Proving tight security for Rabin-Williams signatures D. J. - PDF document

Proving tight security for Rabin-Williams signatures D. J. Bernstein

Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest Shamir Adleman: e s � m 2 pq Z . verify pq ; e ) with big random e ; Public ( m ; signature s 2 Z =pq . message 1977 (and 1978) RSA was slow: e th powering. many mults in Even worse, horribly insecure: m; s ) = (1 ; 1). e.g. forge (

s 2 � H ( m ) 2 pq Z . 1979 Rabin: H . Public pq . Standard m . Signature s . Message Fast; conjecturally secure; but � 1 = 4 of all m ’s. can sign only s 2 � H ( r ; m ) 2 pq Z . 1979 Rabin: r ; s ) instead of s . Signature ( r ’s, Signer tries random � 4 times. on average ef s 2 � � � � 2 pq Z ; 1980 Williams: e 2 f� 1 ; 1 g ; f 2 f 1 ; 2 g . h 2 Z =pq is ef s 2 Each for exactly 4 vectors ( e; f ; s ) p 2 3 + 8 Z , q 2 7 + 8 Z . if

Subsequent RW variations: � Eliminate Euclid, Jacobi. � Expand s for faster verification. � Compress s to 1 = 2 size. � Compress pq to 1 = 3 size. � Compress (“recover”) m via H . Many other signature systems (e.g. elliptic-curve Schnorr), but RW family still holds verification speed records. RW is the best choice for verification-heavy applications: e.g., Internet DNS security.

Attacks against RW pq Attacker sees public key m; e; f ; r ; s ) and many vectors ( legitimately signed under that key. 0 0 0 0 0 ) m ; e ; f ; r ; s Attacker forges ( 0 0 e 2 f� 1 ; 1 g , f 2 f 1 ; 2 g , with 0 of standard length, 0 r s 2 Z =pq . Forgery is successful if 0 0 ( 0 ) 2 0 0 ) e f s � H ( r ; m 2 pq Z and 0 wasn’t legitimately signed. m Fundamental security question: What’s maximum Pr[ A succeeds] A ? among all feasible attacks

Maybe answer depends on how messages are generated. We want Pr[ A succeeds] small for all message generators A . and all feasible attacks Different users have different types of message generators, communication between attacker and message generator, etc. Would be painful to analyze each generator separately. Similarly, would be painful to limit set of messages.

H inversion. Attack 1: Blind 0 0 0 , e ; f ; s Attacker chooses 0 0 ( 0 ) 2 + h 2 e f s pq Z , chooses 0 0 r ; m guesses uniform random 0 0 ) = H ( r ; m h , until finding 0 0 0 0 0 ). m ; e ; f ; r ; s forges ( Obstacle to success of attack: What’s chance of finding 0 0 ) = H ( r ; m h after a feasible number of guesses? Conjecturally negligible H . for every popular

Attack 2: Blind collision search. 0 0 00 r ; m ; r ; m Attacker guesses 0 m m and with 6 = 0 0 ) = 00 H ( r ; m H ( r ; m ). m Message generator gives m; e; f ; r ; s ). to signer: ( 0 0 m ; e; f ; r ; s ). Attacker forges ( 00 : r = r Forgery succeeds if 00 0 0 ). H ( r ; m ) = H ( r ; m ) = H ( r ; m r is short. Good chance if Same obstacle as before: Feasible number of guesses has conjecturally negligible H . chance of finding collision in

Attack 3: MD5 collision search. Was popular last decade H ( x ) = G (MD5( x )) to build G . for standard function H . Assume this shape of Feasible calculation, highly non-uniform guessing, finds collisions in MD5. (2004 Wang Feng Lai Yu) H . Thus obtain collision in Forge as in attack 2. Good chance of success r is short. Feasible attack! if

One reaction to this attack: MD5 was a bad design. H . Change choice of Collisions conjecturally infeasible H ’s. for many popular Another reaction (1979 Rabin, 1989 Schnorr, et al.): r . Standardize 256-bit 00 . r = r Negligible chance of Inversions conjecturally infeasible H ’s. for many popular Is second reaction better? r is clear disadvantage. Long H ? Maybe outweighed by faster

Attack 4: Factorization by NFS. Attacker hires computational n number theorist to factor using the number-field sieve. 0 , signs 0 m m Attacker chooses same way as legitimate signer. 1978 RSA: “We recommend using 100-digit (decimal) p and q , prime numbers n has 200 digits.” so that 2005 Bahr Boehm Franke Kleinjung: “We have factored RSA200 by GNFS.”

Attack 5: Leak detection. Signer has many choices m : of signature for B choices of B -bit r , 2 e; f ; s ). and then 4 choices of ( Imagine idiotic signer p making successive bits of visible to attacker by, e.g., r or copying them into bits of s mod pq . into Jacobi symbol of Evidently security depends on choice of signing algorithm.

Many more attacks in literature. Many (most?) of the attacks H -generic : are H attack works for every function H ’s) (or a large fraction of if signer, attacker, verifier H . use an oracle for It’s quite embarrassing for a system to be broken H -generic attack by an faster than factorization! Example: Signing-leak attacks H -generic, embarrassing. are

1987 Fiat Shamir: Here’s a signature system where embarrassment is limited. H -generic attack Can convert into factorization algorithm with only polynomial loss of efficiency and effectiveness. 1996 Bellare Rogaway: Here’s a signature system immune to embarrassment. H -generic attack Can convert into factorization algorithm with almost negligible loss of efficiency and effectiveness.

Many subsequent systems and “reductions in the random-oracle model.” Confusing terminology. Common flaws in the theorems: � Reductions aren’t very tight. � Tightness isn’t quantified. � Proofs have gaps, errors. � The theorems don’t apply to the fastest systems. The point of this talk: We can do better! Now have very tight proofs for some state-of-the-art RW variants. (most recently 2006 Bernstein)

Three state-of-the-art systems “Fixed 0-bit unstructured RW” is immune to embarrassment. r “0-bit”: 0 bits in (despite 2002 Coron theorem that “FDH can’t be tight”). “Unstructured”: Signer’s choice e; f ; s ) is uniform random, of ( p; q ). independent of ( m again, “Fixed”: Given same signer chooses same signature. For comparison, easily break “variable 0-bit unstructured RW.”

“Fixed” needs memory m ’s. for signatures of old But, without memory, can produce indistinguishable results, assuming standard conjectures in secret-key cryptography: signer generates “random” bits m together with by hashing p; q . a secret independent of (1997 Barwood, 1997 Wigley) m using Poly1305 Can hash or forthcoming MAC1071; just a few cycles per byte. Scramble output with Salsa20.

“Fixed 1-bit principal RW” is immune to embarrassment. r , “1-bit”: uniform random bit p; q ). independent of ( “Principal”: Signer chooses e = 1 when there’s a choice; f = 1 when there’s a choice; s 2 Z =pq and the unique that’s a square in Z =pq . (Same idea as 2003 Katz Wang reduction for fixed 1-bit RSA etc., but need generalization beyond “claw-free permutation pairs.”)

j principal j RW” “Fixed 128-bit is immune to embarrassment. “128-bit”: uniform random r , independent of ( p; q ). 128-bit “ j Principal j ”: Signer chooses e = 1 when there’s a choice; f = 1 when there’s a choice; s 2 f 0 ; 1 ; : : : ; ( pq � 1) = 2 g and s or � s square in Z =pq . with Implementation note: Can continue to avoid Euclid, Jacobi.

Blind attacks A 1 that, � � Consider algorithm pq 2 ; : : : ; 2 2049 � 1 2 2048 given 0 , computes ( e 0 0 0 ). h ; f ; s and 0 0 ( 0 ) 2 = 0 ] How large is Pr[ e f s h 0 ? h for uniform random 2048-bit A 0 : Build factorization algorithm e; f ; s ); choose uniform random ( 0 = h ef s 2 ; compute 0 h � 2 2048 ; start over if 0 0 0 ) = 0 ); compute ( e ; f ; s A 1 ( pq ; h � � 0 pq ; s � s compute gcd . A 1 . Comparable efficiency to

A 1 as successful Define 0 0 ( 0 ) 2 = 0 . e f s h if A 1 is always successful If 0 0 ( 0 ) 2 = e f s ef s 2 ; then 0 s ; s are coprime to pq � � , tiny � ; with probability 1 0 s ; s are independent square roots; � � 0 pq ; s � s 2 f p; q g so gcd � (1 � � ) = 2. with probability More generally: A 1 succeeds] = � for If Pr[ 0 then h uniform random 2048-bit A 0 factors pq ] � � (1 � � ) = 2. Pr[

Seeing a signature A 2 that, Consider algorithm 0 h; e; f ; s; h ; pq with given 0 0 0 ). h = ef s 2 , computes ( e ; f ; s 0 0 ( 0 ) 2 = 0 ] How large is Pr[ e f s h for independent uniform 0 ? h; h random 2048-bit Three versions of question: e; f ; s ). 1. Unstructured ( e; f ; s ). 2. Principal ( j Principal j ( e; f ; s ). 3. Analogy: Attack sees signature of 0 m , forges signature of m m . 6 =

A 2 learns nothing Intuition: h; e; f ; s . from seeing Formalization: pq , Simulated signer , given h; e; f ; s ) with generates random ( exactly the right distribution. A 1 from A 2 . Thus can build 0 , A 1 , given pq ; h h; e; f ; s ; generates 0 A 2 with h; e; f ; s; h ; pq . runs A 2 succeeds] = Pr[ A 1 succeeds]. Pr[