Provable Security Signatures


Provable Security: Signatures
UCL - Louvain-la-Neuve, Wednesday, July 10th, 2002
LIENS-CNRS, Ecole normale supérieure

Summary: Introduction, Signature, FDH, PSS, Forking Lemma, Generic Model, Conclusion

(Trapdoor) One-Way Functions

In the following, we consider any function f which is assumed to be one-way:
$\mathrm{Succ}^{\mathrm{ow}}_f(\mathcal{A}) = \Pr_x\left[\, f(\mathcal{A}(y)) = y \;\middle|\; y = f(x) \,\right]$
This function may be trapdoor: g is the inverse function, available granted a private information.
Examples:
  OW function = DL
  Trapdoor OW function = RSA or CDH
  Trapdoor OW permutation = RSA

Proof by Reduction

Reduction of a problem P to an attack Atk: let A be an adversary that breaks the scheme S; then A can be used to solve P.
  Instance I of P → (run A) → solution of I
  P intractable ⇒ S unbreakable

Complexity Estimates (Lenstra-Verheul 2000)

Estimates for integer factoring (which can be used for RSA too), and lower bounds for DL in Z_p^*:

  Modulus (bits)                        512   1024   2048   4096   8192
  Factoring, Mips-Years (log2)           13     35     66    104    156
  DL in Z_p^*, operations (log2)         58     80    111    149    201

Practical Security

Adversary within time t ⇒ algorithm against P within time t' = T(t).
  Complexity theory: T polynomial
  Exact security: T explicit
  Practical security: T small (linear)

Authentication

Signature algorithm S, with signing key k_s: m → σ.
Verification algorithm V, with verification key k_v: (m, σ) → 0/1.
Security: impossible to forge a valid σ without k_s.

Basic Goal

Existential forgery: without the private key, it is computationally impossible to forge a valid message-signature pair.
$\mathrm{Succ}^{\mathrm{ef}}(\mathcal{A}) = \Pr\left[\, V(m,\sigma) = 1 \;\middle|\; (m,\sigma) = \mathcal{A}(k_v) \,\right]$

Chosen-Message Attacks

Chosen-message attacks (CMA): in the list of message-signature pairs the adversary sees, the messages are adaptively chosen by the adversary. This is the strongest attack.


FDH Signature

f is a trapdoor one-way permutation onto X; g is its inverse (granted the trapdoor); H is a hash function onto the full domain X of f.
  f: public key, g: private key
  S(m) = g(H(m))
  V(m, σ) = [ f(σ) = H(m) ]
H = identity: existential forgery is easy! (pick any σ and output (f(σ), σ))
H = random oracle: EF-CMA ⇒ OW?

FDH EF-CMA: Result

$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(\mathcal{A}) \le (q_H + q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f(t')$ where $t' = t + (q_H + q_s)\,T_f$, i.e.
$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le (q_H + q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s)\,T_f\big)$
(q_H: number of hash queries, q_s: number of signing queries, T_f: time of one evaluation of f.)
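The FDH scheme above, as an added example (not code from the slides): RSA as the trapdoor permutation, H built from SHA-256 with a counter and rejection sampling so that it really maps onto the full domain Z_n, and the "H = identity" existential forgery. The key is a constructed toy (the Mersenne primes M127 and M107), far below any real RSA size; the hash construction is an assumption, any full-domain hash fits.

```python
"""Toy RSA-FDH: sign(m) = H(m)^d mod n, H onto the full domain Z_n.

Added example, not from the slides. Key material is a constructed toy:
the two Mersenne primes M127 and M107 (known primes), far below real sizes.
"""
import hashlib

P, Q = (1 << 127) - 1, (1 << 107) - 1     # constructed toy primes (Mersenne)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def full_domain_hash(m: bytes, n: int = N) -> int:
    """H: {0,1}* -> Z_n. SHA-256 in counter mode gives k = |n| bits; values
    >= n are rejected and the counter bumped, so H covers the whole domain."""
    k = n.bit_length()
    blocks = (k + 255) // 256
    ctr = 0
    while True:
        out = b"".join(
            hashlib.sha256(ctr.to_bytes(4, "big") + i.to_bytes(4, "big") + m).digest()
            for i in range(blocks)
        )
        y = int.from_bytes(out, "big") >> (blocks * 256 - k)   # keep top k bits
        if y < n:
            return y
        ctr += 1


def sign(m: bytes) -> int:
    """S(m) = g(H(m)) = H(m)^d mod n."""
    return pow(full_domain_hash(m), D, N)


def verify(m: bytes, sigma: int) -> bool:
    """V(m, sigma) = [ f(sigma) = H(m) ] with f(x) = x^e mod n."""
    return 0 <= sigma < N and pow(sigma, E, N) == full_domain_hash(m)


def verify_identity_hash(m: int, sigma: int) -> bool:
    """Same scheme with H = identity: V(m, sigma) = [ sigma^e = m ]."""
    return 0 <= sigma < N and pow(sigma, E, N) == m % N


def forge_identity_hash(sigma: int) -> int:
    """Existential forgery without d when H = identity: choose any sigma,
    the 'message' m = f(sigma) = sigma^e mod n then verifies."""
    return pow(sigma, E, N)
```

The rejection loop is what makes H "full domain": truncating a digest to k bits alone would leave the interval [n, 2^k) unreachable, and the proof needs H(m) uniform over exactly the range of f.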

Comments: FDH

$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le (q_H + q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s)\,T_f\big)$
Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert f within time
  $T' \le (q_H + q_s + 1)\,(T + (q_H + q_s)\,T_f) \le 2^{56}\,T + 2^{112}\,T_f$

FDH-RSA

Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries; RSA with a K-bit modulus and a small exponent (T_f ≈ K^2).
If one can break the scheme within time T, one can invert RSA within time $T' \le 2^{131} + 2^{112}\,K^2$:
  RSA 1024 bits: 2^132 (NFS: 2^80)
  RSA 2048 bits: 2^134 (NFS: 2^111)
  RSA 4096 bits: 2^136 (NFS: 2^149)

ESIGN

ESIGN is an application of the FDH paradigm to a many-to-one trapdoor OW function f. Under specific probabilistic properties, the previous proof still applies, but:
  a given y has many pre-images;
  the signing oracle chooses a random one each time;
  the simulator knows only one!
No EF-CMA security, but security against single-occurrence chosen-message attacks (SO-CMA) only.

FDH-RSA: Improved Reduction

In the case where f is random self-reducible, the reduction may be improved (cf. Coron 00):
  $\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le (q_H + q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s)\,T_f\big)$
becomes
  $\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le e\,(q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s + 1)\,T_f\big)$

FDH-RSA EF-CMA: Game 0

Adversary A: on input (n, e), outputs (m*, σ*), with permanent access to the signing oracle S (q_s queries) and to the random oracle H (q_H queries).
One checks whether (σ*)^e mod n = H(m*). Note: this may make one more call to H.
If the equality holds, and m* was not asked to the signing oracle, s = 1; otherwise s = 0.
On this probability space, we consider the event S: s = 1. In Game i, this event is S_i. Note that Pr[S_0] = Succ^{ef-cma}(A).

FDH-RSA EF-CMA: Game 1

Any signing query is first asked to the random oracle H. One does not modify the probability space, but note that q_H becomes q_H' = q_H + q_s: Pr[S_1] = Pr[S_0].

FDH-RSA EF-CMA: Game 2

We replace the random oracle H by the usual simulation: the list Λ_H is initially set to the empty list, and any new random answer is appended. One does not modify the probability space: Pr[S_2] = Pr[S_1].

FDH-RSA EF-CMA: Game 3

One simulates the answers of H using y*, an external datum y* = (x*)^e mod n: for the i-th query m_i, one flips a biased coin b_i, which is 1 with probability p and 0 otherwise; one chooses x_i at random, computes y_i = (y*)^{b_i} x_i^e mod n and sets H(m_i) ← y_i. Then Λ_H ← (m_i, y_i, b_i, x_i), and y_i is the output.
One does not modify the probability space, since f is a permutation: Pr[S_3] = Pr[S_2].

FDH-RSA EF-CMA: Game 4

One now simulates the signing oracle S: for a query m, one looks for (m, y, b, x) ∈ Λ_H and outputs x as the signature. By construction H(m) = y = (y*)^b x^e mod n, thus the simulation is perfect unless b = 1. One just conditions the game on an independent event, b = 0 for each signing query, each of probability 1 - p:
$\Pr[S_4] \ge \Pr[S_3]\,(1-p)^{q_s}$

FDH-RSA EF-CMA: Game 4 (output)

One is given y*. A, on input (n, e), outputs (m*, σ*), with permanent access to the signing oracle simulation and to the random oracle simulation, and H(m*) = (y*)^{b*} (x*)^e mod n. One checks whether (σ*)^e mod n = H(m*).
Event S_4: (σ*)^e = H(m*) = (y*)^{b*} (x*)^e mod n, thus (σ*/x*)^e = y* mod n if b* = 1:
$\Pr[S_4] \le \mathrm{Succ}^{\mathrm{ow}}(t_4)\,/\,p$

FDH-RSA EF-CMA: Sum up

  Pr[S_0] = Succ^{ef-cma}(A)
  Pr[S_3] = Pr[S_2] = Pr[S_1] = Pr[S_0]
  Pr[S_4] ≥ Pr[S_3] (1 - p)^{q_s}
  Pr[S_4] ≤ Succ^{ow}(t_4) / p
Hence
$\Pr[S_0] = \mathrm{Succ}^{\mathrm{ef\text{-}cma}}(\mathcal{A}) \le \Pr[S_4]\,/\,(1-p)^{q_s} \le \mathrm{Succ}^{\mathrm{ow}}(t_4)\,/\,\big(p\,(1-p)^{q_s}\big)$

FDH-RSA EF-CMA: Result

$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(\mathcal{A}) \le \mathrm{Succ}^{\mathrm{ow}}(t')\,/\,\big(p\,(1-p)^{q_s}\big)$ where $t' = t + (q_H + q_s + 1)\,T_f$.
Note that $p\,(1-p)^{q_s}$ is maximal for $p = 1/(q_s + 1)$, and $1/\big(p\,(1-p)^{q_s}\big)$ is then approximately, but less than, $e\,(q_s + 1)$:
$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le e\,(q_s + 1)\,\mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s + 1)\,T_f\big)$

Comments: FDH-RSA

Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  $T' \le e\,(q_s + 1)\,(T + (q_H + q_s + 1)\,T_f) \approx 2^{30}\,T + 2^{85}\,T_f$
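The reduction of Games 3 and 4 above, run as code (an added example, not from the slides). A real forger does not exist, so the "adversary" here cheats with the private exponent d; what the code exercises is the reduction's side: programming H(m_i) = (y*)^{b_i} x_i^e with a biased coin, answering signing queries only on b_i = 0 points and aborting otherwise, and turning a forgery on a b* = 1 point into an e-th root of the challenge y*. Over many seeded runs the extraction rate lands near p(1 - p)^{q_s}, which is the loss factor the bound pays. The key is a constructed toy (Mersenne primes M127 and M107); all names are this example's own.

```python
"""Coron-style FDH-RSA reduction (Games 3-4), run against a stand-in forger.

Added example, not from the slides. The forger cheats with d; the reduction
itself only knows (n, e, y*). Key: constructed toy (Mersenne primes M127, M107).
"""
import random

P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class Reduction:
    """Knows only (n, e, y*); simulates the random oracle H and the signer S."""

    def __init__(self, y_star, p, rng):
        self.y_star, self.p, self.rng = y_star, p, rng
        self.table = {}         # Lambda_H: m -> (y, b, x)
        self.signed = set()     # messages asked to the signing oracle
        self.aborted = False

    def H(self, m):
        if m not in self.table:
            b = 1 if self.rng.random() < self.p else 0           # biased coin b_i
            x = self.rng.randrange(1, N)
            y = pow(self.y_star, b, N) * pow(x, E, N) % N         # y = (y*)^b x^e
            self.table[m] = (y, b, x)
        return self.table[m][0]

    def sign(self, m):
        self.H(m)                         # Game 1: hash before signing
        y, b, x = self.table[m]
        self.signed.add(m)
        if b == 1:                        # root of (y*) x^e unknown: simulation fails
            self.aborted = True
            return None
        return x                          # x^e = y = H(m): a valid signature

    def extract(self, m_star, sigma_star):
        """A forgery on a b* = 1 point gives sigma*/x* = (y*)^(1/e) mod n."""
        if self.aborted or m_star in self.signed or m_star not in self.table:
            return None
        y, b, x = self.table[m_star]
        if b == 0 or pow(sigma_star, E, N) != y:
            return None
        return sigma_star * pow(x, -1, N) % N


def cheating_forger(H, sign, messages):
    """Stand-in EF-CMA adversary: hashes every message, obtains signatures on
    all but the last, and 'forges' on the last one using d (which it should not have)."""
    for m in messages:
        H(m)
    for m in messages[:-1]:
        if sign(m) is None:
            return None
    m_star = messages[-1]
    return m_star, pow(H(m_star), D, N)


def run_reduction(seed, q_s=3):
    """One run on a fresh RSA challenge y* with the optimal bias p = 1/(q_s + 1).
    Returns (root or None, y*)."""
    rng = random.Random(seed)
    y_star = pow(rng.randrange(2, N), E, N)
    red = Reduction(y_star, 1 / (q_s + 1), rng)
    msgs = [b"msg%d" % i for i in range(q_s + 1)]
    forgery = cheating_forger(red.H, red.sign, msgs)
    root = None if forgery is None else red.extract(*forgery)
    return root, y_star


def success_rate(trials=1000, q_s=3):
    """Fraction of runs returning a correct e-th root; expected about p(1-p)^q_s."""
    ok = 0
    for seed in range(trials):
        root, y_star = run_reduction(seed, q_s)
        if root is not None and pow(root, E, N) == y_star:
            ok += 1
    return ok / trials
```

With q_s = 3 and p = 1/4 the expected rate is (1/4)(3/4)^3 ≈ 0.105; lowering p makes the signing simulation fail less often but the forgery point is less likely to be a b* = 1 point, which is exactly the trade-off the bound optimises.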

FDH-RSA

Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries; RSA with a K-bit modulus and a small exponent.
If one can break the scheme within time T, one can invert RSA within time $T' \le 2^{105} + 2^{85}\,K^2$:
  RSA 1024 bits: 2^106 (NFS: 2^80)
  RSA 2048 bits: 2^107 (NFS: 2^111)
  RSA 4096 bits: 2^109 (NFS: 2^149)

Probabilistic Signature Scheme (Bellare-Rogaway 96)

k = k_0 + k_1 + k_2 + 1, with {0,1}^{k-1} ⊂ X ⊂ {0,1}^k and f: X → X.
From the message m and a random salt r:
  w = H(m, r)        (k_2 bits)
  s = G(w) ⊕ r       (k_1 bits)
  t = F(w)           (k_0 bits)
  y = 0 ‖ w ‖ s ‖ t
  σ = f^{-1}(y)

RSA-PSS

n: k-bit RSA modulus (k = k_0 + k_1 + k_2 + 1); (n, e): public key; d: private key.
F: {0,1}^{k_2} → {0,1}^{k_0}, G: {0,1}^{k_2} → {0,1}^{k_1}, H: {0,1}^* → {0,1}^{k_2}.
w = H(m, r), s = G(w) ⊕ r, t = F(w), y = 0 ‖ w ‖ s ‖ t, σ = y^d mod n.
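RSA-PSS with exactly the layout y = 0 ‖ w ‖ s ‖ t above, as an added example (not code from the slides, and not the PKCS#1 encoding, which pads differently). F, G and H are instantiated from SHA-256 with domain-separation tags; that choice, the parameter split k_2 = 128, k_1 = 64, and the toy key (Mersenne primes M127 and M107, k = 234) are assumptions of this example.

```python
"""Toy RSA-PSS: y = 0 || w || s || t, w = H(m,r), s = G(w) xor r, t = F(w).

Added example, not from the slides. F, G, H are SHA-256 with tags (an
assumption). Key: constructed toy (Mersenne primes M127, M107).
"""
import hashlib
import secrets

P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()               # k = k0 + k1 + k2 + 1
K2, K1 = 128, 64                 # |w| = k2, |r| = |s| = k1 (assumed split)
K0 = K - 1 - K1 - K2             # |t| = k0, whatever is left


def _ro(tag: bytes, data: bytes, bits: int) -> int:
    """Random-oracle stand-in: tagged SHA-256, expanded or truncated to `bits` bits."""
    out = b"".join(hashlib.sha256(tag + i.to_bytes(2, "big") + data).digest()
                   for i in range((bits + 255) // 256))
    return int.from_bytes(out, "big") >> (len(out) * 8 - bits)


def H(m: bytes, r: int) -> int:      # {0,1}* -> {0,1}^k2
    return _ro(b"H", m + r.to_bytes(K1 // 8, "big"), K2)


def G(w: int) -> int:                # {0,1}^k2 -> {0,1}^k1
    return _ro(b"G", w.to_bytes(K2 // 8, "big"), K1)


def F(w: int) -> int:                # {0,1}^k2 -> {0,1}^k0
    return _ro(b"F", w.to_bytes(K2 // 8, "big"), K0)


def encode(m: bytes, r: int) -> int:
    """y = 0 || w || s || t as an integer; the leading 0 bit makes y < 2^(k-1) <= n."""
    w = H(m, r)
    s = G(w) ^ r
    t = F(w)
    return (w << (K1 + K0)) | (s << K0) | t


def sign(m: bytes, r: int = None) -> int:
    """sigma = y^d mod n with a fresh k1-bit salt r (or a caller-supplied one)."""
    r = secrets.randbits(K1) if r is None else r
    return pow(encode(m, r), D, N)


def verify(m: bytes, sigma: int) -> bool:
    """Recover y = sigma^e, split it, recover r = G(w) xor s, check t and w."""
    if not 0 <= sigma < N:
        return False
    y = pow(sigma, E, N)
    if y >> (K - 1):                       # most significant bit must be 0
        return False
    t = y & ((1 << K0) - 1)
    s = (y >> K0) & ((1 << K1) - 1)
    w = y >> (K0 + K1)
    r = G(w) ^ s
    return t == F(w) and w == H(m, r)
```

Because r is fresh per signature, two signatures on the same message differ, which is what gives the simulator in the proof the freedom to choose which H-query points carry the challenge y* and which it can sign itself.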

RSA-PSS EF-CMA: Game 0

Adversary A: on input (n, e), outputs (m*, σ*), with permanent access to the signing oracle S (q_s queries) and to the random oracles F, G, H (q_F, q_G, q_H queries).
On this probability space, we consider the event S: V(m*, σ*) = 1. In Game i, this event is S_i. Note that Pr[S_0] = Succ^{ef-cma}(A).
V(m*, σ*) = 1 means: with y = f(σ*) = 0 ‖ w ‖ s ‖ t and r = G(w) ⊕ s, one has t = F(w) and w = H(m*, r).

RSA-PSS EF-CMA: Game 1

We replace the random oracles F, G and H by the usual simulations: the lists Λ_F, Λ_G and Λ_H are initially set to the empty list, and any new random answer is appended. One does not modify the probability space: Pr[S_1] = Pr[S_0].

RSA-PSS EF-CMA: Game 2

One simulates the answers of H(m, r) (asked directly by A (b = 1), or by S (b = 0)) using y*, an external datum y* = (x*)^e mod n:
  choose a random u ∈ Z_n^*, and compute y = (y*)^b u^e mod n, until the most significant bit is 0;
  parse it as y = 0 ‖ w ‖ s ‖ t;
  define F(w) ← t and G(w) ← r ⊕ s; Λ_F and Λ_G are updated accordingly.
Then Λ_H ← (m, r, b, u, w), and w is the output.

RSA-PSS: Game 1 to Game 2

w, s and t are uniformly distributed, thus t, r ⊕ s and w are so too: the distributions are unchanged.
A problem may occur if F(w) or G(w) have already been queried or defined:
  q_F values of w have been queried to F by A;
  q_G values of w have been queried to G by A;
  q_H values of w have been defined for F and G through A's queries to H;
  q_s values of w have been defined for F and G through S.
$|\Pr[S_2] - \Pr[S_1]| \le (q_H + q_s)\,(q_F + q_G + q_H + q_s)\,/\,2^{k_2}$

RSA-PSS EF-CMA: Game 3

In the simulation of H in Game 2 ("choose a random u ∈ Z_n^*, and compute y = (y*)^b u^e mod n, until the most significant bit is 0"), the loop may take a long time: we limit it to k_2 iterations. This makes a difference only if y is still undefined after k_2 iterations:
$|\Pr[S_3] - \Pr[S_2]| \le (q_H + q_s)\,/\,2^{k_2}$

RSA-PSS EF-CMA: Game 4

One now simulates the signing oracle S: before simulating it, one stops the game if the signature of m involves a tuple (m, r, b = 1, *, *) ∈ Λ_H (i.e. (m, r) was already asked to H by A). This may only happen if there is a collision on the value of r between the q_s values possibly defined by S and the q_H queries of A:
$|\Pr[S_4] - \Pr[S_3]| \le q_s\,q_H\,/\,2^{k_1}$

RSA-PSS EF-CMA: Game 5

One can now simulate the signing oracle S, using the same (m, r) as S did, through the simulation of H: for some (u, w), (m, r, 0, u, w) ∈ Λ_H, with 0 ‖ w ‖ s ‖ t = y = u^e mod n, H(m, r) = w, F(w) = t and r ⊕ G(w) = s. Thus u is the signature. The simulation is perfect: Pr[S_5] = Pr[S_4].

RSA-PSS EF-CMA: Game 5 (output)

A, on input (n, e), outputs (m*, σ*), with permanent access to the signing oracle simulation and to the random oracle simulations of F, G and H.
For any query (m, r) asked by A, there exists (u, w) such that (m, r, 1, u, w) ∈ Λ_H, with 0 ‖ w ‖ s ‖ t = y = y* u^e mod n, H(m, r) = w, F(w) = t and r ⊕ G(w) = s.
Event S_5 (unless A guessed w without asking H): (σ*)^e = y = y* u^e mod n, thus (σ*/u)^e = y* mod n:
$\Pr[S_5] \le \mathrm{Succ}^{\mathrm{ow}}(t_5) + 1/2^{k_2}$

RSA-PSS EF-CMA: Sum up

  Pr[S_0] = Succ^{ef-cma}(A)
  Pr[S_1] = Pr[S_0]
  |Pr[S_2] - Pr[S_1]| ≤ (q_H + q_s)(q_F + q_G + q_H + q_s) / 2^{k_2}
  |Pr[S_3] - Pr[S_2]| ≤ (q_H + q_s) / 2^{k_2}
  |Pr[S_4] - Pr[S_3]| ≤ q_s q_H / 2^{k_1}
  Pr[S_5] = Pr[S_4]
  Pr[S_5] ≤ Succ^{ow}(t_5) + 1 / 2^{k_2}
$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le \frac{(q_H + q_s)(q_F + q_G + q_H + q_s + 1)}{2^{k_2}} + \frac{q_s\,q_H}{2^{k_1}} + \frac{1}{2^{k_2}} + \mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s)\,k_2\,T_f\big)$

Comments: RSA-PSS

$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le \frac{(q_H + q_s)(q_F + q_G + q_H + q_s + 1)}{2^{k_2}} + \frac{q_s\,q_H}{2^{k_1}} + \frac{1}{2^{k_2}} + \mathrm{Succ}^{\mathrm{ow}}_f\big(t + (q_H + q_s)\,k_2\,T_f\big)$
Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  $T' \le T + (q_H + q_s)\,k_2\,T_f \approx T + 2^{65}\,T_f$

RSA-PSS

Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries; RSA with a K-bit modulus and a small exponent.
If one can break the scheme within time T, one can invert RSA within time $T' \le 2^{75} + 2^{65}\,K^2$:
  RSA 1024 bits: 2^85 (NFS: 2^80)
  RSA 2048 bits: 2^87 (NFS: 2^111)
  RSA 4096 bits: 2^89 (NFS: 2^149)

Jonsson's Trick: Game 3

In the simulation of H in Game 2 ("choose a random u ∈ Z_n^*, and compute y = (y*)^b u^e mod n, until the most significant bit is 0"), instead of limiting each simulation to k_2 iterations, we limit the global number of iterations, over all simulations, to 2(q_H + q_s). One can show that some y may remain undefined, but only with probability at most $1/2^{\ldots}$, for any value of q_H + q_s:
$|\Pr[S_3] - \Pr[S_2]| \le 1/2^{\ldots}$

Comments: RSA-PSS

$\mathrm{Succ}^{\mathrm{ef\text{-}cma}}(t) \le \frac{(q_H + q_s)(q_F + q_G + q_H + q_s)}{2^{k_2}} + \frac{q_s\,q_H}{2^{k_1}} + \frac{1}{2^{k_2}} + \frac{1}{2^{\ldots}} + \mathrm{Succ}^{\mathrm{ow}}_f\big(t + 2(q_H + q_s)\,T_f\big)$
Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  $T' \le T + 2(q_H + q_s)\,T_f \approx T + 2^{56}\,T_f$

RSA-PSS: Practical Security

Security bound: 2^75, with 2^55 hash queries and 2^30 signing queries; RSA with a K-bit modulus and a small exponent.
If one can break the scheme within time T, one can invert RSA within time $T' \le 2^{75} + 2^{56}\,K^2$:
  RSA 1024 bits: 2^76 (NFS: 2^80)
  RSA 2048 bits: 2^78 (NFS: 2^111)
  RSA 4096 bits: 2^80 (NFS: 2^149)

Schnorr Signature (1989)

G = ⟨g⟩ of prime order q; g and q: common elements; x: private key; y = g^x: public key.
Signing m: choose k ∈ Z_q and compute r = g^k, e = H(m, r) and s = k - x·e mod q; σ = (e, s).
Verifying (m, σ): u = g^s y^e (= g^{k - xe} g^{xe} = r); test whether e = H(m, u).

Security Proof (Pointcheval-Stern 96)

Existential forgery ⇒ DL problem. Idea: the forking lemma.
Two forgeries on the same (m, r) with different oracle answers e ≠ e': (e, s) and (e', s').
  g^s y^e = r = g^{s'} y^{e'}, hence g^{s - s'} = y^{e' - e}
  Let α = (s - s')/(e' - e) mod q. Then y = g^α.
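The Schnorr scheme and the extraction step of the proof above, as an added example (not code from the slides). The group is the order-q subgroup of Z_p^* with p = 2q + 1, generated at run time as a ~64-bit toy (seeded, so the run is reproducible); H is a table standing in for the random oracle that the reduction can program, so the two "runs" share the adversary's coins k and differ only in the answer h_i = H(m, r). The forger is played by the honest signer itself; all parameter sizes are assumptions of this example.

```python
"""Schnorr signatures and forking-lemma extraction of x from two forgeries
on the same (m, r) under different oracle answers e != e'.

Added example, not from the slides. Toy ~64-bit safe-prime group, seeded.
"""
import hashlib
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits, rng):
    """(p, q, g): p = 2q + 1 prime, g a square mod p, hence of order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, pow(rng.randrange(2, p - 1), 2, p)


class Oracle:
    """Random oracle H(m, r) -> Z_q whose entries the reduction can program."""

    def __init__(self, q, programmed=None):
        self.q, self.programmed = q, programmed or {}

    def __call__(self, m, r):
        if (m, r) in self.programmed:
            return self.programmed[(m, r)]
        digest = hashlib.sha256(m + r.to_bytes(16, "big")).digest()
        return int.from_bytes(digest, "big") % self.q


def schnorr_sign(p, q, g, x, m, k, H):
    r = pow(g, k, p)
    e = H(m, r)
    return e, (k - x * e) % q                  # sigma = (e, s)


def schnorr_verify(p, q, g, y, m, sig, H):
    e, s = sig
    u = pow(g, s, p) * pow(y, e, p) % p        # = g^(k - xe) g^(xe) = r
    return e == H(m, u)


def extract_dlog(q, sig1, sig2):
    """g^s y^e = r = g^s' y^e'  =>  y = g^alpha with alpha = (s - s')/(e' - e)."""
    (e1, s1), (e2, s2) = sig1, sig2
    return (s1 - s2) * pow(e2 - e1, -1, q) % q


def fork_demo(seed=7):
    """Sign twice with the same k, rewinding H at (m, r). Returns (alpha, x)."""
    rng = random.Random(seed)
    p, q, g = safe_prime_group(64, rng)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    m, k = b"forking lemma", rng.randrange(1, q)   # k: the adversary's coins, kept fixed
    r = pow(g, k, p)
    H1 = Oracle(q)
    sig1 = schnorr_sign(p, q, g, x, m, k, H1)
    e2 = (sig1[0] + rng.randrange(1, q)) % q        # a different answer h_i for the same query
    H2 = Oracle(q, {(m, r): e2})
    sig2 = schnorr_sign(p, q, g, x, m, k, H2)
    assert schnorr_verify(p, q, g, y, m, sig1, H1)
    assert schnorr_verify(p, q, g, y, m, sig2, H2)
    return extract_dlog(q, sig1, sig2), x
```

The same algebra is why a signer that ever reuses k under a fixed hash (two different messages, same r) leaks x: the "fork" then happens in the real world rather than in the proof.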

Forking Lemma

A asks q_H queries (m_i, r_i): h_i = H(m_i, r_i), and outputs (m*, r*, e*, s*) such that m* = m_j for some j, e* = H(m*, r*) and V(m*, r*, e*, s*) = 1, with probability ε = Pr[Success].
$\varepsilon_i = \Pr[\mathrm{Success} \wedge m^* = m_i]$, so that $\sum_i \varepsilon_i = \varepsilon$.

Forking Lemma - 2

For any i, one defines Ω = {(ω, h_1, …, h_{i-1}, h_i, …, h_{q_H})} = X_i × Y_i, with x = (ω, h_1, …, h_{i-1}) and y = (h_i, …, h_{q_H}).
$\varepsilon_i = \Pr_{X_i \times Y_i}[\mathrm{Success} \wedge m^* = m_i]$
$Z_i = \{\, x \in X_i : \Pr_{Y_i}[\mathrm{Success} \wedge m^* = m_i \mid x] \ge \alpha_i \,\}$

Splitting Lemma

Write S_i for the event "Success ∧ m* = m_i". Assume Pr[x ∈ Z_i] < ε_i - α_i. Then
$\varepsilon_i = \Pr[S_i] = \Pr[S_i \mid x \in Z_i]\,\Pr[x \in Z_i] + \Pr[S_i \mid x \notin Z_i]\,\Pr[x \notin Z_i] < 1\cdot(\varepsilon_i - \alpha_i) + \alpha_i \cdot 1 = \varepsilon_i,$
a contradiction; hence $\Pr[x \in Z_i] \ge \varepsilon_i - \alpha_i$. Moreover,
$\Pr[x \in Z_i \mid S_i] = 1 - \Pr[x \notin Z_i \mid S_i] = 1 - \Pr[S_i \mid x \notin Z_i]\,\Pr[x \notin Z_i]\,/\,\Pr[S_i] \ge 1 - \alpha_i/\varepsilon_i.$

Forking Lemma - 3

Run A once: for any i, success with m* = m_i happens with probability ε_i, and then x ∈ Z_i with probability at least 1 - α_i/ε_i.
Run A a second time with the same x but a random y: a new success with probability at least α_i.
$p_i \ge \varepsilon_i\,(1 - \alpha_i/\varepsilon_i)\,\alpha_i = (\varepsilon_i - \alpha_i)\,\alpha_i$

Forking Lemma - 4

With α_i = ρ ε_i:
$p = \sum_i p_i \ge \sum_i (\varepsilon_i - \rho\,\varepsilon_i)\,\rho\,\varepsilon_i = (1-\rho)\,\rho \sum_i \varepsilon_i^2 \ge (1-\rho)\,\rho\,\Big(\sum_i \varepsilon_i\Big)^2 / q_H = (1-\rho)\,\rho\,\varepsilon^2 / q_H$
(the inequality is Cauchy-Schwarz over the q_H indices). Optimal for ρ = 1/2: $p \ge \varepsilon^2 / (4\,q_H)$.

Forking Lemma: Result

Run A once with random (ω, h_1, …, h_{i-1}, h_i, …, h_{q_H}) = (x, y). In case of success, run it again with the same x but a random y. One gets two successes (m_1, r_1, e_1, s_1) and (m_2, r_2, e_2, s_2) such that (m_1, r_1) = (m_2, r_2), V(m_1, r_1, e_1, s_1) = 1 and V(m_2, r_2, e_2, s_2) = 1, with probability greater than ε^2/(4 q_H).

Forking Lemma - Improvement

Run A until one gets a success: on average 1/ε iterations. For any i, m* = m_i with probability Pr[S_i | S] = ε_i/ε, and then x ∈ Z_i with probability at least 1 - α_i/ε_i.
Run A again with the same x, but random y, until a success: on average 1/α_i times.
On average:
$T' = \frac{1}{\varepsilon} + \sum_i \frac{\varepsilon_i}{\varepsilon}\cdot\frac{1}{\alpha_i} \approx \frac{q_H + 1}{\varepsilon}$ (taking α_i of the order of ε_i).

Comments: Forking Lemma

Security bound: 2^75, with 2^55 hash queries.
If one can break the scheme within time T = t/ε, one can extract two tuples within time $T' \approx q_H\,t/\varepsilon = q_H\,T \approx 2^{130}$.
This is not a practical result: 4096-bit moduli are required.

Chosen-Message Attacks

The random oracle provides an easy simulation of the signing oracle. The forking lemma applies to: Fiat-Shamir, Guillou-Quisquater, Schnorr.

Generic Model: ECDSA

G = ⟨P⟩ of prime order q: common elements; x: private key; Y = x.P: public key.
Signing m: choose k ∈ Z_q^* and compute R = k.P, r = f(R), e = H(m) and s = (e + x·r)/k mod q; σ = (r, s).
Verifying (m, r, s): first check 0 < r, s < q; compute R' = e s^{-1}.P + r s^{-1}.Y; test whether r = f(R').

Non-Malleability: ECDSA

Under some assumptions about the function f and the hash function H, one can show that, in the generic model, one cannot break the non-malleability of ECDSA with probability significantly greater than
$(n+1)(n + q_s + 1)\,/\,(2q)$
where q_s is the number of signing queries and n the number of group-law operations.

Malleability: ECDSA

In the description of ECDSA, f(R) = x_R (the first coordinate of R). Thus f(-R) = f(R).
If (m, r, s) is a valid signature: 0 < r, s < q and f(e s^{-1}.P + r s^{-1}.Y) = r.
Then (m, r, q - s) is a valid signature too: with s' = -s mod q, 0 < r, s' < q and
  f(e s'^{-1}.P + r s'^{-1}.Y) = f(-e s^{-1}.P - r s^{-1}.Y) = f(e s^{-1}.P + r s^{-1}.Y) = r.

Comments: ECDSA

However, this function f satisfies the requirements of the security theorem! The problem comes from the generic model: indeed, when one knows the encoding of P, one usually knows the encoding of -P; they are not independent. Thus f(R) and f(-R) are not independent!
If f is a random oracle: provably secure relative to DL, in the random oracle model only (KCDSA).
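ECDSA and the (r, s) → (r, q - s) malleability above, as an added example (not code from the slides). The curve is the published secp256k1 (its constants are public and exact); the affine point arithmetic is written out so the block runs offline. The final `verify_low_s` check is a deployment-side fix, rejecting the higher of the two s values so that only one of the pair is accepted; it is not part of the scheme on the slides and is labelled as such.

```python
"""ECDSA over secp256k1 and the (r, s) -> (r, q - s) malleability.

Added example, not from the slides. Curve constants: published secp256k1.
verify_low_s is a deployment fix (low-s rule), not part of the slide's scheme.
"""
import hashlib
import secrets

PF = 2**256 - 2**32 - 977                                                  # field prime
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141    # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                                                 # point at infinity


def add(P1, P2):
    """Affine point addition on y^2 = x^3 + 7 over GF(PF)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if (y1 + y2) % PF == 0:          # P + (-P)
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, PF) % PF
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PF) % PF
    x3 = (lam * lam - x1 - x2) % PF
    return x3, (lam * (x1 - x3) - y1) % PF


def mul(k, P):
    """Double-and-add scalar multiplication k.P."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def neg(P):
    return P[0], (-P[1]) % PF


def f(R):
    """The slide's f: first coordinate of R (reduced mod q as ECDSA does)."""
    return R[0] % Q


def e_of(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def sign(x, m, k=None):
    """sigma = (r, s) with R = k.P, r = f(R), s = (e + x r)/k mod q."""
    while True:
        k = secrets.randbelow(Q - 1) + 1 if k is None else k
        r = f(mul(k, G))
        s = (e_of(m) + x * r) * pow(k, -1, Q) % Q
        if r and s:
            return r, s
        k = None


def verify(Y, m, sig):
    """0 < r, s < q; R' = e s^-1 .P + r s^-1 .Y; check r = f(R')."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    Rp = add(mul(e_of(m) * w % Q, G), mul(r * w % Q, Y))
    return Rp is not INF and f(Rp) == r


def malleate(sig):
    """(r, s) -> (r, q - s): still valid since f(-R') = f(R')."""
    r, s = sig
    return r, (Q - s) % Q


def verify_low_s(Y, m, sig):
    """Deployment fix, not on the slides: accept only s <= q/2, so exactly
    one signature of each (s, q - s) pair verifies."""
    return sig[1] <= Q // 2 and verify(Y, m, sig)
```

The low-s rule does not make ECDSA non-malleable in the proof's sense (an attacker can still output the other s for a message already signed), it only pins down which of the two encodings a verifier accepts, which is what systems keyed on signature bytes need.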

Generic Model

The generic model should thus be used with care: automorphisms in the group may break the genericity of the encoding.

Generic Constructions

FDH: trapdoor OW permutation.
  Bad reduction to EF-CMA: T' ≈ q_H T.
  If many-to-one function: SO-CMA only.
  If random self-reducibility (RSR): better reduction, T' ≈ q_s T.
PSS: RSR trapdoor OW permutation.
  Tight reduction, T' ≈ T: practical security.
Forking lemma: identification scheme secure against passive attacks.
  Bad reduction: T' ≈ q_H T.

Ideal Models

Ideal models are to be handled with care:
  Random oracle model: seems correct in practice.
  Generic model: less convincing.