Full Domain Hash

From HandWiki
Short description: Cryptographic signature scheme

In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.

Exact security of full domain hash

In the random oracle model, if RSA is [math]\displaystyle{ (t', \epsilon') }[/math]-secure, then the full domain hash RSA signature scheme is [math]\displaystyle{ (t, \epsilon) }[/math]-secure where,

[math]\displaystyle{ \begin{align} t &= t' - (q_\text{hash} + q_\text{sig} + 1) \cdot \mathcal{O}\left(k^3\right) \\ \epsilon &= \left(1 + \frac{1}{q_\text{sig}}\right)^{q_\text{sig} + 1} \cdot q_\text{sig} \cdot \epsilon' \end{align} }[/math].

For large [math]\displaystyle{ q_\text{sig} }[/math] this reduces to [math]\displaystyle{ \epsilon \sim \exp(1)\cdot q_\text{sig} \cdot \epsilon' }[/math].

This means that if there exists an algorithm that can forge a new FDH signature that runs in time t, computes at most [math]\displaystyle{ q_\text{hash} }[/math] hashes, asks for at most [math]\displaystyle{ q_\text{sig} }[/math] signatures and succeeds with probability [math]\displaystyle{ \epsilon }[/math], then there must also exist an algorithm that breaks RSA with probability [math]\displaystyle{ \epsilon' }[/math] in time [math]\displaystyle{ t' }[/math].

References

  • Jean-Sébastien Coron(AF): On the Exact Security of Full Domain Hash. CRYPTO 2000: pp. 229–235 (PDF)
  • Mihir Bellare, Phillip Rogaway: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. EUROCRYPT 1996: pp. 399–416 (PDF)