Summary
• A short introduction to “provable security”
• The ESIGN signature scheme
• Difficulties with the security proof
• Density of power residues
• Conclusions
Kerckhoffs’ Principles (Kerckhoffs 1883, translated from the French)
• 1° The system must be practically, if not mathematically, indecipherable;
• 2° The system must not require secrecy, and must be able to fall into the enemy’s hands without drawback;
Public key cryptography (DH 1976, RSA 78)
• Bob has a pair of related keys:
• A public key ke known to anyone, including Alice
• A private key kd known only to Bob
• Kerckhoffs’ extended second principle: “The encryption key must be able to fall into the enemy’s hands without drawback”
Provable security (GM84, GMR88)
• Attempts to mathematically establish security
• Kerckhoffs’ extended first principle: “The system must be mathematically indecipherable”
“Practical” provable security (FS86, BR93)
• The “random oracle” methodology mediates between practice and mathematics
• It substitutes truly random functions for hash functions and averages over these
• Very efficient, and now requested to support emerging standards (IEEE P1363, Cryptrec, NESSIE, ISO)
The limits of provable security
• Provable security does not yield proofs: proofs are relative, and proofs often use random oracles, whose meaning is debatable (CGH98)
• Still, provable security is a means to provide some form of guarantee that a crypto scheme is not flawed
Provable security in five steps
• 1 Define the goal of the adversary
• 2 Define the security model
• 3 Provide a proof by reduction
• 4 Check the proof
• 5 Interpret the proof
Signature Scheme (formal)
• Key Generation Algorithm G: outputs a signing key ks and a verification key kv
• Signature Algorithm S: from ks and a message m, produces a signature
• Verification Algorithm V: from kv, m and the signature, outputs 0/1
• Non-repudiation: impossible to forge a valid signature without ks
Goal of the adversary (1)
• Existential Forgery: try to forge a valid message-signature pair without the private key
• The adversary is successful if the probability of doing so is large
Security models (2)
• No-Message Attacks: the adversary only knows the verification (public) key
• Known-Message Attacks (KMA): the adversary has access to a list of message/signature pairs
• Chosen-Message Attacks (CMA): the messages are adaptively chosen by the adversary (the strongest attack)
Proof by Reduction (3)
• Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P
• Reduction: given an instance I of P, run A and turn its output into a solution of I
ESIGN (O90): a signature scheme designed in the late ’90s and considered in IEEE P1363, Cryptrec and NESSIE, together with a security proof
• Uses RSA integers of the form n = p^2 q
• Based on the Approximate e-th root problem: given y, find x such that y ≈ x^e mod n
• Signature generation is a very efficient way to compute the signature x, given y whose 1/3 leading bits are H(m) and the rest 0
ESIGN
• Signature generation relies on the fact that, for random r and variable t, (r + t·pq)^e mod n ranges over an arithmetic progression, so that one simply adjusts t to fall into a prescribed interval of length pq
• Thus signing only requires raising to the e-th power
• Even (slightly) more efficient for e = 2^u
Checking proof (4): the proof is not correct in the CMA model
• Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (reduction: an instance I of P is turned into a solution of I by running A)
Overlooked: submit a message twice? (SPMS 02)
• In a probabilistic signature scheme, several signatures may correspond to a message
• In the usual definition of Existential Forgery under Chosen-Message Attacks (CMA), the adversary can repeatedly submit a message. Otherwise, the model is weaker:
• Single-Occurrence Chosen-Message Attacks (SO-CMA): each message m can be submitted only once; this produces a signature, and (m, signature) is added to the list of messages.
Checking proof (4): the proof is not correct for e a power of two
• Let A be an adversary that breaks the ESIGN scheme; then A can be used to solve the approximate e-th root problem P (reduction: an instance I of P is turned into a solution of I by running A)
Overlooked: correct simulation of the random oracle
• In the security proof, a key step “simulates” a random oracle so that the signature of a requested message can be produced by simulation (i.e. without the secret key)
• The simulation picks r at random and “declares” that H(m) consists of the 1/3 leading bits of r^e mod n. This makes r a signature of m.
• One needs to prove that this correctly simulates a random function: not obvious when e = 2^u
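The signing trick from the ESIGN slides (adjusting t so that (r + t·pq)^e mod n lands in the prescribed interval) and the oracle simulation from the proof, as an added toy implementation that is not code from the talk or from the ESIGN standard. The primes, e = 4 and the hash length rule HBITS = B − 3 (chosen so that the target interval never wraps modulo n) are my own constructed assumptions; real ESIGN uses a modulus of around 1000 bits.

```python
import hashlib
import secrets

# Toy ESIGN instance (constructed values for illustration; real ESIGN uses a ~1000-bit n).
P, Q = 1000003, 1000033      # two 20-bit primes, so p, q lie in [2^19, 2^20)
N = P * P * Q                # ESIGN modulus n = p^2 q
E = 4                        # e = 2^u, the power-of-two case the talk discusses
B = P.bit_length()           # 20: pq < 2^(2B) and n >= 2^(3B-3)
HBITS = B - 3                # hash length (assumption) chosen so that y + pq < n: no wrap mod n

def H(msg: bytes) -> int:
    """Hash to HBITS bits: the leading '1/3' of the target value y."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - HBITS)

def sign(msg: bytes) -> int:
    """Signer (knows p, q): find x with x^e mod n in [y, y + pq), where y = H(m) * 2^(2B)."""
    pq = P * Q
    y = H(msg) << (2 * B)
    while True:                                  # random r < pq with gcd(r, p) = 1
        r = secrets.randbelow(pq - 1) + 1
        if r % P:
            break
    z = pow(r, E, N)
    w = -((z - y) // pq)                         # ceil((y - z) / pq): pq-steps from z up to y
    # (r + t*pq)^e = r^e + e*r^(e-1)*t*pq (mod n) because (pq)^2 = 0 mod p^2 q, so the
    # values form an arithmetic progression with step pq; choosing t with
    # e*r^(e-1)*t = w (mod p) makes x^e mod n land exactly on z + w*pq, inside [y, y + pq).
    t = (w * pow(E * pow(r, E - 1, P), -1, P)) % P
    return r + t * pq

def verify(msg: bytes, x: int) -> bool:
    """Verifier: needs only the public (n, e); checks the leading bits of x^e mod n."""
    return 0 < x < N and (pow(x, E, N) >> (2 * B)) == H(msg)

def simulate(msg: bytes) -> tuple:
    """Random-oracle simulation from the proof (no secret key): pick r at random and
    'declare' H(m) to be the leading bits of r^e mod n, which makes r a signature of m.
    Retries until the declared value fits the oracle's HBITS-bit range; whether such
    values are distributed like a random function is exactly the point at issue."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        h = pow(r, E, N) >> (2 * B)
        if h < (1 << HBITS):
            return r, h
```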
Completing the proof when e = 2^u
• Need to show that the density of power residues is almost uniform in any large enough interval
• Theorem. Let N be an RSA modulus, N = pq; the number of e-th power residues modulo N in any interval of length N^α, 1/2 < α < 1, is very close to N^α / d, where d is the index of the group of power residues, and “very close” means that the relative difference is bounded by 5 N^(1/2 − α) ln(N).
Completing the proof
• We have two proofs:
• The first uses two-dimensional lattices and yields slightly worse bounds.
• The second (found afterwards) uses the so-called Pólya-Vinogradov inequality, which states that, for any non-principal Dirichlet character χ over (Z_N)*, and any integer h, |Σ_{1 ≤ x ≤ h} χ(x)| ≤ 2 ln(N) √N.
• This is enough to complete the security proof when e is not prime to φ(n).
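The density theorem above, checked numerically on a toy modulus (an added example, not from the talk): brute-force the set of e-th power residues modulo N = pq, compute the index d = gcd(e, p−1)·gcd(e, q−1) of the subgroup of e-th powers in (Z/NZ)*, and compare the count in each interval of length N^α with N^α / d. The primes 1009 and 1013 are constructed toy values; at this size the bound 5 N^(1/2−α) ln N exceeds 1 and says nothing, which the code reports alongside the observed deviation.

```python
from math import gcd, log

def power_residues(e: int, p: int, q: int) -> set:
    """Brute-force set of e-th power residues mod N = pq over the units (toy sizes only)."""
    n = p * q
    return {pow(x, e, n) for x in range(1, n) if gcd(x, n) == 1}

def index_d(e: int, p: int, q: int) -> int:
    """Index of the subgroup of e-th powers in (Z/NZ)*: gcd(e, p-1) * gcd(e, q-1) by CRT,
    since the e-th powers in a cyclic group of order p-1 have index gcd(e, p-1)."""
    return gcd(e, p - 1) * gcd(e, q - 1)

def interval_density(e: int, p: int, q: int, alpha: float) -> tuple:
    """Slice [0, N) into intervals of length N^alpha and compare residue counts with N^alpha / d.
    Returns (worst relative deviation observed, the theorem's bound 5 N^(1/2-alpha) ln N)."""
    n = p * q
    residues = power_residues(e, p, q)
    length = int(n ** alpha)
    expected = length / index_d(e, p, q)
    worst = 0.0
    for start in range(0, n - length + 1, length):
        count = sum(1 for v in range(start, start + length) if v in residues)
        worst = max(worst, abs(count - expected) / expected)
    return worst, 5 * n ** (0.5 - alpha) * log(n)

if __name__ == "__main__":
    P, Q, E = 1009, 1013, 4          # constructed toy primes; e = 2^u as in the ESIGN case
    print("d =", index_d(E, P, Q), " residues:", len(power_residues(E, P, Q)))
    print("worst relative deviation, theorem bound:", interval_density(E, P, Q, 0.75))
```

The exact size of the residue set is φ(N)/d, which the brute force reproduces; the per-interval deviation stays small even though the stated bound is vacuous for a million-sized N.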
Conclusions (1)
• The methodology of provable security is more subtle than it first appears, even in the random oracle setting: we have shown several potential flaws in the security proof of ESIGN.
• The first flaw is methodological in character and is related to the security model.
• The second is a limitation in the proof that could be overcome by use of (some) number theory.
Conclusions (2)
• It took twenty centuries to design RSA
• It took over twenty years to understand how to practice RSA and get “provable security”
• ESIGN’s provable security took over ten years
• Cryptographic schemes should not be adopted and standardized prematurely
• And not without a security proof, at least in the random oracle model
• Also allow some additional time to check and interpret the security proof