Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1

Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2

Recap Last lecture: • Random Oracle Model • RSA Full Domain Hash • Security proof: – RSA-FDH adversary A with runtime t A , success probability ǫ A , q H hash queries � RSA solver B with runtime t B ≈ t A and success ǫ B ≥ ǫ A − 1 / N q H Digital Signatures 2020-03-24 3

Recap Last lecture: • Random Oracle Model • RSA Full Domain Hash • Security proof: – RSA-FDH adversary A with runtime t A , success probability ǫ A , q H hash queries � RSA solver B with runtime t B ≈ t A and success ǫ B ≥ ǫ A − 1 / N q H • Quality of reduction? Digital Signatures 2020-03-24 3

Contents Today: interlude ( not in notes ) Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 4

Parameter choices How do you choose parameters for cryptosystems? Example: RSA • N = P · Q with prime P , Q • How large should P , Q be? • Generally: security only for suitably large security parameter k Digital Signatures 2020-03-24 5

Parameter choices How do you choose parameters for cryptosystems? Example: RSA • N = P · Q with prime P , Q • How large should P , Q be? • Generally: security only for suitably large security parameter k • P , Q ∈ [2 100 , 2 101 ) large enough? Digital Signatures 2020-03-24 5

Parameter choices How do you choose parameters for cryptosystems? Example: RSA • N = P · Q with prime P , Q • How large should P , Q be? • Generally: security only for suitably large security parameter k • P , Q ∈ [2 100 , 2 101 ) large enough? • Comparison: #atoms in universe ≈ 10 80 ≈ 2 266 • P , Q ∈ [2 300 , 2 301 )? Digital Signatures 2020-03-24 5

Parameter choices Best known attack against RSA: • Factor N (i.e., compute P , Q from N = PQ ) • Compute ϕ ( N ) = ( P − 1)( Q − 1), d := e − 1 mod ϕ ( N ) � RSA secret key Digital Signatures 2020-03-24 6

Parameter choices Best known attack against RSA: • Factor N (i.e., compute P , Q from N = PQ ) • Compute ϕ ( N ) = ( P − 1)( Q − 1), d := e − 1 mod ϕ ( N ) � RSA secret key Best known factorization algorithm: • General Number Field Sieve (GNFS) • Runtime for n -bit modulus ( n = ⌊ log 2 ( N ) ⌋ + 1): �� 64 � 1 / 3 � 1 2 t GNFS ( n ) := C · exp 3 ln( n ) n 3 9 – (runtime conjectured) Digital Signatures 2020-03-24 6

Tradeoff: time/success Given: • PPT algorithm B solves problem in time t with success probability ǫ Digital Signatures 2020-03-24 7

Tradeoff: time/success Given: • PPT algorithm B solves problem in time t with success probability ǫ Consider Algorithm C : repeat solution ← B ( N ) until solution is correct • Las Vegas algorithm (succeeds always, but not PPT!) • Expected runtime: 1 ǫ · t � 1 ǫ t gives “1/quality” of B . The smaller this value, the better is B . Digital Signatures 2020-03-24 7

Parameter choices So how do you choose concrete parameters? Goal: signature scheme secure against any adversary A that. . . • can perform at most t A operation steps • knows at most q signatures • can compute at most q H hash values Digital Signatures 2020-03-24 8

Parameter choices So how do you choose concrete parameters? Goal: signature scheme secure against any adversary A that. . . • can perform at most t A operation steps • knows at most q signatures • can compute at most q H hash values Concrete assumption (“GNFS assumption”): • There is no Las-Vegas algorithm C that solves the RSA problem faster than the GNFS Digital Signatures 2020-03-24 8

Parameter choice for RSA-FDH • Security reduction converts adversaries A � B – t B ≈ t A – ǫ B ≥ ǫ A − 1 / N ≈ ǫ A q H q H Digital Signatures 2020-03-24 9

Parameter choice for RSA-FDH • Security reduction converts adversaries A � B – t B ≈ t A – ǫ B ≥ ǫ A − 1 / N ≈ ǫ A q H q H • The resource consumption (or “inverse quality”) of B is 1 t B ≤ q H t B ǫ B ǫ A ≈ q H t A ǫ A Digital Signatures 2020-03-24 9

Parameter choice for RSA-FDH • Security reduction converts adversaries A � B – t B ≈ t A – ǫ B ≥ ǫ A − 1 / N ≈ ǫ A q H q H • The resource consumption (or “inverse quality”) of B is 1 t B ≤ q H t B ǫ B ǫ A ≈ q H t A ǫ A • Choose n large enough, so that t GNFS ( n ) > q H t A ǫ A Digital Signatures 2020-03-24 9

Parameter choice for RSA-FDH • Security reduction converts adversaries A � B – t B ≈ t A – ǫ B ≥ ǫ A − 1 / N ≈ ǫ A q H q H • The resource consumption (or “inverse quality”) of B is 1 t B ≤ q H t B ǫ B ǫ A ≈ q H t A ǫ A • Choose n large enough, so that t GNFS ( n ) > q H t A ǫ A • Then existence of A contradicts “GNFS assumption”. Digital Signatures 2020-03-24 9

Parameter choice for better reduction Hypothetically: better reduction • t B ≈ t A • ǫ B ≥ ǫ A Digital Signatures 2020-03-24 10

Parameter choice for better reduction Hypothetically: better reduction • t B ≈ t A • ǫ B ≥ ǫ A • leads to: 1 t B ≤ 1 t B ǫ B ǫ A ≈ 1 t A ǫ A Digital Signatures 2020-03-24 10

Parameter choice for better reduction Hypothetically: better reduction • t B ≈ t A • ǫ B ≥ ǫ A • leads to: 1 t B ≤ 1 t B ǫ B ǫ A ≈ 1 t A ǫ A • Choose n large enough, so that t GNFS ( n ) > 1 t A ǫ A Digital Signatures 2020-03-24 10

Parameter choice for better reduction Hypothetically: better reduction • t B ≈ t A • ǫ B ≥ ǫ A • leads to: 1 t B ≤ 1 t B ǫ B ǫ A ≈ 1 t A ǫ A • Choose n large enough, so that t GNFS ( n ) > 1 t A ǫ A With better reduction: can choose smaller n = ⇒ more efficient scheme! Digital Signatures 2020-03-24 10

Typical target security levels Typical target security levels • best publicly known supercomputer (Nov 2019): Summit (IBM) • theoretical performance: ≈ 2 58 FLOP/s • in 2 22 seconds ( ≈ 49 days): 2 80 FLOP ⇒ t A ≥ 2 80 operations • = • typical: t A ∈ { 2 100 , 2 128 } • q : e.g. 2 30 ( > 1 billion signatures) • q H : e.g. 2 60 ( > 1 billion billion hash computations) Digital Signatures 2020-03-24 11

Different perspective Different perspective: • Goal: for all FDH adversaries A , we want ǫ A ≤ 1 / 2 80 • Allow 2 30 hash queries • Reduction says: ǫ B ≥ ǫ A / q H = 1 / 2 110 • Hence we need to choose RSA parameters such that for realistic adversaries, ǫ B ≤ 1 / 2 110 Digital Signatures 2020-03-24 12

Different perspective Different perspective: • Goal: for all FDH adversaries A , we want ǫ A ≤ 1 / 2 80 • Allow 2 30 hash queries • Reduction says: ǫ B ≥ ǫ A / q H = 1 / 2 110 • Hence we need to choose RSA parameters such that for realistic adversaries, ǫ B ≤ 1 / 2 110 • If we had ǫ B ≥ ǫ A , then ǫ B ≤ 1 / 2 80 would suffice • Would lead to smaller parameters and more efficiency Digital Signatures 2020-03-24 12

Socrative Self-checking with quizzes • Use following URL: https://b.socrative.com/login/student • . . . and enter room “HOFHEINZ8872” • Will also be in chat (so you can click on link) • No registration necessary • First quiz (about parameter choices) starts now! Digital Signatures 2020-03-24 13

Contents Today: interlude ( not in notes ) Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 14

RSA-PSS • RSA-based signature scheme • Like textbook RSA, but with preprocessing of m • EUF-CMA secure in ROM (under RSA assumption) • Security reduction with small reduction loss • Standardized in PKCS #1 since version 2.1 (June 2002) – . . . but we will describe the slightly simpler version from the research paper Digital Signatures 2020-03-24 15

RSA-PSS • Gen (1 k ) : as with textbook RSA • Sign ( sk , m ) : Digital Signatures 2020-03-24 16

RSA-PSS • Gen (1 k ) : as with textbook RSA • Sign ( sk , m ) : σ := PSS-Encode( m ) d (mod N ) Digital Signatures 2020-03-24 16

RSA-PSS • Gen (1 k ) : as with textbook RSA • Sign ( sk , m ) : σ := PSS-Encode( m ) d (mod N ) • Vfy ( pk , m , σ ) : – Compute y = σ e (mod N ) – Output 1 iff y valid encoding of m Digital Signatures 2020-03-24 16

RSA-PSS PSS-Encoding: • Parameter k 0 , k 1 with k 0 + k 1 ≤ k − 1. • Requires two hash functions G , H • H : { 0, 1 } ∗ → { 0, 1 } k 1 • G : { 0, 1 } k 1 → { 0, 1 } k − k 1 − 1 – G 1 : first k 0 bits of G – G 2 : rest of G – ∀ w ∈ { 0, 1 } k 1 : G ( w ) = G 1 ( w ) � G 2 ( w ) Digital Signatures 2020-03-24 17

RSA-PSS PSS-Encoding (continued): m r • choose r ← { 0, 1 } k 0 uniformly H • w := H ( m � r ) w • r ∗ := G 1 ( w ) ⊕ r • γ := G 2 ( w ) G • encoding := 0 � w � r ∗ � γ G 1 ( w ) G 2 ( w ) r 0 k − k 0 − k 1 − 1 0 w r ∗ γ Digital Signatures 2020-03-24 18

RSA-PSS: verification • Compute y = σ e mod N • If first bit of y not equal to 0: output 0 • Split y into 0, w ′ , r ′∗ , γ ′ • Compute r ′ := r ′∗ ⊕ G 1 ( w ′ ) • Output 1 iff γ ′ ? w ′ ? = G 2 ( w ′ ) = H ( m � r ′ ), and else 0. Digital Signatures 2020-03-24 19