John Hancock enters the 21th century Digital signature schemes. Table of contents

Transcription

1 John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents

2 From last time: Good news and bad There is no known function H for which hashed RSA signature schemes are known to be secure. However, hashed RSA is provable secure under an idealize model when H is modeled as a random oracle that maps inputs uniformly onto Z N.Inthiscasetheschemeis called RSA full-domain hash (RSA-FDH). This provides a heuristic justification of the scheme when H is a random-looking hash functions. Algorithm GenRSA Recall GenRSA Input: Length n; parameter t Output: N, e, d as described below (N, p, q) GenModulus(1 n )* (N) :=(p 1)(q 1) find e such that gcd(e, (N)) = 1 compute d := [e 1 mod (N)]** return N, e, d *N = pq with p, qn-bit primes. **Such an integer d exists since e is invertible modulo (N).

3 And recall what RSA is hard relative to GenRSA means The RSA experiment RSA-inv A,GenRSA (n): 1. Run GenRSA(1 n ) to obtain (N, e, d). 2. Choose y Z N. 3. A is given N, e, y, and outputs x 2 Z N. 4. The output of the experiment is defined to be 1 if x e = y mod N, and 0 otherwise. Definition We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[RSA-inv A,GenRSA (n) = 1] apple negl(n). Security of RSA-FDH Theorem If the RSA problem is hard relative to GenRSA and H is modeled as a random oracle, then Construction 12.6 is secure. Proof. Let =(Gen, Sign, Vrfy) denote Construction 12.6, and let A be a PPT adversary against the Sig-forge A, (n) experiment. Assume WLOG that if A requests a signature on a message m or outputs a forgery (m, ) then it previously queried m to H. Let q(n) be a polynomial upper bound on the number of queries A makes to H on security parameter n; weassumea makes exactly q(n) queriestoh.

4 Steps of the Sig-forge A, (n) experiment Let =(Gen, Sign, Vrfy) be a signature scheme. The signature experiment Sig-forge A, (n) : 1. GenRSA(1 n ) is run to obtain N, e, d). A random function H : {0, 1}! Z N is chosen. 2. The adversary A is given (pk, sk) andmayqueryh as well ass a signing oracle Sign hn,di that, on input m, returns := [H(m) d mod N]. 3. The adversary then outputs (m, ) where it had not previously requested a signature on M. The output of the experiment is defined to be 1 if and only if e = H(m) mod N. Definition A signature scheme =(Gen, Sign, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all PPT adversaries A, there exists a negligible function negl such that Pr[Sig-forge A, (n) = 1] apple negl(n). A modified Sig-forge 0 A, (n) experiment We define a modified experiment Sig-forge 0 A, (n) that guesses as to which queried message corresponds to the eventual forgery. The modified signature experiment Sig-forge 0 A, (n) : 1. Choose uniform j 2 {0,...,q}. 2. GenRSA(1 n ) is run to obtain N, e, d). A random function H : {0, 1}! Z N is chosen. 3. The adversary A is given (pk, sk) andmayqueryh as well ass a signing oracle Sign hn,di that, on input m, returns := [H(m) d mod N]. 4. The adversary then outputs (m, ) where it had not previously requested a signature on M. Leti be such that m = m 1.The output of the experiment is defined to be 1 if and only if e = H(m) mod N and j = i. *Since j is uniform the probability that i = j is exactly 1/q and Pr[Sig-forge 0 A, (n) =1]= 1 q(n) Pr[Sig-forge A, (n) =1].

5 A further modification of the Sig-forge A, (n) experiment Consider a further modification of our experiment Sig-forge 00 A, (n) in which the experiment is aborted if A ever requests a signature on the message m j. This does not change the probability that the output of the experiment is 1, since if A ever requests a signature on M j it cannot output a forgery on m j.thus, Pr[Sig-forge 00 A, (n) = 1] = Pr[Sig-forge 0 A, (n) = 1] = Pr[Sig-forge A, (n) = 1]. q(n) Construction of A 0 solving the RSA problem The Adversary is given (N, e, y). 1. Run A on the public key pk = hn, ei. Storetriples(,, ) inatable initially empty. Entry (m i, i, y i )indicatesthata 0 has set H(m i )=y i,and e i = y i mod N. 2. When A makes its ith random-oracle query H(m i ), answer: If i = j, returny. Else choose uniform i 2 Z N, compute y i := [ i e return y i and store (m i, i, y i ). When A requests a signature on m = m i,answer: mod N], If i = j, thena 0 aborts. If i 6= j, thereisanentry(m i, i, y i )inthetable.return i. 3. When A outputs (m, ), then if m = m j and e = y mod N, then output.

6 A 0 world view Note that A s point of view when run as subroutine of A 0 is identical to its view in Sig-forge 00 A, (n). All Sign-oracle queries are answered correctly, and each random-oracle query is answered by a uniform element of Z N : The query H(m j )isansweredwithy, a uniform element of Z N. Queries H(M i )withi 6= j are answer with y i =[ i e mod N], where i is uniform in Z N. Since exponentiation by e is one-to-one, the y i are uniformly distributed as well. When Sig-forge 00 A, (n) outputs 1, j = i and e = H(m) mod N. Inthis case, A does not abort and e = H(m i )=y mod N. Thus, is the desired inverse. We assumed that RSA is hard relative to GenRSA, so left term below negligible Pr[RSA-inv A,GenRSA (n) = 1] = Pr[Sig-forge 00 A, (n) = 1] = Pr[Sig-forge A 0,GenRSA (n) = 1] q(n)