Seminar Presentation on Notions of Security - PowerPoint PPT Presentation

1
Seminar Presentation on Notions of Security
January 18, 2008 COSEC_at_B-IT, Bonn, Germany
2
SECURITY NOTIONS FOR SIGNATURE SCHEMES: THE GHR
SECURITY PROOF
  • Presented By
  • S. M. Masud Karim
  • Supervised By
  • Prof. Joachim von zur Gathen
  • Ms Laila El Aimani

3
Outline of the Talk
  • Introduction to Digital Signature Schemes
  • Why Reductionist Security?
  • Security Notions
  • Mathematical Assumptions
  • The Strong RSA Problem
  • The Gennaro-Halevi-Rabin Signature Scheme
  • Reduction of SRSA Problem to breaking the GHR
    Signature Scheme in the strongest sense provided
    by Security Notion.

4
Digital Signature
  • A handwritten signature relates an individual
    to a specific document. Besides, a signature
  • can be verified by anyone against an
    authenticated signature taken as reference,
    thereby conferring a legal value to the signed
    document,
  • should be physically impossible to forge.
  • In comparison, a digital signature relates an
    individual to a specific file and
  • can be verified by anyone by public means,
    which also provides a legal value to the signed
    file,
  • should be computationally impossible to forge,
    thereby conferring non-repudiation.

5
Digital Signature Scenarios
  • Utilization of message authentication scheme
  • Decryption corresponds to signing; encryption
    corresponds to verifying
  • Symmetric Key Scenario (... symmetric private
    key sk)
  • authenticity: ✓
  • integrity: ✓
  • non-repudiation: ✗
  • universally verifiable: ✗
  • Public Key Scenario (... public key pk, private
    key sk)
  • authenticity: ✓
  • integrity: ✓
  • non-repudiation: ✓
  • universally verifiable: ✓

6
Digital Signature Scheme
  • Alice generates a public/private key pair (pk,
    sk) by running a probabilistic key generation
    algorithm G(pk), pk being the security
    parameter. Alice outputs (publishes) pk.
  • Whenever Alice wishes to sign a digital
    document m, she computes the signature s = S(sk,
    m) where S is the (possibly probabilistic)
    signing algorithm. She outputs s and maybe also
    m.
  • Bob can verify that s is a signature of m
    output by Alice by running the verification
    algorithm V(pk, m, s) returning 1 if s = S(sk, m)
    or 0 otherwise.
  • The cryptographic system given by the triple (G,
    S,V) is called a signature scheme.

7
Taxonomy of Signatures
  • The description of (G, S,V) includes function
    domains (message, signature and key spaces).
  • Signature schemes are usually classified
    according to the following specific features:
  • a signature scheme is said to be randomized or
    probabilistic (resp. deterministic) when S is
    probabilistic (resp. deterministic),
  • V is deterministic and gives Boolean responses
    (true or false) during verification,
  • schemes wherein message m is appended to
    signature s are sometimes called signature
    schemes with appendix.

8
Why Reductionist Security?
  • Once a signature scheme (or a cryptosystem) is
    described, how can its security be proved?
  • by trying to exhibit an attack
  • attack found ⇒ system insecure!
  • attack not found ⇒ ?
  • by proving that no attack exists under some
    assumptions
  • attack found ⇒ false assumption
  • Important: the assumption has to be reasonable.

9
How to Get a Security Proof?
  • To get a security proof, one needs to:
  • Step 1: Formally define the security notion to
    achieve,
  • Step 2: Make precise mathematical assumptions,
  • Step 3: Design a signature scheme (or a
    cryptosystem) and describe its operational modes,
  • Step 4: Exhibit a reduction from the assumption's
    underlying problem to breaking the scheme in the
    sense defined by the security notion. To prove
    that a problem A is reducible to another problem
    B, one needs to show an algorithm (with polynomial
    resources) that solves A with access to an oracle
    that solves B. It is denoted by A ? B or A ? B.

10
Security Notions
  • A security notion (or level) is entirely defined
    by pairing an adversarial goal with an
    adversarial model.
  • Depending on the context in which a given
    signature scheme (or cryptosystem) is used, one
    may formally define a security notion
  • by telling what goal an adversary would attempt
    to reach (the adversarial goal), and
  • what means or information are made available to
    the attacker (the adversarial or attack model).

11
Security Goals
  • Unbreakability: the attacker recovers the
    secret key sk from the public key pk (or an
    equivalent key if any). This goal is denoted UB.
    It appeared implicitly with public-key signature
    schemes (or cryptography).
  • Universal Unforgeability: the attacker, without
    necessarily having recovered sk, can produce a
    valid signature s of any message m in the message
    space. Noted UUF.
  • Existential Unforgeability: the attacker
    creates a message m and a valid signature s of it
    (with no control over the message). Denoted EUF.

12
Security Models
  • Key-Only Attacks: the adversary only has access
    to the public key pk. This is denoted KOA.
    It is an unavoidable scenario in public-key
    signature schemes (or cryptography).
  • Known Message Attacks: the adversary has
    access to signatures for a set of known messages.
    Noted KMA.
  • Chosen Message Attacks: here the adversary is
    allowed to use the signer as an oracle (full
    access), and
    may request the signature of any message of his
    choice (multiple requests of the same message are
    allowed). Denoted CMA.

13
Security Notions for Signature
14
Security Notions for Signature (contd.)
  • Because EUF-CMA is the upper security level, it
    is desirable to prove security with respect to
    this notion.
  • Formally, a signature scheme is said to be (q,
    τ, ε)-secure if for any adversary A with running
    time upper-bounded by τ,
  • SuccEUF-CMA(A) Pr
  • where the probability is taken over all random
    choices.
  • The notation A^S(sk,·) means that the adversary
    has access to a signing oracle throughout the
    game, but at most q times. The message m output
    by A was never requested from the signing oracle.

15
Security Notions for Signature (contd.)
16
Mathematical Assumptions
  • Public-key design allows constructing systems by
    assembling and connecting smaller cryptographic
    or atomic primitives together, for example
    one-way functions, hash functions, arithmetic
    operations etc.
  • Cryptographic primitives are connected to plenty
    of (supposedly) intractable problems:
  • Strong RSA (SRSA) is hard,
  • Discrete log is hard,
  • Diffie-Hellman is hard,
  • Factoring is hard.
  • Hard: no PPT (probabilistic polynomial time)
    algorithm can solve the problem with
    non-negligible probability.

17
The Strong RSA Problem
  • Strong RSA Problem: let n = p·q be a safe RSA
    modulus and z ∈ Z_n. Find x and e such that
  • z = x^e mod n with (x, e) ≠ (z, 1).
  • An algorithm R is said to (τ_R, ε_R)-solve the SRSA
    problem if in at most τ_R operations,
  • Pr
  • where the probability is taken over R's random
    tapes and the distribution of (n, z).
  • Strong RSA Assumption: for any (τ_R, ε_R)-solver,
  • τ_R = poly(k) ⇒ ε_R = negl(k)

18
The GHR Signature Scheme
  • Gennaro-Halevi-Rabin (GHR), short message
    variant.
  • 1. Generate a safe RSA modulus n = p·q with
    p = 2p' + 1, q = 2q' + 1. Randomly select
    z ∈ Z_n.
  • Let H: {0,1}^l → Primes ≥ 3 and ≠ p', q'
    be a collision-free hash function (l = 30).
    Publish (n, z). Keep (p, q) private.
  • 2. To sign a message m ∈ {0,1}^l,
    compute s = z^(1/H(m)) mod n.
  • 3. Given (m, s), check whether s^H(m) = z mod n.
19
Reduction
  • In order to prove that
  • SRSA ? EUF-CMA(GHR),
  • it is needed to show that breaking EUF-CMA(GHR)
    allows to solve SRSA, i.e., that an adversary
    breaking GHR can be used as a black box tool to
    answer SRSA requests with non-negligible
    probability.
  • Probability spaces: the reduction has to simulate
    the attacker's environment in a way that
    preserves (or does not alter too much) the
    distribution of all random variables which
    interact with it.

20
Reduction (Contd.)
  • The reduction R will behave as follows.
  • R is given n ← RSA(1^k) and z ∈ Z_n, as well as
    an attacker A that (q, τ_A, ε_A)-solves
    EUF-CMA(GHR),
  • R simulates G and transmits pk to A,
  • R receives signature queries from A: R will
    have to simulate a signing oracle with respect to
    pk at most q times,
  • A outputs a forgery (m, s) for GHR with
    probability ε_A,
  • R outputs non-trivial (x, e) such that z = x^e
    mod n.
  • R will provide a perfect simulation and (τ_R,
    ε_R)-solve SRSA with

21
Simulation of Oracles
22
Simulation of G
  • For each message m_i ∈ {0,1}^l, compute H(m_i).
  • Set E
  • Compute y = z^E mod n and send the GHR public
    key (n, y) to A.
  • Since n ← RSA(1^k) (external to R) and z ∈ Z_n
    (external to R) are random choices, and z ↦ z^E
    is one-to-one as E and φ(n) are co-prime, f(z) =
    z^E mod n is a bijection, so (n, y) is perfectly
    indistinguishable from a random GHR public key (n
    ← RSA(1^k), y ∈ Z_n).
  • Therefore, the simulation of G is perfect.

23
Simulation of S and V
  • Simulation of S
  • When A requests the signature of a message m_i,
  • send s_i = z^(E/H(m_i)) mod n.
  • Knowing z and E, it is easy to extract an H(m_i)-th
    root of y for any m_i. As queries can be answered
    with perfectly valid signatures, the
    simulation of S is perfect.
  • Simulation of V
  • The signature s_i is verified using s_i^H(m_i) = z^E
    mod n.
  • The simulation of V is trivial.

24
Forgery on Simulation of Oracles
  • The simulation of the attacker's environment is
    perfect:
  • Pr[A forges] = ε_A
  • Now, the forgery output by A with probability ε_A
    will be (m, s) where m is from the given
    message space and s = z^(E/H(m)) mod n.
  • But it was mentioned earlier that with known z and
    E, R could have computed the forgery itself. Besides,
    the forgery must help R to get a good solution for
    (x, e).
  • As the forgery is not new and provides no clue to
    the solution for (x, e), it is not possible for R
    to come up with a positive response.

25
Alternative Simulation
  • Simulation of G
  • Choose i ∈ {1, 2, ..., 2^l} uniformly at
    random.
  • For each message m_j ∈ {0,1}^l, compute H(m_j).
  • Set E
  • Compute y = z^E mod n and send the GHR public
    key (n, y) to A.
  • The simulation of G is also perfect.

26
Alternative Simulation (contd.)
  • Simulation of S
  • When A requests the signature of a message m_j,
  • if j ≠ i, send s_j = z^(E/H(m_j)) mod n;
  • if j = i, abort the simulation experiment.
  • Queries can be answered with perfectly valid
    signatures except when the queried message is m_i.
  • Since i is chosen in [1, 2^l] independently from
    the attacker's view, the probability of perfect
    simulation is
  • Pr[m_i ∉ Queries(A)]

27
Forgery on Alternative Simulation
  • Assume that at the end of the game, A outputs
    (m_i, s) as a forgery. Then
  • s^H(m_i) = y = z^E mod n
  • As H(m_i) and E are co-prime, the Bézout theorem
    says there must be a and b such that a·H(m_i) +
    b·E = 1.
  • Using the Extended Euclidean Algorithm, the
    values of a and b can easily be computed. Now,
  • Finally, R sets x = z^a·s^b and e = H(m_i) and
    outputs a genuine solution (x, e).
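
The alternative simulation and the extraction step, as an added worked example (not part of the original slides). The modulus, the table H and the helper names are constructed toy values; E is assumed to be the product of H(m_j) over all j ≠ i, which is what makes E/H(m_j) an integer; and forge_with_trapdoor merely stands in for the adversary A by using φ(n), which a real A would not have.

```python
from math import prod

# Constructed toy parameters (far too small for real use):
# safe primes p = 2*11 + 1 = 23 and q = 2*23 + 1 = 47.
P, Q = 23, 47
N = P * Q
PHI = (P - 1) * (Q - 1)            # 4 * p' * q' = 1012
# Hypothetical H on 3-bit messages: odd primes other than p' = 11, q' = 23.
H = dict(zip(range(8), [5, 7, 13, 17, 19, 29, 31, 37]))

def egcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def mod_pow(base, exp, n):
    """base**exp mod n; a negative exp goes through the inverse of base."""
    if exp < 0:
        base, exp = egcd(base, n)[1] % n, -exp
    return pow(base, exp, n)

def simulate_keygen(n, z, i):
    """R's simulation of G: E leaves out H(m_i); public key is (n, y)."""
    E = prod(h for j, h in H.items() if j != i)
    return E, pow(z, E, n)

def simulate_sign(n, z, E, i, j):
    """R's simulation of S: None models the abort on a query for m_i."""
    if j == i:
        return None
    return pow(z, E // H[j], n)    # H(m_j) divides E exactly

def verify(n, y, j, s):
    return pow(s, H[j], n) == y

def forge_with_trapdoor(n, y, i):
    """Stand-in for A: takes the H(m_i)-th root of y using phi(n)."""
    d = egcd(H[i], PHI)[1] % PHI
    return pow(y, d, n)

def extract_srsa(n, z, E, i, s):
    """From a forgery s on m_i, return (x, e) with x**e == z mod n."""
    g, a, b = egcd(H[i], E)        # Bezout: a*H(m_i) + b*E == 1
    assert g == 1
    x = mod_pow(z, a, n) * mod_pow(s, b, n) % n
    return x, H[i]
```

With z = 2 and i = 5, every query j ≠ 5 is answered with a signature that verifies under (n, y), and the forgery on m_5 yields (x, 29) with x^29 = 2 mod 1081.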

28
Analysis
  • In the first simulation (when the simulation is
    perfect), A can never produce a valid forgery
    that R can use to obtain
    the solution (x, e).
  • In the second simulation, the
    probability of a successful forgery still depends
    on a number of conditions (i.e., luck). These
    include:
  • A will never query the message m_i which is
    chosen at random during the simulation of G. If A
    does query m_i, the system will abort and A is not
    expected to provide a forgery.
  • The message in A's forgery (m, s) must be m_i, i.e.,
    m = m_i.

29
Conclusion
  • Hence, it is proved that SRSA ? EUF-CMA(GHR).
  • So, we have
  • defined security notions for signature schemes,
  • made a precise mathematical assumption (SRSA is
    hard),
  • described the algorithms of the GHR signature
    scheme and
  • finally performed a reduction from the
    underlying problem of the mathematical assumption
    (SRSA problem) to existential forgery of the
    GHR signature scheme under chosen message
    attacks.
  • Therefore, it is evident that the GHR signature
    scheme is secure under the strong RSA assumption.

30
Thank You!!