Digital Signatures, Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

SLIDE 1

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-03-24 1

SLIDE 2

Outline

  • Parameter choices
  • RSA-PSS
  • Genaro-Halevi-Rabin signatures

SLIDE 4

Recap

Last lecture:

  • Random Oracle Model
  • RSA Full Domain Hash
  • Security proof:

    – RSA-FDH adversary A with runtime $t_A$, success probability $\epsilon_A$, $q_H$ hash queries → RSA solver B with runtime $t_B \approx t_A$ and success $\epsilon_B \geq \frac{\epsilon_A - 1/N}{q_H}$

  • Quality of reduction?

SLIDE 5

Contents

Today: interlude (not in notes)

  • Parameter choices
  • RSA-PSS
  • Genaro-Halevi-Rabin signatures

SLIDE 8

Parameter choices

How do you choose parameters for cryptosystems?

Example: RSA

  • N = P · Q with prime P, Q
  • How large should P, Q be?
  • Generally: security only for suitably large security parameter k
  • $P, Q \in [2^{100}, 2^{101})$ large enough?
  • Comparison: #atoms in universe $\approx 10^{80} \approx 2^{266}$
  • $P, Q \in [2^{300}, 2^{301})$?

SLIDE 10

Parameter choices

Best known attack against RSA:

  • Factor N (i.e., compute P, Q from N = PQ)
  • Compute $\varphi(N) = (P - 1)(Q - 1)$, $d := e^{-1} \bmod \varphi(N)$ (RSA secret key)

Best known factorization algorithm:

  • General Number Field Sieve (GNFS)
  • Runtime for n-bit modulus ($n = \lfloor \log_2(N) \rfloor + 1$):

$$t_{GNFS}(n) := C \cdot \exp\left( \left(\tfrac{64}{9}\right)^{1/3} \, n^{1/3} \, \ln(n)^{2/3} \right)$$

    – (runtime conjectured)

SLIDE 12

Tradeoff: time/success

Given:

  • PPT algorithm B solves problem in time t with success probability $\epsilon$

Consider Algorithm C:

    repeat
        solution ← B(N)
    until solution is correct

  • Las Vegas algorithm (succeeds always, but not PPT!)
  • Expected runtime: $\frac{1}{\epsilon} \cdot t$

$\frac{1}{\epsilon} t$ gives “1/quality” of B. The smaller this value, the better is B.

SLIDE 14

Parameter choices

So how do you choose concrete parameters?

Goal: signature scheme secure against any adversary A that...

  • can perform at most $t_A$ operation steps
  • knows at most q signatures
  • can compute at most $q_H$ hash values

Concrete assumption (“GNFS assumption”):

  • There is no Las-Vegas algorithm C that solves the RSA problem faster than the GNFS

SLIDE 18

Parameter choice for RSA-FDH

  • Security reduction converts adversaries A → B

    – $t_B \approx t_A$
    – $\epsilon_B \geq \frac{\epsilon_A - 1/N}{q_H} \approx \frac{\epsilon_A}{q_H}$

  • The resource consumption (or “inverse quality”) of B is

$$\frac{1}{\epsilon_B} t_B \leq \frac{q_H}{\epsilon_A} t_B \approx \frac{q_H}{\epsilon_A} t_A$$

  • Choose n large enough, so that

$$t_{GNFS}(n) > \frac{q_H}{\epsilon_A} t_A$$

  • Then existence of A contradicts “GNFS assumption”.

SLIDE 22

Parameter choice for better reduction

Hypothetically: better reduction

  • $t_B \approx t_A$
  • $\epsilon_B \geq \epsilon_A$
  • leads to:

$$\frac{1}{\epsilon_B} t_B \leq \frac{1}{\epsilon_A} t_B \approx \frac{1}{\epsilon_A} t_A$$

  • Choose n large enough, so that

$$t_{GNFS}(n) > \frac{1}{\epsilon_A} t_A$$

With better reduction: can choose smaller n ⇒ more efficient scheme!

SLIDE 23

Typical target security levels

  • best publicly known supercomputer (Nov 2019): Summit (IBM)
  • theoretical performance: $\approx 2^{58}$ FLOP/s
  • in $2^{22}$ seconds (≈ 49 days): $2^{80}$ FLOP
  • ⇒ $t_A \geq 2^{80}$ operations
  • typical: $t_A \in \{2^{100}, 2^{128}\}$
  • q: e.g. $2^{30}$ (> 1 billion signatures)
  • $q_H$: e.g. $2^{60}$ (> 1 billion billion hash computations)
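
The effect of the reduction loss on the modulus length, as an added example (not part of the original slides). It uses the slides' $t_{GNFS}(n)$ formula with the unknown constant C assumed to be 1, and finds the smallest n for the RSA-FDH bound $q_H t_A / \epsilon_A$ and for the tight bound $t_A / \epsilon_A$; all function names are hypothetical.

```python
import math

def log2_t_gnfs(n: int, log2_c: float = 0.0) -> float:
    """log2 of t_GNFS(n) = C * exp((64/9)^(1/3) * n^(1/3) * ln(n)^(2/3)).

    This is the formula as given on the slides; C = 1 (log2_c = 0) is an
    assumption, since the slides leave the constant unspecified.
    """
    exponent = (64 / 9) ** (1 / 3) * n ** (1 / 3) * math.log(n) ** (2 / 3)
    return log2_c + exponent / math.log(2)

def min_modulus_bits(log2_target: float) -> int:
    """Smallest n with t_GNFS(n) > 2^log2_target.

    Binary search is valid because t_GNFS is increasing in n.
    """
    lo, hi = 2, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if log2_t_gnfs(mid) > log2_target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def required_bits(log2_t_a: float, log2_eps_a: float, log2_q_h: float):
    """Return (n for RSA-FDH, n for a hypothetical tight reduction).

    All arguments are base-2 logarithms of t_A, eps_A and q_H.
    """
    tight = log2_t_a - log2_eps_a      # log2(t_A / eps_A)
    lossy = tight + log2_q_h           # log2(q_H * t_A / eps_A)
    return min_modulus_bits(lossy), min_modulus_bits(tight)

if __name__ == "__main__":
    # t_A = 2^100 and q_H = 2^60 are the typical values listed above;
    # eps_A = 1 is chosen here for illustration.
    n_fdh, n_tight = required_bits(100, 0, 60)
    print(f"RSA-FDH: n >= {n_fdh} bits, tight reduction: n >= {n_tight} bits")
```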

SLIDE 25

Different perspective

  • Goal: for all FDH adversaries A, we want $\epsilon_A \leq 1/2^{80}$
  • Allow $2^{30}$ hash queries
  • Reduction says: $\epsilon_B \geq \epsilon_A / q_H = 1/2^{110}$
  • Hence we need to choose RSA parameters such that for realistic adversaries, $\epsilon_B \leq 1/2^{110}$
  • If we had $\epsilon_B \geq \epsilon_A$, then $\epsilon_B \leq 1/2^{80}$ would suffice
  • Would lead to smaller parameters and more efficiency

SLIDE 26

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • First quiz (about parameter choices) starts now!

SLIDE 27

Contents

Today: interlude (not in notes)

  • Parameter choices
  • RSA-PSS
  • Genaro-Halevi-Rabin signatures

SLIDE 28

RSA-PSS

  • RSA-based signature scheme
  • Like textbook RSA, but with preprocessing of m
  • EUF-CMA secure in ROM (under RSA assumption)
  • Security reduction with small reduction loss
  • Standardized in PKCS #1 since version 2.1 (June 2002)

    – ... but we will describe the slightly simpler version from the research paper

SLIDE 31

RSA-PSS

  • $Gen(1^k)$: as with textbook RSA
  • Sign(sk, m): $\sigma := \text{PSS-Encode}(m)^d \bmod N$
  • Vfy(pk, m, σ):

    – Compute $y = \sigma^e \bmod N$
    – Output 1 iff y valid encoding of m

SLIDE 32

RSA-PSS

PSS-Encoding:

  • Parameter $k_0, k_1$ with $k_0 + k_1 \leq k - 1$.
  • Requires two hash functions G, H
  • $H : \{0,1\}^* \to \{0,1\}^{k_1}$
  • $G : \{0,1\}^{k_1} \to \{0,1\}^{k - k_1 - 1}$

    – $G_1$: first $k_0$ bits of G
    – $G_2$: rest of G
    – $\forall w \in \{0,1\}^{k_1} : G(w) = G_1(w) \,\|\, G_2(w)$

SLIDE 33

RSA-PSS

PSS-Encoding (continued):

  • choose $r \leftarrow \{0,1\}^{k_0}$ uniformly
  • $w := H(m \,\|\, r)$
  • $r^* := G_1(w) \oplus r$
  • $\gamma := G_2(w)$
  • encoding $:= 0 \,\|\, w \,\|\, r^* \,\|\, \gamma$

[Figure: PSS encoding diagram; labels: m, r, H, w, G, $G_1(w)$, $G_2(w)$, $0^{k - k_0 - k_1 - 1}$, $r^*$, $\gamma$]

SLIDE 34

RSA-PSS: verification

  • Compute $y = \sigma^e \bmod N$
  • If first bit of y not equal to 0: output 0
  • Split y into $0, w', r'^*, \gamma'$
  • Compute $r' := r'^* \oplus G_1(w')$
  • Output 1 iff $\gamma' \overset{?}{=} G_2(w')$ and $w' \overset{?}{=} H(m \,\|\, r')$, else 0.

SLIDE 36

RSA-PSS

Assume G and H are random oracles. Then for every adversary A that breaks the EUF-CMA security of RSA-PSS

  • in time $t_A$
  • with at most $q_{hash}$ hash queries to G and H,
  • at most q signature queries
  • and success probability $\epsilon_A$,

there exists an adversary B that solves the RSA problem in time $t_B$ with success probability

$$\epsilon_B \geq \epsilon_A - \left( 2(q + q_{hash})^2 + 1 \right) \cdot \left( 2^{-k_0} + 2^{-k_1} \right)$$

$$t_B \leq t_A + (q + q_{hash} + 1) \cdot k_0 \cdot \Theta(n^3).$$

Note: simplification: $k_0 = k_1$.

SLIDE 37

Proof overview

Recap: RSA-FDH proof

  • B implements H-oracle for A
  • embeds own RSA instance in one (randomly chosen) H-query
  • all other H-queries: program H(m) such that signature for m is known

⇒ B has to guess which H-query corresponds to forgery (guess correct with probability $\frac{1}{q_H}$)

SLIDE 38

Proof overview

Changes with RSA-PSS:

  • many valid encodings for every m
  • upon G- or H-queries: embed own RSA instance
  • upon signature query: choose another encoding with known signature

    – more specifically: choose random encoding
    – with high probability different from previous (hashed) encoding

SLIDE 40

RSA-PSS: Summary

  • EUF-CMA secure in ROM (under RSA assumption)
  • Same principle as with RSA-FDH: encode message, then textbook RSA
  • Efficiency similar to that of RSA-FDH

    – Main difference: 2 hash computations (not 1) per signature

  • But: reduction has almost no “loss”
  • In practice more efficient than RSA-FDH when compensating for lossy reduction

SLIDE 41

Socrative

Self-checking with quizzes

  • Use following URL: https://b.socrative.com/login/student
  • . . . and enter room “HOFHEINZ8872”
  • Will also be in chat (so you can click on link)
  • No registration necessary
  • Second quiz (about RSA-PSS) starts now!

SLIDE 42

RSA signatures so far: issues

  • Schemes so far: either inefficient, or only heuristic security (ROM)
  • Goal (hard!): EUF-CMA-secure signature scheme based on RSA...

    – that is efficient (i.e., usable in practice)
    – whose security requires no random oracles.

  • “Workaround”: Strong RSA assumption

SLIDE 43

Strong RSA assumption

RSA problem:

  • given N, e and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.

RSA assumption:

  • ∀ PPT A:

$$\Pr\left[ N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \;:\; x^e \equiv y \bmod N \right]$$

    is negligible in k.

SLIDE 44

Strong RSA assumption

Strong RSA problem:

  • given N and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.

Strong RSA assumption:

  • ∀ PPT A:

$$\Pr\left[ N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow A(1^k, N, y) \;:\; x^e \equiv y \bmod N \wedge e > 1 \right]$$

    is negligible in k.

SLIDE 47

Strong RSA: naming

  • Strong RSA assumption stronger assumption than RSA assumption

    – We give adversary more control, easier to win game
    – We assume that it’s still hard for adversary to win

  • But: strong RSA problem easier than RSA problem

Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all

SLIDE 52

Genaro-Halevi-Rabin signatures

Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)

$Gen(1^k)$:

  • Choose N = P · Q, P, Q prime as with RSA
  • $s \leftarrow \mathbb{Z}_N$
  • Choose h such that $\forall m \in \{0,1\}^* : \gcd(h(m), \varphi(N)) = 1$ ⊛
  • pk := (N, s, h)
  • sk := $\varphi(N) = (P - 1)(Q - 1)$

Sign(sk, m):

  • $\sigma := s^{1/h(m)} \bmod N$

Vfy(pk, m, σ): $\sigma^{h(m)} \overset{?}{\equiv} s \bmod N$

(⊛ : can be enforced, e.g., by letting h only output large primes)
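
The GHR scheme above in code, as an added example (not part of the original slides). Assumptions: a constructed toy key built from two Mersenne primes (insecure), and a hypothetical hash-to-prime h that maps SHA-256(m) to the next 136-bit prime, so that h(m) exceeds both P and Q and condition ⊛ holds automatically.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes: insecure, illustration only.
P, Q = 2**127 - 1, 2**107 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)    # sk = phi(N)
S = secrets.randbelow(N - 2) + 2     # public s <- Z_N
H_BITS = 136                         # h(m) > P > Q, so gcd(h(m), phi(N)) = 1

def is_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def h(m: bytes) -> int:
    """Hash to a prime: first prime at or above a 136-bit odd value from SHA-256(m)."""
    c = int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - H_BITS)
    c |= (1 << (H_BITS - 1)) | 1     # force full length and oddness
    while not is_prime(c):
        c += 2
    return c

def sign(m: bytes) -> int:
    # sigma = s^(1/h(m)) mod N: 1/h(m) is the inverse of h(m) modulo phi(N)
    return pow(S, pow(h(m), -1, PHI), N)

def verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, h(m), N) == S
```

Signing needs $\varphi(N)$ to invert h(m), while verification uses only the public values N, s and h.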

SLIDE 53

GHR signatures: security

Theorem 70: For every PPT A that breaks the EUF-naCMA security of Σ in time $t_A$ with success $\epsilon_A$, there is a PPT B that runs in time $t_B \approx t_A$ and which

  • either breaks the collision-resistance of h with success $\epsilon_{coll} \geq \epsilon_A / 2$,
  • or solves the strong RSA problem with success $\epsilon_{sRSA} \geq \epsilon_A / 2$.