The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme (Q1402372)

From MaRDI portal
Revision as of 19:28, 10 December 2024 by Import241208061232 (talk | contribs) (Normalize DOI.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
scientific article
Language Label Description Also known as
English
The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme
scientific article

    Statements

    The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme (English)
    0 references
    0 references
    0 references
    0 references
    0 references
    27 August 2003
    0 references
    A new useful class of computational problems for public-key cryptology is introduced and studied. There are two well-known functions which are associated with RSA public key protocol \(\text{RSA}_{N,e}(x)= x^e\bmod N\) and \(\text{RSA}^{-1}_{N,e}(y)= y^d\bmod N\), where \(x\), \(y\) are natural integers, \(e\) is an encryption parameter, \(d\) is a decryption parameter, \(ed\equiv 1\bmod \varphi(N)\). The function \(\text{RSA}^{-1}\) is called RSA-inverse. The adversary has access to an oracle for the inverse RSA function in a given target point \(y\). The oracle returns \(y^d\text{\,mod\,}N\) without revealing the integer \(d\). The problems are as follows. In the known-target inversion problem, the adversary, to win, must output the inverses of all given target points, using a number of decryption oracle queries that is one fewer than the number of target points. In the chosen-target inversion problem, the adversary can choose to invert any number of target points and wins as long as the number of decryption oracle queries that it makes is strictly fewer than the number of target points it correctly inverts. The main result is that these two problems have polynomially equivalent complexity. It is shown how this leads to a proof of security for Chaum's RSA-based blind signature scheme. Analogous results are proved for ``one-more-discrete-logarithm'' problems.
    0 references
    Blind digital signature schemes
    0 references
    Digital cash
    0 references
    RSA
    0 references

    Identifiers