On the Instantiability of Hash-and-Sign RSA Signatures


Yevgeniy Dodis, Iftach Haitner, Aris Tentes

December 29, 2011

Abstract

The hash-and-sign RSA signature is one of the most elegant and well known signature schemes, extensively used in a wide variety of cryptographic applications. Unfortunately, the only existing analysis of this popular signature scheme is in the random oracle model, where the resulting idealized signature is known as the RSA Full Domain Hash signature scheme (RSA-FDH). In fact, prior work has shown several uninstantiability results for various abstractions of RSA-FDH, where the RSA function was replaced by a family of trapdoor random permutations, or the hash function instantiating the random oracle could not be keyed. These abstractions, however, do not allow the reduction and the hash function instantiation to use the algebraic properties of the RSA function, such as the multiplicative group structure of Z_n^*. In contrast, the multiplicative property of the RSA function is critically used in many standard model analyses of various RSA-based schemes. Motivated by closing this gap, we consider the setting where the RSA function representation is generic (i.e., black-box) but multiplicative, whereas the hash function itself is in the standard model, and can be keyed and exploit the multiplicative properties of the RSA function. This setting abstracts all known techniques for designing provably secure RSA-based signatures in the standard model, and aims to address the main limitations of prior uninstantiability results. Unfortunately, we show that it is still impossible to reduce the security of RSA-FDH to any natural assumption even in our model. Thus, our result suggests that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black box security proof, or use specific properties of the RSA group that are not captured by its multiplicative structure alone.
We complement our negative result with a positive result, showing that the RSA-FDH signatures can be proven secure under the standard RSA assumption, provided that the number of signing queries is a-priori bounded.

Keywords: RSA Signature, Hash-and-Sign, Full Domain Hash, Random Oracle Heuristic, Generic Groups, Black-Box Reductions.

Department of Computer Science, New York University. E-mail: dodis@cs.nyu.edu. School of Computer Science, Tel Aviv University. E-mail: iftachh@cs.tau.ac.il. Department of Computer Science, New York University. E-mail: tentes@cs.nyu.edu.

Contents

1 Introduction
1.1 Our Results
1.2 Our Technique
1.3 Other Related Work
2 Preliminaries
2.1 Notations
2.2 Useful Linear Algebra Facts
3 RSA-FDH in the Generic Group Model
3.1 RSA-FDH Signature Scheme
3.2 The Generic Group Model
3.3 RSA-FDH Signature Schemes in the Generic Group Model
4 There Exists No RSA-FDH with a Weakly Black-Box Proof
    The Forger
    The Emulator
    Putting it Together
5 Proving Lemma 4.16 via the Short Description Paradigm
    Short description of Π_ϕ(n): First attempt
        Reconstructing π
        Description length
    Short description of Π_ϕ(n): The actual approach
        Description length
        Reconstructing π
        Describing the solution sets
        Removing the simplifying assumption about C
    Missing Proofs
6 A t-EU-CMA-secure RSA-FDH Signature Scheme

1 Introduction

Bellare and Rogaway [2] introduced the random oracle (RO) model, as a paradigm for designing efficient protocols. When following this paradigm, one first builds a provably secure scheme assuming that access to a random function is given, and (possibly) assuming some standard hardness assumption (e.g., factoring is hard). Then one instantiates the scheme by replacing the random function with some concrete hash function (e.g., SHA-1). The intuition underlying this paradigm is that a successful attack on the resulting scheme should indicate (unexpected) weaknesses of the hash function used. This paradigm (also known as the random oracle heuristic) has led to several highly efficient constructions that are widely used in practice, such as the RSA Full Domain Hash signature scheme (RSA-FDH) [2] and the RSA Optimal Asymmetric Encryption Padding scheme (RSA-OAEP) [3]. Typically, however, little is known about the provable security of such popular schemes in the standard model. In particular, it is unknown whether we can reduce their security to some natural assumption. In this work we revisit this question once again, focusing, in particular, on the instantiability of the RSA hash-and-sign signatures.

The RSA signature [32] is one of the most elegant and well known signature schemes. It is extensively used in a wide variety of applications, and serves as the basis of several existing standards such as PKCS #1 [33]. In its textbook form, the signature σ of the message m is simply σ = m^d mod n, which can be verified by checking if σ^e ≡ m mod n, where e is the public RSA exponent, and d = e^{-1} mod ϕ(n). Of course, the textbook variant is completely insecure, as any σ is a valid signature of some message m = σ^e mod n. The traditional fix, known as RSA hash-and-sign signature, is to hash the message m before signing it using some appropriate hash function h (i.e., σ = h(m)^d mod n). The key question is how to instantiate this function h?
Bellare and Rogaway [2] showed that in the random oracle model, where h is modeled as a truly random function (freely available to all the parties including the adversary), the resulting RSA hash-and-sign signature (which they called RSA Full Domain Hash, for short, RSA-FDH) is secure assuming that the (standard) RSA assumption holds. When considering an actual instantiation of h, though, a moment's reflection shows that all known security notions for hash functions, such as collision-resistance or pseudorandomness, do not appear to help. In fact, even more esoteric notions, such as perfect one-way hash functions or verifiable random functions [5], are not sufficient either. On the other hand, no significant attacks on RSA-FDH signatures are known when h is instantiated using popular cryptographic hash functions, such as SHA-1. This gave rise to the following important question, which is the main focus of this paper.

Is there an instantiation of the RSA-FDH signature scheme (namely, of the hash function h) that can be proven secure under a natural assumption in the standard model?

Of course, for any concrete hash function, one can reduce the security of RSA-FDH signatures to that of RSA-FDH signatures, which is not very useful. So it is important that the assumption used to argue the security of the scheme should be considerably simpler than the chosen message attack on RSA signatures. The best case scenario would be a reduction to the one-wayness of the RSA function (i.e., the standard RSA assumption), which is indeed what happened in the idealistic RO model. Unfortunately, we seem to be very far from this goal. In fact, several works, which we survey next, showed various arguments suggesting that no such reduction is likely to exist.

Existing Impossibility Results. It is well known that in the general case the random oracle heuristic is false. Specifically, there exist schemes secure in the random oracle model that cannot be instantiated by any concrete hash function [7, 8, 27, 18, 4]. Most counter-examples of this kind, however, are rather artificial, and do not shed much light on the security of concrete schemes used in practice. The works that seem most relevant to the focus of this paper are those of [13] and [28], described below (other related work is discussed in Section 1.3).

Dodis et al. [13] considered a generalization of RSA-FDH signatures, known as (general) Full Domain Hash (FDH) signatures. In such signatures, the signer has access to an arbitrary trapdoor permutation f, and sets σ = f^{-1}(h(m)).[footnote 1] The main result of [13] rules out proving the security of an instantiation of FDH by reducing it to the one-wayness of f (or more generally, to any assumption on f that is satisfied by a random trapdoor permutation). Their result, however, does not capture reductions that use additional assumptions about f. In particular, it seems likely that if a proof of security of some instantiation of RSA-FDH does exist, then it would use the algebraic properties of the RSA function. To demonstrate this point, we present (see Section 1.1) an instantiation of RSA-FDH under the standard RSA assumption that is secure as long as the number of signing queries is a-priori bounded.[footnote 2] Our reduction is black box, and critically uses the algebraic properties of Z_n^*. (Indeed, [13] showed that even one-time security of general FDH signatures cannot be black-box reduced to the one-wayness of the trapdoor permutation.) In addition, the RSA-based signatures [16, 10, 22], which can be proven secure in the standard model (but, alas, no longer have the simple syntax of the RSA signature), critically use the algebraic properties of the RSA function.
Finally, even in the random oracle model, tighter security bounds are sometimes achieved using the algebraic properties of RSA (cf. [9], as compared to the generic proofs from trapdoor permutations [2, 12]).

More recently, Paillier [28] looked at the question of instantiating RSA-FDH using a fixed hash function (as opposed to a keyed family), and showed that no such instantiation can be black-box reduced to the traditional RSA assumption, assuming the so called RSA non-malleability assumption. Informally, this assumption states that calling the RSA inverter on arbitrary permitted inputs (n', e') ≠ (n, e) does not help in breaking the instance (n, e). We remark that, as observed by Paillier [28], this assumption is false for various reasonable interpretations of permitted tuples (n', e'). More significantly, although the restriction to a fixed hash function h is consistent with the existing use in practice, from a theoretical perspective this assumption is somewhat restrictive. For example, while the result of Paillier [28] rules out proving even one-time security of RSA-FDH, our positive result (see Section 1.1) circumvents this impossibility result by using a keyed hash family.

1.1 Our Results

Our main result is a new negative result regarding the instantiability of RSA-FDH, which addresses some of the limitations of the previous negative results of [13, 28]. To motivate this result, we start by describing our already mentioned positive result.

Theorem 1.1 (Informal). Under the standard RSA assumption, for every polynomial t there exists an instantiation of RSA-FDH that is existentially unforgeable against t(k) signing queries (where k is the security parameter). Furthermore, the reduction treats the group Z_n^* and the potential adversary in a black-box way.

The claimed construction is fully described in Section 6, but here we highlight some of its features. First, the result only works for bounded values of t, since the description length of the constructed hash function is polynomial (quadratic) in the number of signing queries. Second, our construction uses a keyed family of hash functions (which is needed to overcome the impossibility result of [28]). Third, the hash function depends on the RSA modulus n and critically uses the multiplicative structure of the RSA function (which is needed to overcome one of the impossibility results of [13]). Finally, our reduction does not use any other properties of the RSA function besides its multiplicative homomorphism over Z_n^*. Formally, this means that the reduction works given only oracle access to the multiplication and the inversion operations of Z_n^*.

We now turn to our main, negative result, which can be informally stated as follows:

Theorem 1.2 (Informal). It is impossible to reduce the security of an instantiation of RSA-FDH to a natural assumption (and in particular to the hardness of RSA), provided that (1) the reduction treats the potential adversary in a black-box way; (2) the public exponent e used by the scheme is prime with non-negligible probability; (3) the instantiation only uses the multiplicative properties of Z_n^*, and should relativize to any group isomorphic to Z_n^*.

We now explain this result in more detail. First, our result holds even if the hash function h is allowed to be keyed, and, moreover, to depend on the RSA modulus n (which was used in our positive result). More significantly, we allow both the hash function and the hypothetical security reduction R to use the multiplicative structure of Z_n^*. Finally, we not only rule out reductions to the standard RSA assumption, but also to other non-interactive RSA-type assumptions, such as the strong RSA assumption. However, our result also has three limitations, (1)-(3).

Footnote 1: As in the case of RSA-FDH signatures, FDH signatures are known to be secure when the hash function is modeled as a truly random function [2].
Footnote 2: With a different motivation, the same result was independently obtained by [21].
First, and least important, is the assumption that the reduction must treat the adversary in a black-box way. This limitation is met by most existing reductions, and is also quite standard in most black-box impossibility results. Technically, it means that the reduction should work given oracle access to any (even inefficient) attacker breaking the security of RSA-FDH. Second, and more significant, is the fact that our current proof relies on the fact that the instantiation will use a prime exponent e (at least with non-negligible probability). Although this limitation appears to be an odd artifact of our specific proof technique, and also seems to be met by most known RSA instantiations, it does leave a possibility for a secure RSA-FDH instantiation always using some composite exponent e. Finally, and most significantly, we assume that the reduction treats the multiplicative RSA group Z_n^* in a black-box manner. This is formalized (see Section 3) using the notion of generic groups [35, 26, 24]. Informally, though, it means that nothing is assumed about a group element, apart from what was revealed through the performed group operations (i.e., multiplication, inverse and equality check). In particular, an algorithm that treats Z_n^* in a black-box way should perform equally well given oracle access to any group isomorphic to Z_n^* (without knowing the isomorphism). With this intuition in mind, we can interpret Theorem 1.2 as an indication that in order to prove the security of a given instantiation of RSA-FDH, one should use a non-black box security proof, or use properties of the RSA group that are not captured by the generic group abstraction. To the best of our knowledge, all known positive results on building RSA-type signatures, including our new positive result in Theorem 1.1, the standard model constructions of [16, 10, 22], and the random-oracle based analysis of [2, 9], treat Z_n^* as a black-box, and only use its multiplicative structure. Thus, although still restrictive, our result rules out all known techniques for proving the security of RSA-based signatures, which was not the case for the previous results of [13, 28]. Still, the restriction of the reduction to only use the multiplicative structure of Z_n^* is quite significant, which raises the question whether this restriction could be relaxed.

Removing Generic Groups? Unfortunately, removing (or even relaxing) the above mentioned restriction appears to be very challenging. Intuitively, with our current techniques (see more below) we must be able to construct an algorithm Forger which, given any (family of) hash function(s) h, should be able to (1) break the RSA-FDH instantiation using this h, and, yet, (2) do so by only forging the signature which the reduction R must already know (so that Forger never helps R compute something which R does not know to begin with, potentially helping R to break some hardness assumption). In particular, satisfying the conflicting properties (1) and (2) seems to require some kind of reverse-engineering (or de-obfuscation) techniques on h which seem to be completely beyond our current capabilities, without placing any restriction on the reductions we allow. Indeed, the introduction of the generic group model was precisely the step which (a) allowed our forger to reverse engineer the given hash function h (so as to provably satisfy properties (1)-(2) above), and, yet, (b) allowed the reduction to use the algebraic properties of Z_n^*.

1.2 Our Technique

On a very high level, our proof follows the approach of Dodis et al. [13] used to prove that there exists no fully black-box reduction from (general) FDH signature schemes to the one-wayness of random functions. [13] defined an oracle Forger relative to which no FDH signature scheme is secure, yet Forger does not help inverting a random function.
In more detail, on input (h, {σ_i}_{i∈[t]}), Forger checks that (1) {σ_i} are valid signatures for the messages 1, ..., t (i.e., f(σ_i) = h(i) for every i ∈ [t], where f is the random function), (2) the evaluation of h(1), ..., h(t) does not query f on any element of {σ_i}, and (3) t is at least equal to |h|, the description size of h. If positive, Forger returns the signature of 0 (i.e., f^{-1}(h(0))). It is clear that Forger can be used to break the existential security of any FDH scheme: the attacker uses Sign, the signer of the scheme, to compute {σ_i}_{i∈[t]} for some t ≥ |h|, and then calls Forger on (h, {σ_i}), where we assume without loss of generality that condition (2) above holds with respect to this query (otherwise, faking a signature without Forger is easy). On the other hand, [13] showed that an efficient algorithm (with oracle access to f, but not to Sign) cannot provide all these signatures. Thus, Forger is useless in these settings, and in particular a black-box reduction (i.e., algorithm) cannot make use of Forger for inverting a random function, proving the main result of [13].

Intuitively, Forger is useless for an algorithm with no access to Sign, for the following reason. Fix some efficient oracle-aided algorithm R and let {0, 1}^n be the domain of the random function f. Since a random function is one way, the only elements that R can invert are those elements it previously received as answers to its f-queries. Hence (since f is random), R only knows how to invert random elements inside {0, 1}^n. Since it takes at least t bits to describe t random elements in {0, 1}^n (actually, it takes tn bits) and since the evaluation of h(1), ..., h(t) does not query f on elements inside {σ_i}_{i∈[t]}, there must exist h(i) ∈ {h(1), ..., h(t)} that R does not know how to invert, and thus R cannot provide a valid signature for the message i.

Moving to our setting, we focus for concreteness on fully black-box reductions from RSA-FDH to the hardness of RSA (i.e., such reductions use the multiplicative RSA group Z_n^* and the adversary in a black-box way). The black-boxness in the RSA group tells us that such a reduction should work with respect to any group isomorphic to Z_n^*. In particular, it should work well with respect to the group π(Z_n^*), obtained by renaming the elements of Z_n^* according to a random permutation π over Z_n^* (i.e., a ∘ b is defined as π(π^{-1}(a) · π^{-1}(b) mod n)). Given the above understanding, the first attempt would be to define Forger analogously to that of [13]. Namely, on input (n, e, h, {σ_i}_{i∈[t]}), Forger checks that (1) σ_i^e ≡ h(i) for every i ∈ [t], (2) the evaluation of h(1), ..., h(t) does not compute σ_i for any i ∈ [t], and (3) t ≥ |h|. If positive, Forger returns the signature of 0 (i.e., h(0)^d, for d = e^{-1} mod ϕ(n)), where all group operations are over the group π(Z_n^*). We would like to argue that if π is chosen at random, then the only way to make a non-aborting query to Forger is via using Sign, the signer of the scheme. It would then follow that Forger is useless for an algorithm R that has no access to Sign (and in particular to a black-box reduction). It turns out, however, that in our settings such R can make non-aborting calls to Forger. The issue is that, unlike in the setting of [13], R can make use of the algebraic structure of Z_n^* to construct a non-aborting query to Forger. For instance, R can compute {j^e}_{j∈[l]}, and assuming some reasonable mapping M from [t = l^2] to {j · k}_{j,k∈[l]}, let h(i) = M(i)^e mod n and σ_i = M(i). Since the evaluation of h(1), ..., h(t) does not query an element of {σ_i}_{i∈[t]}, it follows that (n, e, h, {σ_i}_{i∈[t]}) is a non-aborting query.[footnote 3] Alternatively, if R can break the RSA assumption over π(Z_n^*) (say, if it knows the factorization of n), then it can set h(i) = i and compute σ_i = h(i)^d (using the factorization of n to compute d). Fortunately, we manage to prove that a non-aborting query of R is either degenerated (as in the first example) or indicates that R knows the factorization of n. To handle the first case, we change Forger to identify and abort on degenerated queries,
where we also show that it is easy to forge a signature with respect to a degenerated h (i.e., an h that is part of a degenerated query), even without the help of Forger. Namely, we show that there is no secure RSA-FDH scheme relative to the modified Forger. We then show that with respect to this modified Forger, one can efficiently extract the factorization of n from an algorithm that produces a non-aborting query. It follows that for any efficient algorithm R with oracle access to Forger, there exists an efficient algorithm, with no access to Forger, that emulates R^Forger well. In other words, we prove that Forger is useless for the class of efficient algorithms with no oracle access to Sign. Proving the above intuition is the main challenge of this work, and we achieve that using a novel adaptation of the Gennaro and Trevisan [15] short description paradigm, described below, to the generic groups realm.[footnote 4]

The Gennaro and Trevisan short description paradigm and its adaptation to generic groups. Loosely, Gennaro and Trevisan [15] show that an efficient algorithm that inverts a random function too well can be used to give a too short description for a random function (and thus cannot exist). This elegant approach has turned out to be an extremely powerful approach for proving impossibility results in the random functions realm, which typically imply black-box impossibility results for constructions based on one-way functions/permutations. While the Gennaro and Trevisan paradigm (from now on, the GT paradigm) has several extensions (e.g., [17, 37, 20, 19, 31]), all are given in the random functions realm. We would like to apply a similar approach for arguing that an algorithm that makes a non-aborting query to Forger can either be used to factor n, or to compress the random permutation π (which defines the group π(Z_n^*)). Since compressing π is impossible, it follows that a non-aborting query of such an algorithm can be used to factor n. Hence, such queries can be answered efficiently, yielding the existence of an efficient emulator (without access to Forger) for any efficient algorithm.[footnote 5]

Extending the GT paradigm to our settings involves many complications. The main part of the GT paradigm is using the (hypothetical) attacker to reconstruct a random function using (too) short advice. This reconstruction involves emulating the attacker, where the key point is to do this without wasting information: any bit used to emulate should give a bit of information about the (random) function. Doing the latter is quite easy for random functions; the answer to any query of the attacker gives the same amount of information about the function (i.e., the information that it maps the query input to the provided output). The only subtlety is that there are repeated queries (which are clearly wasteful), but handling such queries is easy: simply keep track of the query history in the emulation. In our setting, however, things get much more complicated. To begin with, there might be non-repeating queries whose answers yield very little information about the random group π(Z_n^*) (and therefore about π). For instance, for some n's there are only four possible answers for the query a^{ϕ(n)/4} over π(Z_n^*). Thus, roughly speaking, the answer for this query contains only two bits of information about π. More generally, it appears that one can create much more intricate examples; e.g., when the answer to the query follows a very complicated distribution, based on the answers given so far.

Footnote 3: Note that to describe h it suffices to describe the set {j^e}_{j∈[l]}. Thus |h| ∈ O(l log n), which is smaller than t for large enough l.
Footnote 4: A side benefit of this proof technique is an alternative proof of the equivalence of RSA and factoring over generic groups, first proven by Aggarwal and Maurer [1] ([1], however, also prove it over generic rings).
An even more challenging task is proving the dichotomy that a non-aborting query can either be used to (efficiently) factor n, or implies a (too) short description of π. Handling the above challenges requires an intimate understanding of the algebraic structure of the group Z_n^*, in particular of the set of solutions of linear equations over this group, and critically uses the fact that factoring is solvable in sub-exponential time [11, 36].

1.3 Other Related Work

We briefly mention other known results concerning the uninstantiability of popular signature and encryption schemes that can be proven secure in the random oracle model. Paillier and Vergnaud [29] showed that many popular discrete log based signatures (including ElGamal, DSA and Schnorr) cannot be reduced to the discrete log assumption in the standard model, using the so called algebraic reductions. (Similar results also hold for the related GQ signatures under the RSA assumption.) Although technically incomparable to our generic group modeling, conceptually such reductions are related to our assumption that the reduction can only use the multiplicative structure of a given group. Indeed, in both cases the meta-reduction can eventually figure out the multiplicative relations used by the reduction R in its queries to the attacker. The main difference lies in the way the reduction can prepare its queries to the attacker. While the generic group modeling allows the reduction R to use some hidden values related to the assumption that R is trying to break, algebraic reductions do not allow this flexibility. Thus, many of the technical difficulties in the generic group modeling (e.g., extracting the hidden representations computed by the reduction on the side) are somewhat trivialized when restricted to algebraic reductions. Additionally, the results of [29] are specific to reductions from a concrete assumption (e.g., discrete log), and are conditional on another assumption (e.g., one-more discrete log). In contrast, our results are unconditional and rule out all starting assumptions, but only in the generic group model. Finally, in the realm of factoring/RSA-based CCA encryption, Paillier and Villar [30] and Brown et al. [6] showed uninstantiability results analogous to the already-mentioned RSA signature result of Paillier [28].

Paper Organization. Section 2 contains basic notation and some basic linear algebra facts, whereas in Section 3 we formally define RSA-FDH and its security in the generic group model. Our main result, regarding the impossibility of existentially unforgeable RSA-FDH against an unbounded number of signing queries, is proven in Section 4, whereas in Section 5 we prove our main technical lemma using the GT short description paradigm. Finally, in Section 6 we present our construction of an existentially unforgeable RSA-FDH scheme against a bounded number of signing queries.

2 Preliminaries

2.1 Notations

We use calligraphic letters to denote sets, uppercase for random variables and matrices, and lowercase for values. Given a random variable X, X^(t) = (X_1, ..., X_t) consists of t independent copies of X, where for a set S, S^(t) = (S_1, ..., S_t) denotes the t'th direct product of S. For an integer n ∈ N, we let [n] = {1, ..., n}. Given a matrix M ∈ U^{t×q} and a set of indices I ⊆ [q], the matrix M_I ∈ U^{t×|I|} denotes the restriction of M to the columns in I. We let poly denote the set of polynomials, and let ppt denote the set of probabilistic algorithms (i.e., Turing machines) that run in strict polynomial time. A function µ: N → [0, 1] is negligible if µ(n) = n^{-ω(1)}, where neg denotes the family of negligible functions.

Footnote 5: In addition, since non-aborting queries are easy to generate assuming that RSA is easy over π(Z_n^*), the above would immediately yield that RSA is equivalent to factoring over (random) π(Z_n^*), and thus over generic groups.
Throughout the text we sometimes abuse notation and view poly and neg also as arbitrary members of the families they represent (e.g., we write f(n) = neg(n) to denote f ∈ neg and f(n) > neg(n) for f ∉ neg). Given a random variable X taking values in a finite set U, we write x ← X to indicate that x is selected according to X. Similarly, given a set S ⊆ U, we let s ← S denote that s is selected according to the uniform distribution on S. We adopt the convention that when the same random variable occurs several times in an expression, all occurrences refer to a single sample. For example, Pr[f(X) = X] is defined to be the probability that when x ← X, we have f(x) = x. We write U_n to denote the random variable distributed uniformly over {0, 1}^n. A distribution ensemble D = {D_k}_{k∈N} is of polynomial-length, if every element of D_k is described using poly(k) bits. The statistical distance of two distributions P and Q over U is defined as

SD(P, Q) := (1/2) · Σ_{u∈U} |P(u) − Q(u)|

We let P denote the prime numbers, and for n ∈ N let Z_n^* denote the group of elements in [n] that are relatively prime to n, where multiplication mod n is the group operation. Let C be a circuit; then by |C| we denote the length of the binary description of C.

2.2 Useful Linear Algebra Facts

Definition 2.1. Let M be an integer matrix with rows {v_1, ..., v_t}, and let e ∈ P. The rows of M are linearly dependent if there exist not-all-zero real numbers {a_i}_{i∈[t]} such that Σ_{i∈[t]} a_i v_i = 0. The rows of M are linearly dependent modulo e if there exist not-all-zero numbers {a_i}_{i∈[t]} in Z_e such that Σ_{i∈[t]} a_i v_i = 0 mod e. rank(M) is the maximum number of rows of M that are linearly independent. rank_e(M) is the maximum number of rows of M that are linearly independent modulo e.

The rank of any integer matrix M can be efficiently computed using Gaussian Elimination, which computes the reduced row echelon form M' of M such that rank(M) is the number of non-zero rows of M'. Similarly we can compute rank_e(M), but now every computation is done mod e. Notice that the latter is a well defined computation since every element in Z_e has an inverse. Moreover, the analogues of many properties of rank(M) are also true for rank_e(M), because working mod e simply means working in another field (Z_e instead of Q or R). In particular, we have the following:

Fact 2.2. The following holds for every e ∈ P:
- Let M ∈ Z^{t×l}. If rank_e(M) = s, then there exists a (polynomial-time computable) submatrix M' ∈ Z^{s×s} of M with det(M') ≠ 0 mod e.
- Let M ∈ Z^{s×s}. Then rank_e(M) = s iff det(M) ≠ 0 mod e.

3 RSA-FDH in the Generic Group Model

We start by recalling the standard notion of an RSA-FDH signature scheme.

3.1 RSA-FDH Signature Scheme

Definition 3.1 (RSA-FDH). An RSA-FDH signature scheme Σ consists of the following triplet (KeyGen, Sign, Verify) of polynomial-time algorithms:
- On security parameter 1^k, KeyGen outputs a public key (n, e, h), where n is a product of two primes, e is an element in Z_{ϕ(n)}^* and h is a (hash) function, represented as an oracle-aided circuit, mapping values to Z_n^*, and a secret key d = e^{-1} mod ϕ(n).
- On input n ∈ N, d ∈ Z_{ϕ(n)}^*, a circuit h mapping values into Z_n^* and a message m in the domain of h, Sign outputs the signature h(m)^d mod n.
- On input n ∈ N, e ∈ Z_{ϕ(n)}^*, a circuit h mapping values into Z_n^*, a message m in the domain of h and σ ∈ Z_n^*, Verify outputs one iff σ^e ≡ h(m) mod n.

Now let us see what it means that an RSA-FDH signature scheme is existentially unforgeable under unbounded and bounded chosen message attack (EU-CMA-secure and t-EU-CMA-secure):

Definition 3.2 (security of RSA-FDH). An oracle-aided algorithm F breaks the security of an RSA-FDH signature scheme Σ = (KeyGen, Sign, Verify), if

Pr_{(sk,pk) ← KeyGen(1^k)} [ (m, σ) ← F^{Sign(sk,pk,·)}(pk) : Verify(σ, m, pk) = 1 ∧ Sign was not queried on (sk, pk, m) ] > neg(k)    (1)

A signature scheme Σ is EU-CMA-secure if no (oracle-aided) ppt breaks its security, and Σ is t-EU-CMA-secure if no ppt breaks its security when restricted to querying Sign at most t(k) times.

Remark 3.3 (Discussion). Definition 3.1 allows the hash function h to be chosen as part of the public key, where h needs to be described as a circuit.[footnote 6] In practice, however, a fixed hash function (e.g., SHA-1) defined over any string is used. Since any secure scheme (according to Definition 3.2) of the type used in practice trivially yields a secure scheme of the type considered in Definition 3.1, for the sake of impossibility results it suffices to consider Definition 3.1. Furthermore, a positive result according to Definitions 3.1 and 3.2 can be easily extended to output hash functions defined over all strings: first hash the message using a secure collision-resistant hash function (assuming such a function exists), and then apply the bounded length scheme.

An additional restriction of Definition 3.1 is that it requires the range of the hash function h to be a subset of Z_n^*, whereas in practice the range of h is an arbitrary subset of Z_n. Notice, however, that it is easy to forge the signature of a given message m with h(m) ∈ Z_n \ Z_n^*: if h(m) = 0, its signature is simply 0; otherwise gcd(h(m), n) yields a factorization of n, which in turn can be used to forge the signature of any message. It follows that by modifying the hash function used in a given RSA-FDH scheme to set h(x) = 1 whenever h(x) ∉ Z_n^*, one does not hurt the security of the scheme. In particular, for the sake of impossibility results it suffices to consider hash functions whose range is a subset of Z_n^*.

In the following we first formally define what we mean by the generic group model, and then extend Definitions 3.1 and 3.2 to this model.
3.2 The Generc Group Model There are dfferent ways to nterpret what t means to treat the multplcatve RSA group Z n n a black-box way (see Theorem 1.2). In the generc algorthm model due to Maurer [24], generc algorthms do not have a drect access to the group elements, but rather to a black box contanng each element. The only operatons allowed wth these boxes, are the group operatons (nverse and multplcaton) and comparng two boxes for equalty. The formulaton we have chosen here, whch we smply call the generc group model, s somewhat less abstract. An algorthm n our model has an oracle access to a group somorphc to Z n (specfcally, the group resultng by renamng the elements of Z n accordng to some random permutaton), through whch t can perform the group operatons. Unlke the generc algorthm model, however, n our model algorthms we do have access to the representaton of the group elements and can manpulate them. Snce any algorthm that works well n the generc algorthm model (e.g., breaks the RSA assumpton) mples an algorthm that works equally well n our model wth respect to any group somorphc to Z n, an mpossblty result n our model mples a smlar result n the model of Maurer. Namely, our model can be vewed as a model for provng mpossblty results n the generc algorthm model. 6 Alternatvely, h can descrbed as a Turng Machne runnng n tme poly(k), where k beng the securty parameter. 9

We formally define our model as follows: for $n \in \mathbb{N}$, let $\Pi_{\phi(n)}$ be the set of all permutations from $\mathbb{Z}_n^*$ to $\mathbb{Z}_n^*$. For $\pi \in \Pi_{\phi(n)}$, we denote with $\pi(\mathbb{Z}_n^*)$ the group induced by the group $\mathbb{Z}_n^*$ where each element of $\mathbb{Z}_n^*$ is renamed according to $\pi$. More specifically, the group operations over $\pi(\mathbb{Z}_n^*)$ are defined as follows: the inverse of $a \in \mathbb{Z}_n^*$ is $\pi\big((\pi^{-1}(a))^{-1} \bmod n\big)$ and the (group) product of $a, b \in \pi(\mathbb{Z}_n^*)$ is $\pi\big(\pi^{-1}(a) \cdot \pi^{-1}(b) \bmod n\big)$. By $\Pi(\mathbb{Z}_n^*)$ we denote the multiset of all groups $\pi(\mathbb{Z}_n^*)$, and let $\mathcal{G} = \{G = \{G_n : G_n \in \Pi(\mathbb{Z}_n^*)\}_{n \in \mathbb{N}}\}$ (i.e., $\mathcal{G}$ consists of sets of groups, where each set contains a group of $\Pi(\mathbb{Z}_n^*)$ for every $n \in \mathbb{N}$). Abusing notation, we view $G \in \mathcal{G}$ as an oracle that, given as input $n \in \mathbb{N}$ and one [resp., two elements] of $G_n$ (i.e., of $\mathbb{Z}_n^*$), returns the group inverse [resp., the group product] of the element (if the oracle $G$ is given as input an element outside $G_n$, it returns $\bot$), and let $G_n(\cdot) = G(n, \cdot)$. Given a sequence of group operations (e.g., $a \cdot b^{-1}$), we sometimes add the term $[G_n]$, to indicate that the operations are done with respect to the group $G_n$. In the following, abusing notation again, we will write $G \leftarrow \mathcal{G}$, where this sampling is not well defined because $\mathcal{G}$ is an infinite set. However, we can assume lazy sampling, namely for every query which contains a new $n$, $G_n$ is sampled uniformly at random from $\Pi(\mathbb{Z}_n^*)$ (which is a finite set).

3.3 RSA-FDH Signature Schemes in the Generic Group Model

RSA-FDH signature schemes over $G \in \mathcal{G}$ are defined as follows:

Definition 3.4 (RSA-FDH signature scheme in the generic group model). An RSA-FDH signature scheme $\Sigma^{\mathcal{G}}$ in the generic group model consists of the following triplet of oracle-aided ppt's $(\mathrm{KeyGen}, \mathrm{Sign}, \mathrm{Verify})$:

Given oracle access to $G \in \mathcal{G}$ and input $1^k$, $\mathrm{KeyGen}^G$ outputs a public key $(n, e, h)$, where $n \in \mathbb{N}$ is a product of two primes, $e \in \mathbb{Z}^*_{\phi(n)}$ and $h$ is a (hash) function, represented as an oracle-aided circuit mapping values into $\mathbb{Z}_n^*$, and a secret key $d = e^{-1} \bmod \phi(n)$.

Given oracle access to $G \in \mathcal{G}$, input $n \in \mathbb{N}$, $d \in \mathbb{Z}^*_{\phi(n)}$, a circuit $h$ mapping values into $\mathbb{Z}_n^*$ and a message $m$ in the domain of $h$, $\mathrm{Sign}^G$ outputs the signature $h^G(m)^d \;[G_n]$.

Given oracle access to $G \in \mathcal{G}$, input $n \in \mathbb{N}$, $e \in \mathbb{Z}^*_{\phi(n)}$, a circuit $h$ mapping values into $\mathbb{Z}_n^*$, a message $m$ in the domain of $h$ and $\sigma \in \mathbb{Z}_n^*$, $\mathrm{Verify}^G$ outputs one iff $\sigma^e \equiv h^G(m) \;[G_n]$.

For $G \in \mathcal{G}$, we let $\Sigma^G$ be the instantiation of $\Sigma^{\mathcal{G}}$ with $G$.

Security definition

The following definition realizes the security of bounded and unbounded existential unforgeability under chosen message attack of an RSA-FDH signature in the generic group model, analogously to that of the standard model.

Definition 3.5 (security of RSA-FDH signature in the generic group model). An oracle-aided algorithm $F$ breaks the security of an RSA-FDH signature scheme $\Sigma^{\mathcal{G}} = (\mathrm{KeyGen}, \mathrm{Sign}, \mathrm{Verify})$, if

$\Pr_{G \leftarrow \mathcal{G},\,(sk,pk) \leftarrow \mathrm{KeyGen}^G(1^k)}\big[(m,\sigma) \leftarrow F^{G,\mathrm{Sign}^G(sk,pk,\cdot)}(pk) : \mathrm{Verify}^G(\sigma, m, pk) = 1 \wedge \mathrm{Sign}\text{ was not queried on }(sk,pk,m)\big] > \mathrm{neg}(k)$

A signature scheme $\Sigma^{\mathcal{G}}$ is EU-CMA-secure, if no (oracle-aided) ppt breaks its security, where $\Sigma^{\mathcal{G}}$ is $t$-EU-CMA-secure, if no ppt breaks its security when restricted to query Sign at most $t(k)$ times.

Since we would like to rule out an EU-CMA-secure scheme, we ask the security proof of the scheme to be realized via a black-box reduction (as discussed in the introduction, we have very little chance to rule out a general proof of security). On the other hand, we consider a very weak form of such a reduction (which strengthens our main impossibility result).

Definition 3.6 (weakly black-box proof of security of RSA-FDH). An RSA-FDH signature scheme $\Sigma^{\mathcal{G}} = (\mathrm{KeyGen}, \mathrm{Sign}, \mathrm{Verify})$ in the generic group model has a weakly black-box proof of security based on an assumption $X$, if there exists an oracle-aided ppt $R$ such that if $X$ is true, then the following holds: let $F$ be a (possibly unbounded) adversary that breaks the security of $\Sigma^{\mathcal{G}}$ (see Definition 3.5), then for any ppt $\mathrm{Emul}$ there exists a polynomial-length distribution ensemble $D = \{D_k\}_{k \in \mathbb{N}}$ such that

$\mathrm{SD}\Big(\big(x, R^{G,F^G}(1^k, x)\big),\ \big(x, \mathrm{Emul}^G(1^k, x)\big)\Big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k} > \mathrm{neg}(k).$^7

Remark 3.7 (A black-box proof implies a weakly black-box proof). Assuming that $X$ is true, the above intuitively asks that a security breach of $\Sigma^{\mathcal{G}}$ implies that a (slightly) non-trivial task can be performed. Specifically, an efficient oracle-aided algorithm can use a breaker of the scheme (in a black-box way) to sample some unsamplable distribution. Note that this is a very modest demand and indeed, it is implied by most black-box proofs of security one can think of. Consider for instance a proof of security $R$ that black-box reduces the security of a scheme $\Sigma^{\mathcal{G}}$ to an assumption $X$, say to the hardness of factoring. It follows that given any adversary $F$ to $\Sigma^{\mathcal{G}}$, the algorithm $R^{G,F^G}$ factors integers too well. Assume without loss of generality that $R^{G,F^G}(x)$, if it succeeds, outputs the factorization of the integer $x$, let $D_k$ be the distribution that outputs an integer $x = pq$, for two randomly chosen $k$-bit primes, and consider the distribution $\xi_k = \big(x, R^{G,F^G}(1^k, x)\big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k}$ it induces. Now if factoring is hard, then there is no efficient $\mathrm{Emul}$ such that $\big(x, \mathrm{Emul}^G(1^k, x)\big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k}$ is (even computationally) close to $\xi_k$. Namely, there is no weakly black-box proof of security for $\Sigma^{\mathcal{G}}$ based on factoring.^8

For completeness, we give the following natural adaptation of the RSA assumption to the generic group model.

Definition 3.8 (The RSA assumption in the generic group model). There exists an oracle-aided ppt $\mathrm{Gen}$, which on input $1^k$ outputs $(n, e)$, where $n \in \mathbb{N}$ is a product of two primes and $\gcd(e, \phi(n)) = 1$, such that the following holds for any oracle-aided ppt $A$:

$\Pr_{G \leftarrow \mathcal{G},\,(n,e) \leftarrow \mathrm{Gen}^G(1^k),\, x \leftarrow \mathbb{Z}_n^*}\Big[\big(A^G(1^k, n, e, x)\big)^e = x \;[G_n]\Big] = \mathrm{neg}(k).$

^7 Note that $F$ is an adversary which expects oracle access to Sign, and $R$ can control the responses to these queries of $F$. The same does not hold for the queries of $F$ to $G$.
^8 Note that there is nothing specific to the hardness of factoring in the above discussion; rather, it seems to be generic to any hardness assumption (e.g., strong RSA).

4 There Exists No RSA-FDH with a Weakly Black-Box Proof

In this section we prove the main result of this paper.

Theorem 4.1 (Theorem 1.2, restated). Let $\Sigma^{\mathcal{G}} = (\mathrm{KeyGen}, \mathrm{Sign}, \mathrm{Verify})$ be an RSA-FDH signature scheme in the generic group model in which $\Pr_{G \leftarrow \mathcal{G},\,(n,e,h) \leftarrow \mathrm{KeyGen}^G(1^k)}[e \in \mathcal{P}] > \mathrm{neg}(k)$. If $\Sigma^{\mathcal{G}}$ has a weakly black-box proof of security based on (an assumption) $X$, then $X$ is false.

The proof of Theorem 4.1 immediately follows from the next lemma:

Lemma 4.2. Let $\Sigma^{\mathcal{G}}$ be as in Theorem 4.1, then there exist a family of oracles $\mathrm{Forger} = \{\mathrm{Forger}^G\}_{G \in \mathcal{G}}$ and oracle-aided ppt's $F$ and $\mathrm{Emul}$, such that the following hold:

1. For every $G \in \mathcal{G}$, $F^{G,\mathrm{Forger}^G}$ breaks the security of $\Sigma^G$.

2. For any oracle-aided ppt $A$ and polynomial-length distribution ensemble $D = \{D_k\}_{k \in \mathbb{N}}$:

$\mathrm{SD}\Big(\big(x, A^{G,\mathrm{Forger}^G}(1^k, x)\big),\ \big(x, \mathrm{Emul}^G(1^k, x, \mathrm{desc}(A))\big)\Big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k} = \mathrm{neg}(k),$

where $\mathrm{desc}(A)$ denotes the description of the Turing Machine $A$.

Before proving Lemma 4.2, let us first use it for proving Theorem 4.1.

Proof of Theorem 4.1. Let $\Sigma^{\mathcal{G}}$ be an RSA-FDH scheme with $\Pr_{G \leftarrow \mathcal{G},\,(n,e,h) \leftarrow \mathrm{KeyGen}^G(1^k)}[e \in \mathcal{P}] > \mathrm{neg}(k)$. Assume that $\Sigma^{\mathcal{G}}$ has a weakly black-box proof of security based on (an assumption) $X$ and let $R$ be the algorithm guaranteed by this proof. Let $\mathrm{Emul}$ be the algorithm guaranteed by Lemma 4.2 with respect to $\Sigma^{\mathcal{G}}$. Lemma 4.2 yields that

$\mathrm{SD}\Big(\big(x, \tilde{R}^{G,\mathrm{Forger}^G}(1^k, x)\big),\ \big(x, \mathrm{Emul}^G(1^k, x, \mathrm{desc}(\tilde{R}))\big)\Big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k} = \mathrm{neg}(k)$

for any polynomial-length distribution ensemble $D = \{D_k\}$, where $\tilde{R}^{G,\mathrm{Forger}^G}(\cdot) = R^{G, F^{\mathrm{Forger}^G}}(\cdot)$. Letting $\tilde{F}^G(\cdot) = F^{G,\mathrm{Forger}^G}(\cdot)$ and $\mathrm{Emul}^G_{\tilde{R}}(\cdot) = \mathrm{Emul}^G(\cdot, \mathrm{desc}(\tilde{R}))$, it follows that

$\mathrm{SD}\Big(\big(x, R^{G,\tilde{F}^G}(1^k, x)\big),\ \big(x, \mathrm{Emul}^G_{\tilde{R}}(1^k, x)\big)\Big)_{G \leftarrow \mathcal{G},\, x \leftarrow D_k} = \mathrm{neg}(k)$

for any polynomial-length distribution ensemble $D$, yielding that $X$ is false. $\square$

The rest of this section is devoted to proving Lemma 4.2. We find it more convenient, however, to prove a variant of Lemma 4.2 in which the emulator should work for any (polynomial-size) family of circuits. Namely, we prove the following lemma (in the following statement we only focus on the part that changed compared to the original statement):

Lemma 4.3 (non-uniform variant of Lemma 4.2). 2. The following holds for any (no input) polynomial-size family of oracle-aided circuits $\{C_k\}_{k \in \mathbb{N}}$:

$\mathrm{SD}\Big(C_k^{G,\mathrm{Forger}^G},\ \mathrm{Emul}^G(1^k, \mathrm{desc}(C_k))\Big)_{G \leftarrow \mathcal{G}} = \mathrm{neg}(k),$

where $C_k^{G,\mathrm{Forger}^G}$ denotes the output of $C_k$ given access to $G$ and $\mathrm{Forger}^G$, and $\mathrm{desc}(C_k)$ denotes the description of $C_k$.

It is easy to see that the non-uniform lemma above yields the uniform Lemma 4.2. In Section 4.1 we define the family of oracles $\mathrm{Forger}$ and the efficient algorithm $F$ that uses $\mathrm{Forger}$ to break any RSA-FDH scheme, in Section 4.2 we define the emulator $\mathrm{Emul}$, where in Section 4.3 we put things together to prove Lemma 4.3.

4.1 The Forger

Recall (see Section 1.2) that $\mathrm{Forger}$ has to abort on degenerated queries, essentially those queries that are easy to produce over any group in $\Pi(\mathbb{Z}_n^*)$. To determine whether a query $(n, e, h, \{\sigma_i\}_{i \in [t]})$ is degenerated, we measure the complexity of the values $\{h(i)\}_{i \in [t]}$,^9 as a function of the group queries done through their evaluations. Since the actual representation of these values is meaningless, we only focus on their representation as functions of the hardwired terms, the values used in the evaluation of $\{h(i)\}$ that first appear as an input to a group oracle call. Note that any group element used in the evaluation of $\{h(i)\}$ can be expressed using (only) these hardwired terms. To formally carry out the above discussion, we describe the evaluation of $\{h(i)\}$ as a computation over the following group.

Definition 4.4 (The group Symb). The elements of $\mathrm{Symb}$ are equivalence classes over the set of all finite strings $u_1^{a_1} \cdots u_k^{a_k}$, where the $u_i$'s are in $\mathbb{N}$ and the $a_i$'s are in $\mathbb{Z}$. The strings $c = u_1^{a_1} \cdots u_k^{a_k}$ and $c' = u_1'^{a_1'} \cdots u_{k'}'^{a_{k'}'}$ are in the same equivalence class, if for every $w \in \mathbb{N}$ it holds that $\sum_{i \in [k]:\, u_i = w} a_i = \sum_{i \in [k']:\, u_i' = w} a_i'$. We identify a group element of $\mathrm{Symb}$ with any string of its equivalence class. The unit element of $\mathrm{Symb}$ is the class identified by the empty string $\varepsilon$ (or by $u_1^{0}$, etc.), $c \cdot c'$ is the equivalence class identified by the string $c\,c'$, and finally $c^{-1}$ is the class identified by the string $u_1^{-a_1} \cdots u_k^{-a_k}$. We naturally identify an element $u_1^{a_1} \cdots u_k^{a_k} \in \mathrm{Symb}$ with an element of a given group $V$ that contains $\{u_i\}_{i \in [k]}$, by identifying it with the result of the sequence of operations it induces over $V$ (i.e., $u_1 \cdot u_2^{-1}$ with respect to $V = \mathbb{Z}_n^*$ is identified with $u_1 \cdot u_2^{-1} \bmod n$). To avoid confusion over which group a sequence of operations is taken in, we typically suffix the sequence with the term $[V]$, indicating that it is done over the group $V$. It is clear that for any two strings $u$ and $u'$ that identify the same element of $\mathrm{Symb}$ (i.e., belong to the same equivalence class), it holds that $u \equiv u' \;[V]$ for any Abelian group $V$ containing $u$ and $u'$.

Next we use the above terminology to syntactically describe the computation of an oracle-aided circuit $C$, where we start by defining the hardwired terms determined by $C$'s computation. To simplify notation, we assume that a circuit evaluates its gates one-by-one, and that its description determines this evaluation order.

Definition 4.5 (hardwired terms). Let $C$ be an oracle-aided circuit, $G \in \mathcal{G}$ and $n \in \mathbb{N}$. The terms of $C$ with respect to $G_n$, denoted $\mathrm{Terms}_{C,G,n}$, are those values that appear either as input or as the answers to non-bottom queries of $C$ to $G_n$ (i.e., $G_n$ returns a non-bottom value). The hardwired terms of $C$ with respect to $G_n$, denoted $\mathrm{HardWired}_{C,G,n}$, are those elements inside $\mathrm{Terms}_{C,G,n}$ that first appear as inputs to non-bottom queries to $G_n$. Finally, the answer terms are those terms that appear as answers to non-bottom queries (might intersect $\mathrm{HardWired}_{C,G,n}$). We assume that the elements of each of the above sets are ordered according to the evaluation order.

^9 We actually mean $\{h^G(i)\}_{i \in [t]}$, but for notational convenience we will sometimes omit the superscript $G$ from $h$.

We next use the syntax of the group $\mathrm{Symb}$ to present any term as an expression of the hardwired terms.

Definition 4.6 (canonical form). Let $C$, $G$ and $n$ be as in Definition 4.5. The canonical form of $u \in \mathrm{Terms}_{C,G,n}$ with respect to $(C,G,n)$, denoted $\mathrm{Can}_{C,G,n}(u)$, is recursively defined as follows: if $u \in \mathrm{HardWired}_{C,G,n}$, let $\mathrm{Can}_{C,G,n}(u)$ be the element $u^1 \in \mathrm{Symb}$. If $u$ first appears as an output of a query $G_n(u', u'')$, let $\mathrm{Can}_{C,G,n}(u) = \mathrm{Can}_{C,G,n}(u') \cdot \mathrm{Can}_{C,G,n}(u'') \;[\mathrm{Symb}]$. Similarly, if $u$ first appears as an output of $G_n(u')$, we let $\mathrm{Can}_{C,G,n}(u) = \mathrm{Can}_{C,G,n}(u')^{-1} \;[\mathrm{Symb}]$.

Let $\{v_i\}_{i \in [l]} = \mathrm{HardWired}_{C,G,n}$. Note that the canonical form of any $u \in \mathrm{Terms}_{C,G,n}$ with respect to $(C,G,n)$ can be uniquely written as $\prod_{i \in [l]} v_i^{a_i} \;[\mathrm{Symb}]$, where $a_i$ might be non-zero only if the hardwired term $v_i$ appears before $u$ does (in the evaluation order of $C^G$). Finally, the canonical forms of a set of terms, with respect to $(C,G,n)$, are compactly represented using the following matrix.

Definition 4.7 (canonical-form matrix). Let $C$, $G$ and $n$ be as in Definition 4.5, let $\{v_i\}_{i \in [l]} = \mathrm{HardWired}_{C,G,n}$ and let $W = \{u_i\}_{i \in [t]} \subseteq \mathrm{Terms}_{C,G,n}$. The matrix $M_{G,n,C}(W) \in \mathbb{Z}^{t \times l}$ is defined as $\{a_{ij}\}_{i \in [t],\, j \in [l]}$, assuming that $\mathrm{Can}_{C,G,n}(u_i) = \prod_{j \in [l]} v_j^{a_{ij}} \;[\mathrm{Symb}]$ for every $i \in [t]$.

We actually care about the rank of the canonical-form matrix of the terms output by a circuit $C$, which shows whether there exists an output term which can be expressed as a product of powers of the other output terms. This would imply that if we know the $e$-th roots of the latter then we can compute the $e$-th root of the former. Jumping forward, we will exploit this property of the canonical-form matrix to see if a query is degenerated. We are finally ready to define $\mathrm{Forger}^G$.

Algorithm 4.8 ($\mathrm{Forger}^G$).
Input: $q = (n, e, h, \{\sigma_i\}_{i \in [t]})$, where $n$, $e$ and $\{\sigma_i\}_{i \in [t]}$ are integers, and $h$ is an oracle-aided circuit.
Operation:
1. If $e \notin \mathcal{P}$, $|h|$ $(= |\mathrm{desc}(h)|) > t$, or for some $i \in [t]$ $h^G(i) \notin \mathbb{Z}_n^*$ or $h^G(i) \neq \sigma_i^e \;[G_n]$, return $\bot$.
2. Let $M = M_{G,n,H}(\{h(i)\}_{i \in [t]})$ according to Definition 4.7, where $H$ is the oracle-aided circuit that first evaluates $h^G(1), \ldots, h^G(t)$ and then queries $G_n$ on the answers (say asking for their inverses). If $\mathrm{rank}_e(M) < t$, return $\bot$.
3. Return $(h^G(0))^d \;[G_n]$, where $d = e^{-1} \bmod \phi(n)$.

That is, $\mathrm{Forger}^G$ first checks that $\{\sigma_i\}_{i \in [t]}$ are valid signatures for the messages $\{1, \ldots, t\}$ (with respect to $G$ and the public key $(n, e, h)$) and that forging a signature for this public key is not easy (reflected by $\mathrm{rank}_e(M) = t$). If satisfied, $\mathrm{Forger}^G$ forges a signature for $0$. Below we describe the ppt $F$ that uses $\mathrm{Forger}^G$ for breaking the security of $\Sigma^G$.

4.1.1 The breaker F

The strategy of the algorithm $F$ that uses $\mathrm{Forger}$ for breaking the security of $\Sigma^G$ is simple: on input $(n, e, h)$ it would like to use $\mathrm{Forger}$ on $(n, e, h, \{\sigma_i = \mathrm{Sign}^G(n, e, i)\}_{i \in [t]})$ to forge the signature of $0$. It might be the case, however, that $\mathrm{Forger}$ returns bottom on such input. Hence, $F$ first checks by itself (without using Sign or $\mathrm{Forger}$) whether $\mathrm{Forger}$ will return bottom on this input. If positive, it uses a straightforward approach (see below) for forging a message $k \in [t]$, without using $\mathrm{Forger}$ at all.

Algorithm 4.9 ($F$).
Input: $pk = (n, e, h)$
Oracles: $G \in \mathcal{G}$, $\mathrm{Sign}^G(sk, pk, \cdot)$ and $\mathrm{Forger}^G$.
Operation:
1. Let $t = |h|$ and let $M = M_{G,n,H}(\{h^G(i)\}_{i \in [t]})$ according to Definition 4.7, where $H$ is as in Algorithm 4.8 (with respect to this $h$ and $t$).
2. If $\mathrm{rank}_e(M) = t$, return $\mathrm{Forger}^G(n, e, h, \{\mathrm{Sign}^G(sk, pk, i)\}_{i \in [t]})$. Otherwise,
(a) Using Gaussian elimination find $k \in [t]$ and a set $\{\lambda_i \in [e]\}_{i \in [t] \setminus \{k\}}$, such that for every $j \in [l]$ it holds that $M_{kj} \equiv \sum_{i \in [t] \setminus \{k\}} \lambda_i M_{ij} \bmod e$.
(b) Let $\gamma = \prod_{j \in [l]} v_j^{(M_{kj} - \sum_{i \in [t] \setminus \{k\}} \lambda_i M_{ij})/e} \;[G_n]$, where $\{v_j\}_{j \in [l]} = \mathrm{HardWired}_{H,G,n}$ (see Definition 4.5).
(c) For every $i \in [t] \setminus \{k\}$, let $\sigma_i = \mathrm{Sign}^G(sk, pk, i)$ $(\equiv h^G(i)^d \;[G_n])$.
(d) Return $\sigma_k = \gamma \cdot \prod_{i \in [t] \setminus \{k\}} \sigma_i^{\lambda_i} \;[G_n]$.

The following claim is immediate.

Claim 4.10. For every $G \in \mathcal{G}$, $F^{G,\mathrm{Forger}^G}$ breaks the security of $\Sigma^G$.

Proof. Let $(n, e, h)$ be the public key of $\Sigma^G$ with respect to some $G \in \mathcal{G}$ with $e \in \mathcal{P}$. Assume that $\mathrm{rank}_e(M) < t$ in the execution of $F$ (otherwise the proof is immediate). In such a case, Step 2(a) is guaranteed to succeed (and can be performed in polynomial time). It follows that

$\sigma_k^e \equiv \gamma^e \cdot \prod_{i \in [t] \setminus \{k\}} h(i)^{\lambda_i} \;[G_n]$
$\equiv \gamma^e \cdot \prod_{i \in [t] \setminus \{k\}} \prod_{j \in [l]} v_j^{\lambda_i M_{ij}} \;[G_n]$
$\equiv \gamma^e \cdot \prod_{j \in [l]} v_j^{\sum_{i \in [t] \setminus \{k\}} \lambda_i M_{ij}} \;[G_n]$
$\equiv \gamma^e \cdot h(k) \cdot \prod_{j \in [l]} v_j^{-M_{kj} + \sum_{i \in [t] \setminus \{k\}} \lambda_i M_{ij}} \;[G_n]$
$\equiv \gamma^e \cdot h(k) \cdot \gamma^{-e} \;[G_n]$
$\equiv h(k) \;[G_n].$
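The "straightforward approach" of Algorithm 4.9 (Steps 2(a)-(d)), worked over a toy RSA group as an added example that is not the paper's code: a degenerate hash whose outputs are products of two hardwired terms, Gaussian elimination over $\mathbb{Z}_e$ to find the row dependency, and the forged $\sigma_k$ assembled from the signatures of the other messages exactly as the proof of Claim 4.10 computes it. All parameters (the primes, $e$, the hardwired terms and the matrix $M$) are constructed here, and $h$ is given directly by its canonical-form matrix rather than traced from a circuit.

```python
# Added example, not the paper's code: the "straightforward approach" of
# Algorithm 4.9 (Steps 2(a)-(d)) over a toy RSA group.  Every parameter below
# (primes, e, hardwired terms, the canonical-form matrix M) is constructed here.

# Constructed toy RSA key; e is prime, as Theorem 4.1 requires (e in P).
P_PRIME, Q_PRIME = 61, 53
N = P_PRIME * Q_PRIME                      # 3233
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 17
D = pow(E, -1, PHI)                        # signing exponent, never given to F

# Hardwired terms v_1, v_2 (Definition 4.5) and the canonical-form matrix M of
# Definition 4.7: row i says h(i) = v_1^{M[i][0]} * v_2^{M[i][1]} [G_n].
# With t = 3 rows over l = 2 terms, rank_e(M) < t, so the hash is degenerate.
HARDWIRED = [2, 3]
M = {1: [1, 2], 2: [3, 1], 3: [5, 4]}


def h(msg):
    """A degenerate hash: a product of powers of the hardwired terms."""
    out = 1
    for v, a in zip(HARDWIRED, M[msg]):
        out = out * pow(v, a, N) % N
    return out


def sign(msg):
    """Honest signer, Sign^G(sk, pk, msg) = h(msg)^d [G_n]."""
    return pow(h(msg), D, N)


def verify(msg, sigma):
    """Verify^G: accept iff sigma^e == h(msg) [G_n]."""
    return pow(sigma, E, N) == h(msg)


def find_dependency(rows, e):
    """Gaussian elimination over Z_e (e prime).  Returns a nonzero vector c with
    sum_i c_i * rows[i] == 0 (mod e), or None when rank_e(rows) == len(rows)."""
    t, l = len(rows), len(rows[0])
    # Augment each row with a unit vector so the combination can be read off.
    aug = [[x % e for x in r] + [int(i == j) for j in range(t)]
           for i, r in enumerate(rows)]
    rank = 0
    for col in range(l):
        piv = next((r for r in range(rank, t) if aug[r][col]), None)
        if piv is None:
            continue
        aug[rank], aug[piv] = aug[piv], aug[rank]
        inv = pow(aug[rank][col], -1, e)
        aug[rank] = [x * inv % e for x in aug[rank]]
        for r in range(t):
            if r != rank and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % e for a, b in zip(aug[r], aug[rank])]
        rank += 1
    for r in range(rank, t):            # zero rows carry a nontrivial relation
        if any(aug[r][l:]):
            return aug[r][l:]
    return None


def forge_without_forger(msgs, sign_oracle):
    """Steps 2(a)-(d) of Algorithm 4.9.  Returns (k, sigma_k) with k never sent
    to sign_oracle, or None when rank_e(M) == t (the case that needs Forger)."""
    rows = [M[m] for m in msgs]
    c = find_dependency(rows, E)
    if c is None:
        return None
    # 2(a): choose k with c_k != 0 and lambda_i = -c_i / c_k, so that
    #       M_k == sum_{i != k} lambda_i M_i  (mod e).
    kpos = max(i for i, ci in enumerate(c) if ci)
    inv_ck = pow(c[kpos], -1, E)
    lam = {i: (-ci * inv_ck) % E for i, ci in enumerate(c) if i != kpos}
    # 2(b): gamma = prod_j v_j^{(M_kj - sum_i lambda_i M_ij) / e}; each exponent
    #       is a multiple of e by 2(a) and may be negative (pow takes inverses).
    gamma = 1
    for j, v in enumerate(HARDWIRED):
        exp = rows[kpos][j] - sum(lam[i] * rows[i][j] for i in lam)
        assert exp % E == 0
        gamma = gamma * pow(v, exp // E, N) % N
    # 2(c)-(d): query the signer on every message except k, then combine.
    sigma_k = gamma
    for i, li in lam.items():
        sigma_k = sigma_k * pow(sign_oracle(msgs[i]), li, N) % N
    return msgs[kpos], sigma_k


if __name__ == "__main__":
    k, sigma = forge_without_forger([1, 2, 3], sign)
    print("forged message", k, "signature", sigma, "valid:", verify(k, sigma))
```

With two hardwired terms and three messages the rank check of Step 2 fails, so the forgery uses only the RSA homomorphism and two honest signatures; with two messages the rows are independent and the function returns None, which is the case Algorithm 4.9 hands to Forger.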


More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

2 More examples with details

2 More examples with details Physcs 129b Lecture 3 Caltech, 01/15/19 2 More examples wth detals 2.3 The permutaton group n = 4 S 4 contans 4! = 24 elements. One s the dentty e. Sx of them are exchange of two objects (, j) ( to j and

More information

Random Walks on Digraphs

Random Walks on Digraphs Random Walks on Dgraphs J. J. P. Veerman October 23, 27 Introducton Let V = {, n} be a vertex set and S a non-negatve row-stochastc matrx (.e. rows sum to ). V and S defne a dgraph G = G(V, S) and a drected

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

PRIMES 2015 reading project: Problem set #3

PRIMES 2015 reading project: Problem set #3 PRIMES 2015 readng project: Problem set #3 page 1 PRIMES 2015 readng project: Problem set #3 posted 31 May 2015, to be submtted around 15 June 2015 Darj Grnberg The purpose of ths problem set s to replace

More information

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS BOUNDEDNESS OF THE IESZ TANSFOM WITH MATIX A WEIGHTS Introducton Let L = L ( n, be the functon space wth norm (ˆ f L = f(x C dx d < For a d d matrx valued functon W : wth W (x postve sem-defnte for all

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Time-Varying Systems and Computations Lecture 6

Time-Varying Systems and Computations Lecture 6 Tme-Varyng Systems and Computatons Lecture 6 Klaus Depold 14. Januar 2014 The Kalman Flter The Kalman estmaton flter attempts to estmate the actual state of an unknown dscrete dynamcal system, gven nosy

More information

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41,

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41, The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no confuson

More information

Algorithms for factoring

Algorithms for factoring CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of

More information

MATH 241B FUNCTIONAL ANALYSIS - NOTES EXAMPLES OF C ALGEBRAS

MATH 241B FUNCTIONAL ANALYSIS - NOTES EXAMPLES OF C ALGEBRAS MATH 241B FUNCTIONAL ANALYSIS - NOTES EXAMPLES OF C ALGEBRAS These are nformal notes whch cover some of the materal whch s not n the course book. The man purpose s to gve a number of nontrval examples

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

Representation theory and quantum mechanics tutorial Representation theory and quantum conservation laws

Representation theory and quantum mechanics tutorial Representation theory and quantum conservation laws Representaton theory and quantum mechancs tutoral Representaton theory and quantum conservaton laws Justn Campbell August 1, 2017 1 Generaltes on representaton theory 1.1 Let G GL m (R) be a real algebrac

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

An Introduction to Morita Theory

An Introduction to Morita Theory An Introducton to Morta Theory Matt Booth October 2015 Nov. 2017: made a few revsons. Thanks to Nng Shan for catchng a typo. My man reference for these notes was Chapter II of Bass s book Algebrac K-Theory

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Determinants Containing Powers of Generalized Fibonacci Numbers

Determinants Containing Powers of Generalized Fibonacci Numbers 1 2 3 47 6 23 11 Journal of Integer Sequences, Vol 19 (2016), Artcle 1671 Determnants Contanng Powers of Generalzed Fbonacc Numbers Aram Tangboonduangjt and Thotsaporn Thanatpanonda Mahdol Unversty Internatonal

More information

Approximate Smallest Enclosing Balls

Approximate Smallest Enclosing Balls Chapter 5 Approxmate Smallest Enclosng Balls 5. Boundng Volumes A boundng volume for a set S R d s a superset of S wth a smple shape, for example a box, a ball, or an ellpsod. Fgure 5.: Boundng boxes Q(P

More information

Bezier curves. Michael S. Floater. August 25, These notes provide an introduction to Bezier curves. i=0

Bezier curves. Michael S. Floater. August 25, These notes provide an introduction to Bezier curves. i=0 Bezer curves Mchael S. Floater August 25, 211 These notes provde an ntroducton to Bezer curves. 1 Bernsten polynomals Recall that a real polynomal of a real varable x R, wth degree n, s a functon of the

More information

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space.

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space. Lnear, affne, and convex sets and hulls In the sequel, unless otherwse specfed, X wll denote a real vector space. Lnes and segments. Gven two ponts x, y X, we defne xy = {x + t(y x) : t R} = {(1 t)x +

More information

1 Matrix representations of canonical matrices

1 Matrix representations of canonical matrices 1 Matrx representatons of canoncal matrces 2-d rotaton around the orgn: ( ) cos θ sn θ R 0 = sn θ cos θ 3-d rotaton around the x-axs: R x = 1 0 0 0 cos θ sn θ 0 sn θ cos θ 3-d rotaton around the y-axs:

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures

More information

Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Can PPAD Hardness be Based on Standard Cryptographic Assumptions? Can PPAD Hardness be Based on Standard Cryptographc Assumptons? Alon Rosen Gl Segev Ido Shahaf Abstract We consder the queston of whether PPAD hardness can be based on standard cryptographc assumptons,

More information

Singular Value Decomposition: Theory and Applications

Singular Value Decomposition: Theory and Applications Sngular Value Decomposton: Theory and Applcatons Danel Khashab Sprng 2015 Last Update: March 2, 2015 1 Introducton A = UDV where columns of U and V are orthonormal and matrx D s dagonal wth postve real

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Basically, if you have a dummy dependent variable you will be estimating a probability.

Basically, if you have a dummy dependent variable you will be estimating a probability. ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Linear Feature Engineering 11

Linear Feature Engineering 11 Lnear Feature Engneerng 11 2 Least-Squares 2.1 Smple least-squares Consder the followng dataset. We have a bunch of nputs x and correspondng outputs y. The partcular values n ths dataset are x y 0.23 0.19

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

Lecture 3: Probability Distributions

Lecture 3: Probability Distributions Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the

More information

1 GSW Iterative Techniques for y = Ax

1 GSW Iterative Techniques for y = Ax 1 for y = A I m gong to cheat here. here are a lot of teratve technques that can be used to solve the general case of a set of smultaneous equatons (wrtten n the matr form as y = A), but ths chapter sn

More information

Spectral Graph Theory and its Applications September 16, Lecture 5

Spectral Graph Theory and its Applications September 16, Lecture 5 Spectral Graph Theory and ts Applcatons September 16, 2004 Lecturer: Danel A. Spelman Lecture 5 5.1 Introducton In ths lecture, we wll prove the followng theorem: Theorem 5.1.1. Let G be a planar graph

More information