Presentation is loading. Please wait.

Presentation is loading. Please wait.

Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007.

Published byCecilia Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007."— Presentation transcript:

1 Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007

2 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

3 Introduction  Well-known RSA signatures: Full domain hash (FDH) Probabilistic signature scheme (PSS / PSS-R) These are hard to invert in the random oracle model. In the standard model, they have never been discovered.

4 Introduction  Real-life RSA signatures are breaking any form of unforgeability. Any signature scheme of RSA type cannot be equivalent to inverting RSA in the standard model.  The key generation is instance-non-malleable.  Proof technique is based on black-box meta- reductions.

5 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

6 Black-box reduction  A black-box reduction R between two computational problems P 1 and P 2 is a probabilistic algorithm R which solves P 1 given black-box access to oracle solving P 2.  when R is known to reduce P 1 to P 2 in polynomial time.

7 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

8 RSA and related computational problems  Root extraction problem is computing  is the problem of computing e th roots modulo n.  is a instance generator. Generate a hard instance (n, e) as well as the side information

9 RSA and related computational problems        

10

11 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

12 Security notions for Real-life RSA signature - Adversarial goals  Breakable (BK) An adversary outputs the secret key.  Universally forgeable (UF) An adversary signs any message.  Existential forgeable (EF) An adversary signs some message.  Root extractable (RE) An adversary attempts to extract the e th root of a randomly chosen element y for a randomly chosen key (n, e)  BK > RE > UF > EF

13 Security notions for Real-life RSA signature - Attack model  Key-only attack (KOA) The adversary is given nothing else then a public key.  Known message attack (KMA) The adversary is given a list of valid message/signature pairs.  Chosen message attack (CMA) The adversary is given adaptive access to a signing oracle.

14 Security notions for Real-life RSA signature

15 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

16 Instance-malleability  A randomly chosen instance (n, e) is easier when given repeated access to an oracle that extracts e’ th roots modulo n’ for other instance (n’, e’) != (n, e).  An instance generator is instance-non- malleable.

17 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

18 Impossibility of equivalence with inverting RSA  is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function  If is equivalent to then is polynomial.

19 Impossibility of equivalence with inverting RSA

20

21  Let be an instance-non-malleable generator. These is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.

22 Outline  Introduction  Black-box reductions  RSA and related computational problems  Security notions for Real-life RSA signature  Instance-malleability  Impossibility of equivalence with inverting RSA  Conclusion

23 Conclusion  No real-life RSA signatures that are based on instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.

Download ppt "Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007."

Similar presentations

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Design and Security Analysis of Marked Blind Signature

Design and Security Analysis of Marked Blind Signature
Cryptography and Network Security

Cryptography and Network Security
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
Almost uniform density of power residues and the provable security of ESIGN Jacques Stern ASIACRYPT 2003 December 3rd 2003 École normale supérieure Tatsuaki.

Almost uniform density of power residues and the provable security of ESIGN Jacques Stern ASIACRYPT 2003 December 3rd 2003 École normale supérieure Tatsuaki.
Cryptography in Subgroups of Z n * Jens Groth UCLA.

Cryptography in Subgroups of Z n * Jens Groth UCLA.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.

Similar presentations

Ads by Google