
Summary

- A short introduction to “provable security”
- The ESIGN signature scheme
- Difficulties with the security proof
- Density of power residues
- Conclusions

Kerckhoffs’ Principles (K 1883)

- 1° The system must be practically, if not mathematically, indecipherable;
- 2° It must not require secrecy, and must be able to fall into the enemy’s hands without drawback;

(Original French: « Le système doit être matériellement, sinon mathématiquement, indéchiffrable » ; « Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi ».)

Public key cryptography (DH 1976, RSA 78)

Bob has a pair of related keys:

- A public key k_e, known to anyone including Alice
- A private key k_d, known only to Bob

Kerckhoffs’ extended second principle:

“The encryption key must be able to fall into the enemy’s hands without drawback” (« Il faut que la clé de chiffrement puisse sans inconvénient tomber entre les mains de l’ennemi »)

Provable security

- Attempts to mathematically establish security (GM84, GMR88)

Kerckhoffs’ extended first principle:

“The system must be mathematically indecipherable” (« Le système doit être mathématiquement indéchiffrable »)

“Practical” provable security (FS86, BR93)

- The “random oracle” methodology mediates between practice and maths
- It substitutes truly random functions for the hash functions and averages over these
- Very efficient, and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

The limits of provable security

- Provable security does not yield absolute proofs: proofs are relative (reductions to a computational problem), and proofs often use random oracles, whose meaning is debatable (CGH98)
- Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

Provable security in five steps

- 1 Define goal of adversary
- 2 Define security model
- 3 Provide a proof by reduction
- 4 Check proof
- 5 Interpret proof

Signature Scheme (formal)

- Key Generation Algorithm G, producing the signing key ks and the verification key kv
- Signature Algorithm S: on input ks and a message m, outputs a signature σ
- Verification Algorithm V: on input kv, m and σ, outputs 0/1

Non-repudiation: impossible to forge a valid signature without ks

Goal of the adversary (1)

- Existential Forgery: try to forge a valid message/signature pair without the private key

Adversary is successful if the following probability is large

Security models (2)

- No-Message Attacks: the adversary only knows the verification (public) key
- Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs
- Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; the strongest attack

Proof by Reduction (3)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P: given an instance I of P, running A yields a solution of I.

ESIGN (O90)

A signature scheme designed in the late 90s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof.

- Uses RSA integers of the form n = p²q
- Based on the Approximate e-th root problem: given y, find x such that x^e mod n ≈ y (agreement on the leading bits)
- Signature generation is a very efficient way to compute σ = x, given a target y whose leading third of bits is H(m) and whose remaining bits are 0

ESIGN

- Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetic progression (with step pq), so that one simply adjusts t to fall into a prescribed interval of length pq
- Thus signing only requires raising to the e-th power
- Even (slightly) more efficient for e = 2^u

Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (an instance I of P is turned into a solution of I by running A).

The proof is not correct in the CMA model.

Overlooked: submit message twice? (SPMS 02)

- In a probabilistic signature scheme, several signatures may correspond to one message
- In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit the same message. Otherwise, one gets a weaker model:
- Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of signed messages.

Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (an instance I of P is turned into a solution of I by running A).

The proof is not correct for e a power of two.

Overlooked: correct simulation of the random oracle

- In the security proof, a key step “simulates” a random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)
- The simulation picks r at random and “declares” that H(m) consists of the 1/3 leading bits of r^e mod n. This makes σ = r a signature of m.
- One needs to prove that this correctly simulates a random function: not obvious when e = 2^u
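The two mechanisms above, the arithmetic-progression signing trick from the ESIGN slide and the proof's random-oracle simulation, side by side as an added toy example (constructed for this page, not code from the talk or from any ESIGN implementation). The parameters p = 61, q = 53, e = 4, the SHA-256 stand-in for H, the hash width derived from n and all function names are assumptions.

```python
# Toy ESIGN signer/verifier plus the random-oracle simulator from the proof.
# Constructed example with tiny fixed primes; not the ESIGN specification.
import hashlib

P, Q, E = 61, 53, 4                    # constructed toy parameters, n = p^2 q
N = P * P * Q
K = max(P.bit_length(), Q.bit_length())
SHIFT = 2 * K                          # H(m) occupies the bits above position 2k
HBITS = N.bit_length() - 1 - SHIFT     # 2^HBITS * 2^SHIFT <= n, so no wrap mod n
PROGRAMMED = {}                        # oracle entries fixed by the simulator

def H(m):
    """Random-oracle stand-in: programmed value if set, else truncated SHA-256."""
    if m in PROGRAMMED:
        return PROGRAMMED[m]
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - HBITS)

def sign(m, r):
    """Real signer (needs p, q). r is the signer's random value, 0 < r < pq, p not dividing r."""
    pq = P * Q
    y = H(m) << SHIFT                  # target: leading bits H(m), remaining bits 0
    a = pow(r, E, N)
    # (r + t*pq)^E = r^E + E*r^(E-1)*t*pq (mod p^2 q), since every higher binomial
    # term contains (pq)^2.  So the values form an arithmetic progression with
    # step pq: pick w with a + w*pq in [y, y + pq), then solve E*r^(E-1)*t = w (mod p).
    w = -((a - y) // pq)               # ceil((y - a) / pq)
    t = w * pow(E * pow(r, E - 1, P), -1, P) % P
    return r + t * pq                  # < pq + (p-1)*pq = n

def verify(m, sigma):
    """Public check: the leading bits of sigma^E mod n must equal H(m)."""
    return 0 < sigma < N and (pow(sigma, E, N) >> SHIFT) == H(m)

def simulate(m, r):
    """Proof step, no secret key: declare H(m) := leading bits of r^E mod n, so that
    sigma = r verifies.  In this toy the hash range is 2^HBITS, so r is stepped
    until r^E mod n lies below 2^(HBITS+SHIFT); whether the programmed values are
    distributed like a random function is exactly what the density theorem settles."""
    while pow(r, E, N) >= (1 << (HBITS + SHIFT)):
        r += 1
    PROGRAMMED[m] = pow(r, E, N) >> SHIFT
    return r
```

Note that two different r values give two different valid signatures for the same message, which is the probabilistic behaviour the SO-CMA discussion is about.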

Completing the proof when e = 2^u

- Need to show that the density of power residues is almost uniform in any large enough interval
- Theorem. Let N be an RSA modulus, N = pq; the number of e-th power residues modulo N in any interval of length $N^{\alpha}$, $1/2 < \alpha < 1$, is very close to $N^{\alpha}/d$, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5\, N^{1/2-\alpha} \ln(N)$.

Completing the proof

- We have two proofs:
- The first uses two-dimensional lattices and yields slightly worse bounds.
- The second (found afterwards) uses the so-called Polya-Vinogradov inequality, which states that, for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$ and any integer h, $\left|\sum_{1 \le x \le h} \chi(x)\right| \le 2 \ln(N) \sqrt{N}$.
- This is enough to complete the security proof when e is not prime to φ(n).

Conclusions (1)

- The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
- The first flaw is methodological in character and is related to the security model
- The second is a limitation in the proof that could be overcome by use of (some) number theory.

Conclusions (2)

- It took twenty centuries to design RSA
- It took over twenty years to understand how to practice RSA and get “provable security”
- ESIGN’s provable security took over ten years
- Cryptographic schemes should not be adopted and standardized prematurely
- And not without a security proof, at least in the random oracle model
- Also allow some additional time to check and interpret the security proof