Abstract
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that $\log_2 q_{\mathrm{sig}}$ bits suffice, where $q_{\mathrm{sig}}$ is the number of signature queries made by the attacker. When PSS is used with message recovery, better bandwidth is obtained because longer messages can now be recovered. In this paper, we also introduce a new technique for proving that the security proof of a signature scheme is optimal. In particular, we show that the size of the random salt that we have obtained for PSS is optimal: if fewer than $\log_2 q_{\mathrm{sig}}$ bits are used, then PSS is still provably secure but it cannot have a tight security proof. Our technique applies to other signature schemes such as the Full Domain Hash scheme and Gennaro-Halevi-Rabin's scheme, whose security proofs are shown to be optimal.
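To make the salt-length bound concrete, the following added example (not code from the paper) implements the EMSA-PSS encoding and verification of PKCS #1 v2.1 / RFC 8017 section 9.1, the standardised form of PSS, and derives the salt length from the abstract's rule: a signer that will issue at most q_sig signatures needs ceil(log2 q_sig) bits of salt for a tight proof. SHA-256 with MGF1 is assumed for both the hash and the mask; the function names (`salt_bits_for`, `salt_len_bytes`, `padding_bytes`, `emsa_pss_encode`, `emsa_pss_verify`) and the sample message are this example's own. Because PKCS #1 measures sLen in octets, the bit count is rounded up, and `padding_bytes` reports the zero padding PS that a shorter salt leaves in DB, which is the space a message-recovery variant can spend on message bytes, as the abstract's bandwidth remark describes.

```python
"""EMSA-PSS (PKCS #1 v2.1, RFC 8017 section 9.1) encoding and verification,
plus the salt-length rule from the abstract: log2(q_sig) bits of salt.

Added illustration, not code from the paper. Assumes SHA-256 and MGF1 for
both hash and mask generation; all function names are this example's own.
"""
import hashlib
import secrets
from typing import Optional

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 octets for SHA-256


def salt_bits_for(q_sig: int) -> int:
    """Smallest salt length (bits) with a tight proof for q_sig signatures: ceil(log2 q_sig)."""
    if q_sig < 1:
        raise ValueError("q_sig must be at least 1")
    return (q_sig - 1).bit_length()  # exact integer ceil(log2 q_sig); 0 for q_sig = 1


def salt_len_bytes(q_sig: int) -> int:
    """PKCS #1 measures sLen in octets, so round the bit count up."""
    return (salt_bits_for(q_sig) + 7) // 8


def padding_bytes(em_bits: int, s_len: int) -> int:
    """Length of the zero padding PS left in DB; this is the space a shorter salt frees."""
    return (em_bits + 7) // 8 - HLEN - s_len - 2


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 per RFC 8017 appendix B.2.1: Hash(seed || counter) blocks, truncated."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, s_len: int,
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE: EM = maskedDB || H || 0xbc, with H = Hash(0^64 || Hash(M) || salt)."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + s_len + 2:
        raise ValueError("encoding error: emBits too small for hash + salt")
    if salt is None:
        salt = secrets.token_bytes(s_len)  # fresh random salt on every signature
    if len(salt) != s_len:
        raise ValueError("salt length does not match sLen")
    m_hash = HASH(message).digest()
    h = HASH(bytes(8) + m_hash + salt).digest()
    db = bytes(em_len - s_len - HLEN - 2) + b"\x01" + salt  # PS || 0x01 || salt
    masked_db = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the bits above emBits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY: True only for a consistent encoding of message under this sLen."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1: em_len - 1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False  # bits above emBits must be zero
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # PS must be all zero and followed by the 0x01 separator
    salt = bytes(db[ps_len + 1:])
    h_prime = HASH(bytes(8) + HASH(message).digest() + salt).digest()
    return secrets.compare_digest(h, h_prime)


if __name__ == "__main__":
    q_sig = 2 ** 30                  # budget: at most 2^30 signatures under this key
    s_len = salt_len_bytes(q_sig)    # 30 bits of salt, rounded up to 4 octets
    msg = b"constructed sample message"
    em = emsa_pss_encode(msg, 2047, s_len)
    print("salt bits:", salt_bits_for(q_sig), "octets:", s_len)
    print("PS octets freed versus a 32-octet salt:",
          padding_bytes(2047, s_len) - padding_bytes(2047, HLEN))
    print("verifies:", emsa_pss_verify(msg, em, 2047, s_len))
```

The encoding is what gets fed to the RSA private operation; the RSA step itself is omitted here since the paper's result concerns the padding. Two practical points follow from the abstract: q_sig is the signer's total signature budget under one key, so if that budget is exceeded the proof stops being tight even though PSS remains provably secure; and sLen = 0 makes the encoding deterministic, which is the salt-less, FDH-like end of the range.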
References
M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols. Proceedings of the First Annual Conference on Computer and Communications Security, ACM, 1993.
M. Bellare and P. Rogaway, The exact security of digital signatures-How to sign with RSA and Rabin. Proceedings of Eurocrypt’96, LNCS vol. 1070, Springer-Verlag, 1996, pp. 399–416.
D. Boneh and R. Venkatesan, Breaking RSA may not be equivalent to factoring. Proceedings of Eurocrypt'98, LNCS vol. 1403, Springer-Verlag, 1998, pp. 59–71.
R. Canetti, O. Goldreich and S. Halevi, The random oracle methodology, revisited, STOC'98, ACM, 1998.
J.S. Coron, On the exact security of Full Domain Hash, Proceedings of Crypto 2000, LNCS vol. 1880, Springer-Verlag, 2000, pp. 229–235.
J.S. Coron, Security proofs for PSS and other signature schemes, Cryptology ePrint Archive, Report 2001/062, 2001. http://eprint.iacr.org
R. Cramer and I. Damgård, New generation of secure and practical RSA-based signatures, Proceedings of Crypto’96, LNCS vol. 1109, Springer-Verlag, 1996, pp. 173–185.
R. Cramer and V. Shoup, Signature schemes based on the Strong RSA Assumption, May 9, 2000, revision of the extended abstract in Proc. 6th ACM Conf. on Computer and Communications Security, 1999; To appear, ACM Transactions on Information and System Security (ACM TISSEC). Available at http://www.shoup.net/
W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, IT-22, 6, pp. 644–654, 1976.
C. Dwork and M. Naor, An efficient existentially unforgeable signature scheme and its applications, In J. of Cryptology, 11(3), Summer 1998, pp. 187–208.
FIPS 186, Digital signature standard, Federal Information Processing Standards Publication 186, U.S. Department of Commerce/NIST, 1994.
R. Gennaro, S. Halevi and T. Rabin, Secure hash-and-sign signatures without the random oracle, Proceedings of Eurocrypt'99, LNCS vol. 1592, Springer-Verlag, 1999, pp. 123–139.
S. Goldwasser, S. Micali and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM Journal of computing, 17(2), pp. 281–308, April 1988.
IEEE P1363a, Standard Specifications For Public Key Cryptography: Additional Techniques, available at http://www.manta.ieee.org/groups/1363
A. Lenstra and H. Lenstra (eds.), The development of the number field sieve, Lecture Notes in Mathematics, vol 1554, Springer-Verlag, 1993.
K. Ohta and T. Okamoto, On concrete security treatment of signatures derived from identification. Proceedings of Crypto'98, LNCS vol. 1462, Springer-Verlag, 1998, pp. 354–369.
P. Paillier, Public-key cryptosystems based on composite degree residuosity classes. Proceedings of Eurocrypt'99, LNCS vol. 1592, Springer-Verlag, 1999, pp. 223–238.
PKCS #1 v2.1, RSA Cryptography Standard (draft), available at http://www.rsasecurity.com/rsalabs/pkcs.
D. Pointcheval and J. Stern, Security proofs for signature schemes. Proceedings of Eurocrypt'96, LNCS vol. 1070, Springer-Verlag, 1996, pp. 387–398.
R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM 21, 1978.
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Coron, JS. (2002). Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46035-7_18
DOI: https://doi.org/10.1007/3-540-46035-7_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43553-2
Online ISBN: 978-3-540-46035-0