Forum: Mikrocontroller und Digitale Elektronik Crypto - Problem

I have to solve the following problem and I am trying to do it since 
more then two weeks, but I have no idea how to solve it. It is an 
assignment for my study and I have to hand in tomorrow, unfortunately I 
am not able to solve it.
So my question, can somebody help me? with some good hints or solutions?

Here is the question:
\textbf{13.10 (Probabilistic full domain hash).} Consider the following 
signature scheme $\mathcal{S} = (G,S,V)$ with the message space 
$\mathcal{M}$, and using a hash function $H: \mathcal{M} \times 
\mathcal{R} \rightarrow \mathbb{Z}_n$:
\begin{equation}
\begin{split}
G():= \{(n,d) \xleftarrow[]{R} RSAGen(\ell,e), \quad pk:=(n,e), \quad 
sk:=(n,d), \quad output (pk,sk)\};\\
S(sk,m) := \{r \xleftarrow[]{R} \mathcal{R}, \quad y \leftarrow H(m,r), 
\quad \sigma \leftarrow y^d \in \mathbb{Z}_n, \quad output (\sigma, 
r)\};\\
V(pk,m,(\sigma,r)) := \{y \leftarrow H(m,r), \quad accept \; if \; y = 
\sigma^e \; and \; reject \; otherwise \}.
\end{split}
\end{equation}

Show that this signature is secure if the RSA assumption holds for 
$(\ell,e)$, the quantity $1/|\mathcal{R}|$ is negligible, and H is 
modeled as a random oracle. Moreover, the reduction to inverting RSA is 
tight.\\
\textbf{Disscusion:} While $\Sm'_{RSA-FDH}$, from Section 13.5, also has 
a tight reduction, the construction here does not use a PRF. The cost is 
that signatures are longer because r is included in the signature.


Thank you very much.