Digital Signatures · Recap: RSA-FDH proof B implements H -oracle for A embeds own RSA instance in...

Digital SignaturesDennis Hofheinz (slides based on slides by Björn Kaidel and GunnarHartung)

Digital Signatures 2020-03-24 1

Outline

Parameter choices

RSA-PSS

Genaro-Halevi-Rabin signatures


Recap

Last lecture:

• Random Oracle Model

• RSA Full Domain Hash• Security proof:

– RSA-FDH adversary A with runtime tA, success probability εA,qH hash queries

RSA solver B with runtime tB ≈ tA and success

εB ≥εA − 1/N

qH

• Quality of reduction?


Contents

Today: interlude (not in notes)

Parameter choices

RSA-PSS



Parameter choices

How do you choose parameters forcryptosystems?

Example: RSA

• N = P · Q with prime P, Q

• How large should P, Q be?

• Generally: security only for suitably large security parameter k

• P, Q ∈ [2100, 2101) large enough?

• Comparison: #atoms in universe ≈ 1080 ≈ 2266

• P, Q ∈ [2300, 2301)?


Parameter choicesBest known attack against RSA:

• Factor N (i.e., compute P, Q from N = PQ)

• Compute ϕ(N) = (P − 1)(Q − 1), d := e−1 mod ϕ(N) RSA secret key

Best known factorization algorithm:

• General Number Field Sieve (GNFS)

• Runtime for n-bit modulus (n = blog2(N)c + 1):

tGNFS(n) := C · exp

((649

)1/3n

13 ln(n)

23

)

– (runtime conjectured)


Tradeoff: time/successGiven:• PPT algorithm B solves problem in time t with success

probability ε

Consider Algorithm C:repeat

solution ← B(N)until solution is correct• Las Vegas algorithm (succeeds always, but not PPT!)• Expected runtime:

1ε· t

1ε t gives “1/quality” of B.

The smaller this value, the better is B.Digital Signatures 2020-03-24 7

Parameter choices

So how do you choose concrete parameters?

Goal:signature scheme secure against any adversary A that. . .

• can perform at most tA operation steps

• knows at most q signatures

• can compute at most qH hash values

Concrete assumption (“GNFS assumption”):

• There is no Las-Vegas algorithm C that solves the RSAproblem faster than the GNFS


Parameter choice for RSA-FDH• Security reduction converts adversaries A B

– tB ≈ tA– εB ≥ εA−1/N

qH≈ εA

qH

• The resource consumption (or “inverse quality”) of B is1εB

tB ≤qH

εAtB

≈ qH

εAtA

• Choose n large enough, so that

tGNFS(n) >qH

εAtA

• Then existence of A contradicts “GNFS assumption”.Digital Signatures 2020-03-24 9

Parameter choice for better reductionHypothetically: better reduction• tB ≈ tA• εB ≥ εA• leads to:

1εB

tB ≤1εA

tB

≈ 1εA

tA

• Choose n large enough, so that

tGNFS(n) >1εA

tA

With better reduction: can choose smaller n =⇒ more efficientscheme! Digital Signatures 2020-03-24 10

Typical target security levels

Typical target security levels

• best publicly known supercomputer (Nov 2019): Summit (IBM)

• theoretical performance: ≈ 258 FLOP/s

• in 222 seconds (≈ 49 days): 280 FLOP

• =⇒ tA ≥ 280 operations

• typical: tA ∈ {2100, 2128}

• q: e.g. 230 (> 1 billion signatures)

• qH : e.g. 260 (> 1 billion billion hash computations)


Different perspective

Different perspective:

• Goal: for all FDH adversaries A, we want εA ≤ 1/280

• Allow 230 hash queries

• Reduction says:

εB ≥ εA/qH = 1/2110

• Hence we need to choose RSA parameters such that forrealistic adversaries, εB ≤ 1/2110

• If we had εB ≥ εA, then εB ≤ 1/280 would suffice

• Would lead to smaller parameters and more efficiency


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• First quiz (about parameter choices) starts now!


Contents

Today: interlude (not in notes)

Parameter choices

RSA-PSS



RSA-PSS

• RSA-based signature scheme

• Like textbook RSA, but with preprocessing of m

• EUF-CMA secure in ROM (under RSA assumption)

• Security reduction with small reduction loss• Standardized in PKCS #1 since version 2.1 (June 2002)

– . . . but we will describe the slightly simpler version from theresearch paper


RSA-PSS

• Gen(1k ) : as with textbook RSA

• Sign(sk , m) :

σ := PSS-Encode(m)d (mod N)

• Vfy(pk , m,σ) :– Compute y = σe (mod N)– Output 1 iff y valid encoding of m


RSA-PSS

PSS-Encoding:

• Parameter k0, k1 with k0 + k1 ≤ k − 1.

• Requires two hash functions G, H

• H : {0, 1}∗ → {0, 1}k1

• G : {0, 1}k1 → {0, 1}k−k1−1

– G1 : first k0 bits of G– G2 : rest of G– ∀w ∈ {0, 1}k1 : G(w) = G1(w) ‖G2(w)


RSA-PSS

PSS-Encoding (continued):

• choose r ← {0, 1}k0 uniformly

• w := H(m ‖ r )

• r∗ := G1(w)⊕ r

• γ := G2(w)

• encoding := 0 ‖w ‖ r∗ ‖ γ

H

G

rm

w

0k−k0−k1−1r

r∗

γ0 w

G1(w) G2(w)


RSA-PSS: verification

• Compute y = σe mod N

• If first bit of y not equal to 0: output 0

• Split y into 0, w ′, r ′∗, γ′

• Compute r ′ := r ′∗ ⊕ G1(w ′)

• Output 1 iff

γ′ ?= G2(w ′) and w ′ ?= H(m ‖ r ′),

else 0.


RSA-PSSAssume G and H are random oracles. Then for every adversary Athat breaks the EUF-CMA security of RSA-PSS• in time tA• with at most qhash hash queries to G and H,• at most q signature queries• and success probability εA,

there exists an adversary B that solves the RSA problem in time tBwith success probability

εB ≥ εA −(

2(q + qhash)2 + 1)· (2−k0 + 2−k1)

tB ≤ tA + (q + qhash + 1) · k0 ·Θ(n3).

Note: simplification: k0 = k1.Digital Signatures 2020-03-24 20

Proof overview

Recap: RSA-FDH proof

• B implements H-oracle for A• embeds own RSA instance in one (randomly chosen) H-query

• all other H-queries: program H(m) such that signature for m isknown

=⇒ B has to guess which H-query corresponds to forgery (guesscorrect with probability 1

qH)


Proof overview

Changes with RSA-PSS:

• many valid encodings for every m

• upon G- or H-queries: embed own RSA instance

• upon signature query: choose another encoding with knownsignature

– more specifically: choose random encoding– with high probability different from previous (hashed) encoding


RSA-PSS: Summary

• EUF-CMA secure in ROM (under RSA assumption)

• Same principle as with RSA-FDH: encode message, thentextbook RSA• Efficiency similar to that of RSA-FDH

– Main difference: 2 hash computations (not 1) per signature

• But: reduction has almost no “loss”

• In practice more efficient than RSA-FDH when compensatingfor lossy reduction


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Second quiz (about RSA-PSS) starts now!


RSA signatures so far: issues

• Schemes so far: either inefficient, or only heuristic security(ROM)• Goal (hard!): EUF-CMA-secure signature scheme based on

RSA. . .– that is efficient (i.e., usable in practice)– whose security requires no random oracles.

• “Workaround”: Strong RSA assumption


Strong RSA assumption

RSA problem:

• given N, e and y ← ZN , find x ∈ ZN with xe ≡ y mod N.

RSA assumption:

• ∀ PPT A:

Pr

[N = P · Q, e← Z∗ϕ(N),

y ← ZN , x ← A(1k , N, e, y ): xe ≡ y mod N

]

is negligible in k .


Strong RSA assumption

Strong RSA problem:

• given N and y ← ZN , find x ∈ ZN , e > 1 with xe ≡ y mod N.

Strong RSA assumption:

• ∀ PPT A:

Pr

[N = P · Q,

y ← ZN , (x , e)← A(1k , N, y ): xe ≡ y mod N ∧ e > 1

]

is negligible in k .


Strong RSA: naming

• Strong RSA assumption stronger assumption than RSAassumption

– We give adversary more control, easier to win game– We assume that it’s still hard for adversary to win

• But: strong RSA problem easier than RSA problem

Strong RSA assumption⇒ RSA assumption,converse implication not obvious at all



Let h : {0, 1}∗ → P be a hash function (P = primes)Gen(1k ) :

• Choose N = P · Q, P, Q prime as with RSA

• s ← ZN

• Choose h such that ∀m ∈ {0, 1}∗ : gcd(h(m),ϕ(N)) = 1 ~• pk := (N, s, h)

• sk := ϕ(N) = (P − 1)(Q − 1)

Sign(sk , m) :

• σ := s1/h(m) mod N

Vfy(pk , m,σ) : σh(m) ?≡ s mod N(~ : can be enforced, e.g., by letting h only output large primes)


GHR signatures: security

Theorem 70: For every PPT A that breaks the EUF-naCMAsecurity of Σ in time tA with success εA bricht, there is a PPT B thatruns in time tB ≈ tA and which

• either breaks the collision-resistance of h with success

εcoll ≥ εA/2,

• or solves the strong RSA problem with success

εsRSA ≥ εA/2.


Date post:	13-Oct-2020
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times

Digital Signatures · Recap: RSA-FDH proof B implements H -oracle for A embeds own RSA instance in...

Documents