CSC 5930/9010 Modern Cryptography: Digital Signatures

Size: px

Start display at page:

Download "CSC 5930/9010 Modern Cryptography: Digital Signatures"

Amber Cummings
5 years ago
Views:

1 CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018

2 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM paradigm The D-H assumptions can be used to create CPA and CCA secure encryption schemes, depending on which assumption is used El Gamal, DHIES The RSA assumption can be used to encrypt uniformly random values If the message is not uniform, random padding must be applied There are numerous historical examples of encryption failures due to mis-implementation or misunderstanding of theoretical guarantees Use crypto AS DOCUMENTED and ONLY for its intended purpose

3 New Guarantees Secrecy guarantee Private-key encryption Public-key encryption Differences? Integrity/authenticity Message Authentication Codes Digital Signatures Differences?

4 Digital Signatures A user possesses two keys, a signing key (private) and a verifying key (public) Generate a signature over a message with the signing key Verify a signature using the public verifying key As long as the verifying key is trusted, the signature verifies the message

5 Differences in the public-key model Solves key management issues Like encryption Provides new guarantees Publicly verifiable and transferable Non-repudiation NOT possible in the private-key setting

6 Definition Gen: given an input 1 n, outputs a pair of keys (pk, sk) Sign: given an input sk and a message m, outputs a signature σ Vrfy: given an input pk, m, and σ, outputs a bit b such that b = 1 if the signature is valid for the given message As usual, fixed-length variants are possible

7 <latexit sha1_base64="euipeix/l8iqwi41f63mth6mwbu=">aaaeexichvnnb9naehxtqiv5auhizabgsqosxeeaqotuwgeohflof6pdtfmpnvxwu653xtwy8t/4g/wbrndnwmwssvohsafxzhjmvbdvb7kuxrbb35dqy/vbt1dw7/h3791/8hbt/dgh0wxb8ybrqyvjatmohcidk6ze47xalg0khg1g71z96awli7tat+mcexlllugez5zs/fxal/0hghgpyrysepa8x0jkqcwen0x6itffiv0qypgdciar3ckwrf0xaajmdubha0yfqlcvgrbm4ssphmumppukgveogufx1qzaatadywqlg/loc8yogcw7g4xjaqgdqthd6sthatavgy4ylwimcztgdxkovl8yo0kj4rg2zadlowosdjrzmqzd2ry0hnzlhjwozyyaad6ixvi3r+tivnoiwkcafxucter/tcqfkjynmb2cj5krxibo+axx60ywpis0gbsqyyydkmmxn8imbidfmu5xoch/hw7eqdij6zc61jnbrmbirkw0uerhqojfsf3dhzszfigzognxnhxdnyiizrhknb1dro4geftax44mdlv7f6ir3e2/l8kkjdyc+n3i5d8gclb7eek8bywppmwm4xxcf22j3wppd1wpwnmw4c1pt7++tblfmpfofvwyy07cdm57fsusilhjxkxbnpers/geqsuynl1q+ggm8jwy8zrdosm90+zihxxljblna+p0xmzvmkvevdspbfk6vwlfpklfz4usujozuhcfssiqw1i6fowxgrachzlyhyvtl01s2j1tiirtty3drhoz1aumki68ktt14ldtcine62zsvj2luoo98z55ds/0xnk73gev6x14vpat9qp2s/zr+xf9ab1r35y11pbm/zz2lp36yz/azxel</latexit> <latexit sha1_base64="euipeix/l8iqwi41f63mth6mwbu=">aaaeexichvnnb9naehxtqiv5auhizabgsqosxeeaqotuwgeohflof6pdtfmpnvxwu653xtwy8t/4g/wbrndnwmwssvohsafxzhjmvbdvb7kuxrbb35dqy/vbt1dw7/h3791/8hbt/dgh0wxb8ybrqyvjatmohcidk6ze47xalg0khg1g71z96awli7tat+mcexlllugez5zs/fxal/0hghgpyrysepa8x0jkqcwen0x6itffiv0qypgdciar3ckwrf0xaajmdubha0yfqlcvgrbm4ssphmumppukgveogufx1qzaatadywqlg/loc8yogcw7g4xjaqgdqthd6sthatavgy4ylwimcztgdxkovl8yo0kj4rg2zadlowosdjrzmqzd2ry0hnzlhjwozyyaad6ixvi3r+tivnoiwkcafxucter/tcqfkjynmb2cj5krxibo+axx60ywpis0gbsqyyydkmmxn8imbidfmu5xoch/hw7eqdij6zc61jnbrmbirkw0uerhqojfsf3dhzszfigzognxnhxdnyiizrhknb1dro4geftax44mdlv7f6ir3e2/l8kkjdyc+n3i5d8gclb7eek8bywppmwm4xxcf22j3wppd1wpwnmw4c1pt7++tblfmpfofvwyy07cdm57fsusilhjxkxbnpers/geqsuynl1q+ggm8jwy8zrdosm90+zihxxljblna+p0xmzvmkvevdspbfk6vwlfpklfz4usujozuhcfssiqw1i6fowxgrachzlyhyvtl01s2j1tiirtty3drhoz1aumki68ktt14ldtcine62zsvj2luoo98z55ds/0xnk73gev6x14vpat9qp2s/zr+xf9ab1r35y11pbm/zz2lp36yz/azxel</latexit> <latexit sha1_base64="euipeix/l8iqwi41f63mth6mwbu=">aaaeexichvnnb9naehxtqiv5auhizabgsqosxeeaqotuwgeohflof6pdtfmpnvxwu653xtwy8t/4g/wbrndnwmwssvohsafxzhjmvbdvb7kuxrbb35dqy/vbt1dw7/h3791/8hbt/dgh0wxb8ybrqyvjatmohcidk6ze47xalg0khg1g71z96awli7tat+mcexlllugez5zs/fxal/0hghgpyrysepa8x0jkqcwen0x6itffiv0qypgdciar3ckwrf0xaajmdubha0yfqlcvgrbm4ssphmumppukgveogufx1qzaatadywqlg/loc8yogcw7g4xjaqgdqthd6sthatavgy4ylwimcztgdxkovl8yo0kj4rg2zadlowosdjrzmqzd2ry0hnzlhjwozyyaad6ixvi3r+tivnoiwkcafxucter/tcqfkjynmb2cj5krxibo+axx60ywpis0gbsqyyydkmmxn8imbidfmu5xoch/hw7eqdij6zc61jnbrmbirkw0uerhqojfsf3dhzszfigzognxnhxdnyiizrhknb1dro4geftax44mdlv7f6ir3e2/l8kkjdyc+n3i5d8gclb7eek8bywppmwm4xxcf22j3wppd1wpwnmw4c1pt7++tblfmpfofvwyy07cdm57fsusilhjxkxbnpers/geqsuynl1q+ggm8jwy8zrdosm90+zihxxljblna+p0xmzvmkvevdspbfk6vwlfpklfz4usujozuhcfssiqw1i6fowxgrachzlyhyvtl01s2j1tiirtty3drhoz1aumki68ktt14ldtcine62zsvj2luoo98z55ds/0xnk73gev6x14vpat9qp2s/zr+xf9ab1r35y11pbm/zz2lp36yz/azxel</latexit> <latexit sha1_base64="euipeix/l8iqwi41f63mth6mwbu=">aaaeexichvnnb9naehxtqiv5auhizabgsqosxeeaqotuwgeohflof6pdtfmpnvxwu653xtwy8t/4g/wbrndnwmwssvohsafxzhjmvbdvb7kuxrbb35dqy/vbt1dw7/h3791/8hbt/dgh0wxb8ybrqyvjatmohcidk6ze47xalg0khg1g71z96awli7tat+mcexlllugez5zs/fxal/0hghgpyrysepa8x0jkqcwen0x6itffiv0qypgdciar3ckwrf0xaajmdubha0yfqlcvgrbm4ssphmumppukgveogufx1qzaatadywqlg/loc8yogcw7g4xjaqgdqthd6sthatavgy4ylwimcztgdxkovl8yo0kj4rg2zadlowosdjrzmqzd2ry0hnzlhjwozyyaad6ixvi3r+tivnoiwkcafxucter/tcqfkjynmb2cj5krxibo+axx60ywpis0gbsqyyydkmmxn8imbidfmu5xoch/hw7eqdij6zc61jnbrmbirkw0uerhqojfsf3dhzszfigzognxnhxdnyiizrhknb1dro4geftax44mdlv7f6ir3e2/l8kkjdyc+n3i5d8gclb7eek8bywppmwm4xxcf22j3wppd1wpwnmw4c1pt7++tblfmpfofvwyy07cdm57fsusilhjxkxbnpers/geqsuynl1q+ggm8jwy8zrdosm90+zihxxljblna+p0xmzvmkvevdspbfk6vwlfpklfz4usujozuhcfssiqw1i6fowxgrachzlyhyvtl01s2j1tiirtty3drhoz1aumki68ktt14ldtcine62zsvj2luoo98z55ds/0xnk73gev6x14vpat9qp2s/zr+xf9ab1r35y11pbm/zz2lp36yz/azxel</latexit> Sig-forge The signature experiment Sig forge A, (n) : 1. Run Gen(1 n ) to obtain (pk, sk) 2. A is given pk and oracle access to Sign sk ( ). The adversary outputs (m, ). Let Q denote the set of all queries that A asked its oracle. 3. A succeeds if and only if (1) Vrfy pk (m, ) = 1 and (2) m/2 Q A signature scheme is existentially unforgeable if, for all PPT adversaries: Pr[Sig forge A, (n) = 1] apple negl(n)

8 Hash-and-sign Recall: public-key schemes are inefficient! Rather than sign a full message, we generally sign a hash of the message Like the hash-and-mac scheme Requires an adversary to either forge the signature or find a collision in the hash

9 <latexit sha1_base64="r2hzykv9n3ag3oqxhsjso0tbovs=">aaaek3icbvpbahsxen3ybpo4t6slt30zmi2xwqq7ly0phzau6ocwupobzf2jlwe9wlppkbqjrsmhtl/t0fqchucpy+zr0zkzm1kcs2fdu/13o1ktpxm6ubvdf/b8xctxo7uvl60udmclrqu21zgzkixccyecxovcimtiivfx6ntvx92isukrczfoszexorkj4mwr1n+t2o/oiizobhybxjdulfglhvs9nmm4gukmwmaswlxhecxpmunitiemrwvdtkatkkigliuzllkhmmelmboqolxudxfa3blkymwksag4twf3gk7rwuwfw9m6gfotrdmfd+bsxdfju+yhwczzkllf2an6fonqqilwmik/ef+pfaqhwdgpj4ascuvthz3firyaqpv7dfolf06djh0tbdbyuqvsiebfz5zx764zlfmec7kxf7euhey4bmhjm2rqkan2qpepf6zqvpbcifvmci1tl9lz934uq/yfpzfiyuz1zroartsyjeekmxhmgh1xjrg/sap7rve3bwrn6vi8i5/741mws2hb1okp7liif7y/yreyc0qtaka1wmyjv7pxpmixc9adzizyc2brrl+7srknnc8yvi5lzu1np5273oqzj7j0ay4s5oyp6eleukgy3c7ephwe9/cbkef5zxothjto8okjy6wdzzexm+zs+3dpg4/t3rqu+dsblg1cxaejkkl6e+hfggyeqe7kmalgjscvwfnmghf0ileulpypmaqsq03endtclwphg1rxedio9edy8kbd8c/dveotwro3gnfb+6ardikpwxhqdc6ci4bx/lwd6na1xntb+1w7qx2duisbsznvgpvv+/efekjuzw==</latexit> <latexit sha1_base64="r2hzykv9n3ag3oqxhsjso0tbovs=">aaaek3icbvpbahsxen3ybpo4t6slt30zmi2xwqq7ly0phzau6ocwupobzf2jlwe9wlppkbqjrsmhtl/t0fqchucpy+zr0zkzm1kcs2fdu/13o1ktpxm6ubvdf/b8xctxo7uvl60udmclrqu21zgzkixccyecxovcimtiivfx6ntvx92isukrczfoszexorkj4mwr1n+t2o/oiizobhybxjdulfglhvs9nmm4gukmwmaswlxhecxpmunitiemrwvdtkatkkigliuzllkhmmelmboqolxudxfa3blkymwksag4twf3gk7rwuwfw9m6gfotrdmfd+bsxdfju+yhwczzkllf2an6fonqqilwmik/ef+pfaqhwdgpj4ascuvthz3firyaqpv7dfolf06djh0tbdbyuqvsiebfz5zx764zlfmec7kxf7euhey4bmhjm2rqkan2qpepf6zqvpbcifvmci1tl9lz934uq/yfpzfiyuz1zroartsyjeekmxhmgh1xjrg/sap7rve3bwrn6vi8i5/741mws2hb1okp7liif7y/yreyc0qtaka1wmyjv7pxpmixc9adzizyc2brrl+7srknnc8yvi5lzu1np5273oqzj7j0ay4s5oyp6eleukgy3c7ephwe9/cbkef5zxothjto8okjy6wdzzexm+zs+3dpg4/t3rqu+dsblg1cxaejkkl6e+hfggyeqe7kmalgjscvwfnmghf0ileulpypmaqsq03endtclwphg1rxedio9edy8kbd8c/dveotwro3gnfb+6ardikpwxhqdc6ci4bx/lwd6na1xntb+1w7qx2duisbsznvgpvv+/efekjuzw==</latexit> <latexit sha1_base64="r2hzykv9n3ag3oqxhsjso0tbovs=">aaaek3icbvpbahsxen3ybpo4t6slt30zmi2xwqq7ly0phzau6ocwupobzf2jlwe9wlppkbqjrsmhtl/t0fqchucpy+zr0zkzm1kcs2fdu/13o1ktpxm6ubvdf/b8xctxo7uvl60udmclrqu21zgzkixccyecxovcimtiivfx6ntvx92isukrczfoszexorkj4mwr1n+t2o/oiizobhybxjdulfglhvs9nmm4gukmwmaswlxhecxpmunitiemrwvdtkatkkigliuzllkhmmelmboqolxudxfa3blkymwksag4twf3gk7rwuwfw9m6gfotrdmfd+bsxdfju+yhwczzkllf2an6fonqqilwmik/ef+pfaqhwdgpj4ascuvthz3firyaqpv7dfolf06djh0tbdbyuqvsiebfz5zx764zlfmec7kxf7euhey4bmhjm2rqkan2qpepf6zqvpbcifvmci1tl9lz934uq/yfpzfiyuz1zroartsyjeekmxhmgh1xjrg/sap7rve3bwrn6vi8i5/741mws2hb1okp7liif7y/yreyc0qtaka1wmyjv7pxpmixc9adzizyc2brrl+7srknnc8yvi5lzu1np5273oqzj7j0ay4s5oyp6eleukgy3c7ephwe9/cbkef5zxothjto8okjy6wdzzexm+zs+3dpg4/t3rqu+dsblg1cxaejkkl6e+hfggyeqe7kmalgjscvwfnmghf0ileulpypmaqsq03endtclwphg1rxedio9edy8kbd8c/dveotwro3gnfb+6ardikpwxhqdc6ci4bx/lwd6na1xntb+1w7qx2duisbsznvgpvv+/efekjuzw==</latexit> <latexit sha1_base64="r2hzykv9n3ag3oqxhsjso0tbovs=">aaaek3icbvpbahsxen3ybpo4t6slt30zmi2xwqq7ly0phzau6ocwupobzf2jlwe9wlppkbqjrsmhtl/t0fqchucpy+zr0zkzm1kcs2fdu/13o1ktpxm6ubvdf/b8xctxo7uvl60udmclrqu21zgzkixccyecxovcimtiivfx6ntvx92isukrczfoszexorkj4mwr1n+t2o/oiizobhybxjdulfglhvs9nmm4gukmwmaswlxhecxpmunitiemrwvdtkatkkigliuzllkhmmelmboqolxudxfa3blkymwksag4twf3gk7rwuwfw9m6gfotrdmfd+bsxdfju+yhwczzkllf2an6fonqqilwmik/ef+pfaqhwdgpj4ascuvthz3firyaqpv7dfolf06djh0tbdbyuqvsiebfz5zx764zlfmec7kxf7euhey4bmhjm2rqkan2qpepf6zqvpbcifvmci1tl9lz934uq/yfpzfiyuz1zroartsyjeekmxhmgh1xjrg/sap7rve3bwrn6vi8i5/741mws2hb1okp7liif7y/yreyc0qtaka1wmyjv7pxpmixc9adzizyc2brrl+7srknnc8yvi5lzu1np5273oqzj7j0ay4s5oyp6eleukgy3c7ephwe9/cbkef5zxothjto8okjy6wdzzexm+zs+3dpg4/t3rqu+dsblg1cxaejkkl6e+hfggyeqe7kmalgjscvwfnmghf0ileulpypmaqsq03endtclwphg1rxedio9edy8kbd8c/dveotwro3gnfb+6ardikpwxhqdc6ci4bx/lwd6na1xntb+1w7qx2duisbsznvgpvv+/efekjuzw==</latexit> Hash-and-sign Let =(Gen, Sign, V rfy) be a signature scheme for messages of length `(n), and let H = (Gen, H) be a hash function with output length `(n). Construct the signature scheme 0 as follows: Gen 0 : on input 1 n,rungen(1 n ) to obtain (pk, sk) and run Gen H (1 n )to obtain s. Thepublickeyishpk, si and the private key is hsk, si Sign 0 : on input hsk, si and m, output Sign sk (H s (m)). Vrfy 0 : on input hpk, si, m,, output Vrfy pk (H s (m), ) Think about the proof of security on your own

10 RSA-based signatures The RSA problem can be used in a similar way to encryption to sign a message Intuition: reverse the roles of the keys The basic scheme follows naturally But, like encryption, is NOT provably secure

11 <latexit sha1_base64="4i1kw5bs2cvubvpd0zczd/8c24a=">aaadvhicdvlbbtnaehviocxcwnjkzusmskqoismdkbkowam8okrqjq0uj9v6pxzw2yvlxueeqh/cj/e3rj2lmjsstnlrzjkzz2cntdntptp5w6m69+4/odh8whv0+mntz0fhzwda5rnfplvczvch0cizxl5hhunvmiericflcpqlyf/omnnmyqszt3ekscjzzcgxnnr9xpnzhq14x1h+pp/kqyhandajzojghwzm5rom/jk9whbiwuscgrtsn97uggkvpw+8hihpy9lcavlj6bugy+vatmejtq+mahuaysw9xmklsavr02sdxbst8pazcloca9pgbzzihcmutcarsqderitbbeym7inha/la3dlldtzty5fsnrcuvw6wlm0sqad3ayziheegvasni6+91h1k8fy/umvllratwcrdkvy9yhfs24evx2bhuolqc1bgmxlfh9u77u554c7wv6durm6z/c+difi0fygn5utrod9jzwhbmsmolz4t15gsoiujdi2urkaelco9uohxnhjbrdj7pyeyertiqytwcxfapibmondzrxbfbpib+p1ouu4kjv02inneresxlbcxdknhcwsizzj1cnrcmkknxd0tjamktbcp4omyxinobj9qy8oozt8d1f0w6lz9i3906yefv0m8df46r5yg4zvvnbpnm3pm9b1adavnarf61v3oru7ufutqtbkqeefshxf2d1btjlc=</latexit> <latexit sha1_base64="4i1kw5bs2cvubvpd0zczd/8c24a=">aaadvhicdvlbbtnaehviocxcwnjkzusmskqoismdkbkowam8okrqjq0uj9v6pxzw2yvlxueeqh/cj/e3rj2lmjsstnlrzjkzz2cntdntptp5w6m69+4/odh8whv0+mntz0fhzwda5rnfplvczvch0cizxl5hhunvmiericflcpqlyf/omnnmyqszt3ekscjzzcgxnnr9xpnzhq14x1h+pp/kqyhandajzojghwzm5rom/jk9whbiwuscgrtsn97uggkvpw+8hihpy9lcavlj6bugy+vatmejtq+mahuaysw9xmklsavr02sdxbst8pazcloca9pgbzzihcmutcarsqderitbbeym7inha/la3dlldtzty5fsnrcuvw6wlm0sqad3ayziheegvasni6+91h1k8fy/umvllratwcrdkvy9yhfs24evx2bhuolqc1bgmxlfh9u77u554c7wv6durm6z/c+difi0fygn5utrod9jzwhbmsmolz4t15gsoiujdi2urkaelco9uohxnhjbrdj7pyeyertiqytwcxfapibmondzrxbfbpib+p1ouu4kjv02inneresxlbcxdknhcwsizzj1cnrcmkknxd0tjamktbcp4omyxinobj9qy8oozt8d1f0w6lz9i3906yefv0m8df46r5yg4zvvnbpnm3pm9b1adavnarf61v3oru7ufutqtbkqeefshxf2d1btjlc=</latexit> <latexit sha1_base64="4i1kw5bs2cvubvpd0zczd/8c24a=">aaadvhicdvlbbtnaehviocxcwnjkzusmskqoismdkbkowam8okrqjq0uj9v6pxzw2yvlxueeqh/cj/e3rj2lmjsstnlrzjkzz2cntdntptp5w6m69+4/odh8whv0+mntz0fhzwda5rnfplvczvch0cizxl5hhunvmiericflcpqlyf/omnnmyqszt3ekscjzzcgxnnr9xpnzhq14x1h+pp/kqyhandajzojghwzm5rom/jk9whbiwuscgrtsn97uggkvpw+8hihpy9lcavlj6bugy+vatmejtq+mahuaysw9xmklsavr02sdxbst8pazcloca9pgbzzihcmutcarsqderitbbeym7inha/la3dlldtzty5fsnrcuvw6wlm0sqad3ayziheegvasni6+91h1k8fy/umvllratwcrdkvy9yhfs24evx2bhuolqc1bgmxlfh9u77u554c7wv6durm6z/c+difi0fygn5utrod9jzwhbmsmolz4t15gsoiujdi2urkaelco9uohxnhjbrdj7pyeyertiqytwcxfapibmondzrxbfbpib+p1ouu4kjv02inneresxlbcxdknhcwsizzj1cnrcmkknxd0tjamktbcp4omyxinobj9qy8oozt8d1f0w6lz9i3906yefv0m8df46r5yg4zvvnbpnm3pm9b1adavnarf61v3oru7ufutqtbkqeefshxf2d1btjlc=</latexit> <latexit sha1_base64="4i1kw5bs2cvubvpd0zczd/8c24a=">aaadvhicdvlbbtnaehviocxcwnjkzusmskqoismdkbkowam8okrqjq0uj9v6pxzw2yvlxueeqh/cj/e3rj2lmjsstnlrzjkzz2cntdntptp5w6m69+4/odh8whv0+mntz0fhzwda5rnfplvczvch0cizxl5hhunvmiericflcpqlyf/omnnmyqszt3ekscjzzcgxnnr9xpnzhq14x1h+pp/kqyhandajzojghwzm5rom/jk9whbiwuscgrtsn97uggkvpw+8hihpy9lcavlj6bugy+vatmejtq+mahuaysw9xmklsavr02sdxbst8pazcloca9pgbzzihcmutcarsqderitbbeym7inha/la3dlldtzty5fsnrcuvw6wlm0sqad3ayziheegvasni6+91h1k8fy/umvllratwcrdkvy9yhfs24evx2bhuolqc1bgmxlfh9u77u554c7wv6durm6z/c+difi0fygn5utrod9jzwhbmsmolz4t15gsoiujdi2urkaelco9uohxnhjbrdj7pyeyertiqytwcxfapibmondzrxbfbpib+p1ouu4kjv02inneresxlbcxdknhcwsizzj1cnrcmkknxd0tjamktbcp4omyxinobj9qy8oozt8d1f0w6lz9i3906yefv0m8df46r5yg4zvvnbpnm3pm9b1adavnarf61v3oru7ufutqtbkqeefshxf2d1btjlc=</latexit> Plain RSA Signatures Let GenRSA be as in the previous text: Gen 0 : on input 1 n,rungenrsa(1 n ) to obtain (N,e,d). The public key is hn,ei and the private key is hn,di Sign 0 : on input hn,di and m, output := [m d mod N]. Vrfy 0 : on input hn,ei, m,, output 1 i m =[ e mod N]

Problems As in the encryption case, the RSA problem applies to uniform messages, not arbitrary messages No-message attacks: Choose a random signature and compute the

12 Problems As in the encryption case, the RSA problem applies to uniform messages, not arbitrary messages No-message attacks: Choose a random signature and compute the corresponding message Two-message attacks: for an arbitrary message m, obtain signatures for m 1 and m 2 such that m = m 1 x m 2 The product of the signatures is valid for m

13 Solution: Hashing Recall: padding the message to produce a roughly uniform input solved the issues with plain-rsa Here, we don't need to necessarily reverse the signing process, just verify correctness We can use a full-domain hash to map messages uniformly onto the domain of the RSA function

14 <latexit sha1_base64="8+ijqawux9jtk0gzf8nzncddpvg=">aaaehnicdvnlb9naehytocw8wjhygvej0iqk4l5akzbaonadqgp9ijip1uuxs6q9a+2uc8hkl+akd34nn8qv/gxi7dzufytz+jt7ztcz346dlbhgdjp/fmr1gzdvls7dbty5e+/+g+wvh4dg5zrjavej0scbm5giiqdw2aspm40sdri8ck5fl/dhz6inuhlfjjlspyywihkcwqqdrcz8fysw3dco3+9turagmancgh0iknczulkbi59st+ehgatzciup+izjhl+ikvwz2wulks3lscsbslcfopcz2szf1lywclrggym7zz0wyavcnbcnsf+wyonecdjfeqgdrp8wgscijc3xfxabyxdaljhjfq8jhzmyyw4zyji2ockiuakubm4bgyixvmtgbnfblzotzx8p1shxih5aprx6ch7k7daiig/jezlyd8syjknovmhyng2+j+jlk1/xsdw2m5ijkrctlhfxyqd7enrbzxrtefi5fcjo351lh+po9f/pmsmtsfswetun7lg3uuszktrqiqlhgpmidr9loh/fk+xvtrtthbgkvclydaznlzzm0q8vz1oulifmmj7xywy/iksft8q1ya1mjj+yghsejuvr9itqu8fwlcihrertjy1u0fmzbuungaubmcsnmjfvyub1d73cri/6rwuwsj4pfovjuxtl2kmonhkbjagwrgx1cnzinoowfo4lslkv/xinlmskimn04+jq8zbiou+yuvfb4ubbi/xuy3xz1dtejeex88rpop7z3nl0tp1d58dhnax9qx2tfat/r/+o/6z/mlbrc9ocr86fu//9d3cwsuu=</latexit> <latexit sha1_base64="8+ijqawux9jtk0gzf8nzncddpvg=">aaaehnicdvnlb9naehytocw8wjhygvej0iqk4l5akzbaonadqgp9ijip1uuxs6q9a+2uc8hkl+akd34nn8qv/gxi7dzufytz+jt7ztcz346dlbhgdjp/fmr1gzdvls7dbty5e+/+g+wvh4dg5zrjavej0scbm5giiqdw2aspm40sdri8ck5fl/dhz6inuhlfjjlspyywihkcwqqdrcz8fysw3dco3+9turagmancgh0iknczulkbi59st+ehgatzciup+izjhl+ikvwz2wulks3lscsbslcfopcz2szf1lywclrggym7zz0wyavcnbcnsf+wyonecdjfeqgdrp8wgscijc3xfxabyxdaljhjfq8jhzmyyw4zyji2ockiuakubm4bgyixvmtgbnfblzotzx8p1shxih5aprx6ch7k7daiig/jezlyd8syjknovmhyng2+j+jlk1/xsdw2m5ijkrctlhfxyqd7enrbzxrtefi5fcjo351lh+po9f/pmsmtsfswetun7lg3uuszktrqiqlhgpmidr9loh/fk+xvtrtthbgkvclydaznlzzm0q8vz1oulifmmj7xywy/iksft8q1ya1mjj+yghsejuvr9itqu8fwlcihrertjy1u0fmzbuungaubmcsnmjfvyub1d73cri/6rwuwsj4pfovjuxtl2kmonhkbjagwrgx1cnzinoowfo4lslkv/xinlmskimn04+jq8zbiou+yuvfb4ubbi/xuy3xz1dtejeex88rpop7z3nl0tp1d58dhnax9qx2tfat/r/+o/6z/mlbrc9ocr86fu//9d3cwsuu=</latexit> <latexit sha1_base64="8+ijqawux9jtk0gzf8nzncddpvg=">aaaehnicdvnlb9naehytocw8wjhygvej0iqk4l5akzbaonadqgp9ijip1uuxs6q9a+2uc8hkl+akd34nn8qv/gxi7dzufytz+jt7ztcz346dlbhgdjp/fmr1gzdvls7dbty5e+/+g+wvh4dg5zrjavej0scbm5giiqdw2aspm40sdri8ck5fl/dhz6inuhlfjjlspyywihkcwqqdrcz8fysw3dco3+9turagmancgh0iknczulkbi59st+ehgatzciup+izjhl+ikvwz2wulks3lscsbslcfopcz2szf1lywclrggym7zz0wyavcnbcnsf+wyonecdjfeqgdrp8wgscijc3xfxabyxdaljhjfq8jhzmyyw4zyji2ockiuakubm4bgyixvmtgbnfblzotzx8p1shxih5aprx6ch7k7daiig/jezlyd8syjknovmhyng2+j+jlk1/xsdw2m5ijkrctlhfxyqd7enrbzxrtefi5fcjo351lh+po9f/pmsmtsfswetun7lg3uuszktrqiqlhgpmidr9loh/fk+xvtrtthbgkvclydaznlzzm0q8vz1oulifmmj7xywy/iksft8q1ya1mjj+yghsejuvr9itqu8fwlcihrertjy1u0fmzbuungaubmcsnmjfvyub1d73cri/6rwuwsj4pfovjuxtl2kmonhkbjagwrgx1cnzinoowfo4lslkv/xinlmskimn04+jq8zbiou+yuvfb4ubbi/xuy3xz1dtejeex88rpop7z3nl0tp1d58dhnax9qx2tfat/r/+o/6z/mlbrc9ocr86fu//9d3cwsuu=</latexit> <latexit sha1_base64="8+ijqawux9jtk0gzf8nzncddpvg=">aaaehnicdvnlb9naehytocw8wjhygvej0iqk4l5akzbaonadqgp9ijip1uuxs6q9a+2uc8hkl+akd34nn8qv/gxi7dzufytz+jt7ztcz346dlbhgdjp/fmr1gzdvls7dbty5e+/+g+wvh4dg5zrjavej0scbm5giiqdw2aspm40sdri8ck5fl/dhz6inuhlfjjlspyywihkcwqqdrcz8fysw3dco3+9turagmancgh0iknczulkbi59st+ehgatzciup+izjhl+ikvwz2wulks3lscsbslcfopcz2szf1lywclrggym7zz0wyavcnbcnsf+wyonecdjfeqgdrp8wgscijc3xfxabyxdaljhjfq8jhzmyyw4zyji2ockiuakubm4bgyixvmtgbnfblzotzx8p1shxih5aprx6ch7k7daiig/jezlyd8syjknovmhyng2+j+jlk1/xsdw2m5ijkrctlhfxyqd7enrbzxrtefi5fcjo351lh+po9f/pmsmtsfswetun7lg3uuszktrqiqlhgpmidr9loh/fk+xvtrtthbgkvclydaznlzzm0q8vz1oulifmmj7xywy/iksft8q1ya1mjj+yghsejuvr9itqu8fwlcihrertjy1u0fmzbuungaubmcsnmjfvyub1d73cri/6rwuwsj4pfovjuxtl2kmonhkbjagwrgx1cnzinoowfo4lslkv/xinlmskimn04+jq8zbiou+yuvfb4ubbi/xuy3xz1dtejeex88rpop7z3nl0tp1d58dhnax9qx2tfat/r/+o/6z/mlbrc9ocr86fu//9d3cwsuu=</latexit> RSA-FDH Let GenRSA be as in the previous text: Gen 0 : on input 1 n,rungenrsa(1 n ) to obtain (N,e,d). The public key is hn,ei and the private key is hn,di. As part of generation, a function H : {0, 1}! Z n is specified. Sign 0 : on input hn,di and m, output := [H(m) d mod N]. Vrfy 0 : on input hn,ei, m,, output 1 i H(m) =[ e mod N]

15 Security Intuition No-message attack: hard to go backwards from a signature to a message Solved if the hash is preimage-resistant Two-message attack: need to remove "multiplicative relations" \_( )_/ Hard to find collisions in general Collision-resistant

16 Random Oracles We don't have an H for which we can prove security of RSA-FDH! If we assume H is modeled as a random oracle that maps inputs uniformly onto Z n *, we can prove security This requires a new proofing technique that we have not covered

17 What is it? The random oracle model is a proof technique that treats a hash function as a publicly accessible, truly random function This means that, along with any oracles associated with a security game, there is an additional oracle H( ) that may be queried For our reductions, in addition to simulating the game oracles for an internal adversary, we must also simulate H (and use it to glean information from the internal A)

Important Caveats The random oracle model is a proof technique, not a cryptographic assumption We cannot instantiate a random oracle since a real adversary may always examine the code of H There are

18 Important Caveats The random oracle model is a proof technique, not a cryptographic assumption We cannot instantiate a random oracle since a real adversary may always examine the code of H There are schemes that can be shown secure in the R.O. model that cannot be securely instantiated No matter how the R.O. is constructed Why use this if it doesn't map to a real-world scheme? Some proof is better than no proof

19 Use in proofs Three properties of H(): If x has not been queried, the value H(x) can be assumed to be uniformly random to the observer Extractability: if an internal adversary queries H(x), the external adversary can see x Programmability: the external adversary may set the value for H(x) as long as the value is correctly distributed As an internal adversary queries H, the external adversary maintains a mapping of x to H(x) and generates the outputs "on-the-fly" A polynomial adversary will only query H() a polynomial number of times

20 Example: modeling a c-r hash as a RO An adversary is given oracle access to H The adversary succeed if it outputs distinct x, x' that collide in H Probability of success can be divided into cases where A queries x' to H and A doesn't query x' In the first case, we have the birthday-bound for whether or not A finds a collision In the second case, we have a uniform guess

21 Example: modeling a PRG as a RO Premise: negligible function such that a distinguisher with oracle access can't distinguish Break success probability into two categories: x queried or not x is queried with negligible probability since no information about x is given and q << l in When x is not queried, H(x) is a uniform, independent string, just like y

22 RSA-FDH proof Intuition: we need to build a reduction that can solve the RSA-problem using an adversary attacking RSA-FDH and with access to a RO modeling the FDH We "program" the RO with an instance of the external RSA problem When A forges a signature, if it forges on the programmed query, we can win the RSA game

23 Proof Build modified Sig-forge experiments

24 Proof Build the (modified) reduction

25 Proof Justify that the probability of success is the standard probability divided by q(n) Substitute to bound using RSA assumption

26 In practice: RSA PKCS #1 v. 2.1 The standard includes a "salted" version of RSA-FDH The hash function cannot be instantiated with an off-theshelf hash, as these typically output values that are too small (do not cover the full domain) Typically instantiated with repeated invocations of a cryptographic hash

27 Discrete-log signatures In general, the DL-problem is less amenable to signature schemes than RSA These signatures are commonly constructed from identification schemes An identification scheme can be converted into a signature scheme using a standard transformation

28 Schnorr ID Scheme Goal: given a prover P with a secret value x, the verifier V needs to verify that P holds x (without learning x) The Schnorr ID scheme uses two group exponentiations to verify possession of x

29 Fiat-Shamir Transform The Fiat-Shamir transformation binds a message to the identity I in and Identity scheme using a hash The first two rounds are computed by a signer, the verification is computed by the verifier Can be proven secure if the hash is modeled as a random oracle

30 Fiat-Shamir Let (Gen id, P 1, P 2, V be an identification scheme. scheme as: Construct a signature Gen 0 : on input 1 n,rungen id (1 n ) to obtain pk, sk. Thepublickeyspecifies a set of possible challenges pk. As part of generation, a function H : {0, 1}! pk is specified. Sign 0 : on input sk and m, 1. Compute (I,st) P 1 (sk). 2. Compute r := H(I,m). 3. Compute s := P 2 (sk, st, r). Output (r, s). Vrfy 0 : on input pk, m, (r, s), compute I := V(pk, r, s) and output 1 i H(I,m)=r

DSA and ECDSA A commonly deployed signature scheme is the Digital Signature Algorithm (and the elliptic-curve variant) Works similarly to the Schnorr signature scheme but

31 DSA and ECDSA A commonly deployed signature scheme is the Digital Signature Algorithm (and the elliptic-curve variant) Works similarly to the Schnorr signature scheme but computes the challenge using two random values instead of one Note that the transform used for DSA is not identical to Fiat-Shamir, but the reasoning behind security is similar

32 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public verifiability and non-repudiation Definitions of security mirror the MAC definitions And still do not capture attacks like replays RSA-FDH provides a secure digital signature if the fulldomain hash is modeled as a random oracle RO proofs provide some assurance of correct construction but do not map to a traditionally secure proof based on reasonable assumptions

33 Next Time... Katz & Lindell Chapter Remember, you need to read it BEFORE you come to class! Homework problems available on the course webpage 33

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public