John Hancock enters the 21st century: Digital signature schemes

Foundations of Cryptography, Computer Science Department, Wellesley College, Fall 2016

From last time: Good news and bad

There is no known function H for which hashed RSA signature schemes are known to be secure. However, hashed RSA is provably secure in an idealized model in which H is modeled as a random oracle that maps inputs uniformly onto Z_N. In this case the scheme is called RSA full-domain hash (RSA-FDH). This provides a heuristic justification for the scheme when H is a random-looking hash function.

Algorithm 8.47. GenRSA

Recall GenRSA:
Input: Length n; parameter t
Output: N, e, d as described below
  (N, p, q) ← GenModulus(1^n)*
  φ(N) := (p − 1)(q − 1)
  find e such that gcd(e, φ(N)) = 1
  compute d := [e^(−1) mod φ(N)]**
  return N, e, d

*N = pq with p, q n-bit primes.
**Such an integer d exists since e is invertible modulo φ(N).

And recall what "RSA is hard relative to GenRSA" means

The RSA experiment RSA-inv_{A,GenRSA}(n):
1. Run GenRSA(1^n) to obtain (N, e, d).
2. Choose uniform y ∈ Z_N.
3. A is given N, e, y, and outputs x ∈ Z_N.
4. The output of the experiment is defined to be 1 if x^e = y mod N, and 0 otherwise.

Definition 8.46. We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[RSA-inv_{A,GenRSA}(n) = 1] ≤ negl(n).

Security of RSA-FDH

Theorem 12.7. If the RSA problem is hard relative to GenRSA and H is modeled as a random oracle, then Construction 12.6 is secure.

Proof. Let Π = (Gen, Sign, Vrfy) denote Construction 12.6, and let A be a PPT adversary against the Sig-forge_{A,Π}(n) experiment. Assume WLOG that if A requests a signature on a message m or outputs a forgery (m, σ), then it previously queried m to H. Let q(n) be a polynomial upper bound on the number of queries A makes to H on security parameter n; we assume A makes exactly q(n) queries to H.

Steps of the Sig-forge_{A,Π}(n) experiment

Let Π = (Gen, Sign, Vrfy) be a signature scheme. The signature experiment Sig-forge_{A,Π}(n):
1. GenRSA(1^n) is run to obtain (N, e, d). A random function H : {0,1}* → Z_N is chosen.
2. The adversary A is given pk = ⟨N, e⟩ and may query H as well as a signing oracle Sign_{⟨N,d⟩} that, on input m, returns σ := [H(m)^d mod N].
3. The adversary then outputs (m, σ), where it had not previously requested a signature on m. The output of the experiment is defined to be 1 if and only if σ^e = H(m) mod N.

Definition 12.2. A signature scheme Π = (Gen, Sign, Vrfy) is existentially unforgeable under an adaptive chosen-message attack if for all PPT adversaries A there exists a negligible function negl such that Pr[Sig-forge_{A,Π}(n) = 1] ≤ negl(n).

A modified Sig-forge'_{A,Π}(n) experiment

We define a modified experiment Sig-forge'_{A,Π}(n) that guesses which queried message corresponds to the eventual forgery. The modified signature experiment Sig-forge'_{A,Π}(n):
1. Choose uniform j ∈ {1, ..., q}.
2. GenRSA(1^n) is run to obtain (N, e, d). A random function H : {0,1}* → Z_N is chosen.
3. The adversary A is given pk = ⟨N, e⟩ and may query H as well as a signing oracle Sign_{⟨N,d⟩} that, on input m, returns σ := [H(m)^d mod N].
4. The adversary then outputs (m, σ), where it had not previously requested a signature on m. Let i be such that m = m_i. The output of the experiment is defined to be 1 if and only if σ^e = H(m) mod N and j = i.

*Since j is uniform, the probability that i = j is exactly 1/q, and Pr[Sig-forge'_{A,Π}(n) = 1] = Pr[Sig-forge_{A,Π}(n) = 1] / q(n).

A further modification of the Sig-forge_{A,Π}(n) experiment

Consider a further modification of our experiment, Sig-forge''_{A,Π}(n), in which the experiment is aborted if A ever requests a signature on the message m_j. This does not change the probability that the output of the experiment is 1, since if A ever requests a signature on m_j it cannot output a forgery on m_j. Thus,

Pr[Sig-forge''_{A,Π}(n) = 1] = Pr[Sig-forge'_{A,Π}(n) = 1] = Pr[Sig-forge_{A,Π}(n) = 1] / q(n).

Construction of A' solving the RSA problem

The adversary A' is given (N, e, y).
1. Run A on the public key pk = ⟨N, e⟩. Store triples (·, ·, ·) in a table, initially empty. Entry (m_i, σ_i, y_i) indicates that A' has set H(m_i) = y_i, and σ_i^e = y_i mod N.
2. When A makes its ith random-oracle query H(m_i), answer:
   If i = j, return y.
   Else choose uniform σ_i ∈ Z_N, compute y_i := [σ_i^e mod N], return y_i and store (m_i, σ_i, y_i).
   When A requests a signature on m = m_i, answer:
   If i = j, then A' aborts.
   If i ≠ j, there is an entry (m_i, σ_i, y_i) in the table. Return σ_i.
3. When A outputs (m, σ), then if m = m_j and σ^e = y mod N, output σ.

A's world view inside A'

Note that A's point of view when run as a subroutine of A' is identical to its view in Sig-forge''_{A,Π}(n). All Sign-oracle queries are answered correctly, and each random-oracle query is answered by a uniform element of Z_N:
The query H(m_j) is answered with y, a uniform element of Z_N.
Queries H(m_i) with i ≠ j are answered with y_i = [σ_i^e mod N], where σ_i is uniform in Z_N. Since exponentiation by e is one-to-one, the y_i are uniformly distributed as well.

When Sig-forge''_{A,Π}(n) outputs 1, j = i and σ^e = H(m) mod N. In this case A' does not abort and σ^e = H(m_j) = y mod N. Thus σ is the desired inverse. We assumed that RSA is hard relative to GenRSA, so the left-hand term below is negligible, and hence so is Pr[Sig-forge_{A,Π}(n) = 1]:

Pr[RSA-inv_{A',GenRSA}(n) = 1] = Pr[Sig-forge''_{A,Π}(n) = 1] = Pr[Sig-forge_{A,Π}(n) = 1] / q(n).
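As an added example that is not part of the slides, the following Python sketches the simulator A' from the reduction above: it programs the random oracle so that every query except the j-th has a known e-th root, answers signing queries without ever holding d, and extracts the RSA inverse of y from a forgery on m_j. The primes p, q, the message strings and the query index j are constructed toy values.

```python
# Added example: the simulator A' from the RSA-FDH reduction (Theorem 12.7).
# Toy parameters only; the constructed 20-bit primes give no real security.
import secrets
from math import gcd

def gen_rsa(p, q, e=65537):
    """Toy GenRSA: N = pq, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N)."""
    N, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(N)"
    return N, e, pow(e, -1, phi)

def verify(N, e, H, m, sigma):
    """RSA-FDH Vrfy: accept iff sigma^e = H(m) mod N."""
    return pow(sigma, e, N) == H(m)

class FDHSimulator:
    """A' holds an RSA challenge (N, e, y) and never sees d.
    The j-th distinct H query (counted from 0 here) is answered with y; any
    other query m_i gets y_i := sigma_i^e mod N for uniform sigma_i, so A'
    already knows a signature on m_i.  Since x -> x^e mod N permutes Z_N,
    the y_i are uniform, exactly like a real random oracle's outputs.
    """
    def __init__(self, N, e, y, j):
        self.N, self.e, self.y, self.j = N, e, y, j
        self.table = {}   # m -> (sigma_i or None, H(m))
        self.queries = 0  # distinct H queries answered so far

    def H(self, m):
        if m not in self.table:
            if self.queries == self.j:
                self.table[m] = (None, self.y)       # program H(m_j) := y
            else:
                s = secrets.randbelow(self.N)        # uniform sigma_i in Z_N
                self.table[m] = (s, pow(s, self.e, self.N))
            self.queries += 1
        return self.table[m][1]

    def sign(self, m):
        """Answer a Sign query without d; abort if A asks for m_j."""
        self.H(m)                                    # WLOG m was queried first
        s = self.table[m][0]
        if s is None:
            raise RuntimeError("abort: signature requested on m_j")
        return s

    def extract(self, m, sigma):
        """A forgery (m_j, sigma) with sigma^e = y mod N is the e-th root of y."""
        hit = m in self.table and self.table[m][1] == self.y
        return sigma if hit and pow(sigma, self.e, self.N) == self.y else None
```

The simulated signatures verify under the programmed H, which is the "A's view is identical" claim; only the one message m_j, whose hash was set to the challenge y, can never be signed by A'.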