Ryan Henry

Spring 2017 • Lecture 24

B504 /I538:Introduction toCryptography

Ryan Henry

RSA+OAEP

1

• OAEP = “Optimal Asymmetric Encryption Padding”– n+k1+k2 is bit length of N=pq– k1 and k2 are constants

(e.g., k1=k2=128)– n is plaintext length– G and H are “random oracles”

(cryptographic hash functions)– G：{0，1}k2 →{0，1}n+k1

– H：{0，1}n+k1→{0，1}k2

– ⊕ is bitwise XOR• Public key is (N，e，G，H)• Private key is d≔e-1 mod φ(N)

m 0k1 r

YX

G

H

concatenate

n bits k1 bits k2 bits

k2 bitsn+k1 bits

n+k1 bits k2 bits

k2 bitsn+k1 bits

Ryan Henry

RSA+OAEP

2

Encrypting m∈{0，1}n:1. Pad m with k1 zeros: m‘≔m∥0k1

2. Choose r∊{0，1}k2

3. “Expand” r using G: r’≔G(r)4. XOR m’ with r’: X≔m’⊕r’5. “Compress” X using H: X’≔H(X)6. XOR X’ with r: Y≔r⊕X’7. Concatenate X and Y: m’’≔X∥Y8. Apply “textbook RSA” to m’’: c≔(m’’)e

Ciphertext is c∈ℤN.

m 0k1 r

YX

G

H

concatenate

n bits k1 bits k2 bits

k2 bitsn+k1 bits

n+k1 bits k2 bits

k2 bitsn+k1 bits

Ryan Henry

RSA+OAEP

3

Decrypting c∈ℤN1. Recover m’’ from c: m’’≔cd mod N2. Parse m’’ as (X，Y)∈{0，1}n+k1×{0，1}k2

3. Recover X’ from X: X’≔H(X)4. Recover r from X’ and Y: r≔Y⊕H(x)5. “Expand” r using G: r’≔G(r)6. Recover m’ from X and r’: m’≔X⊕r’7. Parse m’ as (m,z)∈{0，1}n×{0，1}k1

8. Check z≟0k1; if not， abort

Plaintext is m∈{0，1}n.

m 0k1 r

YX

G

H

concatenate

n bits k1 bits k2 bits

k2 bitsn+k1 bits

n+k1 bits k2 bits

k2 bitsn+k1 bits

Ryan Henry

Going forward

Tuesday (04/06): Digitial signature schemesThursday (04/11): Random oracle modelTuesday (04/13): Zero-knowledge proofsThursday (04/18): ??Tuesday (04/20): ??Thursday (12/25): ??Thursday (04/27): ??

4

– Specific cryptosystems– Secret sharing schemes– Pairing-based cryptography– Zero-knowledge proofs– Private information retrieval– Secure multiparty computation– Side-channel attacks– Other security notions– Anonymous credentials– Lattice crypto

Ryan Henry

Recall: Secrecy versus Authenticity

▪ Secrecy / confidentiality– IND-CPA: indistiguishable multiple encryptions in the presence of an

eavesdropper– Provides ”security” in the presence of passive attackers

▪ Authenticity / integrity– Existential unforgeability under adaptive chosen message attacks– Provides “security” in the presence of active attackers

5

Ryan Henry

Recall: MAC schemes

6

Usually write MACk(m) and Verk(m，t) instead of MAC(k，m) and Ver(k，m，t)• Ｋ is the key space• Ｍ is the message space• Ｔ is the tag space

(the set of possible keys)(the set of possible messages)(the set of possible “tags”)

Defn: A message authentication code (MAC) is a triple of efficient algorithms (Gen，MAC，Ver) such that– Gen：1ℕ→Ｋ is a randomized “key generation” algorithm– MAC：Ｋ×Ｍ→Ｔ is a “tagging” algorithm– Ver：Ｋ×Ｍ×Ｔ→{0，1} is a “tag verification” algorithm

Ryan Henry

Recall: MAC existential forgery game

7

Challenger (C) Attacker (A)

1s 1s

(m，t)∈Ｍ×Ｔ

k←Gen(1s)m1∈Ｍ

t1←MACk(m1)m2∈Ｍ

t2←MACk(m2)

mn∈Ｍtn←MACk(mn)

m1

m2

mn

t1

t2

tn

Let E be the event that (m，t)∉{(m1，t1),…,(mn，tn)} yet Verk(m，t)=1Define A’s advantage to be AdvMAC-forge(A)≔Pr[E]

⋮

Ryan Henry

Recall: Existential unforgeability

8

The message m and tage t are chosen arbitrarily by the attacker at the end of the attackExistential unforgeability is the “default” unforgeability property

Defn: A MAC scheme (Gen，MAC，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligiblefunction ε：ℕ→ℝ+ such that

AdvMAC-forge(A)≤ε(s).

Ryan Henry

Digital signature schemes

▪ Intuitively, a digital signature scheme is the public-key equivalent of a MAC scheme.

9

Defn: A digital signature scheme is a triple of efficientalgorithms (Gen，Sign，Ver) such that– Gen：1ℕ→Ｋs×Ｋv is a randomized “key generation” algorithm– Sign：Ｋs×Ｍ→Ｓ is a randomized “signing” algorithm– Ver：Ｋv×Ｓ→{0，1} is a deterministic “signature verification”

algorithm

Ryan Henry

Correctness

▪ Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key)

10

Defn: A signature scheme (Gen，Sign，Ver) with message space Ｍ is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ,

Pr[Verkv(m，Signks(m))=1｜(ks,kv)←Gen(1s)]≥1−ε(s)If Ver(kv，m，σ)≟1, then we call σ a valid signature on m (under the verification key kv).

Ryan Henry

Signature existential forgery game

11

Challenger (C) Attacker (A)

1s 1s

(m，σ)∈Ｍ×Ｓ

(ks，kv)←Gen(1s)m1∈Ｍ

σ1←Signks(m1)m2∈Ｍ

σ2←Signks(m2)

mn∈Ｍσn←Signks(mn)

m1

m2

mn

σ1

σ2

σn

Let E be the event that (m，σ)∉{(m1，σ1),…,(mn，σn)} yet Verkv(m，σ)=1Define A’s advantage to be AdvSig-forge(A)≔Pr[E]

⋮

kv

Ryan Henry

Existential unforgeability

12

Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that

AdvSig-forge(A)≤ε(s).

▪ Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures

Ryan Henry

“Textbook” RSA signatures

13

▪ Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is,– Gen(1s) chooses distinct s-bit primes p and q and e∈℥φ(pq), and

then it outputs kv≔(pq，e) and ks≔e-1 mod φ(pq);– Sign(ks，m) outputs σ≔md mod pq; and– Ver(kv，m，σ) outputs 1 if m≟σe mod pq and 0 otherwise.

Q: Is this an existentially unforgeable signature scheme?A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!)

(If you do this and I find out, I will retroactive fail you in this course!)

Ryan Henry

“Textbook” RSA signatures

▪ As with textbook RSA encryption, textbook RSA signatures have some serious problems!– Unclear how to sign “long” messages– Extremely inefficient– “No message” forgery attacks– Forgeries from malleability– Forgeries on arbitrary messages– Key reuse attacks

14

Ryan Henry

“No message” forgeries

15

Obs 1: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any σ∈℥N, the attacker can output a valid forgery (m，σ) where m≔σe mod pq.???

Q: Can attacker choose σ corresponding to a particular message of its choosing?A: No! (Unless the RSA assumption fails to hold.)

• Message is an eth root of σ modulo pq!

Ryan Henry

Forgeries from malleability

▪ Attacker can choose a and b arbitrarily– a=b=1 yields signature on m1m2– b=0 yields signature on m1

a

16

Obs 2: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Given any two message-signatures pairs (m1，σ1), (m2，σ2) such that Ver(pv，m1，σ1)=Ver(pv，m2，σ2)=1, the attacker can output a valid forgery (m’，σ’) where m’≔m1

am2b mod pq and

σ’≔ σ1aσ2

b mod pq .

Ryan Henry

Forgeries on arbitrary messages

17

Obs 3: Let pv≔(pq，e) be a verification key for the textbook RSA signature scheme. Attacker can forge signature on arbitrary message m of its choosing by

1. choosing any r∈℥pq such that r≠1,2. requesting a signature σ’ on m’≔3. outputting σ≔

• This “attack” is useful for constructing blind RSA signatures.

m·re, and???σ’·r-1 mod pq.???

Ryan Henry

One-time signature schemes

▪ Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message

Q: Why is this notion useful?A1: We can construct OTS schemes under weaker assumptions

– No random oracles, no computational assumptions

A2: OTS’s are a useful building block for “many-time” signatures

18

Ryan Henry

One-time forgery game

19

Challenger (C) Attacker (A)

1s 1s

(m’，σ’)∈Ｍ×Ｓ

(ks，kv)←Gen(1s)

m∈Ｍ

σ←Signks(m)

m

σ

Let E be the event that (m’，σ’)≠(m，σ) yet Verkv(m’，σ’)=1Define A’s advantage to be AdvOTS-forge(A)≔Pr[E]

kv

Ryan Henry

One-time existential unforgeability

20

Defn: A digital signature scheme (Gen，Sign，Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPTattacker A, there exists a negligible function ε：ℕ→ℝ+

such thatAdvOTS-forge(A)≤ε(s).

Ryan Henry

Lamport’s OTS scheme (for ℓ(s)-bit messages)

▪ Let F be an OWF (In practice, F is a cryptographic hash function)

– Gen(1s) chooses (x1,0，x1,1),…，(xℓ(s),0，xℓ(s),1)∊{0，1}s×{0，1}s and outputs

Ks≔{x1,0 ⋯ xℓ(s),0x1,1 ⋯ xℓ(s),1} and Kv≔{

y1,0 ⋯ yℓ(s),0y1,1 ⋯ yℓ(s),1}, where each yi j≔F(x i j)

– Sign(ks，m1∥m2∥⋯∥mℓ(s)) outputs σ≔(x1,m1，x2,m2

,…，xℓ(s),mℓ(s))

– Ver(kv，m1∥m2∥⋯∥mℓ(s)，σ) outputs 1 if yi,mi≟F(xi,mi

) for each i=1,…，ℓ(s) and outputs 0 otherwise

21

Ryan Henry

Security of Lamport’s OTS scheme

22

Thm: Let ℓ：ℕ→ℕ be any positive integer-valued polynomialand let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks.

Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0，1}s∖{m}.Since m’≠m, there exists a bit position i for which mi≠m′i; thus, forging a signature on m’ requires A to find x′i∈F-1(yi,m′i).Since F is an OWF, A succeeds in doing so with negligible advantage. ☐

Ryan Henry

That’s all for today, folks!

23