Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-17 1

Outline RSA-based signature schemes RSA-FDH: Full Domain Hash Random Oracle Model RSA-FDH: Security Digital Signatures 2020-03-17 2

Recap: RSA problem/assumption Setting: • N = P · Q , for large primes P , Q • ϕ ( N ) = ( P − 1)( Q − 1) = | Z ∗ N | • Choose e ∈ N uniformly between 1 and ϕ ( N ) with gcd( e , ϕ ( N )) = 1. • Then d ∈ N with e · d ≡ 1 mod ϕ ( N ) can be found efficiently from ϕ ( N ) and e . • For x ∈ Z N , we have x e · d ≡ x mod N . Digital Signatures 2020-03-17 3

Recap: RSA problem/assumption RSA problem: • Given N , e as above and y ← Z N , find x ∈ Z N with x e ≡ y mod N . Digital Signatures 2020-03-17 4

Recap: RSA problem/assumption RSA problem: • Given N , e as above and y ← Z N , find x ∈ Z N with x e ≡ y mod N . RSA assumption: • ∀ PPT A :   N , e as above : x e = y mod N Pr y ← Z N     x ← A (1 k , N , e , y ) negligible. Digital Signatures 2020-03-17 4

“Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Digital Signatures 2020-03-17 5

“Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Correctness: Digital Signatures 2020-03-17 5

“Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Correctness: σ e ≡ ( m d ) e ≡ m de mod ϕ ( N ) ≡ m 1 ≡ m (mod N ) Digital Signatures 2020-03-17 5

Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery Digital Signatures 2020-03-17 6

Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery • (Multiplicatively) homomorphic: – If σ 1 , σ 2 are valid signatures for m 1 , m 2 , – then σ 3 := σ 1 σ 2 mod N is valid for m 3 := m 1 m 2 mod N : 3 ≡ ( σ 1 σ 2 ) e ≡ σ e σ e 1 σ e 2 ≡ m 1 m 2 ≡ m 3 (mod N ) Digital Signatures 2020-03-17 6

Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery • (Multiplicatively) homomorphic: – If σ 1 , σ 2 are valid signatures for m 1 , m 2 , – then σ 3 := σ 1 σ 2 mod N is valid for m 3 := m 1 m 2 mod N : 3 ≡ ( σ 1 σ 2 ) e ≡ σ e σ e 1 σ e 2 ≡ m 1 m 2 ≡ m 3 (mod N ) • Exercise : Textbook-RSA is UUF-NMA secure if the RSA assumption holds. Digital Signatures 2020-03-17 6

RSA-based signatures Secure signatures based on RSA Often: suitable preprocessing /encoding of m • RSA PKCS #1 v1.5 • RSA-FDH (Full Domain Hash) • RSA-PSS (Probabilistic Signature Scheme, not in notes ) More schemes: • Gennaro-Halevi-Rabin scheme: – EUF-naCMA secure under stronger assumption • Hohenberger-Waters scheme (not covered here): – similar to GHR, but under standard RSA assumption Digital Signatures 2020-03-17 7

RSA PKCS #1 v1.5 PKCS #1: • Public-Key Cryptography Standard #1 • Originally developed by RSA Security • Version 1.5: November 1993 • Today: Version 2.2 (October 2012) • Contains also variant of RSA-PSS – https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/ pkcs-rsa-cryptography-standard.htm – https://tools.ietf.org/html/rfc3447 Digital Signatures 2020-03-17 8

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value – σ := ( m ′ ) d (mod N ) Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value – σ := ( m ′ ) d (mod N ) • Vfy ( pk , m , σ ) : – compute m ′ := σ e (mod N ) – check if m ′ valid encoding of m Digital Signatures 2020-03-17 9

RSA PKCS #1 v1.5: security Security? • not clear, but at least not (obviously) homomorphic • no attacks known, but also no security proof • exception: attack on implementation flaws Why relevant? • old, used in practice Digital Signatures 2020-03-17 10

Socrative Self-checking with quizzes • Use following URL: https://b.socrative.com/login/student • . . . and enter room “HOFHEINZ8872” • Will also be in chat (so you can click on link) • No registration necessary • First quiz (about textbook RSA) start now! Digital Signatures 2020-03-17 11

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Digital Signatures 2020-03-17 12

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : Digital Signatures 2020-03-17 12

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) Digital Signatures 2020-03-17 12

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : Digital Signatures 2020-03-17 12

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : σ e ? ≡ H ( m ) (mod N ) Digital Signatures 2020-03-17 12

RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : σ e ? ≡ H ( m ) (mod N ) Correctness: clear Digital Signatures 2020-03-17 12

Security of RSA-FDH Theorem If the RSA assumption holds, then RSA-FDH is EUF-CMA secure Digital Signatures 2020-03-17 13