In the random oracle model, if RSA is ${\displaystyle (t',\epsilon ')}$-secure, then the full domain hash RSA signature scheme is ${\displaystyle (t,\epsilon )}$-secure where,

${\displaystyle {\begin{aligned}t&=t'-(q_{\text{hash}}+q_{\text{sig}}+1)\cdot {\mathcal {O}}\left(k^{3}\right)\\\epsilon &=\left(1+{\frac {1}{q_{\text{sig}}}}\right)^{q_{\text{sig}}+1}\cdot q_{\text{sig}}\cdot \epsilon '\end{aligned}}}$.

For large ${\displaystyle q_{\text{sig}}}$ this reduces to ${\displaystyle \epsilon \sim \exp(1)\cdot q_{\text{sig}}\cdot \epsilon '}$.

This means that if there exists an algorithm that can forge a new FDH signature that runs in time t, computes at most ${\displaystyle q_{\text{hash}}}$ hashes, asks for at most ${\displaystyle q_{\text{sig}}}$ signatures and succeeds with probability ${\displaystyle \epsilon }$, then there must also exist an algorithm that breaks RSA with probability ${\displaystyle \epsilon '}$ in time ${\displaystyle t'}$.