Ryan Henry
Spring 2017 • Lecture 24
B504 /I538:Introduction toCryptography
Ryan Henry
RSA+OAEP
1
• OAEP = “Optimal Asymmetric Encryption Padding”– n+k1+k2 is bit length of N=pq– k1 and k2 are constants
(e.g., k1=k2=128)– n is plaintext length– G and H are “random oracles”
(cryptographic hash functions)– G:{0,1}k2 →{0,1}n+k1
– H:{0,1}n+k1→{0,1}k2
– ⊕ is bitwise XOR• Public key is (N,e,G,H)• Private key is d≔e-1 mod φ(N)
m 0k1 r
YX
G
H
concatenate
n bits k1 bits k2 bits
k2 bitsn+k1 bits
n+k1 bits k2 bits
k2 bitsn+k1 bits
Ryan Henry
RSA+OAEP
2
Encrypting m∈{0,1}n:1. Pad m with k1 zeros: m‘≔m∥0k1
2. Choose r∊{0,1}k2
3. “Expand” r using G: r’≔G(r)4. XOR m’ with r’: X≔m’⊕r’5. “Compress” X using H: X’≔H(X)6. XOR X’ with r: Y≔r⊕X’7. Concatenate X and Y: m’’≔X∥Y8. Apply “textbook RSA” to m’’: c≔(m’’)e
Ciphertext is c∈ℤN.
m 0k1 r
YX
G
H
concatenate
n bits k1 bits k2 bits
k2 bitsn+k1 bits
n+k1 bits k2 bits
k2 bitsn+k1 bits
Ryan Henry
RSA+OAEP
3
Decrypting c∈ℤN1. Recover m’’ from c: m’’≔cd mod N2. Parse m’’ as (X,Y)∈{0,1}n+k1×{0,1}k2
3. Recover X’ from X: X’≔H(X)4. Recover r from X’ and Y: r≔Y⊕H(x)5. “Expand” r using G: r’≔G(r)6. Recover m’ from X and r’: m’≔X⊕r’7. Parse m’ as (m,z)∈{0,1}n×{0,1}k1
8. Check z≟0k1; if not, abort
Plaintext is m∈{0,1}n.
m 0k1 r
YX
G
H
concatenate
n bits k1 bits k2 bits
k2 bitsn+k1 bits
n+k1 bits k2 bits
k2 bitsn+k1 bits
Ryan Henry
Going forward
Tuesday (04/06): Digitial signature schemesThursday (04/11): Random oracle modelTuesday (04/13): Zero-knowledge proofsThursday (04/18): ??Tuesday (04/20): ??Thursday (12/25): ??Thursday (04/27): ??
4
– Specific cryptosystems– Secret sharing schemes– Pairing-based cryptography– Zero-knowledge proofs– Private information retrieval– Secure multiparty computation– Side-channel attacks– Other security notions– Anonymous credentials– Lattice crypto
Ryan Henry
Recall: Secrecy versus Authenticity
▪ Secrecy / confidentiality– IND-CPA: indistiguishable multiple encryptions in the presence of an
eavesdropper– Provides ”security” in the presence of passive attackers
▪ Authenticity / integrity– Existential unforgeability under adaptive chosen message attacks– Provides “security” in the presence of active attackers
5
Ryan Henry
Recall: MAC schemes
6
Usually write MACk(m) and Verk(m,t) instead of MAC(k,m) and Ver(k,m,t)• K is the key space• M is the message space• T is the tag space
(the set of possible keys)(the set of possible messages)(the set of possible “tags”)
Defn: A message authentication code (MAC) is a triple of efficient algorithms (Gen,MAC,Ver) such that– Gen:1ℕ→K is a randomized “key generation” algorithm– MAC:K×M→T is a “tagging” algorithm– Ver:K×M×T→{0,1} is a “tag verification” algorithm
Ryan Henry
Recall: MAC existential forgery game
7
Challenger (C) Attacker (A)
1s 1s
(m,t)∈M×T
k←Gen(1s)m1∈M
t1←MACk(m1)m2∈M
t2←MACk(m2)
mn∈Mtn←MACk(mn)
m1
m2
mn
t1
t2
tn
Let E be the event that (m,t)∉{(m1,t1),…,(mn,tn)} yet Verk(m,t)=1Define A’s advantage to be AdvMAC-forge(A)≔Pr[E]
⋮
Ryan Henry
Recall: Existential unforgeability
8
The message m and tage t are chosen arbitrarily by the attacker at the end of the attackExistential unforgeability is the “default” unforgeability property
Defn: A MAC scheme (Gen,MAC,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligiblefunction ε:ℕ→ℝ+ such that
AdvMAC-forge(A)≤ε(s).
Ryan Henry
Digital signature schemes
▪ Intuitively, a digital signature scheme is the public-key equivalent of a MAC scheme.
9
Defn: A digital signature scheme is a triple of efficientalgorithms (Gen,Sign,Ver) such that– Gen:1ℕ→Ks×Kv is a randomized “key generation” algorithm– Sign:Ks×M→S is a randomized “signing” algorithm– Ver:Kv×S→{0,1} is a deterministic “signature verification”
algorithm
Ryan Henry
Correctness
▪ Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key)
10
Defn: A signature scheme (Gen,Sign,Ver) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M,
Pr[Verkv(m,Signks(m))=1|(ks,kv)←Gen(1s)]≥1−ε(s)If Ver(kv,m,σ)≟1, then we call σ a valid signature on m (under the verification key kv).
Ryan Henry
Signature existential forgery game
11
Challenger (C) Attacker (A)
1s 1s
(m,σ)∈M×S
(ks,kv)←Gen(1s)m1∈M
σ1←Signks(m1)m2∈M
σ2←Signks(m2)
mn∈Mσn←Signks(mn)
m1
m2
mn
σ1
σ2
σn
Let E be the event that (m,σ)∉{(m1,σ1),…,(mn,σn)} yet Verkv(m,σ)=1Define A’s advantage to be AdvSig-forge(A)≔Pr[E]
⋮
kv
Ryan Henry
Existential unforgeability
12
Defn: A digital signature scheme (Gen,Sign,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ+ such that
AdvSig-forge(A)≤ε(s).
▪ Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures
Ryan Henry
“Textbook” RSA signatures
13
▪ Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is,– Gen(1s) chooses distinct s-bit primes p and q and e∈℥φ(pq), and
then it outputs kv≔(pq,e) and ks≔e-1 mod φ(pq);– Sign(ks,m) outputs σ≔md mod pq; and– Ver(kv,m,σ) outputs 1 if m≟σe mod pq and 0 otherwise.
Q: Is this an existentially unforgeable signature scheme?A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!)
(If you do this and I find out, I will retroactive fail you in this course!)
Ryan Henry
“Textbook” RSA signatures
▪ As with textbook RSA encryption, textbook RSA signatures have some serious problems!– Unclear how to sign “long” messages– Extremely inefficient– “No message” forgery attacks– Forgeries from malleability– Forgeries on arbitrary messages– Key reuse attacks
14
Ryan Henry
“No message” forgeries
15
Obs 1: Let pv≔(pq,e) be a verification key for the textbook RSA signature scheme. Given any σ∈℥N, the attacker can output a valid forgery (m,σ) where m≔σe mod pq.???
Q: Can attacker choose σ corresponding to a particular message of its choosing?A: No! (Unless the RSA assumption fails to hold.)
• Message is an eth root of σ modulo pq!
Ryan Henry
Forgeries from malleability
▪ Attacker can choose a and b arbitrarily– a=b=1 yields signature on m1m2– b=0 yields signature on m1
a
16
Obs 2: Let pv≔(pq,e) be a verification key for the textbook RSA signature scheme. Given any two message-signatures pairs (m1,σ1), (m2,σ2) such that Ver(pv,m1,σ1)=Ver(pv,m2,σ2)=1, the attacker can output a valid forgery (m’,σ’) where m’≔m1
am2b mod pq and
σ’≔ σ1aσ2
b mod pq .
Ryan Henry
Forgeries on arbitrary messages
17
Obs 3: Let pv≔(pq,e) be a verification key for the textbook RSA signature scheme. Attacker can forge signature on arbitrary message m of its choosing by
1. choosing any r∈℥pq such that r≠1,2. requesting a signature σ’ on m’≔3. outputting σ≔
• This “attack” is useful for constructing blind RSA signatures.
m·re, and???σ’·r-1 mod pq.???
Ryan Henry
One-time signature schemes
▪ Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message
Q: Why is this notion useful?A1: We can construct OTS schemes under weaker assumptions
– No random oracles, no computational assumptions
A2: OTS’s are a useful building block for “many-time” signatures
18
Ryan Henry
One-time forgery game
19
Challenger (C) Attacker (A)
1s 1s
(m’,σ’)∈M×S
(ks,kv)←Gen(1s)
m∈M
σ←Signks(m)
m
σ
Let E be the event that (m’,σ’)≠(m,σ) yet Verkv(m’,σ’)=1Define A’s advantage to be AdvOTS-forge(A)≔Pr[E]
kv
Ryan Henry
One-time existential unforgeability
20
Defn: A digital signature scheme (Gen,Sign,Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPTattacker A, there exists a negligible function ε:ℕ→ℝ+
such thatAdvOTS-forge(A)≤ε(s).
Ryan Henry
Lamport’s OTS scheme (for ℓ(s)-bit messages)
▪ Let F be an OWF (In practice, F is a cryptographic hash function)
– Gen(1s) chooses (x1,0,x1,1),…,(xℓ(s),0,xℓ(s),1)∊{0,1}s×{0,1}s and outputs
Ks≔{x1,0 ⋯ xℓ(s),0x1,1 ⋯ xℓ(s),1} and Kv≔{
y1,0 ⋯ yℓ(s),0y1,1 ⋯ yℓ(s),1}, where each yi j≔F(x i j)
– Sign(ks,m1∥m2∥⋯∥mℓ(s)) outputs σ≔(x1,m1,x2,m2
,…,xℓ(s),mℓ(s))
– Ver(kv,m1∥m2∥⋯∥mℓ(s),σ) outputs 1 if yi,mi≟F(xi,mi
) for each i=1,…,ℓ(s) and outputs 0 otherwise
21
Ryan Henry
Security of Lamport’s OTS scheme
22
Thm: Let ℓ:ℕ→ℕ be any positive integer-valued polynomialand let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks.
Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0,1}s∖{m}.Since m’≠m, there exists a bit position i for which mi≠m′i; thus, forging a signature on m’ requires A to find x′i∈F-1(yi,m′i).Since F is an OWF, A succeeds in doing so with negligible advantage. ☐
Ryan Henry
That’s all for today, folks!
23