Seminar Presentation on Notions of Security. S M Masud Karim, January 18, 2008, Bonn, Germany.


SECURITY NOTIONS FOR SIGNATURE SCHEMES: THE GHR SECURITY PROOF
Presented By S. M. Masud Karim
Supervised By Prof. Joachim von zur Gathen, Ms Laila El Aimani

Outline of the Talk
► Introduction to Digital Signature Schemes
► Why Reductionist Security?
► Security Notions
► Mathematical Assumptions
► The Strong RSA Problem
► The Gennaro-Halevi-Rabin Signature Scheme
► Reduction of SRSA Problem to breaking the GHR Signature Scheme in the strongest sense provided by Security Notion.

Digital Signature
A handwritten signature relates an individual to a specific document. Besides, a signature
► can be verified by anyone against an authenticated signature taken as reference, thereby conferring a legal value to the signed document,
► should be physically impossible to forge.
In comparison, a digital signature relates an individual to a specific file and
► can be verified by anyone by public means, which also provides a legal value to the signed file,
► should be computationally impossible to forge, thereby conferring non-repudiation.

Digital Signature Scenarios
Utilization of message authentication scheme: Decryption → Signing, Encryption → Verifying
► Symmetric Key Scenario (... symmetric private key sk)
■ authenticity √ ■ integrity √ ■ non-repudiation ✗ ■ universally verifiable ✗
► Public Key Scenario (...public key pk, private key sk)
■ authenticity √ ■ integrity √ ■ non-repudiation √ ■ universally verifiable √

Digital Signature Scheme
► Alice generates a public/private key pair (pk, sk) by running a probabilistic key generation algorithm G(|pk|), |pk| being the security parameter. Alice outputs (publishes) pk.
► Whenever Alice wishes to sign a digital document m, she computes the signature s = S(sk, m) where S is the (possibly probabilistic) signing algorithm. She outputs s and maybe also m.
► Bob can verify that s is a signature of m output by Alice by running the verification algorithm V(pk, m, s) returning 1 if s = S(sk, m) or 0 otherwise.
The cryptographic system given by the triple (G, S, V) is called a signature scheme.

Taxonomy of Signatures
The description of (G, S, V) includes function domains (message, signature and key spaces). Signature schemes are usually classified according to the following specific features:
► a signature scheme is said to be randomized or probabilistic (resp. deterministic) when S is probabilistic (resp. deterministic),
► V is deterministic and gives Boolean responses (true or false) during verification,
► schemes wherein the message m is appended to the signature s are sometimes called signature schemes with appendix.

Why Reductionist Security?
Once a signature scheme (or a cryptosystem) is described, how can its security be proved?
► by trying to exhibit an attack
■ attack found ⇒ system insecure!
■ attack not found ⇒ ??
► by proving that no attack exists under some assumptions
■ attack found ⇒ false assumption
Important: The assumption has to be reasonable.

How to Get a Security Proof?
To get a security proof, one needs to
Step 1: Formally define the security notion to achieve,
Step 2: Make precise mathematical assumptions,
Step 3: Design a signature scheme (or a cryptosystem) and describe its operational modes,
Step 4: Exhibit a reduction from the assumption's underlying problem to breaking the scheme in the sense defined by the security notion.
To prove that a problem A is reducible to another problem B, one needs to exhibit an algorithm (with polynomial resources) that solves A with access to an oracle that solves B. It is denoted by A ≤ B or A ⇐ B.

Security Notions
A security notion (or level) is entirely defined by pairing an adversarial goal with an adversarial model. Depending on the context in which a given signature scheme (or cryptosystem) is used, one may formally define a security notion,
► by telling what goal an adversary would attempt to reach (the adversarial goal), and
► what means or information are made available to the attacker (the adversarial or attack model).

Security Goals
► Unbreakability: The attacker recovers the secret key sk from the public key pk (or an equivalent key if any). This goal is denoted UB. It arises implicitly with public-key signature schemes (or public-key cryptography).
► Universal Unforgeability: The attacker, without necessarily having recovered sk, can produce a valid signature s of any message m in the message space. Denoted UUF.
► Existential Unforgeability: The attacker creates a message m and a valid signature s of it (with no control over the message). Denoted EUF.

Security Models
► Key-Only Attacks: The adversary only has access to the public key pk. This is denoted KOA. This scenario is unavoidable in public-key signature schemes (or public-key cryptography).
► Known Message Attacks: The adversary has access to signatures for a set of known messages. Denoted KMA.
► Chosen Message Attacks: The adversary is allowed to use the signer as an oracle (full access), and may request the signature of any message of his choice (multiple requests of the same message are allowed). Denoted CMA.

Security Notions for Signature

Security Notions for Signature (contd.)
Because EUF-CMA is the highest security level, it is desirable to prove security with respect to this notion. Formally, a signature scheme is said to be $(q, \tau, \varepsilon)$-secure if for any adversary $A$ with running time upper-bounded by $\tau$, $\mathrm{Succ}^{\text{EUF-CMA}}(A) =$ Pr where the probability is taken over all random choices. The notation $A^{S(sk,\cdot)}$ means that the adversary has access to a signing oracle throughout the game, but at most $q$ times. The message $m^*$ output by $A$ was never requested to the signing oracle.

Security Notions for Signature (contd.)

Mathematical Assumptions
Public-key design makes it possible to construct systems by assembling and connecting smaller cryptographic or atomic primitives together, for example one-way functions, hash functions, arithmetic operations etc. Cryptographic primitives are connected to plenty of (supposedly) intractable problems:
► Strong RSA (SRSA) is hard,
► Discrete log is hard,
► Diffie-Hellman is hard,
► Factoring is hard.
Hard = no PPT (probabilistic polynomial time) algorithm can solve the problem with non-negligible probability.

The Strong RSA Problem
Strong RSA Problem: let $n = p \cdot q$ be a safe RSA modulus and $z \in \mathbb{Z}_n^*$. Find $x$ and $e$ such that $z = x^e \bmod n$ with $(x, e) \neq (z, 1)$.
An algorithm $R$ is said to $(\tau_R, \varepsilon_R)$-solve the SRSA problem if in at most $\tau_R$ operations, Pr where the probability is taken over $R$'s random tapes and the distribution of $(n, z)$.
Strong RSA Assumption: for any $(\tau_R, \varepsilon_R)$-solver, $\tau_R \le \mathrm{poly}(k) \Rightarrow \varepsilon_R = \mathrm{negl}(k)$.

The GHR Signature Scheme
Gennaro-Halevi-Rabin (GHR), short message variant.
[1]. Generate a safe RSA modulus $n = p \cdot q$ with $p = 2p' + 1$, $q = 2q' + 1$. Randomly select $z \in \mathbb{Z}_n^*$. Let $H: \{0, 1\}^l \to \text{Primes} \ge 3$ and $\neq p', q'$ be a collision-free hash function ($l = 30$). Publish $(n, z)$. Keep $(p, q)$ private.
[2]. To sign a message $m \in \{0, 1\}^l$, compute $s = z^{1/H(m)} \bmod n$.
[3]. Given $(m, s)$, check whether $s^{H(m)} = z \bmod n$.

Reduction
In order to prove that SRSA ≤ EUF-CMA(GHR), one needs to show that breaking EUF-CMA(GHR) allows solving SRSA, i.e., that an adversary breaking GHR can be used as a black box tool to answer SRSA requests with non-negligible probability.
Probability Spaces: The reduction has to simulate the attacker's environment in a way that preserves (or does not alter too much) the distribution of all random variables which interact with it.

Reduction (Contd.)
The reduction $R$ will behave as follows.
► $R$ is given $n \leftarrow \mathrm{RSA}(1^k)$ and $z \leftarrow \mathbb{Z}_n^*$, as well as an attacker $A$ that $(q, \tau_A, \varepsilon_A)$-solves EUF-CMA(GHR),
► $R$ simulates G and transmits pk to $A$,
► $R$ receives signature queries from $A$: $R$ will have to simulate a signing oracle with respect to pk at most $q$ times,
► $A$ outputs a forgery $(\hat{m}, \hat{s})$ for GHR with probability $\varepsilon_A$,
► $R$ outputs non-trivial $(x, e)$ such that $z = x^e \bmod n$.
► $R$ will provide a perfect simulation and $(\tau_R, \varepsilon_R)$-solve SRSA with

Simulation of Oracles

Simulation of G
► For each message $m_i \in \{0, 1\}^l$, compute $H(m_i)$. Set E =
► Compute $y = z^E \bmod n$ and send the GHR public key $(n, y)$ to $A$.
Since $n \leftarrow \mathrm{RSA}(1^k)$ (external to $R$) and $z \leftarrow \mathbb{Z}_n^*$ (external to $R$) are random choices, and $z \mapsto z^E$ is one-to-one (as $E$ and $\varphi(n)$ are co-prime, $f(z) = z^E \bmod n$ is a bijection), $(n, y)$ is perfectly indistinguishable from a random GHR public key $(n \leftarrow \mathrm{RSA}(1^k), y \leftarrow \mathbb{Z}_n^*)$. Therefore, the simulation of G is perfect.

Simulation of S and V
Simulation of S
When $A$ requests the signature of a message $m_i$, send $s_i = z^{E/H(m_i)} \bmod n$. Knowing $z$ and $E$, it is easy to extract an $H(m_i)$-th root of $y$ for any $m_i$. $A$'s queries can be answered with perfectly valid signatures. Therefore, the simulation of S is perfect.
Simulation of V
The signature $s_i$ is verified using $s_i^{H(m_i)} = z^E \bmod n$. The simulation of V is trivial.

Forgery on Simulation of Oracles
The simulation of the attacker's environment is perfect: $\Pr[A \text{ forges}] \ge \varepsilon_A$.
Now, the forgery output by $A$ with probability $\varepsilon_A$ will be $(\hat{m}, \hat{s})$ where $\hat{m}$ is from the given message space and $\hat{s} = z^{E/H(\hat{m})} \bmod n$. But, as mentioned earlier, with known $z$ and $E$, $R$ could have computed the forgery itself. Besides, the forgery must help $R$ to get a good solution $(x, e)$. As the forgery is not new and provides no clue to the solution $(x, e)$, it is not possible for $R$ to come up with a positive response.

Alternative Simulation
Simulation of G
► Choose $i \in \{1, 2, \ldots, 2^l\}$ uniformly at random.
► For each message $m_j \in \{0, 1\}^l$, compute $H(m_j)$. Set E =
► Compute $y = z^E \bmod n$ and send the GHR public key $(n, y)$ to $A$.
The simulation of G is also perfect.

Alternative Simulation (contd.)
Simulation of S
When $A$ requests the signature of a message $m_j$,
► If $j \neq i$, send $s_j = z^{E/H(m_j)} \bmod n$.
► If $j = i$, abort the simulation experiment.
$A$'s queries can be answered with perfectly valid signatures except when the query message is $m_i$. Since $i$ is chosen in $[1, 2^l]$ independently from the attacker's view, the probability of perfect simulation is $\Pr[m_i \notin \mathrm{Queries}(A)]$

Forgery on Alternative Simulation
Assume that at the end of the game, $A$ outputs $(m_i, s)$ as a forgery. Then $s^{H(m_i)} = y = z^E \bmod n$.
As $H(m_i)$ and $E$ are co-prime, the Bézout theorem says there must be $a$ and $b$ such that $a \cdot H(m_i) + b \cdot E = 1$. Using the Extended Euclidean Algorithm, the values of $a$ and $b$ can easily be computed. Now,
Finally, $R$ sets $x = z^a \cdot s^b$ and $e = H(m_i)$ and outputs a genuine solution $(x, e)$.
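The GHR scheme from the earlier slide and the alternative simulation with its Bézout extraction step, as an added Python example that is not part of the original slides. The primes, the 4-bit message space, the table-based H and the names Reduction, sign_oracle, extract and demo are constructed for illustration, and the forger A is stood in for by a call that uses φ(n).

```python
from math import prod

# Constructed toy parameters, far too small for real use: safe primes p = 2p'+1, q = 2q'+1.
P, Q = 983, 1019                      # p' = 491, q' = 509
N, PHI = P * Q, (P - 1) * (Q - 1)     # PHI is the signer's secret
L = 4                                 # message length in bits (the slides use l = 30)
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59]

def H(m):
    """Toy injective stand-in for H: {0,1}^L -> odd primes different from p', q'."""
    return PRIMES[m]

def sign(z, m):
    """GHR signing: s = z^(1/H(m)) mod n, inverting H(m) modulo the secret phi(n)."""
    return pow(z, pow(H(m), -1, PHI), N)

def verify(z, m, s):
    return pow(s, H(m), N) == z % N   # GHR verification: s^H(m) = z mod n

def bezout(u, v):
    """Extended Euclid: (a, b) with a*u + b*v = gcd(u, v)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while v:
        k = u // v
        u, v, a0, a1, b0, b1 = v, u - k * v, a1, a0 - k * a1, b1, b0 - k * b1
    return a0, b0

class Reduction:
    """R of the alternative simulation: holds (n, z) and a guess i, never phi(n)."""
    def __init__(self, n, z, i):
        self.n, self.z, self.i = n, z, i
        self.E = prod(H(j) for j in range(2 ** L) if j != i)   # all H(m_j), j != i
        self.y = pow(z, self.E, n)                             # simulated key (n, y)

    def sign_oracle(self, j):
        if j == self.i:
            raise RuntimeError("abort: A queried the guessed message m_i")
        return pow(self.z, self.E // H(j), self.n)             # s_j = z^(E/H(m_j))

    def extract(self, m, s):
        """Map a forgery (m, s) to an SRSA solution (x, e); None if it is unusable."""
        if m != self.i or pow(s, H(m), self.n) != self.y:
            return None
        e = H(m)
        a, b = bezout(e, self.E)                               # a*e + b*E = 1
        x = pow(self.z, a, self.n) * pow(s, b, self.n) % self.n
        return x, e                                            # x^e = z^(a*e + b*E) = z

def demo(z=123456, i=5):
    r = Reduction(N, z, i)
    sims_ok = all(verify(r.y, j, r.sign_oracle(j)) for j in range(2 ** L) if j != i)
    forged = sign(r.y, i)     # stand-in for A: forges on m_i (here by using phi(n))
    x, e = r.extract(i, forged)
    return sims_ok, pow(x, e, N) == z % N, e
```

A valid signature on any message other than the guessed m_i makes `extract` return None, since R could have produced it itself.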

Analysis
► In the first simulation (when the simulation is perfect), $A$ can never produce a valid forgery that $R$ can eventually use to obtain the solution $(x, e)$.
► In the second simulation, the probability of a successful forgery still depends on a number of conditions (i.e., on luck). These include:
■ $A$ never queries the message $m_i$ which is chosen at random during the simulation of G. If $A$ does query $m_i$, the system will abort and $A$ is not expected to provide a forgery.
■ The message in $A$'s forgery $(\hat{m}, \hat{s})$ must be $m_i$, i.e., $\hat{m} = m_i$.

Conclusion
Hence, it is proved that SRSA ≤ EUF-CMA(GHR). So, we have
► defined security notions for signature schemes,
► made a precise mathematical assumption (SRSA is hard),
► described the algorithms of the GHR signature scheme and
► finally performed a reduction from the underlying problem of the mathematical assumption (SRSA problem) to existential forgery of the GHR signature scheme under chosen message attacks.
Therefore, it is evident that the GHR signature scheme is secure under the strong RSA assumption.

Thank You!!