Paper 2013/256
On the Lossiness of the Rabin Trapdoor Function
Yannick Seurin
Abstract
Lossy trapdoor functions, introduced by Peikert and Waters (STOC~'08), are functions that can be generated in two indistinguishable ways: either the function is injective, and there is a trapdoor to invert it, or the function is lossy, meaning that the size of its range is strictly smaller than the size of its domain. Kiltz, O'Neill, and Smith (CRYPTO 2010) showed that the RSA trapdoor function is lossy under the $\Phi$-Hiding assumption of Cachin, Micali, and Stadler (EUROCRYPT~'99) and used this result to provide a security proof for the RSA-OAEP encryption scheme in the standard model. More recently, Kakvi and Kiltz (EUROCRYPT 2012) used the lossiness of RSA to show that the RSA Full Domain Hash signature scheme has a \emph{tight} security reduction from the $\Phi$-Hiding assumption. In this work, we consider the Rabin trapdoor function, \emph{i.e.} modular squaring over $\mathbb{Z}_{N}^*$. We show that when adequately restricting its domain (either to the set $\mathbb{QR}_{N}$ of quadratic residues, or to $(\mathbb{J}_{N})^+$, the set of positive integers $1\le x\le (N-1)/2$ with Jacobi symbol +1) the Rabin trapdoor function is lossy, the injective mode corresponding to Blum integers $N=pq$ with $p,q\equiv 3\bmod 4$, and the lossy mode corresponding to what we call pseudo-Blum integers $N=pq$ with $p,q\equiv 1 \bmod 4$. This lossiness result holds under a natural extension of the $\Phi$-Hiding assumption to the case $e=2$ that we call the 2-$\Phi/4$-Hiding assumption. We then use this result to prove that deterministic variants of Rabin-Williams Full Domain Hash signatures have a tight reduction from the 2-$\Phi$/4-Hiding assumption, therefore answering one of the main questions left open by Bernstein (EUROCRYPT 2008) in his work on Rabin-Williams signatures.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Rabin trapdoor functionlossy trapdoor functionPhi-Hiding assumptionprovable securityRabin-Williams signatures
- Contact author(s)
- yannick seurin @ m4x org
- History
- 2014-04-15: last of 2 revisions
- 2013-05-08: received
- See all versions
- Short URL
- https://ia.cr/2013/256
- License
-
CC BY