
Presentation Transcript


  1. Summary
  • A short introduction to “provable security”
  • The ESIGN signature scheme
  • Difficulties with the security proof
  • Density of power residues
  • Conclusions

  2. Kerckhoffs’ Principles
  • 1° Le système doit être matériellement, sinon mathématiquement, indéchiffrable ;
  • 2° Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvénient tomber entre les mains de l’ennemi ;
  (K 1883)

  3. Kerckhoffs’ Principles (English)
  • 1° The system must be practically, if not mathematically, indecipherable;
  • 2° The system must not require secrecy, and can fall without drawback into the enemy’s hands;

  4. Public key cryptography (DH 1976, RSA 78)
  • Bob has a pair of related keys
  • A public key ke, known to anyone including Alice
  • A private key kd, only known to Bob
  • Kerckhoffs’ extended second principle: “The encryption key must be able to fall into the enemy’s hands without drawback” (« Il faut que la clé de chiffrement puisse sans inconvénient tomber entre les mains de l’ennemi »)

  5. Provable security (GM84, GMR88)
  • Attempts to mathematically establish security
  • Kerckhoffs’ extended first principle: “The system must be mathematically indecipherable” (« Le système doit être mathématiquement indéchiffrable »)

  6. “Practical” provable security (FS86, BR93)
  • The “random oracle” methodology mediates between practice and mathematics
  • It substitutes truly random functions for hash functions and averages over these
  • Very efficient, and now requested by emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)

  7. The limits of provable security
  • Provable security does not yield proofs: proofs are relative, and proofs often use random oracles, whose meaning is debatable (CGH98)
  • Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed

  8. Provable security in five steps
  • 1 Define the goal of the adversary
  • 2 Define the security model
  • 3 Provide a proof by reduction
  • 4 Check the proof
  • 5 Interpret the proof

  9. Signature Scheme (formal)
  • Key Generation Algorithm G, which outputs the signing key ks and the verification key kv
  • Signature Algorithm S: on input m (and ks) outputs a signature σ
  • Verification Algorithm V: on input m, σ (and kv) outputs 0/1
  • Non-repudiation: impossible to forge a valid σ without ks

  10. Goal of the adversary (1)
  • Existential Forgery: try to forge a valid message-signature pair without the private key
  • The adversary is successful if the following probability is large

  11. Security models (2)
  • No-Message Attacks: the adversary only knows the verification (public) key
  • Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs
  • Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; this is the strongest attack

  12. Proof by Reduction (3)
  • Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P
  [Figure: an instance I of P is handed to A, which yields a solution of I]

  13. ESIGN (O90)
  • A signature scheme designed in the late 90s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof
  • Uses RSA integers of the form n = p²q
  • Based on the Approximate e-th root problem: given y, find x such that y ≈ x^e mod n
  • Signature generation is a very efficient way to compute σ = x, given y, where the 1/3 leading bits of y are H(m) and the rest are 0

  14. ESIGN
  • Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetic progression, so that one simply adjusts t to fall into a prescribed interval of length pq
  • Thus signing only requires raising to the e-th power
  • Even (slightly) more efficient for e = 2^u
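The arithmetic-progression trick of slides 13 and 14, as an added worked example that is not part of the presentation: a toy ESIGN-style sign/verify over a constructed 51-bit modulus n = p²q (two 17-bit primes, e = 4, H(m) taken as the top 16 bits of SHA-256), using the y, r, t and σ = s of the slides; real ESIGN parameter sizes, padding and hash lengths are not reproduced.

```python
import hashlib
import secrets

# Constructed toy parameters (not real ESIGN sizes): two 17-bit primes, so that
# n = p^2 q is a 51-bit modulus, i.e. 3k bits with k = 17.
P, Q = 104729, 104723
K = 17                     # bit length of p and q
E = 4                      # public exponent e = 2^u, the case discussed on slide 18
PQ = P * Q
N = P * P * Q
assert 2 ** (3 * K - 1) <= N < 2 ** (3 * K) and PQ < 2 ** (2 * K)

def digest(msg: bytes) -> int:
    """H(m): top K-1 bits of SHA-256(m), so that y + pq < n holds for y = H(m) * 2^(2K)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> (256 - (K - 1))

def sign(msg: bytes, rng=secrets.randbelow) -> int:
    """Return s with s^e mod n in [y, y + pq), where y is H(m) followed by 2K zero bits."""
    y = digest(msg) << (2 * K)
    while True:
        r = rng(PQ)                              # random r < pq
        if r % P == 0:
            continue                             # e * r^(e-1) must be invertible mod p
        z = pow(r, E, N)
        # (r + t*pq)^e = r^e + e*r^(e-1)*t*pq (mod n), because (pq)^2 = 0 mod p^2 q:
        # as t varies the value walks an arithmetic progression with step e*r^(e-1)*pq.
        w0 = -((z - y) // PQ)                    # ceil((y - z) / pq): steps needed
        t = w0 * pow(E * pow(r, E - 1, P), -1, P) % P
        return r + t * PQ                        # s^e mod n == z + w0*pq, inside [y, y+pq)

def verify(msg: bytes, s: int) -> bool:
    """Approximate e-th root check: leading K-1 bits of s^e mod n must equal H(m)."""
    return 0 < s < N and (pow(s, E, N) >> (2 * K)) == digest(msg)

if __name__ == "__main__":
    m = b"constructed sample message"
    s1, s2 = sign(m), sign(m)
    print(verify(m, s1), verify(m, s2), s1 != s2)   # probabilistic: two distinct valid signatures
```

Signing never inverts a modular exponentiation: the only exponentiation is r^e, and the step count w0 is turned into t by one inversion modulo p.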

  15. Checking proof (4)
  • Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P
  • The proof is not correct in the CMA model
  [Figure: the reduction diagram of slide 12, an instance I of P handed to A, which yields a solution of I]

  16. Overlooked: submit message twice? (SPMS 02)
  • In a probabilistic signature scheme, several signatures may correspond to a message
  • In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit a message. Otherwise one gets a weaker model:
  • Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of messages.

  17. Checking proof (4)
  • Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P
  • The proof is not correct for e a power of two
  [Figure: the reduction diagram of slide 12, an instance I of P handed to A, which yields a solution of I]

  18. Overlooked: correct simulation of the random oracle
  • In the security proof a key step “simulates” a random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)
  • The simulation picks r at random and “declares” that H(m) consists of the 1/3 leading bits of r^e mod n. This makes σ = r a signature of m.
  • One needs to prove that this correctly simulates a random function: not obvious when e = 2^u

  19. Completing the proof when e = 2^u
  • Need to show that the density of power residues is almost uniform in any large enough interval
  • Theorem. Let N be an RSA modulus, N = pq; the number of e-th power residues modulo N in any interval of length N^α, 1/2 < α < 1, is very close to N^α/d, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by 5·N^(1/2−α)·ln(N).

  20. Completing the proof
  • We have two proofs:
  • The first uses two-dimensional lattices and yields slightly worse bounds.
  • The second (found afterwards) uses the so-called Polya-Vinogradov inequality, which states that, for any non-principal Dirichlet character χ over (Z/NZ)*, and any integer h, |Σ_{1 ≤ x ≤ h} χ(x)| ≤ 2·ln(N)·√N.
  • This is enough to complete the security proof when e is not prime to φ(n).
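An added empirical check of the density statement behind slides 18 to 20, not part of the presentation: for a constructed small modulus N = pq it enumerates the e-th power residues by brute force, counts those in an interval of length N^α, and compares the count with N^α/d and with the relative error bound 5·N^(1/2−α)·ln(N) of slide 19. At toy sizes that bound exceeds 1 and is vacuous, but the counts already sit close to N^α/d; the enumeration assumes N is small enough to loop over.

```python
import math

def eth_power_residues(p: int, q: int, e: int) -> set:
    """All e-th powers of units of Z/NZ, N = pq, by brute force (constructed small N only)."""
    n = p * q
    return {pow(x, e, n) for x in range(1, n) if math.gcd(x, n) == 1}

def residue_density(p: int, q: int, e: int, alpha: float, start: int = 0) -> dict:
    """Count e-th power residues in [start, start + N^alpha) and compare with N^alpha / d.

    d is the index of the subgroup of e-th powers in (Z/NZ)*, computed as
    phi(N) / #residues; for N = pq this equals gcd(e, p-1) * gcd(e, q-1).
    'bound' is the relative-error bound stated on slide 19.
    """
    n = p * q
    residues = eth_power_residues(p, q, e)
    d = (p - 1) * (q - 1) // len(residues)
    h = int(n ** alpha)                                   # interval length N^alpha
    count = sum(1 for x in range(start, start + h) if x % n in residues)
    expected = h / d
    return {
        "N": n, "d": d, "h": h, "count": count,
        "rel_diff": abs(count - expected) / expected,
        "bound": 5 * n ** (0.5 - alpha) * math.log(n),
    }

if __name__ == "__main__":
    # constructed toy parameters: p = 1009, q = 1013, e = 4 = 2^2 as on slide 18
    for a in (0.6, 0.75, 0.9):
        print(residue_density(1009, 1013, 4, a))
```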

  21. Conclusions (1)
  • The methodology of provable security is more subtle than it first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
  • The first flaw is methodological in character and is related to the security model
  • The second is a limitation in the proof that could be overcome by use of (some) number theory.

  22. Conclusions (2)
  • It took twenty centuries to design RSA
  • It took over twenty years to understand how to practice RSA and get “provable security”
  • ESIGN’s provable security took over ten years
  • Cryptographic schemes should not be adopted and standardized prematurely
  • And not without a security proof, at least in the random oracle model
  • Also allow some additional time to check and interpret the security proof
