seminar presentation on notions of security
DESCRIPTION
Seminar Presentation on Notions of Security. January 18, 2008 COSEC@B-IT, Bonn, Germany. SECURITY NOTIONS FOR SIGNATURE SCHEMES : THE GHR SECURITY PROOF. Presented By S. M. Masud Karim Supervised By Prof. Joachim von zur Gathen Ms Laila El Aimani. Outline of the Talk. - PowerPoint PPT PresentationTRANSCRIPT
SEMINAR PRESENTATION ON
NOTIONS OF SECURITY
1
S M Masud Karim
January 18, 2008COSEC@B-IT, Bonn, Germany
SECURITY NOTIONS FOR SIGNATURE
SCHEMES:THE GHR SECURITY
PROOF
Presented By
S. M. Masud Karim
Supervised By
Prof. Joachim von zur GathenMs Laila El Aimani
2
S M Masud Karim
Outline of the Talk
Introduction to Digital Signature Schemes
Why Reductionist Security?
Security Notions
Mathematical Assumptions
The Strong RSA Problem
The Gennaro-Halevi-Rabin Signature Scheme
Reduction of SRSA Problem to breaking the GHR Signature Scheme in the strongest sense provided by Security Notion.
3
S M Masud Karim
Digital Signature
An handwritten signature allows to relate an individual to a specific document. Besides, a signature
► can be verified by anyone against an authenticated signature taken as reference, thereby conferring a legal value to the signed document,
► should be physically impossible to forge.
In comparison, a digital signature allows to relate an individual to a specific file and
► can be verified by anyone by public means, which also provides a legal value to the signed file,
► should be computationally impossible to forge, thereby conferring non-repudiation.
4
S M Masud Karim
Digital Signature Scenarios
Utilization of message authentication scheme
Decryption Singing Encryption Verifying
► Symmetric Key Scenario (... symmetric private key sk)
■ authenticity √ ■ integrity √ ■ non-repudiation ■ universally verifiable ► Public Key Scenario (...public key pk, private key sk)
■ authenticity √ ■ integrity √ ■ non-repudiation √ ■ universally verifiable √
5
S M Masud Karim
Digital Signature Scheme
► Alice generates a public/private key pair (pk, sk) by running a probabilistic key generation algorithm G(|pk|), |pk| being the security parameter. Alice outputs (publishes) pk.
► Whenever Alice wishes to sign a digital document m, she computes the signature s = S(sk, m) where S is the (possibly probabilistic) signing algorithm. She outputs s and maybe also m.
► Bob can verify that s is a signature of m output by Alice by running the verification algorithm V(pk, m, s) returning 1 if s = S(sk, m) or 0 otherwise.
The cryptographic system given by the triple (G, S,V) is called a signature scheme.
6
S M Masud Karim
Taxonomy of Signatures
The description of (G, S,V) includes function domains (message, signature and key spaces).
Signature schemes are usually classified according to the following specific features:
► a signature scheme is said randomized or probabilistic (resp. deterministic) when S is probabilistic (resp. deterministic),
► V is deterministic and gives Boolean responses (true or false) during verification,
► schemes, wherein message m is appended to signature s, are sometimes called signature schemes with appendix.
7
S M Masud Karim
Why Reductionist Security?
Once a signature scheme (or a cryptosystem ) is described, how can its security be proved?
► by trying to exhibit an attack
■ attack found system insecure!
■ attack not found ??
► by proving that no attack exists under some assumptions
■ attack found false assumption
Important: The assumption has to be reasonable.
8
S M Masud Karim
How to Get a Security Proof?
To get a security proof, one needs to
Step 1: Formally define the security notion to achieve,
Step 2: Make precise mathematical assumptions,
Step 3: Design a signature scheme (or a cryptosystem) and describe its operational modes,
Step 4: Exhibit a reduction from assumption’s underlying problem to breaking the scheme in the sense defined by the security notion. To prove a problem A is reducible to another problem B, it is needed to show an algorithm (with polynomial resources) that solves A with access to an oracle that solves B. It is denoted by A B or A B.
9
S M Masud Karim
Security Notions
A security notion (or level) is entirely defined by pairing an adversarial goal with an adversarial model.
Depending on the context in which a given signature scheme (or cryptosystem) is used, one may formally define a security notion ,
► by telling what goal an adversary would attempt to reach (the adversarial goal), and
► what means or information are made available to the attacker (the adversarial or attack model).
10
S M Masud Karim
11
S M Masud Karim
Security Goals
► Unbreakability: The attacker recovers the secret key sk from the public key pk (or an equivalent key if any). This goal is denoted UB. Implicitly appeared with public-key signature scheme (or cryptography).
► Universal Unforgeability: The attacker, without necessarily having recovered sk, can produce a valid signature s of any message m in the message space. Noted UUF.
► Existential Unforgeability: The attacker creates a message m and a valid signature s of it (with no control over the message). Denoted EUF.
12
S M Masud Karim
Security Models
► Key-Only Attacks: The adversary only has access to the public key pk. This is denoted KOA. Unavoidable scenario in public-key signature scheme (or cryptography).
► Known Message Attacks: Where an adversary has access to signatures for a set of known messages. Noted KMA.
► Chosen Message Attacks: Here the adversary is allowed to use the signer as an oracle (full access), and
may request the signature of any message of his choice (multiple requests of the same message are allowed). Denoted CMA.
13
S M Masud Karim
Security Notions for Signature
14
S M Masud Karim
Security Notions for Signature (contd.)
Because EUF-CMA is the upper security level, it is desirable to prove security with respect to this notion.
Formally, an signature scheme is said to be (q, , )-secure if for any adversary A with running time upper-bounded by ,
SUCCEUF-CMA(A) = Pr
where the probability is taken over all random choices.
The notation AS(sk,·) means that the adversary has access to a signing oracle throughout the game, but at most q times. The message m* output by A was never requested to the signing oracle.
15
S M Masud Karim
Security Notions for Signature (contd.)
16
S M Masud Karim
Mathematical Assumptions
Public-key design allows to construct systems by assembling and connecting smaller cryptographic or atomic primitives together. For example: one-way functions, hash functions, arithmetic operations etc.
Cryptographic primitives are connected to plenty of (supposedly) intractable problems:
► Strong RSA (SRSA) is hard,
► Discrete log is hard,
► Diffie-Hellman is hard,
► Factoring is hard,
Hard = no PPT (probabilistic polynomial time) algorithm can solve the problem with non-negligible probability.
17
S M Masud Karim
The Strong RSA ProblemStrong RSA Problem: let n = pq be a safe RSA modulus and z Z*
n. Find x and e such that
z = xe mod n with (x, e) (z, 1).
An algorithm R is said to (R, R)-solve the SRSA problem if in at most R operations,
Pr
where the probability is taken over R’s random tapes and the distribution of (n, z).
Strong RSA Assumption: for any (R, R)- solver,
.
R ≤ poly(k) R = negl(k)
18
S M Masud Karim
The GHR Signature Scheme
Gennaro-Halevi-Rabin (GHR), short message variant.
[1]. Generate a safe RSA modulus n = pq with
p = 2p’ + 1, q = 2q’ + 1. Randomly select z Z*
n .
Let H: {0, 1}l Primes ≥ 3 and p’, q’ be a collision-free hash function (l = 30). Publish (n, z). Keep (p, q) private.
[2]. To sign a message m {0, 1}l,
compute s = z1/H(m) mod n.
[3]. Given (m, s), check whether sH(m) = z mod n.
19
S M Masud Karim
Reduction
In order to proof that,
SRSA EUF-CMA(GHR),
it is needed to show that breaking EUF-CMA(GHR) allows to solve SRSA, i.e., that an adversary breaking GHR can be used as a black box tool to answer SRSA requests with non-negligible probability.
Probability Spaces: The reduction has to simulate the attacker’s environment in a way that preserves (or does not alter too much) the distribution of all random variables which interact with it.
20
S M Masud Karim
Reduction (Contd.)
The reduction R will behave as follows.
► R is given n RSA(1k) and z Z*n, as well as an
attacker A that (q, A, A)-solves EUF-CMA(GHR),
► R simulates G and transmits pk to A,
► R receives signature queries from A: R will have to simulate a signing oracle with respect to pk at most q times,
► A outputs a forgery (m^, s^) for GHR with probability A,
► R outputs non-trivial (x, e) such that z = xe mod n.
► R will provide a perfect simulation and (R, R)-solve SRSA with
21
S M Masud Karim
Simulation of Oracles
22
S M Masud Karim
Simulation of G
► For each message mi {0, 1}l, compute H(mi).
Set E =
► Compute y = zE mod n and send the GHR public key (n, y) to A.
Since n RSA(1k) (external to R) and z Z*n
(external to R) are random choices, and z z E is one-to-one {as E and (n) are co-prime, f(z) = zE mod n is a bijection}, (n, y) is perfectly indistinguishable from a random GHR public key (n RSA(1k), y Z*
n).
Therefore, the simulation of G is perfect.
23
S M Masud Karim
Simulation of S and V
Simulation of S
When A requests the signature of a message mi,
send si = zE/H(mi) mod n.
Knowing z and E, it is easy to extract a H(mi)-th root of y for any mi. A’s queries can be answered with perfectly valid signatures. Therefore, the simulation of S is perfect.
Simulation of V
The signature si is verified using siH(m
i) = zE mod
n.
The simulation of V is trivial.
24
S M Masud Karim
Forgery on Simulation of Oracles
The simulation of the attacker’s environment is perfect:
Pr[A forges] ≥ A
Now, the forgery output by A with probability A will be (m^, s^) where m^ is from the given message space and s^ = zE/H(m^) mod n.
But it is mentioned earlier that with known z and E, R could have computed the forgery. Besides, the forgery must help R to get good solution for (x, e).
As the forgery is not new and provides no clue to the solution for (x, e), it is not possible for R to come up with positive response.
25
S M Masud Karim
Alternative Simulation
Simulation of G
► Choose i {1, 2, ... ..., 2l} uniformly at random.
► For each message mj {0, 1}l, compute H(mj).
Set E =
► Compute y = zE mod n and send the GHR public key (n, y) to A.
The simulation of G is also perfect.
26
S M Masud Karim
Alternative Simulation (contd.)
Simulation of S
When A requests the signature of a message mi,
► If j i, send si = zE/H(mj) mod n.
► If j = i, abort the simulation experiment
A’s queries can be answered with perfectly valid signatures except when the query message is mi.
Since i is chosen in [1, 2l] independently from the attacker’s view, the probability of perfect simulation is
Pr[mi Queries(A)]
27
S M Masud Karim
Forgery on Alternative Simulation
Assume that at the end of the game, A outputs (mi, s) as a forgery. Then
sH(mi) = y = zE mod n
As H(mi) and E are co-prime, the Bézout theorem says there must be a and b such that aH(mi) + bE = 1.
Using the Extended Euclidian Algorithm, the values of a and b can easily be computed. Now,
Finally, R sets x = zasb and e = H(mi) and outputs a genuine solution (x, e).
28
S M Masud Karim
Analysis
► In the first simulation (when the simulation is perfect), A can never produce a valid forgery which will eventually be used by R for obtaining the solution (x, e).
► In the second simulation , even then the probability of a successful forgery depends on number of conditions (i.e., lucks). These include:
• A will never query the message mi which is chosen at random during the simulation of G. If A does query mi, the system will abort and A is not expected to provide a forgery.
• Message in A’s forgery (m^, s^) must be mi i.e., m^ = mi.
29
S M Masud Karim
ConclusionHence, it is proved that SRSA EUF-CMA(GHR).
So, we have
► defined security notions for signature schemes,
► made a precise mathematical assumption (SRSA is hard),
► described the algorithms of GHR signature scheme and
► finally performed a reduction from the underlying problem of the mathematical assumption (SRSA problem) to existentially forging of the GHR signature scheme under chosen message attacks.
Therefore, it is evident that GHR signature scheme is secure under strong RSA assumption.
Thank You!!
30
S M Masud Karim