Provable Security: RSA-PKCS Encryption - Signature (slides, PDF document)

David Pointcheval, LIENS-CNRS, Ecole normale supérieure

Lawrence Berkeley National Lab, August 2003

Provable Security - RSA-PKCS - Encryption-Signature - 2 David Pointcheval

Summary

  • Encryption
    – PKCS #1 v1.5
    – PKCS #1 v2.0 : OAEP
  • Signature
    – PKCS #1 v1.5/2.0
    – PKCS #1 v2.1 : PSS
  • Conclusion

RSA (Rivest - Shamir - Adleman 1978)

  • n = pq : public modulus, e : public exponent
  • d = e^-1 mod ϕ(n) : private exponent

Encryption: c = m^e mod n; decryption: m = c^d mod n
Relies on the so-called RSA problem: extracting e-th roots mod n

Plain-RSA: Weak Security

  • One-Wayness = RSA Problem
  • Deterministic: cannot achieve Semantic Security
    Does c encrypt m0 or m1? Re-encrypt m0 and check whether the result is c
  • Multiplicativity: cannot prevent Chosen-Ciphertext Attacks
    With c = E(m) = m^e mod n, compute c' = 2^e c mod n and ask for its decryption m'
    Note that c' = (2m)^e mod n, thus m = m'/2 mod n

⇒ need for padding

PKCS #1 v1.5

EM = 00 || 02 || Padding String || 00 || Data Block
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

  • Efficient encoding/decoding
  • Probabilistic encryption
  • Breaks multiplicativity
  • But… a random ciphertext is valid with non-negligible probability ≈ 2^-16
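Added example (mine, not code from the slides): a PKCS #1 v1.5 encoder, the decryptor-side conformance check whose yes/no answer is the "validity" the slide refers to, and the exact probability that a uniformly random k-byte block passes it. It extends the slide's 2^-16 figure (which is the chance of matching the 00 02 header alone) to the full check; the message and modulus size used are constructed for the demo.

```python
import os
from typing import Optional

def eme_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """Build EM = 00 || 02 || PS || 00 || M for a k-byte modulus.
    PS is random, contains no zero byte and is at least 8 bytes long."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus size")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg

def is_conformant(em: bytes, k: int) -> bool:
    """The full decryptor-side check; its yes/no answer is the validity
    oracle the attack slides rely on."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return False
    sep = em.find(b"\x00", 2)           # first zero byte after the 00 02 header
    return sep != -1 and sep - 2 >= 8   # PS must be at least 8 non-zero bytes

def eme_pkcs1_v15_decode(em: bytes, k: int) -> Optional[bytes]:
    """Return the data block, or None when the block is not conformant."""
    if not is_conformant(em, k):
        return None
    return em[em.find(b"\x00", 2) + 1:]

def p_random_block_conformant(k: int, prefix_only: bool = False) -> float:
    """Probability that a uniformly random k-byte block passes the check.
    The 00 02 header alone is matched with probability 2^-16 (the slide's
    figure); the PS and separator conditions lower it only by a constant."""
    p_header = 2.0 ** -16
    if prefix_only:
        return p_header
    p_ps_nonzero = (255 / 256) ** 8                 # bytes 2..9 all non-zero
    p_separator = 1 - (255 / 256) ** (k - 10)       # some zero byte in bytes 10..k-1
    return p_header * p_ps_nonzero * p_separator
```

For k = 128 the full check still accepts roughly a third of 2^-16 of all random blocks, which is why the validity oracle is far from useless to an attacker.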

PKCS #1 v1.5

EM = 00 || 02 || Padding String || 00 || Data Block
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

Valid ciphertext ⇒ the MSB of the encoded message is at zero
  – The bit-security of RSA says that any bit of the e-th root is as hard as the whole e-th root
  – Any bit-leakage is serious
  – Here: 2 full bytes are leaked!

Breaking PKCS #1 v1.5

EM = 00 || 02 || Padding String || 00 || Data Block
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

Valid ciphertext C = EM^e mod n ⇒ 2 × 256^(k-2) ≤ EM < 3 × 256^(k-2)
Challenge ciphertext C* = (EM*)^e mod n
  – Find a small S such that C' = C* × S^e mod n is valid: for some 0 < r < S,
    2 × 256^(k-2) - rn ≤ EM* S < 3 × 256^(k-2) - rn
    ⇒ EM* lies in a small interval [a, b]

Breaking PKCS #1 v1.5

EM = 00 || 02 || Padding String || 00 || Data Block
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

Choose a new S such that the sets {a S mod n, (a+1) S mod n, …, b S mod n} and [2 × 256^(k-2), 3 × 256^(k-2)[ overlap
The validity of C' = C* S^e mod n tells in which part it is ⇒ new small interval [a', b'] for EM*
Approx.: any new valid ciphertext reduces the interval by 1/2

Breaking PKCS #1 v1.5

EM = 00 || 02 || Padding String || 00 || Data Block
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

  • Reaction Attack (validity requests) breaks the One-Wayness
  • Given a challenge ciphertext c*, after a few thousand validity requests on ciphertexts c, one can recover the plaintext m*


OAEP (Bellare-Rogaway '94)

M = m || 0^k, r random; s = M ⊕ G(r), t = r ⊕ H(s)

Encryption of (m, r): compute s, t, then c = f(s||t) = EM^e mod n
Decryption of c: compute EM = s||t = f^-1(c) = c^d mod n, invert OAEP, and check the redundancy

f a trapdoor one-way permutation (e.g. RSA), with G → {0,1}^n and H → {0,1}^|r|

IND-CCA2 under OW of f

In 1994, Bellare and Rogaway proved that
  • the OAEP construction provides an IND-CPA cryptosystem under the OW of f
  • it is plaintext-aware (PA94)

Proven: IND-CPA + PA94 ⇒ IND-CCA1
Widely believed, but not proven: IND-CPA + PA94 ⇒ IND-CCA2, and namely for OAEP…

IND-CCA2 under OW of f

In 1998, improved plaintext-awareness (PA98); proven: IND-CPA + PA98 ⇒ IND-CCA2
But… PA98 of OAEP was never studied, and IND-CCA2 of OAEP was still widely believed under the sole OW of f, namely for RSA-OAEP
RSA-OAEP: the most efficient and “provably secure” construction ⇒ became the new PKCS #1 v2.0

IND-CCA2 under OW of f

However, in 2000, Shoup showed a counter-example:
  – a trapdoor one-way permutation f
  – so that f-OAEP can be broken: it is malleable. From a ciphertext c of an unknown message m, one can build a ciphertext c' of m' = m ⊕ 1
⇒ break OW-CCA2, and thus IND-CCA

Given a challenge c, the encryption of m, one derives the ciphertext c' of m ⊕ 1; one request to the decryption oracle is enough!

Counter-Example

  • Let g be a trapdoor one-way permutation such that there exists an algorithm which, given a and g(x), computes g(x ⊕ a)
  • Let us define f(s,t) = s || g(t), which is clearly a trapdoor one-way permutation

Malleability

  m || 0^k, r  →(G, H)→  s, t
  m ⊕ δ → m'
  s ⊕ (δ || 0^k) → s'
  t ⊕ T → t',  with T = H(s) ⊕ H(s')

Malleability (details)

One receives c = f(s,t) = s || g(t), the encryption of (m, r), where M = m || 0^k, s = M ⊕ G(r), t = r ⊕ H(s)
  – One gets s, and computes s' = s ⊕ ∆ for some ∆ = δ || 0^k
  – One computes T = H(s) ⊕ H(s'), and t' = t ⊕ T, as well as g(t ⊕ T), granted g(t) and T
    r' = t' ⊕ H(s') = t ⊕ T ⊕ H(s') = t ⊕ H(s) = r
    M' = s' ⊕ G(r) = s ⊕ ∆ ⊕ G(r) = M ⊕ ∆ = (m ⊕ δ) || 0^k
  – c' = f(s',t') is a new ciphertext: of m ⊕ δ
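The OAEP construction and the malleation just detailed, as an added example that is not from the slides: OAEP over Shoup's f(s,t) = s || g(t), with g replaced by the toy permutation g(t) = t ⊕ K (an assumption: it has the XOR-malleability the argument needs but is not one-way), SHAKE-256 standing in for the random oracles G and H, and toy byte lengths chosen for the demo.

```python
import hashlib
import os

MLEN, KLEN, RLEN = 16, 8, 16   # toy sizes in bytes: |m|, redundancy 0^k, |r|

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:           # random-oracle stand-in, |G(r)| = |m| + k
    return hashlib.shake_256(b"G" + r).digest(MLEN + KLEN)

def H(s: bytes) -> bytes:           # random-oracle stand-in, |H(s)| = |r|
    return hashlib.shake_256(b"H" + s).digest(RLEN)

# Toy stand-in for Shoup's g: g(t) = t XOR K. It is a permutation with
# g(t XOR a) = g(t) XOR a, the only property the counter-example uses.
# It is NOT one-way; the real counter-example needs a trapdoor one-way g.
K = os.urandom(RLEN)
def g(t: bytes) -> bytes: return xor(t, K)
def g_inv(u: bytes) -> bytes: return xor(u, K)
def g_shift(gt: bytes, a: bytes) -> bytes: return xor(gt, a)  # g(t XOR a) from g(t), no trapdoor

def f(s: bytes, t: bytes) -> bytes:            # f(s, t) = s || g(t)
    return s + g(t)

def encrypt(m: bytes, r: bytes = None) -> bytes:
    r = os.urandom(RLEN) if r is None else r
    s = xor(m + bytes(KLEN), G(r))             # s = M XOR G(r), M = m || 0^k
    t = xor(r, H(s))                           # t = r XOR H(s)
    return f(s, t)

def decrypt(c: bytes):
    s, t = c[:MLEN + KLEN], g_inv(c[MLEN + KLEN:])   # f^-1 needs the trapdoor of g
    r = xor(t, H(s))
    M = xor(s, G(r))
    return M[:MLEN] if M[MLEN:] == bytes(KLEN) else None   # redundancy check

def malleate(c: bytes, delta: bytes) -> bytes:
    """c = E(m, r)  ->  c' = E(m XOR delta, r), querying H only (never G)."""
    s, gt = c[:MLEN + KLEN], c[MLEN + KLEN:]
    s2 = xor(s, delta + bytes(KLEN))           # s' = s XOR (delta || 0^k)
    T = xor(H(s), H(s2))                       # T = H(s) XOR H(s')
    return s2 + g_shift(gt, T)                 # s' || g(t XOR T) = f(s', t')
```

The malleation never evaluates G(r), which is exactly why it breaks IND-CCA2 without inverting f: only the s-half of f's input (the partial domain) is ever needed.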

Partial-Domain One-Wayness

From c = f(s,t), the encryption of (m, r) ⇒ c', the encryption of (m ⊕ δ, r), for any δ of his choice
  • without asking G(r) ⇒ OW of f not broken
  • but asking H(s) ⇒ partial-domain OW of f

This intuition can be made formal: breaking IND-CCA2 of f-OAEP ⇒ partially inverting f
Fujisaki-Okamoto-Pointcheval-Stern, Crypto '01

RSA: a Particular Case

The RSA permutation is particular: Partial-Domain One-Wayness ⇔ One-Wayness
Consequence: RSA-OAEP is IND-CCA2 under the classical RSA assumption

Note: Shoup repaired the proof for RSA exponent 3 only; we repaired it for any exponent

PKCS #1 v2.0

After Bleichenbacher's attack, the OAEP construction was adopted by RSA in PKCS #1 v2.0 (and still in v2.1)
Even if a construction is provably secure, careless implementations often lead to very weak cryptosystems
e.g. invalidity reasons must be indistinguishable:
  – MSB different from zero
  – Redundancy not satisfied
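An added example (not from the slides) of the implementation point above: an RSA-OAEP decryptor that reports the two invalidity reasons separately, beside one that always runs both checks and folds them into a single flag and a single error value. The toy Mersenne-prime modulus, SHAKE-256 for G and H, and the 2-byte redundancy are assumptions made for the demo.

```python
import hashlib
import os

P, Q = 2**31 - 1, 2**61 - 1        # toy Mersenne primes (far too small for real use)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus size in bytes (12)
TLEN, RED = 4, 2                   # |t| = |r| in bytes, and k = 2 redundancy zero bytes
SLEN = K - 1 - TLEN                # EM = 00 || s || t
MSG_LEN = SLEN - RED

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def G(r): return hashlib.shake_256(b"G" + r).digest(SLEN)   # random-oracle stand-in
def H(s): return hashlib.shake_256(b"H" + s).digest(TLEN)   # random-oracle stand-in

def encrypt(m: bytes, r: bytes = None) -> int:
    assert len(m) == MSG_LEN
    r = os.urandom(TLEN) if r is None else r
    s = xor(m + bytes(RED), G(r))            # s = (m || 0^k) XOR G(r)
    t = xor(r, H(s))                         # t = r XOR H(s)
    return pow(int.from_bytes(b"\x00" + s + t, "big"), E, N)

def unpad(em: bytes) -> bytes:
    s, t = em[1:1 + SLEN], em[1 + SLEN:]
    return xor(s, G(xor(t, H(s))))           # M = s XOR G(r) with r = t XOR H(s)

def decrypt_leaky(c: int):
    """Careless: the two invalidity reasons are reported separately."""
    em = pow(c, D, N).to_bytes(K, "big")
    if em[0] != 0:
        return "MSB error"                   # distinguishable reason 1
    M = unpad(em)
    if M[-RED:] != bytes(RED):
        return "redundancy error"            # distinguishable reason 2
    return M[:-RED]

def decrypt_uniform(c: int):
    """Both checks always run; one accumulated flag, one error value."""
    em = pow(c, D, N).to_bytes(K, "big")
    bad = em[0]                              # non-zero MSB byte
    M = unpad(em)                            # computed even if the MSB already failed
    for b in M[-RED:]:
        bad |= b                             # non-zero redundancy byte
    return None if bad else M[:-RED]
```

Collapsing the error values is necessary but not sufficient: the timing of the two failure paths must also be equalised, which this snippet only approximates by always running both checks.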


Plain-RSA Signature

  • n = pq : public modulus, e : public exponent
  • d = e^-1 mod ϕ(n) : private exponent

Signature of m: σ = m^d mod n
Verification of (m, σ): check m = σ^e mod n

Existential forgery:
  – choose a random σ
  – compute m = σ^e mod n

PKCS #1 v1.5/2.0

EM = 00 || 01 || Padding String || 00 || Digest Info
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

Signature of m: σ = f^-1(EM(m))
Verification of (m, σ): check f(σ) = EM(m)

PKCS #1 v1.5/2.0

EM = 00 || 01 || Padding String || 00 || Digest Info
(Padding String: length ≥ 8 bytes, every byte ≠ 0)

  • Digest Info = HashID and H(m)
    It is small, and the padding string can be long… under the control of the adversary
  • Using the multiplicativity of RSA, a weakness was found in 1999

Attack Idea

  • A lot of freedom in the Padding String
  • Get many EM_i for several i such that EM = Π EM_i ⇒ σ = Π σ_i
    After several queries to the signing oracle, one can build a new signature

New Version

Applied on a slight variant of ISO 9796-1, but theoretical only on PKCS #1 v1.5… less efficient than factoring!
Anyway, a provably secure construction was better.


Probabilistic Signature Scheme (Bellare-Rogaway '96)

  m, r  →(H)→  w  →(G, F)→  s, t   (w, s, t of k2, k1, k0 bits)

k = k0 + k1 + k2 + 1, {0,1}^(k-1) ⊂ X ⊂ {0,1}^k, f : X → X
y = 0 || w || s || t, σ = f^-1(y)

RSA-PSS

  • n, k-bit RSA modulus (k = k0 + k1 + k2 + 1)
  • n, e : public key
  • d : private key

H : {0,1}* → {0,1}^k2, G : {0,1}^k2 → {0,1}^k1, F : {0,1}^k2 → {0,1}^k0

w = H(m, r), s = G(w) ⊕ r, t = F(w), y = 0 || w || s || t, and σ = y^d mod n
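The RSA-PSS signature and verification just described, as an added example that is not from the slides: the layout y = 0 || w || s || t with w = H(m, r), s = G(w) ⊕ r, t = F(w), over a toy Mersenne-prime modulus and with SHAKE-256 standing in for H, G and F (assumptions; the sizes k2 = k1 = 32 bits are constructed for the demo).

```python
import hashlib
import os

P, Q = 2**31 - 1, 2**61 - 1        # toy Mersenne primes (far too small for real use)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KBITS = N.bit_length()             # k-bit modulus (92 here)
K2, K1 = 32, 32                    # |w| = k2 bits, |s| = |r| = k1 bits
K0 = KBITS - K1 - K2 - 1           # |t| = k0 bits, so k = k0 + k1 + k2 + 1

def h_int(tag: bytes, data: bytes, bits: int) -> int:
    """Hash `data` to a `bits`-bit integer (SHAKE-256 as random-oracle stand-in)."""
    d = hashlib.shake_256(tag + data).digest((bits + 7) // 8)
    return int.from_bytes(d, "big") >> ((-bits) % 8)

def H(m: bytes, r: int) -> int: return h_int(b"H", m + r.to_bytes(8, "big"), K2)
def G(w: int) -> int: return h_int(b"G", w.to_bytes(8, "big"), K1)
def F(w: int) -> int: return h_int(b"F", w.to_bytes(8, "big"), K0)

def sign(m: bytes, r: int = None) -> int:
    if r is None:
        r = int.from_bytes(os.urandom(8), "big") >> (64 - K1)   # random k1-bit salt
    w = H(m, r)                 # w = H(m, r)
    s = G(w) ^ r                # s = G(w) XOR r
    t = F(w)                    # t = F(w)
    y = (w << (K1 + K0)) | (s << K0) | t   # y = 0 || w || s || t, so y < 2^(k-1) <= n
    return pow(y, D, N)         # sigma = y^d mod n

def verify(m: bytes, sigma: int) -> bool:
    y = pow(sigma, E, N)
    if y >> (KBITS - 1):        # leading bit of the k-bit string must be 0
        return False
    t = y & ((1 << K0) - 1)
    s = (y >> K0) & ((1 << K1) - 1)
    w = y >> (K0 + K1)
    r = s ^ G(w)                # recover the salt, then recompute w and t
    return w == H(m, r) and t == F(w)
```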

RSA-PSS

  • Provably secure: no existential forgeries under chosen-message attacks
  • Efficient security proof ⇒ practical security
  • Probabilistic

⇒ PKCS #1 v2.1


Conclusion

Almost all the previously defined paddings, which came without any security proof, have been shown to be flawed.
Any new standard (ISO, IEEE, IETF, PKCS, …) needs a security proof.