Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1.

Published byAngela Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1."— Presentation transcript:

1 Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1

2 Signature Schemes Triplet of efficient algorithms (Gen,Sign,Ver) Gen (1 k ): s,v Sign s (m): ¾ Ver v (m, ¾ ): 0/1 Correctness and existential unforgability Key criteria: Efficiency/Simplicity Provable security 2

3 RSA Full-Domain-Hash Signatures Gen( 1 k ): s = (n= p ¢ q, d), v =(n,e) where d ´ e -1 mod Á (n) Sign n,d ( m ): h(m) d mod n V er n,e (m, ¾ ): “1” iff h(m) ´ ¾ e mod n Where h:{0,1} ¤  Z n ¤ is a fixed hash function (e.g., SHA1) Very efficient Basis of several standards: PKCS#1 Secure (under the RSA assumption) when h is modeled as a random function (i.e., secure in the “random oracle heuristic”) [Bellare-Rogaway ‘93] Can we reduce the security of RSA-FDH to some falsifiable assumption? 3

4 Known Results The Random Oracle Heuristic is not always a security guarantee [Canetti et. al, Nielsen, Goldwasser-Kalai, Bellare et. al] Only for artificial schemes No “fully-black-box” trapdoor permutation FDH [ Dodis-Oliveira-Pietrzak‘05] Does not rule out schemes that use the group structure Other impossibility results [GMR ‘89, Paillier ‘06] Only for restricted class of reductions None of the above results rules out fully-black-box RSA-FDH Exist RSA-based signature schemes that critically do not obey these restrictions [Gennaro et. al ’99, Cramer-Shoup ’00, Hohenberger-Waters ’09] 4

5 Our Result No fully-black-box RSA-FDH* from any “reasonable” assumption (e.g., RSA is hard) Even if the hash function depends on RSA parameters Novel adaptation of Gennaro-Trevisan ``short description paradigm” to Generic Groups Construction of bounded-query RSA-FDH (under the RSA assumption) * for prime verification key (i.e., e) 5

6 Fully-Black-Box RSA-FDH How to rule-out RSA-FDH without breaking it? Create a “world” in which The RSA assumption holds RSA-FDH is breakable All known (provable) techniques to create RSA-based signatures still go through In our world The RSA group is modeled as a random group isomorphic to Z n ¤ There exists a generic forger that breaks any RSA-FDH scheme All known (provable) RSA-based signatures are secure

7 Fully-Black-Box RSA-FDH cont. Formally, we only consider reductions that Work over any group G isomorphic to Z n ¤ and treat G as black-box (alternatively, Z n ¤ is treated as a symbolic group) The adversary (i.e., the forger) is treated as a black-box Several meaningful ways to do so [Nechaev ‘94, Shoup ’97, Maurer ’05] Our model captures all known RSA based signature schemes [Gennaro et. al ’99, Cramer-Shoup ’00, Hohenberger- Waters ’09] Allows “Oblivious Sampling”

8 Generic Groups For n 2 N, let ¦ n be the set of all permutations from Z n ¤  Z n ¤ For ¼ 2 ¦ n, let ¼ (Z n ¤ ) be the group induced by ¼ on Z n ¤ by “translating” the operations over ¼ (Z n ¤ ) those of Z n ¤ For a,b 2 ¼ (Z n ¤ ) a -1 = ¼ (( ¼ -1 (a)) -1 mod n) a ¢ b = ¼ ( ¼ -1 (a) ¢ ¼ -1 (b) mod n) Sometimes we explicitly write a ¢ b [ ¼ (Z n ¤ ) ] Let G n = { ¼ (Z n ¤ ): ¼ 2 ¦ n } and G = { G n : n 2 N} 8 Zn¤Zn¤ ¼ (Z n ¤ ) a¢ba¢b ¼ -1 (a) ¢ ¼ -1 (b) ¼ -1 ¼

9 The RSA Assumption over G 9 For any efficient A Pr [ A G (1 k,n,e,x ) ´ x d [G n ] ] = negl(k) G = {G i } à G (n = p ¢ q 2  ( 2 k ),e) à Gen(1 k ) x à Z n ¤ d = e -1 mod Á (n) Lemma ( [Aggarwal–Maurer ’09], reproved here*) RSA assumption over G is equivalent to factoring

10 Fully-Black-Box RSA-FDH over G G={ G i } 2 G Gen G (1 k ): s = (n = p ¢ q, d, h () ), v=(n,e,h () ) d = e -1 mod Á (n) h G :{0,1} ¤  Z n ¤ is an efficient oracle-aided function Sign G n,d,h (m): h G (m) d [ G n ] Ver G n,e (m, ¾ ) : “1” iff h G (m) ´ ¾ e [ G n ] Algorithm F breaks (Gen,Sign,Ver), if Pr G Ã G [F G break the unforgability of (Gen G,Sign G,Ver G )] > neg(k) Black box proof from RSA: 9 efficient R, F breaks the scheme ) R F breaks the RSA assumption over G F gives us extra power (recall that RSA is hard over G ) Weakly black-box proof: 9 efficient R and D = {D k } F breaks the scheme ) for any efficient Emul, | ( D k,R G,F ( 1 k,D k ) ) G Ã G, (D k,Emul G ( 1 k,D k )) G Ã G | > neg(k) Claim: BB proof from RSA (or any hard assumption) ) Weakly BB proof Let D k be a random RSA challenge (i.e., ( n,e,y)) R G,F (n,e,y) outputs x = y d [G n ] Claim: BB proof from RSA (or any hard assumption) ) Weakly BB proof Let D k be a random RSA challenge (i.e., ( n,e,y)) R G,F (n,e,y) outputs x = y d [G n ]

11 Impossibility of RSA-FDH 11 Theorem: There exists no RSA-FDH with weakly black-box proof Main Lemma: There exist (inefficient) F and efficient Emul such that for any RSA-FDH (with Pr[e 2 P ] > negl) 1. F breaks the scheme 2. |(D k,R G,F ( 1 k,D k ), (D k,Emul G,R ( 1 k,D k )) |< 2 -k for any efficient R and any D={D k }, where G Ã G

12 The Forger F 12 F G ( n,e,h,x 1,…, x t ) If |h|<t, and 8 i 2 [t] h G (i) ´ x i e [ G n ] Compute (say by factoring n) d ´ e -1 mod Á (n) and return ( h G (0)) d [ G n ] Otherwise, return ? It suffices to prove that 1. F G breaks the security of any RSA-FDH 2. For all (non-uniform) efficient R, Pr[q à R G ( 1 k ): F G (q)  ? ] = negl(k) On F G query, Emul returns ?  Pr[q à R G ( 1 k ): F G (q)  ? & q is non- degenerate ] = negl(k) On F G query, Emul either factors or returns ? Incorrect!, for instance h(i) = 2 e for all i  0, h(0) = y h(i) = (2 e ) i for all i  0, h(0) = y Either such “degenerate” queries are detectable given q and thus we change F to returns ? on such queries still strong enough to break RSA-FDH Or imply a factoring of n and thus easy to emulate Incorrect!, for instance h(i) = 2 e for all i  0, h(0) = y h(i) = (2 e ) i for all i  0, h(0) = y Either such “degenerate” queries are detectable given q and thus we change F to returns ? on such queries still strong enough to break RSA-FDH Or imply a factoring of n and thus easy to emulate

13 Pr[F G (q)  ? & q= (n,e,h,{x i }) non-degenerate] = negl 13 Proof idea: The only way to know h(i) d is to hardwire h(i) = x e Since q is non-degenerate, the h(i)’s are “unrelated” Since |h|< t, h can only contain < t unrelated hardwired values The actual proof follows Gennaro-Trevisan paradigm: [Gennaro-Trevisan ‘00, Gennaro et. al ’05, Haitner et. al ’07,…] R contradicts claim ) too short description for ¼ 2 ¦ n All previous works are in the random functions realm

14 Short Description of ¼ 14 Let G n = ¼ ( Z n ¤ ) and let q=(n,e,q,{ x i } i 2 [t] ) = R G (1 k ) Description: for some W µ Z n ¤ of size t (desc. of) h, ¼ -1 ( Z n ¤ \ W) + (short) advic e Reconstruction: 1. Use h + advise to emulate (H G ;R G ) and find W 2. Use the collisions { x i e ´ h(i) } + advice to compute ¼ -1 (W) Since |h| < t, the above description is too short “Compressor”/ “Decompressor” might be unbounded Zn¤Zn¤ ¼ -1 (W) Zn¤Zn¤ W ¼ 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e … Output q R G H G Does such set W always exist? Yes for non-degenerate q What are non-degenerate queries? [ Dodis et. al]: (essentially) h(i)  h(j) Here, need to also worry about algebraic relations Does such set W always exist? Yes for non-degenerate q What are non-degenerate queries? [ Dodis et. al]: (essentially) h(i)  h(j) Here, need to also worry about algebraic relations

15 Hardwired Values 15 Hardwire values: first appear on the “right-hand side” It is hard to find “non-degenerate” relations between them We assume there are t hardwire values { w i } i 2 [t], and let W={ w i } { h(i) ´ x i e } i 2 [t] ) {  w ij mij ´  w ij e ¢ m ’ ij [G n ] } i 2 [t] ) {  ¼ -1 (w ij mij ) ´  ¼ -1 (w ij ) e ¢ m ’ ij [Z n ¤ ] } i 2 [t] Let M H = { m ij } and M H;R = { m ’ ij } “Non degenerated” M H ) h + ¼ -1 ( Z n ¤ \{ w i } ) + (short) advise determine ¼ -1 ({ w i }) 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e …

16 The “Collision Matrix” M H 16 Recall {  w ij mij ´  w ij e ¢ m ’ ij }, M H = { m ij }, M H;R = { m ’ ij } Claim 1: rank e (M H ) < t ) forging is easy (using e 2 P) e.g., h(1) = w 1, h(2) = w 1 5 ) x 2 = x 1 5 We modify F G to return ? on such h In the following we assume rank e (M H ) = t and let a = det(M H - e ¢ M H;R )  0 Claim 2: gcd(a, Á (n)) is large – contains all prime factors of Á (n) of size (log n) ! (1) ) factoring n is easy ) Emulating the call F G (n,e,h, {x i } ) is easy Claim 3: gcd(a, Á (n)) is not large ) ¼ -1 ({w i }) is determined by h, ¼ -1 ( Z n ¤ \{ w i }) and a “short” advice ( ) short description of ¼ )  (via [Miller ‘76]) Since ¼ does not have a short description ) Over Generic Groups, RSA ´ factoring Since ¼ does not have a short description ) Over Generic Groups, RSA ´ factoring

17 Solution Set for ū = ( ¼ -1 (w 1 ),…, ¼ -1 (w t )) 17 Assume that (H G ;R G ) has k steps, and for i 2 {0,…,k} let S i be the solution set for ū after the i’th step 1. |S 0 |= Á (n) t 2. |S i+1 | divides |S i | 3. Let p 2 P be a factor of Á (n) but not of a = det(M H –e ¢ M H;R ), then |S k | · ( Á (n)/p) t “Proof”: since {  ¼ -1 (w ij mij ) ´  ¼ -1 (w ij’ e ¢ m ’ ij ) [Z n ¤ ] } … Fix super-polynomial such p (recall gcd(a, Á (n)) is not large) The emulation of (H G ;R G ) determines S k ) h, ¼ -1 ( Z n ¤ \ { w i } ) and the index of ū inside S k determine ū ) shorter description of ¼ (in t ¢ log(p) -h| 2  (t) bits)

18 Emulating (H G ;R G ) 18 Basic idea: keep an order list of the query answers ( log n for each) and remove (the preimages of) these elements from ¼ -1 ( Z n ¤ \{ w i }) Problem: How to handle collisions? Should give enough information to enable the emulation Should not give redundant information Solution: just give the necessary information about ¼ Problem: now our description of ¼ equals its (real) length! Solution: describe each “informative collision” using O(log log n) bits 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e 8 i eval h G (i) b = a -1 f = c ¢ g 8 i eval x i e … f ´ b 1. |S 0 |= Á (n) t 2. |S i+1 | divides |S i | 3. |S k | · ( Á (n)/p) t Hence, 9 { i 1,.., i z } µ [k] s.t  |S ij |/|S ij+1 | ¸ p t 1. |S 0 |= Á (n) t 2. |S i+1 | divides |S i | 3. |S k | · ( Á (n)/p) t Hence, 9 { i 1,.., i z } µ [k] s.t  |S ij |/|S ij+1 | ¸ p t

19 Open Questions Rule out Black-box RSA-FDH for any e (also non primes) Rule out constructions of RSA-FDH with black-box proof Use Gennaro-Trevisan paradigm to obtain other Generic Groups impossibility results: e.g., BLS signatures and RSA-OAEP 19

Download ppt "Yevgeniy Dodis Iftach Haitner Aris Tentes On the (In)Security of RSA Signatures 1."

Similar presentations

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/0111102 I was born at the Big Bang. Cool! We have the same birthday.

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.

Its Not The Assumption, Its The Reduction GMfest13c Assumptions Panel Presentation Ran Canetti.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.

A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Similar presentations

Ads by Google