On the instantiability of hash-and-sign RSA signatures

Yevgeniy Dodis, Iftach Haitner, Aris Tentes

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The hash-and-sign RSA signature is one of the most elegant and well-known signature schemes, extensively used in a wide variety of cryptographic applications. Unfortunately, the only existing analysis of this popular signature scheme is in the random oracle model, where the resulting idealized signature is known as the RSA Full Domain Hash signature scheme (RSA-FDH). In fact, prior work has shown several "uninstantiability" results for various abstractions of RSA-FDH, where the RSA function was replaced by a family of trapdoor random permutations, or the hash function instantiating the random oracle could not be keyed. These abstractions, however, do not allow the reduction and the hash function instantiation to use the algebraic properties of the RSA function, such as the multiplicative group structure of $\mathbb{Z}_n^*$. In contrast, the multiplicative property of the RSA function is critically used in many standard model analyses of various RSA-based schemes. Motivated by closing this gap, we consider the setting where the RSA function representation is generic (i.e., black-box) but multiplicative, whereas the hash function itself is in the standard model, and can be keyed and exploit the multiplicative properties of the RSA function. This setting abstracts all known techniques for designing provably secure RSA-based signatures in the standard model, and aims to address the main limitations of prior uninstantiability results. Unfortunately, we show that it is still impossible to reduce the security of RSA-FDH to any natural assumption even in our model. Thus, our result suggests that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black-box security proof, or use specific properties of the RSA group that are not captured by its multiplicative structure alone.
We complement our negative result with a positive result, showing that the RSA-FDH signatures can be proven secure under the standard RSA assumption, provided that the number of signing queries is a priori bounded.

Original language: English (US)
Title of host publication: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings
Pages: 112-132
Number of pages: 21
Volume: 7194 LNCS
DOI: https://doi.org/10.1007/978-3-642-28914-9_7
State: Published - 2012
Event: 9th Theory of Cryptography Conference, TCC 2012 - Taormina, Sicily, Italy
Duration: Mar 19 2012 to Mar 21 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7194 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 9th Theory of Cryptography Conference, TCC 2012
Country: Italy
City: Taormina, Sicily
Period: 3/19/12 to 3/21/12

Keywords

  • Black-Box Reductions
  • Full Domain Hash
  • Generic Groups
  • Hash-and-Sign
  • Random Oracle Heuristic
  • RSA Signature

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Haitner, I., & Tentes, A. (2012). On the instantiability of hash-and-sign RSA signatures. In Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings (Vol. 7194 LNCS, pp. 112-132). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7194 LNCS). https://doi.org/10.1007/978-3-642-28914-9_7

@inproceedings{065dd97d1d424a89bd5503e38ed190bb,
title = "On the instantiability of hash-and-sign RSA signatures",
keywords = "Black-Box Reductions, Full Domain Hash, Generic Groups, Hash-and-Sign, Random Oracle Heuristic, RSA Signature",
author = "Yevgeniy Dodis and Iftach Haitner and Aris Tentes",
year = "2012",
doi = "10.1007/978-3-642-28914-9_7",
language = "English (US)",
isbn = "9783642289132",
volume = "7194 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "112--132",
booktitle = "Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings",

}
