Post on 24-Jul-2019
Introduction Digital signatures Hash-and-Sign RSA Signatures Hashed RSA
John Hancock enters the 21st century: Digital signature schemes
Foundations of Cryptography
Computer Science Department
Wellesley College
Fall 2016
Table of contents
Introduction
Digital signatures
Hash-and-Sign
RSA Signatures
Hashed RSA
Digital signatures
• So far we have dealt only with methods for achieving private communication in the public-key setting.
• We now turn to the question of preserving message integrity.
• The public-key counterpart of message authentication codes (MACs) is known as a digital signature. Digital signatures, like real signatures and unlike MACs, are publicly verifiable, transferable, and have the property of nonrepudiation.
Signature schemes
Definition 12.1. A signature scheme is a tuple of three probabilistic polynomial-time algorithms (Gen, Sign, Vrfy) satisfying the following:
1. The key-generation algorithm Gen takes as input a security parameter $1^n$ and outputs a pair of keys $(pk, sk)$. These are called the public key and the private key, respectively. We assume that $pk$ and $sk$ each have length at least $n$, and that $n$ can be determined from $pk$, $sk$.
2. The signing algorithm Sign takes as input a private key $sk$ and a message $m \in \{0,1\}^*$. It outputs a signature $\sigma$, denoted as $\sigma \leftarrow \mathrm{Sign}_{sk}(m)$.
3. The deterministic verification algorithm Vrfy takes as input a public key $pk$, a message $m$, and a signature $\sigma$. It outputs a bit $b$, with $b = 1$ meaning valid and $b = 0$ meaning invalid. We write $b := \mathrm{Vrfy}_{pk}(m, \sigma)$.
We require that for every $(pk, sk)$ output by $\mathrm{Gen}(1^n)$ and every $m \in \{0,1\}^*$, $\mathrm{Vrfy}_{pk}(m, \mathrm{Sign}_{sk}(m)) = 1$.
Using a signature scheme
[Figure: slide “But at a cost”, reproduced from Public key cryptography 17-26]
*Digital signatures reduce the burden for applications that do not require confidentiality.
*All this depends on A's being able to send B her public key in a reliable and authenticated manner. But isn't that what we are trying to achieve here?
Security of signature schemes
Let $\Pi = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vrfy})$ be a signature scheme.
The signature experiment $\mathrm{Sig\text{-}forge}_{A,\Pi}(n)$:
1. $\mathrm{Gen}(1^n)$ is run to obtain keys $(pk, sk)$.
2. Adversary $A$ is given $pk$ and oracle access to $\mathrm{Sign}_{sk}(\cdot)$. The adversary then outputs $(m, \sigma)$. Let $Q$ denote the set of messages whose signatures were requested by $A$ during its execution.
3. The output of the experiment is defined to be 1 if and only if (1) $\mathrm{Vrfy}_{pk}(m, \sigma) = 1$, and (2) $m \notin Q$.
Definition 12.2. A signature scheme $\Pi = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack if for all PPT adversaries $A$, there exists a negligible function $\mathrm{negl}$ such that
$\Pr[\mathrm{Sig\text{-}forge}_{A,\Pi}(n) = 1] \le \mathrm{negl}(n)$.
The hash-and-sign paradigm
Construction 12.3. Let $\Pi = (\mathrm{Gen}_S, \mathrm{Sign}, \mathrm{Vrfy})$ be a signature scheme for messages of length $\ell(n)$ and let $\Pi_H = (\mathrm{Gen}_H, H)$ be a hash function where the output of $H$ on security parameter $1^n$ has length $\ell(n)$. Construct a signature scheme $\Pi'$ for arbitrary-length messages as follows:
• Gen': On input $1^n$ run $\mathrm{Gen}_S(1^n)$ to obtain $(pk, sk)$ and run $\mathrm{Gen}_H(1^n)$ to obtain $s$. The public key is $pk' = \langle pk, s \rangle$ and the private key is $sk' = \langle sk, s \rangle$.
• Sign': On input a private key $\langle sk, s \rangle$ and a message $m \in \{0,1\}^*$, compute the signature
$\sigma \leftarrow \mathrm{Sign}_{sk}(H^s(m))$.
• Vrfy': On input a public key $\langle pk, s \rangle$, a message $m \in \{0,1\}^*$, and a signature $\sigma$, output 1 if and only if
$\mathrm{Vrfy}_{pk}(H^s(m), \sigma) \stackrel{?}{=} 1$.
Security of the hash-and-sign paradigm
Theorem 12.4. If $\Pi$ is a secure signature scheme for messages of length $\ell$ and $\Pi_H$ is collision resistant, then Construction 12.3 is existentially unforgeable under an adaptive chosen-message attack.
Proof. Let $A'$ be a PPT adversary attacking $\Pi'$. In the execution of experiment $\mathrm{Sig\text{-}forge}_{A',\Pi'}(n)$ let $pk' = \langle pk, s \rangle$ denote the public key used, $Q$ the set of messages whose signatures were requested, and let $(m, \sigma)$ be the final output of $A'$. Assume $m \notin Q$.
Define $\mathrm{coll}_{A',\Pi'}(n)$ to be the event that there exists $m' \in Q$ for which $H^s(m') = H^s(m)$. We have
$\Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1]$
$= \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \mathrm{coll}_{A',\Pi'}(n)] + \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathrm{coll}_{A',\Pi'}(n)}]$
$\le \Pr[\mathrm{coll}_{A',\Pi'}(n)] + \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathrm{coll}_{A',\Pi'}(n)}]$.
A PPT algorithm C for finding a collision in $\Pi_H$
Algorithm $C$. The algorithm is given $s$ as input.
• Compute $\mathrm{Gen}_S(1^n)$ to obtain $(pk, sk)$. Set $pk' = \langle pk, s \rangle$.
• Run $A'$ on input $pk'$. When $A'$ requests the $i$th signature on some message $m_i \in \{0,1\}^*$, compute $\sigma_i \leftarrow \mathrm{Sign}_{sk}(H^s(m_i))$ and give $\sigma_i$ to $A'$.
• Eventually $A'$ outputs $(m, \sigma)$. If there exists an $i$ for which $H^s(m) = H^s(m_i)$, output $(m, m_i)$. (This is a genuine collision because $m \notin Q$, so $m \ne m_i$.)
The view of $A'$ when run as a subroutine by $C$ is distributed identically to the view of $A'$ in experiment $\mathrm{Sig\text{-}forge}_{A',\Pi'}(n)$. Since $C$ outputs a collision when $\mathrm{coll}_{A',\Pi'}(n)$ occurs, we have
$\Pr[\mathrm{Hash\text{-}coll}_{C,\Pi_H}(n) = 1] = \Pr[\mathrm{coll}_{A',\Pi'}(n)]$.
A PPT algorithm A attacking signature scheme $\Pi$
Algorithm $A$. The adversary is given as input a public key $pk$ and has access to a signing oracle $\mathrm{Sign}_{sk}(\cdot)$.
• Compute $\mathrm{Gen}_H(1^n)$ to obtain $s$. Set $pk' = \langle pk, s \rangle$.
• Run $A'$ on input $pk'$. When $A'$ requests the $i$th signature on some message $m_i \in \{0,1\}^*$, this is answered as follows: (1) compute $\hat m_i = H^s(m_i)$; and (2) obtain a signature $\sigma_i$ on $\hat m_i$ from the signing oracle, and give $\sigma_i$ to $A'$.
• Eventually $A'$ outputs $(m, \sigma)$. Output $(H^s(m), \sigma)$.
Consider the experiment $\mathrm{Sig\text{-}forge}_{A,\Pi}(n)$. The view of $A'$ when run as a subroutine by $A$ is distributed exactly as its view in experiment $\mathrm{Sig\text{-}forge}_{A',\Pi'}(n)$. Whenever both $\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1$ and $\overline{\mathrm{coll}_{A',\Pi'}(n)}$ occur, $A$ outputs a forgery: $\sigma$ is a valid signature on $H^s(m)$ under $pk$, and since $H^s(m) \ne H^s(m_i)$ for every $m_i$ that $A'$ asked about, $A$ never queried $H^s(m)$ to its own signing oracle. Hence
$\Pr[\mathrm{Sig\text{-}forge}_{A,\Pi}(n) = 1] = \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathrm{coll}_{A',\Pi'}(n)}]$.
Concluding the proof
Since $\Pi_H$ is collision resistant and $\Pi$ is existentially unforgeable under an adaptive chosen-message attack, there exist negligible functions $\mathrm{negl}_1$, $\mathrm{negl}_2$ such that
$\Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1]$
$= \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \mathrm{coll}_{A',\Pi'}(n)] + \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathrm{coll}_{A',\Pi'}(n)}]$
$\le \Pr[\mathrm{coll}_{A',\Pi'}(n)] + \Pr[\mathrm{Sig\text{-}forge}_{A',\Pi'}(n) = 1 \wedge \overline{\mathrm{coll}_{A',\Pi'}(n)}]$
$= \Pr[\mathrm{Hash\text{-}coll}_{C,\Pi_H}(n) = 1] + \Pr[\mathrm{Sig\text{-}forge}_{A,\Pi}(n) = 1]$
$\le \mathrm{negl}_1(n) + \mathrm{negl}_2(n)$.
“Textbook RSA” signature scheme*
[Figure: slide “Authentication”, reproduced from Public key cryptography 17-19]
*Recall that Diffie and Hellman were also interested in addressing authentication.
*As shown in many standard texts.
“Textbook RSA” signature scheme construction
Construction 12.5. Let $\mathrm{GenRSA}$ be a PPT algorithm that, on input $1^n$, outputs a modulus $N$ that is a product of two primes, along with integers $e, d$ satisfying $ed = 1 \bmod \phi(N)$.
• Gen: On input $1^n$ run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$.
• Sign: On input a private key $sk = \langle N, d \rangle$ and a message $m \in \mathbb{Z}_N^*$, compute the signature
$\sigma := [m^d \bmod N]$.
• Vrfy: On input a public key $pk = \langle N, e \rangle$, a message $m \in \mathbb{Z}_N^*$, and a signature $\sigma \in \mathbb{Z}_N^*$, output 1 if and only if
$m \stackrel{?}{=} [\sigma^e \bmod N]$.
“Textbook RSA” does not satisfy our security definition
No-message attack. Given a public key $pk = \langle N, e \rangle$, choose an arbitrary $\sigma \in \mathbb{Z}_N^*$ and compute $m := [\sigma^e \bmod N]$. Then output the forgery $(m, \sigma)$.*
Remark. This does not seem like a realistic attack since the adversary has “no control” over the message $m$ for which it forges a valid signature. Or does she?
*This forgery uses only the public key, without obtaining any signatures from the legitimate signer.
A more general attack
Forging a signature on an arbitrary message. Say the adversary wants to forge a signature on $m \in \mathbb{Z}_N^*$ with respect to public key $pk = \langle N, e \rangle$. The adversary chooses a random message $m_1 \in \mathbb{Z}_N^*$, sets $m_2 := [m \cdot m_1^{-1} \bmod N]$, and then obtains signatures $\sigma_1$ and $\sigma_2$ on $m_1$ and $m_2$ respectively.
Claim. $\sigma := [\sigma_1 \cdot \sigma_2 \bmod N]$ is a valid signature on $m$, since $\sigma^e = \sigma_1^e \cdot \sigma_2^e = m_1 \cdot m_2 = m \bmod N$.
*Again, how realistic is this scenario?
One solution: Hashing the message before signing it
The hashed RSA signature scheme. In addition to the public and private keys already discussed, we are given a function $H : \{0,1\}^* \to \mathbb{Z}_N^*$. The message is signed by computing $\sigma := [H(m)^d \bmod N]$ and verified by checking whether
$\sigma^e \stackrel{?}{=} H(m) \bmod N$.
*At a bare bones minimum, H had better be collision-resistant. Why?
The RSA-FDH signature scheme
Construction 12.6. Let $\mathrm{GenRSA}$ be a PPT algorithm that, on input $1^n$, outputs a modulus $N$ that is a product of two primes, along with integers $e, d$ satisfying $ed = 1 \bmod \phi(N)$.
• Gen: On input $1^n$ run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$. The public key is $\langle N, e \rangle$ and the private key is $\langle N, d \rangle$. As part of the key generation, a function $H : \{0,1\}^* \to \mathbb{Z}_N^*$ is specified.
• Sign: On input a private key $sk = \langle N, d \rangle$ and a message $m \in \{0,1\}^*$, compute the signature
$\sigma := [H(m)^d \bmod N]$.
• Vrfy: On input a public key $pk = \langle N, e \rangle$, a message $m \in \{0,1\}^*$, and a signature $\sigma \in \mathbb{Z}_N^*$, output 1 if and only if
$\sigma^e \stackrel{?}{=} H(m) \bmod N$.
Security of Hashed RSA
There is some intuition as to why the previous attacks seem unlikely to work.
The no-message attack. One natural attempt is to choose $\sigma \in \mathbb{Z}_N^*$, compute $\hat m := [\sigma^e \bmod N]$, then try to find some $m \in \{0,1\}^*$ such that $H(m) = \hat m$. This requires inverting $H$ on a value the adversary does not control.
Forging a signature on an arbitrary message. One attempt to duplicate the chosen-message attack requires the adversary to find three messages $m, m_1, m_2$ for which $H(m) = [H(m_1) \cdot H(m_2) \bmod N]$.
Finally, it must be hard to find collisions in $H$, since if $H(m_1) = H(m_2)$ then $m_1, m_2$ have the same signature and forgery is trivial.
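The following Python script is an added example; it is not code from the lecture or from the textbook it follows. It implements Construction 12.5 (textbook RSA), the no-message forgery and the multiplicative chosen-message forgery from the two preceding slides, and then the hashed RSA scheme of Construction 12.6, with SHA-256 reduced modulo $N$ standing in for $H$, to show that the multiplicative forgery no longer verifies. The primes, the public exponent and the sample messages are constructed for the demonstration; the key is far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Added example, not code from the lecture. Toy RSA key with fixed primes so
# the script runs instantly; a real GenRSA draws ~1024-bit primes.
P, Q = 104729, 1299709                 # two primes, constructed for the demo
N = P * Q
PHI_N = (P - 1) * (Q - 1)
E = 65537
assert gcd(E, PHI_N) == 1
D = pow(E, -1, PHI_N)                  # e*d = 1 mod phi(N); needs Python >= 3.8


def random_unit() -> int:
    """Uniform element of Z_N^* by rejection sampling."""
    while True:
        x = secrets.randbelow(N)
        if gcd(x, N) == 1:
            return x


# ---- Construction 12.5: textbook RSA ---------------------------------------
def textbook_sign(m: int) -> int:
    return pow(m, D, N)                # sigma := m^d mod N


def textbook_verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N   # m =? sigma^e mod N


def no_message_forgery():
    """Forge with the public key alone: pick sigma, let m := sigma^e mod N."""
    sigma = random_unit()
    return pow(sigma, E, N), sigma


def multiplicative_forgery(m: int, sign_oracle) -> int:
    """Forge on a chosen m using two signing queries, on m1 and m2 = m/m1."""
    m1 = random_unit()
    m2 = (m * pow(m1, -1, N)) % N
    sigma1, sigma2 = sign_oracle(m1), sign_oracle(m2)
    return (sigma1 * sigma2) % N       # (m1*m2)^d = m^d mod N


# ---- Hashed RSA (Construction 12.6 with SHA-256 standing in for H) ---------
def H(m: bytes) -> int:
    # Stand-in for the random oracle onto Z_N: SHA-256 output reduced mod N.
    # N here is ~37 bits, so the reduction is nearly uniform; a real FDH needs
    # a hash output as wide as N (e.g. built from a mask generation function).
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def hashed_sign(m: bytes) -> int:
    return pow(H(m), D, N)             # sigma := H(m)^d mod N


def hashed_verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == H(m)    # sigma^e =? H(m) mod N


def multiplicative_forgery_fails(m: bytes, m1: bytes, m2: bytes) -> bool:
    """Port the attack above to hashed RSA: sigma1*sigma2 verifies on m only
    if H(m) = H(m1)*H(m2) mod N, a relation the hash does not cooperate with."""
    forged = (hashed_sign(m1) * hashed_sign(m2)) % N
    return not hashed_verify(m, forged)


if __name__ == "__main__":
    m, sigma = no_message_forgery()
    print("no-message forgery verifies:", textbook_verify(m, sigma))
    target = 123456789                 # constructed target message in Z_N
    print("chosen-message forgery verifies:",
          textbook_verify(target, multiplicative_forgery(target, textbook_sign)))
    print("hashed RSA rejects the product of two signatures:",
          multiplicative_forgery_fails(b"pay 10", b"hello", b"world"))
```

The textbook forgeries succeed for every run because verification is purely algebraic; the hashed variant fails them because the adversary would have to find three messages whose hash values satisfy the multiplicative relation, which is exactly the intuition of the next slides.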
Good news and bad
• There is no known function $H$ for which the hashed RSA signature scheme is known to be secure.
• However, hashed RSA is provably secure in an idealized model where $H$ is modeled as a random oracle that maps inputs uniformly onto $\mathbb{Z}_N^*$. In this case the scheme is called RSA full-domain hash (RSA-FDH).
• This provides a heuristic justification of the scheme when $H$ is a “random-looking” hash function.
Security of RSA-FDH
Theorem 12.7. If the RSA problem is hard relative to $\mathrm{GenRSA}$ and $H$ is modeled as a random oracle, then Construction 12.6 is secure.
Proof idea. Consider first security against a no-message attack.* The adversary is limited to queries to the random oracle $H$.
We assume WLOG that $A$ always makes exactly $q$ (distinct) queries to $H$ and that if it outputs a forgery $(m, \sigma)$ then it previously queried $m$ to $H$.
Suppose there is an efficient no-message adversary $A$ that makes exactly $q$ queries to $H$. We construct an efficient $A'$ solving RSA relative to $\mathrm{GenRSA}$.
*That is, when $A$ cannot request any signatures.
Recall GenRSA
Algorithm 8.47. GenRSA
Input: Length $n$; parameter $t$
Output: $N, e, d$ as described below
$(N, p, q) \leftarrow \mathrm{GenModulus}(1^n)$*
$\phi(N) := (p-1)(q-1)$
find $e$ such that $\gcd(e, \phi(N)) = 1$
compute $d := [e^{-1} \bmod \phi(N)]$**
return $N, e, d$
*$N = pq$ with $p, q$ $n$-bit primes.
**Such an integer $d$ exists since $e$ is invertible modulo $\phi(N)$.
And recall what “RSA is hard relative to GenRSA” means
The RSA experiment $\mathrm{RSA\text{-}inv}_{A,\mathrm{GenRSA}}(n)$:
1. Run $\mathrm{GenRSA}(1^n)$ to obtain $(N, e, d)$.
2. Choose $y \leftarrow \mathbb{Z}_N^*$ uniformly.
3. $A$ is given $N, e, y$, and outputs $x \in \mathbb{Z}_N^*$.
4. The output of the experiment is defined to be 1 if $x^e = y \bmod N$, and 0 otherwise.
Definition 8.46. We say that the RSA problem is hard relative to $\mathrm{GenRSA}$ if for all probabilistic polynomial-time algorithms $A$ there exists a negligible function $\mathrm{negl}$ such that
$\Pr[\mathrm{RSA\text{-}inv}_{A,\mathrm{GenRSA}}(n) = 1] \le \mathrm{negl}(n)$.
Construction of adversary A0
Adversary $A'$: The adversary is given $(N, e, y)$.
1. $A'$ runs $A$ on the public key $pk = \langle N, e \rangle$.
2. Let $m_1, \ldots, m_q$ denote the $q$ queries $A$ makes to $H$. $A'$ answers these with uniform elements of $\mathbb{Z}_N^*$, except for the $i$th, which is answered with $y$ ($i$ is chosen uniformly from $\{1, \ldots, q\}$).
3. If $A$ outputs a forgery $(m, \sigma)$, then $A'$ outputs $\sigma$ as the solution to the RSA instance $(N, e, y)$.
$A$'s point of view when run as a subroutine of $A'$ is distributed identically to its view when attacking the original signature scheme. If $A$ outputs a forgery $(m, \sigma)$, then with probability $1/q$, $m = m_i$ and
$\sigma^e = H(m) = H(m_i) = y \bmod N$,
and $A'$ can output $\sigma$ as the solution to its RSA instance $(N, e, y)$.
But what about the case when A can request signatures?
• Adversary $A'$ does not have access to the decryption exponent $d$, but needs to compute valid signatures for subroutine $A$.
• However, $A'$ can correctly compute a signature on a message $m$ as long as it sets $H(m)$ to $[\sigma^e \bmod N]$ for a known $\sigma$, which it then hands to $A$ as the signature.
• If $\sigma$ is uniform in $\mathbb{Z}_N^*$, then so is $[\sigma^e \bmod N]$ (raising to the $e$th power is a permutation of $\mathbb{Z}_N^*$), so the random oracle is properly emulated by $A'$.
• This intuition is formalized in a proof given in the text.
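As an added example, not taken from the lecture or the textbook, the Python class below plays the role of the simulator $A'$ from Theorem 12.7 and the slide above, for a toy modulus. It answers each fresh $H$-query by choosing a uniform $\sigma$ and programming $H(m) := \sigma^e \bmod N$, answers signing queries from the stored $\sigma$ without ever knowing $d$, plants the challenge $y$ at the $i$th distinct $H$-query (aborting if asked to sign that message), and extracts an $e$th root of $y$ from a forgery on it. The modulus $N = 3233$, the exponent and the query index are constructed for the demo; `rsa_is_permutation` checks by brute force the fact the slide relies on, that $x \mapsto x^e$ permutes $\mathbb{Z}_N^*$, so a uniform $\sigma$ gives a uniform $H(m)$.

```python
import secrets
from math import gcd

# Added example, not from the lecture notes. Toy RSA public key; the
# simulator below is given only (N, e) and a challenge y, never d.
N, E = 3233, 17                     # N = 61 * 53, constructed for the demo


def random_unit() -> int:
    """Uniform element of Z_N^* (rejection sampling)."""
    while True:
        x = secrets.randbelow(N)
        if gcd(x, N) == 1:
            return x


def rsa_is_permutation() -> bool:
    """x -> x^e mod N permutes Z_N^*, so a uniform sigma yields a uniform
    sigma^e: this is why the programmed H below has the right distribution."""
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    return sorted(pow(x, E, N) for x in units) == units


class Simulator:
    """Adversary A' of Theorem 12.7, extended to signing queries: it serves
    the forger's H-queries and signing queries using only (N, e, y), plants
    y at the i-th distinct H-query and keeps an e-th root of every other
    H value so that it can sign without d."""

    def __init__(self, y: int, i: int):
        self.y, self.i = y, i
        self.h = {}            # m -> programmed value H(m)
        self.root = {}         # m -> sigma with sigma^e = H(m) (absent for the i-th)

    def H(self, m: bytes) -> int:
        if m not in self.h:
            if len(self.h) == self.i - 1:         # i-th fresh query: plant y
                self.h[m] = self.y
            else:
                sigma = random_unit()             # sigma uniform => sigma^e uniform
                self.root[m] = sigma
                self.h[m] = pow(sigma, E, N)      # H(m) := sigma^e mod N
        return self.h[m]

    def sign(self, m: bytes) -> int:
        """Signing oracle without d: return the stored root of H(m)."""
        self.H(m)
        if m not in self.root:
            raise RuntimeError("abort: forger asked to sign the challenge message")
        return self.root[m]

    def extract(self, m: bytes, sigma: int):
        """Given the forger's (m, sigma): if it verifies and m is the message
        carrying y, sigma is an e-th root of y, i.e. the RSA solution."""
        if self.H(m) == self.y and pow(sigma, E, N) == self.y:
            return sigma
        return None


def verify(sim: Simulator, m: bytes, sigma: int) -> bool:
    """RSA-FDH verification relative to the simulated oracle."""
    return pow(sigma, E, N) == sim.H(m)


if __name__ == "__main__":
    # The challenger builds y from a root it knows; the simulator never sees x.
    x = 1234
    sim = Simulator(pow(x, E, N), i=2)
    print("permutation:", rsa_is_permutation())
    print("simulated signature verifies:", verify(sim, b"a", sim.sign(b"a")))
    sim.H(b"challenge")                               # second fresh query gets y
    print("root recovered from forgery:", sim.extract(b"challenge", x) == x)
```

Every signature the simulator hands out verifies under its own oracle, and the forger cannot tell a programmed $H$ from a truly random one; the only thing it cannot do is sign the one message that carries $y$, which is the $1/q$ loss in the reduction.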