I've been threatened and I've been told that I'm not allowed to sing, so I'll have to speak now. My boss approves, yes. So I'll be talking about optimal security proofs for full domain hash, revisited. This was joint work between myself and Eike Kiltz.

So let's start off with a brief introduction. RSA Full Domain Hash was introduced by Bellare and Rogaway, and arguably it's one of the most important signature schemes based on RSA. It bears repeating, so we'll just have a quick look at it. We start off with key generation: you pick two random primes of appropriate size and multiply them to get your modulus N. You take an exponent e in Z*_φ(N), mea culpa, and pick a hash function H from {0,1}* to Z*_N. The public key is (N, e, H) and the secret key is (p, q), your prime factors. Signing is pretty simple: you just take the hash of the message, compute its e-th root modulo N, and that's your signature. Given a message-signature pair, you can verify it easily by taking the e-th power of the signature modulo N and comparing it to the hash of m. If they match, we return 1 and accept the signature; otherwise we return 0 and reject it. Note that RSA Full Domain Hash signatures are unique. This is quite a nice property and we'll need it later.

So what we'd like is a tight security proof: we'd like the scheme to be tightly unforgeable in the chosen-message attack scenario. This helps us pick parameters in practice, and tightness is important for that, as we heard earlier. Sadly, all the known proofs are non-tight. And as we heard, in practice people use 1024-bit moduli. What does this mean in theory? What can we theoretically guarantee?

If we get a little bit more formal now: if we assume that it is (t', ε')-hard to invert RSA, then RSA Full Domain Hash is (q_H, q_S, t, ε)-secure, where q_H is the number of hash queries and q_S is the number of signature queries. That is the basic shape of every such theorem. So what would we like? Ideally, we'd like the security loss, which is the security of RSA Full Domain Hash divided by the security of RSA, to be of order 1, which means we get about the full 1024 bits of security. Like I said, we don't have that. So what do we have? Originally, Bellare and Rogaway had a proof whose loss was on the order of the number of hash queries, which is about 2^60. Equivalently, that is about as secure as inverting RSA with a 200-bit modulus, which isn't exactly ideal. Coron in 2000 improved it and got the loss down to about 2^30, the number of signature queries, which brings us to roughly a 500-bit equivalent modulus. Not ideal again. So what Bellare and Rogaway did is they took RSA Full Domain Hash, tweaked it a little, and came up with the Probabilistic Signature Scheme, PSS. This is a different scheme, and it does have a tight reduction, so there we do get the full 1024 bits.

This begs the question: is there something inherent in RSA Full Domain Hash that prevents a tight proof, or is there just something we haven't seen yet? Well, a decade ago in Amsterdam, at Eurocrypt 2002, Coron answered this, and he showed that this loss factor of q_S is optimal and we can't do anything better than that. So are we basically just flogging a dead horse at this point? Well, not quite. This is where we step in.
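To make the scheme concrete, here is a minimal sketch of RSA Full Domain Hash in Python, with assumed toy parameters: the tiny primes, the exponent e = 17, and the use of SHA-256 reduced mod N as a stand-in for a full-domain hash are illustrative choices only, not the real instantiation.

```python
import hashlib
from math import gcd

def keygen():
    p, q = 1009, 1013                 # toy primes; real FDH uses ~512-bit primes
    N = p * q
    phi = (p - 1) * (q - 1)
    e = 17                            # exponent with gcd(e, phi(N)) = 1
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)               # e-th roots are taken via d = e^{-1} mod phi(N)
    return (N, e), (N, d)

def H(m: bytes, N: int) -> int:
    # Stand-in "full domain" hash: hash the message and reduce mod N.
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(sk, m: bytes) -> int:
    N, d = sk
    return pow(H(m, N), d, N)         # signature = e-th root of H(m) mod N

def verify(pk, m: bytes, sig: int) -> bool:
    N, e = pk
    return pow(sig, e, N) == H(m, N)  # accept iff sig^e = H(m) mod N

pk, sk = keygen()
sigma = sign(sk, b"hello")
assert verify(pk, b"hello", sigma)
```

Because the e-th root of H(m) is unique when gcd(e, φ(N)) = 1, every message has exactly one valid signature, which is the uniqueness property used later.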
We revisit this impossibility and optimality result, and it turns out there's a very subtle flaw in the proof: specifically, it doesn't hold for small exponents e. So we took a look at these small exponents, and we saw that we can get a tight proof in exactly the area where Coron's proof falls down. The proof is under the phi-hiding assumption rather than the usual RSA assumption, and phi-hiding is a stronger assumption than RSA; we'll see a little bit of that later. We then do some generalizations and a few extensions, so there's a bit of material to go through now.

All right, so Coron's theorem, stated very informally, says that if there is a reduction from RSA Full Domain Hash to inverting RSA with security loss less than q_S, then we can efficiently invert RSA. Seems simple enough. So what do we have? We have a reduction: it gets an RSA instance and has to output a solution, this value x. How does the reduction achieve this? Well, it has some help. It interacts with a forger F, simulates the UF-CMA game to it, and uses the forger to help it invert RSA. First it takes the public key and sends it over to the forger; there's some communication, they have a nice little chat, and we get a forgery (m*, σ*). Using this forgery, the reduction can then compute x, and everybody's happy. What we do now is build an inverter around all of this, encompassing everything. The inverter simulates the forger, in the signature paradigm of Goldwasser et al.: essentially, it asks the reduction for a signature on some message, rewinds the reduction, and then submits that very signature as its forgery. Now, why does this work? If you recall, RSA Full Domain Hash signatures are unique, so there is exactly one valid forgery for every message. So this all works, and it's all good. But the problem is: why does the key have to be a valid RSA key? Why is the reduction restricted to this? Why can't it do something funny, change the key and embed some other numbers in there which would allow it to compute x more easily? When this happens, we don't really know what goes on anymore. In particular, the signatures might not be unique anymore, and the whole protocol isn't well defined; we're not sure what happens. So this is where the argument falls down, but the good news is we can fix it. What we need is certified RSA, which means the forger gets the extra guarantee that the public function really is a permutation.

This leads to the question: is RSA certified, and what does it mean to be certified? We say RSA is certified if, given any public key (N, e), we can decide in polynomial time whether the RSA function x -> x^e mod N is a permutation. This concept of a certified trapdoor permutation was dealt with by Bellare and Yung. For RSA, what does this mean? It boils down to a simple decision: we need to decide whether the exponent e divides φ(N), where φ is Euler's totient function, or whether gcd(e, φ(N)) = 1. It sounds like a simple question, but we'll see why distinguishing these cases matters. For a large enough prime, that is, for a prime e greater than N, this is easy to decide, because such a prime is larger than φ(N) and therefore cannot divide φ(N).
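Here is a small sketch, with assumed toy parameters, of the dichotomy that certification has to decide: x -> x^e mod N is a permutation of Z*_N exactly when gcd(e, φ(N)) = 1, and it loses information when e divides φ(N). The brute-force enumeration below obviously only works because N is tiny; it is meant to illustrate the two cases, not to be a certification procedure.

```python
from math import gcd

def image_size(N, e):
    # Enumerate Z*_N and count how many distinct values x^e mod N hits.
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    return len({pow(x, e, N) for x in units}), len(units)

p, q = 11, 23                  # toy primes, N = 253, phi(N) = 220
N = p * q

# Case 1: gcd(e, phi(N)) = 1 -> the map is a permutation (injective RSA key).
print(image_size(N, 3))        # (220, 220)

# Case 2: e divides phi(N) -> the map is e-to-1 (lossy RSA key).
print(image_size(N, 5))        # (44, 220), the range shrinks by a factor of e
```

The certification question is precisely to tell these two cases apart when only (N, e) is given, without the factorization, which is trivial for prime e > N and is exactly what the phi-hiding assumption says is hard for small e.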
So we know that it's easy there, but that's a huge prime. It's thought to be hard for e smaller than N^0.25, and we'll get to that in a moment, but if we take that on faith for now, we basically have the following picture. Imagine the value of e increasing along an axis, with the modulus N marked on it: for small e, below N^0.25, we have lossiness; in the middle range, we're not really sure what's going on; and for prime e above N, we know RSA is certified. To be fair, this was the state of affairs when the paper was written. Eike Kiltz, myself, and Alexander May now do have a certification procedure for prime e in that middle range, so we know a bit more, but that's future work.

So we need to look a little more at lossiness, which is the area where the gap in the proof comes in and which we exploit. A function is said to be lossy if there is an alternative key generation algorithm that outputs what we call lossy keys. These lossy keys are indistinguishable from the real keys, and they define a function whose range is smaller than its domain. For RSA, this is the case when e divides φ(N), and the function then becomes e-to-1. RSA was shown to be lossy under the phi-hiding assumption by Kiltz, O'Neill and Smith at Crypto 2010, and the phi-hiding assumption itself was introduced by Cachin, Micali and Stadler in 1999. What the phi-hiding assumption basically states is that, given N and a prime e less than N^0.25, it is hard to distinguish between the case where e divides φ(N) and the case where gcd(e, φ(N)) = 1, which is exactly the pair of cases we need to tell apart.

So we'll now have a look at our main result and how we use this. Our main theorem, very informally, states that if phi-hiding is (t', ε')-hard, then RSA Full Domain Hash is (q_H, q_S, t, ε)-secure, for any q_H and q_S, with t approximately equal to t' and ε approximately equal to 2ε'. I'll quickly sketch the proof; the full proof is in the paper, where you can read it. In Game 0 we have the standard UF-CMA experiment, nothing fancy there. We then switch to Game 1, where we simulate H such that we don't need the secret key for signing anymore; in particular, we achieve this by knowing exactly one valid signature for every message that is queried. In Game 2, we switch our key generation from real to lossy. This goes completely unnoticed by the adversary, but notice that signatures are no longer unique: there are now exactly e valid signatures per message. This means that when we get a forgery, we have a very good probability, specifically 1 - 1/e, of obtaining a collision in the RSA function, and such a collision allows us to factor, which in particular allows us to break phi-hiding. The final security loss is a little less than 2, which is order 1, which is what we set out for at the beginning of this talk. If I could just take you back a little: we have this now, and if we can assume that phi-hiding is as hard as solving RSA, or at least as hard as factoring, then we now do have an ideal-ish security loss of order 1, and we get the full 1024 bits of security that we wanted before. So there's still hope, and it still seems to work.
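The step from a collision to factoring can be made concrete. The sketch below, again with assumed toy parameters, shows a lossy key (e divides p-1 but not q-1): every hash value has exactly e preimages, and any two distinct signatures on the same message agree modulo q but differ modulo p, so their difference reveals a factor of N.

```python
from math import gcd

p, q = 31, 23          # toy primes with e = 5 dividing p - 1 but not q - 1
N = p * q
e = 5

y = pow(7, e, N)       # a "hash value" y = x^e mod N with known preimage x = 7

# Under a lossy key there are exactly e e-th roots of y (found by brute force here).
roots = [s for s in range(1, N) if gcd(s, N) == 1 and pow(s, e, N) == y]
print(len(roots))      # 5

# Any two distinct roots collide in the RSA function and factor N.
s1, s2 = roots[0], roots[1]
factor = gcd(s1 - s2, N)
print(factor, N // factor)   # recovers q and p
```

In the reduction, one of the two colliding values is the signature we planted when simulating H, and the other is the adversary's forgery; since the adversary cannot tell which of the e valid signatures we know, the collision happens with probability 1 - 1/e.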
Now I'm going to give a few extensions and generalizations we did; some of this content doesn't appear in the proceedings version but will appear in the full version of this paper. Firstly, our main theorem extends to any certified trapdoor permutation: you can build TDP Full Domain Hash, and as long as the TDP is a certified trapdoor permutation, you get essentially the same result as before. We can further extend the impossibility, as Coron did in his paper, to any certified unique signature scheme, that is, a signature scheme with unique signatures together with an efficient polynomial-time certification procedure that proves this, and to any hard problem Π. We show that for these certified unique signature schemes the q_S bound cannot be beaten, precisely because of the certification. But I'll gloss over those and move to the more interesting extensions we have.

Our results actually, surprisingly, extend to the Probabilistic Signature Scheme as well. In particular, we have quite an interesting result when we extend to probabilistic signatures with message recovery, whose signing algorithm I'll show briefly. You take the message, concatenate it with some randomness, essentially run a two-step Feistel network, combine the two outputs, and take the inverse under the trapdoor function, which for RSA is the e-th root modulo N. In particular, we have some padding of size k_1 bits, and we have some randomness which we add to the message. Our result comes out like this: if the phi-hiding problem is (t', ε')-hard, then RSA PSS with message recovery is (q_H, q_S, t, ε)-secure, where t is approximately t' and ε is approximately 2ε' plus a small additive factor.

So why do we even use these message-recovery signatures? Well, we're trying to reduce bandwidth and minimize communication. Normally you have to send the message and a signature, but with message recovery we only need to send what we call the enhanced signature. The receiver has a recover function as part of the scheme, which replaces verify: it recovers the message and verifies the signature, and if the signature is valid it gives you the message; otherwise it outputs a special failure symbol. How do we measure how much space we're saving? We use what we call the overhead, which is essentially the difference in size between the enhanced signature and the message. And what does this mean? Well, Bellare and Rogaway needed 160 bits of randomness and 160 bits of padding because of their proof, giving them a total overhead of 320 bits. Coron improved this and required less randomness, and as you saw, our proof is completely independent of the randomness, so we can omit the randomness entirely, leaving us with just 160 bits of padding. These 160 bits come from the birthday paradox, which we get from wanting 80-bit security. And what seems quite interesting is that PSS-R signatures are now comparable to BLS signatures, which is quite an interesting thing we found.

So, to sum up my talk: we revisited Coron's proof, found the subtle flaw, and corrected it. We now have a tight security proof for RSA Full Domain Hash under the phi-hiding assumption.
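To illustrate the structure of the message-recovery encoding, here is a simplified sketch: the choices of SHA-256, an MGF1-style mask generator, and the 160-bit sizes K1 and K0 are assumptions for illustration, and this is not the standardized PSS-R encoding. In the full scheme, the encoded string w || masked is the value to which the RSA trapdoor inverse is applied, and the recover routine runs on sigma^e mod N.

```python
import hashlib, os

K1 = 20            # bytes of hash/padding output (160 bits)
K0 = 20            # bytes of randomness; our proof lets this be 0

def G(w: bytes, n: int) -> bytes:
    # Simple MGF1-style mask generation: expand w to n bytes.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(w + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode(m: bytes) -> bytes:
    r = os.urandom(K0)
    w = hashlib.sha256(m + r).digest()[:K1]        # first Feistel step
    masked = xor(G(w, K0 + len(m)), r + m)          # second Feistel step
    return w + masked                               # real scheme: sigma = (w || masked)^d mod N

def recover(enc: bytes):
    w, masked = enc[:K1], enc[K1:]
    data = xor(G(w, len(masked)), masked)
    r, m = data[:K0], data[K0:]
    if hashlib.sha256(m + r).digest()[:K1] != w:    # consistency check
        return None                                 # special failure symbol
    return m

assert recover(encode(b"bandwidth-saving message")) == b"bandwidth-saving message"
```

The overhead of the enhanced signature over the message is K1 + K0 bytes, which is the 320 bits of Bellare and Rogaway; dropping the randomness, as our proof permits, leaves only the K1 = 160 bits of padding.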
We showed some extensions to certified trapdoor permutations and some generalizations, and we have extensions to PSS and PSS with message recovery. Thank you for your attention; I'll be happy to take questions now.

[Session chair] We have plenty of time for questions. Then let's thank... Oh, sorry. Yes.

[Question about composite exponents e.] I believe I said at the beginning that we need e to be prime. What you can do with a composite e is this: you need to know the prime factorization of e, and then treat it as multiple instances, one for each prime factor. That's how you can handle the composite case, but it's not really a nice way to go about it; e has to be prime.

[Question about the comparison with BLS.] Comparable with BLS: so, the size of the signatures, the overhead you get, it's not really a direct comparison, obviously not. But when you look purely at the communication bandwidth required, you start to get comparable numbers for 80-bit security, because you have 160 bits there for BLS and 160 bits here for PSS-R, which is the size beyond the message, whereas in BLS it's slightly different, since you still have the message and the signature. It's just an interesting comparison we found as we came up with these numbers.

[Question] For PSS, the reduction from the standard assumption, say from RSA, was already tight. Is it the running time that you improved? So what is the point of going to phi-hiding? [Answer] Yes, that was already tight, agreed. But as a result of the exact formulation of the reduction, you get these overhead values. Coron improved the randomness even more, and the reason for going to phi-hiding is that we can do away with the randomness completely. So it's not the running time of the reduction that improves, it's the randomness we reduce, and with it the overhead of the signature with message recovery.

[Session chair] Okay, then let's thank the speaker again.