Provable Security: Signatures
UCL, Louvain-la-Neuve, Wednesday, July 10th, 2002
LIENS-CNRS, Ecole normale supérieure

Summary: Introduction; Signature; FDH; PSS; Forking Lemma; Generic Model; Conclusion
Provable Security - Signatures - 2
(Trapdoor) One-Way Functions
In the following, we consider any function f which is assumed to be one-way:
  Succ^ow_f(A) = Pr[ x ← X, y = f(x) : f(A(y)) = y ]
This function may be trapdoor: g is the inverse function, available granted a private information.
Examples: OW function = DL; trapdoor OW function = RSA or CD; trapdoor OW permutation = RSA
Proof by Reduction
Reduction of a problem P to an attack Atk: let A be an adversary that breaks the scheme S; then A can be used to solve P.
  Instance I of P  →  (run A)  →  Solution of I
  P intractable  ⇒  S unbreakable

Complexity Estimates
Estimates for integer factoring (Lenstra-Verheul 2000); can be used for RSA too:
  Modulus (bits)        512   1024   2048   4096   8192
  Mips-Year (log2)       13     35     66    104    156
Lower bounds for DL in Z_p^*:
  Operations (log2)      58     80    111    149    201
Practical Security
Adversary A against S within time t; algorithm against P within time t' = T(t).
  Complexity theory: T polynomial
  Exact security: T explicit
  Practical security: T small (linear)

Authentication
Signature algorithm S, with signing key k_s: m → σ
Verification algorithm V, with verification key k_v: (m, σ) → 0/1
Security: impossible to forge a valid σ without k_s
Basic Goal
Existential Forgery: without the private key, it is computationally impossible to forge a valid message-signature pair:
  Succ^ef(A) = Pr[ (m, σ) ← A(k_v) : V(m, σ) = 1 ]

Chosen-Message Attacks
Chosen-Message Attacks (CMA): in the list of message-signature pairs, the messages are adaptively chosen by the adversary. This is the strongest attack.
FDH Signature
f is a trapdoor one-way permutation onto X; g is the inverse (granted the trapdoor); H is a hash function onto the full domain X of f.
  f: public key; g: private key
  S(m) = g(H(m));  V(m, σ) = (f(σ) = H(m))
  H = identity: existential forgery is easy!
  H = random oracle: EF-CMA = OW?

FDH EF-CMA: Result
  Succ^ef-cma(A) ≤ (q_H + q_S + 1) · Succ^ow_f(t')   where t' = t + (q_H + q_S) T_f
Comments: FDH
  Succ^ef-cma(t) ≤ (q_H + q_S + 1) · Succ^ow_f(t + (q_H + q_S) T_f)
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert f within time
  T' ≤ (q_H + q_S + 1)(T + (q_H + q_S) T_f) ≈ 2^56 T + 2^112 T_f

FDH-RSA
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries; RSA (K bits) with small exponent.
If one can break the scheme within time T, one can invert RSA within time T' ≈ 2^131 + 2^112 K^2:
  RSA 1024 bits: 2^132 (NFS: 2^80)
  RSA 2048 bits: 2^134 (NFS: 2^111)
  RSA 4096 bits: 2^136 (NFS: 2^149)
ESIGN
ESIGN is an application of the FDH paradigm to a many-to-one trapdoor OW function f. Under specific probabilistic properties, the previous proof still applies, but:
  a given y has many pre-images;
  the signing oracle chooses a random one each time;
  the simulator knows only one!
Hence no EF-CMA result, but security against SO-CMA (single-occurrence CMA) only.

FDH-RSA: Improved Reduction
In the case that f is random self-reducible, the reduction may be improved (cf. Coron 00):
  Succ^ef-cma(t) ≤ (q_H + q_S + 1) · Succ^ow_f(t + (q_H + q_S) T_f)
becomes
  Succ^ef-cma(t) ≤ e (q_S + 1) · Succ^ow_f(t + (q_H + q_S + 1) T_f)
FDH-RSA EF-CMA: Game 0
Adversary A: (n, e) → (m*, σ*), with permanent access to the signing oracle S (q_S queries) and the random oracle H (q_H queries).
One checks whether (σ*)^e mod n = H(m*). Note: this may make one more call to H.
If the equality holds, and m* was never submitted to the signing oracle (m* ∉ Λ), then s = 1; otherwise s = 0.
On this probability space, we consider the event S: s = 1. In Game i, this event is denoted S_i.
Note that Pr[S_0] = Succ^ef-cma(A).
FDH-RSA EF-CMA: Game 1
Any signing query is asked first to the random oracle H. One does not modify the probability space, but note that q_H becomes q'_H = q_H + q_S:
  Pr[S_1] = Pr[S_0]

FDH-RSA EF-CMA: Game 2
We replace the random oracle H by the usual simulation: the list Λ_H is initially set to an empty list, and any new random answer is appended. One does not modify the probability space:
  Pr[S_2] = Pr[S_1]
FDH-RSA EF-CMA: Game 3
One simulates the answers of H using y*, an external datum y* = (x*)^e mod n.
For the i-th query m_i, one flips a biased coin b_i which is 1 with probability p, and 0 otherwise.
One chooses x_i, computes y_i = (y*)^{b_i} x_i^e mod n and sets H(m_i) ← y_i.
Then Λ_H ← (m_i, y_i, b_i, x_i), and y_i is the output.
One does not modify the probability space, since f is a permutation:
  Pr[S_3] = Pr[S_2]

FDH-RSA EF-CMA: Game 4
One now simulates the signing oracle S: for a query m, one looks for (m, y, b, x) ∈ Λ_H, and outputs x as the signature.
By construction, H(m) = y = (y*)^b x^e mod n, thus the simulation is perfect unless b = 1.
One just conditions the game on an independent event, b = 0 for each of the q_S signing queries, each of probability 1-p:
  Pr[S_4] ≥ Pr[S_3] (1-p)^{q_S}
FDH-RSA EF-CMA: Game 4 (cont.)
One is given y*. Adversary A: (n, e) → (m*, σ*), with permanent access to the signing oracle simulation and the random oracle simulation; in particular H(m*) = (y*)^{b*} x^e mod n for the entry (m*, y, b*, x) ∈ Λ_H.
One checks whether (σ*)^e mod n = H(m*).
Event S_4: (σ*)^e = H(m*) = (y*)^{b*} x^e mod n. Thus (σ* / x)^e = y* mod n if b* = 1:
  Pr[S_4] ≤ Succ^ow(t_4) / p

FDH-RSA EF-CMA: Sum up
  Pr[S_0] = Succ^ef-cma(A)
  Pr[S_3] = Pr[S_2] = Pr[S_1] = Pr[S_0]
  Pr[S_4] ≥ Pr[S_3] (1-p)^{q_S}
  Pr[S_4] ≤ Succ^ow(t_4) / p
Hence
  Succ^ef-cma(A) = Pr[S_0] ≤ Pr[S_4] / (1-p)^{q_S} ≤ Succ^ow(t_4) / (p (1-p)^{q_S})
FDH-RSA EF-CMA: Result
  Succ^ef-cma(A) ≤ Succ^ow(t') / (p (1-p)^{q_S})   where t' = t + (q_H + q_S + 1) T_f
Note that p ↦ p (1-p)^{q_S} is maximal for p = 1 / (q_S + 1); its inverse is then approximately, but less than, e (q_S + 1):
  Succ^ef-cma(t) ≤ e (q_S + 1) · Succ^ow_f(t + (q_H + q_S + 1) T_f)

Comments: FDH-RSA
  Succ^ef-cma(t) ≤ e (q_S + 1) · Succ^ow_f(t + (q_H + q_S + 1) T_f)
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  T' ≤ e (q_S + 1)(T + (q_H + q_S + 1) T_f) ≈ 2^30 T + 2^85 T_f
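The simulator of Games 3 and 4, with the biased coin of the improved reduction, as an added Python example that is not part of the original slides: `Reduction` answers H and signing queries knowing only the RSA challenge y*, aborts when a signing query hits a b = 1 entry, and recovers x* from a forgery on a b* = 1 entry. The forger is a stand-in that, unlike a real adversary, uses the private key so the mechanics can be exercised; the key size, message names and bias p are constructed for the demo.

```python
import math, random
# Toy RSA key, constructed for the demo (far too small for real use).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # used ONLY by the stand-in forger below

class Reduction:
    """Games 3/4: answers H and S without the trapdoor, knowing only y* = (x*)^e mod n."""
    def __init__(self, y_star, p_bias, rng):
        self.y_star, self.p, self.rng = y_star, p_bias, rng
        self.table, self.aborted = {}, False     # Lambda_H: m -> (y, b, x)
    def hash_query(self, m):
        if m not in self.table:
            b = 1 if self.rng.random() < self.p else 0      # biased coin b_i
            x = self.rng.randrange(1, N)
            while math.gcd(x, N) != 1:
                x = self.rng.randrange(1, N)
            y = pow(self.y_star, b, N) * pow(x, E, N) % N    # y_i = y*^b_i * x_i^e
            self.table[m] = (y, b, x)
        return self.table[m][0]
    def sign_query(self, m):
        self.hash_query(m)
        _, b, x = self.table[m]
        if b == 1:               # no signature without the trapdoor: abort (Game 4)
            self.aborted = True
            return None
        return x                 # x^e = y = H(m): a valid signature
    def extract(self, m_star, sigma_star):
        self.hash_query(m_star)  # the "one more call" to H, for m*
        _, b, x = self.table[m_star]
        if b == 0 or sigma_star is None:
            return None
        return sigma_star * pow(x, -1, N) % N   # (sigma*/x)^e = y*, i.e. x*

def stand_in_forger(oracle):
    """Stand-in for the black-box forger A: cheats with D so the demo runs."""
    for m in ("invoice-1", "invoice-2"):        # q_S = 2 signing queries
        oracle.sign_query(m)
    m_star = "invoice-3"                        # fresh message, so a valid forgery
    if oracle.aborted:
        return m_star, None
    return m_star, pow(oracle.hash_query(m_star), D, N)

def reduction_trials(n_trials, p_bias, seed):
    """Returns (#runs that output a candidate x*, #runs where it was wrong)."""
    rng, extracted, wrong = random.Random(seed), 0, 0
    for _ in range(n_trials):
        x_star = rng.randrange(2, N)
        red = Reduction(pow(x_star, E, N), p_bias, rng)
        got = red.extract(*stand_in_forger(red))
        if got is not None:
            extracted += 1
            wrong += got != x_star
    return extracted, wrong
```

With p = 1/(q_S + 1) = 1/3 the fraction of runs that output x* is about p (1-p)^{q_S} ≈ 0.15, and every output is correct, which is exactly the factor e (q_S + 1) the bound pays.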
FDH-RSA
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries; RSA (K bits) with small exponent.
If one can break the scheme within time T, one can invert RSA within time T' ≈ 2^105 + 2^85 K^2:
  RSA 1024 bits: 2^106 (NFS: 2^80)
  RSA 2048 bits: 2^107 (NFS: 2^111)
  RSA 4096 bits: 2^109 (NFS: 2^149)
Probabilistic Signature Scheme (Bellare-Rogaway 96)
[Figure: the PSS encoding. m and r go through H to give w; G(w) masks r to give s; F(w) gives t; y = 0 | w | s | t and σ = f^{-1}(y). Parameters: k = k_0 + k_1 + k_2 + 1, {0,1}^{k-1} ⊂ X ⊂ {0,1}^k, f: X → X; w has k_2 bits, s has k_1 bits, t has k_0 bits.]

RSA-PSS
n: k-bit RSA modulus (k = k_0 + k_1 + k_2 + 1); (n, e): public key; d: private key.
  F: {0,1}^{k_2} → {0,1}^{k_0},  G: {0,1}^{k_2} → {0,1}^{k_1},  H: {0,1}^* → {0,1}^{k_2}
  w = H(m, r),  s = G(w) ⊕ r,  t = F(w)
  y = 0 | w | s | t,  σ = y^d mod n
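The RSA-PSS construction above (w = H(m, r), s = G(w) ⊕ r, t = F(w), y = 0 | w | s | t, σ = y^d mod n) as an added Python example, not code from the slides: the three oracles are stand-ins built from SHA-256, and the key together with the split k = k_0 + k_1 + k_2 + 1 = 92 are constructed toy parameters.

```python
import hashlib, secrets

# Toy RSA key constructed for the demo: two Mersenne primes, n has 92 bits (not for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()                 # k = 92, so 2^(k-1) <= n < 2^k
K2, K1, K0 = 43, 24, 24            # k = k0 + k1 + k2 + 1

def oracle(tag, data, bits):
    """Stand-in random oracle: SHA-256, domain-separated by tag, truncated to `bits` bits."""
    h = hashlib.sha256(tag + data).digest()
    return int.from_bytes(h, "big") >> (256 - bits)

def H(m, r): return oracle(b"H", m + r.to_bytes(3, "big"), K2)   # {0,1}^* x {0,1}^k1 -> {0,1}^k2
def G(w):    return oracle(b"G", w.to_bytes(6, "big"), K1)       # {0,1}^k2 -> {0,1}^k1
def F(w):    return oracle(b"F", w.to_bytes(6, "big"), K0)       # {0,1}^k2 -> {0,1}^k0

def pss_encode(m, r):
    w = H(m, r)
    s = G(w) ^ r
    t = F(w)
    return (w << (K1 + K0)) | (s << K0) | t     # y = 0 | w | s | t  (< 2^(k-1) <= n)

def sign(m, r=None):
    r = secrets.randbits(K1) if r is None else r  # k1-bit random salt
    return pow(pss_encode(m, r), D, N)

def verify(m, sigma):
    y = pow(sigma, E, N)
    if y >> (K - 1):                           # leading bit must be 0
        return False
    t = y & ((1 << K0) - 1)
    s = (y >> K0) & ((1 << K1) - 1)
    w = y >> (K0 + K1)
    r = G(w) ^ s                               # recover the salt from s
    return w == H(m, r) and t == F(w)
```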
RSA-PSS EF-CMA: Game 0
Adversary A: (n, e) → (m*, σ*), with permanent access to the signing oracle S (q_S queries) and the random oracles F, G, H (q_F, q_G, q_H queries).
On this probability space, we consider the event S: V(m*, σ*) = 1. In Game i, this event is denoted S_i. Note that Pr[S_0] = Succ^ef-cma(A).
V(m*, σ*) = 1 means: with y = f(σ*) = 0 | w | s | t and r = G(w) ⊕ s, then t = F(w) and w = H(m*, r).
RSA-PSS EF-CMA: Game 1
We replace the random oracles F, G and H by the usual simulations: the lists Λ_F, Λ_G and Λ_H are initially set to empty lists, and any new random answer is appended. One does not modify the probability space:
  Pr[S_1] = Pr[S_0]

RSA-PSS EF-CMA: Game 2
One simulates the answers of H(m, r) (directly asked by A (b = 1), or by S (b = 0)) using y*, an external datum y* = (x*)^e mod n:
  choose a random u ∈ Z_n and compute y = (y*)^b u^e mod n, until the most significant bit is 0;
  parse it as y = 0 | w | s | t;
  define F(w) ← t and G(w) ← r ⊕ s (Λ_F and Λ_G are updated).
Then Λ_H ← (m, r, b, u, w), and w is the output.
RSA-PSS: Game 1 to Game 2
w, s and t are uniformly distributed, thus t, r ⊕ s and w are so too: the distributions are unchanged.
A problem may occur if F(w) or G(w) have already been queried or defined:
  q_F values for w have been queried to F by A;
  q_G values for w have been queried to G by A;
  q_H values for w have been defined for F/G through the H queries of A;
  q_S values for w have been defined for F and G through the signing queries.
  |Pr[S_2] - Pr[S_1]| ≤ (q_H + q_S)(q_F + q_G + q_H + q_S) / 2^{k_2}

RSA-PSS EF-CMA: Game 3
In the simulation of H in Game 2: choose a random u ∈ Z_n and compute y = (y*)^b u^e mod n, until the most significant bit is 0. This may take a long time: we limit it to k_2 iterations.
This makes a difference only if y is still undefined after k_2 iterations:
  |Pr[S_3] - Pr[S_2]| ≤ (q_H + q_S) / 2^{k_2}
RSA-PSS EF-CMA: Game 4
One now simulates the signing oracle S. Before simulating it, one stops the game if the signature of m involves a pair (m, r, b = 1, *, *) ∈ Λ_H (already asked by A).
This may only happen if there is a collision on the value of r between the q_S possibly defined values and the q_H queries:
  |Pr[S_4] - Pr[S_3]| ≤ q_S q_H / 2^{k_1}

RSA-PSS EF-CMA: Game 5
One can simulate the signing oracle S, using the same (m, r) as S did, by the simulation of H: for some (u, w), (m, r, 0, u, w) ∈ Λ_H with
  0 | w | s | t = y = u^e mod n,  H(m, r) = w,  F(w) = t  and  r ⊕ G(w) = s.
Thus u is the signature. The simulation is perfect:
  Pr[S_5] = Pr[S_4]
RSA-PSS EF-CMA: Game 5 (cont.)
Adversary A: (n, e) → (m*, σ*), with permanent access to the signing oracle simulation and the random oracles F, G, H simulations.
For any query H(m, r) asked by A, there exists (u, w) such that (m, r, 1, u, w) ∈ Λ_H with
  0 | w | s | t = y = y* u^e mod n,  H(m, r) = w,  F(w) = t  and  r ⊕ G(w) = s.
Event S_5 (apart from a lucky guess on an unqueried w, accounted for by the 1 / 2^{k_2} term): (σ*)^e = y = y* u^e mod n, thus (σ* / u)^e = y* mod n:
  Pr[S_5] ≤ Succ^ow(t_5) + 1 / 2^{k_2}

RSA-PSS EF-CMA: Sum up
  Pr[S_0] = Succ^ef-cma(A)
  Pr[S_1] = Pr[S_0]
  |Pr[S_2] - Pr[S_1]| ≤ (q_H + q_S)(q_F + q_G + q_H + q_S) / 2^{k_2}
  |Pr[S_3] - Pr[S_2]| ≤ (q_H + q_S) / 2^{k_2}
  |Pr[S_4] - Pr[S_3]| ≤ q_S q_H / 2^{k_1}
  Pr[S_5] = Pr[S_4]
  Pr[S_5] ≤ Succ^ow(t_5) + 1 / 2^{k_2}
Hence
  Succ^ef-cma(t) ≤ (q_H + q_S)(q_F + q_G + q_H + q_S + 1) / 2^{k_2} + q_S q_H / 2^{k_1} + Succ^ow_f(t_5) + 1 / 2^{k_2}
Comments: RSA-PSS
  Succ^ef-cma(t) ≤ (q_H + q_S)(q_F + q_G + q_H + q_S + 1) / 2^{k_2} + q_S q_H / 2^{k_1} + Succ^ow_f(t + (q_H + q_S) k_2 T_f) + 1 / 2^{k_2}
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  T' ≤ T + (q_H + q_S) k_2 T_f ≈ T + 2^65 T_f

RSA-PSS
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries; RSA (K bits) with small exponent.
If one can break the scheme within time T, one can invert RSA within time T' ≈ 2^75 + 2^65 K^2:
  RSA 1024 bits: 2^85 (NFS: 2^80)
  RSA 2048 bits: 2^87 (NFS: 2^111)
  RSA 4096 bits: 2^89 (NFS: 2^149)
Jonsson's Trick: Game 3
In the simulation of H in Game 2: choose a random u ∈ Z_n and compute y = (y*)^b u^e mod n, until the most significant bit is 0.
Instead of limiting each simulation to k_2 iterations, we limit the global number of iterations to 2 (q_H + q_S).
One can show that some y may then be left undefined, but with probability at most 1/2, for any (q_H + q_S):
  |Pr[S_3] - Pr[S_2]| ≤ 1/2

Comments: RSA-PSS (with Jonsson's trick)
  Succ^ef-cma(t) ≤ (q_H + q_S)(q_F + q_G + q_H + q_S) / 2^{k_2} + q_S q_H / 2^{k_1} + Succ^ow_f(t + 2 (q_H + q_S) T_f) + 1 / 2^{k_2} + 1/2
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries.
If one can break the scheme within time T, one can invert RSA within time
  T' ≤ T + 2 (q_H + q_S) T_f ≈ T + 2^56 T_f
RSA-PSS: Practical Security
Security bound 2^75, with 2^55 hash queries and 2^30 signing queries; RSA (K bits) with small exponent.
If one can break the scheme within time T, one can invert RSA within time T' ≈ 2^75 + 2^56 K^2:
  RSA 1024 bits: 2^76 (NFS: 2^80)
  RSA 2048 bits: 2^78 (NFS: 2^111)
  RSA 4096 bits: 2^80 (NFS: 2^149)
Schnorr Signature (1989)
G = <g> and q: common elements; x: private key; y = g^x: public key.
Signing m: choose k ∈ Z_q and compute r = g^k, e = H(m, r) and s = k - xe mod q;  σ = (e, s)
Verifying (m, σ): u = g^s y^e (= g^{k-xe} g^{xe} = r); test if e = H(m, u)

Security Proof (Pointcheval-Stern 96)
Existential forgery = DL problem. Idea: the forking lemma.
From the same query (m, r), two different oracle answers e and e' lead to two forgeries (e, s) and (e', s'):
  g^s y^e = r = g^{s'} y^{e'},  hence  g^{s-s'} = y^{e'-e}
Let α = (s - s') / (e' - e) mod q. Then y = g^α.
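The extraction step of the proof idea above, as an added Python example that is not part of the slides: a toy Schnorr signature in a subgroup of prime order q = 1019 of Z_2039^*, where "rewinding" the signer is modelled by re-running it with the same randomness k but a different instance of the random oracle, and `fork_extract` computes α = (s - s') / (e' - e). The group, the SHA-256 oracle stand-in and the key values are constructed for the demo.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4     # toy group: p = 2q + 1, g = 4 generates the order-q subgroup

def H(m, r, oracle_id):
    """Stand-in random oracle; oracle_id selects one 'instance' of H, i.e. one
    choice of the answers h_i in the forking-lemma view."""
    d = hashlib.sha256(oracle_id + m + r.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big") % Q

def keygen(x=None):
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)

def sign(m, x, oracle_id, k=None):
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    r = pow(G, k, P)
    e = H(m, r, oracle_id)
    return e, (k - x * e) % Q

def verify(m, sig, y, oracle_id):
    e, s = sig
    u = pow(G, s, P) * pow(y, e, P) % P      # g^(k - xe) * g^(xe) = r
    return e == H(m, u, oracle_id)

def fork_extract(sig1, sig2):
    """Two valid signatures sharing r (same k, same query (m, r)) but with
    different oracle answers e != e' reveal x = (s - s') / (e' - e) mod q."""
    (e1, s1), (e2, s2) = sig1, sig2
    if e1 == e2:
        return None
    return (s1 - s2) * pow((e2 - e1) % Q, -1, Q) % Q

def fork_demo(x=123, k=777):
    """Run the signer once, then 'rewind' it: same k, fresh oracle answers."""
    x, y = keygen(x)
    m = b"pay 10 to bob"
    sig1 = sign(m, x, b"run-1", k)
    for tag in (b"run-2", b"run-3", b"run-4"):   # retry if h_i happens to repeat (prob 1/q)
        sig2 = sign(m, x, tag, k)
        if sig2[0] != sig1[0]:
            break
    assert verify(m, sig1, y, b"run-1") and verify(m, sig2, y, tag)
    return fork_extract(sig1, sig2) == x
```

The same arithmetic explains why a signer that reuses k under a single oracle (two different messages, same r) leaks its key, so nonce generation is a security-critical part of any implementation.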
Forking Lemma
A asks q_H queries H(m_i, r_i), with answers h_i = H(m_i, r_i), and outputs (m*, r*, e*, s*) such that m* = m_j for some j, e* = H(m*, r*) and V(m*, r*, e*, s*) = 1, with probability ε = Pr[Success].
  ε_i = Pr[Success ∧ m* = m_i],  Σ_i ε_i = ε

Forking Lemma - 2
For any i, one defines Ω = {(ω, h_1, ..., h_{i-1}, h_i, ..., h_{q_H})} = X_i × Y_i with
  x = (ω, h_1, ..., h_{i-1}),  y = (h_i, ..., h_{q_H})
  ε_i = Pr_{X_i × Y_i}[Success ∧ m* = m_i]
  Z_i = { x ∈ X_i : Pr_{Y_i}[Success ∧ m* = m_i] ≥ α_i }
Splitting Lemma
Assume Pr[x ∈ Z_i] < ε_i - α_i. Then
  ε_i = Pr[S_i] = Pr[S_i | x ∈ Z_i] Pr[x ∈ Z_i] + Pr[S_i | x ∉ Z_i] Pr[x ∉ Z_i] < 1 · (ε_i - α_i) + α_i · 1 = ε_i,
a contradiction; hence Pr[x ∈ Z_i] ≥ ε_i - α_i. Furthermore
  Pr[x ∈ Z_i | S_i] = 1 - Pr[x ∉ Z_i | S_i] = 1 - Pr[S_i | x ∉ Z_i] Pr[x ∉ Z_i] / Pr[S_i] ≥ 1 - α_i / ε_i

Forking Lemma - 3
Run A once: for any i, success and m* = m_i with probability greater than ε_i; then x ∈ Z_i with probability greater than 1 - α_i / ε_i.
Run A a second time with the same x but random y: new success with probability greater than α_i.
  p_i ≥ ε_i (1 - α_i / ε_i) α_i = (ε_i - α_i) α_i
Forking Lemma - 4
With α_i = ρ ε_i:
  p = Σ_i p_i ≥ Σ_i (ε_i - ρ ε_i) ρ ε_i = ρ (1 - ρ) Σ_i ε_i^2 ≥ ρ (1 - ρ) (Σ_i ε_i)^2 / q_H = ρ (1 - ρ) ε^2 / q_H
Optimal for ρ = 1/2:
  p ≥ ε^2 / 4 q_H

Forking Lemma: Result
Run A once with random (ω, h_1, ..., h_{i-1}, h_i, ..., h_{q_H}) = (x, y). In case of success, run A again with the same x but random y.
One gets two successes (m_1, r_1, e_1, s_1) and (m_2, r_2, e_2, s_2) such that (m_1, r_1) = (m_2, r_2), V(m_1, r_1, e_1, s_1) = 1 and V(m_2, r_2, e_2, s_2) = 1, with probability greater than ε^2 / 4 q_H.
Forking Lemma - Improvement
Run A until one gets a success: on average 1/ε iterations. For any i, m* = m_i with probability greater than Pr[S_i | S] = ε_i / ε, and then x ∈ Z_i with probability greater than 1 - α_i / ε_i.
Run A again with the same x, but random y, until a success: on average 1 / α_i times.
On average, the total number of runs of A is T' = (q_H + 1) / ε.

Comments: Forking Lemma
Security bound 2^75, with 2^55 hash queries.
If one can break the scheme within time T = t/ε, one can extract two tuples within time T' ≈ q_H t/ε = q_H T ≈ 2^130.
This is not a practical result: 4096-bit moduli would be required.
Chosen-Message Attacks
The random oracle provides an easy simulation of the signing oracle.
The forking lemma applies to: Fiat-Shamir, Guillou-Quisquater, Schnorr.
Generic Model: ECDSA
G = <P> and q: common elements; x: private key; Y = x.P: public key.
Signing m: choose k ∈ Z_q and compute R = k.P, r = f(R), e = H(m) and s = (e + xr) / k mod q;  σ = (r, s)
Verifying (m, r, s): first check 0 < r, s < q; compute R' = e s^{-1}.P + r s^{-1}.Y; test if r = f(R')

Non-Malleability: ECDSA
Under some assumptions about the function f and the hash function H, one can show: in the generic model, one cannot break the non-malleability of ECDSA with probability significantly greater than (n+1)(n + q_S + 1) / 2q, where q_S is the number of signing queries and n is the number of group law operations.
Malleability: ECDSA
In the description of ECDSA, f(R) = x_R (the first coordinate of R); thus f(-R) = f(R).
If (m, r, s) is a valid signature: 0 < r, s < q and f(e s^{-1}.P + r s^{-1}.Y) = r.
Then (m, r, q - s) is a valid signature too: s' = -s mod q and 0 < r, s' < q;
  f(e s'^{-1}.P + r s'^{-1}.Y) = f(-e s^{-1}.P - r s^{-1}.Y) = f(e s^{-1}.P + r s^{-1}.Y) = r

Comments: ECDSA
However, this function f satisfies the requirements of the security theorem! The problem comes from the generic model.
Indeed, when one knows the encoding of P, one usually knows the encoding of -P: they are not independent. Thus f(R) and f(-R) are not independent!
If f is a random oracle: provably secure relative to DL, in the random oracle model only (KCDSA).
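The malleability just described, as an added Python example that is not part of the slides: a toy ECDSA over the textbook curve y^2 = x^3 + 2x + 2 mod 17, whose group has prime order q = 19 and is generated by (5, 1), with f(R) = x_R as in the slides, so that (r, q - s) verifies whenever (r, s) does. The curve, the SHA-256 hash stand-in and the key are constructed for the demo.

```python
import hashlib
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (textbook example): the point (5, 1)
# generates the whole group, which has prime order q = 19.
A, B, PM = 2, 2, 17
Q = 19
GEN = (5, 1)                    # the point P of the slides; None is the point at infinity

def ec_add(P1, P2):
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % PM == 0:
        return None                                   # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PM) % PM
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PM) % PM
    x3 = (lam * lam - x1 - x2) % PM
    return (x3, (lam * (x1 - x3) - y1) % PM)

def ec_mul(k, pt):
    res, add = None, pt
    k %= Q
    while k:
        if k & 1: res = ec_add(res, add)
        add, k = ec_add(add, add), k >> 1
    return res

def f(R): return R[0]             # first coordinate: f(-R) = f(R)
def H(m): return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def sign(m, x, k):
    r = f(ec_mul(k, GEN)) % Q
    s = (H(m) + x * r) * pow(k, -1, Q) % Q
    return (r, s) if r and s else None       # caller retries with another k if r or s is 0

def sign_det(m, x):
    for k in range(1, Q):                    # deterministic for the demo: first usable k
        sig = sign(m, x, k)
        if sig:
            return sig

def verify(m, sig, Y):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    R2 = ec_add(ec_mul(H(m) * w % Q, GEN), ec_mul(r * w % Q, Y))   # R' = e/s.P + r/s.Y
    return R2 is not None and f(R2) % Q == r

def malleate(sig):
    """(m, r, s) valid  =>  (m, r, q - s) valid, computed without the private key."""
    r, s = sig
    return (r, (Q - s) % Q)
```

Any protocol that treats an ECDSA signature as a unique identifier of the signed message therefore has to canonicalize it, for instance by accepting only one of s and q - s.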
Generic Model
The generic model should thus be used with care: automorphisms in the group may break the genericity of the encoding.
Generic Constructions
FDH: trapdoor OW permutation.
  Bad reduction to EF-CMA: T' ≈ q_H T
  If many-to-one function: SO-CMA only
  If random self-reducibility (RSR): better reduction, T' ≈ q_S T
PSS: RSR trapdoor OW permutation.
  Tight reduction: T' ≈ T, hence practical security
Forking lemma: identification scheme secure against passive attacks.
  Bad reduction: T' ≈ q_H T

Ideal Models
Ideal models are to be handled with care.
  Random oracle model: seems correct in practice
  Generic model: less convincing