Security Analysis of the Gennaro-Halevi-Rabin Signature Scheme
نویسندگان
چکیده
We exhibit an attack against a signature scheme recently proposed by Gennaro, Halevi and Rabin [9]. The scheme’s security is based on two assumptions namely the strong RSA assumption and the existence of a division-intractable hash-function. For the latter, the authors conjectured a security level exponential in the hash-function’s digest size whereas our attack is sub-exponential with respect to the digest size. Moreover, since the new attack is optimal, the length of the hash function can now be rigorously fixed. In particular, to get a security level equivalent to 1024-bit RSA, one should use a digest size of approximately 1024 bits instead of the 512 bits suggested in [9].
منابع مشابه
On the Exact Security of Full Domain Hash
The Full Domain Hash (FDH) scheme is a RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper we exhibit a slightly different proof which provides a tighter security reduction. This in turn improves the efficiency of the scheme since small...
متن کاملA Practical and Tightly Secure Signature Scheme Without Hash Function
In 1999, two signature schemes based on the flexible RSA problem (a.k.a. strong RSA problem) were independently introduced: the Gennaro-Halevi-Rabin (GHR) signature scheme and the Cramer-Shoup (CS) signature scheme. Remarkably, these schemes meet the highest security notion in the standard model. They however differ in their implementation. The CS scheme and its subsequent variants and extensio...
متن کاملEfficient Transformation of Well Known Signature Schemes into Designated Confirmer Signature schemes
Since designated confirmer signature schemes were introduced by Chaum and formalized by Okamoto, a number of attempts have been made to design efficient and secure designated confirmer signature schemes. Yet, there has been a consistent gap in security claims and analysis between all generic theoretical proposals and any concrete implementation proposal one can envision using in practice. In th...
متن کاملTwin Signatures : an Alternativeto the Hash - and - Sign
This paper introduces a simple alternative to the hash-and-sign paradigm, from the security point of view but for signing short messages, called twinning. A twin signature is obtained by signing twice a short message by a signature scheme. Analysis of the concept in diierent settings yields the following results: { We prove that no generic algorithm can eeciently forge a twin DSA signature. Alt...
متن کاملImproved Security for Linearly Homomorphic Signatures: A Generic Framework
We propose a general framework that converts (ordinary) signature schemes having certain properties into linearly homomorphic signature schemes, i.e., schemes that allow authentication of linear functions on signed data. The security of the homomorphic scheme follows from the same computational assumption as is used to prove security of the underlying signature scheme. We show that the followin...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2000