Almost uniform density of power residues and the provable security of ESIGN (slides by Jacques Stern and Tatsuaki Okamoto, ASIACRYPT 2003, December 3rd 2003)

Almost uniform density of power residues and the provable security of ESIGN
Jacques Stern (École normale supérieure) and Tatsuaki Okamoto (NTT Labs)
ASIACRYPT 2003, December 3rd 2003

Summary
- A short introduction to "provable security"
- The ESIGN signature scheme
- Difficulties with the security proof
- Density of power residues
- Conclusions

Kerckhoffs' Principles (1883; the slides quote the original French, given here in English)
- 1° The system must be practically, if not mathematically, indecipherable;
- 2° It must not require secrecy, and must be able to fall into the enemy's hands without drawback;

Public key cryptography (DH 1976, RSA 78)
Bob has a pair of related keys:
- a public key k_e, known to anyone, including Alice;
- a private key k_d, known only to Bob.
Kerckhoffs' extended second principle: the encryption key must be able to fall into the enemy's hands without drawback.

Provable security (GM84, GMR88)
- Attempts to mathematically establish security.
- Kerckhoffs' extended first principle: the system must be mathematically indecipherable.

"Practical" provable security (FS86, BR93)
- The "random oracle" methodology mediates between practice and mathematics.
- It substitutes truly random functions for the hash functions and averages over these.
- Very efficient, and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO).

The limits of provable security
- Provable security does not yield proofs in the absolute sense:
  - proofs are relative (to a hardness assumption);
  - proofs often use random oracles, whose meaning is debatable (CGH98).
- Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed.

Provable security in five steps
1. Define the goal of the adversary
2. Define the security model
3. Provide a proof by reduction
4. Check the proof
5. Interpret the proof

Signature scheme (formal)
- Key generation algorithm G, producing a signing key k_s and a verification key k_v
- Signature algorithm S: on input k_s and a message m, outputs a signature σ
- Verification algorithm V: on input k_v, m and σ, outputs 0/1
Non-repudiation: it must be impossible to forge a valid σ without k_s.

Goal of the adversary (1)
- Existential forgery: try to forge a valid message/signature pair without the private key.
- The adversary is successful if the probability that it outputs such a pair is large.

Security models (2)
- No-message attacks: the adversary only knows the verification (public) key.
- Known-message attacks (KMA): the adversary has access to a list of message/signature pairs.
- Chosen-message attacks (CMA): the messages are adaptively chosen by the adversary; this is the strongest attack.

Proof by reduction (3)
Let A be an adversary that breaks the ESIGN scheme. Then A can be used to solve the approximate e-th root problem P: an instance I of P is fed to A, and A's forgery is converted into a solution of I.

ESIGN [O90]
- A signature scheme considered in the late 90ies by IEEE P1363, Cryptrec and NESSIE, together with a security proof.
- Uses RSA-type integers of the form n = p²q.
- Based on the approximate e-th root problem: given y, find x such that y ≈ x^e mod n.
- Signature generation is a very efficient way to compute σ = x, given y whose leading 1/3 of the bits are H(m) and whose remaining bits are 0.

Almost uniform density of power residues and the security proof of ESIGN Jacques Stern  Signature generation relies on the fact that, for random r and variable t ( r+tpq) e mod n ranges over an arithmetical progression, so that one simply adjusts t to fall into a prescribed interval of length pq  thus signing only requires raising to the e-th power  even (slightly) more efficient for e= 2 u ESIGN

Checking the proof (4)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (instance I of P → A → solution of I). First problem: the proof is not correct in the CMA model.

Overlooked: submitting a message twice? [SPMS02]
- In a probabilistic signature scheme, several signatures may correspond to the same message.
- In the usual definition of existential forgery under chosen-message attacks (CMA), the adversary can repeatedly submit the same message. Otherwise one gets a weaker model:
- Single-occurrence chosen-message attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of signed messages.

Checking the proof (4), continued
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (instance I of P → A → solution of I). Second problem: the proof is not correct for e a power of two.

Overlooked: correct simulation of the random oracle
- In the security proof, a key step "simulates" the random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key).
- The simulation picks r at random and "declares" that H(m) consists of the leading 1/3 of the bits of r^e mod n. This makes σ = r a signature of m.
- One needs to prove that this correctly simulates a random function: not obvious when e = 2^u, since e is then not prime to φ(n), the e-th power map is far from a bijection, and the leading bits of r^e mod n need not be uniformly distributed.
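The signing method of the ESIGN slides and the simulator of the proof, as an added runnable example (this is not code from the talk or from any ESIGN implementation). It uses a toy instance with two constructed 20-bit primes, e = 32, and a hash reduced into the range that the leading bits can take (a simplification of the real message formatting); the function names are this example's own. It shows the arithmetic progression (r + t·pq)^e mod n = r^e + t·e·r^(e-1)·pq mod n, the trapdoor signing that picks the right term of that progression, and a programmable random oracle that both performs the simulator's trick and fails on a second signing query for the same message, which is the CMA versus SO-CMA gap.

```python
import hashlib
import random

# Toy ESIGN instance constructed for this example (real ESIGN uses primes of
# several hundred bits).  p, q are k-bit primes, n = p^2 q and e = 2^u.
P, Q = 1000003, 1000033     # 20-bit primes (constructed toy parameters)
K = 20                      # bit length of p and q, so n has about 3k bits
N = P * P * Q
PQ = P * Q                  # step of the arithmetic progression used for signing
E = 32                      # e = 2^5, the case in which the proof needs the density theorem
HMAX = N >> (2 * K)         # H(m) is kept below HMAX so h*2^(2k) + pq never exceeds n


def hash_msg(m: bytes) -> int:
    """Stand-in for H(m): SHA-256 reduced into [0, HMAX).  The reduction is a
    simplification of the real ESIGN message formatting."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % HMAX


def progression(r: int, t: int) -> int:
    """(r + t*pq)^e mod n computed as the arithmetic progression a + t*step:
    in the binomial expansion every term containing (pq)^2 vanishes mod p^2 q,
    so (r + t*pq)^e = r^e + e*r^(e-1)*t*pq (mod n)."""
    a = pow(r, E, N)
    step = (E * pow(r, E - 1, N) * PQ) % N
    return (a + t * step) % N


def sign(m: bytes, rng=random) -> int:
    """ESIGN signing with the trapdoor (p, q): one e-th power, then choose the
    term of the progression that lands in [h*2^(2k), h*2^(2k) + pq)."""
    h = hash_msg(m)
    while True:
        r = rng.randrange(1, PQ)
        if r % P == 0:            # e*r^(e-1) must be invertible mod p
            continue
        a = pow(r, E, N)
        z = (h << (2 * K)) - a    # signed distance from a to the target
        w0 = -((-z) // PQ)        # ceil(z / pq): number of pq-steps to take
        # u with e*r^(e-1)*u == w0 (mod p) makes (r + u*pq)^e == a + w0*pq (mod n),
        # i.e. s^e mod n = h*2^(2k) + w1 with 0 <= w1 = w0*pq - z < pq < 2^(2k).
        u = (w0 * pow(E * pow(r, E - 1, P), -1, P)) % P
        return r + u * PQ


def verify(m: bytes, s: int) -> bool:
    """Public verification: the leading third of the bits of s^e mod n is H(m)."""
    return 0 < s < N and (pow(s, E, N) >> (2 * K)) == hash_msg(m)


class ProgrammedOracle:
    """Random oracle under the reduction's control: H(m) can be *set* before it
    is ever queried, which is what lets the simulator sign without (p, q)."""

    def __init__(self):
        self.table = {}

    def query(self, m: bytes) -> int:
        if m not in self.table:
            self.table[m] = hash_msg(m)   # fresh value at an unprogrammed point
        return self.table[m]

    def program(self, m: bytes, h: int) -> None:
        if m in self.table:
            # A second signing query on the same m would need a new value of
            # H(m), but H(m) is already fixed: the CMA versus SO-CMA gap.
            raise ValueError("H(m) already fixed; cannot re-program it")
        self.table[m] = h


def simulated_sign(oracle: ProgrammedOracle, m: bytes, rng=random) -> int:
    """The proof's simulator: pick r, declare H(m) := leading bits of r^e mod n,
    output sigma = r.  This is a faithful simulation only if those leading bits
    are (almost) uniform over [0, HMAX), which for e = 2^u is the density question."""
    while True:
        r = rng.randrange(1, N)
        h = pow(r, E, N) >> (2 * K)
        if h < HMAX:              # stay in the range of the real oracle
            oracle.program(m, h)
            return r


def verify_with(oracle: ProgrammedOracle, m: bytes, s: int) -> bool:
    """Verification against whatever the (possibly programmed) oracle says H(m) is."""
    return 0 < s < N and (pow(s, E, N) >> (2 * K)) == oracle.query(m)
```

Signing never inverts anything modulo n; the single inversion is modulo the small prime p, and the e-th power of the candidate is all the heavy arithmetic, which is why ESIGN is fast. The simulator, by contrast, picks r first and sets H(m) afterwards; whether the values it sets are distributed like a random function is exactly what the density theorem of the next slides settles for e = 2^u.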

Completing the proof when e = 2^u
- Need to show that the density of e-th power residues is almost uniform in any large enough interval.
- Theorem. Let N = pq be an RSA modulus. The number of e-th power residues modulo N in any interval of length N^α, 1/2 < α < 1, is very close to N^α/d, where d is the index of the group of e-th power residues in (Z_N)*; "very close" means that the relative difference is bounded by 5·N^(1/2−α)·ln(N).

Completing the proof
We have two proofs:
- The first uses two-dimensional lattices and yields slightly worse bounds.
- The second (found afterwards) uses the so-called Pólya–Vinogradov inequality, which states that, for any non-principal Dirichlet character χ on (Z_N)* and any integer h, |Σ_{1 ≤ x ≤ h} χ(x)| ≤ 2·√N·ln(N).
This is enough to complete the security proof when e is not prime to φ(n).
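The density theorem checked numerically on a constructed toy modulus, as an added example (not code from the paper): enumerate the e-th power residues modulo N = pq, count those falling in an interval of length N^α, and compare with the theorem's N^α/d and its error bound 5·N^(1/2−α)·ln N, where d = gcd(e, p−1)·gcd(e, q−1) is the index of the subgroup of e-th powers. At N = 509·521 the bound exceeds 1 and says nothing, which is the point of the caveat: it only bites at cryptographic sizes, yet the counts already sit close to N^α/d, both for e = 4 = 2² (d = 16) and for e = 3, which is prime to φ(N) (d = 1, the case the original proof already handled). The function names and the choice α = 3/4 are this example's own.

```python
import math

# Toy RSA modulus N = pq, constructed for this example; the theorem is stated
# for N = pq and its bound only becomes informative at cryptographic sizes.
P, Q = 509, 521
N = P * Q


def power_residues(n: int, e: int) -> set:
    """The e-th power residues in (Z/n)^*: {x^e mod n : gcd(x, n) = 1}."""
    return {pow(x, e, n) for x in range(1, n) if math.gcd(x, n) == 1}


def residue_index(p: int, q: int, e: int) -> int:
    """Index d of the subgroup of e-th powers in (Z/pq)^*.  Each factor (Z/p)^*
    is cyclic of order p-1, on which the e-th power map has a kernel of size
    gcd(e, p-1); by the Chinese remainder theorem the indices multiply."""
    return math.gcd(e, p - 1) * math.gcd(e, q - 1)


def count_in_interval(residues: set, n: int, start: int, length: int) -> int:
    """Integers x in [start, start+length) whose class mod n is an e-th power
    residue (non-units never are)."""
    return sum(1 for x in range(start, start + length) if x % n in residues)


def density_check(p: int, q: int, e: int, alpha: float, start: int) -> dict:
    """Count e-th power residues in an interval of length N^alpha and compare
    with the theorem's prediction N^alpha / d and its bound 5 N^(1/2-alpha) ln N."""
    n = p * q
    length = round(n ** alpha)
    d = residue_index(p, q, e)
    residues = power_residues(n, e)
    observed = count_in_interval(residues, n, start, length)
    expected = length / d
    return {
        "N": n, "e": e, "d": d, "length": length,
        "total_residues": len(residues),   # equals phi(N) / d exactly
        "observed": observed,
        "expected": expected,
        "rel_err": abs(observed - expected) / expected,
        "bound": 5 * n ** (0.5 - alpha) * math.log(n),
    }


if __name__ == "__main__":
    for e in (3, 4):   # e = 3 is prime to phi(N) (d = 1); e = 4 = 2^2 is not
        print(density_check(P, Q, e, 0.75, 12345))
```

Reading the output: "total_residues" is exactly φ(N)/d, the group-theoretic count, while "observed" versus "expected" is the interval statement of the theorem. The relative error is a few percent at this size and shrinks with N, whereas the printed "bound" is above 1 here; that is the gap between a clean asymptotic theorem and the concrete parameters a standard has to certify, which is why the slides insist on interpreting the proof and not just checking it.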

Conclusions (1)
- The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
- The first flaw is methodological in character and is related to the security model.
- The second is a limitation in the proof that could be overcome by use of (some) number theory.

Conclusions (2)
- It took twenty centuries to design RSA.
- It took over twenty years to understand how to practice RSA and get "provable security".
- ESIGN's provable security took over ten years.
- Cryptographic schemes should not be adopted and standardized prematurely,
- and not without a security proof, at least in the random oracle model.
- Also allow some additional time to check and interpret the security proof.