Full Domain Hash

In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.

In the random oracle model, if RSA is ${\displaystyle (t',\epsilon ')}${\displaystyle (t',\epsilon ')}-secure, then the full domain hash RSA signature scheme is ${\displaystyle (t,\epsilon )}${\displaystyle (t,\epsilon )}-secure where,

${\displaystyle {\begin{aligned}t&=t'-(q_{\text{hash}}+q_{\text{sig}}+1)\cdot {\mathcal {O}}\left(k^{3}\right)\\\epsilon &=\left(1+{\frac {1}{q_{\text{sig}}}}\right)^{q_{\text{sig}}+1}\cdot q_{\text{sig}}\cdot \epsilon '\end{aligned}}}${\displaystyle {\begin{aligned}t&=t'-(q_{\text{hash}}+q_{\text{sig}}+1)\cdot {\mathcal {O}}\left(k^{3}\right)\\\epsilon &=\left(1+{\frac {1}{q_{\text{sig}}}}\right)^{q_{\text{sig}}+1}\cdot q_{\text{sig}}\cdot \epsilon '\end{aligned}}}.

For large ${\displaystyle q_{\text{sig}}}${\displaystyle q_{\text{sig}}} this reduces to ${\displaystyle \epsilon \sim \exp(1)\cdot q_{\text{sig}}\cdot \epsilon '}${\displaystyle \epsilon \sim \exp(1)\cdot q_{\text{sig}}\cdot \epsilon '}.

This means that if there exists an algorithm that can forge a new FDH signature that runs in time t, computes at most ${\displaystyle q_{\text{hash}}}${\displaystyle q_{\text{hash}}} hashes, asks for at most ${\displaystyle q_{\text{sig}}}${\displaystyle q_{\text{sig}}} signatures and succeeds with probability ${\displaystyle \epsilon }${\displaystyle \epsilon }, then there must also exist an algorithm that breaks RSA with probability ${\displaystyle \epsilon '}${\displaystyle \epsilon '} in time ${\displaystyle t'}${\displaystyle t'}.

• Jean-Sébastien Coron(AF): On the Exact Security of Full Domain Hash. CRYPTO 2000: pp. 229–235 (PDF)
• Mihir Bellare, Phillip Rogaway: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. EUROCRYPT 1996: pp. 399–416 (PDF)

• Digital signature schemes
• Theory of cryptography
• Cryptography stubs

• Articles with short description
• Short description is different from Wikidata
• All stub articles