
Page 1: cs.wellesley.edu/~cs310/lectures/28_digit_signatures_slides_handouts.pdf

Introduction Digital signatures Hash-and-Sign RSA Signatures Hashed RSA

John Hancock enters the 21st century: Digital signature schemes

Foundations of Cryptography, Computer Science Department

Wellesley College

Fall 2016


Table of contents

Introduction

Digital signatures

Hash-and-Sign

RSA Signatures

Hashed RSA

Page 2

Digital signatures

• So far we have dealt only with methods for achieving private communication in the public-key setting.

• We now turn to the question of preserving message integrity.

• The public-key counterpart of message authentication codes (MACs) are known as digital signatures. Digital signatures, like real signatures and unlike MACs, are publicly verifiable, transferable, and have the property of nonrepudiation.


Signature schemes

Definition 12.1. A signature scheme is a tuple of three probabilistic polynomial-time algorithms $(\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vrfy})$ satisfying the following:

1. The key-generation algorithm $\mathrm{Gen}$ takes as input a security parameter $1^n$ and outputs a pair of keys $(pk, sk)$. These are called the public key and the private key, respectively. We assume that $pk$ and $sk$ each have length at least $n$, and that $n$ can be determined from $pk, sk$.

2. The signing algorithm $\mathrm{Sign}$ takes as input a private key $sk$ and a message $m \in \{0,1\}^*$. It outputs a signature $\sigma$, denoted as $\sigma \leftarrow \mathrm{Sign}_{sk}(m)$.

3. The deterministic verification algorithm $\mathrm{Vrfy}$ takes as input a public key $pk$, a message $m$, and a signature $\sigma$. It outputs a bit $b$, with $b = 1$ meaning valid and $b = 0$ meaning invalid. We write $b := \mathrm{Vrfy}_{pk}(m, \sigma)$.

We require that for every $(pk, sk)$ output by $\mathrm{Gen}(1^n)$ and every $m \in \{0,1\}^*$,

$$\mathrm{Vrfy}_{pk}(m, \mathrm{Sign}_{sk}(m)) = 1.$$

Page 3

Using a signature scheme

[Figure: embedded slide "Public key cryptography 17-26", panel "But at a cost"; image not recoverable]

*Digital signatures reduce the burden for applications that do not require confidentiality.

*All this depends on A's being able to send B her public key in a reliable and authenticated manner. But, isn't that what we are trying to achieve here?


Security of signature schemes

Let $\Pi = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vrfy})$ be a signature scheme.

The signature experiment $\textsf{Sig-forge}_{A,\Pi}(n)$:

1. $\mathrm{Gen}(1^n)$ is run to obtain keys $(pk, sk)$.

2. Adversary $A$ is given $pk$ and oracle access to $\mathrm{Sign}_{sk}(\cdot)$. The adversary then outputs $(m, \sigma)$. Let $Q$ denote the set of messages whose signatures were requested by $A$ during its execution.

3. The output of the experiment is defined to be 1 if and only if (1) $\mathrm{Vrfy}_{pk}(m, \sigma) = 1$, and (2) $m \notin Q$.

Definition 12.2. A signature scheme $\Pi = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all PPT adversaries $A$, there exists a negligible function $\mathrm{negl}$ such that

$$\Pr[\textsf{Sig-forge}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n).$$

Page 4

The hash-and-sign paradigm

Construction 12.3. Let $\Pi = (\mathrm{Gen}_S, \mathrm{Sign}, \mathrm{Vrfy})$ be a signature scheme for messages of length $\ell(n)$ and let $\Pi_H = (\mathrm{Gen}_H, H)$ be a hash function where the output of $H$ on security parameter $1^n$ has length $\ell(n)$. Construct a signature scheme $\Pi'$ for arbitrary-length messages as follows:

• $\mathrm{Gen}'$: On input $1^n$ run $\mathrm{Gen}_S(1^n)$ to obtain $(pk, sk)$ and run $\mathrm{Gen}_H(1^n)$ to obtain $s$. The public key is $pk' = \langle pk, s \rangle$ and the private key is $sk' = \langle sk, s \rangle$.

• $\mathrm{Sign}'$: On input a private key $\langle sk, s \rangle$ and a message $m \in \{0,1\}^*$, compute the signature

$$\sigma \leftarrow \mathrm{Sign}_{sk}(H_s(m)).$$

• $\mathrm{Vrfy}'$: On input a public key $\langle pk, s \rangle$, a message $m \in \{0,1\}^*$, and a signature $\sigma$, output 1 if and only if

$$\mathrm{Vrfy}_{pk}(H_s(m), \sigma) \stackrel{?}{=} 1.$$


Security of the hash-and-sign paradigm

Theorem 12.4. If $\Pi$ is a secure signature scheme for messages of length $\ell$ and $\Pi_H$ is collision resistant, then Construction 12.3 is existentially unforgeable under an adaptive chosen-message attack.

Proof. Let $A'$ be a PPT adversary attacking $\Pi'$. In the execution of experiment $\textsf{Sig-forge}_{A',\Pi'}(n)$ let $pk' = \langle pk, s \rangle$ denote the public key used, $Q$ the set of messages whose signatures were requested, and let $(m, \sigma)$ be the final output of $A'$. Assume $m \notin Q$.

Define $\textsf{coll}_{A',\Pi'}(n)$ to be the event that there exists $m' \in Q$ for which $H_s(m') = H_s(m)$. We have

$$\begin{aligned}
\Pr[\textsf{Sig-forge}_{A',\Pi'}(n) = 1]
&= \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \textsf{coll}_{A',\Pi'}(n)] + \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \overline{\textsf{coll}_{A',\Pi'}(n)}] \\
&\le \Pr[\textsf{coll}_{A',\Pi'}(n)] + \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \overline{\textsf{coll}_{A',\Pi'}(n)}].
\end{aligned}$$

Page 5

A PPT algorithm $C$ for finding a collision in $\Pi_H$

Algorithm $C$. The algorithm is given $s$ as input.

• Compute $\mathrm{Gen}_S(1^n)$ to obtain $(pk, sk)$. Set $pk' = \langle pk, s \rangle$.

• Run $A'$ on input $pk'$. When $A'$ requests the $i$th signature on some message $m_i \in \{0,1\}^*$, compute $\sigma_i \leftarrow \mathrm{Sign}_{sk}(H_s(m_i))$ and give $\sigma_i$ to $A'$.

• Eventually $A'$ outputs $(m, \sigma)$. If there exists an $i$ for which $H_s(m) = H_s(m_i)$, output $(m, m_i)$.

The view of $A'$ when run as a subroutine by $C$ is distributed identically to the view of $A'$ in experiment $\textsf{Sig-forge}_{A',\Pi'}(n)$. Since $C$ outputs a collision when $\textsf{coll}_{A',\Pi'}(n)$ occurs, we have

$$\Pr[\textsf{Hash-coll}_{C,\Pi_H}(n) = 1] = \Pr[\textsf{coll}_{A',\Pi'}(n)].$$


A PPT algorithm $A$ attacking signature scheme $\Pi$

Algorithm $A$. The adversary is given as input a public key $pk$ and has access to a signing oracle $\mathrm{Sign}_{sk}(\cdot)$.

• Compute $\mathrm{Gen}_H(1^n)$ to obtain $s$. Set $pk' = \langle pk, s \rangle$.

• Run $A'$ on input $pk'$. When $A'$ requests the $i$th signature on some message $m_i \in \{0,1\}^*$, this is answered as follows: (1) compute $\hat{m}_i = H_s(m_i)$; and (2) obtain a signature $\sigma_i$ on $\hat{m}_i$ from the signing oracle, and give $\sigma_i$ to $A'$.

• Eventually $A'$ outputs $(m, \sigma)$. Output $(H_s(m), \sigma)$.

Consider the experiment $\textsf{Sig-forge}_{A,\Pi}(n)$. The view of $A'$ when run as a subroutine by $A$ is distributed exactly as its view in experiment $\textsf{Sig-forge}_{A',\Pi'}(n)$. We show that whenever both $\textsf{Sig-forge}_{A',\Pi'}(n) = 1$ and $\overline{\textsf{coll}_{A',\Pi'}(n)}$ occur, $A$ outputs a forgery:

$$\Pr[\textsf{Sig-forge}_{A,\Pi}(n) = 1] = \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \overline{\textsf{coll}_{A',\Pi'}(n)}].$$

Page 6

Concluding the proof

Since $\Pi_H$ is collision resistant and $\Pi$ is existentially unforgeable under an adaptive chosen-message attack, there exist negligible functions $\mathrm{negl}_1, \mathrm{negl}_2$ such that

$$\begin{aligned}
\Pr[\textsf{Sig-forge}_{A',\Pi'}(n) = 1]
&= \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \textsf{coll}_{A',\Pi'}(n)] + \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \overline{\textsf{coll}_{A',\Pi'}(n)}] \\
&\le \Pr[\textsf{coll}_{A',\Pi'}(n)] + \Pr[\textsf{Sig-forge}_{A',\Pi'}(n) \wedge \overline{\textsf{coll}_{A',\Pi'}(n)}] \\
&= \Pr[\textsf{Hash-coll}_{C,\Pi_H}(n) = 1] + \Pr[\textsf{Sig-forge}_{A,\Pi}(n) = 1] \\
&\le \mathrm{negl}_1(n) + \mathrm{negl}_2(n).
\end{aligned}$$


“Textbook RSA” signature scheme*

[Figure: embedded slide "Public key cryptography 17-19", panel "Authentication"; image not recoverable]

*Recall Diffie and Hellman were also interested in addressing authentication.

*As shown in many standard texts.

Page 7

“Textbook RSA” signature scheme construction

Construction 12.5. Let $\mathrm{GenRSA}$ be a PPT algorithm that, on input $1^n$, outputs a modulus $N$ that is a product of two primes, along with integers $e, d$ satisfying $ed = 1 \bmod \phi(N)$.

• $\mathrm{Gen}$: On input $1^n$ run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.

• $\mathrm{Sign}$: On input a private key $sk = \langle N, d \rangle$ and a message $m \in \mathbb{Z}_N^*$, compute the signature

$$\sigma := [m^d \bmod N].$$

• $\mathrm{Vrfy}$: On input a public key $pk = \langle N, e \rangle$, a message $m \in \mathbb{Z}_N^*$, and a signature $\sigma \in \mathbb{Z}_N^*$, output 1 if and only if

$$m \stackrel{?}{=} [\sigma^e \bmod N].$$


“Textbook RSA” does not satisfy our security definition

No-message attack. Given a public key $pk = \langle N, e \rangle$, choose an arbitrary $\sigma \in \mathbb{Z}_N^*$ and compute $m := [\sigma^e \bmod N]$. Then output the forgery $(m, \sigma)$.*

[Figure: embedded slide "Random Functions 5-3", panel "Attack plans" (linear or differential analysis; exhaustive key search); image not recoverable]

Remark. This does not seem like a realistic attack since the adversary has “no control” over the message $m$ for which it forges a valid signature. Or does she?

*This forgery uses only the public key, without obtaining any signatures from the legitimate signer.

Page 8

A more general attack

Forging a signature on an arbitrary message. Say the adversary wants to forge a signature on $m \in \mathbb{Z}_N^*$ with respect to public key $pk = \langle N, e \rangle$. The adversary chooses a random message $m_1 \in \mathbb{Z}_N^*$, sets $m_2 := [m / m_1 \bmod N]$, and then obtains signatures $\sigma_1$ and $\sigma_2$ on $m_1$ and $m_2$ respectively.

Claim. $\sigma := [\sigma_1 \cdot \sigma_2 \bmod N]$ is a valid signature on $m$.

*Again, how realistic is this scenario?


One solution: Hashing the message before signing it

The hashed RSA signature scheme. In addition to the public and private keys already discussed, we are given a function $H : \{0,1\}^* \to \mathbb{Z}_N^*$. The message is signed by computing $\sigma := [H(m)^d \bmod N]$ and verified by checking whether

$$\sigma^e \stackrel{?}{=} H(m) \bmod N.$$

[Figure: embedded slide "Public key cryptography 17-26", panel "But at a cost"; image not recoverable]

*Digital signatures reduce the burden for applications that do not require confidentiality.

*At a bare bones minimum, $H$ had better be collision-resistant. Why?
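As an added example (not code from the handout), here is textbook RSA (Construction 12.5) beside hashed RSA, with the no-message and chosen-message forgeries from the two preceding slides run against both. It assumes constructed toy parameters (primes 61 and 53, $e = 17$) and uses SHA-256 reduced modulo $N$ as a stand-in for $H$; nothing at this size is secure, the point is to see why multiplying signatures works on raw $m$ and stops working once the signer only ever exponentiates $H(m)$.

```python
import hashlib
from math import gcd

def gen_rsa(p=61, q=53, e=17):
    """Toy GenRSA (Alg. 8.47) with constructed small primes; real keys use >= 1024-bit primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1            # e must be invertible modulo phi(N)
    return n, e, pow(e, -1, phi)       # d := e^{-1} mod phi(N)

def textbook_sign(sk, m):              # Construction 12.5: sigma := m^d mod N
    n, d = sk
    return pow(m, d, n)

def textbook_vrfy(pk, m, sigma):       # accept iff m = sigma^e mod N
    n, e = pk
    return m % n == pow(sigma, e, n)

def H(n, m: bytes):                    # stand-in for H : {0,1}* -> Z_N
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def hashed_sign(sk, m: bytes):         # hashed RSA: sigma := H(m)^d mod N
    n, d = sk
    return pow(H(n, m), d, n)

def hashed_vrfy(pk, m: bytes, sigma):  # accept iff sigma^e = H(m) mod N
    n, e = pk
    return pow(sigma, e, n) == H(n, m)

def no_message_forgery(pk, sigma):
    """Slide 7: from pk alone, pick sigma and declare m := sigma^e mod N."""
    n, e = pk
    return pow(sigma, e, n), sigma

def multiplicative_forgery(pk, sign_oracle, m, m1):
    """Slide 8: have m1 and m2 := m/m1 signed, then sigma := sigma1*sigma2."""
    n, _ = pk
    m2 = (m * pow(m1, -1, n)) % n
    return (sign_oracle(m1) * sign_oracle(m2)) % n

def demo():
    n, e, d = gen_rsa()
    pk, sk = (n, e), (n, d)
    m, sigma = no_message_forgery(pk, 5)
    nomsg_ok = textbook_vrfy(pk, m, sigma)                       # True
    forged = multiplicative_forgery(pk, lambda x: textbook_sign(sk, x), 1234, 99)
    cma_ok = textbook_vrfy(pk, 1234, forged)                     # True
    # Hashed RSA: the product of two genuine signatures verifies on a third
    # message only if H(m1)*H(m2) = H(m3) mod N, which the attacker cannot arrange.
    m1, m2, m3 = b"invoice 1", b"invoice 2", b"pay 1000 to mallory"
    combined = (hashed_sign(sk, m1) * hashed_sign(sk, m2)) % n
    honest_ok = hashed_vrfy(pk, m3, hashed_sign(sk, m3))         # True
    return nomsg_ok, cma_ok, honest_ok, hashed_vrfy(pk, m3, combined)
```

The last value returned by `demo()` is true only on a hash coincidence, and the multiplicative relation on hash values is exactly what the "Security of Hashed RSA" slide says the adversary would have to find.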

Page 9

The RSA-FDH signature scheme

Construction 12.6. Let $\mathrm{GenRSA}$ be a PPT algorithm that, on input $1^n$, outputs a modulus $N$ that is a product of two primes, along with integers $e, d$ satisfying $ed = 1 \bmod \phi(N)$.

• $\mathrm{Gen}$: On input $1^n$ run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$. As part of the key generation, a function $H : \{0,1\}^* \to \mathbb{Z}_N^*$ is specified.

• $\mathrm{Sign}$: On input a private key $sk = \langle N, d \rangle$ and a message $m \in \mathbb{Z}_N^*$, compute the signature

$$\sigma := [H(m)^d \bmod N].$$

• $\mathrm{Vrfy}$: On input a public key $pk = \langle N, e \rangle$, a message $m \in \mathbb{Z}_N^*$, and a signature $\sigma \in \mathbb{Z}_N^*$, output 1 if and only if

$$\sigma^e \stackrel{?}{=} H(m) \bmod N.$$


Security of Hashed RSA

There is some intuition as to why the previous attacks seem unlikely.

The no-message attack. One natural attempt is to choose $\sigma \in \mathbb{Z}_N^*$, compute $\hat{m} := [\sigma^e \bmod N]$, then try to find some $m \in \{0,1\}^*$ such that $H(m) = \hat{m}$.

Forging a signature on an arbitrary message. One attempt to duplicate the chosen-message attack requires the adversary to find three messages $m, m_1, m_2$ for which $H(m) = [H(m_1) \cdot H(m_2) \bmod N]$.

Finally, it must be hard to find collisions in $H$ since if $H(m_1) = H(m_2)$, then $m_1, m_2$ have the same signature and forgery is trivial.

Page 10

Good news and bad

• There is no known function $H$ for which hashed RSA signature schemes are known to be secure.

• However, hashed RSA is provably secure in an idealized model where $H$ is modeled as a random oracle that maps inputs uniformly onto $\mathbb{Z}_N^*$. In this case the scheme is called RSA full-domain hash (RSA-FDH).

• This provides a heuristic justification of the scheme when $H$ is a “random-looking” hash function.


Security of RSA-FDH

Theorem 12.7. If the RSA problem is hard relative to $\mathrm{GenRSA}$ and $H$ is modeled as a random oracle, then Construction 12.6 is secure.

Proof idea. Consider first security against a no-message attack.* The adversary is limited to queries to the random oracle $H$.

We assume WLOG that $A$ always makes exactly $q$ (distinct) queries to $H$ and that if it outputs a forgery $(m, \sigma)$ then it previously queried $m$ to $H$.

Suppose there is an efficient no-message adversary $A$ that makes exactly $q$ queries to $H$. We construct an efficient $A'$ solving RSA relative to $\mathrm{GenRSA}$.

*That is, when $A$ cannot request any signatures.

Page 11

Recall GenRSA

Algorithm 8.47. GenRSA

Input: Length $n$; parameter $t$
Output: $N, e, d$ as described below

    $(N, p, q) \leftarrow \mathrm{GenModulus}(1^n)$*
    $\phi(N) := (p - 1)(q - 1)$
    find $e$ such that $\gcd(e, \phi(N)) = 1$
    compute $d := [e^{-1} \bmod \phi(N)]$**
    return $N, e, d$

*$N = pq$ with $p, q$ $n$-bit primes.

**Such an integer $d$ exists since $e$ is invertible modulo $\phi(N)$.


And recall what “RSA is hard relative to GenRSA” means

The RSA experiment $\textsf{RSA-inv}_{A,\mathrm{GenRSA}}(n)$:

1. Run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$.

2. Choose $y \leftarrow \mathbb{Z}_N^*$.

3. $A$ is given $N, e, y$, and outputs $x \in \mathbb{Z}_N^*$.

4. The output of the experiment is defined to be 1 if $x^e = y \bmod N$, and 0 otherwise.

Definition 8.46. We say that the RSA problem is hard relative to $\mathrm{GenRSA}$ if for all probabilistic polynomial-time algorithms $A$ there exists a negligible function $\mathrm{negl}$ such that

$$\Pr[\textsf{RSA-inv}_{A,\mathrm{GenRSA}}(n) = 1] \le \mathrm{negl}(n).$$

Page 12

Construction of adversary $A'$

Adversary $A'$: The adversary is given $(N, e, y)$.

1. $A'$ runs $A$ on the public key $pk = \langle N, e \rangle$.

2. Let $m_1, \ldots, m_q$ denote the $q$ queries $A$ makes to $H$. $A'$ answers these with uniform elements of $\mathbb{Z}_N^*$ except for the $i$th, which is answered with $y$ ($i$ is chosen uniformly from $\{1, \ldots, q\}$).

3. If $A$ outputs a forgery $(m, \sigma)$, then $A'$ outputs $\sigma$ as the solution to the RSA instance $(N, e, y)$.

$A$'s point of view when run as a subroutine of $A'$ is distributed identically to its view when attacking the original signature scheme. If $A$ outputs a forgery $(m, \sigma)$, then with probability $1/q$, $m = m_i$ and

$$\sigma^e = H(m) = H(m_i) = y \bmod N,$$

and $A'$ can output $\sigma$ as the solution to its RSA instance $(N, e, y)$.


But what about the case when $A$ can request signatures?

• Adversary $A'$ does not have access to the decryption exponent $d$, but needs to compute valid signatures for subroutine $A$.

• However, $A'$ can correctly compute signatures on a message $m$ as long as it sets $H(m)$ to $[\sigma^e \bmod N]$ for a known $\sigma$.

• If $\sigma$ is uniform, then so is $[\sigma^e \bmod N]$, and the random oracle is properly emulated by $A'$.

• This intuition is formalized in a proof given in the text.
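As an added example (not code from the handout), the oracle-programming trick described on the last two slides: the reduction $A'$ holds only $(N, e)$, answers hash queries lazily with uniform elements of $\mathbb{Z}_N^*$, simulates a signature on $m$ by choosing $\sigma$ first and setting $H(m) := \sigma^e \bmod N$, and plants its RSA challenge $y$ as the $i$th hash answer. The toy values $N = 3233$, $e = 17$, $y = 2000$ and the message strings are constructed; the block also goes one step beyond the slides to show the conflict the text's full proof has to handle, namely that once $H(m_i)$ has been fixed to $y$, $A'$ can no longer simulate a signature on $m_i$.

```python
import secrets
from math import gcd

N, E = 3233, 17        # constructed toy public key (61 * 53); A' never learns d

class ProgrammableOracle:
    """Random oracle H : {0,1}* -> Z_N^* under the reduction's control.
    Unseen queries get fresh uniform answers (lazy sampling); the reduction
    may also fix the answer to a chosen value before A asks for it."""
    def __init__(self, n):
        self.n, self.table = n, {}

    def rand_unit(self):               # uniform element of Z_N^*
        while True:
            x = secrets.randbelow(self.n)
            if gcd(x, self.n) == 1:
                return x

    def program(self, m: bytes, value):
        if m in self.table:            # H(m) already fixed: cannot be changed
            return False
        self.table[m] = value
        return True

    def query(self, m: bytes):         # what A sees when it evaluates H(m)
        if m not in self.table:
            self.table[m] = self.rand_unit()
        return self.table[m]

def simulated_sign(oracle, n, e, m: bytes):
    """Signing query answered without d: pick sigma uniformly, set H(m) := sigma^e mod N.
    Since x -> x^e permutes Z_N^*, H(m) stays uniform and A's view is unchanged.
    Returns None if H(m) was already fixed (e.g. to the planted challenge)."""
    sigma = oracle.rand_unit()
    return sigma if oracle.program(m, pow(sigma, e, n)) else None

def fdh_vrfy(oracle, n, e, m: bytes, sigma):   # Construction 12.6 check
    return pow(sigma, e, n) == oracle.query(m)

def embed_challenge(oracle, m_i: bytes, y):
    """No-message reduction: answer the guessed i-th query with y, so that a
    forgery (m_i, sigma) satisfies sigma^e = y mod N, the e-th root A' needs."""
    return oracle.program(m_i, y)

def demo():
    oracle = ProgrammableOracle(N)
    sigma = simulated_sign(oracle, N, E, b"message A asked to sign")
    sim_ok = fdh_vrfy(oracle, N, E, b"message A asked to sign", sigma)   # True
    planted = embed_challenge(oracle, b"guessed forgery target", 2000)   # True
    stuck = simulated_sign(oracle, N, E, b"guessed forgery target")      # None
    return sim_ok, planted, stuck is None
```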