1. B504/I538: Introduction to Cryptography
Spring • Lecture 24
(2017—04—06)

2. RSA+OAEP OAEP = “Optimal Asymmetric Encryption Padding” m 0k1 r Y X
n+k1+k2 is bit length of N=pq
k1 and k2 are constants
(e.g., k1=k2=128)
n is plaintext length
G and H are “random oracles” (cryptographic hash functions)
G：{0，1}k2 →{0，1}n+k1
H：{0，1}n+k1→{0，1}k2
⊕ is bitwise XOR
Public key is (N，e，G，H)
Private key is d≔e-1 mod φ(N) m
0k1 r Y X G H
concatenate
n bits
k1 bits
k2 bits
n+k1 bits

3. RSA+OAEP Encrypting m∈{0，1}n: Ciphertext is c∈ℤN. m 0k1 r Y X
Pad m with k1 zeros: m‘≔m∥0k1
Choose r∊{0，1}k2
“Expand” r using G: r’≔G(r)
XOR m’ with r’: X≔m’⊕r’
“Compress” X using H: X’≔H(X)
XOR X’ with r: Y≔r⊕X’
Concatenate X and Y: m’’≔X∥Y
Apply “textbook RSA” to m’’: c≔(m’’)e
Ciphertext is c∈ℤN. m
0k1 r Y X G H
concatenate
n bits
k1 bits
k2 bits
n+k1 bits

4. RSA+OAEP Decrypting c∈ℤN Plaintext is m∈{0，1}n. m 0k1 r Y X
Recover m’’ from c: m’’≔cd mod N
Parse m’’ as (X，Y)∈{0，1}n+k1×{0，1}k2
Recover X’ from X: X’≔H(X)
Recover r from X’ and Y: r≔Y⊕H(x)
“Expand” r using G: r’≔G(r)
Recover m’ from X and r’: m’≔X⊕r’
Parse m’ as (m,z)∈{0，1}n×{0，1}k1
Check z≟0k1; if not， abort
Plaintext is m∈{0，1}n. m
0k1 r Y X G H
concatenate
n bits
k1 bits
k2 bits
n+k1 bits

5. Going forward
Tuesday (04/06): Digitial signature schemes Thursday (04/11): Random oracle model Tuesday (04/13): Zero-knowledge proofs Thursday (04/18): ?? Tuesday (04/20): ?? Thursday (12/25): ?? Thursday (04/27): ??
Specific cryptosystems
Secret sharing schemes
Pairing-based cryptography
Zero-knowledge proofs
Private information retrieval
Secure multiparty computation
Side-channel attacks
Other security notions
Anonymous credentials
Lattice crypto
some
possible
topics

6. Recall: Secrecy versus Authenticity
Secrecy / confidentiality
IND-CPA: indistiguishable multiple encryptions in the presence of an eavesdropper
Provides ”security” in the presence of passive attackers
Authenticity / integrity
Existential unforgeability under adaptive chosen message attacks
Provides “security” in the presence of active attackers
“security” == secrecy
“security” == integrity

7. Recall: MAC schemes
Defn: A message authentication code (MAC) is a triple of efficient algorithms (Gen，MAC，Ver) such that
Gen：1ℕ→Ｋ is a randomized “key generation” algorithm
MAC：Ｋ×Ｍ→Ｔ is a “tagging” algorithm
Ver：Ｋ×Ｍ×Ｔ→{0，1} is a “tag verification” algorithm
Usually write MACk(m) and Verk(m，t) instead of MAC(k，m) and Ver(k，m，t)
Ｋ is the key space
Ｍ is the message space
Ｔ is the tag space
(the set of possible keys)
(the set of possible messages)
(the set of possible “tags”)

8. Recall: MAC existential forgery game
Challenger (C)
Attacker (A) 1s
k←Gen(1 s) 1s m1
m1∈Ｍ t1
t1←MACk(m1) m2
m2∈Ｍ t2
t2←MACk(m2) ⋮ mn
mn∈Ｍ tn
tn←MACk(mn)
(m，t)∈Ｍ×Ｔ
Let E be the event that (m，t)∉{(m1，t1),…,(mn，tn)} yet Verk(m，t)=1
Define A’s advantage to be AdvMAC-forge(A)≔Pr[E]

9. Recall: Existential unforgeability
Defn: A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that
AdvMAC-forge(A)≤ε(s).
The message m and tage t are chosen arbitrarily by the attacker at the end of the attack
Existential unforgeability is the “default” unforgeability property

10. Digital signature schemes
Intuitively, a digital signature scheme is the public- key equivalent of a MAC scheme.
Defn: A digital signature scheme is a triple of efficient algorithms (Gen，Sign，Ver) such that
Gen：1ℕ→Ｋs×Ｋv is a randomized “key generation” algorithm
Sign：Ｋs×Ｍ→Ｓ is a randomized “signing” algorithm
Ver：Ｋv×Ｓ→{0，1} is a deterministic “signature verification” algorithm

11. Pr[Verkv(m，Signks(m))=1｜(ks,kv)←Gen(1s)]≥1−ε(s)
Correctness
Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key)
Defn: A signature scheme (Gen，Sign，Ver) with message space Ｍ is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ,
Pr[Verkv(m，Signks(m))=1｜(ks,kv)←Gen(1s)]≥1−ε(s)
If Ver(kv，m，σ)≟1, then we call σ a valid signature on m (under the verification key kv).

12. Signature existential forgery game
Challenger (C)
Attacker (A) kv 1s
(ks，kv)←Gen(1 s) 1s m1
m1∈Ｍ σ1
σ1←Signks(m1) m2
m2∈Ｍ σ2
σ2←Signks(m2) ⋮ mn
mn∈Ｍ σn
(m，σ)∈Ｍ×Ｓ
σn←Signks(mn)
Let E be the event that (m，σ)∉{(m1，σ1),…,(mn，σn)} yet Verkv(m，σ)=1
Define A’s advantage to be AdvSig-forge(A)≔Pr[E]

13. Existential unforgeability
Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures
Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that
AdvSig-forge(A)≤ε(s).

14. “Textbook” RSA signatures
Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is,
Gen(1s) chooses distinct s-bit primes p and q and e∈℥φ(pq), and then it outputs kv≔(pq，e) and ks≔e-1 mod φ(pq);
Sign(ks，m) outputs σ≔md mod pq; and
Ver(kv，m，σ) outputs 1 if m≟σe mod pq and 0 otherwise.
Q: Is this an existentially unforgeable signature scheme?
A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!)
(If you do this and I find out, I will retroactive fail you in this course!)

15. “Textbook” RSA signatures
As with textbook RSA encryption, textbook RSA signatures have some serious problems!
Unclear how to sign “long” messages
Extremely inefficient
“No message” forgery attacks
Forgeries from malleability
Forgeries on arbitrary messages
Key reuse attacks

16. “No message” forgeries
Obs 1: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme.
Given any σ∈℥N, the attacker can output a valid forgery (m，σ) where m≔
σe mod pq.
???
Q: Can attacker choose σ corresponding to a particular message of its choosing?
A: No! (Unless the RSA assumption fails to hold.)
Message is an eth root of σ modulo pq!

17. Forgeries from malleability
Obs 2: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme.
Given any two message-signatures pairs (m1，σ1), (m2，σ2) such that Ver(pv，m1，σ1)=Ver(pv，m2，σ2)=1, the attacker can output a valid forgery (m’，σ’) where m’≔m1am2b mod pq and σ’≔ σ1aσ2b mod pq .
Attacker can choose a and b arbitrarily
a=b=1 yields signature on m1m2
b=0 yields signature on m1a

18. Forgeries on arbitrary messages
Obs 3: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme.
Attacker can forge signature on arbitrary message m of its choosing by
choosing any r∈℥pq such that r≠1,
requesting a signature σ’ on m’≔
outputting σ≔
m·re, and
???
σ’·r-1 mod pq.
???
This “attack” is useful for constructing blind RSA signatures.

19. One-time signature schemes
Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message
Q: Why is this notion useful?
A1: We can construct OTS schemes under weaker assumptions
No random oracles, no computational assumptions
A2: OTS’s are a useful building block for “many-time” signatures

20. One-time forgery game 1s (ks，kv)←Gen(1 s) 1s m∈Ｍ σ←Signks(m)
Challenger (C)
Attacker (A) kv 1s
(ks，kv)←Gen(1 s) 1s m
m∈Ｍ σ
σ←Signks(m)
(m’，σ’)∈Ｍ×Ｓ
Let E be the event that (m’，σ’)≠(m，σ) yet Verkv(m’，σ’)=1
Define A’s advantage to be AdvOTS-forge(A)≔Pr[E]

21. One-time existential unforgeability
Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that
AdvOTS-forge(A)≤ε(s).

22. Lamport’s OTS scheme (for ℓ(s)-bit messages)
Let F be an OWF (In practice, F is a cryptographic hash function)
Gen(1s) chooses (x1,0，x1,1),…，(xℓ(s),0，xℓ(s),1)∊{0，1}s×{0，1}s and outputs
Ks≔{ x1,0 ⋯ xℓ(s),0 x1,1 ⋯ xℓ(s),1 } and Kv≔{ y1,0 ⋯ yℓ(s),0 y1,1 ⋯ yℓ(s),1 }, where each yij≔F(xij)
Sign(ks，m1∥m2∥⋯∥mℓ(s)) outputs σ≔(x1,m1，x2,m2,…，xℓ(s),mℓ(s))
Ver(kv，m1∥m2∥⋯∥mℓ(s)，σ) outputs 1 if yi,mi≟F(xi,mi) for each i=1,…， ℓ(s) and outputs 0 otherwise

23. Security of Lamport’s OTS scheme
Thm: Let ℓ：ℕ→ℕ be any positive integer-valued polynomial and let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks.
Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0，1}s∖{m}.
Since m’≠m, there exists a bit position i for which mi≠m′i; thus, forging a signature on m’ requires A to find x′i∈F-1(yi,m′i).
Since F is an OWF, A succeeds in doing so with negligible advantage. ☐

24. That’s all for today, folks!