Ryan Henry I 538 /B 609 : Introduction to Cryptography

Ryan Henry Last Thursday’s lecture: El Gamal encryption Goldwasser-Micali bit encryption Paillier encrypton Today’s lecture: Signature schemes 1

Ryan Henry Assignment 6 is due Thursday, Dec 3 (Assignment 7 will be due on the same day!) 2 Thursday, December 10

Ryan Henry 3 Please complete the Online Course Questionnaire Reminder:

Ryan Henry Going forward Tuesday (11/17): Digitial signature schemes Thursday (11/19): Random oracle model **Thanksgiving break (11/22—11/29) ** Tuesday (12/01): Zero-knowledge Thursday (12/03): ?? Tuesday (12/08): ?? Thursday (12/10): ?? 4 – Specific cryptosystems – Secret sharing schemes – Pairing-based cryptography – Zero-knowledge proofs – Private information retrieval – Secure multiparty computation – Side-channel attacks – Other Security notions – Anonymous credentials possible topics

Ryan Henry Recall: Secrecy versus Authenticity ▪S▪Secrecy / confidentiality –I–IND-CPA: indistiguishable multiple encryptions in the presence of an eavesdropper –P–Provides ”security” in the presence of passive attackers ▪A▪Authenticity / integrity –E–Existential unforgeability under adaptive chosen message attacks –P–Provides “security” in the presence of active attackers 5 “ s e c u r i t y ” = = s e c r e c y “ s e c u r i t y ” = = i n t e g r i t y

Ryan Henry Recall: MAC schemes 6 Usually write MAC k (m) and Ver k (m，t) instead of MAC(k，m) and Ver(k，m，t) Ｋ is the key space Ｍ is the message space Ｔ is the tag space (the set of possible keys) (the set of possible messages) (the set of possible “tags”) Def n : A message authentication code (MAC) is a triple of efficient algorithms (Gen，MAC，Ver) such that – Gen：1 ℕ →Ｋ is a randomized “key generation” algorithm – MAC：Ｋ×Ｍ→Ｔ is a “tagging” algorithm – Ver：Ｋ×Ｍ×Ｔ→{0，1} is a “tag verification” algorithm

Ryan Henry Recall: MAC existential forgery game 7 1s1s 1s1s (m，t)∈Ｍ×Ｔ k←Gen(1 s ) m 1 ∈Ｍ t 1 ←MAC k (m 1 ) m 2 ∈Ｍ t 2 ←MAC k (m 2 ) m n ∈Ｍ t n ←MAC k (m n ) m1m1 m2m2 mnmn t1t1 t2t2 tntn Let E be the event that (m，t)∉{(m 1 ，t 1 ),…,(m n ，t n )} yet Ver k (m，t)=1 Define A’s advantage to be Adv MAC-forge (A)≔Pr[E] ⋮

Ryan Henry Recall: Existential unforgeability 8 The message m and tage t are chosen arbitrarily by the attacker at the end of the attack Existential unforgeability is the “default” unforgeability property Def n : A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ + such that Adv MAC-forge (A)≤ε(s).

Ryan Henry Digital signature schemes ▪ Intuitively, a digital signature scheme is the public-key equivalent of a MAC scheme. 9 Def n : A digital signature scheme is a triple of efficient algorithms (Gen，Sign，Ver) such that – Gen：1 ℕ →Ｋ s ×Ｋ v is a randomized “key generation” algorithm – Sign：Ｋ s ×Ｍ→Ｓ is a randomized “signing” algorithm – Ver：Ｋ v ×Ｓ→{0，1} is a deterministic “signature verification” algorithm

Ryan Henry Correctness ▪ Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key) 10 Def n : A signature scheme (Gen，Sign，Ver) with message space Ｍ is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ, Pr[Ver k v (m，Sign k s (m))=1｜(k s,k v )←Gen(1 s )]≥1−ε(s) If Ver(k v ，m，σ)≟1, then we call σ a valid signature on m (under the verification key k v ).

Ryan Henry Signature existential forgery game 11 1s1s 1s1s (m，σ)∈Ｍ×Ｓ (k s ，k v )←Gen(1 s ) m 1 ∈Ｍ σ 1 ←Sign k s (m 1 ) m 2 ∈Ｍ σ 2 ←Sign k s (m 2 ) m n ∈Ｍ σ n ←Sign k s (m n ) m1m1 m2m2 mnmn σ1σ1 σ2σ2 σnσn Let E be the event that (m，σ)∉{(m 1 ，σ 1 ),…,(m n ，σ n )} yet Ver k v (m，σ)=1 Define A’s advantage to be Adv Sig-forge (A)≔Pr[E] ⋮ kvkv

Ryan Henry Existential unforgeability 12 Def n : A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ + such that Adv Sig-forge (A)≤ε(s). ▪ Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures

Ryan Henry “Textbook” RSA signatures 13 ▪M▪Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is, –G–Gen(1 s ) chooses distinct s-bit primes p and q and e∈℥ φ(pq), and then it outputs k v ≔(pq，e) and k s ≔e -1 mod φ(pq); –S–Sign(k s ，m) outputs σ≔m d mod pq; and –V–Ver(k v ，m，σ) outputs 1 if m≟σ e mod pq and 0 otherwise. Q: Is this an existentially unforgeable signature scheme? A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!) (If you do this and I find out, I will retroactive fail you in this course!)

Ryan Henry “Textbook” RSA signatures ▪ As with textbook RSA encryption, textbook RSA signatures have some serious problems! – Unclear how to sign “long” messages – Extremely inefficient – “No message” forgery attacks – Forgeries from malleability – Forgeries on arbitrary messages – Key reuse attacks 14

Ryan Henry “No message” forgeries 15 Obs 1: Let p v ≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any σ∈℥ N, the attacker can output a valid forgery (m，σ) where m≔ σ e mod pq. ??? Q: Can attacker choose σ corresponding to a particular message of its choosing? A: No! (Unless the RSA assumption fails to hold.) Message is an eth root of σ modulo pq!

Ryan Henry Forgeries from malleability ▪ Attacker can choose a and b arbitrarily – a=b=1 yields signature on m 1 m 2 – b=0 yields signature on m 1 a 16 Obs 2: Let p v ≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any two message-signatures pairs (m 1 ，σ 1 ), (m 2 ，σ 2 ) such that Ver(p v ，m 1 ，σ 1 )=Ver(p v ，m 2 ，σ 2 )=1, the attacker can output a valid forgery (m’，σ’) where m’≔m 1 a m 2 b mod pq and σ’≔ σ 1 a σ 2 b mod pq.

Ryan Henry Forgeries on arbitrary messages 17 Obs 3: Let p v ≔(pq，e) be a verification key for the textbook RSA signature scheme. Attacker can forge signature on arbitrary message m of its choosing by 1. choosing any r∈℥ pq such that r≠1, 2. requesting a signature σ’ on m’≔ 3. outputting σ≔ This “attack” is useful for constructing blind RSA signatures. m·r e, and ??? σ’·r -1 mod pq. ???

Ryan Henry One-time signature schemes ▪I▪Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message Q: Why is this notion useful? A1: We can construct OTS schemes under weaker assumptions –N–No random oracles, no computational assumptions A2: OTS’s are a useful building block for “many-time” signatures 18

Ryan Henry One-time forgery game 19 1s1s 1s1s (m’，σ’)∈Ｍ×Ｓ (k s ，k v )←Gen(1 s ) m∈Ｍ σ←Sign k s (m) m σ Let E be the event that (m’，σ’)≠(m，σ) yet Ver k v (m’，σ’)=1 Define A’s advantage to be Adv OTS-forge (A)≔Pr[E] kvkv

Ryan Henry One-time existential unforgeability 20 Def n : A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ + such that Adv OTS-forge (A)≤ε(s).

Ryan Henry Lamport’s OTS scheme (for ℓ(s)-bit messages) 21

Ryan Henry Security of Lamport’s OTS scheme 22 Thm: Let ℓ：ℕ→ℕ be any positive integer-valued polynomial and let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks. Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0，1} s ∖{m}. Since m’≠m, there exists a bit position i for which m i ≠m′ i ; thus, forging a signature on m’ requires A to find x′ i ∈F -1 (y i,m′ i ). Since F is an OWF, A succeeds in doing so with negligible advantage. ☐

Ryan Henry That’s all for today, folks! 23