Security Proofs for Signature Schemes

David Pointcheval (David.Pointcheval@ens.fr)
Jacques Stern (Jacques.Stern@ens.fr)
Laboratoire d'Informatique, École Normale Supérieure
45, rue d'Ulm, 75230 PARIS CEDEX 05

Summary

• Introduction
  – Model
  – Assumptions
  – Attacks
  – Motivation
• Forking lemma
• El Gamal
• Modified El Gamal
  – No-message attacks
  – Adaptively chosen message attacks
• Conclusion

Signature schemes

[Figure: signature scheme diagram with labels $m$, Id, $K_p$, $K_s$, unsecure channel, $V$, $\sigma$, $\Sigma$]

Proof of identity of the sender.

Security: no one can forge a valid pair $(m, \sigma)$ = no existential forgery.

The model (1)

[Figure: two panels, "Key generation" and "Signature and Verification". Labels: $k$ is the security parameter; $G$ with input $k$ and tape $\omega$ outputs $K_s$, $K_p$; $\Sigma$ with $K_s$, $\omega$, $f$ and $m$ outputs $(\sigma_1, h, \sigma_2)$; $V$ with $K_p$ answers OK?; $n = |K_p|$]

• $G$ and $\Sigma$ are probabilistic algorithms: random tape $\omega$
• $V$ is deterministic

The model (2)

• $\Sigma$ and $V$ both use a hash function $f$ with $f \in_R \{0,1\}^{\ell} \to \{0,1\}^{k}$, seen as a random oracle (refer to Bellare & Rogaway, ACM CCCS'93)
  → validates cryptodesign (refer to Vaudenay's attack on DSS)
• Signatures are of the following form: $(m, \sigma_1, f(m, \sigma_1), \sigma_2)$

Assumptions

• $k(n) \gg \log n$
• Existential forgery: there is an attacker $A$ which outputs proper signatures with probability $\varepsilon \ge \frac{1}{\mathrm{poly}(n)}$ for infinitely many $n$'s

Attacks

We will consider only
• No-message attacks
• Adaptively chosen message attacks

[Figure: two panels. Attack I, no-message attack: attacker $A_1$ with $K_p$ and tape $\omega$, $Q$ queries $m$ to the oracle $f$ with answers $\rho$, output $\sigma_1, h, \sigma_2$. Attack II, adaptively chosen message attack: attacker $A_2$ with $K_p$ and tape $\omega$, $Q$ queries to $f$ with answers $\rho$, and $Q'$ queries $m_i$ to the signer $\Sigma$ (with $K_s$, $\omega$, $K_p$, answers $\rho'$) returning $(\sigma_1, h, \sigma_2)_i$, output $\sigma_1, h, \sigma_2$]

Motivation

To provide proofs of security for signature schemes relatively to well-established difficult problems:

Existential forgery under such attacks is equivalent to difficult problems.

Example: Fiat-Shamir (with single key)

$G$: $N = pq$ such that $|N| = n$
  secret key: $s \in_R \mathbb{Z}/N\mathbb{Z}$
  public key: $v = s^2 \bmod N$

$\Sigma$: $r_1, \ldots, r_k \in_R \mathbb{Z}/N\mathbb{Z}$
  $x_i = r_i^2 \bmod N$: $\sigma_1 = (x_1, \ldots, x_k)$
  $e_1 \ldots e_k = f(m, \sigma_1)$
  $y_i = r_i \cdot s^{e_i} \bmod N$: $\sigma_2 = (y_1, \ldots, y_k)$

Signature: $\bigl(m, (x_1, \ldots, x_k), e_1 \ldots e_k, (y_1, \ldots, y_k)\bigr)$

$V$: $y_i^2 \stackrel{?}{=} x_i v^{e_i} \bmod N$
  $e_1 \ldots e_k \stackrel{?}{=} f\bigl(m, (x_1, \ldots, x_k)\bigr)$

The forking lemma (1)

[Figure: oracle replay. Two runs of the attacker on the same tape $\omega$ with queries $Q_1, Q_2, \ldots, Q_\beta, Q_{\beta+1}, \ldots, Q_Q$; the answers $\rho$ before the $\beta$-th query $(m, \sigma_1)$ are shared; the first run continues with answers $\bar\rho$ and outputs $h, \sigma_2$; the second run continues with answers $\bar\rho'$ (queries $Q'_{\beta+1}, \ldots$) and outputs $h', \sigma_2'$; $\Pr[\text{success}] \ge \varepsilon$]

$A$ is an attacker with probability of success, over $\omega$, $f$ and possibly $K_p$, greater than $\varepsilon$.

Oracle replay:
• play the attack with random $\omega$ and $f$
• select $\beta$ at random
• replay the attack with the same $\omega$ and same $\beta - 1$ first answers, others are given at random

Application with Fiat-Shamir

In order to factor $N$:
• create a key pair $(s, v)$ with $v = s^2 \bmod N$.
• apply the forking lemma to get $(m, \sigma_1, h, \sigma_2)$ and $(m, \sigma_1, h', \sigma_2')$ with $h \ne h'$

If $h$ and $h'$ differ at $i$, say $h_i = 0$ and $h'_i = 1$, then
  $y_i^2 = x_i$ and $(y'_i)^2 = x_i v \bmod N$
hence
  $(y'_i \, y_i^{-1})^2 = v \bmod N$

Since the algorithm cannot distinguish $s$ from the other roots, we can factor.

Conclusion: existential forgery of the Fiat-Shamir signature scheme, under a no-message attack, is equivalent to the factorization.

The forking lemma (2)

The probabilistic lemma

Let $A \subset X \times Y$ such that $\Pr[A(x, y)] \ge \varepsilon$.
Then there exists $U \subset X$ such that
• $\Pr[x \in U] \ge \frac{\varepsilon}{2}$
• whenever $a \in U$, $\Pr[A(a, y)] \ge \frac{\varepsilon}{2}$

• there is a query index $\beta$ such that $\Pr[\text{success and } \beta] \ge \varepsilon / Q$
• using the previous lemma, we get a set $\Omega$ such that
  • $\Pr[(\omega, \rho) \in \Omega] \ge \varepsilon / 2Q$
  • whenever $(\omega, \rho) \in \Omega$, $\Pr_{\bar\rho}[\text{success and } \beta] \ge \varepsilon / 2Q$

The forking lemma (3)

With non-negligible probability, one gets
• good $\beta$
• $(\omega, \rho) \in \Omega$

And then, with random choice of $\bar\rho$ and $\bar\rho'$, with non-negligible probability:
• with answers $(\rho, \bar\rho)$, the attacker outputs $(m, \sigma_1, h, \sigma_2)$ such that $(m, \sigma_1)$ is the $\beta$th query,
• with answers $(\rho, \bar\rho')$, the attacker outputs $(m, \sigma_1, h', \sigma_2')$.

With probability less than $2^{-k(n)}$, $h = h'$.

El Gamal

$G$: $p$ prime, and $g$ generator of $(\mathbb{Z}/p\mathbb{Z})^\star$
  secret key: $x \in_R (\mathbb{Z}/(p-1)\mathbb{Z})^\star$
  public key: $y = g^x \bmod p$

$\Sigma$: $k \in_R (\mathbb{Z}/(p-1)\mathbb{Z})^\star$
  $r = g^k \bmod p$
  solve $m = xr + ks \bmod (p-1)$

Signature: $(m, r, s)$

$V$: $g^m \stackrel{?}{=} y^r r^s \bmod p$

Existential forgery

choose $e \in \mathbb{Z}/(p-1)\mathbb{Z}$, $v \in (\mathbb{Z}/(p-1)\mathbb{Z})^\star$

let $r = g^e y^v \bmod p$
  $s = -r v^{-1} \bmod (p-1)$

$(r, s)$ is a valid signature of the message $m = es \bmod (p-1)$

Modified El Gamal Signature

$G$: $p$ prime, and $g$ generator of $(\mathbb{Z}/p\mathbb{Z})^\star$
  secret key: $x \in_R (\mathbb{Z}/(p-1)\mathbb{Z})^\star$
  public key: $y = g^x \bmod p$

$\Sigma$: $k \in_R (\mathbb{Z}/(p-1)\mathbb{Z})^\star$
  $r = g^k \bmod p$
  solve $f(m, r) = xr + ks \bmod (p-1)$

Signature: $(m, r, f(m, r), s)$

$V$: $g^{f(m,r)} \stackrel{?}{=} y^r r^s \bmod p$
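
The forgery from the "Existential forgery" slide, checked against both verification equations, as an added example (not code from the slides). The toy parameters p = 467, g = 2, the secret x = 127 and the SHA-256 stand-in for the oracle f are assumptions made for illustration.

```python
import hashlib
from math import gcd

# Constructed toy parameters (not from the slides): p = 467 is prime,
# p - 1 = 2 * 233, and g = 2 generates (Z/pZ)*.
P, G = 467, 2
N = P - 1

def f(m, r):
    """Stand-in for the random oracle f(m, r), reduced into Z/(p-1)Z."""
    digest = hashlib.sha256(f"{m}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def verify_plain(y, m, r, s):
    """Original El Gamal check: g^m == y^r * r^s mod p."""
    return 0 < r < P and pow(G, m, P) == pow(y, r, P) * pow(r, s, P) % P

def verify_modified(y, m, r, s):
    """Modified El Gamal check: g^f(m,r) == y^r * r^s mod p."""
    return 0 < r < P and pow(G, f(m, r), P) == pow(y, r, P) * pow(r, s, P) % P

def forge_plain(y, e, v):
    """The slide's forgery: built from the public key y only."""
    if gcd(v, N) != 1:
        raise ValueError("v must be invertible mod p - 1")
    r = pow(G, e, P) * pow(y, v, P) % P
    s = -r * pow(v, -1, N) % N
    m = e * s % N  # the message is dictated by (e, v), not chosen freely
    return m, r, s

def demo():
    y = pow(G, 127, P)  # public key for a constructed secret x = 127
    rows = []
    for e, v in [(5, 3), (40, 7), (111, 9)]:
        m, r, s = forge_plain(y, e, v)
        # (accepted by plain V, accepted by modified V, oracle hit f(m,r) == m)
        rows.append((verify_plain(y, m, r, s),
                     verify_modified(y, m, r, s),
                     f(m, r) == m))
    return rows
```

Every forged triple passes the plain check, while the modified check accepts one only if the oracle value f(m, r) happens to equal es, which the forger cannot arrange in advance.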

First Result

For fixed $\alpha$, an $\alpha$-hard prime $p$ is a prime $p$ such that $p - 1 = QR$ with $Q$ prime and $R \le |p|^{\alpha}$.

Existential forgery of the Modified El Gamal signature scheme, under a no-message attack, is equivalent to discrete logarithms with $\alpha$-hard primes.

Proof (1)

By the forking lemma, we get $(m, r, h, s)$ and $(m, r, h', s')$ such that $h \ne h'$ and

$$\begin{cases} g^{h} = y^{r} r^{s} \bmod p \\ g^{h'} = y^{r} r^{s'} \bmod p \end{cases}$$

Hence

$$g^{hs' - h's} = y^{r(s' - s)} \bmod p$$
$$g^{h - h'} = r^{s - s'} \bmod p$$

There are $x$ and $t$ such that $y = g^x$ and $r = g^t$, so

$$hs' - h's = xr(s' - s) \bmod (p-1)$$
$$h - h' = t(s - s') \bmod (p-1)$$

Proof (2)

$h$ and $h'$ come from the random oracle, we may assume $h - h'$ prime to $Q$, hence $s - s'$ prime to $Q$.

1. $r$ also prime to $Q$ $\Longrightarrow$ $x \bmod Q$ $\Longrightarrow$ $x$
2. $r = bQ$ with $b$ small $\Longrightarrow$ $t \bmod Q$ $\Longrightarrow$ $t$

1. $\Pr[M(g, y) \to x] \ge \frac{1}{\mathrm{poly}(n)}$ $\Longrightarrow$ OK
2. $\Pr[M(g, y) \to (b, t)] \ge \frac{1}{\mathrm{poly}(n)}$ $\Longrightarrow$ bad case

Proof (3)

By trying $(g^u, y g^v)$ for random $u, v$, it is well-known that if

$$\Pr_{\omega, g, y}[M(g, y) \to x \mid y = g^x] \ge \frac{1}{\mathrm{poly}(n)}$$

then we obtain a polynomial probabilistic Turing machine $M'$ such that for every $(g, y)$,

$$\Pr_{\omega}[M'(g, y) \to x \mid y = g^x] \ge \frac{1}{\mathrm{poly}(n)}$$
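
The extraction step of Proof (1) and case 1 of Proof (2), carried through on numbers, as an added example (not code from the slides). The toy α-hard prime p = 467 (Q = 233, R = 2), the values x, k, h, h' and the function `forked_forger`, which stands in for the two replayed runs of an attacker, are assumptions made for illustration.

```python
# Constructed toy alpha-hard prime: p - 1 = Q * R with Q = 233 prime, R = 2;
# g = 2 generates (Z/pZ)*.
P, G, Q, R = 467, 2, 233, 2
N = P - 1

def verify(y, h, r, s):
    """Modified El Gamal check with the oracle answer h = f(m, r) supplied."""
    return pow(G, h, P) == pow(y, r, P) * pow(r, s, P) % P

def forked_forger(x, k, h):
    """Hypothetical stand-in for one replayed run: same tape (same k, so
    same r), oracle answer h. It uses x only because no real forger exists."""
    r = pow(G, k, P)
    s = (h - x * r) * pow(k, -1, N) % N
    return r, s

def extract_key(y, r, h1, s1, h2, s2):
    """Solve h*s' - h'*s = x*r*(s' - s) for x, first mod Q, then lift."""
    denom = r * (s2 - s1) % Q
    if denom == 0:
        return None  # r (or s - s') not prime to Q: case 2, nothing mod Q
    x_q = (h1 * s2 - h2 * s1) * pow(denom, -1, Q) % Q
    for j in range(R):  # R is small, so lifting x mod Q to x is a search
        x = x_q + j * Q
        if pow(G, x, P) == y:
            return x
    return None

def demo():
    x, k = 127, 45          # constructed secret key and attacker randomness
    y = pow(G, x, P)
    h1, h2 = 301, 58        # two different oracle answers for the same (m, r)
    r, s1 = forked_forger(x, k, h1)
    _, s2 = forked_forger(x, k, h2)
    if not (verify(y, h1, r, s1) and verify(y, h2, r, s2)):
        raise AssertionError("forked signatures must both verify")
    return extract_key(y, r, h1, s1, h2, s2)  # uses public values only
```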

Adaptively Chosen Message Attack

[Figure: two panels. "Attacker II + Signer ($\Sigma$)": $A_2$ with $K_p$ and tape $\omega$ makes $Q$ queries $m$ to $f$ (answers $\rho$) and $Q'$ queries $m_i$ to $\Sigma$ (with $K_s$, $\omega$, $K_p$, answers $\rho'$), receives $(\sigma_1, h, \sigma_2)_i$ and outputs $\sigma_1, h, \sigma_2$. "Attacker II + Simulator ($S$)": the same picture with the signer replaced by $S$, which has $\omega$ and $K_p$ only]

We suppose $f(m_i, (\sigma_1)_i) = h_i \;\; \forall i$

If the legitimate signer can be simulated with an indistinguishable distribution, the collusion of the attacker and the simulator can solve the discrete logarithm problem.

Simulation

We assume that the output set $H$ of random oracles contains a copy of $\mathbb{Z}/Q\mathbb{Z}$.

1. random choice of $u \in \mathbb{Z}/Q\mathbb{Z}$, $t \in (\mathbb{Z}/Q\mathbb{Z})^\star$ and $\ell \in (\mathbb{Z}/R\mathbb{Z})^\star$.
2. let $e = uR \bmod (p-1)$, $v = tR \bmod (p-1)$ and $r = (g^e y^v) g^{Q\ell} \bmod p$, until $r$ is a generator.
3. mimicking the existential forgery in the subgroup generated by $g^R$, we need $s = -r v^{-1} \bmod Q$ and $h = -e r v^{-1} \bmod Q$.
4. random choice of $h \bmod R$ such that $h \in H$. Exhaustive search over $s \bmod R$ such that $g^h = y^r r^s \bmod p$.
5. It is easy to see that it is a valid signature if $f(m, r) = h$.