• Programme
• Writing talks and theses
• Theses topics
• Teaching
  • Winter 2017
  • Summer 2017
  • IPEC Winter 2017
  • Winter 2016/2017
  • IPEC Summer 2016
  • Summer 2016
  • IPEC Winter 2016
  • Winter 2015/2016
  • IPEC Summer 2015
  • Summer 2015
  • IPEC Winter 2015
  • Winter 2014/2015
  • IPEC Summer 2014
  • Summer 2014
  • IPEC Winter 2014
  • Winter 2013/2014
  • IPEC Summer 2013
  • Summer 2013
  • IPEC Winter 2013
  • Winter 2012/2013
  • IPEC Summer 2012
  • Summer 2012
  • IPEC Winter 2012
  • Winter 2011/2012
  • Cryptography
  • Advanced cryptography: light-weight cryptography
  • Seminar Mobile Security
  • Seminar Advanced Topics in Cryptography
  • Oberseminar Computer Security, Winter 2011/2012
  • IPEC Summer 2011
  • Summer 2011
  • IPEC Winter 2011
  • Winter 2010/2011
  • IPEC Summer 2010
  • Summer 2010
  • IPEC Winter 2010
  • Winter 2009/2010
  • IPEC Summer 2009
  • Summer 2009
  • IPEC Winter 2009
  • Winter 2008/2009
  • IPEC Summer 2008
  • Summer 2008
  • IPEC Winter 2008
  • Winter 2007/2008
  • IPEC Summer 2007
  • Summer 2007
  • IPEC Winter 2007
  • Winter 2006/2007
  • IPEC Summer 2006
  • Summer 2006
  • IPEC Winter 2006
  • Winter 2005/2006
• Special events
• crypt@b-it
• Schüler-Krypto

Optimal Security Proofs for Full Domain Hash, Revisited

Eike Kiltz (Ruhr-Universität Bochum)

Thursday 19 January 2012, 15.00, b-it 1.25 (cosec meeting room)

RSA Full Domain Hash (RSA-FDH) is a digital signature scheme, secure
again chosen message attacks in the random oracle model. The best
known security reduction from the RSA assumption is non-tight, i.e.,
it loses a factor of q_s, where q_s is the number of signature queries
made by the adversary. It was furthermore proved by Coron (EUROCRYPT
2002) that a security loss of q_s is optimal and cannot possibly be
improved.

In this work we uncover a subtle flaw in Coron's impossibility
result. Concretely, we show that it only holds if the underlying
trapdoor permutation is certified. Since it is well known that the RSA
trapdoor permutation is (for all practical parameters) not certified,
this renders Coron's impossibility result moot for RSA-FDH. Motivated
by this, we revisit the question whether there is a tight security
proof for RSA-FDH. Concretely, we give a new tight security reduction
from a stronger assumption, the Phi-Hiding assumption introduced by
Cachin et al (EUROCRYPT 1999). This justifies the choice of smaller
parameters in RSA-FDH, as it is commonly used in practice.

Joint work with Saqib Kakvi. To appear at EUROCRYPT 2012.