Flaws in Applying Proof Methodologies to Signature Schemes (PDF slide deck)
Jacques Stern - David Pointcheval, Ecole normale supérieure - France; John Malone-Lee - Nigel Smart, University of Bristol - UK


Slide 1: Flaws in Applying Proof Methodologies to Signature Schemes
Jacques Stern - David Pointcheval, Ecole normale supérieure - France
John Malone-Lee - Nigel Smart, University of Bristol - UK

Slide 2: Summary
• The methodology of "provable security"
• The context of signature schemes
  – definitions
  – questions
• Our findings
  – ESIGN
  – ECDSA
• Conclusions
Jacques Stern, Flaws in Applying Proof Methodologies to Signature Schemes - 2

Slide 3: Provable security: a short story
• Originated in the seminal papers [GM86] and [GMR88]
• Received increased applicability by allowing random oracles as a substitute for hash functions [FS86, BR93]
• Now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

Slide 4: The need for provable security
• "Textbook" crypto schemes cannot be used as such (obvious homomorphic properties…)
• Practitioners need formatting rules to ensure interoperability
• Heuristic redundancy is not enough
  – attack against PKCS#1 v1.5 [Bl98]
  – attack against ISO 9796-1 [CNS99, CHJ99]

Slide 5: The limits of provable security
• Provable security does not yield proofs
  – proofs are relative
  – proofs often use random oracles; their meaning is debatable [CGH98]
  – proofs are not formal objects but appear in talks and papers; time is needed for acceptance
• Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

Slide 6: Provable security in five steps
1 - Define the goal of the adversary
2 - Define the security model
3 - Provide a proof by reduction
4 - Check the proof
5 - Interpret the proof

Slide 7: Proof by reduction
Reduction of a problem P to an attack Atk:
• Let A be an adversary that breaks the scheme; then A can be used to solve P
• Instance I of P → A → solution of I
• P intractable ⇒ scheme unbreakable

Slide 8: Why other steps matter: OAEP
Proposed formatting standard for RSA encryption [BR94]
1 - Goal of adversary: distinguish random encryptions of two messages m_0, m_1
2 - Security models: CPA, CCA1, CCA2
3 - Proof (in [BR94])
4 - Does not achieve CCA2 [Sh01]
5 - Alternative proof [FOPS01], specific to RSA-OAEP

Slide 9: Signature
• Appends to a message a proof of origin
• This should provide non-repudiation and thus even convince a third party

Slide 10: Signature scheme
• Key generation algorithm G, producing a signing key k_s and a verification key k_v
• Signature algorithm: on input m and k_s, outputs σ
• Verification algorithm: on input (m, σ) and k_v, outputs 0/1
Non-repudiation: impossible to forge a valid σ without k_s

Slide 11: Goal of the adversary
• Existential Forgery: try to forge a valid message-signature pair without the private key
• The adversary A is successful if the following probability is large:
  $\mathrm{Succ}^{ef}(\mathcal{A}) = \Pr\big[(k_s, k_v) \leftarrow G,\ (m, \sigma) \leftarrow \mathcal{A}(k_v) : \mathrm{Verify}(k_v, m, \sigma) = 1\big]$

Slide 12: Security models
• No-Message Attacks: the adversary only knows the verification (public) key
• Known-Message Attacks (KMA): the adversary has access to a list Λ of message/signature pairs
• Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary ⇒ the strongest attack

Slide 13: Q1: submit the same message?
• In a probabilistic signature scheme, several signatures may correspond to a message
• In the usual definition for Existential Forgery in Chosen-Message Attacks (CMA), the adversary can repeatedly submit a message. Otherwise, weaker model:
• Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ and (m, σ) is added to the list Λ

Slide 14: Q2: control key generation?
• In the usual definition for Existential Forgery, it is assumed that key generation G is fairly played
• Having the adversary control G can affect non-repudiation by allowing duplicate signatures: two different messages m_1, m_2 with a common σ
• One can produce (m_1, σ) and later claim that (m_2, σ) was meant

Slide 15: Q3: output the same message?
• In the usual definition for Existential Forgery, the output forgery corresponds to a fresh message m: no pair (m, σ) can be in the list Λ. Otherwise, weaker goal:
• Malleability: produce a new pair (m, σ) ∉ Λ, possibly for a submitted message ((m, σ') in Λ for some σ' ≠ σ)
• Non-malleability is a stronger demand than resistance to existential forgeries

Slide 16: ESIGN
A signature scheme designed in the late 1990s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof
• Uses RSA integers of the form n = p^2 q
• Based on the Approximate e-th Root problem: given y, find x such that y ≈ x^e mod n
• Signature generation is a very efficient way to compute σ = x, given y = H(m)

Slide 17: Our findings on ESIGN
• The proof holds only in the SO-CMA scenario
• The reduction simulates signature requests by having x ready beforehand such that H(m) ≈ x^e mod n
• It gets stuck if m is queried anew
• Interpretation:
  – ESIGN is not broken
  – either give up the CMA property…
  – or modify ESIGN (cf. NESSIE internal paper by L. Granboulan)

Slide 18: ECDSA
⟨P⟩: the group generated by P, an element of order q of the elliptic curve EC; x: private key; Y = x.P: public key
Signing m:
• choose k ∈ Z_q
• compute R = k.P
• compute r = first-coordinate(R) = f(R)
• compute e = H(m), s = (e + x r)/k mod q
• output σ = (r, s)
Verifying (m, r, s): first check 0 < r, s < q
• compute R' = e s^{-1}.P + r s^{-1}.Y
• test if r = f(R')

Slide 19: Duplicate signatures for ECDSA
• Perform key generation as follows:
  – compute h_1 = H(m_1), h_2 = H(m_2)
  – choose k ∈ Z_q and compute r = f(k.P)
  – set the private key to x = -(h_1 + h_2)/(2r) mod q
  – set s = (h_1 + x r)/k = -(h_2 + x r)/k mod q
• Interpretation:
  – ECDSA is not broken
  – duplicate signatures reveal the secret key
  – to eliminate duplicates one needs to tweak ECDSA

Slide 20: Malleability of ECDSA
• In ECDSA, r = first-coordinate(R) = f(R) = x_R, thus f(-R) = f(R)
• Given a valid signature (m, r, s), one obtains another as (m, r, -s mod q)
• This is exactly malleability
• Interpretation:
  – ECDSA is not broken
  – to eliminate malleability one needs to tweak ECDSA
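The ECDSA definition of slide 18 and the malleability of slide 20, worked through in an added example that is not part of the slides: a toy ECDSA over a tiny constructed curve (the textbook curve y^2 = x^3 + 2x + 2 over GF(17), generator of order 19), showing that (r, -s mod q) verifies whenever (r, s) does, next to one candidate tweak for verifiers (a low-s rule; my assumption, the slides do not specify which tweak) under which only one of the two signatures is accepted.

```python
import hashlib

# Toy curve y^2 = x^3 + 2x + 2 over GF(17), generator P of order q = 19 (constructed; far too small for real use).
p, a, P, q = 17, 2, (5, 1), 19

def add(A, B):  # point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None  # B == -A
    if A == B: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication k.A
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(m):  # hash into Z_q
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def sign(x, m, k):
    # ECDSA as on slide 18: r = f(k.P), s = (e + x r)/k mod q; None if r or s is 0, so the signer retries with a new k.
    r = mul(k, P)[0] % q
    s = (H(m) + x * r) * pow(k, -1, q) % q
    return (r, s) if r and s else None

def verify(Y, m, sig):
    # The slide's verifier: range check, R' = e s^-1 . P + r s^-1 . Y, accept iff r == f(R').
    r, s = sig
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    R = add(mul(H(m) * w % q, P), mul(r * w % q, Y))
    return R is not None and R[0] % q == r

def verify_low_s(Y, m, sig):
    # One possible tweak (my assumption; the slides do not specify one): accept only s <= q/2,
    # so at most one of (r, s) and (r, -s mod q) passes and the accepted signature string is unique.
    return sig[1] <= q // 2 and verify(Y, m, sig)

def demo(m=b"constructed message", x=7):
    Y = mul(x, P)
    sig = next(s for s in (sign(x, m, k) for k in range(1, q)) if s)  # first usable nonce
    twin = (sig[0], (-sig[1]) % q)  # second valid signature, obtained from f(-R) = f(R)
    return {"orig": verify(Y, m, sig), "twin": verify(Y, m, twin),
            "low_s_orig": verify_low_s(Y, m, sig), "low_s_twin": verify_low_s(Y, m, twin)}
```

demo() returns both plain verifications as True and exactly one of the two low-s verifications as True, which is the effect the tweak is meant to have.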

Slide 21: What does the proof tell?
• A security proof for ECDSA has been proposed in the generic model, where one gets access to elements of the group through encodings
• Probabilities are computed by randomizing on encodings
• Theorem: non-malleability of ECDSA cannot be broken with probability significantly greater than 5(n+1)(n+q_s+1)/q (q_s the number of signing queries, n the number of group operations)

Slide 22: In other words…
• The security proof "proves" a property that does not hold for the actual scheme
• Interpretation:
  – EC groups are not generic (they have automorphisms)
  – either change the model…
  – or tweak the scheme

Slide 23: Conclusions (1)
• We have shown several flaws in applying proof methodologies to signature schemes
• They are not mathematical errors but misconceptions about the security model

Slide 24: Conclusions (2)
• We have shown possible variants of the usual definition of security based on Existential Forgery and CMA,
  – either weaker (the SO-CMA scenario)
  – or stronger (requesting non-malleability)
• We believe that the strongest possible requirement should be adopted
• This would imply tweaks for ESIGN and ECDSA
