Flaws in Applying Proof Methodologies to Signature Schemes
Jacques Stern, David Pointcheval (Ecole normale supérieure, France)
John Malone-Lee, Nigel Smart (University of Bristol, UK)

Summary
• The methodology of "provable security"
• The context of signature schemes
  – definitions
  – questions
• Our findings
  – ESIGN
  – ECDSA
• Conclusions
Jacques Stern Flaws in Applying Proof Methodologies to Signature Schemes - 2
Provable security: a short story
• Originated in the seminal papers [GM86] and [GMR88]
• Received increased applicability by allowing random oracles as a substitute for hash functions [FS86, BR93]
• Now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

The need for provable security
• "Textbook" crypto schemes cannot be used as such (obvious homomorphic properties…)
• Practitioners need formatting rules to ensure interoperability
• Heuristic redundancy is not enough
  – attack against PKCS#1 v1.5 [Bl98]
  – attack against ISO 9796-1 [CNS99, CHJ99]
The limits of provable security
• Provable security does not yield proofs
  – proofs are relative
  – proofs often use random oracles; their meaning is debatable [CGH98]
  – proofs are not formal objects but appear in talks and papers; time is needed for acceptance
• Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

Provable security in five steps
1 - Define goal of adversary
2 - Define security model
3 - Provide a proof by reduction
4 - Check proof
5 - Interpret proof
Proof by reduction
Reduction of a problem Π to an attack Atk:
• Let A be an adversary that breaks the scheme; then A can be used to solve Π
• Instance I of Π → A → solution of I
• Π intractable ⇒ scheme unbreakable

Why other steps matter: OAEP
Proposed formatting standard for RSA encryption [BR94]
1 - Goal of adversary: distinguish random encryptions of two messages m_0, m_1
2 - Security models: CPA, CCA1, CCA2
3 - Proof (in [BR94])
4 - Does not achieve CCA2 [Sh01]
5 - Alternative proof [FOPS01], specific to RSA-OAEP
Signature
• Appends to a message a proof of origin
• This should provide non-repudiation and thus even convince a third party

Signature scheme
• Key generation algorithm G: outputs a signing key k_s and a verification key k_v
• Signature algorithm: on input k_s and a message m, outputs σ
• Verification algorithm V: on input k_v, m and σ, outputs 0/1
• Non-repudiation: impossible to forge a valid σ without k_s
Goal of the adversary
• Existential forgery: try to forge a valid message-signature pair without the private key
• The adversary A is successful if the following probability is large:
  $\mathrm{Succ}^{\mathrm{ef}}(\mathcal{A}) = \Pr\big[(k_s, k_v) \leftarrow \mathcal{G}(1^k),\ (m, \sigma) \leftarrow \mathcal{A}(k_v) : \mathcal{V}(k_v, m, \sigma) = 1\big]$

Security models
• No-message attacks: the adversary only knows the verification (public) key
• Known-message attacks (KMA): the adversary has access to a list Λ of message/signature pairs
• Chosen-message attacks (CMA): the messages are adaptively chosen by the adversary ⇒ the strongest attack
Q1: submit the same message?
• In a probabilistic signature scheme, several signatures may correspond to one message
• In the usual definition of existential forgery under chosen-message attacks (CMA), the adversary can repeatedly submit the same message. Otherwise, a weaker model:
• Single-occurrence chosen-message attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list Λ

Q2: control key generation?
• In the usual definition of existential forgery, it is assumed that key generation G is fairly played
• Having the adversary control G can affect non-repudiation by allowing duplicate signatures: two different messages m_1, m_2 with a common σ
• One can produce (m_1, σ) and later claim that (m_2, σ) was meant
Q3: output the same message?
• In the usual definition of existential forgery, the output forgery corresponds to a fresh message m: no pair (m, σ) can be in the list Λ. Otherwise, a weaker goal:
• Malleability: produce a new pair (m, σ) ∉ Λ, possibly for a submitted message ((m, σ') ∈ Λ for some σ' ≠ σ)
• Non-malleability is a stronger demand than resistance to existential forgeries

ESIGN
A signature scheme designed in the late 1990s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof
• Uses RSA integers of the form n = p^2 q
• Based on the approximate e-th root problem: given y, find x such that y ≈ x^e mod n
• Signature generation is a very efficient way to compute σ = x, given y = H(m)
Our findings on ESIGN
• The proof holds only in the SO-CMA scenario
• The reduction simulates signature requests by having x ready beforehand such that H(m) ≈ x^e mod n
• It gets stuck if m is queried anew: the prepared x has been spent, and the reduction has no second, independent approximate root of the same H(m)
• Interpretation:
  – ESIGN is not broken
  – either give up the CMA property…
  – or modify ESIGN (cf. NESSIE internal paper by L. Granboulan)

ECDSA
G = <P>, P an element of order q on an elliptic curve EC; x: private key; Y = x.P: public key
Signing m:
• choose k ∈ Z_q^*
• compute R = k.P
• compute r = first-coordinate(R) = f(R)
• compute e = H(m), s = (e + x r)/k mod q
• output σ = (r, s)
Verifying (m, r, s): first check 0 < r, s < q
• compute R' = e s^{-1}.P + r s^{-1}.Y
• test whether r = f(R')
Duplicate signatures for ECDSA
• Perform key generation as follows:
  – compute h_1 = H(m_1), h_2 = H(m_2)
  – choose k ∈ Z_q^* and compute r = f(k.P)
  – set the private key to x = -(h_1 + h_2)/2r mod q
  – set s = (h_1 + x r)/k = -(h_2 + x r)/k mod q
  (indeed h_1 + x r = (h_1 - h_2)/2 = -(h_2 + x r) mod q; verifying (m_2, r, s) thus computes R' = (h_2 + x r) s^{-1}.P = -k.P = -R, and f(-R) = f(R) = r, so σ = (r, s) is valid for both m_1 and m_2)
• Interpretation:
  – ECDSA is not broken
  – duplicate signatures reveal the secret key: from the two equalities above, x = -(h_1 + h_2)/2r mod q is computable from (m_1, m_2, r) alone
  – to eliminate duplicates, ECDSA needs to be tweaked

Malleability of ECDSA
• In ECDSA, r = first-coordinate(R) = f(R) = x_R, thus f(-R) = f(R)
• Given a valid signature (m, r, s), one obtains another as (m, r, -s mod q)
• This is exactly malleability
• Interpretation:
  – ECDSA is not broken
  – to eliminate malleability, ECDSA needs to be tweaked
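The following is an added worked example, not code from the paper or its authors: a textbook ECDSA over secp256k1 in pure Python that reproduces the three behaviours of the ECDSA slides above. It implements signing and verification exactly as written on the ECDSA slide, shows that (r, -s mod q) verifies whenever (r, s) does, builds the maliciously generated key pair from the duplicate-signature slide so that one σ is valid for two messages, and recovers x from such a duplicate. Assumptions: the standard secp256k1 domain parameters; H is SHA-256 reduced mod q and f(R) is x_R mod q (simplifications of the standard's conversion rules); the messages and fixed scalars are constructed for the demonstration. The arithmetic is neither constant-time nor intended for production use.

```python
# Added example (not from the paper): textbook ECDSA over secp256k1 exhibiting
# malleability and maliciously generated duplicate signatures. Demonstration
# code only: variable-time arithmetic, simplified hash-to-integer conversion.
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_p, base point P of prime order q (cofactor 1).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on the curve; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:   # B = -A
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k.A (k >= 0)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def f(R):
    """f(R) = first coordinate of R, reduced mod q; note f(-R) == f(R)."""
    return R[0] % q


def H(m):
    """e = H(m) as an integer mod q (SHA-256; simplified truncation, an assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, ec_mul(x, P)


def sign(x, m, k=None):
    """ECDSA signing as on the slide: R = k.P, r = f(R), s = (e + x r) / k mod q."""
    k = k or (secrets.randbelow(q - 1) + 1)
    r = f(ec_mul(k, P))
    s = (H(m) + x * r) * pow(k, -1, q) % q
    assert r and s, "degenerate k, retry"   # negligible probability
    return (r, s)


def verify(Y, m, sig):
    """ECDSA verification: 0 < r, s < q; R' = e s^-1 . P + r s^-1 . Y; accept iff r = f(R')."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    Rp = ec_add(ec_mul(H(m) * w % q, P), ec_mul(r * w % q, Y))
    return Rp is not None and f(Rp) == r


def malleate(sig):
    """Malleability: (r, -s mod q) verifies because f(-R) = f(R)."""
    r, s = sig
    return (r, (-s) % q)


def duplicate_keygen(m1, m2, k=None):
    """Malicious key generation: choose x so that one sigma is valid for both m1 and m2."""
    h1, h2 = H(m1), H(m2)
    k = k or (secrets.randbelow(q - 1) + 1)
    r = f(ec_mul(k, P))
    x = (-(h1 + h2)) * pow(2 * r, -1, q) % q   # x = -(h1 + h2) / 2r mod q
    s = (h1 + x * r) * pow(k, -1, q) % q       # = -(h2 + x r) / k mod q
    return x, ec_mul(x, P), (r, s)


def recover_key_from_duplicate(m1, m2, sig):
    """A single (r, s) valid for two distinct messages forces h1 + x r = -(h2 + x r),
    which reveals the private key x = -(h1 + h2) / 2r mod q."""
    r, _ = sig
    return (-(H(m1) + H(m2))) * pow(2 * r, -1, q) % q


if __name__ == "__main__":
    x, Y = keygen()
    m = b"constructed sample message"
    sig = sign(x, m)
    print("valid:", verify(Y, m, sig), "malleated valid:", verify(Y, m, malleate(sig)))
    m1, m2 = b"transfer 10 to Alice", b"transfer 10 to Bob"
    x2, Y2, dup = duplicate_keygen(m1, m2)
    print("one sigma valid for both:", verify(Y2, m1, dup) and verify(Y2, m2, dup))
    print("key recovered from duplicate:", recover_key_from_duplicate(m1, m2, dup) == x2)
```

Running the script prints True for every check. The key-recovery function is the practical consequence of the "duplicate signatures reveal secret key" remark: a verifier who is shown the same (r, s) on two different messages can compute the signer's x, so the duplicate is also self-incriminating. The usual tweak that removes both behaviours is to reject s > q/2 (or, equivalently, to fix the sign of s), which is what "tweak ECDSA" amounts to in practice.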
What does the proof tell?
• A security proof for ECDSA has been proposed in the generic model, where one gets access to elements of G only through encodings
• Probabilities are computed by randomizing over encodings
• Theorem: non-malleability of ECDSA cannot be broken with probability significantly greater than 5(n + 1)(n + q_s + 1)/q (q_s: number of signing queries, n: number of group operations)

In other words…
• The security proof "proves" a property that does not hold for the actual scheme
• Interpretation:
  – EC groups are not generic (they have automorphisms, such as R ↦ -R, which random encodings do not capture)
  – either change the model…
  – or tweak the scheme
Conclusions (1)
• We have shown several flaws in applying proof methodologies to signature schemes
• They are not mathematical errors but misconceptions about the security model

Conclusions (2)
• We have shown possible variants of the usual definition of security based on existential forgery and CMA,
  – either weaker (the SO-CMA scenario)
  – or stronger (requesting non-malleability)
• We believe that the strongest possible requirement should be adopted
• This would imply tweaks for ESIGN and ECDSA