashing, veri cation takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a ti...
متن کامل