digital signature schemes and the random oracle model · show that any forger a against rsa-pfdh...
TRANSCRIPT
Definition: Digital Signature (formally)
Let 𝓜 be the message space. A digital signature scheme DSig =
(KeyGen, Sign, Verify) is a triple of PPT algorithms
• 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : upon input of a security parameter 𝟏𝒌 outputs a
private signing key 𝒔𝒌 and a public verification key 𝒑𝒌,
• 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : outputs a signature 𝛔 under 𝒔𝒌 for message 𝑴,
if𝑴 ∈𝓜,
• 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : outputs 1 iff 𝛔 is a valid signature on
𝑴 under 𝒑𝒌,
such that the following correctness condition is fulfilled:
∀ 𝒑𝒌, 𝒔𝒌 ← 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 , ∀ 𝑴 ∈ 𝓜 :
𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 = 𝟏.
PAGE 34-12-2017
Attack goals
Consider adversary 𝑨
• Full break (FB): 𝐴 can compute the secret key.
• Universal forgery (UU): 𝐴 can forge a signature for any
given message. 𝐴 can efficiently answer any signing
query.
• Selective forgery (SU): 𝐴 can forge a signature for
some message of its choice. In this case 𝐴 commits itself
to a message before the attack starts.
• Existential forgery (EU): 𝐴 can forge a signature for
one, arbitrary message. 𝐴 might output a forgery for any
message for which it did not learn the signature from an
oracle during the attack.
PAGE 44-12-2017
Attack Models
• Key-only attack (KOA): 𝐴 only gets the public key for
which it has to forge a signature.
• Random message attack (RMA): 𝐴 learns the public
key and the signatures on a set of random messages.
• Adaptively chosen message attack (CMA): 𝐴 learns
the public key and is allowed to adaptively ask for the
signatures on messages of its choice.
PAGE 54-12-2017
Existential unforgeability under adaptive
chosen message attacks
PAGE 64-12-2017
PK, 1n
SIGN
SK
Mi
(σi, Mi)
(σ*, M*) Success if M* ≠ Mi , Ɐ i ∈ [0, q] and
Verify(pk,σ*,M*) = Accept
𝑞𝑠
Reduction
PAGE 74-12-2017
PK, 1n
Mi
(σi, Mi)
(σ*, M*)
Problem
Solution
Implement
SIGNSIGN
Transform Problem
Extract Solution
𝑞𝑠
Why security reductions?
• Current RSA signature standards so far unbroken
• Vulnerabilities might exist! (And existed for previous
proposals)
• Might be possible to forge RSA signatures without
solving RSA problem or factoring!
PAGE 84-12-2017
RSA
Let (𝐍, 𝐞, 𝐝) ⟵ 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌) be a PPT algorithm that
outputs a modulus 𝑵 that is the product of two 𝒌-bit primes
(except possibly with negligible probability), along with an
integer 𝒆 > 𝟎 with 𝐠𝐜𝐝(𝒆,𝝓(𝑵)) = 𝟏 and an integer 𝒅 > 𝟎satisfying 𝒆𝒅 = 𝟏𝐦𝐨𝐝 𝝓 𝑵 .
For any (𝐍, 𝐞, 𝐝) ⟵ 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌) and any 𝒚 ∈ ℤ𝑵∗ we have
(𝒚𝒅)𝒆= 𝒚𝒅𝒆 = 𝒚𝒅𝒆𝐦𝐨𝐝 𝝓 𝑵 = 𝒚𝟏 = 𝒚𝐦𝐨𝐝 𝑵
PAGE 104-12-2017
RSA Assumption
Definition 1. We say that the RSA problem is hard relative
to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is
negligible:
𝑷𝒓[(𝑵, 𝒆, 𝒅) ← 𝐆𝐞𝐧𝐑𝐒𝐀(𝟏𝒌); 𝒚 ← ℤ𝑵∗ ;
𝒙 ← 𝑨(𝑵, 𝒆, 𝒚): 𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵].
PAGE 114-12-2017
A simple RSA Signature (a.k.a. textbook RSA)
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .
Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.
𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔 = (𝑴𝑑 𝐦𝐨𝐝 𝑵)
𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff 𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝑴
PAGE 124-12-2017
Some RSA properties
• Public function:
𝑷 𝒙 = 𝒙𝒆 mod 𝑵
• Secret function:
𝑺 𝒙 = 𝒙𝒅 mod 𝑵
• Reciprocal property (RP):
𝑷 ∘ 𝑺 = 𝑺 ∘ 𝑷 = 𝑰𝒅
• Multiplicative property (MP):
∀𝒙, 𝒚 ∈ ℤ𝑵: 𝑺 𝒙𝒚 = 𝑺 𝒙 𝑺(𝒚)
PAGE 134-12-2017
Existential forgery under KOA
Given public key 𝒑𝒌 = 𝑵, 𝒆
• Choose random 𝝈 ∈ ℤ𝑵.
• Apply public function:
𝑷 𝝈 = 𝝈𝒆𝐦𝐨𝐝 𝑵 = 𝑴
• Return signature-message pair 𝝈,𝑴 .
PAGE 144-12-2017
Universal forgery under CMA
Given public key 𝒑𝒌 = 𝑵, 𝒆
To create a forgery on a given message 𝑴:
1. Choose two messages 𝐱, 𝐲 ∈ ℤ𝑵 such that
𝒙𝒚 = 𝑴𝐦𝐨𝐝 𝑵
2. Ask for signatures 𝝈𝒙 of 𝒙 and 𝝈𝒚 of 𝒚
3. Output forgery (𝝈𝒙𝝈𝒚,𝑴)
PAGE 154-12-2017
Universal forgery under CMA:
The Blinding Attack
Given public key 𝒑𝒌 = 𝑵, 𝒆
To create a forgery on any given message 𝑴:
1. Sample random 𝒓 ∈ ℤ𝑵∗
2. Ask for signature 𝝈 on 𝒓𝒆𝑴𝐦𝐨𝐝 𝑵
3. Output forgery 𝝈
𝒓𝐦𝐨𝐝 𝑵,𝑴
Recall 𝝈 = (𝒓𝒆𝑴)𝒅= 𝒓𝒆𝒅𝑴𝒅 = 𝒓𝑴𝒅𝐦𝐨𝐝 𝑵
Hence𝝈
𝒓= 𝑴𝒅𝐦𝐨𝐝 𝑵
PAGE 164-12-2017
A slightly better RSA Signature
Assume Hashfunction 𝑯: {𝟎, 𝟏}∗→ {𝟎, 𝟏}𝒏 for e.g. 𝒏 = 𝟏𝟔𝟎(like with SHA1)
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .
Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.
𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that
𝛍 𝑴 = (𝟎…𝟎||𝑯 𝑴 ) ∈ ℤ𝑵∗
Return 𝛔 = 𝛍 𝑴 𝑑 𝐦𝐨𝐝 𝑵
𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff
𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝛍 𝑴 = (𝟎…𝟎||𝑯 𝑴 )
PAGE 174-12-2017
B-smooth
B-smooth: An integer is B-smooth if all its prime factors
are smaller than B.
PAGE 184-12-2017
Remember Index Calculus?
Given public key 𝒑𝒌 = 𝑵, 𝒆
1. Select a bound 𝒚 and let 𝑺 = (𝒑𝟏, . . . , 𝒑𝒍) be the list of
primes smaller than 𝒚.
2. Find at least 𝒍 + 𝟏 messages 𝑴𝒊 such that each
𝛍 𝑴𝒊 = (𝟎…𝟎||𝑯 𝑴𝒊 ) is a product of primes in 𝑺 (i.e.
𝒚–smooth).
3. Express one 𝛍 𝑴𝒋 as a multiplicative combination of
the other 𝛍 𝑴𝒊 by solving a linear system given by the
exponent vectors of the 𝛍 𝑴𝒊 with respect to the
primes in 𝑺.
4. Ask for the signatures on all 𝑴𝒊, 𝒊 ≠ 𝒋 and forge
signature on 𝑴𝒋.
PAGE 194-12-2017
Step 3
Recall 𝛍 𝑴𝒊 = (𝟎…𝟎||𝑯 𝑴𝒊 )
1. We can write ∀𝑴𝒊, 𝟏 ≤ 𝒊 ≤ 𝝉: 𝛍 𝑴𝒊 = 𝒋=𝟏𝒍 𝒑𝒋𝒗𝒊,𝒋
2. Associate with 𝛍 𝑴𝒊 length 𝒍 vector
𝑽𝒊 𝒗𝒊,𝟏𝐦𝐨𝐝 𝒆,… , 𝒗𝒊,𝒍𝐦𝐨𝐝 𝒆
3. 𝝉 ≥ 𝒍 + 1 and there are only 𝒍 linearly independent
length 𝒍 vectors: We can express one vector as
combination of others mod e. Let this be
𝑽𝝉 = 𝒊=𝟏𝝉−𝟏𝜷𝒊𝑽𝒊 + 𝒆𝚪 ; for some 𝚪 = (𝜸𝟏, … , 𝜸𝒍)
4. Hence,
𝛍 𝑴𝝉 = (
𝒋=𝟏
𝒍
𝒑𝒋𝜸𝒋)𝒆
𝒊=𝟏
𝝉−𝟏
𝛍 𝑴𝒊𝜷𝒊
PAGE 204-12-2017
Step 4
1. Ask for signatures 𝝈𝒊 = 𝛍 𝑴𝒊𝒅𝐦𝐨𝐝 𝑵
on 𝑴𝒊 for 𝟏 ≤ 𝒊 < 𝝉
2. Compute:
𝝈 ∗ = 𝛍 𝑴𝝉𝒅 =
𝒋=𝟏
𝒍
𝒑𝒋𝜸𝒋
𝒊=𝟏
𝝉−𝟏
𝛍 𝑴𝒊𝒅 𝜷𝒊𝐦𝐨𝐝 𝑵
3. Output forgery (𝝈 ∗,𝑴𝝉)
PAGE 214-12-2017
Summing up
• Original attack (Misarsky, PKC’98) works even for more
complicated paddings (ISO/IEC 9796-2)
• Attack only works for small 𝒏! (Complexity depends on 𝒍and probability that an 𝒏-bit number is 𝒚-smooth).
• But using SHA-1 (𝒏 = 𝟏𝟔𝟎) the attack takes much less
than 𝟐𝟓𝟎 operations!
There are many ways to make mistakes...
(Similar attacks apply to encryption!)
That‘s why we want security reductions
PAGE 224-12-2017
Standard model vs. idealized model
Standard model:
Assume building block has property P (e.g., collision
resistance). Use property in reduction.
Idealized model:
Assume a building block behaves perfectly (e.g. hash
function behaves like truely random function). Replace
building block by an oracle in reduction.
PAGE 244-12-2017
Reduction
PAGE 254-12-2017
PK, 1n
Mi
(σi, Mi)
(σ*, M*)
Problem
Solution
Implement
SIGNSIGN
Transform Problem
Extract Solution
𝑞𝑠
Random Oracle Model (ROM)
• Idealized Model
• Perfectly Random Function
PAGE 264-12-2017
Mj
Mj
H(Mj)
H(Mj)
RO
How to implement RO? (In theory)
”Lazy Sampling”:
• Keep list of (𝒙𝒊, 𝒚𝒊)
• Given 𝑴𝒋, search for 𝒙𝒊 = 𝑴𝒋
• If 𝒙𝒊 = 𝑴𝒋 exists, return 𝒚𝒊• Else sample new 𝒚 from Domain,
using uniform distribution
• Add (𝑴𝒋, 𝒚) to table
• Return 𝒚
PAGE 274-12-2017
RO
ROM security
• Take scheme that uses cryptographic hash
• For proof, replace hash by RO
• Different flavors:
Random function vs. Programmable RO
Heuristic security argument
Allows to verify construction
Worked for ”Natural schemes” so far
However: Artificial counter examples exist!
PAGE 284-12-2017
Trapdoor (One-way) Permutation
PAGE 304-12-2017
𝑭 𝒑𝒌, 𝒙 = 𝝅(𝒙)
𝑭 𝒔𝒌, 𝒚 = 𝝅−𝟏(𝒚)
Computing 𝝅−𝟏(𝒚)without knowledge of sk
computationally hard
RSA Trapdoor (One-way) Permutation
PAGE 314-12-2017
𝑭 𝒑𝒌, 𝒙 = 𝒙𝒆𝒎𝒐𝒅 𝑵
𝑭 𝒔𝒌, 𝒚 = 𝒚𝒅𝒎𝒐𝒅 𝑵
Computing 𝝅−𝟏(𝒚)without knowledge of sk
computationally hard if
RSA Assumption holds
𝒑𝒌 = 𝑵, 𝒆 ; 𝒔𝒌 = 𝒅𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 ;
Generic FDH: Sign
PAGE 324-12-2017
𝝈 = 𝑭 𝒔𝒌, 𝒚 = 𝝅−𝟏(𝒚)
M𝒚 = 𝑯(𝑴)
𝝈 = 𝑺𝒊𝒈𝒏 𝒔𝒌,𝑴= 𝝅−𝟏(𝑯 𝑴 )= 𝑭(𝒔𝒌,𝑯 𝑴 )
Generic FDH: Verify
PAGE 334-12-2017
M𝒚 = 𝑯(𝑴)
𝑽𝒆𝒓𝒊𝒇𝒚 𝒑𝒌,𝑴, 𝝈 :check 𝒚 = 𝑯 𝑴 == 𝝅 𝝈 = 𝑭 𝒑𝒌, 𝝈 = 𝒚′
𝒚′ = 𝑭 𝒑𝒌, 𝝈 = 𝝅(𝝈)
RSA-PFDH
• Randomized FDH
• Simplified RSA-PSS
• Standardized in PKCS #1 v2
(slightly different randomization)
• Tight Reduction from RSA Assumption in ROM
PAGE 344-12-2017
RSA-PFDH
Assume Hashfunction 𝑯: {𝟎, 𝟏}∗→ ℤ𝑵∗
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏𝒌 : Run 𝑵, 𝒆, 𝒅 ← 𝐆𝐞𝐧𝐑𝐒𝐀 𝟏𝒌 .
Return (𝒑𝒌, 𝒔𝒌) with 𝒑𝒌 = 𝑵, 𝒆 , 𝒔𝒌 = 𝒅.
𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓←$𝑼𝜿; Compute 𝐲 = 𝑯(𝒓||𝑴)
Return 𝛔 = (𝒓, 𝒚𝑑 𝐦𝐨𝐝 𝑵)
𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴, 𝝈 : Return 1 iff 𝝈𝒆𝐦𝐨𝐝 𝑵 == 𝑯(𝒓||𝑴)
PAGE 354-12-2017
RSA-PFDH Security
If the RSA Assumption holds, RSA-PFDH is
existentially unforgeable under adaptive chosen
message attacks in the ROM.
PAGE 364-12-2017
Proof
TODO:
Show that any forger A against RSA-PFDH can be used to
break the RSA Assumption with approx. the same time and
success probability.
”Given a forger A against RSA-PFDH with success
probability 𝜺, we construct an oracle Machine MA that
succeeds with probability 𝜺/𝟒.”
PAGE 374-12-2017
Reduction
PAGE 384-12-2017
pk, 1n
Mi
(σi, Mi)
(σ*, M*)
Implement
SIGNSIGN
Transform Problem
Extract Solution
Mj
H(Mj)
RO
𝑵, 𝒆, 𝒚
𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵
Reduction: Transform Problem
PAGE 394-12-2017
pk, 1n
Mi
(σi, Mi)
(σ*, M*)
Implement
SIGNSIGN
Transform Problem
Extract Solution
Mj
H(Mj)
RO
𝑵, 𝒆, 𝒚
𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵
𝒑𝒌 = (𝑵, 𝒆)
𝑵, 𝒆, 𝒚
Reduction: Implement SIGN
PAGE 414-12-2017
pk, 1n
Mi
(σi, Mi)
(σ*, M*)
Implement
SIGNSIGN
Transform Problem
Extract Solution
Mj
H(Mj)
RO
𝑵, 𝒆, 𝒚
𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵
𝒑𝒌 = (𝑵, 𝒆)
𝑵, 𝒆, 𝒚
Implement SIGN – Simulate RO
• Keep table of tripples (∗,∗,∗)
• When A asks for 𝑯(𝒓||𝑴):
1. If there is an entry ((𝒓||𝑴), 𝒙, 𝒛) in table, return 𝒛
2. If list 𝑳𝑴 already exists, go to 3. Otherwise, choose 𝒒𝒔values 𝒓𝑴,𝟏, … , 𝒓𝑴,𝒒𝒔 ← {𝟎, 𝟏}
𝜿 and store them in a list 𝑳𝑴.
3. If 𝒓 ∈ 𝑳𝑴 then let 𝒊 be such that 𝒓 = 𝒓𝑴,𝒊. Choose random
𝒙𝑴,𝒊 ∈ ℤ𝑵∗ and return the answer 𝐳 = 𝒙𝑴,𝒊
𝒆𝐦𝐨𝐝 𝑵. Store
(𝒓||𝑴, 𝒙𝑴,𝒊, 𝒛) in the table. (RP)
4. If 𝒓 ∉ 𝑳𝑴, choose random 𝒙 ∈ ℤ𝑵∗ and return the answer
𝒛 = 𝒚𝒙𝒆𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙, 𝒛) in the table.
PAGE 424-12-2017
Implement SIGN
• When A requests some message 𝑴 to be signed for the
𝒊 th time:
• let 𝒓𝑴,𝒊 be the 𝒊 th value in 𝑳𝑴 and
• compute 𝐳 = 𝐇(𝒓𝑴,𝒊||𝑴) using RO.
• Let (𝒓||𝑴, 𝒙𝑴,𝒊, 𝒛) be the corresponding entry in the RO
table.
• Output signature (𝒓𝑴,𝒊, 𝒙𝑴,𝒊).
PAGE 434-12-2017
Observation
• All SIGN queries can be answered!
• SIGN queries are answered using hash
𝐇(𝒓𝑴,𝒊| 𝑴 = 𝐳 = 𝒙𝑴,𝒊𝒆𝐦𝐨𝐝 𝑵
Signature (𝒓𝑴,𝒊, 𝒙𝑴,𝒊) known by programming RO
• All other hash queries are answered with
𝐇(𝒓| 𝑴 = 𝒛 = 𝒚𝒙𝒆𝐦𝐨𝐝 𝑵(with high probability).
Signature not known!
BUT: Allows to extract solution from forgery!
• Note: Any A with non-negl. success probability has to
query RO for digest of forgery message!
PAGE 444-12-2017
Reduction: Extract Solution
PAGE 454-12-2017
pk, 1n
Mi
(σi, Mi)
(σ*, M*)
Implement
SIGNSIGN
Transform Problem
Extract Solution
Mj
H(Mj)
RO
𝑵, 𝒆, 𝒚
𝒙:𝒙𝒆 = 𝒚𝐦𝐨𝐝 𝑵
𝒑𝒌 = (𝑵, 𝒆)
𝑵, 𝒆, 𝒚 𝑞𝑠𝑞𝐻
Reduction: Extract Solution
• If A outputs a forgery (𝑴∗, (𝒓∗, 𝝈∗)):
• If 𝒓∗ ∈ 𝑳𝑴∗ abort.
• Else, let (𝒓∗||𝑴∗, 𝒙, 𝒛) be the corresponding entry of the
table.
• Output𝝈∗
𝒙𝐦𝐨𝐝 𝑵.
• Note:
𝝈∗
𝒙
𝒆
=𝝈∗𝒆
𝒙𝒆=𝑯 𝒓∗||𝑴∗
𝒙𝒆=𝒚𝒙𝒆
𝒙𝒆= 𝒚𝐦𝐨𝐝 𝑵
⟹𝝈∗
𝒙= 𝒆 𝒚𝐦𝐨𝐝 𝑵
PAGE 464-12-2017
Analysis
• Transform Problem:
• Succeeds always
• Generates exactly matching distribution
• Implement SIGN / RO:
• Succeeds always (we choose 𝒓)
• Generates exactly matching distribution:
− RO: Outputs are uniform in ℤ𝑵∗
− SIGN: Follows from RO
• Extract Solution:
• Succeeds iff A succeeds AND
• 𝒓∗ ∉ 𝑳𝑴∗ ⇒ 𝐩 = 𝐏𝐫 𝒓∗ ∉ 𝑳𝑴∗ = (𝟏 − 𝟐
−𝜿)𝒒𝒔
Setting 𝜿 = 𝐥𝐨𝐠𝟐 𝒒𝒔: 𝒑 ≥𝟏
𝟒assuming 𝒒𝒔 ≥ 𝟐
PAGE 474-12-2017
What have we shown?
• We can turn any forger A against RSA-PFDH with
success probability 𝜺 into an algorithm MA that solves the
RSA problem with probability 𝜺/𝟒.
• In reverse:
If there exists no algorithm to solve the RSA problem with
probability ≥ 𝜺 then there exists no forger against RSA-
PFDH that succeeds with probability ≥ 𝟒𝜺.
• As proof is in ROM we have to add
”... As long as the used hash function behaves like a RO.”
PAGE 484-12-2017
How to implement RO? (In practice)
Formerly:
• Use hash function + PRG
• E.g. SHA2 in couter mode /
• SHA2-HMAC in counter mode keyed
with SHA2(M)
Today:
• Use XOF
• E.g. SHAKE128
PAGE 494-12-2017
RO
Conclusion
• Ad Hoc constructions problematic
• Blinding / Index Calculus
• Proofs (even in ROM) allow to check construction
• There is one standardized RSA Sig with proof
• Similar situation for DSA (ROM proof)
PAGE 504-12-2017