On the generic insecurity of the full domain hash

Yevgeniy Dodis, Roberto Oliveira, Krzysztof Pietrzak

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The Full-Domain Hash (FDH) signature scheme [3] forms one of the most basic usages of random oracles. It works with a family F of trapdoor permutations (TDP), where the signature of m is computed as f^{-1}(h(m)) (here f ∈_R F and h is modelled as a random oracle). It is known to be existentially unforgeable for any TDP family F [3], although a much tighter security reduction is known for a restrictive class of TDPs [10,14], namely those induced by a family of claw-free permutation (CFP) pairs. The latter result was shown [11] to match the best possible "black-box" security reduction in the random oracle model, irrespective of the TDP family F (e.g., RSA) one might use. In this work we investigate the question whether it is possible to instantiate the random oracle h with a "real" family of hash functions H such that the corresponding schemes can be proven secure in the standard model, under some natural assumption on the family F. Our main result rules out the existence of such instantiations for any assumption on F which (1) is satisfied by a family of random permutations; and (2) does not allow the attacker to invert f ∈_R F on an a-priori unbounded number of points. Moreover, this holds even if the choice of H can arbitrarily depend on f. As an immediate corollary, we rule out instantiating FDH based on general claw-free permutations, which shows that in order to prove the security of FDH in the standard model one must utilize significantly more structure on F than what is sufficient for the best proof of security in the random oracle model.
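
As an added illustration (not part of the paper or of this record), the following Python sketch instantiates FDH with the RSA trapdoor permutation and a concrete hash family H built from SHA-256 with a counter, i.e. exactly the kind of "real" instantiation of h whose standard-model provability the paper rules out under generic assumptions on F. The modulus is a constructed toy built from two Mersenne primes (far too small for real use), and all function names are this example's own. Besides sign/verify it checks the multiplicative relation f^{-1}(x) f^{-1}(y) = f^{-1}(xy) of raw RSA, which is the algebraic structure the hash is there to hide from a forger.

```python
"""Toy RSA-FDH: sign m as f^{-1}(h(m)) with h mapping onto (almost all of) Z_N."""
import hashlib

# Constructed toy key: two Mersenne primes, about 216-bit modulus. NOT secure.
P = (1 << 127) - 1   # 2^127 - 1, prime
Q = (1 << 89) - 1    # 2^89 - 1, prime
E = 65537            # gcd(E, (P-1)(Q-1)) == 1 for these primes


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return ((N, e), (N, d)); d is the trapdoor for f(x) = x^e mod N."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python >= 3.8
    return (n, e), (n, d)


def _mgf(seed: bytes, n_bytes: int) -> bytes:
    """MGF1-style expansion: concatenate SHA-256(seed || counter) blocks."""
    out = b""
    ctr = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n_bytes]


def full_domain_hash(msg: bytes, n: int) -> int:
    """Deterministically map msg to an integer in [1, n), i.e. the full domain of f.

    Each attempt expands (attempt || msg) to k = bitlen(n) bits and rejects
    values >= n instead of reducing mod n, so the output is not biased.
    Since n >= 2^(k-1), every attempt succeeds with probability >= 1/2.
    """
    k = n.bit_length()
    n_bytes = (k + 7) // 8
    attempt = 0
    while True:
        raw = _mgf(attempt.to_bytes(4, "big") + msg, n_bytes)
        cand = int.from_bytes(raw, "big") & ((1 << k) - 1)
        if 0 < cand < n:
            return cand
        attempt += 1


def fdh_sign(sk, msg: bytes) -> int:
    """sigma = f^{-1}(h(m)) = h(m)^d mod N."""
    n, d = sk
    return pow(full_domain_hash(msg, n), d, n)


def fdh_verify(pk, msg: bytes, sig: int) -> bool:
    """Accept iff f(sigma) = sigma^e mod N equals h(m)."""
    n, e = pk
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == full_domain_hash(msg, n)


def raw_rsa_is_multiplicative(sk, m1: bytes, m2: bytes) -> bool:
    """f^{-1}(x) * f^{-1}(y) == f^{-1}(x*y) mod N: the structure h must hide.

    A forger who could find m3 with h(m3) = h(m1) h(m2) mod N would get a
    signature on m3 for free; a random-oracle-like h makes that infeasible.
    """
    n, d = sk
    x, y = full_domain_hash(m1, n), full_domain_hash(m2, n)
    return (pow(x, d, n) * pow(y, d, n)) % n == pow((x * y) % n, d, n)


if __name__ == "__main__":
    pk, sk = keygen()
    msg = b"constructed sample message"
    sig = fdh_sign(sk, msg)
    print("verify ok:", fdh_verify(pk, msg, sig))
    print("tampered rejected:", not fdh_verify(pk, msg + b"!", sig))
    print("raw RSA multiplicative:", raw_rsa_is_multiplicative(sk, msg, b"other"))
```

The rejection-sampling loop in full_domain_hash is what makes the hash "full-domain": a plain 256-bit digest interpreted as an integer would land in a negligible sliver of Z_N, and the FDH proofs in the random oracle model assume h ranges over all of Z_N.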

Original language: English (US)
Title of host publication: Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings
Pages: 449-466
Number of pages: 18
Volume: 3621 LNCS
State: Published - 2006
Event: 25th Annual International Cryptology Conference, CRYPTO 2005 - Santa Barbara, CA, United States
Duration: Aug 14 2005 to Aug 18 2005

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3621 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 25th Annual International Cryptology Conference, CRYPTO 2005
Country: United States
City: Santa Barbara, CA
Period: 8/14/05 to 8/18/05

ASJC Scopus subject areas

  • Computer Science (all)
  • Biochemistry, Genetics and Molecular Biology (all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Oliveira, R., & Pietrzak, K. (2006). On the generic insecurity of the full domain hash. In Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings (Vol. 3621 LNCS, pp. 449-466). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3621 LNCS).

@inproceedings{e4d42eeafe8e43fa8489f1b9b9969de4,
title = "On the generic insecurity of the full domain hash",
author = "Yevgeniy Dodis and Roberto Oliveira and Krzysztof Pietrzak",
year = "2006",
language = "English (US)",
isbn = "3540281142",
volume = "3621 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "449--466",
booktitle = "Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings",
}

TY - GEN

T1 - On the generic insecurity of the full domain hash

AU - Dodis, Yevgeniy

AU - Oliveira, Roberto

AU - Pietrzak, Krzysztof

PY - 2006

Y1 - 2006

UR - http://www.scopus.com/inward/record.url?scp=33745155794&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745155794&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:33745155794

SN - 3540281142

SN - 9783540281146

VL - 3621 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 449

EP - 466

BT - Advances in Cryptology - CRYPTO 2005 - 25th Annual International Cryptology Conference, Proceedings

ER -