Paper 2013/256

On the Lossiness of the Rabin Trapdoor Function

Yannick Seurin

Abstract

Lossy trapdoor functions, introduced by Peikert and Waters (STOC~'08), are functions that can be generated in two indistinguishable ways: either the function is injective, and there is a trapdoor to invert it, or the function is lossy, meaning that the size of its range is strictly smaller than the size of its domain. Kakvi and Kiltz (EUROCRYPT 2012) proved that the Full Domain Hash signature scheme based on a lossy trapdoor function has a \emph{tight} security reduction from the lossiness of the trapdoor function. Since Kiltz, O'Neill, and Smith (CRYPTO 2010) showed that the RSA trapdoor function is lossy under the Φ-Hiding assumption of Cachin, Micali, and Stadler (EUROCRYPT~'99), this implies that the RSA Full Domain Hash signature scheme has a \emph{tight} security reduction from the -Hiding assumption (for public exponents ). In this work, we consider the Rabin trapdoor function, \emph{i.e.} modular squaring over . We show that when adequately restricting its domain (either to the set of quadratic residues, or to , the set of positive integers with Jacobi symbol +1) the Rabin trapdoor function is lossy, the injective mode corresponding to Blum integers with , and the lossy mode corresponding to what we call pseudo-Blum integers with . This lossiness result holds under a natural extension of the -Hiding assumption to the case that we call the 2--Hiding assumption. We then use this result to prove that deterministic variants of Rabin-Williams Full Domain Hash signatures have a tight reduction from the 2-/4-Hiding assumption. We also show that these schemes are unlikely to have a tight reduction from the factorization problem by extending a previous ``meta-reduction'' result by Coron (EUROCRYPT 2002), later corrected by Kakvi and Kiltz (EUROCRYPT 2012). These two results therefore answer one of the main questions left open by Bernstein (EUROCRYPT 2008) in his work on Rabin-Williams signatures.

Note: An abridged version of this paper appears in the proceedings of PKC 2014. This is the full version.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in PKC 2014
DOI
10.1007/978-3-642-54631-0_22
Keywords
Rabin trapdoor functionlossy trapdoor functionPhi-Hiding assumptionprovable securityRabin-Williams signaturesmeta-reduction
Contact author(s)
yannick seurin @ m4x org
History
2014-04-15: last of 2 revisions
2013-05-08: received
See all versions
Short URL
https://ia.cr/2013/256
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2013/256,
      author = {Yannick Seurin},
      title = {On the Lossiness of the Rabin Trapdoor Function},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/256},
      year = {2013},
      doi = {10.1007/978-3-642-54631-0_22},
      url = {https://eprint.iacr.org/2013/256}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.