Summary (presentation transcript)

• A short introduction to “provable security”

• The ESIGN signature scheme

• Difficulties with the security proof

• Density of power residues

• Conclusions

• 1° The system must be practically, if not mathematically, indecipherable;

• 2° The system must not require secrecy, and must be able to fall into the enemy’s hands without drawback;

(Kerckhoffs, 1883; original French: « 1° Le système doit être matériellement, sinon mathématiquement, indéchiffrable ; 2° Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi »)


Public key cryptography (DH 1976, RSA 1978)

Bob has a pair of related keys:

• A public key ke, known to anyone including Alice

• A private key kd, known only to Bob

Kerckhoffs’ extended second principle: the encryption key must be able to fall into the enemy’s hands without drawback (« Il faut que la clé de chiffrement puisse sans inconvénient tomber entre les mains de l’ennemi »)

• Attempts to mathematically establish security (GM84, GMR88)

Kerckhoffs’ extended first principle: the system must be mathematically indecipherable (« Le système doit être mathématiquement indéchiffrable »)

FS86, BR93

• The “random oracle” methodology mediates between practice and mathematics

• It substitutes truly random functions for hash functions and averages over them

• Very efficient, and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

• Provable security does not yield absolute proofs: proofs are relative, and they often use random oracles, whose meaning is debatable (CGH98)

• Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

• 1. Define the goal of the adversary

• 2. Define the security model

• 3. Provide a proof by reduction

• 4. Check the proof

• 5. Interpret the proof

Signature Scheme (formal)

[Diagram: G outputs the key pair (ks, kv); S takes ks and a message m and outputs a signature σ; V takes kv, m and σ and outputs 0/1]

• Key Generation Algorithm G

• Signature Algorithm S

• Verification Algorithm V

Non-repudiation: impossible to forge a valid σ without ks

• Existential Forgery: try to forge a valid message-signature pair without the private key. The adversary is successful if its success probability is large.

• No-Message Attacks: the adversary only knows the verification (public) key

• Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; this is the strongest attack

Proof by Reduction (3)

[Diagram: an instance I of P is fed to the adversary A, which is used to produce a solution of I]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P.

ESIGN (O90): a signature scheme designed in the late nineties and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof

• Uses RSA integers of the form n = p²q

• Based on the approximate e-th root problem: given y, find x such that y ≈ x^e mod n

• Signature generation is a very efficient way to compute σ = x, given y, where the leading third of the bits of y is H(m) and the rest are 0

• Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetic progression, so one simply adjusts t to fall into a prescribed interval of length pq

• thus signing only requires raising to the e-th power

• even (slightly) more efficient for e = 2^u

Checking proof (4): proof not correct in the CMA model

[Diagram: an instance I of P is fed to the adversary A, which is used to produce a solution of I]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P.

SPMS 02

• In a probabilistic signature scheme, several signatures may correspond to one message

• In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit the same message. Otherwise one gets a weaker model:

• Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of signed messages.
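The following toy implementation is an added example, not code from the slides or from any ESIGN standard. It implements the signing trick described above (σ = r + t·pq chosen so that σ^e mod n lands in a prescribed interval of length pq, using only one e-th power) and then shows the point behind the SO-CMA/CMA distinction: signing the same message twice yields two different valid signatures. Assumptions, all constructed for the demo: H(m) is the leading k-3 bits of SHA-256(m), a signature is valid when the leading third of σ^e mod n equals H(m), and key sizes are small (k ≤ 80 bits, so the Miller-Rabin test below is exact).

```python
"""Toy ESIGN-style signatures over n = p^2 q (constructed example)."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def _is_prime(n):
    """Miller-Rabin with fixed bases; exact for n < 3.3e24 (all k <= 80 here)."""
    if n < 2:
        return False
    for a in _MR_BASES:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exactly `bits` bits, odd
        if _is_prime(c):
            return c


def hash_target(msg, k):
    """H(m): the k-3 leading bits of SHA-256(m) (our own convention)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - (k - 3))


def keygen(k=64, e=1024):
    """Public key (n, e, k) with n = p^2 q; the private key keeps p and q."""
    assert 8 <= k <= 80
    p = _random_prime(k)
    q = _random_prime(k)
    while q == p:
        q = _random_prime(k)
    return (p * p * q, e, k), (p, q, e, k)


def sign(sk, msg):
    p, q, e, k = sk
    n, pq = p * p * q, p * q
    lo = hash_target(msg, k) << (2 * k)  # target interval [lo, lo + pq): H(m) on top, zeros below
    while True:
        r = secrets.randbelow(pq)
        if r % p == 0:
            continue
        z = pow(r, e, n)
        # (r + t*pq)^e = r^e + e*t*pq*r^(e-1) (mod p^2 q): every later binomial term
        # contains (pq)^2, a multiple of n. So sigma^e mod n walks the arithmetic
        # progression z + t*pq*u with u = e * r^(e-1) mod p, and we only adjust t.
        u = e * pow(r, e - 1, p) % p
        if u == 0:
            continue
        v = lo + (z - lo) % pq                    # the one value in [lo, lo+pq) congruent to z mod pq
        t = (v - z) // pq * pow(u, -1, p) % p     # solve t*u = (v - z)/pq (mod p)
        return r + t * pq                         # < p*pq = n


def verify(pk, msg, sig):
    n, e, k = pk
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) >> (2 * k) == hash_target(msg, k)


def resign(pk, sk, msg, count=4):
    """CMA vs SO-CMA: the same message signed `count` times gives `count`
    distinct valid signatures, which a single-occurrence oracle never reveals."""
    sigs = [sign(sk, msg) for _ in range(count)]
    return len(set(sigs)), all(verify(pk, msg, s) for s in sigs)


if __name__ == "__main__":
    pk, sk = keygen(64, 1024)                     # e = 2^10, as in the slides' efficient variant
    msg = b"constructed message"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig), "resign:", resign(pk, sk, msg))
```

Signing costs one modular e-th power (for e = 2^u, u squarings) plus one inversion modulo p; verification is one e-th power and a comparison of the leading bits, which is exactly the "approximate e-th root" relation from the previous slide.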

Checking proof (4): proof not correct for e a power of two

[Diagram: an instance I of P is fed to the adversary A, which is used to produce a solution of I]

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P.

• In the security proof, a key step “simulates” the random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)

• The simulation picks r at random and “declares” that H(m) consists of the leading third of the bits of r^e mod n. This makes σ = r a signature of m.

• One needs to prove that this correctly simulates a random function: not obvious when e = 2^u

• Need to show that the density of power residues is almost uniform in any large enough interval

• Theorem. Let N be an RSA modulus, N = pq; the number of e-th power residues modulo N in any interval of length $N^\alpha$, $1/2 < \alpha < 1$, is very close to $N^\alpha / d$, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5 N^{1/2-\alpha} \ln(N)$.

• We have two proofs:

• The first uses two-dimensional lattices and yields slightly worse bounds.

• The second (found afterwards) uses the so-called Polya-Vinogradov inequality, which states that, for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$ and any integer h, $\left|\sum_{1 \le x \le h} \chi(x)\right| \le 2 \ln(N) \sqrt{N}$.

• This is enough to complete the security proof when e is not prime to $\varphi(n)$.

• The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.

• The first flaw is methodological in character and is related to the security model

• The second is a limitation in the proof that could be overcome by use of (some) number theory.

• It took twenty centuries to design RSA

• It took over twenty years to understand how to practice RSA and get “provable security”

• ESIGN’s provable security took over ten years

• Cryptographic schemes should not be adopted and standardized prematurely

• And not without a security proof, at least in the random oracle model

• Also allow some additional time to check and interpret the security proof