Post on 13-Oct-2020
Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-03-24 1
Outline
Parameter choices
RSA-PSS
Genaro-Halevi-Rabin signatures
Recap
Last lecture:
• Random Oracle Model
• RSA Full Domain Hash
• Security proof:
– RSA-FDH adversary A with runtime $t_A$, success probability $\varepsilon_A$, $q_H$ hash queries
⇒ RSA solver B with runtime $t_B \approx t_A$ and success
$$\varepsilon_B \ge \frac{\varepsilon_A - 1/N}{q_H}$$
• Quality of reduction?
Contents
Today: interlude (not in notes)
Parameter choices
RSA-PSS
Genaro-Halevi-Rabin signatures
Parameter choices
How do you choose parameters for cryptosystems?
Example: RSA
• N = P · Q with prime P, Q
• How large should P, Q be?
• Generally: security only for suitably large security parameter k
• $P, Q \in [2^{100}, 2^{101})$ large enough?
• Comparison: #atoms in universe $\approx 10^{80} \approx 2^{266}$
• $P, Q \in [2^{300}, 2^{301})$?
Parameter choices
Best known attack against RSA:
• Factor N (i.e., compute P, Q from N = PQ)
• Compute $\varphi(N) = (P - 1)(Q - 1)$, $d := e^{-1} \bmod \varphi(N)$ (RSA secret key)
Best known factorization algorithm:
• General Number Field Sieve (GNFS)
• Runtime for n-bit modulus ($n = \lfloor \log_2(N) \rfloor + 1$):
$$t_{\mathrm{GNFS}}(n) := C \cdot \exp\left( \left(\tfrac{64}{9}\right)^{1/3} n^{1/3} \ln(n)^{2/3} \right)$$
– (runtime conjectured)
Tradeoff: time/success
Given:
• PPT algorithm B solves problem in time t with success probability ε
Consider Algorithm C:
repeat
    solution ← B(N)
until solution is correct
• Las Vegas algorithm (succeeds always, but not PPT!)
• Expected runtime: $\frac{1}{\varepsilon} \cdot t$
$\frac{1}{\varepsilon} t$ gives “1/quality” of B.
The smaller this value, the better is B.
Parameter choices
So how do you choose concrete parameters?
Goal: signature scheme secure against any adversary A that . . .
• can perform at most tA operation steps
• knows at most q signatures
• can compute at most qH hash values
Concrete assumption (“GNFS assumption”):
• There is no Las-Vegas algorithm C that solves the RSA problem faster than the GNFS
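Parameter choice for RSA-FDH
• Security reduction converts adversaries A ⇒ B
– $t_B \approx t_A$
– $\varepsilon_B \ge \frac{\varepsilon_A - 1/N}{q_H} \approx \frac{\varepsilon_A}{q_H}$
• The resource consumption (or “inverse quality”) of B is
$$\frac{1}{\varepsilon_B} t_B \le \frac{q_H}{\varepsilon_A} t_B \approx \frac{q_H}{\varepsilon_A} t_A$$
• Choose n large enough, so that
$$t_{\mathrm{GNFS}}(n) > \frac{q_H}{\varepsilon_A} t_A$$
• Then existence of A contradicts “GNFS assumption”.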
Parameter choice for better reduction
Hypothetically: better reduction
• $t_B \approx t_A$
• $\varepsilon_B \ge \varepsilon_A$
• leads to:
$$\frac{1}{\varepsilon_B} t_B \le \frac{1}{\varepsilon_A} t_B \approx \frac{1}{\varepsilon_A} t_A$$
• Choose n large enough, so that
$$t_{\mathrm{GNFS}}(n) > \frac{1}{\varepsilon_A} t_A$$
With better reduction: can choose smaller n ⟹ more efficient scheme!
Typical target security levels
• best publicly known supercomputer (Nov 2019): Summit (IBM)
• theoretical performance: $\approx 2^{58}$ FLOP/s
• in $2^{22}$ seconds (≈ 49 days): $2^{80}$ FLOP
• ⟹ $t_A \ge 2^{80}$ operations
• typical: $t_A \in \{2^{100}, 2^{128}\}$
• q: e.g. $2^{30}$ (> 1 billion signatures)
• $q_H$: e.g. $2^{60}$ (> 1 billion billion hash computations)
Different perspective
Different perspective:
• Goal: for all FDH adversaries A, we want $\varepsilon_A \le 1/2^{80}$
• Allow $2^{30}$ hash queries
• Reduction says:
$$\varepsilon_B \ge \varepsilon_A / q_H = 1/2^{110}$$
• Hence we need to choose RSA parameters such that for realistic adversaries, $\varepsilon_B \le 1/2^{110}$
• If we had $\varepsilon_B \ge \varepsilon_A$, then $\varepsilon_B \le 1/2^{80}$ would suffice
• Would lead to smaller parameters and more efficiency
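The parameter-choice rule from the preceding slides, carried through numerically. This is an added example, not part of the original slides; it uses the slides' runtime formula with the unknown constant C set to 1 (an assumption), and the function names are hypothetical.

```python
import math

def gnfs_log2(n, log2_c=0.0):
    """log2 of t_GNFS(n) = C * exp((64/9)^(1/3) * n^(1/3) * ln(n)^(2/3)).

    n is the modulus bit length; log2_c = log2(C), assumed 0 here (C = 1).
    """
    exponent = (64 / 9) ** (1 / 3) * n ** (1 / 3) * math.log(n) ** (2 / 3)
    return log2_c + exponent / math.log(2)

def min_modulus_bits(log2_work, lo=16, hi=1 << 20):
    """Smallest n in [lo, hi] with t_GNFS(n) > 2^log2_work.

    t_GNFS is increasing in n, so a binary search is enough.
    """
    if gnfs_log2(hi) <= log2_work:
        raise ValueError("work factor out of range for this search")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_log2(mid) > log2_work:
            hi = mid
        else:
            lo = mid + 1
    return lo

def required_bits(log2_tA, log2_epsA, log2_loss):
    """Bit length n with t_GNFS(n) > loss * t_A / eps_A.

    log2_loss = log2(q_H) for the RSA-FDH reduction, 0 for a tight reduction.
    """
    return min_modulus_bits(log2_loss + log2_tA - log2_epsA)

if __name__ == "__main__":
    # Target values from the slides: t_A = 2^100, q_H = 2^60; eps_A = 1 is assumed.
    fdh = required_bits(100, 0, 60)
    tight = required_bits(100, 0, 0)
    print(f"RSA-FDH (loss q_H): n >= {fdh} bits")
    print(f"tight reduction:    n >= {tight} bits")
```

Because C is not known, the absolute bit lengths are only indicative; the gap between the two results is what the reduction loss costs.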
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• First quiz (about parameter choices) starts now!
Contents
Today: interlude (not in notes)
Parameter choices
RSA-PSS
Genaro-Halevi-Rabin signatures
RSA-PSS
• RSA-based signature scheme
• Like textbook RSA, but with preprocessing of m
• EUF-CMA secure in ROM (under RSA assumption)
• Security reduction with small reduction loss
• Standardized in PKCS #1 since version 2.1 (June 2002)
– . . . but we will describe the slightly simpler version from the research paper
RSA-PSS
• $\mathrm{Gen}(1^k)$: as with textbook RSA
• Sign(sk, m):
$$\sigma := \text{PSS-Encode}(m)^d \pmod N$$
• Vfy(pk, m, σ):
– Compute $y = \sigma^e \pmod N$
– Output 1 iff y valid encoding of m
RSA-PSS
PSS-Encoding:
• Parameter $k_0, k_1$ with $k_0 + k_1 \le k - 1$.
• Requires two hash functions G, H
• $H : \{0,1\}^* \to \{0,1\}^{k_1}$
• $G : \{0,1\}^{k_1} \to \{0,1\}^{k-k_1-1}$
– $G_1$: first $k_0$ bits of G
– $G_2$: rest of G
– $\forall w \in \{0,1\}^{k_1}$: $G(w) = G_1(w) \,\|\, G_2(w)$
RSA-PSS
PSS-Encoding (continued):
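• choose $r \leftarrow \{0,1\}^{k_0}$ uniformly
• $w := H(m \,\|\, r)$
• $r^* := G_1(w) \oplus r$
• $\gamma := G_2(w)$
• encoding := $0 \,\|\, w \,\|\, r^* \,\|\, \gamma$
[Figure: PSS encoding diagram with labels H, G, m, r, w, $0^{k-k_0-k_1-1}$, $r^*$, $\gamma$, $G_1(w)$, $G_2(w)$]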
RSA-PSS: verification
• Compute $y = \sigma^e \bmod N$
• If first bit of y not equal to 0: output 0
• Split y into $0, w', r'^*, \gamma'$
• Compute $r' := r'^* \oplus G_1(w')$
• Output 1 iff
$$\gamma' \stackrel{?}{=} G_2(w') \quad\text{and}\quad w' \stackrel{?}{=} H(m \,\|\, r'),$$
else 0.
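The PSS encoding and verification steps above as runnable code. This is an added example, not from the slides: H is instantiated with SHA-256 and G with SHAKE-256 (both assumptions), $k_0 = k_1 = 256$, and the key is a constructed toy modulus made of two Mersenne primes, which is trivially factorable.

```python
import hashlib
import secrets

# Constructed toy key (assumption): Mersenne primes, so N is trivially
# factorable. For demonstration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^-1 mod phi(N)
K = N.bit_length()                  # k = 1128
K0 = K1 = 256                       # simplification k0 = k1
KG = K - K0 - K1 - 1                # bit length of gamma = G2(w)

def H(m, r):
    """H: {0,1}* -> {0,1}^k1 on m || r, here SHA-256 (assumption)."""
    data = m + r.to_bytes(K0 // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def G(w):
    """G: {0,1}^k1 -> {0,1}^(k-k1-1), here SHAKE-256; returns (G1(w), G2(w))."""
    nbits = K - K1 - 1
    nbytes = (nbits + 7) // 8
    raw = hashlib.shake_256(w.to_bytes(K1 // 8, "big")).digest(nbytes)
    out = int.from_bytes(raw, "big") >> (8 * nbytes - nbits)
    return out >> KG, out & ((1 << KG) - 1)

def pss_encode(m, r=None):
    """Return 0 || w || r* || gamma as an integer below 2^(k-1)."""
    r = secrets.randbits(K0) if r is None else r
    w = H(m, r)
    g1, g2 = G(w)
    return (w << (K0 + KG)) | ((g1 ^ r) << KG) | g2

def sign(m):
    return pow(pss_encode(m), D, N)

def verify(m, sigma):
    if not 0 <= sigma < N:
        return False
    y = pow(sigma, E, N)
    if y >> (K - 1):                # first bit of y must be 0
        return False
    w = y >> (K0 + KG)
    r_star = (y >> KG) & ((1 << K0) - 1)
    gamma = y & ((1 << KG) - 1)
    g1, g2 = G(w)
    return gamma == g2 and w == H(m, r_star ^ g1)
```

Signing the same message twice yields different signatures because r is fresh each time; verification recovers r from r* and recomputes both hash checks.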
RSA-PSS
Assume G and H are random oracles. Then for every adversary A that breaks the EUF-CMA security of RSA-PSS
• in time $t_A$
• with at most $q_{hash}$ hash queries to G and H,
• at most q signature queries
• and success probability $\varepsilon_A$,
there exists an adversary B that solves the RSA problem in time $t_B$ with success probability
$$\varepsilon_B \ge \varepsilon_A - \left(2(q + q_{hash})^2 + 1\right) \cdot \left(2^{-k_0} + 2^{-k_1}\right)$$
$$t_B \le t_A + (q + q_{hash} + 1) \cdot k_0 \cdot \Theta(n^3).$$
Note: simplification: $k_0 = k_1$.
Proof overview
Recap: RSA-FDH proof
• B implements H-oracle for A
• embeds own RSA instance in one (randomly chosen) H-query
• all other H-queries: program H(m) such that signature for m is known
⟹ B has to guess which H-query corresponds to forgery (guess correct with probability $1/q_H$)
Proof overview
Changes with RSA-PSS:
• many valid encodings for every m
• upon G- or H-queries: embed own RSA instance
• upon signature query: choose another encoding with known signature
– more specifically: choose random encoding
– with high probability different from previous (hashed) encoding
RSA-PSS: Summary
• EUF-CMA secure in ROM (under RSA assumption)
• Same principle as with RSA-FDH: encode message, then textbook RSA
• Efficiency similar to that of RSA-FDH
– Main difference: 2 hash computations (not 1) per signature
• But: reduction has almost no “loss”
• In practice more efficient than RSA-FDH when compensating for lossy reduction
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• . . . and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Second quiz (about RSA-PSS) starts now!
RSA signatures so far: issues
• Schemes so far: either inefficient, or only heuristic security (ROM)
• Goal (hard!): EUF-CMA-secure signature scheme based on RSA . . .
– that is efficient (i.e., usable in practice)
– whose security requires no random oracles.
• “Workaround”: Strong RSA assumption
Strong RSA assumption
RSA problem:
• given N, e and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.
RSA assumption:
• ∀ PPT A:
$$\Pr\left[ N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \,:\, x^e \equiv y \bmod N \right]$$
is negligible in k.
Strong RSA assumption
Strong RSA problem:
• given N and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.
Strong RSA assumption:
• ∀ PPT A:
$$\Pr\left[ N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow A(1^k, N, y) \,:\, x^e \equiv y \bmod N \,\wedge\, e > 1 \right]$$
is negligible in k.
Strong RSA: naming
• Strong RSA assumption stronger assumption than RSA assumption
– We give adversary more control, easier to win game
– We assume that it’s still hard for adversary to win
• But: strong RSA problem easier than RSA problem
Strong RSA assumption ⇒ RSA assumption,
converse implication not obvious at all
Genaro-Halevi-Rabin signatures
Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)
$\mathrm{Gen}(1^k)$:
• Choose N = P · Q, P, Q prime as with RSA
• $s \leftarrow \mathbb{Z}_N$
• Choose h such that $\forall m \in \{0,1\}^* : \gcd(h(m), \varphi(N)) = 1$ (*)
• pk := (N, s, h)
• sk := $\varphi(N) = (P - 1)(Q - 1)$
Sign(sk, m):
• $\sigma := s^{1/h(m)} \bmod N$
Vfy(pk, m, σ): $\sigma^{h(m)} \stackrel{?}{\equiv} s \bmod N$
((*): can be enforced, e.g., by letting h only output large primes)
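The GHR scheme above as runnable code. This is an added example, not from the slides: the hash-to-prime function h (SHA-256 with a counter, retried until a probable prime appears) is a hypothetical instantiation, and the key is a constructed toy modulus of two Mersenne primes, which is trivially factorable.

```python
import hashlib
import secrets

# Constructed toy key (assumption): Mersenne primes, trivially factorable.
P, Q = 2**521 - 1, 2**607 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)       # N is public, sk = phi(N)
S = secrets.randbelow(N - 2) + 2        # public s <- Z_N

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (reproducible; inputs are hash outputs)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def h(m):
    """Hypothetical hash-to-prime: first 256-bit probable prime from SHA-256(ctr || m)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + m).digest()
        cand = int.from_bytes(digest, "big") | (1 << 255) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand
        ctr += 1

def sign(m):
    # sigma = s^(1/h(m)) mod N, with 1/h(m) computed modulo phi(N)
    return pow(S, pow(h(m), -1, PHI), N)

def verify(m, sigma):
    return pow(sigma, h(m), N) == S
```

Only large primes come out of h, which is how the coprimality condition (*) is enforced here; signing needs $\varphi(N)$, verification only needs pk.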
GHR signatures: security
Theorem 70: For every PPT A that breaks the EUF-naCMA security of Σ in time $t_A$ with success $\varepsilon_A$, there is a PPT B that runs in time $t_B \approx t_A$ and which
• either breaks the collision-resistance of h with success
$$\varepsilon_{coll} \ge \varepsilon_A / 2,$$
• or solves the strong RSA problem with success
$$\varepsilon_{sRSA} \ge \varepsilon_A / 2.$$