
The Methodology of Provable Security

Marc Joye

Thomson Security Labs marc.joye@thomson.net

DIWALL Seminar − March 20, 2008

Contents

Part I   Introduction
Part II  Signature Schemes
Part III Encryption Schemes
Part IV  Conclusion


Part I

Introduction

Digital Signatures

Digital counterpart of a handwritten signature

Key properties

Digital signature ⇒ authentication, integrity, non-repudiation


Textbook RSA Signature

  • Key generation
    Input: key length k and e
    Output: N = pq such that |N|₂ = k and gcd(e, φ(N)) = 1; d = e⁻¹ mod φ(N); pk = {e, N} and sk = {d}

  • [Plain] RSA signing
    Input: private key sk and message m
    Output: signature σ = m^d mod N

  • [Plain] RSA verification
    Input: public key pk, signature σ, and message m
    Output: check σ^e ≟ m (mod N)

Existential Forgeries

Signing: σ = m^d mod N
Verification: σ^e ≟ m (mod N)

  1. Choose a random r
  2. Compute m = r^e mod N
  3. Set σ = r
  4. Output σ as the signature on “message” m

Selective Forgeries

Observation
Multiplicative property: (m1 m2)^d ≡ m1^d m2^d ≡ σ1 σ2 (mod N)

  • To obtain the signature σ on a chosen message m:
    1. Choose a random m1 = r and define m2 = m/r mod N
    2. Obtain the signatures σ1 = m1^d mod N and σ2 = m2^d mod N
    3. Output σ = σ1 σ2 mod N

  • One-message forgery?
    Idem with m1 = r^e mod N for a random r (note that σ1 = r, so only the signature on m2 has to be requested)

What Does Secure Mean?

  • Given (m, e), computing σ = m^{1/e} mod N is difficult
    ⇒ textbook RSA signatures are unforgeable (provided that the RSA problem is hard)

  • . . . but it is easy given an oracle returning the signature on chosen messages
    ⇒ textbook RSA signatures are (universally) forgeable under chosen-message attacks
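The two forgeries of slides 3 and 4, run against a constructed toy RSA key, beside a hash-then-sign variant in the style of RSA-FDH (slide 11) in which a forger would have to find a message hashing to r^e or to a product of earlier hashes. This is an added example, not code from the talk; the 12-bit modulus and the SHA-256-based H are toy stand-ins for a real key and a real full-domain hash.

```python
import hashlib

# Constructed toy RSA key for illustration only (real keys use a 2048-bit or larger N).
P, Q = 61, 53
N = P * Q                       # 3233
PHI = (P - 1) * (Q - 1)         # 3120
E = 17
D = pow(E, -1, PHI)             # 2753, i.e. d = e^-1 mod phi(N)

def rsa_sign(m: int) -> int:
    """Plain RSA signing from slide 3: sigma = m^d mod N."""
    return pow(m, D, N)

def rsa_verify(m: int, sigma: int) -> bool:
    """Plain RSA verification: sigma^e == m (mod N)."""
    return pow(sigma, E, N) == m % N

def existential_forgery(r: int) -> tuple:
    """Slide 3: pick r, publish m = r^e mod N with sigma = r. No signing key is used,
    but the forger has no control over which 'message' m comes out."""
    return pow(r, E, N), r

def multiplicative_forgery(m1: int, sigma1: int, m2: int, sigma2: int) -> tuple:
    """Slide 4: two genuine signatures combine into a third one on m1*m2 mod N."""
    return (m1 * m2) % N, (sigma1 * sigma2) % N

def H(m: bytes) -> int:
    """Toy full-domain hash into Z_N built from SHA-256 (a stand-in, not a real FDH encoding)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def fdh_sign(m: bytes) -> int:
    """Hash-then-sign: sigma = H(m)^d mod N. The multiplicative structure now lives on
    hash values, which the forger cannot choose."""
    return pow(H(m), D, N)

def fdh_verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == H(m)
```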


Provable Security

  • Security proofs
      • Reduction to a hard problem
      • Definition of a security model
      • Definition of the adversary’s resources

  • Security notions
      • Signature schemes
      • Encryption schemes

Bibliography

  • Mihir Bellare
    Practice-oriented provable security
    Lectures on Data Security, LNCS 1561, pages 1–15, Springer, 1999

  • Neal Koblitz and Alfred J. Menezes
    Another look at “provable security”
    J. Cryptology 20(1):3–37, 2007

Part II

Provably Secure Signature Schemes

Digital Signatures

Definition

A digital signature scheme is a set of 3 algorithms:

  1. Key generation
     Input: security parameter κ
     Output: key pair (pk, sk)

  2. Signing
     Input: signing key sk, message m [and random r]
     Output: σ = S(sk, m [, r])

  3. Verification
     Input: verification key pk, signature σ [and message m]
     Output: V(pk, σ [, m]) = 0 or 1


Security Notions

Security goals

  • Key unbreakability
  • Universal unforgeability
  • Selective unforgeability
  • Existential unforgeability (EUF)

Attack scenarios

  • No resources (except public key pk)
  • Known-message attacks
  • Chosen-message attacks (CMA)

Definition

A security notion is a pair (security goal, attack scenario), e.g., EUF-CMA

EUF-CMA Adversary


Simulation Paradigm ‘Reductio ad Absurdum’

  0. Challenge: some instance I of an ‘intractable’ problem
  1. Simulation: pk given to A; simulation of Ssk(·) to answer the qS queries of A
  2. Reduction: resolution of I from (m∗, σ∗)

⇒ “Reductionist” security


Cryptographic Problems

Definition (RSA problem)
Given an RSA modulus N, a public exponent e ∈ Z∗_φ(N) and a random y ∈R Z∗_N, compute x = y^{e⁻¹ mod φ(N)} mod N

Definition (Flexible RSA [a.k.a. SRSA] problem)
Given an RSA modulus N and a random y ∈R Z∗_N, find a pair (x, e) s.t. y ≡ x^e (mod N) and e > 1

GHR Signature Scheme I

Key generation
  • pk = {N, u} with N = (2p′ + 1)(2q′ + 1) and u ∈R Z∗_N
  • sk = {p′, q′}
Signing: for a message m ∈ M, compute σ = u^{c⁻¹ mod 2p′q′} mod N where c = H(m)
Verification: signature σ on message m ∈ M is valid ⇔ σ^{H(m)} ≡ u (mod N)

Hash function H has to be division-intractable
  • e.g., H : M → {primes} ∩ {0, 1}^ℓh

Security of GHR Scheme I

Theorem
Suppose that the SRSA problem is (τ, ε)-hard. Then, for any qS, GHR signature scheme I is (τA, qS, εA)-secure in the sense of EUF-CMA, where
  ε ≥ εA / #M  and  τ ≤ τA + (qS + #M) poly(κ)

Security Proof

Challenge: given (N, y), find (x, e) s.t. y ≡ x^e (mod N) and e > 1

Simulation
  • Key generation: pk = {N, u}
    choose m′ ∈R M, define E = ∏_{m ∈ M, m ≠ m′} H(m) and u = y^E mod N
  • Signing: on input message m
    if m ≠ m′ then return σ = y^{E/H(m)} mod N (indeed σ^{H(m)} = y^E = u, and H(m) divides E)
    if m = m′ then abort

Reduction: A returns a forgery (σ∗, m∗) with probability εA
  • If m∗ = m′ then σ∗ = y^{E/H(m′)} mod N
  • Find a, b ∈ Z with aE + bH(m′) = 1 (possible since gcd(E, H(m′)) = 1 when H outputs distinct primes) and set x = σ∗^a y^b mod N and e = H(m′); then x^e ≡ y (mod N)

Success probability: 1 · (1 − qS/#M) · εA · 1/(#M − qS) = εA / #M


EUF-CMA Adversary (RO Model)
  • RO = Random Oracle

RSA-FDH

Key generation: pk = {N, e}, sk = {d} with d = e⁻¹ mod φ(N)
Signing
  • Padding: m → H(m) with H : {0, 1}∗ → (Z/NZ)∗
  • Signature: σ = H(m)^d mod N
Verification: given m and σ, check whether σ^e mod N ≟ H(m)

Theorem
Suppose that the RSA problem is (τ, ε)-hard. Then, for any qH, qS, the RSA-FDH signature scheme is (τA, qS, qH, εA)-secure in the sense of EUF-CMA in the RO model, where
  ε ≥ εA / (qH + qS)  and  τ ≤ τA + (qH + qS) poly(κ)


Security Proof of FDH

  • Simulation/reduction principle
    Challenge: RSA(N̂, ê, ŷ): find x̂ ∈ Z/N̂Z s.t. ŷ ≡ x̂^ê (mod N̂)

  • Notation
    qH: number of hash queries that are not followed later by a signature query on the same message
    qS: number of signature queries

Simulation (1)

Simulation of K(1^κ)
  • Choose j ∈R {1, . . . , qH + qS}
  • pk = {N, e} with N = N̂ and e = ê

Simulation of H(m)
  • If m ∈ Hist[H] then return H(m)
  • Otherwise, increment i and
    if i ≠ j, add (m, σi, hi) to Hist[H] with hi = σi^e mod N for a random σi ∈R (Z/NZ)∗, and return hi
    if i = j, add (m, ⊥, hj) to Hist[H] with hj = ŷ, and return hj

Simulation of Ssk(m)
  • If m ∉ Hist[H] then invoke H
  • Let (m, σi, hi) be the entry in Hist[H] corresponding to m
    if σi = ⊥ then fail and stop
    otherwise return σi

Reduction (2)

Reduction
  • A returns a forgery σ∗ = H(m∗)^d mod N with probability εA, after time τA, qH queries to H and qS queries to S
  • If m∗ = mj then σ∗ = H(mj)^d mod N with H(mj) = ŷ
    ⇒ x = σ∗ is a solution to the RSA instance since ŷ ≡ σ∗^e (mod N)

Analysis
  • Success probability
    ε = Pr[Simulation is perfect] · εA · Pr[m∗ = mj] = (1 − qS/(qH + qS)) · εA · 1/qH = εA / (qH + qS)
  • Time
    τ = τA + (qH + qS) poly(κ)

Concrete Security

  • Security of RSA-FDH: ε = εA / (qH + qS)
  • If qH = 2^40 and qS = 2^20 then
    ε = 2^−120 if εA = 2^−80
    εA = 2^−40 if ε = 2^−80
  • Improvement
    optimal proof: ε = εA / qS
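The FDH simulator of slides 12 and 13 written out as an added example (not code from the talk): it answers H and S queries using only the RSA challenge (N̂, ê, ŷ), programs ŷ into the j-th fresh hash query, fails on a signature query for that message, and turns a forgery on it into an RSA solution. The modulus 3233 = 61·53 and ŷ = 2000 are constructed toy values, and j is passed in explicitly so a run is deterministic.

```python
import math
import random
from typing import Dict, Optional, Tuple

class FDHSimulator:
    """RO-model simulator for RSA-FDH: never holds the signing key d."""

    def __init__(self, N: int, e: int, y: int, j: int, rng: Optional[random.Random] = None):
        self.N, self.e, self.y, self.j = N, e, y, j   # (N, e, y): challenge; j: index receiving y
        self.rng = rng or random.Random(0)
        self.i = 0                                    # counter of fresh H queries
        self.hist: Dict[bytes, Tuple[Optional[int], int]] = {}   # Hist[H]: m -> (sigma_i, h_i)

    def hash_query(self, m: bytes) -> int:
        if m in self.hist:                            # repeated query: same answer
            return self.hist[m][1]
        self.i += 1
        if self.i == self.j:
            self.hist[m] = (None, self.y)             # H(m_j) := y; sigma_j is unknown (bot)
        else:
            while True:                               # sigma_i random in (Z/NZ)*
                sigma = self.rng.randrange(2, self.N)
                if math.gcd(sigma, self.N) == 1:
                    break
            self.hist[m] = (sigma, pow(sigma, self.e, self.N))   # h_i = sigma_i^e mod N
        return self.hist[m][1]

    def sign_query(self, m: bytes) -> Optional[int]:
        """S_sk(m): returns sigma_i, or None when the simulation must fail (m == m_j)."""
        if m not in self.hist:
            self.hash_query(m)
        return self.hist[m][0]

    def reduce(self, m_star: bytes, sigma_star: int) -> Optional[int]:
        """Forgery on m_j satisfies sigma*^e = H(m_j) = y, so x = sigma* solves the instance."""
        h = self.hash_query(m_star)
        if h == self.y and pow(sigma_star, self.e, self.N) == h:
            return sigma_star
        return None
```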


Other Schemes

  • RSA-PSS [Bellare and Rogaway, 1996]
    Probabilistic Signature Scheme: µ(m) = µPSS(m, r) for a random r
    highest security level (EUF-CMA) in the ROM
    tight security proof
    can be with message recovery
  • PKCS #1 v2.1 [RSA Labs]

GHR Signature Scheme II

Key generation
  • pk = {N, u, y, g, P} with N = (2p′ + 1)(2q′ + 1), u ∈R Z∗_N, y ∈R ⟨g⟩ ⊆ Z∗_P, ⟨g⟩ of prime order Q | (P − 1)
  • sk = {p′, q′}
Signing: for a message m ∈ M, compute σ = (r, u^{c⁻¹ mod 2p′q′} mod N) where c = H(g^m y^r mod P) for some r ∈R ZQ
Verification: signature σ = (r, s) on message m ∈ M is valid ⇔ s^{c′} ≡ u (mod N) where c′ = H(g^m y^r mod P)

Security reduction is tight but, again, hash function H has to be division-intractable


Chameleon (a.k.a. Trapdoor) Hash

Example (DL-based)
Let G = ⟨g⟩ ⊆ Z∗_P of order Q
H : M × ZQ → {0, 1}^ℓh, (m, r) ↦ H(g^m y^r mod P)
  • c = H(m, r) = H(m′, r′) ⇒ r′ = r + (m − m′)/x mod Q, where x = DLg(y)

Example (RSA-based)
Let N = pq be an RSA modulus
H : M × ZN → {0, 1}^ℓh, (m, r) ↦ H(g^m r^E mod N)
  • c = H(m, r) = H(m′, r′) ⇒ r′ = r (g^{m−m′})^D mod N, where D = E⁻¹ mod φ(N)

Design Criteria

  • Make the GHR signature scheme practical
    keep a tight reduction without relying on the division-intractability assumption
  • Intuition
    choose a random prime exponent c
    use a chameleon function to tighten the security reduction
      • in particular, an RSA-type chameleon function
      • the security of TSS is solely related to the SRSA problem

TSS Signature Scheme

Key generation
  • pk = {n, N, u, g, E} with
    n = (2p′ + 1)(2q′ + 1) and N = (2P′ + 1)(2Q′ + 1)
    u ∈R Z∗_n and g ∈R Z∗_N
    E an (ℓm + 1)-bit prime (and gcd(E, P′Q′) = 1)
  • sk = {p′, q′, D} where D = E⁻¹ mod 2P′Q′

Signing: for a message m ∈ M = {0, 1}^ℓm, compute σ = (r, s) with
    r = (c g^{−(m+1)})^D mod N  and  s = u^{c⁻¹ mod 2p′q′} mod n
  for some random prime c ∈R [(N + 1)/2, N[

Verification: signature σ = (r, s) on message m ∈ M is valid ⇔ s^{c′} ≡ u (mod n) where c′ = g^{m+1} r^E mod N

Notes:
  1) For sEUF-CMA, also check that (r, s) ∈ [0, N[ × [0, n[
  2) No need to check the primality of c′

Security Analysis

Theorem
Suppose that the flexible RSA problem is (τ, ε)-hard. Then, for any qS, the TSS signature scheme is (τA, qS, εA)-secure in the sense of sEUF-CMA, where
  ε ≥ εA / 2  and  τ ≤ τA + O(ℓn^5 + qS ℓn^3 max(log qS, ℓn))

  • The proof technique makes use of the chameleon paradigm to get a tight security reduction


Efficiency Analysis

  Scheme    | Security tightness | Assumption      | Typical values           | |σ|       | |pk|      | |sk|
  GHR (II)  | O(1)               | Div + DL + SRSA | ℓn = ℓp = 1024, ℓq = 160 | ℓn + ℓq   | 2ℓn + 3ℓp | ½ ℓn
  Twin-GHR  | O(1)               | SRSA            | ℓn = 1024, ℓm = 160      | 2ℓn + 2ℓm | 4ℓn       | ℓn
  CS        | O(1/qS)            | SRSA            | ℓn ≫ 1024, ℓh = 160      | 2ℓn + ℓh  | 3ℓn + ℓh  | ½ ℓn
  Fischlin  | O(1/qS)            | SRSA            | ℓn ≫ 1024, ℓh = 160      | ℓn + 2ℓh  | 4ℓn       | ½ ℓn
  TSS       | O(1)               | SRSA            | ℓn = 1024, ℓm = 160      | 2ℓn       | 4ℓn + ℓm  | ℓn

On-line/Off-line Version

Key generation: idem regular version
Signing (off-line): prepare a coupon σ′ = (k′, r, s) with
    r = g^{k′−D} c^D mod N  and  s = u^{c⁻¹ mod 2p′q′} mod n
  for some random prime c ∈R [(N + 1)/2, N[ and a random (ℓn + ℓm + ℓ)-bit integer k′
Signing (on-line): for a message m ∈ M = {0, 1}^ℓm, compute σ = (k, r, s) with k = k′ + D m from a fresh coupon σ′ = (k′, r, s)
Verification: on-line/off-line signature σ = (k, r, s) on message m ∈ M is valid ⇔ s^{c′} ≡ u (mod n) where c′ = g^{m+1} r′^E mod N and r′ = r g^{−k} mod N


Summary

  • The TSS signature scheme
    meets the highest security notion
    is proven secure in the standard model
    is tightly and solely related to SRSA
    does not require additional properties on a hash function
      • and so is practical
    comes with a companion on-line/off-line variant
      • using the same set of keys
  • My recommendation
    Use it!

Bibliography

  • M. Bellare and P. Rogaway
    Random oracles are practical: A paradigm for designing efficient protocols
    1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM Press, 1993
  • B. Chevallier-Mames and M. Joye
    A practical and tightly secure signature scheme without hash function
    Topics in Cryptology − CT-RSA 2007, LNCS 4377, pp. 339–356, Springer, 2007
  • R. Gennaro, S. Halevi, and T. Rabin
    Secure hash-and-sign signatures without the random oracle
    Advances in Cryptology − EUROCRYPT ’99, LNCS 1592, pp. 123–139, Springer-Verlag, 1999

Part III

Provably Secure Encryption Schemes

Encryption Schemes

Definition

A (public-key) encryption scheme is a set of 3 algorithms:

  1. Key generation
     Input: security parameter κ
     Output: key pair (pk, sk)

  2. Encryption
     Input: encryption key pk, message m [and random r]
     Output: C = E(pk, m [, r])

  3. Decryption
     Input: decryption key sk, ciphertext C
     Output: m = D(sk, C)


Security Goals

  • Key unbreakability
  • Non-reversibility
  • Indistinguishability of encryptions
  • . . .

A system has indistinguishable encryptions if no adversary A can win the following game:
  Find: A chooses 2 equal-length plaintexts m0 and m1
  Guess: A is now given the encryption c_b of m_b for an unknown bit b
The goal of adversary A is to guess the value of b with probability > 1/2

Attack Scenarios

Passive attacks: A only observes the communication channel
  • Ciphertext-only attacks
  • Known-plaintext attacks
Chosen-plaintext attacks (CPA)
  • Non-adaptive/Adaptive
Chosen-ciphertext attacks (CCA)
  • Non-adaptive/Adaptive
  • E.g., A gained access to the decryption equipment

Security Notions

Definition
A security notion is a pair (security goal, attack scenario)

Highest security level: IND-CCA2
  • that is, indistinguishability under adaptive chosen-ciphertext attacks

RSA-OAEP Encryption

Key generation: pk = {N, e}, sk = {d} with d = e⁻¹ mod φ(N)
Encryption
  • Choose a random r
  • Padding: w = (m ‖ 0^k) ⊕ G(r) and t = r ⊕ H(w)
  • Encryption: C = (w ‖ t)^e mod N
Decryption: given C, compute
  1. (w′ ‖ t′) = C^d mod N
  2. r′ = H(w′) ⊕ t′
  3. (m′ ‖ z′) = G(r′) ⊕ w′
  and output m = m′ if z′ = 0^k
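The OAEP padding, encryption and redundancy-checked decryption steps above, as an added example that is not code from the talk or from PKCS #1. It assumes a constructed toy key N = (2^31 − 1)(2^61 − 1), an 11-byte padded block w ‖ t so that it fits below N, and counter-mode SHA-256 as a stand-in for the random oracles G and H; real deployments use a 2048-bit or larger N and the standardized mask generation function.

```python
import hashlib
from typing import Optional

# Constructed toy RSA key: N is about 92 bits, so the padded block w||t is fixed
# at 11 bytes (88 bits) to stay below N. Real OAEP uses a 2048-bit or larger N.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K0 = 5      # byte length of the random seed r (and of t = r xor H(w))
K1 = 3      # byte length of the redundancy 0^k appended to m
MLEN = 3    # byte length of m, so w = m||0^k is MLEN + K1 = 6 bytes
BLOCK = MLEN + K1 + K0

def _oracle(tag: bytes, seed: bytes, length: int) -> bytes:
    """Toy stand-in for the random oracles G and H: counter-mode SHA-256, domain-separated by tag."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:          # G : {0,1}^(8*K0) -> {0,1}^(8*(MLEN+K1))
    return _oracle(b"G", r, MLEN + K1)

def H(w: bytes) -> bytes:          # H : {0,1}^(8*(MLEN+K1)) -> {0,1}^(8*K0)
    return _oracle(b"H", w, K0)

def oaep_encrypt(m: bytes, r: bytes) -> int:
    """w = (m||0^k) xor G(r), t = r xor H(w), C = (w||t)^e mod N."""
    assert len(m) == MLEN and len(r) == K0
    w = _xor(m + b"\x00" * K1, G(r))
    t = _xor(r, H(w))
    return pow(int.from_bytes(w + t, "big"), E, N)

def oaep_decrypt(C: int) -> Optional[bytes]:
    """Invert RSA, unmask, and release m' only if the redundancy z' == 0^k checks out."""
    x = pow(C, D, N)
    if x >= 1 << (8 * BLOCK):        # w'||t' does not even fit the padded format
        return None
    block = x.to_bytes(BLOCK, "big")
    w, t = block[:MLEN + K1], block[MLEN + K1:]
    r = _xor(H(w), t)                # r' = H(w') xor t'
    mz = _xor(G(r), w)               # m'||z' = G(r') xor w'
    m, z = mz[:MLEN], mz[MLEN:]
    return m if z == b"\x00" * K1 else None   # one rejection path for every failure cause
```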


Security

Theorem
Under the RSA assumption, the RSA-OAEP encryption scheme is secure in the sense of IND-CCA2 in the RO model

  • PKCS #1 v2.1 [RSA Labs]

Bibliography

  • M. Bellare and P. Rogaway
    Optimal asymmetric encryption – How to encrypt with RSA
    Advances in Cryptology − EUROCRYPT ’94, LNCS 950, pp. 92–111, Springer-Verlag, 1995

Part IV

Conclusion

Summary

  • Security is always “proved” in a given model
    security goal, adversarial resources (black-box adversaries)
    standard vs. idealized model
      • e.g., random oracle model
  • Security is reduced to the hardness of some cryptographic problem
    e.g., RSA problem, DL problem, . . .
  • Asymptotic vs. concrete security

Comments/Questions?

http://www.geocities.com/MarcJoye/