Page 1: The Methodology of Provable Security · The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar −March 20, 2008 Contents Part I

The Methodology of Provable Security

Marc Joye

Thomson Security Labs, marc.joye@thomson.net

DIWALL Seminar − March 20, 2008

Contents

Part I Introduction

Part II Signature Schemes

Part III Encryption Schemes

Part IV Conclusion

Page 2

Part I

Introduction

Digital Signatures

Digital counterpart of a handwritten signature

Key properties

Digital signature ⟹ authentication, integrity, non-repudiation

Page 3

Textbook RSA Signature

• Key generation

Input: keylength k and e

Output: $N = pq$ such that $|N|_2 = k$ and $\gcd(e, \varphi(N)) = 1$; $d = e^{-1} \bmod \varphi(N)$

pk = {e,N} and sk = {d}

• [Plain] RSA signing

Input: private key sk and message m

Output: signature $\sigma = m^d \bmod N$

• [Plain] RSA verification

Input: public key pk, signature σ, and message m

Output: $\sigma^e \stackrel{?}{\equiv} m \pmod N$

Existential Forgeries

Signing $\sigma = m^d \bmod N$

Verification $\sigma^e \stackrel{?}{\equiv} m \pmod N$

1. Choose a random r

2. Compute $m = r^e \bmod N$

3. Set σ = r

4. Output σ as the signature on “message” m

Page 4

Selective Forgeries

Observation

Multiplicative property:

$(m_1 m_2)^d \equiv m_1^d\, m_2^d \equiv \sigma_1 \sigma_2 \pmod N$

• To obtain the signature σ on a chosen message m:

1. Choose a random $m_1 = r$ and define $m_2 = m/r \bmod N$

2. Obtain the signatures $\sigma_1 = m_1^d \bmod N$ and $\sigma_2 = m_2^d \bmod N$

3. Output $\sigma = \sigma_1 \sigma_2 \bmod N$

• One-message forgery?

Idem with $m_1 = r^e \bmod N$ for a random $r$

(Note that $\sigma_1 = r$)
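The existential and selective forgeries from the two slides above, run against a constructed toy modulus; this is an added example and not code from the slides. The hashed variant at the end is an FDH-style signature (the construction Part II returns to), included to show that the multiplicative trick stops verifying once the message is hashed first. Primes, exponent, hash choice and messages are all constructed; `pow(x, -1, n)` needs Python 3.8+.

```python
import hashlib
import secrets

# Constructed toy parameters (two Mersenne primes): far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^-1 mod phi(N), Python 3.8+


def textbook_sign(m):
    return pow(m, D, N)               # sigma = m^d mod N


def textbook_verify(m, sigma):
    return pow(sigma, E, N) == m % N  # sigma^e == m (mod N)?


def existential_forgery():
    """Steps 1-4 above: pick r, set m = r^e mod N; (m, r) verifies with no oracle."""
    r = secrets.randbelow(N - 2) + 2
    return pow(r, E, N), r


def selective_forgery(m, sign_oracle):
    """Chosen-message forgery on m from oracle signatures on m1 = r and m2 = m/r."""
    r = secrets.randbelow(N - 2) + 2
    m1, m2 = r, (m * pow(r, -1, N)) % N
    return (sign_oracle(m1) * sign_oracle(m2)) % N   # (m1 m2)^d = m^d mod N


def h(m):
    """Toy full-domain hash of an integer message into Z_N (SHA-256 based)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N


def fdh_sign(m):
    return pow(h(m), D, N)            # sigma = H(m)^d mod N


def fdh_verify(m, sigma):
    return pow(sigma, E, N) == h(m)


def demo(target=123456789):
    """Returns (existential forgery verifies, selective forgery verifies,
    the same multiplicative trick verifies against the hashed variant)."""
    m_fake, s_fake = existential_forgery()
    s_sel = selective_forgery(target, textbook_sign)
    # Against FDH the product H(m1)^d H(m2)^d is unrelated to H(target)^d.
    s_fdh = selective_forgery(target, fdh_sign)
    return (textbook_verify(m_fake, s_fake),
            textbook_verify(target, s_sel),
            fdh_verify(target, s_fdh))
```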

What Does Secure Mean?

• Given $(m, e)$, computing $\sigma = m^{1/e} \bmod N$ is difficult

⟹ textbook RSA signatures are unforgeable (provided that the RSA problem is hard)

• . . . but it is easy given an oracle returning the signature on chosen messages

⟹ textbook RSA signatures are (universally) forgeable under chosen-message attacks

Page 5

Provable Security

• Security proofs

  - Reduction to a hard problem
  - Definition of a security model
  - Definition of the adversary’s resources

• Security notions

  - Signature schemes
  - Encryption schemes

Bibliography

Mihir Bellare. Practice-oriented provable security. Lectures on Data Security, LNCS 1561, pp. 1–15, Springer, 1999

Neal Koblitz and Alfred J. Menezes. Another look at “provable security”. J. Cryptology 20(1):3–37, 2007

Page 6

Part II

Provably Secure Signature Schemes

Digital Signatures

Definition

A digital signature scheme is a set of 3 algorithms:

1. Key generation

Input: security parameter $\kappa$
Output: key pair (pk, sk)

2. Signing

Input: signing key sk, message $m$ [and random $r$]
Output: $\sigma = \mathcal{S}(\mathrm{sk}, m\,[, r])$

3. Verification

Input: verification key pk, signature $\sigma$ [and message $m$]
Output: $\mathcal{V}(\mathrm{pk}, \sigma\,[, m]) = 0$ or $1$

Page 7

Security Notions

Security goals

• Key unbreakability
• Universal unforgeability
• Selective unforgeability
• Existential unforgeability (EUF)

Attack scenarios

• No resources (except public key pk)
• Known-message attacks
• Chosen-message attacks (CMA)

Definition

A security notion is a pair (security goal, attack scenario)

e.g., EUF-CMA

EUF-CMA Adversary

Page 8

Simulation Paradigm

‘Reductio ad Absurdum’

0. Challenge:

some instance $I$ of an ‘intractable’ problem

1. Simulation:

pk given to $\mathcal{A}$; simulation of $\mathcal{S}_{\mathrm{sk}}(\cdot)$ to answer $q_S$ queries of $\mathcal{A}$

2. Reduction:

resolution of $I$ from $(m^*, \sigma^*)$

=⇒ “Reductionist” security

Page 9

Cryptographic Problems

Definition (RSA problem)

Given RSA modulus $N$, public exponent $e \in \mathbb{Z}_{\varphi(N)}^*$ and random $y \in_R \mathbb{Z}_N^*$, compute $x = y^{e^{-1} \bmod \varphi(N)} \bmod N$

Definition (Flexible RSA [a.k.a. SRSA] problem)

Given RSA modulus $N$ and random $y \in_R \mathbb{Z}_N^*$, find a pair $(x, e)$ s.t. $y \equiv x^e \pmod N$ and $e > 1$

GHR Signature Scheme I

Key generation

• pk = $\{N, u\}$ with $N = (2p' + 1)(2q' + 1)$ and $u \in_R \mathbb{Z}_N^*$

• sk = {p′, q′}

Signing For a message $m \in \mathcal{M}$, compute

$\sigma = u^{c^{-1} \bmod 2p'q'} \bmod N$

where $c = H(m)$

Verification Signature $\sigma$ on message $m \in \mathcal{M}$ is valid $\iff \sigma^{H(m)} \equiv u \pmod N$

Hash function H has to be division-intractable

• e.g., $H : \mathcal{M} \to \{\text{primes}\} \cap \{0, 1\}^{\ell_h}$

Page 10

Security of GHR Scheme I

Theorem

Suppose that the SRSA problem is $(\tau, \epsilon)$-hard. Then, for any $q_S$, GHR signature scheme I is $(\tau_A, q_S, \epsilon_A)$-secure in the sense of EUF-CMA, where

$\epsilon \geq \dfrac{\epsilon_A}{\#\mathcal{M}}$ and $\tau \leq \tau_A + (q_S + \#\mathcal{M})\,\mathrm{poly}(\kappa)$

Security Proof

Challenge Given $(N, y)$, find $(x, e)$ s.t. $y \equiv x^e \pmod N$ and $e > 1$

Simulation

• Key generation: pk = $\{N, u\}$
  - choose $m' \in_R \mathcal{M}$
  - define $E = \prod_{m \in \mathcal{M},\, m \neq m'} H(m)$ and $u = y^E \bmod N$

• Signing: on input message $m$
  - if $m \neq m'$ then return $\sigma = y^{E/H(m)} \bmod N$ (indeed $\sigma^{H(m)} = y^E = u$)
  - if $m = m'$ then abort

Reduction $\mathcal{A}$ returns forgery $(\sigma^*, m^*)$ with probability $\epsilon_A$

• If $m^* = m'$ then $\sigma^* = y^{E/H(m')} \bmod N$

• Find $a, b \in \mathbb{Z}$ with $aE + b\,H(m') = 1$ (they exist since $\gcd(E, H(m')) = 1$) and set $x = \sigma^{*a} y^b \bmod N$ and $e = H(m')$; then $x^{e} = y^{aE + bH(m')} = y$

Success probability

$1 \cdot \left(1 - \dfrac{q_S}{\#\mathcal{M}}\right) \cdot \epsilon_A \cdot \dfrac{1}{\#\mathcal{M} - q_S} = \dfrac{\epsilon_A}{\#\mathcal{M}}$

Page 11

EUF-CMA Adversary (RO Model)

• RO = Random Oracle

RSA-FDH

Key generation pk = $\{N, e\}$, sk = $\{d\}$ with $d = e^{-1} \bmod \varphi(N)$

Signing

• Padding: $m \mapsto H(m)$ with $H : \{0, 1\}^* \to (\mathbb{Z}/N\mathbb{Z})^*$

• Signature: $\sigma = H(m)^d \bmod N$

Verification Given $m$ and $\sigma$, check whether $\sigma^e \bmod N \stackrel{?}{=} H(m)$

Theorem

Suppose that the RSA problem is $(\tau, \epsilon)$-hard. Then, for any $q_H, q_S$, RSA-FDH signature scheme is $(\tau_A, q_S, q_H, \epsilon_A)$-secure in the sense of EUF-CMA in the RO model, where

$\epsilon \geq \dfrac{\epsilon_A}{q_H + q_S}$ and $\tau \leq \tau_A + (q_H + q_S)\,\mathrm{poly}(\kappa)$

Page 12

Security Proof of FDH

• Simulation/reduction principle

Challenge: RSA$(N, e, y)$: find $x \in \mathbb{Z}/N\mathbb{Z}$ s.t. $y \equiv x^e \pmod N$

• Notation

$q_H$: number of hash queries that are not followed later by a signature query on the same message

qS : number of signature queries

Simulation (1)

Simulation of K (1κ)

• Choose $j \in_R \{1, \ldots, q_H + q_S\}$
• pk = $\{N, e\}$ with $N$ and $e$ taken from the challenge

Simulation of H(m)

• If $m \in \mathrm{Hist}[H]$ then return $H(m)$
• Otherwise, increment $i$ and
  - if $i \neq j$, add $(m, \sigma_i, h_i)$ to $\mathrm{Hist}[H]$ with $h_i = \sigma_i^e \bmod N$ for a random $\sigma_i \in_R (\mathbb{Z}/N\mathbb{Z})^*$, and return $h_i$
  - if $i = j$ then add $(m, \bot, h_j)$ to $\mathrm{Hist}[H]$ with $h_j = y$, and return $h_j$

Simulation of Ssk(m)

• If $m \notin \mathrm{Hist}[H]$ then invoke $H$
• Let $(m, \sigma_i, h_i)$ be the entry in $\mathrm{Hist}[H]$ corresponding to $m$
  - if $\sigma_i = \bot$ then fail and stop
  - otherwise return $\sigma_i$

Page 13

Reduction (2)

Reduction

• $\mathcal{A}$ returns forgery $\sigma^* = H(m^*)^d \bmod N$ with probability $\epsilon_A$, after time $\tau_A$, $q_H$ queries to $H$ and $q_S$ queries to $\mathcal{S}$

• If $m^* = m_j$ then $\sigma^* = H(m_j)^d \bmod N$ with $H(m_j) = y$

⟹ $x = \sigma^*$ is a solution to RSA since $y \equiv \sigma^{*e} \pmod N$
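The simulation and reduction just described, as an added example that is not code from the slides: the simulator answers H and S queries knowing only the challenge (N, e, y), programs the j-th fresh hash query with y, and extracts an RSA solution when the forgery lands on that message. The stand-in forger is handed d purely so that it can produce a forgery at all (a real adversary has no d); toy primes, the guess j, and all class and function names are mine.

```python
import secrets

P, Q = 2**61 - 1, 2**89 - 1            # constructed toy primes, not for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # secret; used only by the stand-in forger

class FDHSimulator:
    """Answers H and S queries from a challenge (N, e, y) without knowing d."""
    def __init__(self, n, e, y, j):
        self.n, self.e, self.y, self.j = n, e, y, j
        self.hist, self.i = {}, 0      # Hist[H]: m -> (sigma_i or None, h_i)

    def H(self, m):                    # simulated random oracle
        if m not in self.hist:
            self.i += 1
            if self.i == self.j:       # program the j-th fresh query with y
                self.hist[m] = (None, self.y % self.n)
            else:                      # h_i = sigma_i^e, so sigma_i signs m for free
                s = secrets.randbelow(self.n - 2) + 2
                self.hist[m] = (s, pow(s, self.e, self.n))
        return self.hist[m][1]

    def S(self, m):                    # simulated signing oracle
        self.H(m)
        s = self.hist[m][0]
        if s is None:
            raise RuntimeError("abort: signing query on the programmed message")
        return s

    def reduce(self, m_star, sigma_star):
        """x with x^e = y (mod N) if the forgery lands on m_j, else None."""
        entry = self.hist.get(m_star)
        ok = entry is not None and entry[0] is None \
            and pow(sigma_star, self.e, self.n) == entry[1]
        return sigma_star if ok else None   # then sigma*^e = H(m_j) = y

def forger(H, S, messages, target):
    """Stand-in adversary: H on all messages, S on all but target, then a forgery on target via d."""
    for m in messages:
        H(m)
        if m != target:
            S(m)
    return target, pow(H(target), D, N)

def run_reduction(messages, target, j):
    """One reduction attempt with guess j; True iff an RSA solution is extracted."""
    y = secrets.randbelow(N - 2) + 2   # the RSA challenge (N, e, y)
    sim = FDHSimulator(N, E, y, j)
    try:
        m_star, sigma_star = forger(sim.H, sim.S, messages, target)
    except RuntimeError:               # wrong guess: S was asked about m_j
        return False
    x = sim.reduce(m_star, sigma_star)
    return x is not None and pow(x, E, N) == y
```

A wrong guess of j aborts exactly as in the proof, which is where the loss factor in the success probability comes from.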

Analysis

• Success probability

$\epsilon = \Pr[\text{Simulation is perfect}] \cdot \epsilon_A \cdot \Pr[m^* = m_j] = \left(1 - \dfrac{q_S}{q_H + q_S}\right) \cdot \epsilon_A \cdot \dfrac{1}{q_H} = \dfrac{\epsilon_A}{q_H + q_S}$

• Time: $\tau = \tau_A + (q_H + q_S)\,\mathrm{poly}(\kappa)$

Concrete Security

• Security of RSA-FDH: $\epsilon = \dfrac{\epsilon_A}{q_H + q_S}$

• If $q_H = 2^{40}$ and $q_S = 2^{20}$ then
  - $\epsilon = 2^{-120}$ if $\epsilon_A = 2^{-80}$
  - $\epsilon_A = 2^{-40}$ if $\epsilon = 2^{-80}$

• Improvement
  - optimal proof: $\epsilon = \dfrac{\epsilon_A}{q_S}$

Page 14

Other Schemes

• RSA-PSS [Bellare and Rogaway, 1996]

Probabilistic Signature Scheme

$\mu(m) = \mu_{\mathrm{PSS}}(m, r)$ for a random $r$

  - highest security level (EUF-CMA) in the ROM
  - tight security proof and can be with message recovery

• PKCS #1 v2.1 [RSA Labs]

GHR Signature Scheme II

Key generation

• pk = $\{N, u, y, g, P\}$ with $N = (2p' + 1)(2q' + 1)$, $u \in_R \mathbb{Z}_N^*$, $y \in_R \langle g \rangle \subseteq \mathbb{Z}_P^*$, $g$ of prime order $Q \mid (P - 1)$

• sk = $\{p', q'\}$

Signing For a message $m \in \mathcal{M}$, compute

$\sigma = (r,\; u^{c^{-1} \bmod 2p'q'} \bmod N)$

where $c = H(g^m y^r \bmod P)$ for some $r \in_R \mathbb{Z}_Q$

Verification Signature $\sigma = (r, s)$ on message $m \in \mathcal{M}$ is valid $\iff s^{c'} \equiv u \pmod N$ where $c' = H(g^m y^r \bmod P)$

Security reduction is tight but, again, hash function $H$ has to be division-intractable

Page 15

Chameleon (a.k.a. Trapdoor) Hash

Example (DL-based)

Let $G = \langle g \rangle \subseteq \mathbb{Z}_P^*$ of order $Q$

$H : \mathcal{M} \times \mathbb{Z}_Q \to \{0, 1\}^{\ell_h}$, $(m, r) \mapsto H(g^m y^r \bmod P)$

• $c = H(m, r) = H(m', r') \implies r' = r + \dfrac{m - m'}{x} \bmod Q$ where $x = \mathrm{DL}_g(y)$

Example (RSA-based)

Let an RSA modulus $N = pq$

$H : \mathcal{M} \times \mathbb{Z}_N \to \{0, 1\}^{\ell_h}$, $(m, r) \mapsto H(g^m r^E \bmod N)$

• $c = H(m, r) = H(m', r') \implies r' = r\,(g^{m - m'})^D \bmod N$ where $D = E^{-1} \bmod \varphi(N)$
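The RSA-based chameleon hash above with its trapdoor collision, as an added example that is not code from the slides: whoever holds $D$ can open a hash of $(m, r)$ to any other message $m'$ by computing $r' = r\,(g^{m-m'})^D \bmod N$, while without $D$ random openings do not collide. The modulus, base $g$ and the SHA-256 outer hash are constructed toy choices; `pow` with a negative exponent needs Python 3.8+.

```python
import hashlib
import secrets

# Constructed toy RSA modulus (Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                                   # public chameleon exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # trapdoor, known to the signer only
G = 3                                       # constructed public base g in Z_N^*


def chameleon_hash(m, r):
    """(m, r) -> H(g^m r^E mod N), with H = SHA-256 as a toy outer hash."""
    v = (pow(G, m, N) * pow(r, E, N)) % N
    return hashlib.sha256(v.to_bytes(32, "big")).hexdigest()


def trapdoor_collision(m, r, m_new):
    """With the trapdoor D, return r' such that hash(m_new, r') = hash(m, r).

    g^{m_new} r'^E = g^{m_new} r^E g^{(m - m_new) D E} = g^m r^E (mod N)."""
    return (r * pow(pow(G, m - m_new, N), D, N)) % N   # r' = r (g^{m-m'})^D


def no_trapdoor_attempt(m, r, m_new, tries=200):
    """Without D: random openings of m_new never hit hash(m, r) in practice."""
    target = chameleon_hash(m, r)
    return any(chameleon_hash(m_new, secrets.randbelow(N)) == target
               for _ in range(tries))
```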

Design Criteria

• Make the GHR signature scheme practical

  - keep a tight reduction without relying on the division-intractability assumption

• Intuition

  - choose a random prime exponent $c$
  - use a chameleon function to tighten the security reduction

• in particular, an RSA-type chameleon function
• the security of TSS is solely related to the SRSA

Page 16

TSS Signature Scheme

Key generation

• pk = $\{n, N, u, g, E\}$ with
  - $n = (2p' + 1)(2q' + 1)$ and $N = (2P' + 1)(2Q' + 1)$
  - $u \in_R \mathbb{Z}_n^*$ and $g \in_R \mathbb{Z}_N^*$
  - $E$ is an $(\ell_m + 1)$-bit prime (and $\gcd(E, P'Q') = 1$)

• sk = $\{p', q', D\}$ where $D = E^{-1} \bmod 2P'Q'$

Signing For a message $m \in \mathcal{M} = \{0, 1\}^{\ell_m}$, compute

$\sigma = \big(\underbrace{(c\, g^{-(m+1)})^D \bmod N}_{= r},\; u^{c^{-1} \bmod 2p'q'} \bmod n\big)$

for some random prime $c \in_R [(N + 1)/2, N[$

Verification Signature $\sigma = (r, s)$ on message $m \in \mathcal{M}$ is valid $\iff s^{c'} \equiv u \pmod n$ where $c' = g^{m+1} r^E \bmod N$

Notes: 1) For sEUF-CMA, also check that $(r, s) \in [0, N[ \times [0, n[$; 2) No need to check the primality of $c$

Security Analysis

Theorem

Suppose that the flexible RSA problem is $(\tau, \epsilon)$-hard. Then, for any $q_s$, the TSS signature scheme is $(\tau_A, q_s, \epsilon_A)$-secure in the sense of sEUF-CMA, where

$\epsilon \geq \dfrac{\epsilon_A}{2}$ and $\tau \lesssim \tau_A + O\big(\ell_n^5 + q_s\, \ell_n^3 \max(\log q_s, \ell_n)\big)$

• The proof technique makes use of the chameleon paradigm to get a tight security reduction

Page 17

Efficiency Analysis

Scheme    | Security: Tight. | Security: Ass.  | Typical values           | Bitsize σ  | Bitsize pk | Bitsize sk
GHR (II)  | O(1)             | Div + DL + SRSA | ℓn = ℓp = 1024, ℓq = 160 | ℓn + ℓq    | 2ℓn + 3ℓp  | ½ ℓn
Twin-GHR  | O(1)             | SRSA            | ℓn = 1024, ℓm = 160      | 2ℓn + 2ℓm  | 4ℓn        | ℓn
CS        | O(1/qs)          | SRSA            | ℓn ≫ 1024, ℓh = 160      | 2ℓn + ℓh   | 3ℓn + ℓh   | ½ ℓn
Fischlin  | O(1/qs)          | SRSA            | ℓn ≫ 1024, ℓh = 160      | ℓn + 2ℓh   | 4ℓn        | ½ ℓn
TSS       | O(1)             | SRSA            | ℓn = 1024, ℓm = 160      | 2ℓn        | 4ℓn + ℓm   | ℓn

On-line/Off-line Version

Key generation Idem regular version

Signing (off-line) Prepare a coupon

$\sigma' = \big(k',\; \underbrace{g^{(k' - D)} c^D \bmod N}_{= r},\; u^{c^{-1} \bmod 2p'q'} \bmod n\big)$

for some random prime $c \in_R [(N + 1)/2, N[$ and random $(\ell_n + \ell_m + \ell)$-bit integer $k'$

Signing (on-line) For a message $m \in \mathcal{M} = \{0, 1\}^{\ell_m}$, compute

$\sigma = (\underbrace{k' + D\, m}_{= k},\; r,\; s)$

from a fresh coupon $\sigma' = (k', r, s)$

Verification On-line/off-line signature $\sigma = (k, r, s)$ on message $m \in \mathcal{M}$ is valid $\iff s^{c'} \equiv u \pmod n$ where $c' = g^{m+1} r'^E \bmod N$ and $r' = r\, g^{-k} \bmod N$

Page 18

Summary

• The TSS signature scheme

  - meets the highest security notion
  - is proven secure in the standard model
  - is tightly and solely related to SRSA
  - does not require additional properties on a hash function

• and so is practical

  - comes with a companion on-line/off-line variant
    - using the same set of keys

• My recommendation

Use it!

Bibliography

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM Press, 1993

B. Chevallier-Mames and M. Joye. A practical and tightly secure signature scheme without hash function. Topics in Cryptology − CT-RSA 2007, LNCS 4377, pp. 339–356, Springer, 2007

R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. Advances in Cryptology − EUROCRYPT ’99, LNCS 1592, pp. 123–139, Springer-Verlag, 1999

Page 19

Part III

Provably Secure Encryption Schemes

Encryption Schemes

Definition

A (public-key) encryption scheme is a set of 3 algorithms:

1. Key generation

Input: security parameter $\kappa$
Output: key pair (pk, sk)

2. Encryption

Input: encryption key pk, message $m$ [and random $r$]
Output: $C = \mathcal{E}(\mathrm{pk}, m\,[, r])$

3. Decryption

Input: decryption key sk , ciphertext C

Output: m = D(sk ,C )

Page 20

Security Goals

• Key unbreakability

• Non-reversibility

• Indistinguishability of encryptions

• . . .

A system has indistinguishable encryptions if no adversary $\mathcal{A}$ can win the following game:

Find A chooses 2 equal-length plaintexts m0 and m1

Guess $\mathcal{A}$ is now given the encryption $c_b$ for unknown bit $b$

The goal of adversary $\mathcal{A}$ is to guess the value of $b$ with probability $> 1/2$

Attack Scenarios

Passive attacks A only observes the communication channel

• ∅
• Ciphertext-only attacks
• Known-plaintext attacks

Chosen-plaintext attacks (CPA)

• Non-adaptive/Adaptive

Chosen-ciphertext attacks (CCA)

• Non-adaptive/Adaptive
• E.g., $\mathcal{A}$ gained access to the decryption equipment

Page 21

Security Notions

Definition

A security notion is a pair (security goal, attack scenario)

Highest security level

IND-CCA2

• that is, indistinguishability under adaptive chosen-ciphertext attacks

RSA-OAEP Encryption

Key generation pk = $\{N, e\}$, sk = $\{d\}$ with $d = e^{-1} \bmod \varphi(N)$

Encryption

• Choose a random $r$
• Padding: $w = (m \| 0^k) \oplus G(r)$ and $t = r \oplus H(w)$
• Encryption: $C = (w \| t)^e \bmod N$

Decryption Given $C$, compute

1. $(w' \| t') = C^d \bmod N$

2. $r' = H(w') \oplus t'$

3. $(m' \| z') = G(r') \oplus w'$

and output $m = m'$ if $z' = 0^k$
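The OAEP padding and the $z' = 0^k$ redundancy check above over a constructed toy modulus, as an added example that is not code from the slides or from PKCS #1. $G$ and $H$ are built here from SHA-256 in counter mode (a toy choice), the byte lengths of $r$, of the zero block and of $m$ are constructed, and $r$ must be fresh random bytes per encryption in practice; `pow(e, -1, n)` needs Python 3.8+.

```python
import hashlib

# Constructed toy primes (Mersenne): N is about 216 bits, far too small for real use.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K0, K1, ML = 8, 8, 8             # byte lengths of r, of the 0^k redundancy, of m
WT = ML + K1 + K0                # byte length of w||t (192 bits < |N|)

def mask(label, seed, length):
    """G (label b'G') and H (label b'H'): counter-mode SHA-256 expansions."""
    out = b""
    for ctr in range(-(-length // 32)):
        out += hashlib.sha256(label + seed + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(m, r):
    """m: ML bytes, r: K0 fresh random bytes. Returns C = (w||t)^e mod N."""
    assert len(m) == ML and len(r) == K0
    w = xor(m + bytes(K1), mask(b"G", r, ML + K1))   # w = (m||0^k) xor G(r)
    t = xor(r, mask(b"H", w, K0))                     # t = r xor H(w)
    return pow(int.from_bytes(w + t, "big"), E, N)

def oaep_decrypt(c):
    """Returns m, or None when the redundancy check z' = 0^k fails."""
    x = pow(c, D, N)                                  # (w'||t') = C^d mod N
    if x >= 1 << (8 * WT):
        return None                                   # cannot be a padded block
    wt = x.to_bytes(WT, "big")
    w, t = wt[:ML + K1], wt[ML + K1:]
    r = xor(mask(b"H", w, K0), t)                     # r' = H(w') xor t'
    mz = xor(mask(b"G", r, ML + K1), w)               # (m'||z') = G(r') xor w'
    return mz[:ML] if mz[ML:] == bytes(K1) else None  # accept only if z' = 0^k

def tampered(m, r):
    """Decrypt a ciphertext with one flipped bit: the check must reject it."""
    return oaep_decrypt(oaep_encrypt(m, r) ^ 1)
```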

Page 22

Security

Theorem

Under the RSA assumption, RSA-OAEP encryption scheme is secure in the sense of IND-CCA2 in the RO model

• PKCS #1 v2.1 [RSA Labs]

Bibliography

M. Bellare and P. Rogaway. Optimal asymmetric encryption – How to encrypt with RSA. Advances in Cryptology − EUROCRYPT ’94, LNCS 950, pp. 92–111, Springer-Verlag, 1995

Page 23

Part IV

Conclusion

Summary

• Security is always “proved” in a given model

  - security goal, adversarial resources (black-box adversaries)
  - standard vs. idealized model

• e.g., random oracle model

• Security is reduced to the hardness of some cryptographic problem

e.g., RSA problem, DL problem, . . .

• Asymptotic vs. concrete security

Page 24

Comments/Questions?

http://www.geocities.com/MarcJoye/

