Impossibility proofs for RSA signatures in the standard model
Pascal Paillier
Topics in Cryptology – CT-RSA 2007


Outline
- Introduction
- Black-box reductions
- RSA and related computational problems
- Security notions for real-life RSA signatures
- Instance-malleability
- Impossibility of equivalence with inverting RSA
- Conclusion

Introduction
- Well-known RSA signatures:
  - Full domain hash (FDH)
  - Probabilistic signature scheme (PSS / PSS-R)
- In the random oracle model, these are proven as hard to break as RSA is hard to invert.
- In the standard model, such proofs have never been discovered.

Introduction
- The result concerns real-life RSA signatures and any form of unforgeability: no signature scheme of this RSA type can be equivalent to inverting RSA in the standard model.
- It holds when the key generation is instance-non-malleable.
- The proof technique is based on black-box meta-reductions.

Black-box reduction
- A black-box reduction R between two computational problems P1 and P2 is a probabilistic algorithm R which solves P1 given black-box access to an oracle solving P2.
- when R is known to reduce P1 to P2 in polynomial time.

RSA and related computational problems
- Root extraction problem is computing
- is the problem of computing e-th roots modulo n.
- is an instance generator. It generates a hard instance (n, e) as well as the side information

Security notions for real-life RSA signatures - Adversarial goals
- Breakable (BK): an adversary outputs the secret key.
- Universally forgeable (UF): an adversary signs any message.
- Existentially forgeable (EF): an adversary signs some message.
- Root extractable (RE): an adversary attempts to extract the e-th root of a randomly chosen element y for a randomly chosen key (n, e).
- BK > RE > UF > EF

Security notions for real-life RSA signatures - Attack model
- Key-only attack (KOA): the adversary is given nothing other than a public key.
- Known message attack (KMA): the adversary is given a list of valid message/signature pairs.
- Chosen message attack (CMA): the adversary is given adaptive access to a signing oracle.
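The ordering of adversarial goals (BK > RE > UF > EF) can be read as a chain of black-box reductions in the key-only setting. The following is an added example, not taken from the slides or the paper: it builds that chain over a constructed toy key, and the padding function `pad`, the oracle `bk_oracle` and all function names are hypothetical.

```python
import hashlib

# Constructed toy instance (two Mersenne primes; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent

def pad(m: bytes, n: int) -> int:
    """Hypothetical unkeyed padding: hash the message into Z_n (FDH-like)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def verify(n: int, e: int, m: bytes, s: int) -> bool:
    return pow(s, e, n) == pad(m, n)

def bk_oracle(n: int, e: int) -> int:
    """Stand-in for a BK adversary: outputs the secret key of our toy instance."""
    if (n, e) != (N, E):
        raise ValueError("oracle only knows the constructed instance")
    return D

def re_from_bk(bk):
    """Reduction RE <= BK: extract e-th roots using only calls to a BK oracle."""
    def extract(n, e, y):
        return pow(y, bk(n, e), n)
    return extract

def uf_from_re(extract):
    """Reduction UF <= RE: sign any given message using only a root extractor."""
    def sign(n, e, m):
        return extract(n, e, pad(m, n))
    return sign

def ef_from_uf(sign):
    """Reduction EF <= UF: a forger for 'some message' picks one and signs it."""
    def forge(n, e):
        m = b"message chosen by the forger"
        return m, sign(n, e, m)
    return forge

def run_chain():
    """Compose the reductions and check each goal on the toy instance."""
    extract = re_from_bk(bk_oracle)
    sign = uf_from_re(extract)
    forge = ef_from_uf(sign)
    y = 123456789
    root_ok = pow(extract(N, E, y), E, N) == y
    uf_ok = verify(N, E, b"any message", sign(N, E, b"any message"))
    m, s = forge(N, E)
    return root_ok, uf_ok, verify(N, E, m, s)
```

Each reduction touches the stronger adversary only through calls, which is what black-box access means. The impossibility result concerns the opposite direction, from a forger back to root extraction.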

Instance-malleability
- Instance-malleability: extracting roots for a randomly chosen instance (n, e) is easier when given repeated access to an oracle that extracts e'-th roots modulo n' for other instances (n', e') != (n, e).
- An instance generator is instance-non-malleable when such an oracle gives no such advantage.

Impossibility of equivalence with inverting RSA
- is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function
- If is equivalent to then is polynomial.

Impossibility of equivalence with inverting RSA
- Let be an instance-non-malleable generator. There is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.

Conclusion
- No real-life RSA signatures that are based on instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.