B504/I538: Introduction to Cryptography Spring 2017 • Lecture 24 (2017—04—06)

RSA+OAEP OAEP = “Optimal Asymmetric Encryption Padding” m 0k1 r Y X n+k1+k2 is bit length of N=pq k1 and k2 are constants (e.g., k1=k2=128) n is plaintext length G and H are “random oracles” (cryptographic hash functions) G：{0，1}k2 →{0，1}n+k1 H：{0，1}n+k1→{0，1}k2 ⊕ is bitwise XOR Public key is (N，e，G，H) Private key is d≔e-1 mod φ(N) m 0k1 r Y X G H concatenate n bits k1 bits k2 bits n+k1 bits

RSA+OAEP Encrypting m∈{0，1}n: Ciphertext is c∈ℤN. m 0k1 r Y X Pad m with k1 zeros: m‘≔m∥0k1 Choose r∊{0，1}k2 “Expand” r using G: r’≔G(r) XOR m’ with r’: X≔m’⊕r’ “Compress” X using H: X’≔H(X) XOR X’ with r: Y≔r⊕X’ Concatenate X and Y: m’’≔X∥Y Apply “textbook RSA” to m’’: c≔(m’’)e Ciphertext is c∈ℤN. m 0k1 r Y X G H concatenate n bits k1 bits k2 bits n+k1 bits

RSA+OAEP Decrypting c∈ℤN Plaintext is m∈{0，1}n. m 0k1 r Y X Recover m’’ from c: m’’≔cd mod N Parse m’’ as (X，Y)∈{0，1}n+k1×{0，1}k2 Recover X’ from X: X’≔H(X) Recover r from X’ and Y: r≔Y⊕H(x) “Expand” r using G: r’≔G(r) Recover m’ from X and r’: m’≔X⊕r’ Parse m’ as (m,z)∈{0，1}n×{0，1}k1 Check z≟0k1; if not， abort Plaintext is m∈{0，1}n. m 0k1 r Y X G H concatenate n bits k1 bits k2 bits n+k1 bits

Going forward Tuesday (04/06): Digitial signature schemes Thursday (04/11): Random oracle model Tuesday (04/13): Zero-knowledge proofs Thursday (04/18): ?? Tuesday (04/20): ?? Thursday (12/25): ?? Thursday (04/27): ?? Specific cryptosystems Secret sharing schemes Pairing-based cryptography Zero-knowledge proofs Private information retrieval Secure multiparty computation Side-channel attacks Other security notions Anonymous credentials Lattice crypto some possible topics

Recall: Secrecy versus Authenticity Secrecy / confidentiality IND-CPA: indistiguishable multiple encryptions in the presence of an eavesdropper Provides ”security” in the presence of passive attackers Authenticity / integrity Existential unforgeability under adaptive chosen message attacks Provides “security” in the presence of active attackers “security” == secrecy “security” == integrity

Recall: MAC schemes Defn: A message authentication code (MAC) is a triple of efficient algorithms (Gen，MAC，Ver) such that Gen：1ℕ→Ｋ is a randomized “key generation” algorithm MAC：Ｋ×Ｍ→Ｔ is a “tagging” algorithm Ver：Ｋ×Ｍ×Ｔ→{0，1} is a “tag verification” algorithm Usually write MACk(m) and Verk(m，t) instead of MAC(k，m) and Ver(k，m，t) Ｋ is the key space Ｍ is the message space Ｔ is the tag space (the set of possible keys) (the set of possible messages) (the set of possible “tags”)

Recall: MAC existential forgery game Challenger (C) Attacker (A) 1s k←Gen(1 s) 1s m1 m1∈Ｍ t1 t1←MACk(m1) m2 m2∈Ｍ t2 t2←MACk(m2) ⋮ mn mn∈Ｍ tn tn←MACk(mn) (m，t)∈Ｍ×Ｔ Let E be the event that (m，t)∉{(m1，t1),…,(mn，tn)} yet Verk(m，t)=1 Define A’s advantage to be AdvMAC-forge(A)≔Pr[E]

Recall: Existential unforgeability Defn: A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvMAC-forge(A)≤ε(s). The message m and tage t are chosen arbitrarily by the attacker at the end of the attack Existential unforgeability is the “default” unforgeability property

Digital signature schemes Intuitively, a digital signature scheme is the public- key equivalent of a MAC scheme. Defn: A digital signature scheme is a triple of efficient algorithms (Gen，Sign，Ver) such that Gen：1ℕ→Ｋs×Ｋv is a randomized “key generation” algorithm Sign：Ｋs×Ｍ→Ｓ is a randomized “signing” algorithm Ver：Ｋv×Ｓ→{0，1} is a deterministic “signature verification” algorithm

Pr[Verkv(m，Signks(m))=1｜(ks,kv)←Gen(1s)]≥1−ε(s) Correctness Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key) Defn: A signature scheme (Gen，Sign，Ver) with message space Ｍ is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ, Pr[Verkv(m，Signks(m))=1｜(ks,kv)←Gen(1s)]≥1−ε(s) If Ver(kv，m，σ)≟1, then we call σ a valid signature on m (under the verification key kv).

Signature existential forgery game Challenger (C) Attacker (A) kv 1s (ks，kv)←Gen(1 s) 1s m1 m1∈Ｍ σ1 σ1←Signks(m1) m2 m2∈Ｍ σ2 σ2←Signks(m2) ⋮ mn mn∈Ｍ σn (m，σ)∈Ｍ×Ｓ σn←Signks(mn) Let E be the event that (m，σ)∉{(m1，σ1),…,(mn，σn)} yet Verkv(m，σ)=1 Define A’s advantage to be AdvSig-forge(A)≔Pr[E]

Existential unforgeability Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvSig-forge(A)≤ε(s).

“Textbook” RSA signatures Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is, Gen(1s) chooses distinct s-bit primes p and q and e∈℥φ(pq), and then it outputs kv≔(pq，e) and ks≔e-1 mod φ(pq); Sign(ks，m) outputs σ≔md mod pq; and Ver(kv，m，σ) outputs 1 if m≟σe mod pq and 0 otherwise. Q: Is this an existentially unforgeable signature scheme? A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!) (If you do this and I find out, I will retroactive fail you in this course!)

“Textbook” RSA signatures As with textbook RSA encryption, textbook RSA signatures have some serious problems! Unclear how to sign “long” messages Extremely inefficient “No message” forgery attacks Forgeries from malleability Forgeries on arbitrary messages Key reuse attacks

“No message” forgeries Obs 1: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any σ∈℥N, the attacker can output a valid forgery (m，σ) where m≔ σe mod pq. ??? Q: Can attacker choose σ corresponding to a particular message of its choosing? A: No! (Unless the RSA assumption fails to hold.) Message is an eth root of σ modulo pq!

Forgeries from malleability Obs 2: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any two message-signatures pairs (m1，σ1), (m2，σ2) such that Ver(pv，m1，σ1)=Ver(pv，m2，σ2)=1, the attacker can output a valid forgery (m’，σ’) where m’≔m1am2b mod pq and σ’≔ σ1aσ2b mod pq . Attacker can choose a and b arbitrarily a=b=1 yields signature on m1m2 b=0 yields signature on m1a

Forgeries on arbitrary messages Obs 3: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Attacker can forge signature on arbitrary message m of its choosing by choosing any r∈℥pq such that r≠1, requesting a signature σ’ on m’≔ outputting σ≔ m·re, and ??? σ’·r-1 mod pq. ??? This “attack” is useful for constructing blind RSA signatures.

One-time signature schemes Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message Q: Why is this notion useful? A1: We can construct OTS schemes under weaker assumptions No random oracles, no computational assumptions A2: OTS’s are a useful building block for “many-time” signatures

One-time forgery game 1s (ks，kv)←Gen(1 s) 1s m∈Ｍ σ←Signks(m) Challenger (C) Attacker (A) kv 1s (ks，kv)←Gen(1 s) 1s m m∈Ｍ σ σ←Signks(m) (m’，σ’)∈Ｍ×Ｓ Let E be the event that (m’，σ’)≠(m，σ) yet Verkv(m’，σ’)=1 Define A’s advantage to be AdvOTS-forge(A)≔Pr[E]

One-time existential unforgeability Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvOTS-forge(A)≤ε(s).

Lamport’s OTS scheme (for ℓ(s)-bit messages) Let F be an OWF (In practice, F is a cryptographic hash function) Gen(1s) chooses (x1,0，x1,1),…，(xℓ(s),0，xℓ(s),1)∊{0，1}s×{0，1}s and outputs Ks≔{ x1,0 ⋯ xℓ(s),0 x1,1 ⋯ xℓ(s),1 } and Kv≔{ y1,0 ⋯ yℓ(s),0 y1,1 ⋯ yℓ(s),1 }, where each yij≔F(xij) Sign(ks，m1∥m2∥⋯∥mℓ(s)) outputs σ≔(x1,m1，x2,m2,…，xℓ(s),mℓ(s)) Ver(kv，m1∥m2∥⋯∥mℓ(s)，σ) outputs 1 if yi,mi≟F(xi,mi) for each i=1,…， ℓ(s) and outputs 0 otherwise

Security of Lamport’s OTS scheme Thm: Let ℓ：ℕ→ℕ be any positive integer-valued polynomial and let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks. Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0，1}s∖{m}. Since m’≠m, there exists a bit position i for which mi≠m′i; thus, forging a signature on m’ requires A to find x′i∈F-1(yi,m′i). Since F is an OWF, A succeeds in doing so with negligible advantage. ☐

That’s all for today, folks!