
Almost uniform density of power residues and the provable security of ESIGN

Jacques Stern, École normale supérieure
Tatsuaki Okamoto, NTT Labs

ASIACRYPT 2003, December 3rd 2003

Almost uniform density of power residues and the security proof of ESIGN. - 2 Jacques Stern

Summary

A short introduction to “provable security”

The ESIGN signature scheme

Difficulties with the security proof

Density of power residues

Conclusions


Kerckhoffs’ Principles (original French, translated)

1° The system must be materially, if not mathematically, indecipherable;

2° It must not require secrecy, and it must be able to fall into the enemy’s hands without inconvenience;

K 1883


Kerckhoffs’ Principles (english)

1° The system must be practically if not mathematically indecipherable;

2° The system must not require secrecy, and can fall without drawback into the enemy’s hands;


Public key cryptography

Alice wants to send to Bob. Bob has a pair of related keys:

– A private key kd, only known to Bob

– A public key ke, known to anyone including Alice

DH 1976 RSA 78

Kerckhoffs’ extended second principle: « The encryption key must be able to fall into the enemy’s hands without inconvenience »


Provable security

Attempts to mathematically establish security

Kerckhoffs’ extended first principle: The system must be mathematically indecipherable:

GM84 GMR88


“Practical” provable security

The “random oracle” methodology mediates between practice and maths

It substitutes truly random functions for hash functions and averages over these

Very efficient and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

FS86 BR93


The limits of provable security

Provable security does not yield proofs: proofs are relative, and proofs often use random oracles, whose meaning is debatable (CGH98)

Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed


Provable security in five steps

1 Define goal of adversary

2 Define security model

3 Provide a proof by reduction

4 Check proof

5 Interpret proof


Signature Scheme (formal)

Key Generation Algorithm G: outputs a signing key ks and a verification key kv

Signature Algorithm S: on input ks and a message m, outputs a signature

Verification Algorithm V: on input kv, m and the signature, outputs 0/1

Non-repudiation: impossible to forge a valid signature without ks


Goal of the adversary (1)

Existential Forgery: try to forge a valid message-signature pair without the private key. The adversary is successful if the following probability is large:

$\mathrm{Succ}^{\mathrm{ef}}(A) = \Pr\big[(m,\sigma) \leftarrow A(k_v) : V(m,\sigma) = 1\big]$


Security models (2)

No-Message Attacks: the adversary only knows the verification (public) key

Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs

Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; the strongest attack


Proof by Reduction (3)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

Instance I of P → A → Solution of I


ESIGN (O90)

A signature scheme designed in the late 90ies and considered in IEEE P1363, Cryptrec, NESSIE, together with a security proof

Uses RSA integers of the form n = p²q

Based on the Approximate e-th root problem: given y, find x such that y ≈ x^e mod n

Signature generation is a very efficient way to compute σ = x, given y whose leading 1/3 of bits are H(m) and the rest 0


ESIGN

Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetical progression, so that one simply adjusts t to fall into a prescribed interval of length pq

Thus signing only requires raising to the e-th power

Even (slightly) more efficient for e = 2^u
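The signing idea on the two ESIGN slides, worked through as an added toy example (this is not the slides' or the ESIGN authors' code; the primes, the exponent e = 2^5, the SHA-256 truncation used as H, and all function names are assumptions chosen for the demonstration). It shows why (r + t·pq)^e mod n is an arithmetic progression in t when n = p²q, how the signer picks t so that the value lands in an interval of length pq just above the target y = H(m)·2^shift, and how verification only checks the leading bits of σ^e mod n:

```python
"""Toy ESIGN signer/verifier (added illustration, not the ESIGN reference code).

Facts used, as on the slides:
  * n = p^2 q, so (p*q)^2 = 0 (mod n) and the binomial expansion gives
        (r + t*p*q)^e = r^e + e*t*p*q*r^(e-1)   (mod n),
    an arithmetic progression in t with step e*p*q*r^(e-1) mod n.
  * y = H(m) * 2^shift has H(m) in the leading bits and zeros below; a valid
    signature is any x with x^e mod n in [y, y + 2^shift) (approximate e-th root).
"""
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: two 17-bit primes and e = 2^5 (real ESIGN uses a
# 1024-bit n; the sizes here only keep the numbers readable).
P, Q, E = 104723, 104729, 32


def keygen(p=P, q=Q, e=E):
    n = p * p * q
    pq = p * q
    shift = pq.bit_length()              # pq < 2^shift: the interval of length pq fits under the hash bits
    h_bits = n.bit_length() - 1 - shift  # hash width; guarantees y + 2^shift <= n, so no wrap-around
    pk = {"n": n, "e": e, "shift": shift, "h_bits": h_bits}
    sk = dict(pk, p=p, q=q, pq=pq)
    return pk, sk


def hash_to_int(msg: bytes, h_bits: int) -> int:
    # Leading h_bits bits of SHA-256(msg): a stand-in for ESIGN's H (assumption).
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - h_bits)


def target(pk, msg: bytes) -> int:
    # y: leading bits H(m), remaining bits zero.
    return hash_to_int(msg, pk["h_bits"]) << pk["shift"]


def sign(sk, msg: bytes) -> int:
    n, e, p, pq = sk["n"], sk["e"], sk["p"], sk["pq"]
    y = target(sk, msg)
    while True:
        r = secrets.randbelow(pq)
        if r and gcd(r, p) == 1:         # r must be invertible mod p to solve for t
            break
    z = (y - pow(r, e, n)) % n           # distance from r^e up to the target, mod n
    w0 = -(-z // pq)                     # ceil(z / pq): steps of size pq needed to climb
    # Solve e*t*r^(e-1) = w0 (mod p); then (r + t*pq)^e = r^e + w0*pq (mod n),
    # which lies in [y, y + pq) because w0*pq - z is in [0, pq).
    t = w0 * pow(e * pow(r, e - 1, p), -1, p) % p
    return r + t * pq                    # < pq + (p-1)*pq = n


def verify(pk, msg: bytes, sig: int) -> bool:
    if not 0 < sig < pk["n"]:
        return False
    # Accept iff the leading h_bits of sig^e mod n equal H(m).
    return (pow(sig, pk["e"], pk["n"]) >> pk["shift"]) == hash_to_int(msg, pk["h_bits"])


def progression_step(sk, r: int, t: int) -> int:
    """(r + (t+1)pq)^e - (r + t pq)^e mod n: the same for every t."""
    n, e, pq = sk["n"], sk["e"], sk["pq"]
    return (pow(r + (t + 1) * pq, e, n) - pow(r + t * pq, e, n)) % n


if __name__ == "__main__":
    pk, sk = keygen()
    msg = b"constructed sample message"
    s = sign(sk, msg)
    print("n bits:", pk["n"].bit_length(), "hash bits:", pk["h_bits"])
    print("signature valid:", verify(pk, msg, s))
    print("step independent of t:", progression_step(sk, 12345, 0) == progression_step(sk, 12345, 7))
```

Because r is drawn afresh each time, signing the same message twice gives two different signatures; this is exactly the situation the single-occurrence versus repeated-submission question on the later slide is about.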


Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

Instance I of P → A → Solution of I

Proof not correct in CMA model


Overlooked: submit message twice?

In a probabilistic signature scheme, several signatures may correspond to a message

In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit the same message. Otherwise, one gets a weaker model:

Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of messages.

SPMS 02


Checking proof (4)

Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P

Instance I of P → A → Solution of I

Proof not correct for e a power of two


Overlooked: correct simulation of random oracle

In the security proof, a key step “simulates” a random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)

The simulation picks r at random and “declares” that H(m) consists of the 1/3 leading bits of r^e mod n. This makes σ = r a signature of m.

Need to prove that this correctly simulates a random function: not obvious when e = 2^u


Completing the proof when e = 2^u

Need to show that the density of power residues is almost uniform in any large enough interval

Theorem. Let $N$ be an RSA modulus, $N = pq$; the number of $e$-th power residues modulo $N$ in any interval of length $N^{\alpha}$, $1/2 < \alpha < 1$, is very close to $N^{\alpha}/d$, where $d$ is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5\,N^{1/2-\alpha}\ln(N)$.


Completing the proof

We have two proofs:

First uses two-dimensional lattices and yields slightly worse bounds.

Second (found afterwards) uses the so-called Polya-Vinogradov inequality, which states that, for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$, and any integer $h$,

$\Big|\sum_{1 \le x \le h} \chi(x)\Big| \le 2\sqrt{N}\,\ln(N).$

This is enough to complete the security proof when e is not prime to φ(n).
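A brute-force check of what the theorem on the previous slide counts, added here as an illustration (not the paper's code): for a small modulus N = pq the block enumerates the group of e-th power residues, computes its index d, and compares the number of residues in an interval of length N^α (α being the exponent in the theorem) with the predicted N^α/d. The modulus, exponent and α are constructed toy values; at this size the slide's error bound 5 N^{1/2−α} ln N is far larger than 1, so the code only makes the counting concrete, and it also shows that d = gcd(e, p−1)·gcd(e, q−1), i.e. d > 1 exactly when e is not prime to φ(N), the case the proof needs.

```python
"""Counting e-th power residues in short intervals (added illustration).

R = {x^e mod N : gcd(x, N) = 1} is the group of e-th power residues; its index
d = phi(N) / |R| is what the theorem's N^alpha / d refers to.
"""
from math import gcd, log


def power_residues(N: int, e: int) -> set:
    """Set of e-th power residues modulo N among the units."""
    return {pow(x, e, N) for x in range(1, N) if gcd(x, N) == 1}


def expected_index(p: int, q: int, e: int) -> int:
    """Index of the e-th powers in (Z_pq)*: the e-th power map on a cyclic
    group of order m has image of size m / gcd(e, m), so by CRT the index is
    gcd(e, p-1) * gcd(e, q-1).  It is 1 iff e is prime to phi(N)."""
    return gcd(e, p - 1) * gcd(e, q - 1)


def count_in_interval(N: int, residues: set, start: int, length: int) -> int:
    """Number of integers in [start, start + length) that are e-th power residues mod N."""
    return sum(1 for x in range(start, start + length) if x % N in residues)


def density_report(p: int, q: int, e: int, alpha: float, start: int = 1) -> dict:
    N = p * q
    R = power_residues(N, e)
    d = (p - 1) * (q - 1) // len(R)           # phi(N) / |R|
    h = int(N ** alpha)                        # interval length N^alpha
    observed = count_in_interval(N, R, start, h)
    predicted = h / d
    return {
        "N": N, "e": e, "d": d, "residues": len(R), "h": h,
        "observed": observed, "predicted": predicted,
        "relative_difference": abs(observed - predicted) / predicted,
        "slide_bound": 5 * N ** (0.5 - alpha) * log(N),  # vacuous for N this small
    }


if __name__ == "__main__":
    # Constructed toy modulus: p = 101 (1 mod 4), q = 103 (3 mod 4), e = 4 = 2^2.
    for alpha in (0.6, 0.75, 0.9):
        rep = density_report(101, 103, 4, alpha)
        print(f"alpha={alpha}: h={rep['h']} d={rep['d']} observed={rep['observed']} "
              f"predicted={rep['predicted']:.1f} rel.diff={rep['relative_difference']:.3f} "
              f"slide bound={rep['slide_bound']:.1f}")
```

With e = 4 and p = 101, q = 103 the index is 8 (4th powers are a quarter of the units mod 101 and half of them mod 103), so the group of residues has 25·51 = 1275 elements; the observed counts in intervals of a few thousand integers stay within a few percent of h/8, which is the "almost uniform density" the proof relies on.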


Conclusions (1)

The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.

The first flaw is methodological in character and is related to the security model.

The second is a limitation in the proof that could be overcome by use of (some) number theory.


Conclusions (2)

It took twenty centuries to design RSA

It took over twenty years to understand how to practice RSA and get “provable security”

ESIGN’s provable security took over ten years

Cryptographic schemes should not be adopted and standardized prematurely

And not without a security proof, at least in the random oracle model

Also allow some additional time to check and interpret the security proof