SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-03-17 1

SLIDE 2

Outline

  • RSA-based signature schemes
  • RSA-FDH: Full Domain Hash
  • Random Oracle Model
  • RSA-FDH: Security

SLIDE 3

Recap: RSA problem/assumption

Setting:

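  • $N = P \cdot Q$, for large primes $P, Q$
  • $\varphi(N) = (P - 1)(Q - 1) = |\mathbb{Z}_N^*|$
  • Choose $e \in \mathbb{N}$ uniformly between $1$ and $\varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
  • Then $d \in \mathbb{N}$ with $e \cdot d \equiv 1 \bmod \varphi(N)$ can be found efficiently from $\varphi(N)$ and $e$.
  • For $x \in \mathbb{Z}_N$, we have $x^{e \cdot d} \equiv x \bmod N$.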

SLIDE 5

Recap: RSA problem/assumption

RSA problem:

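  • Given $N, e$ as above and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.

RSA assumption:

  • $\forall$ PPT $A$:

    $\Pr[\, N, e \text{ as above};\ y \leftarrow \mathbb{Z}_N;\ x \leftarrow A(1^k, N, e, y) \;:\; x^e = y \bmod N \,]$ negligible.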

SLIDE 8

“Textbook RSA”

  • Gen($1^k$):
    – choose $P, Q, N, e$ as above
    – $d := e^{-1} \bmod \varphi(N)$
    – $pk = (N, e)$
    – $sk = (N, d)$
  • Sign($sk, m$): $\sigma := m^d \pmod N$
  • Vfy($pk, m, \sigma$): $\sigma^e \overset{?}{=} m \pmod N$

Correctness:

$\sigma^e \equiv (m^d)^e \equiv m^{de \bmod \varphi(N)} \equiv m^1 \equiv m \pmod N$

SLIDE 11

Security

  • Not EUF-NMA secure:
    – Choose $\sigma^* \leftarrow \mathbb{Z}_N$
    – Compute $m^* := (\sigma^*)^e \bmod N$
    – Output $(m^*, \sigma^*)$ as forgery
  • (Multiplicatively) homomorphic:
    – If $\sigma_1, \sigma_2$ are valid signatures for $m_1, m_2$,
    – then $\sigma_3 := \sigma_1 \sigma_2 \bmod N$ is valid for $m_3 := m_1 m_2 \bmod N$:

      $\sigma_3^e \equiv (\sigma_1 \sigma_2)^e \equiv \sigma_1^e \sigma_2^e \equiv m_1 m_2 \equiv m_3 \pmod N$

  • Exercise: Textbook-RSA is UUF-NMA secure if the RSA assumption holds.

SLIDE 12

RSA-based signatures

Secure signatures based on RSA

Often: suitable preprocessing/encoding of m

  • RSA PKCS #1 v1.5
  • RSA-FDH (Full Domain Hash)
  • RSA-PSS (Probabilistic Signature Scheme, not in notes)

More schemes:

  • Gennaro-Halevi-Rabin scheme:

– EUF-naCMA secure under stronger assumption

  • Hohenberger-Waters scheme (not covered here):

– similar to GHR, but under standard RSA assumption

SLIDE 13

RSA PKCS #1 v1.5

PKCS #1:

  • Public-Key Cryptography Standard #1
  • Originally developed by RSA Security
  • Version 1.5: November 1993
  • Today: Version 2.2 (October 2012)
  • Contains also variant of RSA-PSS

    – https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm
    – https://tools.ietf.org/html/rfc3447

SLIDE 22

RSA PKCS #1 v1.5

  • Gen($1^k$): as with Textbook-RSA
  • Sign($sk, m$):
    – let $H$ be a collision-resistant hash function
    – encode $m$ as $m' :=$ 0x00 0x01 0xFF ... 0xFF 0x00 spec. H H(m), where
        0x00 0x01: type of encoding (signature)
        0xFF ... 0xFF: padding
        0x00: boundary
        spec. H: which H?
        H(m): hash value
    – $\sigma := (m')^d \pmod N$
  • Vfy($pk, m, \sigma$):
    – compute $m' := \sigma^e \pmod N$
    – check if $m'$ valid encoding of $m$

SLIDE 23

RSA PKCS #1 v1.5: security

Security?

  • not clear, but at least not (obviously) homomorphic
  • no attacks known, but also no security proof
  • exception: attack on implementation flaws

Why relevant?

  • old, used in practice
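
The encoding and the Vfy step of RSA PKCS #1 v1.5, written out as an added Python example (not from the slides): it builds m′ for SHA-256 and verifies by recomputing the complete expected block and comparing it, so no field of the recovered block is parsed leniently. The key is a constructed toy key, and all function names are this example's own.

```python
import hashlib
import hmac

# Constructed toy key (product of two Mersenne primes): sized so a SHA-256
# encoding fits, structurally weak, never to be used as a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # modulus length in bytes

# "spec. H": DER-encoded DigestInfo prefix that names SHA-256 (RFC 3447).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(msg: bytes, k: int = K) -> bytes:
    """m' := 0x00 0x01 0xFF..0xFF 0x00 spec.H H(m), exactly k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def sign_encoded(em: bytes) -> bytes:
    """sigma := (m')^d mod N for an already encoded block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def sign(msg: bytes) -> bytes:
    return sign_encoded(encode(msg))


def verify(msg: bytes, sig: bytes) -> bool:
    """Recompute the expected m' and compare the whole block, rather than
    parsing the recovered block field by field."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")     # m' := sigma^e mod N
    return hmac.compare_digest(recovered, encode(msg))


def selftest() -> dict:
    msg = b"constructed sample message"
    good = sign(msg)
    # Same hash, but one padding byte is not 0xFF: a malformed m'.
    em = bytearray(encode(msg))
    em[10] = 0xFE
    malformed = sign_encoded(bytes(em))
    return {
        "valid": verify(msg, good),
        "other_message": verify(b"another message", good),
        "bad_padding": verify(msg, malformed),
        "short_signature": verify(msg, good[1:]),
    }
```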

SLIDE 24

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • First quiz (about textbook RSA) start now!

SLIDE 30

RSA-FDH

  • Let $H : \{0, 1\}^* \to \mathbb{Z}_N$ be a collision-resistant hash function
  • Idea: sign $H(m)$ with Textbook RSA
    – Message space/domain of Textbook RSA: $\mathbb{Z}_N$
    – Hence naming: $H$ hashes to full domain $\mathbb{Z}_N$

Specifically:

  • Gen($1^k$) as with Textbook RSA
  • Sign($sk, m$): $\sigma := H(m)^d \pmod N$
  • Vfy($pk, m, \sigma$): $\sigma^e \overset{?}{\equiv} H(m) \pmod N$

Correctness: clear
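
An added Python example, not part of the original slides, that applies the two manipulations from the textbook RSA "Security" slide to both textbook RSA and RSA-FDH as defined above. The key is a constructed toy key, and the hash H is an assumption of this example: SHAKE-256 output reduced mod N stands in for a full-domain hash.

```python
import hashlib

# Constructed toy key from two Mersenne primes: large enough to run the
# example, structurally weak, never to be used as a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # d := e^-1 mod phi(N)


def textbook_sign(m: int) -> int:
    return pow(m, D, N)                 # sigma := m^d mod N


def textbook_vfy(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N    # sigma^e ?= m mod N


def H(msg: bytes) -> int:
    """Full-domain hash stand-in (assumption): SHAKE-256 stretched to
    len(N) + 16 bytes and reduced mod N, so outputs cover Z_N almost uniformly."""
    nbytes = (N.bit_length() + 7) // 8 + 16
    return int.from_bytes(hashlib.shake_256(msg).digest(nbytes), "big") % N


def fdh_sign(msg: bytes) -> int:
    return pow(H(msg), D, N)            # sigma := H(m)^d mod N


def fdh_vfy(msg: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == H(msg)   # sigma^e ?= H(m) mod N


def to_bytes(m: int) -> bytes:
    return m.to_bytes((N.bit_length() + 7) // 8, "big")


def compare() -> dict:
    """Apply both manipulations to both schemes and report what verifies."""
    out = {}
    # 1) Pick sigma* first, derive m* := (sigma*)^e mod N (no signing key used).
    sigma_star = 0xC0FFEE
    m_star = pow(sigma_star, E, N)
    out["textbook_nma"] = textbook_vfy(m_star, sigma_star)
    out["fdh_nma"] = fdh_vfy(to_bytes(m_star), sigma_star)
    # 2) Multiply two honest signatures and test them on the product message.
    m1, m2 = 1234567, 7654321
    m3 = (m1 * m2) % N
    s3 = (textbook_sign(m1) * textbook_sign(m2)) % N
    out["textbook_product"] = textbook_vfy(m3, s3)
    f3 = (fdh_sign(to_bytes(m1)) * fdh_sign(to_bytes(m2))) % N
    out["fdh_product"] = fdh_vfy(to_bytes(m3), f3)
    # Honest FDH signatures still verify.
    out["fdh_honest"] = fdh_vfy(b"hello", fdh_sign(b"hello"))
    return out


if __name__ == "__main__":
    for name, accepted in compare().items():
        print(f"{name:18s} accepted={accepted}")
```

With FDH, the verifier compares against H(m) instead of m, so neither the chosen-signature message nor the product of two signatures lines up with a hash value the signer ever exponentiated.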

SLIDE 33

Security of RSA-FDH

Theorem

If the RSA assumption holds, then RSA-FDH is EUF-CMA secure in the random oracle model.

Random oracle model?

SLIDE 35

Random Oracle Model (ROM)

  • Heuristic
  • Consider idealized hash function H
  • Output H(m) independently uniform for every m
  • H modeled as “random” oracle that chooses and outputs H(m)
  • All parties/algorithms use the same oracle

The H oracle:

  • Can be (“lazily”) implemented as follows:

      if m in T:
          return T[m]
      else:
          y ← Z_N
          T[m] := y
          return y

SLIDE 40

ROM: Discussion

  • Fact: ROM cannot be implemented with any hash function
  • Hence: “standard model” security proof better than ROM proof
  • But: some cryptographic problems solvable only in ROM
  • Also: ROM schemes often more efficient than non-ROM schemes
    – Example: RSA-based signatures
  • Besides: ROM solution can be first step towards non-ROM solution

SLIDE 43

ROM: Discussion

  • Fact: for many ROM constructions no “real” attacks known
  • But: There are cryptographic constructions that are secure in the ROM but are insecure with any implementation of H.
  • Unclear what exactly a ROM proof guarantees in practice
    – Intuition: “Scheme secure modulo hash function”

SLIDE 44

ROM: Discussion

Summary:

  • ROM admits/enables efficient and natural constructions
  • works fine in practice so far
  • but over-idealizes, only heuristic

ROM is controversial

SLIDE 45

RSA-FDH: Security

Theorem (64)

If $H$ is modeled as random oracle, then for every adversary $A$ that attacks the EUF-CMA security of RSA-FDH in time $t_A$ with success $\epsilon_A$ and makes at most $q_H$ queries to the $H$ oracle, there is an adversary $B$ that solves the RSA problem in time $t_B \approx t_A$ with success

$\epsilon_B \geq \frac{\epsilon_A - 1/N}{q_H}.$

SLIDE 47

RSA-FDH: security proof

Simulation/reduction strategy:

  • $A$ has to explicitly query $H$ for hash values (also for $m^*$)
  • Intercept these queries and simulate RO for $A$
  • $B$ can implement RO for $A$ as follows:
    – guess index $i^*$ of message for which $A$ forges a signature (i.e., guess when $m^*$ is being queried)
    – choose hash values $h_i$ (for $i \neq i^*$) such that signature is known
    – set $h_{i^*} = y$ (for the given RSA challenge $y$)

SLIDE 49

RSA-FDH: security proof

  • Assume that $A$ outputs valid forgery $(m^*, \sigma^*)$.
  • Then one of the following events must occur:
    – $E_0$: $A$ (wins and) never queries $H(m^*)$ from RO
    – $E_1$: $A$ (wins and) explicitly queries $H(m^*)$ from RO

We have

$\epsilon_A = \Pr[E_0] + \Pr[E_1]$

SLIDE 51

RSA-FDH: event E0

$E_0$: $A$ wins but never queries $H(m^*)$

  • RO chooses $H(m^*)$ independently uniformly from $\mathbb{Z}_N$
  • Map $h \mapsto h^e \bmod N$ is bijective
  • Thus there is only one valid signature $\sigma^* = H(m^*)^d$ for $m^*$
  • The probability that $A$ outputs this $\sigma^*$ is $1/N$.

$\Longrightarrow \Pr[E_0] \leq \frac{1}{N}$

SLIDE 60

RSA-FDH: proof strategy to bound Pr[E1]

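[Diagram] Parties: challenger $C_{RSA}$ (RSA problem), reduction $B$, adversary $A$ (EUF-CMA).

  • $C_{RSA}$ chooses $N, e, y$ and sends $N, e, y$ to $B$; $B$ sends $pk$ to $A$
  • (1) $A$ asks $H(m) = ?$; $B$ chooses $H(m)$ suitably and returns $H(m)$
  • (2) $A$ asks Sign($sk, m$) $= ?$; $B$ computes $\sigma$ suitably and returns $\sigma$
  • (3) $A$ outputs $m^*, \sigma^*$; $B$ sends $x$ to $C_{RSA}$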

SLIDE 66

RSA-FDH: success probability

  • Choice of $H(m)$ (reduction $B$ can make up $H(m)$ for $A$!):
    – Setting $H(m) = x^e \bmod N$ for known (previously chosen) $x$ ...
    – ... allows to later output a signature $\sigma := x$ for $m$
    – Setting $H(m) = y$ for the RSA challenge $y$ ...
    – ... means that a signature $\sigma$ for $m$ solves the RSA challenge (since $x^e = H(m) = y \bmod N$)
  • Ideally: set $H(m_i) = x_i^e \bmod N$ for known $x_i$ and all (later) signature queries $m_i$; also set $H(m^*) = y$
  • Problem: not known which $m_i$ are asked to be signed and which hash query is $m^*$
  • Solution: guess index $i^*$ of hash query for which $m_{i^*} = m^*$, set $H(m_i) = x_i^e \bmod N$ for all other queries $m_i$ (with $i \neq i^*$)

SLIDE 67

RSA-FDH: proof strategy to bound Pr[E1]

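[Diagram] Parties: challenger $C_{RSA}$ (RSA problem), reduction $B$, adversary $A$ (EUF-CMA).

  • $C_{RSA}$ chooses $N, e, y$ and sends $N, e, y$ to $B$; $B$ sends $pk$ to $A$
  • (1) $A$ asks $H(m_i) = ?$; $B$ returns $H(m_i)$, where
    – $i \neq i^*$: $H(m_i) := x_i^e \bmod N$
    – $i = i^*$: $H(m_i) := y$
  • (2) $A$ asks Sign($sk, m_i$) $= ?$; $B$ sets $\sigma = x_i$ and returns $\sigma$
  • (3) $A$ outputs $m^*, \sigma^*$; $B$ outputs $x = \sigma^*$ to $C_{RSA}$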
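
The simulation above as an added Python example (not from the slides): B programs a lazily filled oracle table, answers signing queries from the known x_i, and extracts the RSA solution when the forgery lands on the guessed query. The forger is a stand-in that is handed d only to produce a valid forgery; the class and function names, the toy key and the fixed seed are assumptions of this example.

```python
import random


class ReductionB:
    """B from the proof: gets an RSA challenge (N, e, y), plays the random
    oracle and the signer for A, and hopes A forges on the i*-th hash query."""

    def __init__(self, N, e, y, q_H, rng, i_star=None):
        self.N, self.e, self.y, self.rng = N, e, y, rng
        self.i_star = rng.randrange(1, q_H + 1) if i_star is None else i_star
        self.table = {}        # m -> (H(m), x or None): lazily filled RO table
        self.aborted = False

    def H(self, m):
        if m not in self.table:
            if len(self.table) + 1 == self.i_star:
                self.table[m] = (self.y, None)             # i = i*: plant y
            else:
                x = self.rng.randrange(self.N)             # i != i*: known x_i
                self.table[m] = (pow(x, self.e, self.N), x)
        return self.table[m][0]

    def sign(self, m):
        self.H(m)
        x = self.table[m][1]
        if x is None:          # asked to sign the guessed m*: guess was wrong
            self.aborted = True
        return x               # sigma = x_i, valid because x_i^e = H(m_i)

    def extract(self, m_star, sigma_star):
        """Return x with x^e = y mod N if the forgery hit the planted query."""
        entry = self.table.get(m_star)
        if self.aborted or entry is None or entry[1] is not None:
            return None        # abort, event E0, or forgery on another query
        if pow(sigma_star, self.e, self.N) != self.y:
            return None        # not a valid forgery
        return sigma_star      # x = sigma*


def stand_in_forger(B, d, target):
    """Stand-in for a successful A (assumption of this demo): three hash
    queries, one signing query, then a forgery on `target`. It is handed d
    only so that the demo has a valid forgery to feed into B."""
    msgs = [b"m1", b"m2", b"m3"]
    hashes = {m: B.H(m) for m in msgs}
    signed = next(m for m in msgs if m != target)
    sigma = B.sign(signed)
    assert sigma is None or pow(sigma, B.e, B.N) == hashes[signed]
    return target, pow(hashes[target], d, B.N)


def run(i_star, target=b"m2", seed=1):
    N, e, d = 3233, 17, 2753          # constructed toy key (61 * 53)
    rng = random.Random(seed)
    y = rng.randrange(N)              # RSA challenge
    B = ReductionB(N, e, y, q_H=3, rng=rng, i_star=i_star)
    x = B.extract(*stand_in_forger(B, d, target))
    return x, y, N, e
```

Only the guess i* = 2 matches the forged message here; the other two guesses end with B giving up, which is where the factor 1/q_H in the bound comes from.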

SLIDE 69

RSA-FDH: success probability

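  • Recap: $\epsilon_A \leq \Pr[E_0] + \Pr[E_1]$
  • So far: $\Pr[E_0] \leq 1/N$ and $\epsilon_B \geq \Pr[E_1]/q_H$
  • Hence:

    $\epsilon_B \cdot q_H \geq \Pr[E_1] \geq \epsilon_A - \Pr[E_0] \geq \epsilon_A - 1/N \iff \epsilon_B \geq \frac{\epsilon_A - 1/N}{q_H}$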

SLIDE 71

RSA-FDH: discussion (not in lecture notes)

  • Constructed adversary $B$ has success probability

    $\epsilon_B \geq \frac{\epsilon_A - 1/N}{q_H}$

  • “weak” result (“lossy” reduction)
  • sufficient to show (asymptotic) EUF-CMA security
  • but: $\epsilon_B \geq \epsilon_A$ would be stronger

Question:

Does this weakness have consequences?

SLIDE 72

RSA-FDH: discussion (not in lecture notes)

Yes!

(if you insist on security guarantees → next lecture)

SLIDE 73

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Second quiz (about RSA-FDH) start now!
