Impossibility proofs for RSA signatures in the standard model

Pascal PaillierTopics in Cryptology – CT-RSA 2007

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Introduction Well-known RSA signatures:

Full domain hash (FDH) Probabilistic signature scheme (PSS / PSS-R) These are hard to invert in the random oracle

model. In the standard model, they have never been

discovered.

Introduction Real-life RSA signatures are breaking any form

of unforgeability. Any signature scheme of RSA type cannot be

equivalent to inverting RSA in the standard model. The key generation is instance-non-malleable. Proof technique is based on black-box meta-

reductions.

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Black-box reduction A black-box reduction R between two

computational problems P1 and P2 is a probabilistic algorithm R which solves P1 given black-box access to oracle solving P2.

when R is known to reduce P1 to P2 in polynomial time.

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

RSA and related computational problems

Root extraction problem is computing

is the problem of computing eth roots modulo n.

is a instance generator. Generate a hard instance (n, e) as well as the side

information

RSA and related computational problems

RSA and related computational problems

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Security notions for Real-life RSA signature - Adversarial goals Breakable (BK)

An adversary outputs the secret key. Universally forgeable (UF)

An adversary signs any message. Existential forgeable (EF)

An adversary signs some message. Root extractable (RE)

An adversary attempts to extract the eth root of a randomly chosen element y for a randomly chosen key (n, e)

BK > RE > UF > EF

Security notions for Real-life RSA signature- Attack model

Key-only attack (KOA) The adversary is given nothing else then a public

key. Known message attack (KMA)

The adversary is given a list of valid message/signature pairs.

Chosen message attack (CMA) The adversary is given adaptive access to a signing

oracle.

Security notions for Real-life RSA signature

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Instance-malleability A randomly chosen instance (n, e) is easier

when given repeated access to an oracle that extracts e’th roots modulo n’ for other instance (n’, e’) != (n, e).

An instance generator is instance-non-malleable.

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Impossibility of equivalence with inverting RSA

is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function

If is equivalent to then is polynomial.

If is equivalent to then is polynomial.

Impossibility of equivalence with inverting RSA

Impossibility of equivalence with inverting RSA

Impossibility of equivalence with inverting RSA

Let be an instance-non-malleable generator. These is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.

Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting

RSA Conclusion

Conclusion No real-life RSA signatures that are based on

instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.