1. Digital Signature Schemes and the Random Oracle Model
A. Hülsing

2. Review provable security of “in use” signature schemes. (PKCS #1 v2.x)
Today‘s goal
Review provable security of “in use” signature schemes. (PKCS #1 v2.x)

3. Digital Signature
Source:

4. Existential unforgeability under adaptive chosen message attacks
PK, 1n SK
𝑞 𝑠 Mi
SIGN
(σi, Mi)
(σ*, M*)
Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept

5. Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN
(σi, Mi)
Solution
Extract Solution
(σ*, M*)

6. Why security reductions?
Current RSA signature standard so far unbroken
Vulnerabilities might exist! (And existed for previous proposals)
Might be possible to forge RSA signatures without solving RSA problem or factoring!

7. What could possibly go wrong?

8. RSA
Let (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) be a PPT algorithm that outputs a modulus 𝑵 that is the product of two 𝑘-bit primes (except possibly with negligible probability), along with an integer 𝒆>𝟎 with 𝐠𝐜𝐝⁡(𝒆, 𝝓(𝑵))=𝟏 and an integer 𝒅>𝟎 satisfying 𝒆𝒅 = 𝟏 𝐦𝐨𝐝 𝝓 𝑵 .
For any (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) and any 𝒚∈ ℤ 𝑵 ∗ we have
( 𝒚 𝒅 ) 𝒆 = 𝒚 𝒅𝒆 = 𝒚 𝒅𝒆 𝐦𝐨𝐝 𝝓 𝑵 = 𝒚 𝟏 =𝒚 𝐦𝐨𝐝 𝑵

9. RSA Assumption
Definition 1. We say that the RSA problem is hard relative to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is negligible: 𝑷𝒓⁡[(𝑵, 𝒆, 𝒅)←𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ); 𝒚← ℤ 𝑵 ∗ ; 𝒙←𝑨(𝑵, 𝒆, 𝒚): 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵].

10. A simple RSA Signature
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔=( 𝑴 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑴

11. The Blinding Attack Given public key 𝒑𝒌= 𝑵, 𝒆
To create a forgery on any target message 𝑴:
Sample random 𝒓∈ ℤ 𝑵 ∗
Ask for signature 𝝈 on 𝒓 𝒆 𝑴 𝐦𝐨𝐝 𝑵
Output forgery (𝑴, 𝝈 𝒓 𝐦𝐨𝐝 𝑵)
Recall 𝝈= ( 𝒓 𝒆 𝑴) 𝒅 = 𝒓 𝒆𝒅 𝑴 𝒅 =𝒓 𝑴 𝒅 𝐦𝐨𝐝 𝑵
Hence 𝝈 𝒓 = 𝑴 𝒅 𝐦𝐨𝐝 𝑵

12. A slightly better RSA Signature
Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → {𝟎,𝟏} 𝒏 for e.g. 𝒏=𝟏𝟔𝟎 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that (𝟎…𝟎||𝑯 𝑴 )∈ ℤ 𝑵 ∗ Return 𝛔=( (𝟎…𝟎||𝑯 𝑴 ) 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==(𝟎…𝟎||𝑯 𝑴 )

13. Remember Index Calculus?
Given public key 𝒑𝒌= 𝑵, 𝒆
Select a bound 𝒚 and let 𝑺=( 𝒑 𝟏 , , 𝒑 𝒍 ) be the list of primes smaller than 𝒚.
Find at least 𝒍+𝟏 messages 𝑴 𝒊 such that each (𝟎…𝟎||𝑯 𝑴 𝒊 ) is a product of primes in 𝑺.
Express one (𝟎…𝟎||𝑯 𝑴 𝒋 ) as a multiplicative combination of the other (𝟎…𝟎||𝑯 𝑴 𝒊 ) by solving a linear system given by the exponent vectors of the (𝟎…𝟎||𝑯 𝑴 𝒊 ) with respect to the primes in 𝑺.
Ask for the signatures on all 𝑴 𝒊 , 𝒊≠𝒋 and forge signature on 𝑴 𝒋 .

14. Step 3 Write 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 )
We can write ∀𝑴 𝒊 ,𝟏≤𝒊≤𝝉: 𝛍 𝑴 𝒊 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝒗 𝒊,𝒋
Associate with 𝛍 𝑴 𝒊 length 𝒍 vector 𝑽 𝒊 𝒗 𝒊,𝟏 𝐦𝐨𝐝 𝒆,…, 𝒗 𝒊,𝒍 𝐦𝐨𝐝 𝒆
𝝉≥𝒍+𝟏 and there are only 𝒍 linearly independent length 𝒍 vectors: We can express one vector as combination of others mod e. Let this be 𝑽 𝝉 = 𝒊=𝟏 𝝉−𝟏 𝜷 𝒊 𝑽 𝒊 +𝒆𝚪 ; 𝐟𝐨𝐫 𝐬𝐨𝐦𝐞 𝚪=( 𝜸 𝟏 ,…, 𝜸 𝒍 )
Hence 𝛍 𝑴 𝝉 = ( 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 ) 𝒆 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝜷 𝒊

15. Step 4 Ask for signatures 𝝈 𝒊 = 𝛍 𝑴 𝒊 𝒅 𝐦𝐨𝐝 𝑵 on 𝑴 𝒊 for 𝟏≤𝒊<𝝉
Compute: 𝝈 ∗ = 𝛍 𝑴 𝝉 𝒅 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝒅 𝜷 𝒊 𝐦𝐨𝐝 𝑵
Output forgery (𝝈 ∗ , 𝑴 𝝉 )

16. Summing up
Original attack (Misarsky, PKC’98) works even for more complicated paddings (ISO/IEC )
Attack only works for small n!
But using SHA-1 (n=160) the attack takes much less than 𝟐 𝟓𝟎 operations!
There are many ways to make mistakes...
(Similar attacks apply to encryption!)
That‘s why we want security reductions

17. The Random Oracle Model

18. Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN
(σi, Mi)
Solution
Extract Solution
(σ*, M*)

19. Random Oracle Model (ROM)
Idealized Model
Perfectly Random Function Mj
H(Mj) Mj
H(Mj) RO

20. How to implement RO? ”Lazy Sampling”: Keep list of (xi, yi)
Given Mj, search for xi = Mj
If xi = Mj exists, return yi
Else sample new y from Domain, using uniform distribution
Add (Mj, y) to table
Return y RO

21. ROM security Take scheme that uses cryptographic hash
For proof, replace hash by RO
Different flavors: Random function vs. Programmable RO
Heuristic security argument
Allows to verify construction
Worked for ”Natural schemes” so far
However: Artificial counter examples exist!

22. Full Domain Hash Signature Scheme

23. Trapdoor (One-way) Permutation
𝐹 𝑝𝑘,𝑥 =𝜋(𝑥)
𝐹 𝑠𝑘,𝑦 =𝜋 −1 (𝑦)
Computing 𝜋 −1 (𝑦)
without knowledge of sk computationally hard

24. RSA Trapdoor (One-way) Permutation
𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 ;
𝒑𝒌= 𝑵, 𝒆 ;
𝒔𝒌=𝒅
𝐹 𝑝𝑘,𝑥 = 𝑥 𝑒 𝑚𝑜𝑑 𝑁
𝐹 𝑠𝑘,𝑦 = 𝑦 𝑑 𝑚𝑜𝑑 𝑁
Computing 𝜋 −1 (𝑦)
without knowledge of sk computationally hard if
RSA Assumption holds

25. Generic FDH: Sign M 𝑦=𝐻(𝑀) 𝜎=𝐹 𝑠𝑘,𝑦 = 𝜋 −1 (𝑦) 𝜎=𝑆𝑖𝑔𝑛 𝑠𝑘,𝑀
= 𝜋 −1 (𝐻 𝑀 )
=𝐹(𝑠𝑘,𝐻 𝑀 )

26. Generic FDH: Verify M 𝑦=𝐻(𝑀) 𝑦 ′ =𝐹 𝑝𝑘,𝜎 =𝜋(𝜎) 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘,𝑀,𝜎 :
𝑐ℎ𝑒𝑐𝑘 𝑦=𝐻 𝑀 == 𝜋 𝜎 =𝐹 𝑝𝑘,𝜎 = 𝑦 ′

27. RSA-PFDH Randomized FDH Simplified RSA-PSS
Standardized in PKCS #1 v2
(slightly different randomization)
Tight Reduction from RSA Assumption in ROM

28. RSA-PFDH
Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → ℤ 𝑵 ∗ 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓 $ 𝑼 𝜿 ; Compute 𝐲=𝑯(𝒓||𝑴) Return 𝛔=(𝒓, 𝒚 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑯(𝒓||𝑴)

29. RSA-PFDH Security
If the RSA Assumption holds, RSA-PFDH is existentially unforgeable under adaptive chosen message attacks.

30. Proof
Idea: Show that any forger A against RSA-PFDH can be used to break the RSA Assumption with ~ the same time and success probability. ”Given a forger A against RSA-PFDH with success probability 𝜺, we construct an oracle Machine MA that succeeds with probability 𝜺/𝟒.”

31. Reduction 𝑵, 𝒆, 𝒚 Transform Problem pk, 1n Mi Mj SIGN Implement SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

32. Reduction: Transform Problem
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑵, 𝒆, 𝒚 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

33. Reduction: Implement SIGN
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑵, 𝒆, 𝒚 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

34. Implement SIGN – Implement RO
Keep table of tripples ( . , . , . )
When A asks for 𝑯(𝒓||𝑴):
If there is an entry (𝒓||𝑴, 𝒙, 𝒛) in table, return 𝒛
If list 𝑳 𝑴 already exists, go to 3. Otherwise, choose 𝒒 𝒔 values 𝒓 𝑴,𝟏 ,…, 𝒓 𝑴, 𝒒 𝒔 ← {𝟎,𝟏} 𝜿 and store them in a list 𝑳 𝑴 .
If 𝒓∈ 𝑳 𝑴 then let 𝒊 be such that 𝒓= 𝒓 𝑴,𝒊 . Choose random 𝒙 𝑴,𝒊 ∈ ℤ 𝑵 ∗ and return the answer 𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) in the table.
If 𝒓∉ 𝑳 𝑴 , choose random 𝒙∈ ℤ 𝑵 ∗ and return the answer 𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴,𝒙,𝒛) in the table.

35. Implement SIGN
When A requests some message 𝑴 to be signed for the 𝒊 th time:
let 𝒓 𝑴,𝒊 be the 𝒊 th value in 𝑳 𝑴 and
compute 𝐳=𝐇( 𝒓 𝑴,𝒊 ||𝑴) using RO.
Let (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) be the corresponding entry in the RO table.
Output signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ).

36. Observation All SIGN queries can be answered!
SIGN queries are answered using hash 𝐇( 𝒓 𝑴,𝒊 | 𝑴 =𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵
Signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ) known by programming RO
All other hash queries are answered with 𝐇(𝒓| 𝑴 =𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵
Signature not known!
BUT: Allows to extract solution from forgery!

37. Reduction: Extract Solution
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑞 𝐻
𝑵, 𝒆, 𝒚
𝑞 𝑠 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

38. Reduction: Extract Solution
If A outputs a forgery ( 𝑴 ∗ , ( 𝒓 ∗ , 𝝈 ∗ )):
If 𝒓 ∗ ∈ 𝑳 𝑴 ∗ abort.
Else, let ( 𝒓 ∗ ||𝑴 ∗ , 𝒙,𝒛) be the corresponding entry of the table.
Output 𝝈 ∗ 𝒙 𝐦𝐨𝐝 𝑵.
Note: 𝝈 ∗ 𝒙 𝒆 = 𝝈 ∗ 𝒆 𝒙 𝒆 = 𝑯 𝒓 ∗ ||𝑴 ∗ 𝒙 𝒆 = 𝒚 𝒙 𝒆 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
⟹ 𝝈 ∗ 𝒙 = 𝒆 𝒚 𝐦𝐨𝐝 𝑵

39. Analysis Transform Problem: Implement SIGN / RO: Extract Solution:
Succeeds always
Generates exactly matching distribution
Implement SIGN / RO:
Succeeds always (we choose 𝒓)
Generates exactly matching distribution:
RO: Outputs are uniform in ℤ 𝑵 ∗
SIGN: Follows from RO
Extract Solution:
Succeeds iff A succeeds AND
𝒓 ∗ ∉ 𝑳 𝑴 ∗ ⇒𝐩=𝐏𝐫 𝒓 ∗ ∉ 𝑳 𝑴 ∗ = (𝟏− 𝟐 −𝜿 ) 𝒒 𝒔 Setting 𝜿= 𝐥𝐨𝐠 𝟐 𝒒 𝒔 : 𝒑≥ 𝟏 𝟒 assuming 𝒒 𝒔 ≥𝟐

40. What have we shown?
We can turn any forger A against RSA-PFDH with success probability 𝜺 into an algorithm MA that solves the RSA problem with probability 𝜺/𝟒.
In reverse: If there exists no algorithm to solve the RSA problem with probability ≥𝜺 then there exists no forger against RSA-PFDH that succeeds with probability ≥𝟒𝜺.
As proof is in ROM we have to add ”... As long as the used hash function behaves like a RO.”

41. Conclusion Ad Hoc constructions problematic
Blinding / Index Calculus
Proofs (even in ROM) allow to check construction
There is one standardized RSA Sig with proof
Similar situation for DSA (ROM proof)

42. Thank you! Questions?