Almost uniform density of power residues and the provable security of ESIGN (presentation transcript)


Slide 1: Almost uniform density of power residues and the provable security of ESIGN
Jacques Stern, École normale supérieure; Tatsuaki Okamoto, NTT Labs
ASIACRYPT 2003, December 3rd 2003

Slide 2: Summary
- A short introduction to "provable security"
- The ESIGN signature scheme
- Difficulties with the security proof
- Density of power residues
- Conclusions

Slide 3: Kerckhoffs' Principles [K 1883] (original French; the author's English rendering is on the next slide)
- 1° Le système doit être matériellement, sinon mathématiquement, indéchiffrable ;
- 2° Il faut qu'il n'exige pas le secret, et qu'il puisse sans inconvénient tomber entre les mains de l'ennemi ;

Slide 4: Kerckhoffs' Principles (English)
- 1° The system must be practically, if not mathematically, indecipherable;
- 2° The system must not require secrecy, and must be able to fall without drawback into the enemy's hands;

Slide 5: Public key cryptography [DH 1976, RSA 78]
- Figure: Alice sends to Bob. Bob has a pair of related keys: a public key k_e, known to anyone including Alice, and a private key k_d, known only to Bob.
- Kerckhoffs' extended second principle: « Il faut que la clé de chiffrement puisse sans inconvénient tomber entre les mains de l'ennemi » (the encryption key must be able to fall without drawback into the enemy's hands).

Slide 6: Provable security [GM84, GMR88]
- Attempts to mathematically establish security
- Kerckhoffs' extended first principle: « Le système doit être mathématiquement indéchiffrable » (the system must be mathematically indecipherable).

Slide 7: "Practical" provable security [FS86, BR93]
- The "random oracle" methodology mediates between practice and maths
- It substitutes truly random functions for hash functions and averages over these
- Very efficient, and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

Slide 8: The limits of provable security
- Provable security does not yield proofs: proofs are relative, and proofs often use random oracles, whose meaning is debatable [CGH98]
- Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

Slide 9: Provable security in five steps
1. Define the goal of the adversary
2. Define the security model
3. Provide a proof by reduction
4. Check the proof
5. Interpret the proof

Slide 10: Signature scheme (formal)
- Key generation algorithm G: outputs the signing key k_s and the verification key k_v
- Signature algorithm S: on input m and k_s, outputs a signature σ
- Verification algorithm V: on input m, σ and k_v, outputs 0/1
- Non-repudiation: impossible to forge a valid σ without k_s

Slide 11: Goal of the adversary (1)
- Existential forgery: try to forge a valid message/signature pair without the private key
- The adversary is successful if the following probability is large

Slide 12: Security models (2)
- No-message attacks: the adversary only knows the verification (public) key
- Known-message attacks (KMA): the adversary has access to a list of message/signature pairs
- Chosen-message attacks (CMA): the messages are adaptively chosen by the adversary; the strongest attack

Slide 13: Proof by reduction (3)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P. (Figure: an instance I of P is given to a reduction that runs A and outputs a solution of I.)

Slide 14: ESIGN [O90]
- A signature scheme designed in the late 90s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof
- Uses RSA integers of the form n = p²q
- Based on the approximate e-th root problem: given y, find x such that y ≈ x^e mod n
- Signature generation is a very efficient way to compute σ = x, given a y whose 1/3 leading bits are H(m) and whose remaining bits are 0

Slide 15: ESIGN (continued)
- Signature generation relies on the fact that, for random r and variable t, (r + tpq)^e mod n ranges over an arithmetic progression, so that one simply adjusts t to fall into a prescribed interval of length pq
- Thus signing only requires raising to the e-th power
- Even (slightly) more efficient for e = 2^u
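
The following toy implementation is added here to make the two slides above concrete; it is example code written for this page, not code from the talk, from Okamoto's ESIGN papers or from the IEEE P1363 draft. It follows the description literally: n = p²q, the signer picks a random r, and since (pq)² is a multiple of n, (r + t·pq)^e ≡ r^e + t·e·r^(e−1)·pq (mod n) is an arithmetic progression with step pq in which t selects the term falling into the interval whose leading bits equal H(m). The parameters are assumptions chosen for illustration only: 64-bit p and q (so n has about 192 bits, far below any real key size), e = 4 (the power-of-two case the talk discusses), and H(m) defined as SHA-256 truncated to k−1 bits so that the target interval always lies below n.

```python
# Toy ESIGN signer/verifier written as an added example for this page (not the authors' code).
# Assumed parameters: K-bit primes p, q; n = p^2 q; e = 4 = 2^2; H = SHA-256 truncated to K-1 bits.
import hashlib
import secrets

K = 64   # bit length of p and q; n = p^2 q then has about 3K bits (toy size, not a real key size)
E = 4    # public exponent, a power of two as on the slides (e = 2^u)


def is_probable_prime(m):
    """Deterministic Miller-Rabin: the twelve bases below are exact for m < 3.3e24, ample for 2^64."""
    if m < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if m % b == 0:
            return m == b
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def next_prime(start):
    m = start | 1
    while not is_probable_prime(m):
        m += 2
    return m


def keygen(k=K):
    """Primes just below 2^k (constructed offsets) so that n >= 2^(3k-1); returns (pk, sk)."""
    p = next_prime(2**k - 2**(k - 5) + 1001)
    q = next_prime(2**k - 2**(k - 6) + 2003)
    n = p * p * q
    assert n >= 2**(3 * k - 1)          # guarantees every target interval [z, z + 2^(2k)) lies below n
    return (n, E), (p, q)


def H(msg, k=K):
    """Toy hash for the example: SHA-256 truncated to k-1 bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - (k - 1))


def sign(sk, msg, k=K, rng=secrets.randbelow):
    p, q = sk
    n, pq = p * p * q, p * q
    z = H(msg, k) << (2 * k)            # the signature's e-th power must land in [z, z + 2^(2k))
    while True:
        r = rng(pq)
        if r % p == 0:
            continue                    # e * r^(e-1) must be invertible mod p
        a = pow(r, E, n)
        # (r + t*pq)^e = a + t*e*r^(e-1)*pq (mod n): a progression with step pq covering Z_n,
        # so a term falls into any interval of length >= pq. Pick the term w*pq past a.
        d = (z - a) % n
        w = -(-d // pq)                 # ceil(d / pq); then a + w*pq lands in [z, z + pq)
        t = w * pow(E * pow(r, E - 1, p), -1, p) % p
        return r + t * pq               # < pq + (p-1)*pq = n


def verify(pk, msg, sig, k=K):
    """Approximate e-th root check: the leading bits of sig^e mod n must equal H(m)."""
    n, e = pk
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) >> (2 * k) == H(msg, k)


def progression_residues_mod_pq(sk, r, count=5):
    """Slide 15's observation: ((r + t*pq)^e - r^e) mod n is a multiple of pq for every t,
    because (pq)^2 = q*n vanishes modulo n. Returns those differences reduced mod pq (all 0)."""
    p, q = sk
    n, pq = p * p * q, p * q
    a = pow(r, E, n)
    return [((pow(r + t * pq, E, n) - a) % n) % pq for t in range(count)]


if __name__ == "__main__":
    pk, sk = keygen()
    msg = b"constructed test message"
    sig = sign(sk, msg)
    print("signature verifies:", verify(pk, msg, sig))
    print("progression differences mod pq:", progression_residues_mod_pq(sk, 987654321))
```

The simulation step discussed on slide 19 is visible in `sign` as well: a simulator without p and q can still pick r, compute `pow(r, E, n) >> (2 * k)` and declare that value to be H(m), which makes σ = r verify; whether those declared values are distributed like a random function is exactly the density question the theorem on slide 20 settles.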

Slide 16: Checking proof (4)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P. (Same reduction figure as slide 13, now annotated: proof not correct in the CMA model.)

Slide 17: Overlooked: submit a message twice? [SPMS 02]
- In a probabilistic signature scheme, several signatures may correspond to one message
- In the usual definition of existential forgery under chosen-message attacks (CMA), the adversary can repeatedly submit the same message. Otherwise one obtains a weaker model:
- Single-occurrence chosen-message attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of messages.

Slide 18: Checking proof (4)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P. (Same reduction figure, now annotated: proof not correct for e a power of two.)

Slide 19: Overlooked: correct simulation of the random oracle
- In the security proof, a key step "simulates" a random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)
- The simulation picks r at random and "declares" that H(m) consists of the 1/3 leading bits of r^e mod n. This makes σ = r a signature of m.
- Need to prove that this correctly simulates a random function: not obvious when e = 2^u

Slide 20: Completing the proof when e = 2^u
- Need to show that the density of power residues is almost uniform in any large enough interval
- Theorem. Let N be an RSA modulus, N = pq. The number of e-th power residues modulo N in any interval of length N^α, 1/2 < α < 1, is very close to N^α / d, where d is the index of the group of power residues; "very close" means that the relative difference is bounded by 5 N^(1/2-α) ln(N).

Slide 21: Completing the proof
- We have two proofs:
- The first uses two-dimensional lattices and yields slightly worse bounds.
- The second (found afterwards) uses the so-called Polya-Vinogradov inequality, which states that, for any non-principal Dirichlet character χ over (Z_N)* and any integer h, |Σ_{1≤x≤h} χ(x)| ≤ 2 ln(N) √N.
- This is enough to complete the security proof when e is not prime to φ(n).
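
To see what slides 19 to 21 are counting, here is an added numerical illustration written for this page (not the authors' code or proof). It enumerates the e-th power residues modulo a constructed toy modulus N = p·q, counts them in intervals of length N^α, compares the count with N^α / d (with d = gcd(e, p−1)·gcd(e, q−1), the index of the e-th powers in the cyclic groups (Z_p)* and (Z_q)*), and evaluates the slide's bound 5 N^(1/2−α) ln(N) next to the observed relative difference. It then checks the Polya-Vinogradov inequality on a concrete non-principal character, the Jacobi symbol (x/N). The primes 1009 and 1013 are constructed toy values: at this size the stated bound exceeds 1 and says nothing, which is itself the point of the theorem's N^(1/2−α) factor, since the bound only becomes meaningful at cryptographic sizes.

```python
# Added numerical check of the density statements on the slides (example code for this page,
# not the authors'). N = 1009 * 1013 is a constructed toy modulus; the slide's bound is
# vacuous at this size, so the code shows how the quantities relate rather than proving anything.
import math


def subgroup_index(p, q, e):
    """Index d of the e-th powers in (Z_N)^*, N = p*q. Both (Z_p)^* and (Z_q)^* are cyclic,
    so the e-th powers have index gcd(e, p-1) and gcd(e, q-1) respectively."""
    return math.gcd(e, p - 1) * math.gcd(e, q - 1)


def residue_set(N, e):
    """The set of e-th power residues modulo N (all values x^e mod N, units and non-units)."""
    return {pow(x, e, N) for x in range(N)}


def interval_density(p, q, e, alpha, starts):
    """Count e-th power residues in [s, s + N^alpha) for each start s (wrapping modulo N) and
    return the worst relative difference from N^alpha / d together with the slide's bound."""
    N = p * q
    R = residue_set(N, e)
    L = int(N ** alpha)
    expected = L / subgroup_index(p, q, e)
    bound = 5 * N ** (0.5 - alpha) * math.log(N)   # 5 N^(1/2 - alpha) ln N from slide 20
    worst = 0.0
    for s in starts:
        count = sum(1 for x in range(s, s + L) if x % N in R)
        worst = max(worst, abs(count - expected) / expected)
    return worst, bound


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0. For N = p*q (not a square) it is a real
    non-principal Dirichlet character modulo N, as required by Polya-Vinogradov."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def polya_vinogradov_check(N, hs):
    """Largest |sum_{1<=x<=h} chi(x)| over the given h, next to the bound 2 ln(N) sqrt(N)."""
    bound = 2 * math.log(N) * math.sqrt(N)
    worst = max(abs(sum(jacobi(x, N) for x in range(1, h + 1))) for h in hs)
    return worst, bound


if __name__ == "__main__":
    p, q = 1009, 1013                 # constructed toy primes, N = 1022117
    for e in (2, 4):                  # e = 4 = 2^2 is the power-of-two case from the slides
        worst, bound = interval_density(p, q, e, 0.75, [0, 123456, 700000])
        print(f"e={e}: d={subgroup_index(p, q, e)}, worst relative gap {worst:.3f}, "
              f"slide bound {bound:.2f}")
    worst, bound = polya_vinogradov_check(p * q, [1000, 50000, 511058])
    print(f"character sums: max |S(h)| = {worst}, Polya-Vinogradov bound {bound:.0f}")
```

The residue counts come out within a few percent of N^α / d even at this toy size, while the proven bound is far looser; the gap between what one observes and what can be proven is exactly why the talk needed a dedicated theorem to justify the random-oracle simulation for e = 2^u.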

Slide 22: Conclusions (1)
- The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
- The first flaw is methodological in character and is related to the security model
- The second is a limitation in the proof that could be overcome by use of (some) number theory.

Slide 23: Conclusions (2)
- It took twenty centuries to design RSA
- It took over twenty years to understand how to practice RSA and get "provable security"
- ESIGN's provable security took over ten years
- Cryptographic schemes should not be adopted and standardized prematurely
- And not without a security proof, at least in the random oracle model
- Also allow some additional time to check and interpret the security proof

