Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 20 07
Jan 20, 2018
Impossibility proofs for RSA signatures in the standard model
Pascal PaillierTopics in Cryptology – CT-RSA 2007
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Introduction Well-known RSA signatures:
Full domain hash (FDH) Probabilistic signature scheme (PSS / PSS-R) These are hard to invert in the random oracle
model. In the standard model, they have never been
discovered.
Introduction Real-life RSA signatures are breaking any form
of unforgeability. Any signature scheme of RSA type cannot be
equivalent to inverting RSA in the standard model. The key generation is instance-non-malleable. Proof technique is based on black-box meta-
reductions.
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Black-box reduction A black-box reduction R between two
computational problems P1 and P2 is a probabilistic algorithm R which solves P1 given black-box access to oracle solving P2.
when R is known to reduce P1 to P2 in polynomial time.
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
RSA and related computational problems
Root extraction problem is computing
is the problem of computing eth roots modulo n.
is a instance generator. Generate a hard instance (n, e) as well as the side
information
RSA and related computational problems
RSA and related computational problems
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Security notions for Real-life RSA signature - Adversarial goals Breakable (BK)
An adversary outputs the secret key. Universally forgeable (UF)
An adversary signs any message. Existential forgeable (EF)
An adversary signs some message. Root extractable (RE)
An adversary attempts to extract the eth root of a randomly chosen element y for a randomly chosen key (n, e)
BK > RE > UF > EF
Security notions for Real-life RSA signature- Attack model
Key-only attack (KOA) The adversary is given nothing else then a public
key. Known message attack (KMA)
The adversary is given a list of valid message/signature pairs.
Chosen message attack (CMA) The adversary is given adaptive access to a signing
oracle.
Security notions for Real-life RSA signature
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Instance-malleability A randomly chosen instance (n, e) is easier
when given repeated access to an oracle that extracts e’th roots modulo n’ for other instance (n’, e’) != (n, e).
An instance generator is instance-non-malleable.
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Impossibility of equivalence with inverting RSA
is an RSA signature scheme, where is an instance-non-malleable instance generator and a padding function
If is equivalent to then is polynomial.
If is equivalent to then is polynomial.
Impossibility of equivalence with inverting RSA
Impossibility of equivalence with inverting RSA
Impossibility of equivalence with inverting RSA
Let be an instance-non-malleable generator. These is no real-life RSA signature scheme such that and is equivalent to unless is polynomial.
Outline Introduction Black-box reductions RSA and related computational problems Security notions for Real-life RSA signature Instance-malleability Impossibility of equivalence with inverting
RSA Conclusion
Conclusion No real-life RSA signatures that are based on
instance-non-malleable key generation can be chosen-message secure under any RSA assumption in the standard model.