Almost uniform density of power residues and the provable security of ESIGN
Jacques Stern (École normale supérieure) and Tatsuaki Okamoto (NTT Labs)
ASIACRYPT 2003, December 3rd 2003
Almost uniform density of power residues and the security proof of ESIGN. - 2Jacques Stern
Summary
A short introduction to “provable security”
The ESIGN signature scheme
Difficulties with the security proof
Density of power residues
Conclusions
Kerckhoffs’ Principles (Kerckhoffs, 1883)
1° The system must be practically, if not mathematically, indecipherable;
2° It must not require secrecy, and it must be able to fall into the enemy’s hands without inconvenience;
Public key cryptography (DH 1976, RSA 78)
Bob has a pair of related keys:
A private key kd, known only to Bob
A public key ke, known to anyone, including Alice
Kerckhoffs’ extended second principle: the encryption key must be able to fall into the enemy’s hands without inconvenience.
Provable security (GM84, GMR88)
Attempts to establish security mathematically.
Kerckhoffs’ extended first principle: the system must be mathematically indecipherable.
“Practical” provable security (FS86, BR93)
The “random oracle” methodology mediates between practice and mathematics.
It substitutes truly random functions for the hash functions and averages over these.
Very efficient, and now required to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO).
The limits of provable security
Provable security does not yield absolute proofs: the proofs are relative (to a hardness assumption), and they often rely on random oracles, whose meaning is debatable (CGH98).
Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed.
Provable security in five steps
1. Define the goal of the adversary
2. Define the security model
3. Provide a proof by reduction
4. Check the proof
5. Interpret the proof
Signature scheme (formal)
Key generation algorithm G: outputs a key pair (ks, kv), ks the signing key and kv the verification key.
Signature algorithm S: on input ks and a message m, outputs a signature σ.
Verification algorithm V: on input kv, m and σ, outputs 0/1.
Non-repudiation: impossible to forge a valid σ without ks.
Goal of the adversary (1)
Existential forgery: try to forge a valid message/signature pair without the private key. The adversary is successful if the following probability is large:
$$\mathrm{Succ}^{\mathrm{ef}}(\mathcal{A}) = \Pr\bigl[(m,\sigma) \leftarrow \mathcal{A}(k_v) : \mathcal{V}(k_v, m, \sigma) = 1\bigr]$$
Security models (2)
No-Message Attacks: the adversary only knows the verification (public) key.
Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs.
Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary; this is the strongest attack.
Proof by reduction (3)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P: an instance I of P is handed to A, and A’s forgery is turned into a solution of I.
ESIGN (O90)
A signature scheme designed in the late 1990s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof.
Uses RSA-type integers of the form n = p^2 q.
Based on the approximate e-th root problem: given y, find x such that x^e mod n ≈ y (the two agree on their leading bits).
Signature generation is a very efficient way to compute σ = x, given a target y whose leading 1/3 bits are H(m) and whose remaining bits are 0.
ESIGN: signature generation
Signature generation relies on the fact that, for a random r and a variable t, (r + t·pq)^e mod n ranges over an arithmetic progression of step pq, since (r + t·pq)^e ≡ r^e + e·t·pq·r^(e-1) (mod n) (every higher term contains (pq)^2 = nq ≡ 0 mod n); so one simply adjusts t to fall into a prescribed interval of length pq.
Thus signing only requires raising to the e-th power.
Even (slightly) more efficient for e = 2^u.
Checking the proof (4)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P, turning an instance I of P into a solution of I.
Problem: the proof is not correct in the CMA model.
Overlooked: submit a message twice? (SPMS 02)
In a probabilistic signature scheme, several signatures may correspond to the same message.
In the usual definition of existential forgery under chosen-message attacks (CMA), the adversary may submit the same message repeatedly. Forbidding this gives a weaker model:
Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature σ, and (m, σ) is added to the list of signed messages.
Checking the proof (4)
Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P, turning an instance I of P into a solution of I.
Problem: the proof is not correct for e a power of two.
Overlooked: correct simulation of the random oracle
In the security proof a key step “simulates” the random oracle, so that the signature of a requested message can be produced by simulation (i.e. without the secret key).
The simulation picks r at random and “declares” that H(m) consists of the leading 1/3 bits of r^e mod n. This makes σ = r a signature of m.
One needs to prove that this correctly simulates a random function: not obvious when e = 2^u, because φ(n) is even, so gcd(e, φ(n)) > 1, x → x^e is not a permutation of the units, and r^e mod n ranges only over the subgroup of e-th power residues.
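The signing procedure from the ESIGN slides and the oracle-programming simulation just described, worked through together in a toy implementation. This is an added example, not the ESIGN specification and not the authors’ code: it assumes a (k-1)-bit digest taken from truncated SHA-256, no padding or domain separation, a power-of-two e, and parameters far too small for real use; the function names (`keygen`, `sign`, `verify`, `simulate_signature`) are this example’s own.

```python
"""Toy ESIGN-style signature (added illustration; not the ESIGN spec).

Modulus n = p^2 q, public exponent e = 2^u.  Signing relies on
    (r + t*p*q)^e  =  r^e + e*t*p*q*r^(e-1)   (mod n),
valid because (p*q)^2 = n*q = 0 (mod n): for fixed r the values
(r + t*p*q)^e mod n form an arithmetic progression with step p*q, and
t is chosen so the value lands in [H(m)*2^(2k), H(m)*2^(2k) + 2^(2k)).
Toy assumptions: (k-1)-bit truncated SHA-256 digest, no padding,
e a power of two, tiny parameters.
"""
import hashlib
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (sufficient for a toy)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(k: int, e: int = 32):
    """Return (public, private); public = (n, e, k), n = p^2 q of exactly 3k bits."""
    assert e >= 4 and e & (e - 1) == 0, "this toy assumes e = 2^u"
    while True:
        p, q = random_prime(k), random_prime(k)
        n = p * p * q
        # exactly 3k bits => H(m)*2^(2k) + p*q < n for every (k-1)-bit digest,
        # so the adjusted value below never wraps around modulo n
        if p != q and n.bit_length() == 3 * k:
            return (n, e, k), (p, q)


def digest(msg: bytes, k: int) -> int:
    """(k-1)-bit digest: SHA-256 truncated (toy choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - (k - 1))


def sign(priv, pub, msg: bytes) -> int:
    """Probabilistic: a fresh r gives a different signature each time."""
    n, e, k = pub
    p, q = priv
    pq = p * q
    y = digest(msg, k) << (2 * k)           # leading k bits H(m), remaining 2k bits 0
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) != 1:                  # r must be invertible mod p below
            continue
        z = (y - pow(r, e, n)) % n          # distance from r^e up to the target
        w0 = -(-z // pq)                    # ceil(z / pq): number of steps of size pq
        # solve e * t * r^(e-1) = w0 (mod p); then (r + t*pq)^e = r^e + w0*pq (mod n),
        # which lies in [y, y + pq) and hence has the right leading k bits
        t = (w0 * pow(e * pow(r, e - 1, p), -1, p)) % p
        return (r + t * pq) % n


def verify_digest(pub, h: int, sigma: int) -> bool:
    """Approximate e-th root check: leading k bits of sigma^e mod n equal h."""
    n, e, k = pub
    return pow(sigma, e, n) >> (2 * k) == h


def verify(pub, msg: bytes, sigma: int) -> bool:
    return verify_digest(pub, digest(msg, pub[2]), sigma)


def simulate_signature(pub):
    """The reduction's oracle programming, using only the public key:
    pick r, declare H(m) := leading bits of r^e mod n, output sigma = r.
    Returns (programmed digest, sigma)."""
    n, e, k = pub
    while True:
        r = random.randrange(1, n)
        h = pow(r, e, n) >> (2 * k)
        if h < (1 << (k - 1)):              # must be a value the digest can take
            return h, r
```

`simulate_signature` never touches p or q: it is exactly the simulator’s move of choosing r first and programming H(m) to the leading bits of r^e mod n. The question the rest of the talk answers is whether those programmed digests look like the outputs of a random function when e = 2^u, i.e. when r^e mod n ranges only over the subgroup of e-th power residues rather than over all units.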
Completing the proof when e = 2^u
Need to show that the density of power residues is almost uniform in any large enough interval.
Theorem. Let $N$ be an RSA modulus, $N = pq$; the number of $e$-th power residues modulo $N$ in any interval of length $N^{\alpha}$, $1/2 < \alpha < 1$, is very close to $N^{\alpha}/d$, where $d$ is the index of the group of power residues, and “very close” means that the relative difference is bounded by $5\,N^{1/2-\alpha}\ln N$.
Completing the proof
We have two proofs. The first uses two-dimensional lattices and yields slightly worse bounds. The second (found afterwards) uses the so-called Pólya-Vinogradov inequality, which states that, for any non-principal Dirichlet character $\chi$ over $(\mathbb{Z}_N)^*$ and any integer $h$,
$$\Bigl|\sum_{1 \le x \le h} \chi(x)\Bigr| \le 2\sqrt{N}\,\ln N .$$
This is enough to complete the security proof when e is not prime to φ(n).
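The theorem stated two slides earlier and the Pólya-Vinogradov route to it, checked numerically on a toy modulus. This is an added example, not from the paper: it enumerates the e-th power residues of a small N = pq (constructed parameters 101·103 and e = 4), computes the index d of the subgroup they form, and compares the count in each interval of length N^α with N^α/d. At this size the analytic bound 5 N^{1/2-α} ln N exceeds 1, so the script only shows that the counts sit near N^α/d, not that they meet the slide’s bound; the function names are this example’s own.

```python
"""Density of e-th power residues in short intervals (added illustration).

For N = p*q, the e-th power residues form the image of x -> x^e on
(Z_N)^*, a subgroup of index d.  The slide's theorem says an interval
of length N^alpha (1/2 < alpha < 1) holds about N^alpha / d of them,
with relative error at most 5 * N^(1/2 - alpha) * ln N.
Parameters 101, 103, e = 4 below are constructed for this example.
"""
from math import gcd, log


def power_residues(p: int, q: int, e: int) -> set:
    """The set of e-th power residues modulo N = p*q (units only)."""
    n = p * q
    return {pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1}


def index_of_power_residues(p: int, q: int, e: int) -> int:
    """d = |(Z_N)^*| / |image of x -> x^e|.  For distinct primes this equals
    gcd(e, p-1) * gcd(e, q-1): the units mod p and mod q are cyclic groups,
    and raising to the e-th power has index gcd(e, order) in each."""
    phi = (p - 1) * (q - 1)
    return phi // len(power_residues(p, q, e))


def interval_counts(p: int, q: int, e: int, alpha: float):
    """Number of e-th power residues in each consecutive interval of
    length floor(N^alpha) that fits inside [0, N)."""
    n = p * q
    length = int(n ** alpha)
    residues = power_residues(p, q, e)
    counts = []
    for start in range(0, n - length + 1, length):
        counts.append(sum(1 for x in range(start, start + length) if x in residues))
    return length, counts


def max_relative_deviation(p: int, q: int, e: int, alpha: float) -> float:
    """Largest |count - N^alpha/d| / (N^alpha/d) over the intervals above.
    (The exact mean density is phi(N)/(d*N), marginally below 1/d, because
    non-units are never power residues; the slide's statement uses 1/d.)"""
    d = index_of_power_residues(p, q, e)
    length, counts = interval_counts(p, q, e, alpha)
    expected = length / d
    return max(abs(c - expected) / expected for c in counts)


def slide_bound(n: int, alpha: float) -> float:
    """Relative-error bound from the theorem: 5 * N^(1/2 - alpha) * ln N.
    For a toy N it exceeds 1 and says nothing; for a 1024-bit N and
    alpha = 3/4 it is about 2^-256 * 5 * ln N, i.e. negligible."""
    return 5 * n ** (0.5 - alpha) * log(n)


if __name__ == "__main__":
    p, q, e, alpha = 101, 103, 4, 0.75
    d = index_of_power_residues(p, q, e)
    length, counts = interval_counts(p, q, e, alpha)
    print(f"N={p*q} e={e} d={d} interval length={length} expected ~{length/d:.1f}")
    print("counts per interval:", counts)
    print(f"max relative deviation {max_relative_deviation(p, q, e, alpha):.3f}"
          f" vs slide bound {slide_bound(p*q, alpha):.1f} (vacuous at this size)")
```

For 101·103 and e = 4 the index is d = gcd(4,100)·gcd(4,102) = 8, so the 1275 fourth-power residues make up about one eighth of the units; each of the ten intervals of length 1030 holds roughly 1030/8 ≈ 129 of them, with the spread one expects from a character sum over a short interval. The ESIGN modulus is p^2 q rather than pq, so the script mirrors the theorem as stated on the slide, not the modulus used by the scheme.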
Conclusions (1)
The methodology of provable security is more subtle than it at first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
The first flaw is methodological in character and is related to the security model.
The second is a limitation in the proof that could be overcome by the use of (some) number theory.
Conclusions (2)
It took twenty centuries to design RSA.
It took over twenty years to understand how to practice RSA and get “provable security”.
ESIGN’s provable security took over ten years.
Cryptographic schemes should not be adopted and standardized prematurely, and not without a security proof, at least in the random oracle model.
Also allow some additional time to check and interpret the security proof.