The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme

Abstract. We introduce a new class of computational problems which we call the "one-more-RSA-inversion" problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems, respectively, have polynomially equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for "one-more-discrete-logarithm" problems. Since the appearance of the preliminary version of this paper, the new problems we have introduced have found other uses as well.
