Provable Security vs. Efficiency in Cryptographic Algorithms
The Methodology of Provable Security
Marc Joye
Thomson Security [email protected]
DIWALL Seminar − March 20, 2008
Contents
Part I Introduction
Part II Signature Schemes
Part III Encryption Schemes
Part IV Conclusion
Part I
Introduction
Digital Signatures
Digital counterpart of a handwritten signature
Key properties
Digital signature ⟹ authentication, integrity, non-repudiation
Textbook RSA Signature
• Key generation
Input: key length k and e
Output: N = pq such that |N|_2 = k and gcd(e, φ(N)) = 1; d = e^{-1} mod φ(N)
pk = {e, N} and sk = {d}
• [Plain] RSA signing
Input: private key sk and message m
Output: signature σ = m^d mod N
• [Plain] RSA verification
Input: public key pk, signature σ, and message m
Output: σ^e ≟ m (mod N)
Existential Forgeries
Signing: σ = m^d mod N
Verification: σ^e ≟ m (mod N)
1. Choose a random r
2. Compute m = r^e mod N
3. Set σ = r
4. Output σ as the signature on “message” m
Selective Forgeries
Observation
Multiplicative property:
(m_1 m_2)^d ≡ m_1^d m_2^d ≡ σ_1 σ_2 (mod N)
• To obtain the signature σ on a chosen message m:
1. Choose a random m_1 = r and define m_2 = m/r mod N
2. Obtain the signatures σ_1 = m_1^d mod N and σ_2 = m_2^d mod N
3. Output σ = σ_1 σ_2 mod N
• One-message forgery?
Idem with m_1 = r^e mod N for a random r
(Note that σ_1 = r)
What Does Secure Mean?
• Given (m, e), computing σ = m^{1/e} mod N is difficult
⟹ textbook RSA signatures are unforgeable (provided that the RSA problem is hard)
• . . . but it is easy given an oracle returning the signature on chosen messages
⟹ textbook RSA signatures are (universally) forgeable under chosen-message attacks
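Added example (not from the slides): the existential and selective forgeries of the previous slides, run against a toy textbook RSA key, followed by the hash-then-sign variant that the later slides build on. The key is constructed from two Mersenne primes (far too small for real use), the oracle, target and message values are constructed, and the full-domain hash is built from SHA-512; Python 3.8+ is assumed for pow(x, -1, n).

```python
import hashlib
import secrets

# Constructed toy RSA key: 2^61-1 and 2^89-1 are known primes. e = 65537 is
# coprime to (p-1)(q-1) because the order of 2 modulo 65537 is 32 and neither
# 60 nor 88 is a multiple of 32.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def sign_textbook(m: int) -> int:
    """Plain RSA signing: sigma = m^d mod N."""
    return pow(m, D, N)


def verify_textbook(m: int, sigma: int) -> bool:
    """Plain RSA verification: sigma^e == m (mod N)."""
    return pow(sigma, E, N) == m % N


def existential_forgery() -> tuple:
    """Slide 'Existential Forgeries': pick sigma first, derive the 'message'."""
    sigma = secrets.randbelow(N - 2) + 2
    m = pow(sigma, E, N)
    return m, sigma


class SigningOracle:
    """Chosen-message oracle that refuses to sign one target message."""

    def __init__(self, forbidden: int):
        self.forbidden = forbidden
        self.queries = 0

    def sign(self, m: int) -> int:
        if m == self.forbidden:
            raise PermissionError("oracle will not sign the target message")
        self.queries += 1
        return sign_textbook(m)


def selective_forgery(target: int, oracle: SigningOracle) -> int:
    """Slide 'Selective Forgeries': two queries on blinded messages
    m1 = r and m2 = target / r, combined via (m1 m2)^d = m1^d m2^d."""
    r = secrets.randbelow(N - 2) + 2
    m1 = r
    m2 = target * pow(r, -1, N) % N
    return oracle.sign(m1) * oracle.sign(m2) % N


def hash_to_int(msg: bytes) -> int:
    """Constructed full-domain-style hash H : {0,1}* -> Z_N (SHA-512, then mod N)."""
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % N


def sign_hashed(msg: bytes) -> int:
    return pow(hash_to_int(msg), D, N)


def verify_hashed(msg: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == hash_to_int(msg)


def demo() -> dict:
    m_forged, sigma_forged = existential_forgery()
    target = 0x123456789ABCDEF                 # constructed target message
    oracle = SigningOracle(forbidden=target)
    sigma_sel = selective_forgery(target, oracle)
    return {
        "existential_valid": verify_textbook(m_forged, sigma_forged),
        "selective_valid": verify_textbook(target, sigma_sel),
        "oracle_queries": oracle.queries,
        # With hashing, sigma is tied to message bytes through H; the forged
        # integer 'message' is not the hash of any message the attacker can
        # name, so the same sigma is rejected.
        "existential_rejected_hashed": not verify_hashed(b"any message", sigma_forged),
        "hashed_roundtrip": verify_hashed(b"pay 10 EUR", sign_hashed(b"pay 10 EUR")),
    }
```

The oracle never signs the target itself, yet two blinded queries suffice for a signature on it; this is exactly the gap between "the RSA problem is hard" and "unforgeable under chosen-message attacks" that the next slides formalise.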
Provable Security
• Security proofs
Reduction to a hard problem
Definition of a security model
Definition of the adversary’s resources
• Security notions
Signature schemes
Encryption schemes
Bibliography
Mihir Bellare. Practice-oriented provable security. Lectures on Data Security, LNCS 1561, pages 1–15, Springer, 1999
Neal Koblitz and Alfred J. Menezes. Another look at “provable security”. J. Cryptology 20(1):3–37, 2007
Part II
Provably Secure Signature Schemes
Digital Signatures
Definition
A digital signature scheme is a set of 3 algorithms:
1. Key generation
Input: security parameter κ
Output: key pair (pk, sk)
2. Signing
Input: signing key sk, message m [and random r]
Output: σ = S(sk, m [, r])
3. Verification
Input: verification key pk, signature σ [and message m]
Output: V(pk, σ [, m]) = 0 or 1
Security Notions
Security goals
• Key unbreakability
• Universal unforgeability
• Selective unforgeability
• Existential unforgeability (EUF)
Attack scenarios
• No resources (except public key pk)
• Known-message attacks
• Chosen-message attacks (CMA)
Definition
A security notion is a pair (security goal, attack scenario)
e.g., EUF-CMA
EUF-CMA Adversary
Simulation Paradigm
‘Reductio ad absurdum’
0. Challenge: some instance I of an ‘intractable’ problem
1. Simulation: pk given to A; simulation of S_sk(·) to answer the q_S queries of A
2. Reduction: resolution of I from (m*, σ*)
⟹ “Reductionist” security
Cryptographic Problems
Definition (RSA problem)
Given an RSA modulus N, a public exponent e ∈ Z*_{φ(N)} and a random y ∈_R Z*_N, compute x = y^{e^{-1} mod φ(N)} mod N
Definition (Flexible RSA [a.k.a. SRSA] problem)
Given an RSA modulus N and a random y ∈_R Z*_N, find a pair (x, e) s.t. y ≡ x^e (mod N) and e > 1
GHR Signature Scheme I
Key generation
• pk = {N, u} with N = (2p′ + 1)(2q′ + 1) and u ∈_R Z*_N
• sk = {p′, q′}
Signing: For a message m ∈ M, compute σ = u^{c^{-1} mod 2p′q′} mod N, where c = H(m)
Verification: Signature σ on message m ∈ M is valid ⟺ σ^{H(m)} ≡ u (mod N)
Hash function H has to be division-intractable
• e.g., H : M → {primes} ∩ {0, 1}^{ℓ_h}
Security of GHR Scheme I
Theorem
Suppose that the SRSA problem is (τ, ε)-hard. Then, for any q_S, GHR signature scheme I is (τ_A, q_S, ε_A)-secure in the sense of EUF-CMA, where
$\varepsilon \geq \frac{\varepsilon_A}{\#\mathcal{M}}$ and $\tau \leq \tau_A + (q_S + \#\mathcal{M})\,\mathrm{poly}(\kappa)$
Security Proof
Challenge: Given (N, y), find (x, e) s.t. y ≡ x^e (mod N) and e > 1
Simulation
• Key generation: pk = {N, u}
choose m′ ∈_R M, define $E = \prod_{m \in \mathcal{M},\, m \neq m'} H(m)$ and u = y^E mod N
• Signing: on input message m
if m ≠ m′ then return σ = y^{E/H(m)} mod N (the H(m)-th root of u, since H(m) divides E)
if m = m′ then abort
Reduction
• A returns a forgery (σ*, m*) with probability ε_A
• If m* = m′ then σ* = y^{E/H(m′)} mod N, i.e., σ*^{H(m′)} ≡ y^E (mod N)
• Find a, b ∈ Z s.t. aE + bH(m′) = 1 (possible since gcd(E, H(m′)) = 1 by division-intractability); then x = σ*^a y^b mod N and e = H(m′) satisfy x^e ≡ y (mod N)
Success probability
$1 \cdot \left(1 - \frac{q_S}{\#\mathcal{M}}\right) \cdot \varepsilon_A \cdot \frac{1}{\#\mathcal{M} - q_S} = \frac{\varepsilon_A}{\#\mathcal{M}}$
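Added example (not from the slides or the GHR paper): GHR scheme I with its simulator, on a constructed toy modulus N = 2039 · 1523 (both safe primes, p′ = 1019, q′ = 761). The hash-to-prime H is an assumption (SHA-256, top bit set, next prime); the message space is four constructed strings; the forger is a stand-in that produces the forgery with the trapdoor it is assumed to have, so that the Bézout extraction step can be checked. Python 3.8+ is assumed for pow(x, -1, n).

```python
import hashlib

# Constructed toy parameters: N = (2p'+1)(2q'+1) with 2039 and 1523 safe primes.
P_PRIME, Q_PRIME = 1019, 761
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)
LAMBDA = 2 * P_PRIME * Q_PRIME            # exponent of Z_N^*; c^{-1} is taken mod 2p'q'
L_H = 24                                  # output length of the hash-to-prime H
MESSAGE_SPACE = [b"alpha", b"bravo", b"charlie", b"delta"]   # the finite set M


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 24-bit values used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def hash_to_prime(m: bytes) -> int:
    """Assumed H : M -> {primes} ∩ {0,1}^{l_h}: SHA-256 prefix, top and low bit set, next prime."""
    c = int.from_bytes(hashlib.sha256(m).digest()[:L_H // 8], "big") | (1 << (L_H - 1)) | 1
    while not is_prime(c):
        c += 2
    return c


def ghr_sign(u: int, m: bytes) -> int:
    """Real signer (knows p', q'): sigma = u^{c^{-1} mod 2p'q'} mod N with c = H(m)."""
    return pow(u, pow(hash_to_prime(m), -1, LAMBDA), N)


def ghr_verify(u: int, m: bytes, sigma: int) -> bool:
    return pow(sigma, hash_to_prime(m), N) == u


def reduction(y: int, forger):
    """The proof's simulator: from an SRSA instance (N, y) build pk, answer
    signature queries without p', q', and turn a forgery on m' into (x, e)."""
    m_prime = MESSAGE_SPACE[-1]                  # guess of the forgery target
    primes = {m: hash_to_prime(m) for m in MESSAGE_SPACE}
    assert len(set(primes.values())) == len(primes)   # distinct primes => E/H(m) integral
    E = 1
    for m, c in primes.items():
        if m != m_prime:
            E *= c
    u = pow(y, E, N)                              # simulated public key

    def simulated_sign(m: bytes) -> int:
        if m == m_prime:
            raise RuntimeError("abort: forger asked for the guessed message")
        return pow(y, E // primes[m], N)          # = u^{1/H(m)}, no trapdoor needed

    m_star, sigma_star = forger(u, simulated_sign)
    if m_star != m_prime or not ghr_verify(u, m_star, sigma_star):
        return None
    h = primes[m_prime]
    a = pow(E, -1, h)                             # a*E + b*h = 1 (Bezout), gcd(E, h) = 1
    b = (1 - a * E) // h                          # exact division, b <= 0
    x = pow(sigma_star, a, N) * pow(y, b, N) % N  # x^h = sigma*^{ah} y^{bh} = y^{aE+bh} = y
    return x, h


def demo_forger(u: int, sign_oracle):
    """Constructed forger: queries three signatures (checking each), then forges
    on the fourth message using the trapdoor it is assumed to possess."""
    for m in MESSAGE_SPACE[:-1]:
        assert ghr_verify(u, m, sign_oracle(m))   # simulated signatures are perfect
    m_star = MESSAGE_SPACE[-1]
    return m_star, ghr_sign(u, m_star)


def demo(y: int = 123457) -> dict:
    """Run the reduction on the constructed SRSA instance (N, y)."""
    x, e = reduction(y, demo_forger)
    return {"N": N, "y": y, "x": x, "e": e, "solves_srsa": pow(x, e, N) == y and e > 1}
```

The simulator's signatures are distributed exactly like real ones, which is why the success probability only loses the factor 1/#M from guessing m′; the toy message space makes that guess succeed every time.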
EUF-CMA Adversary (RO Model)
• RO = Random Oracle
RSA-FDH
Key generation: pk = {N, e}, sk = {d} with d = e^{-1} mod φ(N)
Signing
• Padding: m ↦ H(m) with H : {0, 1}* → (Z/NZ)*
• Signature: σ = H(m)^d mod N
Verification: Given m and σ, check whether σ^e mod N ≟ H(m)
Theorem
Suppose that the RSA problem is (τ, ε)-hard. Then, for any q_H, q_S, the RSA-FDH signature scheme is (τ_A, q_S, q_H, ε_A)-secure in the sense of EUF-CMA in the RO model, where
$\varepsilon \geq \frac{\varepsilon_A}{q_H + q_S}$ and $\tau \leq \tau_A + (q_H + q_S)\,\mathrm{poly}(\kappa)$
Security Proof of FDH
• Simulation/reduction principle
Challenge: RSA(N, e, y): find x ∈ Z/NZ s.t. y ≡ x^e (mod N)
• Notation
q_H: number of hash queries that are not followed later by a signature query on the same message
q_S: number of signature queries
Simulation (1)
Simulation of K(1^κ)
• Choose j ∈_R {1, . . . , q_H + q_S}
• pk = {N, e}, with N and e taken from the challenge instance
Simulation of H(m)
• If m ∈ Hist[H] then return H(m)
• Otherwise, increment i and
if i ≠ j, add (m, σ_i, h_i) to Hist[H] with h_i = σ_i^e mod N for a random σ_i ∈_R (Z/NZ)*, and return h_i
if i = j then add (m, ⊥, h_j) to Hist[H] with h_j = y, and return h_j
Simulation of S_sk(m)
• If m ∉ Hist[H] then invoke H
• Let (m, σ_i, h_i) be the entry in Hist[H] corresponding to m
if σ_i = ⊥ then fail and stop, otherwise return σ_i
Reduction (2)
Reduction
• A returns a forgery σ* = H(m*)^d mod N with probability ε_A, after time τ_A, q_H queries to H and q_S queries to S
• If m* = m_j then σ* = H(m_j)^d mod N with H(m_j) = y
⟹ x = σ* is a solution to the RSA instance since y ≡ σ*^e (mod N)
Analysis
• Success probability
$\varepsilon = \Pr[\text{Simulation is perfect}] \cdot \varepsilon_A \cdot \Pr[m^* = m_j] = \left(1 - \frac{q_S}{q_H + q_S}\right) \cdot \varepsilon_A \cdot \frac{1}{q_H} = \frac{\varepsilon_A}{q_H + q_S}$
• Time: τ = τ_A + (q_H + q_S) poly(κ)
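Added example (not from the slides): the random-oracle programming of the FDH simulation and reduction above, together with the three outcomes counted in the analysis (abort on a signature query for m_j, miss when the forgery is not on m_j, success otherwise). The RSA instance is constructed from two Mersenne primes; the forger is a stand-in that knows d and always queries five messages, signs two of them and forges on a third, so every guess j can be run in turn. Python 3.8+ is assumed for pow(x, -1, n).

```python
import secrets

# Constructed RSA challenge instance (2^61-1 and 2^89-1 are known primes).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # known to the forger stand-in only; the simulator never uses it


class FdhSimulator:
    """Plays the reduction: given (N, e, y) and a guess j of the H-query index
    on which the forgery will land, it answers H and S queries without d."""

    def __init__(self, y: int, j: int):
        self.y, self.j = y, j
        self.i = 0
        self.hist = {}                      # m -> (sigma_i or None, h_i)

    def hash_oracle(self, m: bytes) -> int:
        if m not in self.hist:
            self.i += 1
            if self.i == self.j:
                self.hist[m] = (None, self.y)            # embed the challenge y
            else:
                sigma = secrets.randbelow(N - 2) + 2
                self.hist[m] = (sigma, pow(sigma, E, N))  # h_i = sigma_i^e, so sigma_i signs m
        return self.hist[m][1]

    def sign_oracle(self, m: bytes) -> int:
        self.hash_oracle(m)
        sigma, _ = self.hist[m]
        if sigma is None:
            raise RuntimeError("abort")     # the challenge-bearing message cannot be signed
        return sigma

    def reduce(self, m_star: bytes, sigma_star: int):
        """A valid forgery on the message with H(m) = y is an e-th root of y."""
        if pow(sigma_star, E, N) != self.hash_oracle(m_star):
            return None
        if self.hist[m_star][1] != self.y:
            return None
        return sigma_star


MESSAGES = [b"m0", b"m1", b"m2", b"m3", b"m4"]   # constructed; queried to H in this order
SIGNED = [b"m1", b"m3"]                          # the forger asks for these signatures
FORGED = b"m2"                                   # the forger outputs a forgery on this


def run_once(y: int, j: int) -> tuple:
    """Run the simulation with guess j against the forger stand-in.
    Returns ('abort', None), ('miss', None) or ('success', x)."""
    sim = FdhSimulator(y, j)
    try:
        for m in MESSAGES:
            sim.hash_oracle(m)               # q_H + q_S = 5 distinct H queries
        for m in SIGNED:
            sig = sim.sign_oracle(m)
            assert pow(sig, E, N) == sim.hash_oracle(m)   # simulated signatures verify
    except RuntimeError:
        return "abort", None
    sigma_star = pow(sim.hash_oracle(FORGED), D, N)       # the forger's assumed power
    x = sim.reduce(FORGED, sigma_star)
    return ("success", x) if x is not None else ("miss", None)


def run_all(y: int = 987654321) -> dict:
    """Outcome for every guess j in {1, ..., q_H + q_S}: one success, q_S aborts, the rest misses."""
    return {j: run_once(y, j) for j in range(1, len(MESSAGES) + 1)}
```

With the forger's behaviour fixed, exactly one of the five guesses succeeds and two abort, which is the 1/(q_H + q_S) of the analysis; in the real proof j is random and the forger's choices are not known in advance.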
Concrete Security
• Security of RSA-FDH: ε = ε_A / (q_H + q_S)
• If q_H = 2^40 and q_S = 2^20 then
ε = 2^−120 if ε_A = 2^−80
ε_A = 2^−40 if ε = 2^−80
• Improvement
optimal proof: ε = ε_A / q_S
Other Schemes
• RSA-PSS [Bellare and Rogaway, 1996]
Probabilistic Signature Scheme
µ(m) = µ_PSS(m, r) for a random r
highest security level (EUF-CMA) in the ROM; tight security proof; can be used with message recovery
• PKCS #1 v2.1 [RSA Labs]
GHR Signature Scheme II
Key generation
• pk = {N, u, y, g, P} with N = (2p′ + 1)(2q′ + 1), u ∈_R Z*_N, y ∈_R 〈g〉 ⊆ Z*_P, g of prime order Q | (P − 1)
• sk = {p′, q′}
Signing: For a message m ∈ M, compute σ = (r, u^{c^{-1} mod 2p′q′} mod N), where c = H(g^m y^r mod P) for some r ∈_R Z_Q
Verification: Signature σ = (r, s) on message m ∈ M is valid ⟺ s^{c′} ≡ u (mod N) where c′ = H(g^m y^r mod P)
Security reduction is tight but, again, hash function H has to be division-intractable
Chameleon (a.k.a. Trapdoor) Hash
Example (DL-based)
Let G = 〈g〉 ⊆ Z*_P be of order Q
H : M × Z_Q → {0, 1}^{ℓ_h}, (m, r) ↦ H(g^m y^r mod P)
• c = H(m, r) = H(m′, r′) ⟹ r′ = r + (m − m′)/x mod Q, where x = DL_g(y)
Example (RSA-based)
Let N = pq be an RSA modulus
H : M × Z_N → {0, 1}^{ℓ_h}, (m, r) ↦ H(g^m r^E mod N)
• c = H(m, r) = H(m′, r′) ⟹ r′ = r (g^{m−m′})^D mod N, where D = E^{-1} mod φ(N)
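Added example (not from the slides): both chameleon hashes above, with the trapdoor holder computing the collision randomiser r′ for a new message. The DL instance uses the constructed safe prime P = 2039 (Q = 1019, g = 4 of order Q) and a constructed secret x; the RSA instance uses a constructed Mersenne-prime modulus with E = 65537; the outer H is SHA-256 of the group element. Python 3.8+ is assumed for negative exponents in pow.

```python
import hashlib

# DL-based instance (constructed): P = 2Q + 1 with P = 2039, Q = 1019 both
# prime, so the squares mod P form the subgroup <g> of prime order Q.
P_DL, Q_DL = 2039, 1019
G_DL = pow(2, 2, P_DL)                 # 4 has order Q
X_DL = 731                             # trapdoor x = DL_g(y), constructed
Y_DL = pow(G_DL, X_DL, P_DL)

# RSA-based instance (constructed): two Mersenne primes, E = 65537, D = E^{-1} mod phi(N).
P_RSA, Q_RSA = 2**61 - 1, 2**89 - 1
N_RSA = P_RSA * Q_RSA
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))
G_RSA = 3                              # element of Z_N^*, constructed


def h(value: int) -> str:
    """Outer hash H : {0,1}* -> {0,1}^{l_h}, here SHA-256 of the group element."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def cham_dl(m: int, r: int) -> str:
    """H(m, r) = H(g^m y^r mod P)."""
    return h(pow(G_DL, m, P_DL) * pow(Y_DL, r, P_DL) % P_DL)


def collide_dl(m: int, r: int, m_new: int) -> int:
    """With the trapdoor x: r' = r + (m - m') / x mod Q, so g^{m'} y^{r'} = g^{m} y^{r}."""
    return (r + (m - m_new) * pow(X_DL, -1, Q_DL)) % Q_DL


def cham_rsa(m: int, r: int) -> str:
    """H(m, r) = H(g^m r^E mod N)."""
    return h(pow(G_RSA, m, N_RSA) * pow(r, E_RSA, N_RSA) % N_RSA)


def collide_rsa(m: int, r: int, m_new: int) -> int:
    """With the trapdoor D: r' = r (g^{m - m'})^D mod N, so g^{m'} r'^E = g^{m} r^E."""
    return r * pow(pow(G_RSA, m - m_new, N_RSA), D_RSA, N_RSA) % N_RSA


def demo() -> dict:
    m, m_new = 17, 400                 # constructed messages
    r_dl, r_rsa = 123, 98765           # constructed randomisers
    return {
        "dl_collision": cham_dl(m, r_dl) == cham_dl(m_new, collide_dl(m, r_dl, m_new)),
        "dl_distinct_without_trapdoor": cham_dl(m, r_dl) != cham_dl(m_new, r_dl),
        "rsa_collision": cham_rsa(m, r_rsa) == cham_rsa(m_new, collide_rsa(m, r_rsa, m_new)),
        "rsa_distinct_without_trapdoor": cham_rsa(m, r_rsa) != cham_rsa(m_new, r_rsa),
    }
```

The collision-finding step is what the simulator in a chameleon-based proof uses: it commits to a hash value before knowing the message, then opens it to whatever the adversary later asks for, which is how the reduction avoids guessing and stays tight.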
Design Criteria
• Make the GHR signature scheme practical
keep a tight reduction without relying on the division-intractability assumption
• Intuition
choose a random prime exponent c
use a chameleon function to tighten the security reduction
• in particular, an RSA-type chameleon function
• the security of TSS is solely related to the SRSA problem
TSS Signature Scheme
Key generation
• pk = {n, N, u, g, E} with n = (2p′ + 1)(2q′ + 1) and N = (2P′ + 1)(2Q′ + 1), u ∈_R Z*_n and g ∈_R Z*_N, E an (ℓ_m + 1)-bit prime (and gcd(E, P′Q′) = 1)
• sk = {p′, q′, D} where D = E^{-1} mod 2P′Q′
Signing: For a message m ∈ M = {0, 1}^{ℓ_m}, compute
$\sigma = \bigl(\underbrace{(c\,g^{-(m+1)})^{D} \bmod N}_{=\,r},\ u^{c^{-1} \bmod 2p'q'} \bmod n\bigr)$
for some random prime c ∈_R [(N + 1)/2, N[
Verification: Signature σ = (r, s) on message m ∈ M is valid ⟺ s^{c′} ≡ u (mod n) where c′ = g^{m+1} r^E mod N
Notes: 1) For sEUF-CMA, also check that (r, s) ∈ [0, N[ × [0, n[; 2) No need to check the primality of c′
Security Analysis
Theorem
Suppose that the flexible RSA problem is (τ, ε)-hard. Then, for any q_s, the TSS signature scheme is (τ_A, q_s, ε_A)-secure in the sense of sEUF-CMA, where
$\varepsilon \geq \frac{\varepsilon_A}{2}$ and $\tau \lesssim \tau_A + O\bigl(\ell_n^{5} + q_s\,\ell_n^{3}\max(\log q_s, \ell_n)\bigr)$
• The proof technique makes use of the chameleon paradigm to get a tight security reduction
Efficiency Analysis
Scheme    | Security: tightness | Security: assumption | Typical values               | Bitsize σ     | Bitsize pk    | Bitsize sk
GHR (II)  | O(1)                | Div + DL + SRSA      | ℓ_n = ℓ_p = 1024, ℓ_q = 160  | ℓ_n + ℓ_q     | 2ℓ_n + 3ℓ_p   | ½ ℓ_n
Twin-GHR  | O(1)                | SRSA                 | ℓ_n = 1024, ℓ_m = 160        | 2ℓ_n + 2ℓ_m   | 4ℓ_n          | ℓ_n
CS        | O(1/q_s)            | SRSA                 | ℓ_n ≫ 1024, ℓ_h = 160        | 2ℓ_n + ℓ_h    | 3ℓ_n + ℓ_h    | ½ ℓ_n
Fischlin  | O(1/q_s)            | SRSA                 | ℓ_n ≫ 1024, ℓ_h = 160        | ℓ_n + 2ℓ_h    | 4ℓ_n          | ½ ℓ_n
TSS       | O(1)                | SRSA                 | ℓ_n = 1024, ℓ_m = 160        | 2ℓ_n          | 4ℓ_n + ℓ_m    | ℓ_n
On-line/Off-line Version
Key generation Idem regular version
Signing (off-line) Prepare a coupon
$\sigma' = \bigl(k',\ \underbrace{g^{\,k'-D}\,c^{D} \bmod N}_{=\,r},\ u^{c^{-1} \bmod 2p'q'} \bmod n\bigr)$
for some random prime c ∈_R [(N + 1)/2, N[ and a random (ℓ_n + ℓ_m + ℓ)-bit integer k′
Signing (on-line): For a message m ∈ M = {0, 1}^{ℓ_m}, compute
$\sigma = (\underbrace{k' + D\,m}_{=\,k},\ r,\ s)$
from a fresh coupon σ′ = (k′, r, s)
Verification: On-line/off-line signature σ = (k, r, s) on message m ∈ M is valid ⟺ s^{c′} ≡ u (mod n) where c′ = g^{m+1} r′^E mod N and r′ = r g^{−k} mod N
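Added example (not from the slides or the CT-RSA 2007 paper): the TSS scheme and its on-line/off-line variant, covering the "TSS Signature Scheme" slide and the coupon construction above, on constructed toy parameters: n = 2039 · 1523 (p′ = 1019, q′ = 761), N = 1907 · 1823 (P′ = 953, Q′ = 911), all four factors safe primes, ℓ_m = 8 so that E = 257 is a 9-bit prime, and constructed u, g and slack ℓ = 64. Python 3.8+ is assumed for negative and inverse exponents in pow.

```python
import secrets

# Constructed toy parameters; the paper's sizes are 1024-bit moduli.
P1, Q1 = 1019, 761
n = (2 * P1 + 1) * (2 * Q1 + 1)              # n = 2039 * 1523
P2, Q2 = 953, 911
N = (2 * P2 + 1) * (2 * Q2 + 1)              # N = 1907 * 1823
L_M = 8                                      # message length l_m
E = 257                                      # (l_m + 1)-bit prime, gcd(E, P'Q') = 1
D = pow(E, -1, 2 * P2 * Q2)                  # secret D = E^{-1} mod 2P'Q'
LAMBDA_n = 2 * P1 * Q1                       # c^{-1} is taken mod 2p'q'
U, G = 12345, 6789                           # u in Z_n^*, g in Z_N^*, constructed
L_EXTRA = 64                                 # statistical slack l for the coupon's k'


def is_prime(x: int) -> bool:
    """Trial division; fine for the 22-bit values used here."""
    if x < 2 or x % 2 == 0:
        return x == 2
    d = 3
    while d * d <= x:
        if x % d == 0:
            return False
        d += 2
    return True


def random_prime_upper_half() -> int:
    """Random prime c in [(N + 1)/2, N[, so c is coprime to 2p'q' and 2P'Q'."""
    lo = (N + 1) // 2
    while True:
        c = lo + secrets.randbelow(N - lo)
        if is_prime(c):
            return c


def tss_sign(m: int) -> tuple:
    """sigma = (r, s): r = (c g^{-(m+1)})^D mod N, s = u^{c^{-1} mod 2p'q'} mod n."""
    c = random_prime_upper_half()
    r = pow(c * pow(G, -(m + 1), N) % N, D, N)
    s = pow(U, pow(c, -1, LAMBDA_n), n)
    return r, s


def tss_verify(m: int, sig: tuple) -> bool:
    """c' = g^{m+1} r^E mod N (equals c, no primality check needed), then s^{c'} == u (mod n).
    The range checks on (r, s) are the ones required for sEUF-CMA."""
    r, s = sig
    if not (0 <= m < 2**L_M and 0 <= r < N and 0 <= s < n):
        return False
    c_prime = pow(G, m + 1, N) * pow(r, E, N) % N
    return pow(s, c_prime, n) == U


def make_coupon() -> tuple:
    """Off-line phase: sigma' = (k', g^{k'-D} c^D mod N, u^{c^{-1}} mod n) for a random
    (l_n + l_m + l)-bit k' (top bit set so that k' > D)."""
    c = random_prime_upper_half()
    bits = N.bit_length() + L_M + L_EXTRA
    k_prime = secrets.randbits(bits) | (1 << (bits - 1))
    r = pow(G, k_prime - D, N) * pow(c, D, N) % N
    s = pow(U, pow(c, -1, LAMBDA_n), n)
    return k_prime, r, s


def online_sign(m: int, coupon: tuple) -> tuple:
    """On-line phase: k = k' + D m, one integer multiply-add."""
    k_prime, r, s = coupon
    return k_prime + D * m, r, s


def online_verify(m: int, sig: tuple) -> bool:
    """r' = r g^{-k} mod N, then the regular check on (r', s); r'^E = c g^{-(m+1)} by construction."""
    k, r, s = sig
    r_prime = r * pow(G, -k, N) % N
    return tss_verify(m, (r_prime, s))
```

The coupon fixes c and D before the message is known; because D E ≡ 1 (mod 2P′Q′), the exponent bookkeeping in online_verify cancels to c′ = c exactly, which is the RSA-type chameleon trick from the design-criteria slide.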
Summary
• The TSS signature scheme
meets the highest security notion
is proven secure in the standard model
is tightly and solely related to SRSA
does not require additional properties on a hash function
• and so is practical
• comes with a companion on-line/off-line variant using the same set of keys
• My recommendation
Use it!
Bibliography
M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM Press, 1993
B. Chevallier-Mames and M. Joye. A practical and tightly secure signature scheme without hash function. Topics in Cryptology − CT-RSA 2007, LNCS 4377, pp. 339–356, Springer, 2007
R. Gennaro, S. Halevi, and T. Rabin. Secure hash-and-sign signatures without the random oracle. Advances in Cryptology − EUROCRYPT ’99, LNCS 1592, pp. 123–139, Springer-Verlag, 1999
Part III
Provably Secure Encryption Schemes
Encryption Schemes
Definition
A (public-key) encryption scheme is a set of 3 algorithms:
1. Key generation
Input: security parameter κ
Output: key pair (pk, sk)
2. Encryption
Input: encryption key pk, message m [and random r]
Output: C = E(pk, m [, r])
3. Decryption
Input: decryption key sk, ciphertext C
Output: m = D(sk, C)
Security Goals
• Key unbreakability
• Non-reversibility
• Indistinguishability of encryptions
• . . .
A system has indistinguishable encryptions if no adversary A can win the following game:
Find: A chooses 2 equal-length plaintexts m_0 and m_1
Guess: A is now given the encryption c_b for an unknown bit b
The goal of adversary A is to guess the value of b with probability > 1/2
Attack Scenarios
Passive attacks A only observes the communication channel
• ∅
• Ciphertext-only attacks
• Known-plaintext attacks
Chosen-plaintext attacks (CPA)
• Non-adaptive/Adaptive
Chosen-ciphertext attacks (CCA)
• Non-adaptive/Adaptive
• E.g., A gained access to the decryption equipment
Security Notions
Definition
A security notion is a pair (security goal, attack scenario)
Highest security level
IND-CCA2
• that is, indistinguishability under adaptive chosen-ciphertext attacks
RSA-OAEP Encryption
Key generation pk = {N, e}, sk = {d} with d = e−1 mod φ(N)
Encryption
• Choose a random r
• Padding: w = (m ‖ 0^k) ⊕ G(r) and t = r ⊕ H(w)
• Encryption: C = (w ‖ t)^e mod N
Decryption: Given C, compute
1. (w′ ‖ t′) = C^d mod N
2. r′ = H(w′) ⊕ t′
3. (m′ ‖ z′) = G(r′) ⊕ w′
and output m = m′ if z′ = 0^k
Security
Theorem
Under the RSA assumption, the RSA-OAEP encryption scheme is secure in the sense of IND-CCA2 in the RO model
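Added example (not from the slides and not PKCS #1 v2.1): the padding, encryption and decryption steps of the RSA-OAEP slide, with the z′ = 0^k check that makes decryption reject a modified ciphertext. The modulus is constructed from two Mersenne primes (150 bits), the block w ‖ t is 144 bits so it always lies below N, k_0 = k = 32, messages are 80 bits, and G and H are built from SHA-256 with domain tags; all of these sizes are assumptions for the toy. Python 3.8+ is assumed for pow(x, -1, n).

```python
import hashlib
import secrets

# Constructed toy RSA-OAEP parameters (not PKCS #1 sizes).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                     # 150-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K0 = 32                       # bits of the random seed r
K1 = 32                       # bits of the zero check-string 0^k
M_BITS = 80                   # message length
W_BITS = M_BITS + K1          # 112
BLOCK_BITS = W_BITS + K0      # 144 < 150, so w||t < N


def G(r: int) -> int:
    """Assumed G : {0,1}^{k0} -> {0,1}^{W_BITS}, SHA-256 with a domain tag, truncated."""
    digest = hashlib.sha256(b"G" + r.to_bytes(K0 // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - W_BITS)


def H(w: int) -> int:
    """Assumed H : {0,1}^{W_BITS} -> {0,1}^{k0}, likewise from SHA-256."""
    digest = hashlib.sha256(b"H" + w.to_bytes(W_BITS // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - K0)


def encrypt(m: int) -> int:
    """w = (m || 0^k) xor G(r), t = r xor H(w), C = (w || t)^e mod N."""
    assert 0 <= m < 2**M_BITS
    r = secrets.randbits(K0)
    w = (m << K1) ^ G(r)
    t = r ^ H(w)
    return pow((w << K0) | t, E, N)


def decrypt(c: int):
    """Steps 1-3 of the slide; returns m, or None when the check-string z' is not 0^k."""
    if not 0 <= c < N:
        return None
    block = pow(c, D, N)
    if block >= 1 << BLOCK_BITS:            # not a well-formed w' || t'
        return None
    w, t = block >> K0, block & ((1 << K0) - 1)
    r = H(w) ^ t
    mz = G(r) ^ w
    m, z = mz >> K1, mz & ((1 << K1) - 1)
    return m if z == 0 else None


def demo(m: int = 0xDEADBEEF0123456789AB) -> dict:
    """Round trip, randomisation, and rejection of a ciphertext with one flipped bit."""
    c1, c2 = encrypt(m), encrypt(m)
    return {
        "roundtrip": decrypt(c1) == m,
        "randomized": c1 != c2,
        "tampered_rejected": decrypt(c1 ^ 1) is None,
    }
```

Rejecting anything whose check-string is not 0^k is what denies a chosen-ciphertext adversary useful answers from the decryption oracle; the IND-CCA2 proof in the RO model relies on decrypt returning None for all but a negligible fraction of ciphertexts the adversary did not obtain by honest encryption.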
• PKCS #1 v2.1 [RSA Labs]
Bibliography
M. Bellare and P. Rogaway. Optimal asymmetric encryption – How to encrypt with RSA. Advances in Cryptology − EUROCRYPT ’94, LNCS 950, pp. 92–111, Springer-Verlag, 1995
Part IV
Conclusion
Summary
• Security is always “proved” in a given model
security goal, adversarial resources (black-box adversaries)
standard vs. idealized model
• e.g., random oracle model
• Security is reduced to the hardness of some cryptographicproblem
e.g., RSA problem, DL problem, . . .
• Asymptotic vs. concrete security
Comments/Questions?
http://www.geocities.com/MarcJoye/