Proving Tight Security for Rabin-Williams Signatures [chapter]

Daniel J. Bernstein
Advances in Cryptology – EUROCRYPT 2008  
This paper proves "tight security in the random-oracle model relative to factorization" for the lowest-cost signature systems available today: every hash-generic signature-forging attack can be converted, with negligible loss of efficiency and effectiveness, into an algorithm to factor the public key. The most surprising system is the "fixed unstructured B = 0 Rabin/Williams" system, which has a tight security proof despite hashing unrandomized messages. At a lower level, the three main accomplishments of the paper are (1) a "B ≥ 1" proof that handles some of the lowest-cost signature systems by pushing an idea of Katz and Wang beyond the "claw-free permutation pair" context; (2) a new expository structure, elaborating upon an idea of Koblitz and Menezes; and (3) a proof that uses a new idea and that breaks through the "B ≥ 1" barrier.
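To make the abstract's factoring reduction concrete, here is an added toy Rabin-Williams example; it is not code from the paper. It assumes constructed primes P ≡ 3 and Q ≡ 7 (mod 8), tweaks e ∈ {1,-1} and f ∈ {1,2}, SHA-256 of the bare message as the B = 0 hash, and an HMAC-keyed rule (an illustrative stand-in for a "fixed" signer) to choose one of the four square roots; the last function shows why two different roots of one square factor N.

```python
import hashlib, hmac
from math import gcd

# Constructed toy key: P ≡ 3, Q ≡ 7 (mod 8); real keys use >= 1024-bit primes.
P, Q = 1000003, 999983
N = P * Q
ROOT_KEY = b"constructed-secret-for-root-choice"  # assumption: signer-side secret

def legendre(a, p):
    """Euler's criterion: 1 if a is a nonzero square mod p, p-1 if not, 0 if p | a."""
    return pow(a % p, (p - 1) // 2, p)

def tweak(h):
    """Pick (e, f) in {1,-1}x{1,2} making e*f*h a square mod P and Q. Since -1 and 2
    have symbols (-1,-1) and (-1,+1) here, exactly one pair works when gcd(h,N)==1."""
    for e in (1, -1):
        for f in (1, 2):
            if legendre(e * f * h, P) == 1 and legendre(e * f * h, Q) == 1:
                return e, f
    raise ValueError("hash not coprime to N")

def all_roots(v):
    """The four square roots of residue v mod N (P, Q ≡ 3 mod 4 => v^((p+1)/4))."""
    rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
    inv = pow(P, -1, Q)  # CRT: lift (a mod P, b mod Q) to one value mod N
    return sorted({(a + P * (((b - a) * inv) % Q)) % N
                   for a in (rp, P - rp) for b in (rq, Q - rq)})

def H(msg):
    """B = 0: the message itself is hashed, with no random prefix."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg):
    """(e, f, s) with e*f*s^2 ≡ H(msg) mod N; the root is fixed per message by
    a keyed rule, and the signature does not reveal which of the four it is."""
    h = H(msg)
    e, f = tweak(h)
    roots = all_roots(h * pow((e * f) % N, -1, N) % N)  # s^2 = h / (e*f)
    pick = hmac.new(ROOT_KEY, msg, "sha256").digest()[0] % 4
    return e, f, roots[pick]

def verify(msg, sig):
    e, f, s = sig
    return (e * f * s * s) % N == H(msg)

def factor_from_roots(s1, s2):
    """Roots of one square with s1 != ±s2: (s1-s2)(s1+s2) ≡ 0 mod N, so the gcd
    is P or Q. A forger producing a root the signer would not pick factors N."""
    d = gcd((s1 - s2) % N, N)
    return d if 1 < d < N else None
```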
doi:10.1007/978-3-540-78967-3_5 dblp:conf/eurocrypt/Bernstein08 fatcat:uhxpjg44bzgq7lmt33fvx7va4e