Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Similar documents
John Hancock enters the 21th century Digital signature schemes. Table of contents

Katz, Lindell Introduction to Modern Cryptrography

Digital Signatures. Adam O Neill based on

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Digital signature schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Transitive Signatures Based on Non-adaptive Standard Signatures

II. Digital signatures

Hash-based signatures & Hash-and-sign without collision-resistance

Lecture V : Public Key Cryptography

Schnorr Signature. Schnorr Signature. October 31, 2012

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Short Signatures Without Random Oracles

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Digital Signatures. p1.

Foundations of Cryptography

Authentication. Chapter Message Authentication

Algorithmic Number Theory and Public-key Cryptography

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Introduction to Cryptography

Uninstantiability of Full-Domain Hash

Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz

SIS-based Signatures

VI. The Fiat-Shamir Heuristic

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

1 Number Theory Basics

ECS 189A Final Cryptography Spring 2011

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

PSS Is Secure against Random Fault Attacks

Hash-based Signatures. Andreas Hülsing

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Lecture 16: Public Key Encryption:II

Comparing With RSA. 1 ucl Crypto Group

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Hash-based Signatures

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Chapter 8 Public-key Cryptography and Digital Signatures

Week : Public Key Cryptosystem and Digital Signatures

Threshold RSA for Dynamic and Ad-Hoc Groups

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

RSA and Rabin Signatures Signcryption

Lecture 1. Crypto Background

Cryptographical Security in the Quantum Random Oracle Model

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Introduction to Elliptic Curve Cryptography

Secure Hash-and-Sign Signatures Without the Random Oracle

Short Signatures from the Weil Pairing

Block Ciphers/Pseudorandom Permutations

CPSC 467: Cryptography and Computer Security

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Lecture 18: Message Authentication Codes & Digital Signa

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Tightly-Secure Signatures From Lossy Identification Schemes

An update on Hash-based Signatures. Andreas Hülsing

10 Concrete candidates for public key crypto

Lecture 22: RSA Encryption. RSA Encryption

Short Signatures From Diffie-Hellman: Realizing Short Public Key

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

ASYMMETRIC ENCRYPTION

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Some Security Comparisons of GOST R and ECDSA Signature Schemes

1 Cryptographic hash functions

1 Cryptographic hash functions

El Gamal A DDH based encryption scheme. Table of contents

Cryptography IV: Asymmetric Ciphers

Provable security. Michel Abdalla

Efficient Identity-based Encryption Without Random Oracles

Cryptographic Hardness Assumptions

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Lecture 1: Introduction to Public key cryptography

A Security Proof of KCDSA using an extended Random Oracle Model

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Random Oracle Reducibility

2 Message authentication codes (MACs)

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

A survey on quantum-secure cryptographic systems

Optimal Security Proofs for Full Domain Hash, Revisited

Leftovers from Lecture 3

Design Validations for Discrete Logarithm Based Signature Schemes

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Constructing Provably-Secure Identity-Based Signature Schemes

Semantic Security of RSA. Semantic Security

Synchronized Aggregate Signatures from the RSA Assumption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Transcription:

Digital Signature Schemes and the Random Oracle Model A. Hülsing

Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1

Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg PAGE 2

Definition: Digital Signature (formally) Let M be the message space. A digital signature scheme DSig = (KeyGen, Sign, Verify) is a triple of PPT algorithms KeyGen 1 k : upon input of a security parameter 1 k outputs a private signing key sk and a public verification key pk, Sign sk, M : outputs a signature σ under sk for message M, if M M, Verify pk, M, σ : outputs 1 iff σ is a valid signature on M under pk, such that the following correctness condition is fulfilled: pk, sk KeyGen 1 k, M M : Verify pk, M, Sign sk, M = 1. PAGE 3

Attack goals Consider adversary A Full break (FB): A can compute the secret key. Universal forgery (UU): A can forge a signature for any given message. A can efficiently answer any signing query. Selective forgery (SU): A can forge a signature for some message of its choice. In this case A commits itself to a message before the attack starts. Existential forgery (EU): A can forge a signature for one, arbitrary message. A might output a forgery for any message for which it did not learn the signature from an oracle during the attack. PAGE 4

Attack Models Key-only attack (KOA): A only gets the public key for which it has to forge a signature. Random message attack (RMA): A learns the public key and the signatures on a set of random messages. Adaptively chosen message attack (CMA): A learns the public key and is allowed to adaptively ask for the signatures on messages of its choice. PAGE 5

Existential unforgeability under adaptive chosen message attacks PK, 1 n SK M i q s (σ i, M i ) SIGN (σ*, M*) Success if M* M i, Ɐ i [0, q] and Verify(pk,σ*,M*) = Accept PAGE 6

Reduction Problem Transform Problem q s PK, 1 n M i Implement SIGN SIGN (σ i, M i ) Solution Extract Solution (σ*, M*) PAGE 7

Why security reductions? Current RSA signature standards so far unbroken Vulnerabilities might exist! (And existed for previous proposals) Might be possible to forge RSA signatures without solving RSA problem or factoring! PAGE 8

What could possibly go wrong? PAGE 9

RSA Let (N, e, d) GenRSA(1 k ) be a PPT algorithm that outputs a modulus N that is the product of two k-bit primes (except possibly with negligible probability), along with an integer e > 0 with gcd(e, φ(n)) = 1 and an integer d > 0 satisfying ed = 1 mod φ N. For any (N, e, d) GenRSA(1 k ) and any y Z N we have (y d ) e = y de de mod φ N = y = y 1 = y mod N PAGE 10

RSA Assumption Definition 1. We say that the RSA problem is hard relative to GenRSA if for all PPT algorithms A, the following is negligible: Pr[(N, e, d) GenRSA(1 k ); y Z N ; x A(N, e, y): x e = y mod N]. PAGE 11

A simple RSA Signature (a.k.a. textbook RSA) KeyGen 1 k : Run N, e, d GenRSA 1 k. Return (pk, sk) with pk = N, e, sk = d. Sign sk, M : Return σ = (M d mod N) Verify pk, M, σ : Return 1 iff σ e mod N == M PAGE 12

Some RSA properties Public function: P x = x e mod N Secret function: S x = x d mod N Reciprocal property (RP): P S = S P = Id Multiplicative property (MP): x, y Z N : S xy = S x S(y) PAGE 13

Existential forgery under KOA Given public key pk = N, e Choose random σ Z N. Apply public function: P σ = σ e mod N = M Return signature-message pair σ, M. PAGE 14

Universal forgery under CMA Given public key pk = N, e To create a forgery on a given message M: 1. Choose two messages x, y Z N such that xy = M mod N 2. Ask for signatures σ x of x and σ y of y 3. Output forgery (σ x σ y, M) PAGE 15

Universal forgery under CMA: The Blinding Attack Given public key pk = N, e To create a forgery on any given message M: 1. Sample random r Z N 2. Ask for signature σ on r e M mod N 3. Output forgery σ r mod N, M Recall σ = (r e M) d = r ed M d = rm d mod N Hence σ r = Md mod N PAGE 16

A slightly better RSA Signature Assume Hashfunction H: {0, 1} {0, 1} n for e.g. n = 160 (like with SHA1) KeyGen 1 k : Run N, e, d GenRSA 1 k. Return (pk, sk) with pk = N, e, sk = d. Sign sk, M : Pad with suff. zeros that μ M = (0 0 H M ) Z N Return σ = μ M d mod N Verify pk, M, σ : Return 1 iff σ e mod N == μ M = (0 0 H M ) PAGE 17

B-smooth B-smooth: An integer is B-smooth if all its prime factors are smaller than B. PAGE 18

Remember Index Calculus? Given public key pk = N, e 1. Select a bound y and let S = (p 1,..., p l ) be the list of primes smaller than y. 2. Find at least l + 1 messages M i such that each μ M i = (0 0 H M i ) is a product of primes in S (i.e. y smooth). 3. Express one μ M j as a multiplicative combination of the other μ M i by solving a linear system given by the exponent vectors of the μ M i with respect to the primes in S. 4. Ask for the signatures on all M i, i j and forge signature on M j. PAGE 19

Step 3 Recall μ M i = (0 0 H M i ) l 1. We can write M i, 1 i τ: μ M i = j=1 2. Associate with μ M i length l vector V i v i,1 mod e,, v i,l mod e p j v i,j 3. τ l + 1 and there are only l linearly independent length l vectors: We can express one vector as combination of others mod e. Let this be V τ = τ 1 i=1 β i V i + eγ ; for some Γ = (γ 1,, γ l ) 4. Hence, μ M τ = ( l j=1 p j γ j ) e τ 1 i=1 μ M i β i PAGE 20

Step 4 1. Ask for signatures σ i = μ M i d mod N on M i for 1 i < τ 2. Compute: σ = μ M τ d = l j=1 p j γ j τ 1 i=1 μ M i d βi mod N 3. Output forgery (σ, M τ ) PAGE 21

Summing up Original attack (Misarsky, PKC 98) works even for more complicated paddings (ISO/IEC 9796-2) Attack only works for small n! (Complexity depends on l and probability that an n-bit number is y-smooth). But using SHA-1 (n = 160) the attack takes much less than 2 50 operations! There are many ways to make mistakes... (Similar attacks apply to encryption!) That s why we want security reductions PAGE 22

The Random Oracle Model PAGE 23

Standard model vs. idealized model Standard model: Assume building block has property P (e.g., collision resistance). Use property in reduction. Idealized model: Assume a building block behaves perfectly (e.g. hash function behaves like truely random function). Replace building block by an oracle in reduction. PAGE 24

Reduction Problem Transform Problem PK, 1 n M i q s Implement SIGN SIGN (σ i, M i ) Solution Extract Solution (σ*, M*) PAGE 25

Random Oracle Model (ROM) Idealized Model Perfectly Random Function M j H(M j ) M j H(M j ) RO PAGE 26

How to implement RO? (In theory) Lazy Sampling : Keep list of (xi, yi) Given M j, search for x i = Mj If x i = Mj exists, return y i Else sample new y from Domain, using uniform distribution Add (M j, y) to table Return y RO PAGE 27

ROM security Take scheme that uses cryptographic hash For proof, replace hash by RO Different flavors: Random function vs. Programmable RO Heuristic security argument Allows to verify construction Worked for Natural schemes so far However: Artificial counter examples exist! PAGE 28

Full Domain Hash Signature Scheme PAGE 29

Trapdoor (One-way) Permutation F pk, x = π(x) F sk, y = π 1 (y) Computing π 1 (y) without knowledge of sk computationally hard PAGE 30

RSA Trapdoor (One-way) Permutation N, e, d GenRSA 1 k ; pk = N, e ; sk = d F pk, x = x e mod N F sk, y = y d mod N Computing π 1 (y) without knowledge of sk computationally hard if RSA Assumption holds PAGE 31

Generic FDH: Sign M y = H(M) σ = F sk, y = π 1 (y) σ = Sign sk, M = π 1 (H M ) = F(sk, H M ) PAGE 32

Generic FDH: Verify M y = H(M) y = F pk, σ = π(σ) Verify pk, M, σ : check y = H M == π σ = F pk, σ = y PAGE 33

RSA-PFDH Randomized FDH Simplified RSA-PSS Standardized in PKCS #1 v2 (slightly different randomization) Tight Reduction from RSA Assumption in ROM PAGE 34

RSA-PFDH Assume Hashfunction H: {0, 1} Z N KeyGen 1 k : Run N, e, d GenRSA 1 k. Return (pk, sk) with pk = N, e, sk = d. Sign sk, M : Sample r $ U κ ; Compute y = H(r M) Return σ = (r, y d mod N) Verify pk, M, σ : Return 1 iff σ e mod N == H(r M) PAGE 35

RSA-PFDH Security If the RSA Assumption holds, RSA-PFDH is existentially unforgeable under adaptive chosen message attacks in the ROM. PAGE 36

Proof TODO: Show that any forger A against RSA-PFDH can be used to break the RSA Assumption with approx. the same time and success probability. Given a forger A against RSA-PFDH with success probability ε, we construct an oracle Machine M A that succeeds with probability ε/4. PAGE 37

Reduction N, e, y Transform Problem pk, 1 n M i Implement SIGN SIGN (σ i, M i ) M j H(M j ) RO x: x e = y mod N Extract Solution (σ*, M*) PAGE 38

Reduction: Transform Problem N, e, y Transform Problem pk = (N, e) pk, 1 n N, e, y M i Implement SIGN SIGN (σ i, M i ) M j H(M j ) RO x: x e = y mod N Extract Solution (σ*, M*) PAGE 39

The RO trick Simulate RO such that you can answer SIGN-queries. PAGE 40

Reduction: Implement SIGN N, e, y Transform Problem pk = (N, e) pk, 1 n N, e, y M i Implement SIGN SIGN (σ i, M i ) M j H(M j ) RO x: x e = y mod N Extract Solution (σ*, M*) PAGE 41

Implement SIGN Simulate RO Keep table of tripples (,, ) When A asks for H(r M): 1. If there is an entry ((r M), x, z) in table, return z 2. If list L M already exists, go to 3. Otherwise, choose q s values r M,1,, r M,qs {0, 1} κ and store them in a list L M. 3. If r L M then let i be such that r = r M,i. Choose random x M,i Z N and return the answer z = x M,i e mod N. Store (r M, x M,i, z) in the table. (RP) 4. If r L M, choose random x Z N and return the answer z = yx e mod N. Store (r M, x, z) in the table. PAGE 42

Implement SIGN When A requests some message M to be signed for the i th time: let r M,i be the i th value in L M and compute z = H(r M,i M) using RO. Let (r M, x M,i, z) be the corresponding entry in the RO table. Output signature (r M,i, x M,i ). PAGE 43

Observation All SIGN queries can be answered! SIGN queries are answered using hash H(r M,i M = z = x M,i e mod N Signature (r M,i, x M,i ) known by programming RO All other hash queries are answered with H(r M = z = yx e mod N (with high probability). Signature not known! BUT: Allows to extract solution from forgery! Note: Any A with non-negl. success probability has to query RO for digest of forgery message! PAGE 44

Reduction: Extract Solution N, e, y Implement SIGN Transform Problem SIGN M i (σ i, M i ) pk = (N, e) pk, 1 n N, e, y q s q H M j H(M j ) RO x: x e = y mod N Extract Solution (σ*, M*) PAGE 45

Reduction: Extract Solution If A outputs a forgery (M, (r, σ )): If r L M abort. Else, let (r M, x, z) be the corresponding entry of the table. Output σ x mod N. Note: σ x e = σ e x e = H r M x e = yxe x e = y mod N σ x = e y mod N PAGE 46

Analysis Transform Problem: Succeeds always Generates exactly matching distribution Implement SIGN / RO: Succeeds always (we choose r) Generates exactly matching distribution: RO: Outputs are uniform in Z N SIGN: Follows from RO Extract Solution: Succeeds iff A succeeds AND r L M p = Pr r L M = (1 2 κ ) q s Setting κ = log 2 q s : p 1 4 assuming q s 2 PAGE 47

What have we shown? We can turn any forger A against RSA-PFDH with success probability ε into an algorithm M A that solves the RSA problem with probability ε/4. In reverse: If there exists no algorithm to solve the RSA problem with probability ε then there exists no forger against RSA- PFDH that succeeds with probability 4ε. As proof is in ROM we have to add... As long as the used hash function behaves like a RO. PAGE 48

How to implement RO? (In practice) Formerly: Use hash function + PRG E.g. SHA2 in couter mode / SHA2-HMAC in counter mode keyed with SHA2(M) Today: Use XOF E.g. SHAKE128 RO PAGE 49

Conclusion Ad Hoc constructions problematic Blinding / Index Calculus Proofs (even in ROM) allow to check construction There is one standardized RSA Sig with proof Similar situation for DSA (ROM proof) PAGE 50

Thank you! Questions? PAGE 51

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback