In cryptography, the Full Domain Hash (FDH) is an RSA-based signature scheme that follows the hash-and-sign paradigm. It is provably secure (i.e., is existentially unforgeable under adaptive chosen-message attacks) in the random oracle model. FDH involves hashing a message using a function whose image size equals the size of the RSA modulus, and then raising the result to the secret RSA exponent.
In the random oracle model, if RSA is
(t',\epsilon')
(t,\epsilon)
\begin{align} t&=t'-(qhash+qsig+1) ⋅ l{O}\left(k3\right)\\ \epsilon&=\left(1+
1 | |
qsig |
qsig+1 | |
\right) |
⋅ qsig ⋅ \epsilon' \end{align}
For large
qsig
\epsilon\sim\exp(1) ⋅ qsig ⋅ \epsilon'
This means that if there exists an algorithm that can forge a new FDH signature that runs in time t, computes at most
qhash
qsig
\epsilon
\epsilon'
t'