Proving Tight Security for Rabin-Williams Signatures

This paper proves “tight security in the random-oracle model relative to factorization” for the lowest-cost signature systems available today: every hash-generic signature-forging attack can be converted, with negligible loss of efficiency and effectiveness, into an algorithm to factor the public key. The most surprising system is the “fixed unstructured B = 0 Rabin/Williams” system, which has a tight security proof despite hashing unrandomized messages. At a lower level, the three main accomplishments of the paper are (1) a “B ≥ 1” proof that handles some of the lowest-cost signature systems by pushing an idea of Katz and Wang beyond the “claw-free permutation pair” context; (2) a new expository structure, elaborating upon an idea of Koblitz and Menezes; and (3) a proof that uses a new idea and that breaks through the “B ≥ 1” barrier. B, number of bits of hash randomization large B B = 1 B = 0: no random bits in hash input Variable unstructured Rabin/Williams tight security (1996 Bellare/Rogaway) no security (easy attack) no security (easy attack) Variable principal Rabin/Williams tight security (this paper) loose security loose security∗ Variable RSA tight security (1996 Bellare/Rogaway) loose security (1993 Bellare/Rogaway) loose security (1993 Bellare/Rogaway) Fixed RSA tight security (1996 Bellare/Rogaway) tight security (2003 Katz/Wang) loose security (1993 Bellare/Rogaway) Fixed principal Rabin/Williams tight security (this paper) tight security (this paper) loose security∗ Fixed unstructured Rabin/Williams tight security (1996 Bellare/Rogaway) tight security (this paper) tight security (this paper) Table 1. Proven lower bounds on “security in the random-oracle model” relative to roots (for RSA) or factorization (for Rabin/Williams). 1996 Bellare/Rogaway proved tight security for RSA and outlined a proof for unstructured Rabin/Williams, but specifically prohibited principal Rabin/ Williams and required large B. 1999 Kurosawa/Ogata claimed tight security for principal B = 0 Rabin/Williams (starred entries in the table), but the Kurosawa/Ogata “proof” has a fatal flaw and the “theorem” appears unsalvageable. 2003 Katz/Wang introduced a new proof allowing B as small as 1 for “claw-free permutation pairs,” but “claw-free permutation pairs” are not general enough to cover Rabin/Williams. This paper generalizes the Katz/Wang idea to cover Rabin/ Williams, and introduces a new security proof covering fixed unstructured B = 0 Rabin/Williams. 2 Daniel J. Bernstein