1. Digital Signature Schemes and the Random Oracle Model
A. Hülsing

2. Review provable security of “in use” signature schemes. (PKCS #1 v2.x)
Today‘s goal
Review provable security of “in use” signature schemes. (PKCS #1 v2.x)

3. Digital Signature
Source:

4. Definition: Digital Signature (formally)
Let 𝓜 be the message space. A digital signature scheme DSig = (KeyGen, Sign, Verify) is a triple of PPT algorithms
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : upon input of a security parameter 𝟏 𝒌 outputs a private signing key 𝒔𝒌 and a public verification key 𝒑𝒌,
𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : outputs a signature 𝛔 under 𝒔𝒌 for message 𝑴, if 𝑴∈𝓜,
𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : outputs 1 iff 𝛔 is a valid signature on 𝑴 under 𝒑𝒌,
such that the following correctness condition is fulfilled: ∀ 𝒑𝒌,𝒔𝒌 ←𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 ,∀ 𝑴∈𝓜 : 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 =𝟏.

5. Attack goals Consider adversary 𝑨
Full break (FB): 𝐴 can compute the secret key.
Universal forgery (UU): 𝐴 can forge a signature for any given message. 𝐴 can efficiently answer any signing query.
Selective forgery (SU): 𝐴 can forge a signature for some message of its choice. In this case 𝐴 commits itself to a message before the attack starts.
Existential forgery (EU): 𝐴 can forge a signature for one, arbitrary message. 𝐴 might output a forgery for any message for which it did not learn the signature from an oracle during the attack.

6. Attack Models
Key-only attack (KOA): 𝐴 only gets the public key for which it has to forge a signature.
Random message attack (RMA): 𝐴 learns the public key and the signatures on a set of random messages.
Adaptively chosen message attack (CMA): 𝐴 learns the public key and is allowed to adaptively ask for the signatures on messages of its choice.

7. Existential unforgeability under adaptive chosen message attacks
PK, 1n SK
𝑞 𝑠 Mi
SIGN
(σi, Mi)
(σ*, M*)
Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept

8. Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN
(σi, Mi)
Solution
Extract Solution
(σ*, M*)

9. Why security reductions?
Current RSA signature standards so far unbroken
Vulnerabilities might exist! (And existed for previous proposals)
Might be possible to forge RSA signatures without solving RSA problem or factoring!

10. What could possibly go wrong?

11. RSA
Let (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) be a PPT algorithm that outputs a modulus 𝑵 that is the product of two 𝒌-bit primes (except possibly with negligible probability), along with an integer 𝒆>𝟎 with 𝐠𝐜𝐝⁡(𝒆, 𝝓(𝑵))=𝟏 and an integer 𝒅>𝟎 satisfying 𝒆𝒅 = 𝟏 𝐦𝐨𝐝 𝝓 𝑵 .
For any (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) and any 𝒚∈ ℤ 𝑵 ∗ we have
( 𝒚 𝒅 ) 𝒆 = 𝒚 𝒅𝒆 = 𝒚 𝒅𝒆 𝐦𝐨𝐝 𝝓 𝑵 = 𝒚 𝟏 =𝒚 𝐦𝐨𝐝 𝑵

12. RSA Assumption
Definition 1. We say that the RSA problem is hard relative to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is negligible: 𝑷𝒓⁡[(𝑵, 𝒆, 𝒅)←𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ); 𝒚← ℤ 𝑵 ∗ ; 𝒙←𝑨(𝑵, 𝒆, 𝒚): 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵].

13. A simple RSA Signature (a.k.a. textbook RSA)
𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔=( 𝑴 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑴

14. Some RSA properties Public function: 𝑷 𝒙 = 𝒙 𝒆 mod 𝑵
Secret function: 𝑺 𝒙 = 𝒙 𝒅 mod 𝑵
Reciprocal property (RP): 𝑷∘𝑺=𝑺∘𝑷=𝑰𝒅
Multiplicative property (MP): ∀𝒙,𝒚∈ ℤ 𝑵 : 𝑺 𝒙𝒚 =𝑺 𝒙 𝑺(𝒚)

15. Existential forgery under KOA
Given public key 𝒑𝒌= 𝑵, 𝒆
Choose random 𝝈∈ ℤ 𝑵 .
Apply public function: 𝑷 𝝈 = 𝝈 𝒆 𝐦𝐨𝐝 𝑵=𝑴
Return signature-message pair 𝝈, 𝑴 .

16. Universal forgery under CMA
Given public key 𝒑𝒌= 𝑵, 𝒆
To create a forgery on a given message 𝑴:
Choose two messages 𝐱,𝐲∈ ℤ 𝑵 such that 𝒙𝒚=𝑴 𝐦𝐨𝐝 𝑵
Ask for signatures 𝝈 𝒙 of 𝒙 and 𝝈 𝒚 of 𝒚
Output forgery ( 𝝈 𝒙 𝝈 𝒚 ,𝑴)

17. Universal forgery under CMA: The Blinding Attack
Given public key 𝒑𝒌= 𝑵, 𝒆
To create a forgery on any given message 𝑴:
Sample random 𝒓∈ ℤ 𝑵 ∗
Ask for signature 𝝈 on 𝒓 𝒆 𝑴 𝐦𝐨𝐝 𝑵
Output forgery 𝝈 𝒓 𝐦𝐨𝐝 𝑵,𝑴
Recall 𝝈= ( 𝒓 𝒆 𝑴) 𝒅 = 𝒓 𝒆𝒅 𝑴 𝒅 =𝒓 𝑴 𝒅 𝐦𝐨𝐝 𝑵
Hence 𝝈 𝒓 = 𝑴 𝒅 𝐦𝐨𝐝 𝑵

18. A slightly better RSA Signature
Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → {𝟎,𝟏} 𝒏 for e.g. 𝒏=𝟏𝟔𝟎 (like with SHA1) 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that 𝛍 𝑴 =(𝟎…𝟎||𝑯 𝑴 )∈ ℤ 𝑵 ∗ Return 𝛔= 𝛍 𝑴 𝑑 𝐦𝐨𝐝 𝑵 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝛍 𝑴 =(𝟎…𝟎||𝑯 𝑴 )

19. B-smooth
B-smooth: An integer is B-smooth if all its prime factors are smaller than B.

20. Remember Index Calculus?
Given public key 𝒑𝒌= 𝑵, 𝒆
Select a bound 𝒚 and let 𝑺=( 𝒑 𝟏 , , 𝒑 𝒍 ) be the list of primes smaller than 𝒚.
Find at least 𝒍+𝟏 messages 𝑴 𝒊 such that each 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 ) is a product of primes in 𝑺 (i.e. 𝒚–smooth).
Express one 𝛍 𝑴 𝒋 as a multiplicative combination of the other 𝛍 𝑴 𝒊 by solving a linear system given by the exponent vectors of the 𝛍 𝑴 𝒊 with respect to the primes in 𝑺.
Ask for the signatures on all 𝑴 𝒊 , 𝒊≠𝒋 and forge signature on 𝑴 𝒋 .

21. Step 3 Recall 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 )
We can write ∀𝑴 𝒊 ,𝟏≤𝒊≤𝝉: 𝛍 𝑴 𝒊 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝒗 𝒊,𝒋
Associate with 𝛍 𝑴 𝒊 length 𝒍 vector 𝑽 𝒊 𝒗 𝒊,𝟏 𝐦𝐨𝐝 𝒆,…, 𝒗 𝒊,𝒍 𝐦𝐨𝐝 𝒆
𝝉≥𝒍+1 and there are only 𝒍 linearly independent length 𝒍 vectors: We can express one vector as combination of others mod e. Let this be 𝑽 𝝉 = 𝒊=𝟏 𝝉−𝟏 𝜷 𝒊 𝑽 𝒊 +𝒆𝚪 ; for some 𝚪=( 𝜸 𝟏 ,…, 𝜸 𝒍 )
Hence, 𝛍 𝑴 𝝉 = ( 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 ) 𝒆 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝜷 𝒊

22. Step 4 Ask for signatures 𝝈 𝒊 = 𝛍 𝑴 𝒊 𝒅 𝐦𝐨𝐝 𝑵 on 𝑴 𝒊 for 𝟏≤𝒊<𝝉
Compute: 𝝈 ∗ = 𝛍 𝑴 𝝉 𝒅 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝒅 𝜷 𝒊 𝐦𝐨𝐝 𝑵
Output forgery (𝝈 ∗ , 𝑴 𝝉 )

23. Summing up
Original attack (Misarsky, PKC’98) works even for more complicated paddings (ISO/IEC )
Attack only works for small 𝒏! (Complexity depends on 𝒍 and probability that an 𝒏-bit number is 𝒚-smooth).
But using SHA-1 (𝒏=𝟏𝟔𝟎) the attack takes much less than 𝟐 𝟓𝟎 operations!
There are many ways to make mistakes...
(Similar attacks apply to encryption!)
That‘s why we want security reductions

24. The Random Oracle Model

25. Standard model vs. idealized model
Standard model: Assume building block has property P (e.g., collision resistance). Use property in reduction. Idealized model: Assume a building block behaves perfectly (e.g. hash function behaves like truely random function). Replace building block by an oracle in reduction.

26. Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN
(σi, Mi)
Solution
Extract Solution
(σ*, M*)

27. Random Oracle Model (ROM)
Idealized Model
Perfectly Random Function Mj
H(Mj) Mj
H(Mj) RO

28. How to implement RO? (In theory)
”Lazy Sampling”:
Keep list of (𝒙𝒊, 𝒚𝒊)
Given 𝑴𝒋, search for 𝒙𝒊=𝑴𝒋
If 𝒙𝒊=𝑴𝒋 exists, return 𝒚𝒊
Else sample new 𝒚 from Domain, using uniform distribution
Add (𝑴𝒋, 𝒚) to table
Return 𝒚 RO

29. ROM security Take scheme that uses cryptographic hash
For proof, replace hash by RO
Different flavors: Random function vs. Programmable RO
Heuristic security argument
Allows to verify construction
Worked for ”Natural schemes” so far
However: Artificial counter examples exist!

30. Full Domain Hash Signature Scheme

31. Trapdoor (One-way) Permutation
𝑭 𝒑𝒌,𝒙 =𝝅(𝒙)
𝑭 𝒔𝒌,𝒚 =𝝅 −𝟏 (𝒚)
Computing 𝝅 −𝟏 (𝒚)
without knowledge of sk computationally hard

32. RSA Trapdoor (One-way) Permutation
𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 ;
𝒑𝒌= 𝑵, 𝒆 ;
𝒔𝒌=𝒅
𝑭 𝒑𝒌,𝒙 = 𝒙 𝒆 𝒎𝒐𝒅 𝑵
𝑭 𝒔𝒌,𝒚 = 𝒚 𝒅 𝒎𝒐𝒅 𝑵
Computing 𝝅 −𝟏 (𝒚)
without knowledge of sk computationally hard if
RSA Assumption holds

33. Generic FDH: Sign M 𝒚=𝑯(𝑴) 𝝈=𝑭 𝒔𝒌,𝒚 = 𝝅 −𝟏 (𝒚) 𝝈=𝑺𝒊𝒈𝒏 𝒔𝒌,𝑴
= 𝝅 −𝟏 (𝑯 𝑴 )
=𝑭(𝒔𝒌,𝑯 𝑴 )

34. Generic FDH: Verify M 𝒚=𝑯(𝑴) 𝒚 ′ =𝑭 𝒑𝒌,𝝈 =𝝅(𝝈) 𝑽𝒆𝒓𝒊𝒇𝒚 𝒑𝒌,𝑴,𝝈 :
check 𝒚=𝑯 𝑴 == 𝝅 𝝈 =𝑭 𝒑𝒌,𝝈 = 𝒚 ′

35. RSA-PFDH Randomized FDH Simplified RSA-PSS
Standardized in PKCS #1 v2
(slightly different randomization)
Tight Reduction from RSA Assumption in ROM

36. RSA-PFDH
Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → ℤ 𝑵 ∗ 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓 $ 𝑼 𝜿 ; Compute 𝐲=𝑯(𝒓||𝑴) Return 𝛔=(𝒓, 𝒚 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑯(𝒓||𝑴)

37. RSA-PFDH Security
If the RSA Assumption holds, RSA-PFDH is existentially unforgeable under adaptive chosen message attacks in the ROM.

38. Proof
TODO: Show that any forger A against RSA-PFDH can be used to break the RSA Assumption with approx. the same time and success probability. ”Given a forger A against RSA-PFDH with success probability 𝜺, we construct an oracle Machine MA that succeeds with probability 𝜺/𝟒.”

39. Reduction 𝑵, 𝒆, 𝒚 Transform Problem pk, 1n Mi Mj SIGN Implement SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

40. Reduction: Transform Problem
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑵, 𝒆, 𝒚 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

41. The RO trick Simulate RO such that you can answer SIGN-queries.

42. Reduction: Implement SIGN
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑵, 𝒆, 𝒚 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

43. Implement SIGN – Simulate RO
Keep table of tripples (∗, ∗, ∗)
When A asks for 𝑯(𝒓||𝑴):
If there is an entry ((𝒓||𝑴), 𝒙, 𝒛) in table, return 𝒛
If list 𝑳 𝑴 already exists, go to 3. Otherwise, choose 𝒒 𝒔 values 𝒓 𝑴,𝟏 ,…, 𝒓 𝑴, 𝒒 𝒔 ← {𝟎,𝟏} 𝜿 and store them in a list 𝑳 𝑴 .
If 𝒓∈ 𝑳 𝑴 then let 𝒊 be such that 𝒓= 𝒓 𝑴,𝒊 . Choose random 𝒙 𝑴,𝒊 ∈ ℤ 𝑵 ∗ and return the answer 𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) in the table. (RP)
If 𝒓∉ 𝑳 𝑴 , choose random 𝒙∈ ℤ 𝑵 ∗ and return the answer 𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴,𝒙,𝒛) in the table.

44. Implement SIGN
When A requests some message 𝑴 to be signed for the 𝒊 th time:
let 𝒓 𝑴,𝒊 be the 𝒊 th value in 𝑳 𝑴 and
compute 𝐳=𝐇( 𝒓 𝑴,𝒊 ||𝑴) using RO.
Let (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) be the corresponding entry in the RO table.
Output signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ).

45. Observation All SIGN queries can be answered!
SIGN queries are answered using hash 𝐇( 𝒓 𝑴,𝒊 | 𝑴 =𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵
Signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ) known by programming RO
All other hash queries are answered with 𝐇(𝒓| 𝑴 =𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵 (with high probability).
Signature not known!
BUT: Allows to extract solution from forgery!
Note: Any A with non-negl. success probability has to query RO for digest of forgery message!

46. Reduction: Extract Solution
𝑵, 𝒆, 𝒚
𝒑𝒌=(𝑵, 𝒆)
Transform Problem
pk, 1n
𝑞 𝐻
𝑵, 𝒆, 𝒚
𝑞 𝑠 Mi Mj
SIGN
Implement
SIGN
(σi, Mi)
H(Mj) RO 𝒙:
𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
Extract Solution
(σ*, M*)

47. Reduction: Extract Solution
If A outputs a forgery ( 𝑴 ∗ , ( 𝒓 ∗ , 𝝈 ∗ )):
If 𝒓 ∗ ∈ 𝑳 𝑴 ∗ abort.
Else, let ( 𝒓 ∗ ||𝑴 ∗ , 𝒙,𝒛) be the corresponding entry of the table.
Output 𝝈 ∗ 𝒙 𝐦𝐨𝐝 𝑵.
Note: 𝝈 ∗ 𝒙 𝒆 = 𝝈 ∗ 𝒆 𝒙 𝒆 = 𝑯 𝒓 ∗ ||𝑴 ∗ 𝒙 𝒆 = 𝒚 𝒙 𝒆 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵
⟹ 𝝈 ∗ 𝒙 = 𝒆 𝒚 𝐦𝐨𝐝 𝑵

48. Analysis Transform Problem: Implement SIGN / RO: Extract Solution:
Succeeds always
Generates exactly matching distribution
Implement SIGN / RO:
Succeeds always (we choose 𝒓)
Generates exactly matching distribution:
RO: Outputs are uniform in ℤ 𝑵 ∗
SIGN: Follows from RO
Extract Solution:
Succeeds iff A succeeds AND
𝒓 ∗ ∉ 𝑳 𝑴 ∗ ⇒𝐩=𝐏𝐫 𝒓 ∗ ∉ 𝑳 𝑴 ∗ = (𝟏− 𝟐 −𝜿 ) 𝒒 𝒔 Setting 𝜿= 𝐥𝐨𝐠 𝟐 𝒒 𝒔 : 𝒑≥ 𝟏 𝟒 assuming 𝒒 𝒔 ≥𝟐

49. What have we shown?
We can turn any forger A against RSA-PFDH with success probability 𝜺 into an algorithm MA that solves the RSA problem with probability 𝜺/𝟒.
In reverse: If there exists no algorithm to solve the RSA problem with probability ≥𝜺 then there exists no forger against RSA-PFDH that succeeds with probability ≥𝟒𝜺.
As proof is in ROM we have to add ”... As long as the used hash function behaves like a RO.”

50. How to implement RO? (In practice)
Formerly:
Use hash function + PRG
E.g. SHA2 in couter mode /
SHA2-HMAC in counter mode keyed with SHA2(M)
Today:
Use XOF
E.g. SHAKE128 RO

51. Conclusion Ad Hoc constructions problematic
Blinding / Index Calculus
Proofs (even in ROM) allow to check construction
There is one standardized RSA Sig with proof
Similar situation for DSA (ROM proof)

52. Thank you! Questions?