Digital Signature Schemes and the Random Oracle Model A. Hülsing

Review provable security of “in use” signature schemes. (PKCS #1 v2.x) Today‘s goal Review provable security of “in use” signature schemes. (PKCS #1 v2.x) 20-11-2018

Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/DSA.jpg 20-11-2018

Definition: Digital Signature (formally) Let 𝓜 be the message space. A digital signature scheme DSig = (KeyGen, Sign, Verify) is a triple of PPT algorithms 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : upon input of a security parameter 𝟏 𝒌 outputs a private signing key 𝒔𝒌 and a public verification key 𝒑𝒌, 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : outputs a signature 𝛔 under 𝒔𝒌 for message 𝑴, if 𝑴∈𝓜, 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : outputs 1 iff 𝛔 is a valid signature on 𝑴 under 𝒑𝒌, such that the following correctness condition is fulfilled: ∀ 𝒑𝒌,𝒔𝒌 ←𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 ,∀ 𝑴∈𝓜 : 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 =𝟏. 20-11-2018

Attack goals Consider adversary 𝑨 Full break (FB): 𝐴 can compute the secret key. Universal forgery (UU): 𝐴 can forge a signature for any given message. 𝐴 can efficiently answer any signing query. Selective forgery (SU): 𝐴 can forge a signature for some message of its choice. In this case 𝐴 commits itself to a message before the attack starts. Existential forgery (EU): 𝐴 can forge a signature for one, arbitrary message. 𝐴 might output a forgery for any message for which it did not learn the signature from an oracle during the attack. 20-11-2018

Attack Models Key-only attack (KOA): 𝐴 only gets the public key for which it has to forge a signature. Random message attack (RMA): 𝐴 learns the public key and the signatures on a set of random messages. Adaptively chosen message attack (CMA): 𝐴 learns the public key and is allowed to adaptively ask for the signatures on messages of its choice. 20-11-2018

Existential unforgeability under adaptive chosen message attacks PK, 1n SK 𝑞 𝑠 Mi SIGN (σi, Mi) (σ*, M*) Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept 20-11-2018

Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN (σi, Mi) Solution Extract Solution (σ*, M*) 20-11-2018

Why security reductions? Current RSA signature standards so far unbroken Vulnerabilities might exist! (And existed for previous proposals) Might be possible to forge RSA signatures without solving RSA problem or factoring! 20-11-2018

What could possibly go wrong? 20-11-2018

RSA Let (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) be a PPT algorithm that outputs a modulus 𝑵 that is the product of two 𝒌-bit primes (except possibly with negligible probability), along with an integer 𝒆>𝟎 with 𝐠𝐜𝐝⁡(𝒆, 𝝓(𝑵))=𝟏 and an integer 𝒅>𝟎 satisfying 𝒆𝒅 = 𝟏 𝐦𝐨𝐝 𝝓 𝑵 . For any (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) and any 𝒚∈ ℤ 𝑵 ∗ we have ( 𝒚 𝒅 ) 𝒆 = 𝒚 𝒅𝒆 = 𝒚 𝒅𝒆 𝐦𝐨𝐝 𝝓 𝑵 = 𝒚 𝟏 =𝒚 𝐦𝐨𝐝 𝑵 20-11-2018

RSA Assumption Definition 1. We say that the RSA problem is hard relative to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is negligible: 𝑷𝒓⁡[(𝑵, 𝒆, 𝒅)←𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ); 𝒚← ℤ 𝑵 ∗ ; 𝒙←𝑨(𝑵, 𝒆, 𝒚): 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵]. 20-11-2018

A simple RSA Signature (a.k.a. textbook RSA) 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔=( 𝑴 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑴 20-11-2018

Some RSA properties Public function: 𝑷 𝒙 = 𝒙 𝒆 mod 𝑵 Secret function: 𝑺 𝒙 = 𝒙 𝒅 mod 𝑵 Reciprocal property (RP): 𝑷∘𝑺=𝑺∘𝑷=𝑰𝒅 Multiplicative property (MP): ∀𝒙,𝒚∈ ℤ 𝑵 : 𝑺 𝒙𝒚 =𝑺 𝒙 𝑺(𝒚) 20-11-2018

Existential forgery under KOA Given public key 𝒑𝒌= 𝑵, 𝒆 Choose random 𝝈∈ ℤ 𝑵 . Apply public function: 𝑷 𝝈 = 𝝈 𝒆 𝐦𝐨𝐝 𝑵=𝑴 Return signature-message pair 𝝈, 𝑴 . 20-11-2018

Universal forgery under CMA Given public key 𝒑𝒌= 𝑵, 𝒆 To create a forgery on a given message 𝑴: Choose two messages 𝐱,𝐲∈ ℤ 𝑵 such that 𝒙𝒚=𝑴 𝐦𝐨𝐝 𝑵 Ask for signatures 𝝈 𝒙 of 𝒙 and 𝝈 𝒚 of 𝒚 Output forgery ( 𝝈 𝒙 𝝈 𝒚 ,𝑴) 20-11-2018

Universal forgery under CMA: The Blinding Attack Given public key 𝒑𝒌= 𝑵, 𝒆 To create a forgery on any given message 𝑴: Sample random 𝒓∈ ℤ 𝑵 ∗ Ask for signature 𝝈 on 𝒓 𝒆 𝑴 𝐦𝐨𝐝 𝑵 Output forgery 𝝈 𝒓 𝐦𝐨𝐝 𝑵,𝑴 Recall 𝝈= ( 𝒓 𝒆 𝑴) 𝒅 = 𝒓 𝒆𝒅 𝑴 𝒅 =𝒓 𝑴 𝒅 𝐦𝐨𝐝 𝑵 Hence 𝝈 𝒓 = 𝑴 𝒅 𝐦𝐨𝐝 𝑵 20-11-2018

A slightly better RSA Signature Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → {𝟎,𝟏} 𝒏 for e.g. 𝒏=𝟏𝟔𝟎 (like with SHA1) 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that 𝛍 𝑴 =(𝟎…𝟎||𝑯 𝑴 )∈ ℤ 𝑵 ∗ Return 𝛔= 𝛍 𝑴 𝑑 𝐦𝐨𝐝 𝑵 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝛍 𝑴 =(𝟎…𝟎||𝑯 𝑴 ) 20-11-2018

B-smooth B-smooth: An integer is B-smooth if all its prime factors are smaller than B. 20-11-2018

Remember Index Calculus? Given public key 𝒑𝒌= 𝑵, 𝒆 Select a bound 𝒚 and let 𝑺=( 𝒑 𝟏 , . . . , 𝒑 𝒍 ) be the list of primes smaller than 𝒚. Find at least 𝒍+𝟏 messages 𝑴 𝒊 such that each 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 ) is a product of primes in 𝑺 (i.e. 𝒚–smooth). Express one 𝛍 𝑴 𝒋 as a multiplicative combination of the other 𝛍 𝑴 𝒊 by solving a linear system given by the exponent vectors of the 𝛍 𝑴 𝒊 with respect to the primes in 𝑺. Ask for the signatures on all 𝑴 𝒊 , 𝒊≠𝒋 and forge signature on 𝑴 𝒋 . 20-11-2018

Step 3 Recall 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 ) We can write ∀𝑴 𝒊 ,𝟏≤𝒊≤𝝉: 𝛍 𝑴 𝒊 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝒗 𝒊,𝒋 Associate with 𝛍 𝑴 𝒊 length 𝒍 vector 𝑽 𝒊 𝒗 𝒊,𝟏 𝐦𝐨𝐝 𝒆,…, 𝒗 𝒊,𝒍 𝐦𝐨𝐝 𝒆 𝝉≥𝒍+1 and there are only 𝒍 linearly independent length 𝒍 vectors: We can express one vector as combination of others mod e. Let this be 𝑽 𝝉 = 𝒊=𝟏 𝝉−𝟏 𝜷 𝒊 𝑽 𝒊 +𝒆𝚪 ; for some 𝚪=( 𝜸 𝟏 ,…, 𝜸 𝒍 ) Hence, 𝛍 𝑴 𝝉 = ( 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 ) 𝒆 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝜷 𝒊 20-11-2018

Step 4 Ask for signatures 𝝈 𝒊 = 𝛍 𝑴 𝒊 𝒅 𝐦𝐨𝐝 𝑵 on 𝑴 𝒊 for 𝟏≤𝒊<𝝉 Compute: 𝝈 ∗ = 𝛍 𝑴 𝝉 𝒅 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝒅 𝜷 𝒊 𝐦𝐨𝐝 𝑵 Output forgery (𝝈 ∗ , 𝑴 𝝉 ) 20-11-2018

Summing up Original attack (Misarsky, PKC’98) works even for more complicated paddings (ISO/IEC 9796-2) Attack only works for small 𝒏! (Complexity depends on 𝒍 and probability that an 𝒏-bit number is 𝒚-smooth). But using SHA-1 (𝒏=𝟏𝟔𝟎) the attack takes much less than 𝟐 𝟓𝟎 operations! There are many ways to make mistakes... (Similar attacks apply to encryption!) That‘s why we want security reductions 20-11-2018

The Random Oracle Model 20-11-2018

Standard model vs. idealized model Standard model: Assume building block has property P (e.g., collision resistance). Use property in reduction. Idealized model: Assume a building block behaves perfectly (e.g. hash function behaves like truely random function). Replace building block by an oracle in reduction. 20-11-2018

Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN (σi, Mi) Solution Extract Solution (σ*, M*) 20-11-2018

Random Oracle Model (ROM) Idealized Model Perfectly Random Function Mj H(Mj) Mj H(Mj) RO 20-11-2018

How to implement RO? (In theory) ”Lazy Sampling”: Keep list of (𝒙𝒊, 𝒚𝒊) Given 𝑴𝒋, search for 𝒙𝒊=𝑴𝒋 If 𝒙𝒊=𝑴𝒋 exists, return 𝒚𝒊 Else sample new 𝒚 from Domain, using uniform distribution Add (𝑴𝒋, 𝒚) to table Return 𝒚 RO 20-11-2018

ROM security Take scheme that uses cryptographic hash For proof, replace hash by RO Different flavors: Random function vs. Programmable RO Heuristic security argument Allows to verify construction Worked for ”Natural schemes” so far However: Artificial counter examples exist! 20-11-2018

Full Domain Hash Signature Scheme 20-11-2018

Trapdoor (One-way) Permutation 𝑭 𝒑𝒌,𝒙 =𝝅(𝒙) 𝑭 𝒔𝒌,𝒚 =𝝅 −𝟏 (𝒚) Computing 𝝅 −𝟏 (𝒚) without knowledge of sk computationally hard 20-11-2018

RSA Trapdoor (One-way) Permutation 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 ; 𝒑𝒌= 𝑵, 𝒆 ; 𝒔𝒌=𝒅 𝑭 𝒑𝒌,𝒙 = 𝒙 𝒆 𝒎𝒐𝒅 𝑵 𝑭 𝒔𝒌,𝒚 = 𝒚 𝒅 𝒎𝒐𝒅 𝑵 Computing 𝝅 −𝟏 (𝒚) without knowledge of sk computationally hard if RSA Assumption holds 20-11-2018

Generic FDH: Sign M 𝒚=𝑯(𝑴) 𝝈=𝑭 𝒔𝒌,𝒚 = 𝝅 −𝟏 (𝒚) 𝝈=𝑺𝒊𝒈𝒏 𝒔𝒌,𝑴 = 𝝅 −𝟏 (𝑯 𝑴 ) =𝑭(𝒔𝒌,𝑯 𝑴 ) 20-11-2018

Generic FDH: Verify M 𝒚=𝑯(𝑴) 𝒚 ′ =𝑭 𝒑𝒌,𝝈 =𝝅(𝝈) 𝑽𝒆𝒓𝒊𝒇𝒚 𝒑𝒌,𝑴,𝝈 : check 𝒚=𝑯 𝑴 == 𝝅 𝝈 =𝑭 𝒑𝒌,𝝈 = 𝒚 ′ 20-11-2018

RSA-PFDH Randomized FDH Simplified RSA-PSS Standardized in PKCS #1 v2 (slightly different randomization) Tight Reduction from RSA Assumption in ROM 20-11-2018

RSA-PFDH Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → ℤ 𝑵 ∗ 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓 $ 𝑼 𝜿 ; Compute 𝐲=𝑯(𝒓||𝑴) Return 𝛔=(𝒓, 𝒚 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑯(𝒓||𝑴) 20-11-2018

RSA-PFDH Security If the RSA Assumption holds, RSA-PFDH is existentially unforgeable under adaptive chosen message attacks in the ROM. 20-11-2018

Proof TODO: Show that any forger A against RSA-PFDH can be used to break the RSA Assumption with approx. the same time and success probability. ”Given a forger A against RSA-PFDH with success probability 𝜺, we construct an oracle Machine MA that succeeds with probability 𝜺/𝟒.” 20-11-2018

Reduction 𝑵, 𝒆, 𝒚 Transform Problem pk, 1n Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 20-11-2018

Reduction: Transform Problem 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑵, 𝒆, 𝒚 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 20-11-2018

The RO trick Simulate RO such that you can answer SIGN-queries. 20-11-2018

Reduction: Implement SIGN 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑵, 𝒆, 𝒚 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 20-11-2018

Implement SIGN – Simulate RO Keep table of tripples (∗, ∗, ∗) When A asks for 𝑯(𝒓||𝑴): If there is an entry ((𝒓||𝑴), 𝒙, 𝒛) in table, return 𝒛 If list 𝑳 𝑴 already exists, go to 3. Otherwise, choose 𝒒 𝒔 values 𝒓 𝑴,𝟏 ,…, 𝒓 𝑴, 𝒒 𝒔 ← {𝟎,𝟏} 𝜿 and store them in a list 𝑳 𝑴 . If 𝒓∈ 𝑳 𝑴 then let 𝒊 be such that 𝒓= 𝒓 𝑴,𝒊 . Choose random 𝒙 𝑴,𝒊 ∈ ℤ 𝑵 ∗ and return the answer 𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) in the table. (RP) If 𝒓∉ 𝑳 𝑴 , choose random 𝒙∈ ℤ 𝑵 ∗ and return the answer 𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴,𝒙,𝒛) in the table. 20-11-2018

Implement SIGN When A requests some message 𝑴 to be signed for the 𝒊 th time: let 𝒓 𝑴,𝒊 be the 𝒊 th value in 𝑳 𝑴 and compute 𝐳=𝐇( 𝒓 𝑴,𝒊 ||𝑴) using RO. Let (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) be the corresponding entry in the RO table. Output signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ). 20-11-2018

Observation All SIGN queries can be answered! SIGN queries are answered using hash 𝐇( 𝒓 𝑴,𝒊 | 𝑴 =𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵 Signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ) known by programming RO All other hash queries are answered with 𝐇(𝒓| 𝑴 =𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵 (with high probability). Signature not known! BUT: Allows to extract solution from forgery! Note: Any A with non-negl. success probability has to query RO for digest of forgery message! 20-11-2018

Reduction: Extract Solution 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑞 𝐻 𝑵, 𝒆, 𝒚 𝑞 𝑠 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 20-11-2018

Reduction: Extract Solution If A outputs a forgery ( 𝑴 ∗ , ( 𝒓 ∗ , 𝝈 ∗ )): If 𝒓 ∗ ∈ 𝑳 𝑴 ∗ abort. Else, let ( 𝒓 ∗ ||𝑴 ∗ , 𝒙,𝒛) be the corresponding entry of the table. Output 𝝈 ∗ 𝒙 𝐦𝐨𝐝 𝑵. Note: 𝝈 ∗ 𝒙 𝒆 = 𝝈 ∗ 𝒆 𝒙 𝒆 = 𝑯 𝒓 ∗ ||𝑴 ∗ 𝒙 𝒆 = 𝒚 𝒙 𝒆 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 ⟹ 𝝈 ∗ 𝒙 = 𝒆 𝒚 𝐦𝐨𝐝 𝑵 20-11-2018

Analysis Transform Problem: Implement SIGN / RO: Extract Solution: Succeeds always Generates exactly matching distribution Implement SIGN / RO: Succeeds always (we choose 𝒓) Generates exactly matching distribution: RO: Outputs are uniform in ℤ 𝑵 ∗ SIGN: Follows from RO Extract Solution: Succeeds iff A succeeds AND 𝒓 ∗ ∉ 𝑳 𝑴 ∗ ⇒𝐩=𝐏𝐫 𝒓 ∗ ∉ 𝑳 𝑴 ∗ = (𝟏− 𝟐 −𝜿 ) 𝒒 𝒔 Setting 𝜿= 𝐥𝐨𝐠 𝟐 𝒒 𝒔 : 𝒑≥ 𝟏 𝟒 assuming 𝒒 𝒔 ≥𝟐 20-11-2018

What have we shown? We can turn any forger A against RSA-PFDH with success probability 𝜺 into an algorithm MA that solves the RSA problem with probability 𝜺/𝟒. In reverse: If there exists no algorithm to solve the RSA problem with probability ≥𝜺 then there exists no forger against RSA-PFDH that succeeds with probability ≥𝟒𝜺. As proof is in ROM we have to add ”... As long as the used hash function behaves like a RO.” 20-11-2018

How to implement RO? (In practice) Formerly: Use hash function + PRG E.g. SHA2 in couter mode / SHA2-HMAC in counter mode keyed with SHA2(M) Today: Use XOF E.g. SHAKE128 RO 20-11-2018

Conclusion Ad Hoc constructions problematic Blinding / Index Calculus Proofs (even in ROM) allow to check construction There is one standardized RSA Sig with proof Similar situation for DSA (ROM proof) 20-11-2018

Thank you! Questions? 20-11-2018