Full Domain Hash

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.

Exact security of full domain hash[edit]

In the random oracle model, if RSA is -secure, then the full domain hash RSA signature scheme is -secure where,

.

For large this boils down to .

This means that if there exists an algorithm that can forge a new FDH signature that runs in time t, computes at most hashes, asks for at most signatures and succeeds with probability , then there must also exist an algorithm that breaks RSA with probability in time .

References[edit]

  • Jean-Sébastien Coron(AF): On the Exact Security of Full Domain Hash. CRYPTO 2000: pp. 229–235 (PDF)
  • Mihir Bellare, Phillip Rogaway: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. EUROCRYPT 1996: pp. 399–416 (PDF)