
Digital Signatures · Recap: RSA-FDH proof B implements H -oracle for A embeds own RSA instance in...

Date post: 13-Oct-2020

Digital Signatures

Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)

Digital Signatures 2020-03-24 1

Outline

Parameter choices

RSA-PSS

Genaro-Halevi-Rabin signatures


Recap

Last lecture:

• Random Oracle Model

• RSA Full Domain Hash

• Security proof:

– RSA-FDH adversary A with runtime $t_A$, success probability $\varepsilon_A$, $q_H$ hash queries

⇒ RSA solver B with runtime $t_B \approx t_A$ and success

$\varepsilon_B \geq \frac{\varepsilon_A - 1/N}{q_H}$

• Quality of reduction?


Contents

Today: interlude (not in notes)

Parameter choices

RSA-PSS

Genaro-Halevi-Rabin signatures


Parameter choices

How do you choose parameters for cryptosystems?

Example: RSA

• N = P · Q with prime P, Q

• How large should P, Q be?

• Generally: security only for suitably large security parameter k

• $P, Q \in [2^{100}, 2^{101})$ large enough?

• Comparison: #atoms in universe $\approx 10^{80} \approx 2^{266}$

• $P, Q \in [2^{300}, 2^{301})$?


Parameter choices

Best known attack against RSA:

• Factor N (i.e., compute P, Q from N = PQ)

• Compute $\varphi(N) = (P - 1)(Q - 1)$, $d := e^{-1} \bmod \varphi(N)$ (RSA secret key)

Best known factorization algorithm:

• General Number Field Sieve (GNFS)

• Runtime for n-bit modulus ($n = \lfloor \log_2(N) \rfloor + 1$):

$t_{\mathrm{GNFS}}(n) := C \cdot \exp\left( \left(\tfrac{64}{9}\right)^{1/3} n^{1/3} \ln(n)^{2/3} \right)$

– (runtime conjectured)


Tradeoff: time/success

Given:

• PPT algorithm B solves problem in time $t$ with success probability $\varepsilon$

Consider Algorithm C:

    repeat
        solution ← B(N)
    until solution is correct

• Las Vegas algorithm (succeeds always, but not PPT!)

• Expected runtime: $\frac{1}{\varepsilon} \cdot t$

$\frac{1}{\varepsilon} t$ gives “1/quality” of B.

The smaller this value, the better is B.

Parameter choices

So how do you choose concrete parameters?

Goal: signature scheme secure against any adversary A that ...

• can perform at most $t_A$ operation steps

• knows at most $q$ signatures

• can compute at most $q_H$ hash values

Concrete assumption (“GNFS assumption”):

• There is no Las Vegas algorithm C that solves the RSA problem faster than the GNFS


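Parameter choice for RSA-FDH

• Security reduction converts adversaries A into B

– $t_B \approx t_A$

– $\varepsilon_B \geq \frac{\varepsilon_A - 1/N}{q_H} \approx \frac{\varepsilon_A}{q_H}$

• The resource consumption (or “inverse quality”) of B is

$\frac{1}{\varepsilon_B} t_B \leq \frac{q_H}{\varepsilon_A} t_B \approx \frac{q_H}{\varepsilon_A} t_A$

• Choose n large enough, so that

$t_{\mathrm{GNFS}}(n) > \frac{q_H}{\varepsilon_A} t_A$

• Then existence of A contradicts “GNFS assumption”.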

Parameter choice for better reduction

Hypothetically: better reduction

• $t_B \approx t_A$

• $\varepsilon_B \geq \varepsilon_A$

• leads to:

$\frac{1}{\varepsilon_B} t_B \leq \frac{1}{\varepsilon_A} t_B \approx \frac{1}{\varepsilon_A} t_A$

• Choose n large enough, so that

$t_{\mathrm{GNFS}}(n) > \frac{1}{\varepsilon_A} t_A$

With better reduction: can choose smaller n ⇒ more efficient scheme!


Typical target security levels

• best publicly known supercomputer (Nov 2019): Summit (IBM)

• theoretical performance: $\approx 2^{58}$ FLOP/s

• in $2^{22}$ seconds (≈ 49 days): $2^{80}$ FLOP

• ⇒ $t_A \geq 2^{80}$ operations

• typical: $t_A \in \{2^{100}, 2^{128}\}$

• $q$: e.g. $2^{30}$ (> 1 billion signatures)

• $q_H$: e.g. $2^{60}$ (> 1 billion billion hash computations)
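
Added example (not part of the original slides): the parameter-choice argument carried through numerically, finding the smallest modulus length n for the lossy RSA-FDH reduction and for a hypothetical tight one. Assumptions: the unspecified GNFS constant is taken as C = 1, the adversary succeeds with probability 1, and the function names are made up for this sketch.

```python
import math

def log2_t_gnfs(n: int, log2_c: float = 0.0) -> float:
    """log2 of t_GNFS(n) = C * exp((64/9)^(1/3) * n^(1/3) * ln(n)^(2/3)).

    Works in base-2 logarithms to avoid huge floats. C = 1 is an assumption.
    """
    exponent = (64 / 9) ** (1 / 3) * n ** (1 / 3) * math.log(n) ** (2 / 3)
    return log2_c + exponent / math.log(2)

def min_modulus_bits(log2_t_a: float, log2_inv_eps_a: float, log2_loss: float) -> int:
    """Smallest n with t_GNFS(n) > loss * (1/eps_A) * t_A (inputs are base-2 logs).

    loss = q_H for the RSA-FDH reduction, loss = 1 for a tight reduction.
    Assumes the target exceeds t_GNFS(2), which holds for any realistic level.
    """
    target = log2_loss + log2_inv_eps_a + log2_t_a
    lo, hi = 2, 4
    while log2_t_gnfs(hi) <= target:      # double until an upper bound is found
        lo, hi = hi, hi * 2
    while hi - lo > 1:                    # t_GNFS is increasing in n, so bisect
        mid = (lo + hi) // 2
        if log2_t_gnfs(mid) > target:
            hi = mid
        else:
            lo = mid
    return hi

def compare(log2_t_a: float = 100, log2_inv_eps_a: float = 0, log2_q_h: float = 60):
    """Return (n for lossy FDH reduction, n for hypothetical tight reduction)."""
    lossy = min_modulus_bits(log2_t_a, log2_inv_eps_a, log2_q_h)
    tight = min_modulus_bits(log2_t_a, log2_inv_eps_a, 0)
    return lossy, tight

if __name__ == "__main__":
    lossy, tight = compare()
    print(f"t_A = 2^100, q_H = 2^60: lossy reduction needs n >= {lossy} bits")
    print(f"t_A = 2^100, tight reduction needs n >= {tight} bits")
```

With the slide's typical values, the factor $q_H$ moves the required modulus from roughly one thousand bits to roughly three thousand bits under these assumptions.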


Different perspective

Different perspective:

• Goal: for all FDH adversaries A, we want $\varepsilon_A \leq 1/2^{80}$

• Allow $2^{30}$ hash queries

• Reduction says:

$\varepsilon_B \geq \varepsilon_A / q_H = 1/2^{110}$

• Hence we need to choose RSA parameters such that for realistic adversaries, $\varepsilon_B \leq 1/2^{110}$

• If we had $\varepsilon_B \geq \varepsilon_A$, then $\varepsilon_B \leq 1/2^{80}$ would suffice

• Would lead to smaller parameters and more efficiency


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• First quiz (about parameter choices) starts now!


Contents

Today: interlude (not in notes)

Parameter choices

RSA-PSS

Genaro-Halevi-Rabin signatures


RSA-PSS

• RSA-based signature scheme

• Like textbook RSA, but with preprocessing of m

• EUF-CMA secure in ROM (under RSA assumption)

• Security reduction with small reduction loss

• Standardized in PKCS #1 since version 2.1 (June 2002)

– ... but we will describe the slightly simpler version from the research paper


RSA-PSS

• Gen($1^k$): as with textbook RSA

• Sign(sk, m):

$\sigma := \text{PSS-Encode}(m)^d \pmod{N}$

• Vfy(pk, m, σ):

– Compute $y = \sigma^e \pmod{N}$

– Output 1 iff y valid encoding of m


RSA-PSS

PSS-Encoding:

• Parameter $k_0, k_1$ with $k_0 + k_1 \leq k - 1$.

• Requires two hash functions G, H

• $H : \{0,1\}^* \to \{0,1\}^{k_1}$

• $G : \{0,1\}^{k_1} \to \{0,1\}^{k - k_1 - 1}$

– $G_1$: first $k_0$ bits of G

– $G_2$: rest of G

– $\forall w \in \{0,1\}^{k_1}: G(w) = G_1(w) \,\|\, G_2(w)$


RSA-PSS

PSS-Encoding (continued):

• choose $r \leftarrow \{0,1\}^{k_0}$ uniformly

• $w := H(m \,\|\, r)$

• $r^* := G_1(w) \oplus r$

• $\gamma := G_2(w)$

• encoding := $0 \,\|\, w \,\|\, r^* \,\|\, \gamma$

[Figure: PSS encoding diagram. H takes m and r and outputs w; G takes w and outputs G1(w) and G2(w); the encoding is 0, w, r∗, γ.]


RSA-PSS: verification

• Compute $y = \sigma^e \bmod N$

• If first bit of y not equal to 0: output 0

• Split y into $0, w', r'^*, \gamma'$

• Compute $r' := r'^* \oplus G_1(w')$

• Output 1 iff

$\gamma' \stackrel{?}{=} G_2(w')$ and $w' \stackrel{?}{=} H(m \,\|\, r')$,

else 0.
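
Added example (not from the slides, the research paper or PKCS #1): the simplified PSS encoding, signing and verification described above, runnable end to end. Assumptions: a toy 216-bit modulus built from two Mersenne primes, e = 65537, $k_0 = k_1 = 64$, and SHAKE-256 with a domain tag standing in for the random oracles G and H.

```python
import hashlib
import secrets

# Toy key constructed for this example only; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()            # k = 216
K0 = K1 = 64                  # k0 + k1 <= k - 1
GLEN = K - K1 - 1             # G outputs k - k1 - 1 bits
G2LEN = GLEN - K0             # length of G2(w) = gamma

def _oracle(tag: bytes, data: bytes, bits: int) -> int:
    """Stand-in for a random oracle: SHAKE-256 output truncated to `bits` bits."""
    out = hashlib.shake_256(tag + data).digest((bits + 7) // 8)
    return int.from_bytes(out, "big") >> (-bits % 8)

def H(m: bytes, r: int) -> int:
    return _oracle(b"H", m + r.to_bytes(K0 // 8, "big"), K1)

def G(w: int):
    g = _oracle(b"G", w.to_bytes(K1 // 8, "big"), GLEN)
    return g >> G2LEN, g & ((1 << G2LEN) - 1)      # (G1(w), G2(w))

def pss_encode(m: bytes, r: int) -> int:
    w = H(m, r)
    g1, gamma = G(w)
    # 0 || w || r* || gamma as a k-bit integer; the top bit stays 0
    return (w << GLEN) | ((g1 ^ r) << G2LEN) | gamma

def sign(m: bytes) -> int:
    r = secrets.randbits(K0)                       # fresh r per signature
    return pow(pss_encode(m, r), D, N)

def verify(m: bytes, sigma: int) -> bool:
    y = pow(sigma, E, N)
    if y >> (K - 1):                               # first bit must be 0
        return False
    w = y >> GLEN
    r_star = (y >> G2LEN) & ((1 << K0) - 1)
    gamma = y & ((1 << G2LEN) - 1)
    g1, g2 = G(w)
    return gamma == g2 and w == H(m, r_star ^ g1)

if __name__ == "__main__":
    s = sign(b"constructed sample message")
    print(verify(b"constructed sample message", s), verify(b"other message", s))
```

Because r is fresh for every call, signing the same message twice gives two different signatures that both verify, which is the "many valid encodings for every m" property the proof relies on.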


RSA-PSS

Assume G and H are random oracles. Then for every adversary A that breaks the EUF-CMA security of RSA-PSS

• in time $t_A$

• with at most $q_{hash}$ hash queries to G and H,

• at most $q$ signature queries

• and success probability $\varepsilon_A$,

there exists an adversary B that solves the RSA problem in time $t_B$ with success probability

$\varepsilon_B \geq \varepsilon_A - \left( 2(q + q_{hash})^2 + 1 \right) \cdot \left( 2^{-k_0} + 2^{-k_1} \right)$

$t_B \leq t_A + (q + q_{hash} + 1) \cdot k_0 \cdot \Theta(n^3)$.

Note: simplification: $k_0 = k_1$.


Proof overview

Recap: RSA-FDH proof

• B implements H-oracle for A

• embeds own RSA instance in one (randomly chosen) H-query

• all other H-queries: program H(m) such that signature for m is known

⇒ B has to guess which H-query corresponds to forgery (guess correct with probability $1/q_H$)


Proof overview

Changes with RSA-PSS:

• many valid encodings for every m

• upon G- or H-queries: embed own RSA instance

• upon signature query: choose another encoding with known signature

– more specifically: choose random encoding

– with high probability different from previous (hashed) encoding


RSA-PSS: Summary

• EUF-CMA secure in ROM (under RSA assumption)

• Same principle as with RSA-FDH: encode message, then textbook RSA

• Efficiency similar to that of RSA-FDH

– Main difference: 2 hash computations (not 1) per signature

• But: reduction has almost no “loss”

• In practice more efficient than RSA-FDH when compensating for lossy reduction


Socrative

Self-checking with quizzes

• Use following URL: https://b.socrative.com/login/student

• . . . and enter room “HOFHEINZ8872”

• Will also be in chat (so you can click on link)

• No registration necessary

• Second quiz (about RSA-PSS) starts now!


RSA signatures so far: issues

• Schemes so far: either inefficient, or only heuristic security (ROM)

• Goal (hard!): EUF-CMA-secure signature scheme based on RSA ...

– that is efficient (i.e., usable in practice)

– whose security requires no random oracles.

• “Workaround”: Strong RSA assumption


Strong RSA assumption

RSA problem:

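• given N, e and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$ with $x^e \equiv y \bmod N$.

RSA assumption:

• ∀ PPT A:

$\Pr\left[ N = P \cdot Q,\ e \leftarrow \mathbb{Z}^*_{\varphi(N)},\ y \leftarrow \mathbb{Z}_N,\ x \leftarrow A(1^k, N, e, y) \,:\, x^e \equiv y \bmod N \right]$

is negligible in k.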


Strong RSA assumption

Strong RSA problem:

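• given N and $y \leftarrow \mathbb{Z}_N$, find $x \in \mathbb{Z}_N$, $e > 1$ with $x^e \equiv y \bmod N$.

Strong RSA assumption:

• ∀ PPT A:

$\Pr\left[ N = P \cdot Q,\ y \leftarrow \mathbb{Z}_N,\ (x, e) \leftarrow A(1^k, N, y) \,:\, x^e \equiv y \bmod N \,\wedge\, e > 1 \right]$

is negligible in k.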


Strong RSA: naming

• Strong RSA assumption stronger assumption than RSA assumption

– We give adversary more control, easier to win game

– We assume that it’s still hard for adversary to win

• But: strong RSA problem easier than RSA problem

Strong RSA assumption ⇒ RSA assumption, converse implication not obvious at all


Genaro-Halevi-Rabin signatures

Let $h : \{0,1\}^* \to \mathbb{P}$ be a hash function ($\mathbb{P}$ = primes)

Gen($1^k$):

• Choose N = P · Q, P, Q prime as with RSA

• $s \leftarrow \mathbb{Z}_N$

• Choose h such that $\forall m \in \{0,1\}^*: \gcd(h(m), \varphi(N)) = 1$ (~)

• pk := (N, s, h)

• sk := $\varphi(N) = (P - 1)(Q - 1)$

Sign(sk, m):

• $\sigma := s^{1/h(m)} \bmod N$

Vfy(pk, m, σ): $\sigma^{h(m)} \stackrel{?}{\equiv} s \bmod N$

(~: can be enforced, e.g., by letting h only output large primes)
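
Added example (not from the slides or the GHR paper): the scheme above with a concrete hash-to-prime h that only outputs 128-bit primes, which enforces the gcd condition for the toy modulus used here. Assumptions: the modulus is built from two Mersenne primes whose φ(N) has no prime factor of 128 bits, s is derived from a fixed constructed string, and h is SHA-256 with a counter plus a Miller-Rabin test on fixed bases.

```python
import hashlib

# Toy parameters constructed for this example only; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
S = int.from_bytes(hashlib.sha256(b"ghr-demo-s").digest(), "big") % N  # public s

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin on fixed small-prime bases (probabilistic at this size)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness that n is composite
    return True

def h(m: bytes) -> int:
    """Hash m to a 128-bit prime: force top and low bit, bump a counter until prime."""
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + m).digest()[:16]
        cand = int.from_bytes(digest, "big") | (1 << 127) | 1
        if is_probable_prime(cand):
            return cand           # larger than every prime factor of PHI
        ctr += 1

def sign(m: bytes) -> int:
    # s^(1/h(m)) mod N: invert h(m) modulo phi(N), which only the signer knows
    return pow(S, pow(h(m), -1, PHI), N)

def verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, h(m), N) == S

if __name__ == "__main__":
    sig = sign(b"constructed sample message")
    print(verify(b"constructed sample message", sig), verify(b"other", sig))
```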


GHR signatures: security

Theorem 70: For every PPT A that breaks the EUF-naCMA security of Σ in time $t_A$ with success $\varepsilon_A$, there is a PPT B that runs in time $t_B \approx t_A$ and which

• either breaks the collision-resistance of h with success

$\varepsilon_{coll} \geq \varepsilon_A / 2$,

• or solves the strong RSA problem with success

$\varepsilon_{sRSA} \geq \varepsilon_A / 2$.
