** Reference:**
* Advances in Cryptology - EUROCRYPT '99.*
Lecture Notes in Computer Science, vol. 1592, Pages 123-139,
Springer-Verlag, 1999.

** Abstract: **
We present a new signature scheme which is existentially unforgeable
under chosen message attacks, assuming some variant of the RSA conjecture.
This scheme is not based on "signature trees", and instead it uses the
so called "hash-and-sign" paradigm. It is unique in that the assumptions
made on the cryptographic hash function in use are well defined and
reasonable (although non-standard).
In particular, we do not model this function as a random oracle.

We construct our proof of security in steps. First we describe and prove a construction which operates in the random oracle model. Then we show that the random oracle in this construction can be replaced by a hash function which satisfies some strong (but well defined!) computational assumptions. Finally, we demonstrate that these assumptions are reasonable, by proving that a function satisfying them exists under standard intractability assumptions.

** Keywords: **
Digital Signatures, RSA, Hash and Sign, The Random Oracle Paradigm,
Smooth Numbers, Chameleon Hashing.

** Availability: **
Paper available as
Gzipped PostScript (65 Kbyte).

Shai Halevi's home page.