On the power of claw-free permutations

Yevgeniy Dodis, Leonid Reyzin

Research output: Contribution to journal (Article)

Abstract

The popular random-oracle-based signature schemes, such as Probabilistic Signature Scheme (PSS) and Full Domain Hash (FDH), output a signature of the form ⟨f^{-1}(y), pub⟩, where y somehow depends on the message signed (and pub) and f is some public trapdoor permutation (typically RSA). Interestingly, all these signature schemes can be proven asymptotically secure for an arbitrary trapdoor permutation f, but their exact security seems to be significantly better for special trapdoor permutations like RSA. This leads to two natural questions: (1) can the asymptotic security analysis be improved with general trapdoor permutations?; and, if not, (2) what general cryptographic assumption on f - enjoyed by specific functions like RSA - is "responsible" for the improved security? We answer both these questions. First, we show that if f is a "black-box" trapdoor permutation, then the poor exact security is unavoidable. More specifically, the "security loss" for general trapdoor permutations is Ω(q_hash), where q_hash is the number of random oracle queries made by the adversary (which could be quite large). On the other hand, we show that all the security benefits of the RSA-based variants come into effect once f comes from a family of claw-free permutation pairs. Our results significantly narrow the current "gap" between general trapdoor permutations and RSA to the "gap" between trapdoor permutations and claw-free permutations. Additionally, they can be viewed as the first security/efficiency separation between these basic cryptographic primitives. In other words, while it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, we show that certain important schemes (like FDH and PSS) provably work with either, but enjoy a much better tradeoff between security and efficiency when deployed with claw-free permutations.

Original language: English (US)
Pages (from-to): 55-73
Number of pages: 19
Journal: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 2576
State: Published - 2003

ASJC Scopus subject areas

  • Biochemistry, Genetics and Molecular Biology(all)
  • Computer Science(all)
  • Theoretical Computer Science

Cite this

@article{899e2b52106040dd904b2b4151f8a798,
title = "On the power of claw-free permutations",
author = "Yevgeniy Dodis and Leonid Reyzin",
year = "2003",
language = "English (US)",
volume = "2576",
pages = "55--73",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - On the power of claw-free permutations

AU - Dodis, Yevgeniy

AU - Reyzin, Leonid

PY - 2003

Y1 - 2003

UR - http://www.scopus.com/inward/record.url?scp=35248859171&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248859171&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35248859171

VL - 2576

SP - 55

EP - 73

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -