
Impossibility proofs for RSA signatures in the standard model

Impossibility proofs for RSA signatures in the standard model. Pascal Paillier Topics in Cryptology – CT-RSA 2007. Outline. Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability


Presentation Transcript


  1. Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007

  2. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  3. Introduction • Well-known RSA signatures: • Full domain hash (FDH) • Probabilistic signature scheme (PSS / PSS-R) • These are hard to invert in the random oracle model. • In the standard model, they have never been discovered.

  4. Introduction • Real-life RSA signatures are breaking any form of unforgeability. • No signature scheme of RSA type can be equivalent to inverting RSA in the standard model. • The key generation is instance-non-malleable. • The proof technique is based on black-box meta-reductions.

  5. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  6. Black-box reduction • A black-box reduction R between two computational problems P1 and P2 is a probabilistic algorithm R which solves P1 given black-box access to an oracle solving P2. • when R is known to reduce P1 to P2 in polynomial time.

  7. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  8. RSA and related computational problems • Root extraction problem is computing • is the problem of computing e-th roots modulo n. • is an instance generator. • Generate a hard instance (n, e) as well as the side information

  9. RSA and related computational problems

  10. RSA and related computational problems

  11. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  12. Security notions for Real-life RSA signature - Adversarial goals • Breakable (BK) • An adversary outputs the secret key. • Universally forgeable (UF) • An adversary signs any message. • Existentially forgeable (EF) • An adversary signs some message. • Root extractable (RE) • An adversary attempts to extract the e-th root of a randomly chosen element y for a randomly chosen key (n, e). • BK > RE > UF > EF

  13. Security notions for Real-life RSA signature - Attack model • Key-only attack (KOA) • The adversary is given nothing other than a public key. • Known message attack (KMA) • The adversary is given a list of valid message/signature pairs. • Chosen message attack (CMA) • The adversary is given adaptive access to a signing oracle.
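The black-box reductions of slide 6, applied to the adversarial goals of slide 12 under a key-only attack, can be written as functions that see only public inputs and an oracle. This is an added example, not part of the original presentation; it reads the chain BK > RE > UF > EF as "a solver for a goal on the left yields a solver for each goal to its right". The toy key, the SHA-256-based padding `H` and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy instance (two Mersenne primes); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q

def H(msg, n):
    # Stand-in padding function: SHA-256 reduced mod n (assumption, FDH-like).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def verify(n, e, msg, sig):
    return pow(sig, e, n) == H(msg, n)

def make_bk_oracle(p, q):
    """Simulated BK solver: maps a public key to its secret exponent.
    It is built from the factors only so that the demo can run."""
    calls = []
    def oracle(n, e):
        assert n == p * q
        calls.append((n, e))
        return pow(e, -1, (p - 1) * (q - 1))
    oracle.calls = calls
    return oracle

def re_from_bk(bk):
    """Reduction: solves RE given black-box access to a BK solver."""
    return lambda n, e, y: pow(y, bk(n, e), n)

def uf_from_re(root):
    """Reduction: solves UF (sign any given message) given an RE solver."""
    return lambda n, e, msg: root(n, e, H(msg, n))

def ef_from_uf(uf):
    """Reduction: solves EF (sign some message) given a UF solver."""
    def forge(n, e):
        msg = b"message chosen by the reduction"
        return msg, uf(n, e, msg)
    return forge

def demo():
    bk = make_bk_oracle(P, Q)
    root = re_from_bk(bk)
    uf = uf_from_re(root)
    y = 123456789
    x = root(N, E, y)                      # RE solved through the BK oracle
    sig = uf(N, E, b"any message")         # UF solved through the RE solver
    msg, sig2 = ef_from_uf(uf)(N, E)       # EF solved through the UF solver
    return (pow(x, E, N) == y, verify(N, E, b"any message", sig),
            verify(N, E, msg, sig2), len(bk.calls))
```

Each reduction touches the secret only through its oracle, which is what makes it black-box; the last value returned by `demo()` counts how often the innermost BK oracle was queried.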

  14. Security notions for Real-life RSA signature

  15. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  16. Instance-malleability • A randomly chosen instance (n, e) is easier when given repeated access to an oracle that extracts e'-th roots modulo n' for another instance (n', e') != (n, e). • An instance generator is instance-non-malleable.
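A concrete case of the malleability described on this slide, as an added example that is not part of the original presentation: if the oracle answers for (n, k·e) while refusing the challenge (n, e) itself, the challenge is solved with one query. The toy modulus, the multiplier `K` and the class and function names are assumptions chosen for illustration.

```python
from math import gcd

# Constructed toy modulus from two Mersenne primes; not a usable key size.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E, K = 65537, 17                      # K chosen so that gcd(K*E, PHI) == 1

class OtherInstanceOracle:
    """Extracts e'-th roots mod n' for any instance except the challenge."""
    def __init__(self, challenge):
        self.challenge, self.queries = challenge, []

    def root(self, n2, e2, y):
        if (n2, e2) == self.challenge:
            raise PermissionError("oracle refuses the challenge instance")
        if n2 != N or gcd(e2, PHI) != 1:
            raise ValueError("instance outside this toy oracle's range")
        self.queries.append((n2, e2))
        return pow(y, pow(e2, -1, PHI), n2)

def solve_challenge(n, e, y, oracle):
    """Uses only public data: asks for a (K*e)-th root, then raises it to K.
    If z^(K*e) = y (mod n) then (z^K)^e = y, so z^K is an e-th root of y."""
    z = oracle.root(n, K * e, y)
    return pow(z, K, n)

def demo():
    oracle = OtherInstanceOracle((N, E))
    y = 987654321
    x = solve_challenge(N, E, y, oracle)
    refused = False
    try:
        oracle.root(N, E, y)           # the direct query is not allowed
    except PermissionError:
        refused = True
    return pow(x, E, N) == y, refused, oracle.queries
```

A generator that can output both (n, e) and (n, k·e) is therefore malleable in the slide's sense; instance-non-malleability rules out any such help from other instances.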

  17. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  18. Impossibility of equivalence with inverting RSA • is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function • If is equivalent to then is polynomial. • If is equivalent to then is polynomial.

  19. Impossibility of equivalence with inverting RSA

  20. Impossibility of equivalence with inverting RSA

  21. Impossibility of equivalence with inverting RSA • Let be an instance-non-malleable generator. There is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.

  22. Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion

  23. Conclusion • No real-life RSA signatures that are based on instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.
