
Summary

  • A short introduction to “provable security”

  • The ESIGN signature scheme

  • Difficulties with the security proof

  • Density of power residues

  • Conclusions



Kerckhoffs’ Principles

  • 1° Le système doit être matériellement, sinon mathématiquement, indéchiffrable ;

  • 2° Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi ;

Kerckhoffs 1883



Kerckhoffs’ Principles (English)

  • 1° The system must be practically if not mathematically indecipherable;

  • 2° The system must not require secrecy, and it must be able to fall into the enemy’s hands without drawback;


Public key cryptography

[Figure: Alice and Bob]

DH76, RSA78

Bob has a pair of related keys:

  • A public key k_e, known to anyone including Alice

  • A private key k_d, known only to Bob

Kerckhoffs’ extended second principle:

« Il faut que la clé de chiffrement puisse sans inconvénient tomber entre les mains de l’ennemi »

(the encryption key must be able to fall into the enemy’s hands without drawback)



Provable security

  • Attempts to mathematically establish security

GM84, GMR88

Kerckhoffs’ extended first principle:

Le système doit être mathématiquement indéchiffrable (the system must be mathematically indecipherable)



“Practical” provable security

FS86

BR93

  • The “random oracle” methodology mediates between practice and mathematics

  • It substitutes truly random functions for hash functions and averages over these

  • Very efficient, and now expected in support of emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)



The limits of provable security

  • Provable security does not yield absolute proofs: proofs are relative (to the hardness of an underlying problem), and they often rely on random oracles, whose meaning is debatable (CGH98)

  • Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed



Provable security in five steps

  • 1. Define the goal of the adversary

  • 2. Define the security model

  • 3. Provide a proof by reduction

  • 4. Check the proof

  • 5. Interpret the proof


Signature Scheme (formal)

[Figure: G outputs the key pair (k_s, k_v); S takes k_s and m and outputs σ; V takes k_v, m and σ and outputs 0/1]

  • Key Generation Algorithm G

  • Signature Algorithm S

  • Verification Algorithm V

Non-repudiation: impossible to forge a valid σ without k_s



Goal of the adversary (1)

  • Existential Forgery:

    Try to forge a valid message-signature pair without the private key

    Adversary is successful if the following probability is large



Security models (2)

  • No-Message Attacks: the adversary only knows the verification (public) key

  • Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs

  • Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; the strongest attack


Proof by Reduction (3)

[Figure: an instance I of P is handed to the adversary A, whose output is turned into a solution of I]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P



ESIGN

O90

  • A signature scheme designed around 1990 and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof

  • Uses RSA integers of the form n = p²q

  • Based on the Approximate e-th root problem: given y, find x such that x^e mod n ≈ y

  • Signature generation is a very efficient way to compute σ = x, given a y whose leading third of bits is H(m) and the rest 0



ESIGN

  • Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetic progression: since (pq)² ≡ 0 (mod p²q), (r + t·pq)^e ≡ r^e + t·e·r^(e−1)·pq (mod n), so one simply adjusts t to fall into a prescribed interval of length pq

  • Thus signing only requires raising to the e-th power

  • Even (slightly) more efficient for e = 2^u


Checking proof (4)

[Figure: the reduction from an instance I of P through A to a solution of I, annotated “proof not correct in CMA model”]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P



Overlooked: submit message twice?

SPMS 02

  • In a probabilistic signature scheme, several signatures may correspond to a message

  • In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit the same message. Otherwise one gets a weaker model:

  • Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of signed messages.


Checking proof (4)

[Figure: the reduction from an instance I of P through A to a solution of I, annotated “proof not correct for e a power of two”]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P



Overlooked: correct simulation of random oracle

  • In the security proof, a key step “simulates” the random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)

  • The simulation picks r at random and “declares” that H(m) consists of the leading third of the bits of r^e mod n. This makes σ = r a signature of m.

  • One needs to prove that this correctly simulates a random function: not obvious when e = 2^u
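A worked example, added here and not code from the talk or from any ESIGN standard text, covering the signing and verification described on the two ESIGN slides and the random-oracle simulation step of this slide. Beyond what the slides state it assumes: H is SHA-256 truncated to k−1 bits (so the target y = H(m)·2^(2k) plus the correction term never wraps modulo n), keys are redrawn until n = p²q has exactly 3k bits, toy 24-bit primes, and a seeded RNG for reproducibility; the names `make_rng`, `hash_value`, `powers_form_progression` and `simulate_signature` are chosen here. The simulator outputs σ = r after programming H(m) to the leading bits of r^e mod n; the rejection step that keeps the declared value inside H's range is also an assumption of this toy, and it is exactly the distribution of these declared values (for e = 2^u always leading bits of e-th power residues) that the density theorem on the next slides is needed for.

```python
import hashlib
import random

# Added example, not the talk's code: toy ESIGN with n = p^2 q, p and q primes of k bits.
# Assumptions beyond the slides: H(m) = SHA-256 truncated to k-1 bits (so the target
# y = H(m) * 2^(2k) plus the correction never wraps mod n) and n has exactly 3k bits.

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with rng-chosen witnesses; callers pass odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def keygen(k, e, rng):
    """Public key (n, e, k), n = p^2 q of exactly 3k bits; private key (p, q)."""
    while True:
        p, q = random_prime(k, rng), random_prime(k, rng)
        n = p * p * q
        if p != q and n.bit_length() == 3 * k:
            return (n, e, k), (p, q)

def hash_value(m, k):
    """H(m): SHA-256 truncated to k-1 bits (assumption, see above)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (1 << (k - 1))

def sign(pub, priv, m, rng):
    """ESIGN signing: output s with s^e mod n = y + w1, 0 <= w1 < pq, y = H(m) << 2k."""
    n, e, k = pub
    p, q = priv
    pq = p * q
    y = hash_value(m, k) << (2 * k)
    while True:
        r = rng.randrange(1, pq)
        slope = (e * pow(r, e - 1, p)) % p     # e * r^(e-1) mod p, must be invertible
        if slope == 0:
            continue                            # r divisible by p: redraw
        z = (y - pow(r, e, n)) % n              # distance from r^e up to the target y
        w0 = -(-z // pq)                        # ceil(z / pq): steps of size pq needed
        # (r + t pq)^e = r^e + t e r^(e-1) pq (mod n) since (pq)^2 = 0 mod p^2 q,
        # so t = w0 / (e r^(e-1)) mod p lands s^e mod n in [y, y + pq).
        t = (w0 * pow(slope, -1, p)) % p
        return r + t * pq

def verify(pub, m, s, declared_hash=None):
    """Approximate e-th root check: leading k bits of s^e mod n == H(m) (or a declared value)."""
    n, e, k = pub
    target = hash_value(m, k) if declared_hash is None else declared_hash
    return 0 < s < n and (pow(s, e, n) >> (2 * k)) == target

def powers_form_progression(pub, priv, r, count=8):
    """Slide claim: (r + t pq)^e mod n, t = 0, 1, ..., is an arithmetic progression."""
    n, e, k = pub
    p, q = priv
    pq, base = p * q, pow(r, e, n)
    step = (e * pow(r, e - 1, n) * pq) % n
    return all(pow(r + t * pq, e, n) == (base + t * step) % n for t in range(count))

def simulate_signature(pub, m, oracle, rng):
    """Proof step from the slides: without the secret key, pick r at random and declare
    H(m) := leading bits of r^e mod n, so sigma = r verifies.  None if H(m) is already
    fixed.  Rejection keeps the declared value in H's range (assumption of this toy)."""
    n, e, k = pub
    if m in oracle:
        return None
    while True:
        r = rng.randrange(1, n)
        h = pow(r, e, n) >> (2 * k)
        if h < (1 << (k - 1)):
            oracle[m] = h
            return r

def make_rng(seed=2024):
    """Seeded RNG so the toy run is reproducible (real deployments need a CSPRNG)."""
    return random.Random(seed)

if __name__ == "__main__":
    rng = make_rng()
    pub, priv = keygen(24, 4, rng)
    print(verify(pub, b"hello", sign(pub, priv, b"hello", rng)))
```

Signing the same message twice with a key from keygen(24, 4, make_rng()) yields two different signatures that both verify, which is the fact behind the SO-CMA discussion two slides back. verify called with a declared hash value is the check the simulated signer passes without ever seeing p and q; a second simulate_signature call for the same m returns None, because a programmed oracle value cannot be changed once the adversary has seen it.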


Completing the proof when e = 2^u

  • Need to show that the density of power residues is almost uniform in any large enough interval

  • Theorem. Let N be an RSA modulus, N = pq; the number of e-th power residues modulo N in any interval of length $N^{\alpha}$, $1/2 < \alpha < 1$, is very close to $N^{\alpha}/d$, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5\,N^{1/2-\alpha}\ln(N)$.



Completing the proof

  • We have two proofs:

  • The first uses two-dimensional lattices and yields slightly worse bounds.

  • The second (found afterwards) uses the so-called Pólya-Vinogradov inequality, which states that for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$ and any integer h, $\left|\sum_{1 \le x \le h} \chi(x)\right| \le 2\ln(N)\sqrt{N}$.

  • This is enough to complete the security proof when e is not prime to $\varphi(n)$.



Conclusions (1)

  • The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.

  • The first flaw is methodological in character and is related to the security model

  • The second is a limitation in the proof that could be overcome by use of (some) number theory.



Conclusions (2)

  • It took twenty centuries to design RSA

  • It took over twenty years to understand how to practice RSA and get “provable security”

  • ESIGN’s provable security took over ten years

  • Cryptographic schemes should not be adopted and standardized prematurely

  • And not without a security proof, at least in the random oracle model

  • Also allow some additional time to check and interpret the security proof
