{"author":[{"full_name":"Dodis, Yevgeniy","first_name":"Yevgeniy","last_name":"Dodis"},{"first_name":"Roberto","last_name":"Oliveira","full_name":"Oliveira, Roberto"},{"full_name":"Krzysztof Pietrzak","first_name":"Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654"}],"date_updated":"2021-01-12T07:41:50Z","date_created":"2018-12-11T12:02:03Z","title":"On the generic insecurity of the full domain hash","page":"449 - 466","_id":"3212","day":"12","year":"2005","quality_controlled":0,"doi":"10.1007/11535218_27","intvolume":" 3621","alternative_title":["LNCS"],"publist_id":"3470","type":"conference","publication_status":"published","extern":1,"volume":3621,"citation":{"chicago":"Dodis, Yevgeniy, Roberto Oliveira, and Krzysztof Z Pietrzak. “On the Generic Insecurity of the Full Domain Hash,” 3621:449–66. Springer, 2005. https://doi.org/10.1007/11535218_27.","ama":"Dodis Y, Oliveira R, Pietrzak KZ. On the generic insecurity of the full domain hash. In: Vol 3621. Springer; 2005:449-466. doi:10.1007/11535218_27","apa":"Dodis, Y., Oliveira, R., & Pietrzak, K. Z. (2005). On the generic insecurity of the full domain hash (Vol. 3621, pp. 449–466). Presented at the CRYPTO: International Cryptology Conference, Springer. https://doi.org/10.1007/11535218_27","ieee":"Y. Dodis, R. Oliveira, and K. Z. Pietrzak, “On the generic insecurity of the full domain hash,” presented at the CRYPTO: International Cryptology Conference, 2005, vol. 3621, pp. 449–466.","short":"Y. Dodis, R. Oliveira, K.Z. Pietrzak, in:, Springer, 2005, pp. 449–466.","ista":"Dodis Y, Oliveira R, Pietrzak KZ. 2005. On the generic insecurity of the full domain hash. CRYPTO: International Cryptology Conference, LNCS, vol. 3621, 449–466.","mla":"Dodis, Yevgeniy, et al. On the Generic Insecurity of the Full Domain Hash. Vol. 3621, Springer, 2005, pp. 449–66, doi:10.1007/11535218_27."},"publisher":"Springer","month":"09","abstract":[{"lang":"eng","text":"The Full-Domain Hash (FDH) signature scheme [3] forms one the most basic usages of random oracles. It works with a family F of trapdoor permutations (TDP), where the signature of m is computed as f−1(h(m)) (here f ∈R F and h is modelled as a random oracle). It is known to be existentially unforgeable for any TDP family F [3], although a much tighter security reduction is known for a restrictive class of TDP’s [10,14] — namely, those induced by a family of claw-free permutations (CFP) pairs. The latter result was shown [11] to match the best possible “black-box” security reduction in the random oracle model, irrespective of the TDP family F (e.g., RSA) one might use.\nIn this work we investigate the question if it is possible to instantiate the random oracle h with a “real” family of hash functions H such that the corresponding schemes can be proven secure in the standard model, under some natural assumption on the family F. Our main result rules out the existence of such instantiations for any assumption on F which (1) is satisfied by a family of random permutations; and (2) does not allow the attacker to invert f ∈R F on an a-priori unbounded number of points. Moreover, this holds even if the choice of H can arbitrarily depend on f. As an immediate corollary, we rule out instantiating FDH based on general claw-free permutations, which shows that in order to prove the security of FDH in the standard model one must utilize significantly more structure on F than what is sufficient for the best proof of security in the random oracle model."}],"status":"public","date_published":"2005-09-12T00:00:00Z","acknowledgement":"Supported by NSF CAREER Award CCR-0133806 and TC Grant No.CCR-0311095. Supported by the Swiss National Science Foundation, project No. 200020-103847/1","conference":{"name":"CRYPTO: International Cryptology Conference"}}