230 likes | 330 Views
Impossibility proofs for RSA signatures in the standard model. Pascal Paillier Topics in Cryptology – CT-RSA 2007. Outline. Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability
E N D
Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Introduction • Well-known RSA signatures: • Full domain hash (FDH) • Probabilistic signature scheme (PSS / PSS-R) • These are hard to invert in the random oracle model. • In the standard model, they have never been discovered.
Introduction • Real-life RSA signatures are breaking any form of unforgeability. • Any signature scheme of RSA type cannot be equivalent to inverting RSA in the standard model. • The key generation is instance-non-malleable. • Proof technique is based on black-box meta-reductions.
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Black-box reduction • A black-box reduction R between two computational problems P1 and P2 is a probabilistic algorithm R which solves P1 given black-box access to oracle solving P2. • when R is known to reduce P1 to P2 in polynomial time.
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
RSA and related computational problems • Root extraction problem is computing • is the problem of computing eth roots modulo n. • is a instance generator. • Generate a hard instance (n, e) as well as the side information
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Security notions for Real-life RSA signature - Adversarial goals • Breakable (BK) • An adversary outputs the secret key. • Universally forgeable (UF) • An adversary signs any message. • Existential forgeable (EF) • An adversary signs some message. • Root extractable (RE) • An adversary attempts to extract the eth root of a randomly chosen element y for a randomly chosen key (n, e) • BK > RE > UF > EF
Security notions for Real-life RSA signature- Attack model • Key-only attack (KOA) • The adversary is given nothing else then a public key. • Known message attack (KMA) • The adversary is given a list of valid message/signature pairs. • Chosen message attack (CMA) • The adversary is given adaptive access to a signing oracle.
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Instance-malleability • A randomly chosen instance (n, e) is easier when given repeated access to an oracle that extracts e’th roots modulo n’ for other instance (n’, e’) != (n, e). • An instance generator is instance-non-malleable.
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Impossibility of equivalence with inverting RSA • is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function • If is equivalent to then is polynomial. • If is equivalent to then is polynomial.
Impossibility of equivalence with inverting RSA • Let be an instance-non-malleable generator. These is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.
Outline • Introduction • Black-box reductions • RSA and related computational problems • Security notions for Real-life RSA signature • Instance-malleability • Impossibility of equivalence with inverting RSA • Conclusion
Conclusion • No real-life RSA signatures that are based on instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.