The Methodology of Provable Security
Marc Joye, Thomson Security Labs, marc.joye@thomson.net
DIWALL Seminar, March 20, 2008

Contents
Part I: Introduction
Part II: Signature Schemes
Part III: Encryption Schemes
Part IV: Conclusion
Part I: Introduction

Digital Signatures
• Digital counterpart of a handwritten signature
• Key properties ⇒ authentication, integrity, non-repudiation
Textbook RSA Signature
• Key generation
  Input: key length $k$ and $e$
  Output: $N = pq$ such that $|N|_2 = k$ and $\gcd(e, \varphi(N)) = 1$; $d = e^{-1} \bmod \varphi(N)$; $pk = \{e, N\}$ and $sk = \{d\}$
• [Plain] RSA signing
  Input: private key $sk$ and message $m$
  Output: signature $\sigma = m^d \bmod N$
• [Plain] RSA verification
  Input: public key $pk$, signature $\sigma$, and message $m$
  Output: $\sigma^e \stackrel{?}{\equiv} m \pmod N$

Existential Forgeries
Signing: $\sigma = m^d \bmod N$; verification: $\sigma^e \stackrel{?}{\equiv} m \pmod N$
1. Choose a random $r$
2. Compute $m = r^e \bmod N$
3. Set $\sigma = r$
4. Output $\sigma$ as the signature on "message" $m$
Selective Forgeries
Observation: multiplicative property $(m_1 m_2)^d \equiv m_1^d\, m_2^d \equiv \sigma_1 \sigma_2 \pmod N$
• To obtain the signature $\sigma$ on a chosen message $m$:
  1. Choose a random $m_1 = r$ and define $m_2 = m/r \bmod N$
  2. Obtain the signatures $\sigma_1 = m_1^d \bmod N$ and $\sigma_2 = m_2^d \bmod N$
  3. Output $\sigma = \sigma_1 \sigma_2 \bmod N$
• One-message forgery? Idem with $m_1 = r^e \bmod N$ for a random $r$ (note that $\sigma_1 = r$, so only one signature query is needed)

What Does "Secure" Mean?
• Given $(m, e)$, computing $\sigma = m^{1/e} \bmod N$ is difficult ⇒ textbook RSA signatures are unforgeable (provided that the RSA problem is hard)
• ... but it is easy given an oracle returning the signature on chosen messages ⇒ textbook RSA signatures are (universally) forgeable under chosen-message attacks
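To make the two forgeries concrete, here is an added example in Python (not from the slides): a toy textbook RSA key built from constructed small primes, with the existential forgery and the multiplicative chosen-message forgeries exactly as sketched above, each checked against the plain verification equation.

```python
import math
import random

# Constructed toy RSA key; far too small for real use.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # d = e^{-1} mod phi(N)

def sign(m):
    """Textbook RSA signing: sigma = m^d mod N, no hash, no padding."""
    return pow(m, D, N)

def verify(m, sigma):
    """Textbook RSA verification: sigma^e == m (mod N)."""
    return pow(sigma, E, N) == m % N

def existential_forgery():
    """No-message forgery: pick sigma = r first, then m = r^e mod N."""
    r = random.randrange(2, N)
    return pow(r, E, N), r          # (message, signature)

def selective_forgery(m, signing_oracle):
    """Chosen-message forgery on a target m via the multiplicative property:
    m = m1 * m2 (mod N), so sigma(m) = sigma(m1) * sigma(m2) mod N."""
    m1 = random.randrange(2, N)
    while math.gcd(m1, N) != 1:     # m1 must be invertible mod N
        m1 = random.randrange(2, N)
    m2 = (m * pow(m1, -1, N)) % N
    sigma1, sigma2 = signing_oracle(m1), signing_oracle(m2)
    return (sigma1 * sigma2) % N

def one_query_forgery(m, signing_oracle):
    """Same idea with m1 = r^e: its signature is r, so only one oracle query."""
    r = random.randrange(2, N)
    m1 = pow(r, E, N)
    m2 = (m * pow(m1, -1, N)) % N
    return (r * signing_oracle(m2)) % N
```

The point of the check is that `verify` accepts all three outputs even though the target message was never given to the signer, which is precisely what hash-then-sign schemes such as RSA-FDH later in the talk are designed to prevent.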
Provable Security
• Security proofs: reduction to a hard problem; definition of a security model; definition of the adversary's resources
• Security notions: signature schemes; encryption schemes

Bibliography
Mihir Bellare. Practice-oriented provable security. Lectures on Data Security, LNCS 1561, pages 1–15, Springer, 1999.
Neal Koblitz and Alfred J. Menezes. Another look at "provable security". J. Cryptology 20(1):3–37, 2007.
Part II: Provably Secure Signature Schemes

Digital Signatures
Definition: A digital signature scheme is a set of three algorithms:
1. Key generation. Input: security parameter $\kappa$. Output: key pair $(pk, sk)$
2. Signing. Input: signing key $sk$, message $m$ [and random $r$]. Output: $\sigma = \mathcal{S}(sk, m[, r])$
3. Verification. Input: verification key $pk$, signature $\sigma$ [and message $m$]. Output: $\mathcal{V}(pk, \sigma[, m]) = 0$ or $1$
Security Notions
Security goals
• Key unbreakability
• Universal unforgeability
• Selective unforgeability
• Existential unforgeability (EUF)
Attack scenarios
• No resources (except public key $pk$)
• Known-message attacks
• Chosen-message attacks (CMA)
Definition: A security notion is a pair (security goal, attack scenario), e.g., EUF-CMA

EUF-CMA Adversary (figure)
Simulation Paradigm ("Reductio ad Absurdum")
0. Challenge: some instance $I$ of an "intractable" problem
1. Simulation: $pk$ given to $\mathcal{A}$; simulation of $\mathcal{S}_{sk}(\cdot)$ to answer the $q_S$ queries of $\mathcal{A}$
2. Reduction: resolution of $I$ from the forgery $(m^*, \sigma^*)$
⇒ "Reductionist" security
Cryptographic Problems
Definition (RSA problem): Given an RSA modulus $N$, a public exponent $e \in \mathbb{Z}^*_{\varphi(N)}$ and a random $y \in_R \mathbb{Z}^*_N$, compute $x = y^{e^{-1} \bmod \varphi(N)} \bmod N$
Definition (Flexible RSA [a.k.a. SRSA] problem): Given an RSA modulus $N$ and a random $y \in_R \mathbb{Z}^*_N$, find a pair $(x, e)$ s.t. $y \equiv x^e \pmod N$ and $e > 1$

GHR Signature Scheme I
Key generation
• $pk = \{N, u\}$ with $N = (2p'+1)(2q'+1)$ and $u \in_R \mathbb{Z}^*_N$
• $sk = \{p', q'\}$
Signing: for a message $m \in \mathcal{M}$, compute $\sigma = u^{c^{-1} \bmod 2p'q'} \bmod N$ where $c = H(m)$
Verification: signature $\sigma$ on message $m \in \mathcal{M}$ is valid ⇔ $\sigma^{H(m)} \equiv u \pmod N$
Hash function $H$ has to be division-intractable
• e.g., $H : \mathcal{M} \to \{\text{primes}\} \cap \{0,1\}^{\ell_h}$
Security of GHR Scheme I
Theorem: Suppose that the SRSA problem is $(\tau, \epsilon)$-hard. Then, for any $q_S$, GHR signature scheme I is $(\tau_A, q_S, \epsilon_A)$-secure in the sense of EUF-CMA, where
$\tau \le \tau_A + (q_S + \#\mathcal{M})\,\mathrm{poly}(\kappa)$ and $\epsilon \approx \dfrac{\epsilon_A}{\#\mathcal{M}}$

Security Proof
Challenge: given $(N, y)$, find $(x, e)$ s.t. $y \equiv x^e \pmod N$ and $e > 1$
Simulation
• Key generation: $pk = \{N, u\}$; choose $m' \in_R \mathcal{M}$, define $E = \prod_{m \in \mathcal{M},\, m \ne m'} H(m)$ and $u = y^E \bmod N$
• Signing: on input message $m$, if $m \ne m'$ then return $\sigma = y^{E/H(m)} \bmod N$ (valid, since $\sigma^{H(m)} = y^E = u$); if $m = m'$ then abort
Reduction: $\mathcal{A}$ returns a forgery $(\sigma^*, m^*)$ with probability $\epsilon_A$
• If $m^* = m'$ then $\sigma^* = y^{E/H(m')} \bmod N$, i.e., $\sigma^{*H(m')} \equiv y^E \pmod N$
• Find $a, b \in \mathbb{Z}$ with $aE + bH(m') = 1$ (they exist because division-intractability gives $\gcd(E, H(m')) = 1$); then $x = \sigma^{*a} y^b \bmod N$ and $e = H(m')$ satisfy $x^e \equiv y \pmod N$
Success probability: $\epsilon = \dfrac{1}{\#\mathcal{M}} \cdot \left(1 - \dfrac{q_S}{\#\mathcal{M}}\right) \cdot \epsilon_A = \epsilon_A \cdot \dfrac{\#\mathcal{M} - q_S}{(\#\mathcal{M})^2}$
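Added example, not from the slides, of GHR scheme I in Python with constructed toy parameters ($p' = 1019$, $q' = 2003$, $u = 123457$) and $H$ realised as hash-to-prime, the division-intractable choice suggested above. It also runs the proof's simulator from the "Security of GHR Scheme I" slide, which signs every message except the guessed $m'$ from $u = y^E$ without knowing the factorisation.

```python
import hashlib

L_H = 20                         # bit length of the prime exponent c = H(m)
P1, Q1 = 1019, 2003              # constructed Sophie Germain primes p', q' (toy size only)
N = (2 * P1 + 1) * (2 * Q1 + 1)  # N = (2p'+1)(2q'+1) = 2039 * 4007
LAMBDA = 2 * P1 * Q1             # the exponent modulus 2p'q' used when signing
U = 123457                       # constructed u in Z_N^* (part of pk)

def is_prime(n):
    """Trial division; enough for the 20-bit values used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def hash_to_prime(m: bytes) -> int:
    """H : M -> {primes} in {0,1}^l_h: hash, force top bit and oddness, step to the next prime."""
    c = int.from_bytes(hashlib.sha256(m).digest(), "big") % (1 << L_H)
    c |= (1 << (L_H - 1)) | 1
    while not is_prime(c):
        c += 2
    return c

def sign(m: bytes) -> int:
    """sigma = u^{c^{-1} mod 2p'q'} mod N with c = H(m); needs sk = (p', q')."""
    return pow(U, pow(hash_to_prime(m), -1, LAMBDA), N)

def verify(m: bytes, sigma: int, u: int = U) -> bool:
    """Valid iff sigma^{H(m)} == u (mod N); needs only pk = (N, u)."""
    return pow(sigma, hash_to_prime(m), N) == u % N

def simulated_signer(msgs, m_prime, y):
    """The proof's simulator: guess the forged message m', publish u = y^E mod N with
    E = prod_{m != m'} H(m), and sign any m != m' as y^{E/H(m)} without p', q'.
    A forgery on m' would then yield an SRSA solution for y."""
    E = 1
    for m in msgs:
        if m != m_prime:
            E *= hash_to_prime(m)
    u = pow(y, E, N)
    def sim_sign(m):
        if m == m_prime:
            raise RuntimeError("abort: the simulator cannot sign m'")
        return pow(y, E // hash_to_prime(m), N)
    return u, sim_sign
```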
EUF-CMA Adversary (RO Model)
• RO = Random Oracle (figure)

RSA-FDH
Key generation: $pk = \{N, e\}$, $sk = \{d\}$ with $d = e^{-1} \bmod \varphi(N)$
Signing
• Padding: $m \mapsto H(m)$ with $H : \{0,1\}^* \to (\mathbb{Z}/N\mathbb{Z})^*$
• Signature: $\sigma = H(m)^d \bmod N$
Verification: given $m$ and $\sigma$, check whether $\sigma^e \bmod N \stackrel{?}{=} H(m)$
Theorem: Suppose that the RSA problem is $(\tau, \epsilon)$-hard. Then, for any $q_H, q_S$, the RSA-FDH signature scheme is $(\tau_A, q_S, q_H, \epsilon_A)$-secure in the sense of EUF-CMA in the RO model, where
$\tau \le \tau_A + (q_H + q_S)\,\mathrm{poly}(\kappa)$ and $\epsilon \approx \dfrac{\epsilon_A}{q_H + q_S}$
Security Proof of FDH
• Simulation/reduction principle
  Challenge $\mathrm{RSA}(\hat N, \hat e, \hat y)$: find $\hat x \in \mathbb{Z}/\hat N\mathbb{Z}$ s.t. $\hat y \equiv \hat x^{\hat e} \pmod{\hat N}$
• Notation
  $q_H$: number of hash queries that are not followed later by a signature query on the same message
  $q_S$: number of signature queries

Simulation (1)
Simulation of $\mathcal{K}(1^\kappa)$
• Choose $j \in_R \{1, \ldots, q_H + q_S\}$
• $pk = \{N, e\}$ with $N = \hat N$ and $e = \hat e$
Simulation of $H(m)$
• If $m \in \mathrm{Hist}[H]$ then return $H(m)$
• Otherwise, increment $i$ and
  if $i \ne j$, add $(m, \sigma_i, h_i)$ to $\mathrm{Hist}[H]$ with $h_i = \sigma_i^e \bmod N$ for a random $\sigma_i \in_R (\mathbb{Z}/N\mathbb{Z})^*$, and return $h_i$
  if $i = j$, add $(m, \perp, h_j)$ to $\mathrm{Hist}[H]$ with $h_j = \hat y$, and return $h_j$
Simulation of $\mathcal{S}_{sk}(m)$
• If $m \notin \mathrm{Hist}[H]$ then invoke $H$
• Let $(m, \sigma_i, h_i)$ be the entry in $\mathrm{Hist}[H]$ corresponding to $m$; if $\sigma_i = \perp$ then fail and stop, otherwise return $\sigma_i$
Reduction (2)
Reduction
• $\mathcal{A}$ returns a forgery $\sigma^* = H(m^*)^d \bmod N$ with probability $\epsilon_A$, after time $\tau_A$, $q_H$ queries to $H$ and $q_S$ queries to $\mathcal{S}$
• If $m^* = m_j$ then $\sigma^* = H(m_j)^d \bmod N$ with $H(m_j) = \hat y$; since $\hat y \equiv \sigma^{*e} \pmod N$, $x = \sigma^*$ is a solution to the RSA instance
Analysis
• Success probability
  $\epsilon = \Pr[\text{simulation is perfect}] \cdot \epsilon_A \cdot \Pr[m^* = m_j] = \left(1 - \dfrac{q_S}{q_H + q_S}\right) \cdot \epsilon_A \cdot \dfrac{1}{q_H + q_S} = \dfrac{\epsilon_A}{q_H + q_S} \cdot \dfrac{q_H}{q_H + q_S}$
• Time: $\tau = \tau_A + (q_H + q_S)\,\mathrm{poly}(\kappa)$

Concrete Security
• Security of RSA-FDH: $\epsilon = \dfrac{\epsilon_A}{q_H + q_S}$
• If $q_H = 2^{40}$ and $q_S = 2^{20}$ then $\epsilon = 2^{-120}$ if $\epsilon_A = 2^{-80}$, i.e., $\epsilon_A = 2^{-40}$ if $\epsilon = 2^{-80}$
• Improvement (optimal proof): $\epsilon = \dfrac{\epsilon_A}{q_S}$
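Added example (not from the slides) implementing the Simulation (1) and Reduction (2) steps in Python for a constructed toy RSA instance: the simulator answers $H$ and $\mathcal{S}$ queries without $d$, aborts on a signature query for $m_j$, and extracts the RSA solution from a forgery on $m_j$. The forger that exercises it uses the toy private exponent and is purely an assumption of the demo, standing in for the adversary $\mathcal{A}$.

```python
import random

# Constructed toy RSA instance; the challenge is (N_HAT, E_HAT, y_hat).
P, Q = 104729, 1299709
N_HAT = P * Q
E_HAT = 65537
D_TOY = pow(E_HAT, -1, (P - 1) * (Q - 1))   # used only by the stand-in forger below

class FDHSimulator:
    """Answers the adversary's H and S queries without d: each hash value is
    h_i = sigma_i^e for a chosen sigma_i, except the j-th fresh query, which is
    answered with the challenge y_hat (that message cannot be signed)."""
    def __init__(self, y_hat, q_total, j=None, rng=random):
        self.y, self.rng = y_hat, rng
        self.j = j if j is not None else rng.randrange(1, q_total + 1)
        self.hist = {}        # Hist[H]: m -> (sigma_i or None, h_i)
        self.i = 0

    def H(self, m):
        if m not in self.hist:
            self.i += 1
            if self.i == self.j:
                self.hist[m] = (None, self.y)
            else:
                s = self.rng.randrange(2, N_HAT)
                self.hist[m] = (s, pow(s, E_HAT, N_HAT))
        return self.hist[m][1]

    def S(self, m):
        self.H(m)
        s = self.hist[m][0]
        if s is None:
            raise RuntimeError("abort: signature query on m_j")
        return s

    def reduce(self, m_star, sigma_star):
        """If the forgery is on m_j and valid, sigma_star is an e-th root of
        y_hat, i.e. the RSA solution; otherwise the reduction fails (None)."""
        if self.H(m_star) == self.y and pow(sigma_star, E_HAT, N_HAT) == self.y:
            return sigma_star
        return None

def toy_forger(sim, m_star):
    """Stand-in adversary that 'forges' with the toy private exponent; it
    exists only to exercise the reduction, not as part of the proof."""
    return pow(sim.H(m_star), D_TOY, N_HAT)
```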
Other Schemes
• RSA-PSS [Bellare and Rogaway, 1996]: Probabilistic Signature Scheme
  $\mu(m) = \mu_{PSS}(m, r)$ for a random $r$
  highest security level (EUF-CMA) in the ROM
  tight security proof, and can be with message recovery
• PKCS #1 v2.1 [RSA Labs]

GHR Signature Scheme II
Key generation
• $pk = \{N, u, y, g, P\}$ with $N = (2p'+1)(2q'+1)$, $u \in_R \mathbb{Z}^*_N$, $y \in_R \langle g \rangle \subseteq \mathbb{Z}^*_P$, $g$ of prime order $Q \mid (P-1)$
• $sk = \{p', q'\}$
Signing: for a message $m \in \mathcal{M}$, compute $\sigma = (r,\, u^{c^{-1} \bmod 2p'q'} \bmod N)$ where $c = H(g^m y^r \bmod P)$ for some $r \in_R \mathbb{Z}_Q$
Verification: signature $\sigma = (r, s)$ on message $m \in \mathcal{M}$ is valid ⇔ $s^{c'} \equiv u \pmod N$ where $c' = H(g^m y^r \bmod P)$
Security reduction is tight but, again, hash function $H$ has to be division-intractable
Chameleon (a.k.a. Trapdoor) Hash
Example (DL-based): let $G = \langle g \rangle \subseteq \mathbb{Z}^*_P$ of order $Q$
  $H : \mathcal{M} \times \mathbb{Z}_Q \to \{0,1\}^{\ell_h}$, $(m, r) \mapsto H(g^m y^r \bmod P)$
• $c = H(m, r) = H(m', r')$ ⇐ $r' = r + \dfrac{m - m'}{x} \bmod Q$ where $x = \mathrm{DL}_g(y)$
Example (RSA-based): let $N = pq$ be an RSA modulus
  $H : \mathcal{M} \times \mathbb{Z}_N \to \{0,1\}^{\ell_h}$, $(m, r) \mapsto H(g^m r^E \bmod N)$
• $c = H(m, r) = H(m', r')$ ⇐ $r' = r\,(g^{m-m'})^D \bmod N$ where $D = E^{-1} \bmod \varphi(N)$

Design Criteria
• Make the GHR signature scheme practical: keep a tight reduction without relying on the division-intractability assumption
• Intuition: choose a random prime exponent $c$; use a chameleon function to tighten the security reduction
• In particular, an RSA-type chameleon function
• The security of TSS is solely related to the SRSA problem
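Added example (not from the slides), in Python with constructed toy parameters, of both chameleon hashes: the DL instance with $P = 2Q + 1 = 2039$, $g = 4$ and a constructed trapdoor $x$, and the RSA instance with a toy modulus and $g = 3$. Each comes with its collision rule from the slide, so one can check that only the trapdoor holder can open a given hash value to another message while the hash itself stays a fixed function of $(m, r)$.

```python
import hashlib

# --- DL-based instance (constructed toy parameters) ---
P_DL, Q_DL, G_DL = 2039, 1019, 4   # P = 2Q+1 prime; 4 = 2^2 generates the order-Q subgroup
X_DL = 777                         # trapdoor x = DL_g(y), known only to the hash owner
Y_DL = pow(G_DL, X_DL, P_DL)

def chameleon_dl(m, r):
    """H(m, r) = H'(g^m y^r mod P) with H' = SHA-256; m an integer, r in Z_Q."""
    v = (pow(G_DL, m, P_DL) * pow(Y_DL, r, P_DL)) % P_DL
    return hashlib.sha256(str(v).encode()).hexdigest()

def collide_dl(m, r, m_new):
    """With the trapdoor x: r' = r + (m - m')/x mod Q gives H(m', r') = H(m, r),
    because g^{m'} y^{r'} = g^{m' + x r + (m - m')} = g^m y^r."""
    return (r + (m - m_new) * pow(X_DL, -1, Q_DL)) % Q_DL

# --- RSA-based instance (constructed toy parameters) ---
P_R, Q_R = 104729, 1299709
N_R = P_R * Q_R
E_R = 65537
D_R = pow(E_R, -1, (P_R - 1) * (Q_R - 1))   # trapdoor D = E^{-1} mod phi(N)
G_R = 3                                      # g in Z_N^*

def chameleon_rsa(m, r):
    """H(m, r) = H'(g^m r^E mod N) with H' = SHA-256; r in Z_N^*."""
    v = (pow(G_R, m, N_R) * pow(r, E_R, N_R)) % N_R
    return hashlib.sha256(str(v).encode()).hexdigest()

def collide_rsa(m, r, m_new):
    """With D: r' = r * (g^{m-m'})^D mod N, since then g^{m'} r'^E = g^{m'} r^E g^{m-m'}.
    A negative exponent in pow() means the modular inverse raised to that power."""
    return (r * pow(pow(G_R, m - m_new, N_R), D_R, N_R)) % N_R
```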