Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz

Transcription

1 Digital Signatures from Strong RSA without Prime Genera7on David Cash Rafael Dowsley Eike Kiltz

2 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves.

3 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce.

4 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce. The best provable security evidence for the most prac7cal schemes are in the random oracle model (ROM). For instance, the RSA full domain hash [BR96]: Sign(sk=(n,d), m) = H(m) d mod n

5 Digital Signatures Digital signatures are one of mostly deployed cryptographic primi7ves. The proved- secure schemes with the best security guarantees are not nearly as efficient as the (unbroken) schemes used in prac7ce. The best provable security evidence for the most prac7cal schemes are in the random oracle model (ROM). For instance, the RSA full domain hash [BR96]: Sign(sk=(n,d), m) = H(m) d mod n Problem: In prac7ce non- random hash func7ons like SHA- 256 are used, which implies some theore7cal limita7ons of these results [CGH98,DOP05].

6 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM.

7 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM. In common: the signing algorithm generates primes.

8 RSA- based Signatures in the Standard Model There is a line of work on designing provable secure, efficient signatures based on the (strong) RSA problem in the standard model. The aim is to decrease the efficiency gap between these solu7ons and the ones in the ROM. In common: the signing algorithm generates primes. Genera7ng primes is expensive and it is not an intrinsic step for the signing algorithm, thus it is desirable to avoid it.

9 Our Work Strong RSA- based signature without prime genera7on for signing.

10 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower.

11 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower. Not compe77ve with ROM solu7ons.

12 Our Work Strong RSA- based signature without prime genera7on for signing. Public key and signature sizes compe77ve with prior schemes, the verifica7on is much slower. Not compe77ve with ROM solu7ons. Conceptual contribu7on towards the goal of prac7cal schemes from conserva7ve hardness assump7ons without random oracles.

13 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y

14 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1.

15 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1. Natural approach for embedding it into digital signatures: the signature is (e, x) where x is the e- th root of a value y that depends on the message.

16 Strong RSA Problem and Signatures Challenger Adversary (sk, pk=n=pq) y $ RSA- Keygen $ Z n * n, y e, x Wins if x e =y mod n and e>1. Natural approach for embedding it into digital signatures: the signature is (e, x) where x is the e- th root of a value y that depends on the message. In order to apply known techniques that prevent an adversary from assembling several signatures into a new signature, e is typically required to be prime or a product of primes.

17 Current Schemes Many exis7ng schemes [CS99,F03,HK08,Z01,Z03,CL04] use Sign(sk, m) = (H(m) 1/e mod n, e) where e is a random prime and is H some (algebraic) hash func7on.

18 Current Schemes Many exis7ng schemes [CS99,F03,HK08,Z01,Z03,CL04] use Sign(sk, m) = (H(m) 1/e mod n, e) where e is a random prime and is H some (algebraic) hash func7on. Other schemes [GHR99,HW09,HJK11] based on the strong/standard RSA problem use Sign(sk, m) = g 1/ h i(m) mod n where h i are independent hash func7ons that hash into primes.

19 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09].

20 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers.

21 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F

22 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F sk = (p,q,pk)

23 Our Scheme Uses the prefix signing technique of Hohenberger- Waters [HW09]. Let p and q be large safe primes and F a be pseudorandom func7on that outputs random odds numbers. pk = (n,g,k) where n=pq, g is a random element of Z n * and k is a key for F sk = (p,q,pk) The signature on a message m of L- bits is Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1

24 Our Scheme To verify a signature σ on a message m first compute L e = F(k,m[1 i]) F(k,m i) i=1 u i=1 Accept if σ e = g mod n

25 Our Scheme To verify a signature σ on a message m first compute L e = F(k,m[1 i]) F(k,m i) i=1 u i=1 Accept if σ e = g mod n We show that this scheme is secure against weak chosen message alacks.

26 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen

27 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t

28 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t σ i $ Sign(sk, m i ) pk, σ 1,..., σ t

29 Weak CMA Security Challenger Adversary (sk, pk) $ Keygen m 1,, m t σ i $ Sign(sk, m i ) pk, σ 1,..., σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried.

30 CMA Security Challenger Adversary (sk, pk) $ Keygen pk

31 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t

32 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried.

33 CMA Security Challenger Adversary (sk, pk) $ Keygen pk σ 1 $ Sign(sk, m 1 ) σ t $ Sign(sk, m t ) m 1 σ 1. m t σ t m*, σ* Wins if Verify(pk, m*, σ*)=1 and m* was not queried. A chameleon hash func7on can be used to get from weak CMA to CMA [KR00,HW09].

34 Prefix Signing Technique [HW09] Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i])

35 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Each branch has an associated number that is determined by F.

36 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Each branch has an associated number that is determined by F. To sign a message m=0011, for instance, compute e as the product of the numbers associated with the branches in green.

37 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let the sub- tree in green be the branches associated with the parallel signing query of the adversary.

38 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let the sub- tree in green be the branches associated with the parallel signing query of the adversary. Exit branch: non- green, but only has green branches on path from root un7l it.

39 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Guess Let the sub- tree in green be the branches associated with the parallel signing query of the adversary. Exit branch: non- green, but only has green branches on path from root un7l it.

40 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) We also use this structure, but with F that outputs random odd numbers and based on the strong RSA problem.

41 Prefix Signing Technique [HW09] ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) We also use this structure, but with F that outputs random odd numbers and based on the strong RSA problem. We do not try to guess the exit branch.

42 Naïve Approach ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let α be a sufficiently large integer and set the outputs of F to be large enough so that they are α- smooth with negligible probability only.

43 Naïve Approach ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Let α be a sufficiently large integer and set the outputs of F to be large enough so that they are α- smooth with negligible probability only. With overwhelming probability all exit branches are good. Very bad parameters.

44 Our Scheme ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Only require the numbers to be non- α- smooth with constant probability.

45 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.

46 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.

47 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) For every possible valid forgery, there should be a non- α- smooth number in its root to message path that is not in the sub- tree of queried messages.

48 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Adapt analysis technique from Gennaro et al. [GHR99] to analyze the probability that a non- smooth number divides the product of some random numbers.

49 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Adapt analysis technique from Gennaro et al. [GHR99] to analyze the probability that a non- smooth number divides the product of some random numbers. If the number associated with the branch in purple does not divide the product of the ones in green, then it is possible to solve the strong RSA problem.

50 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Given an strong RSA instance (n, y) and the signature query, compute g backwards: g=y green numbers mod n

51 Proof Idea ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Given a forged signature (m*, σ*), it is possible to solve the strong RSA problem if gcd(e*, green numbers)>1 e* = F(k,m*[1 i])

52 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

53 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

54 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

55 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

56 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

57 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

58 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

59 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively.

60 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n e = L i=1 F(k,m[1 i]) Start analysis with the exit branches. If one of them is smooth, analyze its children and repeat this process recursively. Problem: How to deal with exit branches in the last level/non- finished recursions.

61 Smoothness Analysis ε Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1

62 Smoothness Analysis ε.. Sign(sk, m) = g 1/e mod n L e = F(k,m[1 i]) F(k,m i) i=1 u i=1

63 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. 1

64 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1

65 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1 Each level can have at most double the calls as the previous one.

66 #Recursions 0 For each exit branch of the tree with overwhelming probability there are at most 2L 2 recursive calls. Upper bound at each level: 2L. 1 Each level can have at most double the calls as the previous one. If the previous level had at most L calls, then the current one has at most 2L. Otherwise the previous level had between L and 2L calls and we apply the Chernoff bound to these Bernoulli random variables.

67 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields.

68 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability.

69 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability. Iterate the protocol over many independent curves to guarantee that at least one of them is not smooth.

70 Smoothness Analysis In the context of ellip7c- curve signatures Coron, Handschuh and Naccache [CHN99] avoided point coun7ng by working over larger underlying fields. As in our case a naïve analysis of the smoothness property would result in very bad parameters, so they only increased the size of the underlying field enough to get smooth curves with low probability. Iterate the protocol over many independent curves to guarantee that at least one of them is not smooth....

71 Summary ² Our scheme does not need to generate primes while signing.

72 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes.

73 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes. ² Weakness: verifica7on performance.

74 Summary ² Our scheme does not need to generate primes while signing. ² Public- key and signature size compe77ve with other schemes. ² Weakness: verifica7on performance. ² Could be a stepping- stone to more prac7cal signatures in the standard model.

75