The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme

Blind signatures are the central cryptographic component of digital cash schemes. In this paper, we investigate the security of the first such scheme proposed, namely Chaum's RSA-based blind signature scheme, in the random-oracle model. This leads us to formulate and investigate a new class of RSA-related computational problems, which we call the "one-more-RSA-inversion" problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems, have polynomially equivalent computational complexity. This leads to a proof of security for Chaum's scheme in the random-oracle model, based on the assumed hardness of either of these problems.
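The following sketch is an added example, not code from the paper: it runs one round of Chaum's RSA blind signature protocol and shows why the signer behaves as an RSA inversion oracle. The toy key, the SHA-256-based full-domain hash, and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def fdh(msg: bytes) -> int:
    """Toy full-domain hash into Z_N (assumption: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def blind(msg: bytes):
    """User: hide H(msg) behind r^e for a random unit r; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (fdh(msg) * pow(r, E, N)) % N, r


def signer_invert(y: int) -> int:
    """Signer: returns y^d mod N for whatever y it is handed, i.e. it acts
    as an RSA inversion oracle and never sees msg or H(msg)."""
    return pow(y, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """User: (H * r^e)^d * r^-1 = H^d mod N, an ordinary FDH-RSA signature."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(msg: bytes, sig: int) -> bool:
    """Anyone: check sig^e == H(msg) mod N with the public key."""
    return pow(sig, E, N) == fdh(msg)


if __name__ == "__main__":
    m = b"coin-0001"  # constructed sample message
    blinded, r = blind(m)
    sig = unblind(signer_invert(blinded), r)
    print("signer saw:", blinded)
    print("valid:", verify(m, sig))
```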
