Download
1 / 30
310 likes | 439 Vues
Seminar Presentation on Notions of Security. January 18, 2008 COSEC@B-IT, Bonn, Germany. SECURITY NOTIONS FOR SIGNATURE SCHEMES : THE GHR SECURITY PROOF. Presented By S. M. Masud Karim Supervised By Prof. Joachim von zur Gathen Ms Laila El Aimani. Outline of the Talk.
E N D
Seminar Presentation onNotions of Security S M Masud Karim January 18, 2008 COSEC@B-IT, Bonn, Germany
SECURITY NOTIONS FOR SIGNATURE SCHEMES:THE GHR SECURITY PROOF S M Masud Karim Presented By S. M. Masud Karim Supervised By Prof. Joachim von zur Gathen Ms Laila El Aimani
Outline of the Talk S M Masud Karim Introduction to Digital Signature Schemes Why Reductionist Security? Security Notions Mathematical Assumptions The Strong RSA Problem The Gennaro-Halevi-Rabin Signature Scheme Reduction of SRSA Problem to breaking the GHR Signature Scheme in the strongest sense provided by Security Notion.
Digital Signature S M Masud Karim An handwritten signature allows to relate an individual to a specific document. Besides, a signature ► can be verified by anyoneagainst an authenticated signature taken as reference, thereby conferring a legal value to the signed document, ► should be physically impossible to forge. In comparison, a digital signature allows to relate an individual to a specific file and ► can be verified by anyone by public means, which also provides a legal value to the signed file, ► should be computationally impossible to forge, thereby conferring non-repudiation.
Digital Signature Scenarios S M Masud Karim Utilization of message authentication scheme Decryption Singing Encryption Verifying ► Symmetric Key Scenario (... symmetric private key sk) ■ authenticity √ ■integrity √ ■non-repudiation ■universally verifiable ► Public Key Scenario (...public key pk, private key sk) ■ authenticity √ ■integrity √ ■non-repudiation √ ■universally verifiable √
Digital Signature Scheme S M Masud Karim ► Alice generates a public/private key pair (pk, sk) by running a probabilistic key generation algorithmG(|pk|), |pk| being the security parameter. Alice outputs (publishes) pk. ► Whenever Alice wishes to sign a digital document m, she computes the signature s = S(sk, m) where S is the (possibly probabilistic) signing algorithm. She outputs s and maybe also m. ► Bob can verify that s is a signature of m output by Alice by running the verification algorithmV(pk, m, s) returning 1 if s = S(sk, m) or 0 otherwise. The cryptographic system given by the triple (G, S,V) is called a signature scheme.
Taxonomy of Signatures S M Masud Karim The description of (G, S,V) includes function domains (message, signature and key spaces). Signature schemes are usually classified according to the following specific features: ► a signature scheme is said randomized or probabilistic (resp. deterministic) when S is probabilistic (resp. deterministic), ► V is deterministic and gives Boolean responses (true or false) during verification, ► schemes, wherein message m is appended to signature s, are sometimes called signature schemes with appendix.
Why Reductionist Security? S M Masud Karim Once a signature scheme (or a cryptosystem ) is described, how can its security be proved? ►by trying to exhibit an attack ■attack found system insecure! ■ attack not found ?? ► by proving that no attack exists under some assumptions ■attack found false assumption Important: The assumption has to be reasonable.
How to Get a Security Proof? S M Masud Karim To get a security proof, one needs to Step 1: Formally define the security notion to achieve, Step 2: Make precise mathematical assumptions, Step 3: Design a signature scheme (or a cryptosystem) and describe its operational modes, Step 4: Exhibit a reduction from assumption’s underlying problem to breaking the scheme in the sense defined by the security notion. To prove a problem A is reducible to another problem B, it is needed to show an algorithm (with polynomial resources) that solves A with access to an oracle that solves B. It is denoted by A B or A B.
Security Notions S M Masud Karim A security notion (or level) is entirely defined by pairing an adversarial goal with an adversarial model. Depending on the context in which a given signature scheme (or cryptosystem) is used, one may formally define a security notion , ► by telling what goal an adversary would attempt to reach (the adversarial goal), and ► what means or information are made available to the attacker (the adversarial or attack model).
Security Goals S M Masud Karim ► Unbreakability: The attacker recovers the secret key sk from the public key pk (or an equivalent key if any). This goal is denoted UB. Implicitly appeared with public-key signature scheme (or cryptography). ►Universal Unforgeability: The attacker, without necessarily having recovered sk, can produce a valid signature s of any message m in the message space. Noted UUF. ►Existential Unforgeability: The attacker creates a message m and a valid signature s of it (with no control over the message). Denoted EUF.
Security Models S M Masud Karim ► Key-Only Attacks: The adversary only has access to the public key pk. This is denoted KOA. Unavoidable scenario in public-key signature scheme (or cryptography). ►Known Message Attacks: Where an adversary has access to signatures for a set of known messages. Noted KMA. ►Chosen Message Attacks: Here the adversary is allowed to use the signer as an oracle (full access), and may request the signature of any message of his choice (multiple requests of the same message are allowed). Denoted CMA.
Security Notions for Signature S M Masud Karim
Security Notions for Signature (contd.) S M Masud Karim Because EUF-CMA is the upper security level, it is desirable to prove security with respect to this notion. Formally, an signature scheme is said to be (q, ,)-secure if for any adversary A with running time upper-bounded by , SuccEUF-CMA(A) = Pr where the probability is taken over all random choices. The notation AS(sk,·)means that the adversary has access to a signing oracle throughout the game, but at most q times. The message m* output by A was never requested to the signing oracle.
Security Notions for Signature (contd.) S M Masud Karim
Mathematical Assumptions S M Masud Karim Public-key design allows to construct systems by assembling and connecting smaller cryptographic or atomic primitives together. For example: one-way functions, hash functions, arithmetic operations etc. Cryptographic primitives are connected to plenty of (supposedly) intractable problems: ► Strong RSA (SRSA)is hard, ► Discrete log is hard, ► Diffie-Hellman is hard, ► Factoring is hard, Hard = no PPT (probabilistic polynomial time) algorithm can solve the problem with non-negligible probability.
The Strong RSA Problem S M Masud Karim Strong RSA Problem: let n = pq be a safe RSA modulus and z Z*n. Find x and e such that z = xe mod n with (x, e) (z, 1). An algorithm R is said to (R, R)-solve the SRSA problem if in at most R operations, Pr where the probability is taken over R’s random tapes and the distribution of (n, z). Strong RSA Assumption: for any (R, R)- solver, . R ≤ poly(k) R=negl(k)
The GHR Signature Scheme S M Masud Karim Gennaro-Halevi-Rabin (GHR), short message variant. [1]. Generate a safe RSA modulus n = pq with p = 2p’ + 1, q = 2q’ + 1. Randomly select zZ*n . Let H: {0, 1}lPrimes ≥ 3 and p’, q’be a collision-free hash function (l = 30). Publish (n, z). Keep (p, q) private. [2]. To sign a message m {0, 1}l, compute s = z1/H(m) mod n. [3]. Given (m, s), check whether sH(m) = z mod n.
Reduction S M Masud Karim In order to proof that, SRSAEUF-CMA(GHR), it is needed to show that breaking EUF-CMA(GHR) allows to solve SRSA, i.e., that an adversary breaking GHR can be used as a black box tool to answer SRSA requests with non-negligible probability. Probability Spaces: The reduction has to simulate the attacker’s environment in a way that preserves (or does not alter too much) the distribution of all random variables which interact with it.
Reduction (Contd.) S M Masud Karim The reduction R will behave as follows. ► R is given n RSA(1k) and zZ*n, as well as an attacker A that (q, A, A)-solves EUF-CMA(GHR), ► R simulates G and transmits pk to A, ► R receives signature queries from A: R will have to simulate a signing oracle with respect topkat most q times, ► A outputs a forgery (m^, s^) for GHR with probability A, ► R outputs non-trivial (x, e) such that z = xe mod n. ► R will provide a perfect simulation and (R, R)-solve SRSA with
Simulation of Oracles S M Masud Karim
Simulation of G S M Masud Karim ► For each message mi {0, 1}l, compute H(mi). Set E = ► Compute y = zE mod n and send the GHR public key (n, y) to A. Since n RSA(1k) (external to R) and zZ*n (external to R) are random choices, and zzEis one-to-one {as E and (n) are co-prime, f(z) =zEmod n is a bijection}, (n, y) is perfectly indistinguishable from a random GHR public key (n RSA(1k), yZ*n). Therefore, the simulation of G is perfect.
Simulation of S and V S M Masud Karim Simulation of S When A requests the signature of a message mi, send si = zE/H(mi) mod n. Knowing z and E, it is easy to extract a H(mi)-th root of y for any mi. A’s queries can be answered with perfectly valid signatures. Therefore, the simulation of S is perfect. Simulation of V The signature si is verified using siH(mi) = zE mod n. The simulation of V is trivial.
Forgery on Simulation of Oracles S M Masud Karim The simulation of the attacker’s environment is perfect: Pr[A forges] ≥ A Now, the forgery output by A with probability A will be (m^, s^) where m^ is from the given message space and s^ = zE/H(m^) mod n. But it is mentioned earlier that with known z and E, R could have computed the forgery. Besides, the forgery must help R to get good solution for (x, e). As the forgery is not new and provides no clue to the solution for (x, e), it is not possible for R to come up with positive response.
Alternative Simulation S M Masud Karim Simulation of G ►Choose i {1, 2, ... ..., 2l} uniformly at random. ► For each message mj {0, 1}l, compute H(mj). Set E = ► Compute y = zE mod n and send the GHR public key (n, y) to A. The simulation of G is also perfect.
Alternative Simulation (contd.) S M Masud Karim Simulation of S When A requests the signature of a message mi, ► If ji, send si = zE/H(mj) mod n. ► If j =i, abort the simulation experiment A’s queries can be answered with perfectly valid signatures except when the query message is mi. Since i is chosen in [1, 2l] independently from the attacker’s view, the probability of perfect simulation is Pr[mi Queries(A)]
Forgery on Alternative Simulation S M Masud Karim Assume that at the end of the game, A outputs (mi, s) as a forgery. Then sH(mi) = y = zE mod n As H(mi) and E are co-prime, the Bézout theorem says there must be a and b such that aH(mi) + bE = 1. Using the Extended Euclidian Algorithm, the values of a and b can easily be computed. Now, Finally, R sets x = zasb and e = H(mi) and outputs a genuine solution (x, e).
Analysis S M Masud Karim ► In the first simulation (when the simulation is perfect), A can never produce a valid forgery which will eventually be used by R for obtaining the solution (x, e). ► In the second simulation , even then the probability of a successful forgery depends on number of conditions (i.e., lucks). These include: A will never query the message mi which is chosen at random during the simulation of G. If A does query mi, the system will abort and A is not expected to provide a forgery. Message in A’s forgery (m^, s^) must be mi i.e., m^= mi.
Conclusion S M Masud Karim Hence, it is proved that SRSA EUF-CMA(GHR). So, we have ► defined security notions for signature schemes, ► made a precise mathematical assumption (SRSA is hard), ► described the algorithms of GHR signature scheme and ► finally performed a reduction from the underlying problem of the mathematical assumption (SRSA problem) to existentially forging of the GHR signature scheme under chosen message attacks. Therefore, it is evident that GHR signature scheme is secure under strong RSA assumption.
Thank You!! S M Masud Karim
