On the Impossibility of Proving Security of Strong-RSA Signatures via the RSA Assumption

We pose a question whether or not the standard RSA assumption is sufficient to prove the security of the strong RSA-based (SRSA-based, for short) signatures. In this paper, we show a negative circumstantial evidence for the question. Namely, several SRSA-based signatures cannot be proven to be sEUF-CMA, or even EUF-KOA, under the RSA assumption as far as a modulus-preserving algebraic reduction is concerned. Our result is obtained as an important application of the adaptive pseudo-free group introduced by Catalano, Fiore and Warinschi that can be regarded as an abstract framework of signatures. We in fact show that the adaptive pseudo-freeness of the RSA group \(\mathbb{Z}_N^\times\) cannot be proven from the RSA assumption via such reductions.

[1]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[2]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[3]  Masayuki Abe,et al.  Topics in Cryptology CT-RSA 2007 , 2007 .

[4]  A. Maximov,et al.  Fast computation of large distributions and its cryptographic applications , 2005 .

[5]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[6]  Jacques Stern,et al.  Twin signatures: an alternative to the hash-and-sign paradigm , 2001, CCS '01.

[7]  Shingo Hasegawa,et al.  On the pseudo-freeness and the CDH assumption , 2009, International Journal of Information Security.

[8]  Yehuda Lindell,et al.  More Efficient Constant-Round Multi-Party Computation from BMR and SHE , 2016, IACR Cryptol. ePrint Arch..

[9]  Brent Waters,et al.  Short and Stateless Signatures from the RSA Assumption , 2009, CRYPTO.

[10]  U. Maurer,et al.  The Equivalence of Strong RSA and Factoring in the Generic Ring Model of Computation , 2011 .

[11]  Jacob C. N. Schuldt,et al.  On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups , 2012, CRYPTO.

[12]  Jens Groth,et al.  Separating Short Structure-Preserving Signatures from Non-interactive Assumptions , 2011, ASIACRYPT.

[13]  Eike Kiltz,et al.  Programmable Hash Functions and Their Applications , 2008, Journal of Cryptology.

[14]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[15]  Ronald L. Rivest On the Notion of Pseudo-Free Groups , 2004, TCC.

[16]  Jorge Luis Villar,et al.  Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption , 2006, ASIACRYPT.

[17]  Mahabir Prasad Jhanwar,et al.  Sampling from Signed Quadratic Residues: RSA Group Is Pseudofree , 2009, INDOCRYPT.

[18]  Jorge Luis Villar Optimal Reductions of Some Decisional Problems to the Rank Problem , 2012, ASIACRYPT.

[19]  Bimal Roy,et al.  Progress in Cryptology - INDOCRYPT 2009, 10th International Conference on Cryptology in India, New Delhi, India, December 13-16, 2009. Proceedings , 2009, INDOCRYPT.

[20]  Bogdan Warinschi,et al.  Adaptive Pseudo-Free Groups and Applications , 2011, IACR Cryptol. ePrint Arch..

[21]  Marc Joye,et al.  How (Not) to design strong-RSA signatures , 2011, Des. Codes Cryptogr..

[22]  Walter Fumy,et al.  Advances in Cryptology — EUROCRYPT ’97 , 2001, Lecture Notes in Computer Science.

[23]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[24]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[25]  Marc Joye,et al.  A Practical and Tightly Secure Signature Scheme Without Hash Function , 2007, CT-RSA.

[26]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[27]  Kenneth G. Paterson,et al.  Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation , 2012, IACR Cryptol. ePrint Arch..

[28]  Kenneth G. Paterson Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings , 2011, EUROCRYPT.

[29]  Sven Schäge,et al.  Twin Signature Schemes, Revisited , 2009, ProvSec.

[30]  Pascal Paillier,et al.  Impossibility Proofs for RSA Signatures in the Standard Model , 2007, CT-RSA.

[31]  Yvo Desmedt Public Key Cryptography — PKC 2003 , 2002, Lecture Notes in Computer Science.

[32]  John P. Steinberger,et al.  The preimage security of double-block-length compression functions , 2011, IACR Cryptol. ePrint Arch..

[33]  Huafei Zhu A Formal Proof of Zhu's Signature Scheme , 2003, IACR Cryptol. ePrint Arch..

[34]  Martijn Stam,et al.  Understanding Adaptivity: Random Systems Revisited , 2012, ASIACRYPT.

[35]  Marc Fischlin The Cramer-Shoup Strong-RSASignature Scheme Revisited , 2003, Public Key Cryptography.

[36]  Shai Halevi,et al.  Secure Hash-and-Sign Signatures Without the Random Oracle , 1999, EUROCRYPT.

[37]  Masayuki Fukumitsu,et al.  Toward Separating the Strong Adaptive Pseudo-freeness from the Strong RSA Assumption , 2013, ACISP.

[38]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[39]  Masayuki Abe,et al.  Group to Group Commitments Do Not Shrink , 2012, EUROCRYPT.

[40]  Manindra Agrawal,et al.  PRIMES is in P , 2004 .

[41]  Adi Shamir,et al.  On the generation of cryptographically strong pseudorandom sequences , 1981, TOCS.

[42]  Daniele Micciancio The RSA Group is Pseudo-Free , 2009, Journal of Cryptology.

[43]  Kefei Chen,et al.  Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings , 2006, ASIACRYPT.

[44]  Masayuki Fukumitsu,et al.  The RSA Group Is Adaptive Pseudo-Free under the RSA Assumption , 2014, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[45]  Yannick Seurin,et al.  On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model , 2012, IACR Cryptol. ePrint Arch..

[46]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[47]  Emmanuel Bresson,et al.  Separation Results on the "One-More" Computational Problems , 2008, CT-RSA.

[48]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[49]  Ran Canetti,et al.  Advances in Cryptology – CRYPTO 2012 , 2012, Lecture Notes in Computer Science.

[50]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[51]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[52]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[53]  Sven Schäge,et al.  Tight Proofs for Signature Schemes without Random Oracles , 2011, EUROCRYPT.

[54]  Tal Malkin Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. Proceedings , 2008, CT-RSA.

[55]  Raghav Bhaskar,et al.  Improved Bounds on Security Reductions for Discrete Log Based Signatures , 2008, CRYPTO.