
# Summary PowerPoint PPT Presentation


### Summary

• A short introduction to “provable security”

• The ESIGN signature scheme

• Difficulties with the security proof

• Density of power residues

• Conclusions

### Kerckhoffs’ Principles

• 1° The system must be practically, if not mathematically, indecipherable;

• 2° It must not require secrecy, and it must be able to fall into the enemy’s hands without drawback;

K 1883

### Kerckhoffs’ Principles (English)

• 1° The system must be practically if not mathematically indecipherable;

• 2° The system must not require secrecy, and can fall without drawback into the enemy’s hands;

[Diagram: Alice and Bob]

### Public key cryptography

DH 1976, RSA 78

Bob has a pair of related keys:

• A public key ke, known to anyone, including Alice

• A private key kd, known only to Bob

Kerckhoffs’ extended second principle:

« The encryption key must be able to fall into the enemy’s hands without drawback »

### Provable security

• Attempts to mathematically establish security

GM84

GMR88

Kerckhoffs’ extended first principle:

The system must be mathematically indecipherable.

### “Practical” provable security

FS86

BR93

• The “random oracle” methodology mediates between practice and maths

• It substitutes truly random functions for hash functions and averages over these

• Very efficient and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

### The limits of provable security

• Provable security does not yield proofs: proofs are relative, and proofs often use random oracles, whose meaning is debatable (CGH98)

• Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

### Provable security in five steps

• 1. Define the goal of the adversary

• 2. Define the security model

• 3. Provide a proof by reduction

• 4. Check the proof

• 5. Interpret the proof

[Diagram: signature scheme with signing key ks, verification key kv, signer S, verifier V, message m, and verifier output 0/1]

### Signature Scheme (formal)

• Key Generation Algorithm G

• Signature Algorithm, S

• Verification Algorithm, V

[Diagram: key generation algorithm G]

Non-repudiation: impossible to forge a valid signature without ks

### Goal of the adversary (1)

• Existential Forgery:

Try to forge a valid message-signature pair without the private key.

The adversary is successful if its success probability is large.

### Security models (2)

• No-Message Attacks: the adversary only knows the verification (public) key

• Chosen Message Attacks (CMA): the messages are adaptively chosen by the adversary; this is the strongest attack

[Diagram: reduction, instance I of P → adversary A → solution of I]

### Proof by Reduction (3)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

### ESIGN

O90

ESIGN is a signature scheme designed in the late ’90s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof.

• Uses RSA integers of the form $n = p^2 q$

• Based on the approximate e-th root problem: given y, find x such that $y \approx x^e \bmod n$

• Signature generation is a very efficient way to compute a signature x, given y, where y has H(m) as its leading third of bits and the rest 0

### ESIGN

• Signature generation relies on the fact that, for random r and variable t, $(r + t\,pq)^e \bmod n$ ranges over an arithmetic progression (in t), so that one simply adjusts t to fall into a prescribed interval of length pq

• Thus signing only requires raising to the e-th power

• Even (slightly) more efficient for $e = 2^u$
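The following Python is an added toy implementation (not ESIGN's reference code and not from the talk) of the arithmetic-progression trick on the two ESIGN slides above: signing adjusts t so that (r + t·pq)^e mod n lands in the target interval, and verification only checks the leading bits. The 12-bit primes, the public exponent e = 2^4 and the truncated-SHA-256 hash are constructed assumptions for demonstration only.

```python
import hashlib
import random

# Toy ESIGN (added example, not the scheme's reference code): n = p^2 q with
# k-bit primes p and q, public exponent e = 2^u. H(m) is (k-1) bits, so the
# target y = H(m) || 0^(2k) stays below n. Toy parameters are constructed.
P, Q, K, E = 4093, 4091, 12, 16              # two 12-bit primes, e = 2^4

def is_prime(x):
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))

def keygen(p=P, q=Q, k=K, e=E):
    assert is_prime(p) and is_prime(q) and p.bit_length() == q.bit_length() == k
    n = p * p * q
    assert n >= 1 << (3 * k - 1), "n must be a full 3k-bit modulus"
    return (n, e, k), (p, q, e, k)           # (public key, private key)

def H(m, k):
    # (k-1)-bit hash: truncated SHA-256 stands in for the random oracle
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - (k - 1))

def sign(sk, m, rng=random):
    p, q, e, k = sk
    n, pq = p * p * q, p * q
    z = H(m, k) << (2 * k)                   # target y: leading bits H(m), rest 0
    while True:
        r = rng.randrange(1, pq)
        if r % p == 0:                       # r must be invertible mod p
            continue
        a = z - pow(r, e, n)                 # gap between r^e mod n and the target
        w0 = -(-a // pq)                     # ceil(a / pq): number of pq-steps
        w1 = w0 * pq - a                     # overshoot; must stay < 2^(2k-1)
        if w1 >= 1 << (2 * k - 1):
            continue
        # (r + t pq)^e = r^e + e t r^(e-1) pq (mod n) because (pq)^2 = 0 mod n,
        # so pick t with e t r^(e-1) = w0 (mod p) to land exactly on r^e + w0 pq
        t = w0 * pow(e * pow(r, e - 1, p), -1, p) % p
        return r + t * pq                    # signature, 0 < r + t pq < n

def verify(pk, m, s):
    n, e, k = pk
    if not 0 < s < n:
        return False
    return pow(s, e, n) >> (2 * k) == H(m, k)   # approximate e-th root check
```

Because the overshoot w1 is kept below 2^(2k-1), s^e mod n equals y + w1 exactly, which is why the verifier never needs the factorisation.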

[Diagram: reduction, instance I of P → adversary A → solution of I; proof not correct in the CMA model]

### Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

### Overlooked: submit message twice?

SPMS 02

• In a probabilistic signature scheme, several signatures may correspond to a message

• In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit the same message. Otherwise, one gets a weaker model:

• Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature, and the resulting message-signature pair is added to the list of messages.

[Diagram: reduction, instance I of P → adversary A → solution of I; proof not correct for e a power of two]

### Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

### Overlooked: correct simulation of random oracle

• In the security proof, a key step “simulates” the random oracle so that signing a requested message can be performed by simulation (i.e. without the secret key)

• The simulation picks r at random and “declares” that H(m) consists of the 1/3 leading bits of $r^e \bmod n$. This makes r a signature of m.

• One needs to prove that this correctly simulates a random function: not obvious when $e = 2^u$

### Completing the proof when $e = 2^u$

• Need to show that the density of power residues is almost uniform in any large enough interval

• Theorem. Let N be an RSA modulus, $N = pq$; the number of e-th power residues modulo N in any interval of length $N^{\alpha}$, $1/2 < \alpha < 1$, is very close to $N^{\alpha}/d$, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5\,N^{1/2-\alpha}\ln(N)$.

### Completing the proof

• We have two proofs:

• The first uses two-dimensional lattices and yields slightly worse bounds.

• The second (found afterwards) uses the so-called Pólya-Vinogradov inequality, which states that, for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$ and any integer h, $\left|\sum_{1 \le x \le h} \chi(x)\right| \le 2\ln(N)\sqrt{N}$.

• This is enough to complete the security proof when e is not prime to $\varphi(n)$.
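To make the theorem above concrete, here is an added empirical check in Python (not the talk's or the paper's own code): for a toy modulus N = pq it enumerates the e-th power residues, computes the index d, counts the residues in an interval of length N^α and compares with N^α/d. The primes 1009 and 1013, e = 4, α = 3/4 and the interval start are constructed values; the theorem's bound is also evaluated at a 1024-bit size, where it stops being vacuous.

```python
from math import gcd, log

# Added empirical check of the density theorem (not the talk's or the paper's
# own code): for a toy N = p q, count the e-th power residues in an interval
# of length N^alpha and compare with N^alpha / d, d the index of the group of
# e-th powers. Primes, alpha and the interval start are constructed values.
P, Q, E, ALPHA = 1009, 1013, 4, 0.75

def power_residues(n, e):
    """Set of e-th powers of the units mod n, and the index d of that subgroup."""
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    residues = {pow(x, e, n) for x in units}
    return residues, len(units) // len(residues)

def theorem_bound(n_bits, alpha):
    # 5 N^(1/2 - alpha) ln N with N ~ 2^n_bits: larger than 1 (vacuous) for the
    # toy modulus above, but negligible at cryptographic sizes
    return 5 * 2.0 ** (n_bits * (0.5 - alpha)) * n_bits * log(2)

def density_check(n=P * Q, e=E, alpha=ALPHA, start=123456):
    residues, d = power_residues(n, e)
    length = int(n ** alpha)                        # interval [start, start+N^alpha)
    count = sum(1 for y in range(start, start + length) if y % n in residues)
    expected = length / d                           # the theorem's N^alpha / d
    rel_diff = abs(count - expected) / expected     # observed relative difference
    return {"d": d, "count": count, "expected": expected, "rel_diff": rel_diff,
            "bound": theorem_bound(n.bit_length(), alpha)}
```

For p ≡ q ≡ 1 (mod 4) and e = 4 the index is d = 16, and the observed relative difference on the toy interval is a few percent even though the proven bound only becomes informative for large N.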

### Conclusions (1)

• The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.

• The first flaw is methodological in character and is related to the security model

• The second is a limitation in the proof that could be overcome by use of (some) number theory.

### Conclusions (2)

• It took twenty centuries to design RSA

• It took over twenty years to understand how to practice RSA and get “provable security”

• ESIGN’s provable security took over ten years

• Cryptographic schemes should not be adopted and standardized prematurely

• And not without a security proof, at least in the random oracle model

• Also allow some additional time to check and interpret the security proof