optimal security proofs for full-domain hash, revisitedrsa-fdh|horst görtz institute for...
TRANSCRIPT
![Page 1: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/1.jpg)
Optimal Security Proofs for Full-DomainHash, revisitedCambridge, EUROCRYPT 2012
Saqib A. Kakvi Eike KiltzFoundations of CryptographyChair for Cryptography and IT Security
![Page 2: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/2.jpg)
1 Introduction
2 Our results
3 Extensions
4 Conclusions
![Page 3: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/3.jpg)
RSA-Full Domain Hash Signatures
§ RSA-Full Domain Hash (RSA-FDH) was introduced by Bellare andRogaway [BelRog93] and is arguably one of the most importantsignature schemes based on RSA.
procedure Sign(sk ,m)
procedure KeyGen return σ = H(m)1e mod N
p, q ∈R P, N = pqe ∈R Zϕ(N) procedure Verify(pk ,m, σ)Pick H : {0, 1}∗ → ZN if σe mod N = H(m)return (pk = (N, e,H), sk = (p, q)) then return 1
else return 0
§ RSA-FDH signatures are unique.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 3/20
![Page 4: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/4.jpg)
RSA-Full Domain Hash Signatures
§ RSA-Full Domain Hash (RSA-FDH) was introduced by Bellare andRogaway [BelRog93] and is arguably one of the most importantsignature schemes based on RSA.
procedure Sign(sk ,m)
procedure KeyGen return σ = H(m)1e mod N
p, q ∈R P, N = pqe ∈R Zϕ(N) procedure Verify(pk ,m, σ)Pick H : {0, 1}∗ → ZN if σe mod N = H(m)return (pk = (N, e,H), sk = (p, q)) then return 1
else return 0
§ RSA-FDH signatures are unique.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 3/20
![Page 5: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/5.jpg)
RSA-Full Domain Hash Signatures
§ RSA-Full Domain Hash (RSA-FDH) was introduced by Bellare andRogaway [BelRog93] and is arguably one of the most importantsignature schemes based on RSA.
procedure Sign(sk ,m)
procedure KeyGen return σ = H(m)1e mod N
p, q ∈R P, N = pqe ∈R Zϕ(N) procedure Verify(pk ,m, σ)Pick H : {0, 1}∗ → ZN if σe mod N = H(m)return (pk = (N, e,H), sk = (p, q)) then return 1
else return 0
§ RSA-FDH signatures are unique.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 3/20
![Page 6: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/6.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.
§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 7: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/7.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight
§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 8: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/8.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?
§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 9: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/9.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulus
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 10: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/10.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 ≈ 1024 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 11: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/11.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 12: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/12.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 13: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/13.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 14: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/14.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
(PSS) [BelRog96] 1 ≈ 1024 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 15: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/15.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
(PSS) [BelRog96] 1 ≈ 1024 bits
§ Can RSA-FDH be tightly secure?
§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 16: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/16.jpg)
Classical security results of RSA-FDH
§ We would like a tight security proof (UF-CMA) for RSA-FDH.§ All known proofs are non-tight§ In practice, people use a 1024-bit modulus, but in theory?§ If RSA is (t, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
(PSS) [BelRog96] 1 ≈ 1024 bits
§ Can RSA-FDH be tightly secure?§ Exactly 10 years ago at EUROCRYPT 2002 in Amsterdam, Coronanswered this by showing that a loss of a factor of qs is optimal
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20
![Page 17: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/17.jpg)
1 Introduction
2 Our results
3 Extensions
4 Conclusions
![Page 18: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/18.jpg)
Our Results
§ We revisit Coron’s impossibility result
◦ Uncover a subtle flaw◦ Proof does not hold for small e
§ We show a tight proof for small e
◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 19: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/19.jpg)
Our Results
§ We revisit Coron’s impossibility result◦ Uncover a subtle flaw
◦ Proof does not hold for small e§ We show a tight proof for small e
◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 20: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/20.jpg)
Our Results
§ We revisit Coron’s impossibility result◦ Uncover a subtle flaw◦ Proof does not hold for small e
§ We show a tight proof for small e
◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 21: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/21.jpg)
Our Results
§ We revisit Coron’s impossibility result◦ Uncover a subtle flaw◦ Proof does not hold for small e
§ We show a tight proof for small e
◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 22: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/22.jpg)
Our Results
§ We revisit Coron’s impossibility result◦ Uncover a subtle flaw◦ Proof does not hold for small e
§ We show a tight proof for small e◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 23: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/23.jpg)
Our Results
§ We revisit Coron’s impossibility result◦ Uncover a subtle flaw◦ Proof does not hold for small e
§ We show a tight proof for small e◦ Proof is to Φ-Hiding , which is stronger than RSA
§ We then show some generalizations and extensions.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 6/20
![Page 24: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/24.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 25: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/25.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 26: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/26.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N)
x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 27: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/27.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 28: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/28.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 29: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/29.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 30: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/30.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 31: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/31.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 32: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/32.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 33: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/33.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 34: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/34.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 35: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/35.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 36: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/36.jpg)
Flaw in Coron’s Proof
Theorem 1 (Coron)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
R
(N, e, xe mod N) x
F
pk = (N, e)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 7/20
![Page 37: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/37.jpg)
Fixing Coron’s Proof
Theorem 2 (Coron Corrected)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
F R
(N, e, xe mod N) x
pk = (N ′, e′)
(m∗, σ∗)
I
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 8/20
![Page 38: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/38.jpg)
Fixing Coron’s Proof
Theorem 2 (Coron Corrected)
If there is a reduction R from RSA-FDH to inverting RSA, with securityloss less than qs , then we can efficiently invert RSA.
F R
(N, e, xe mod N) x
pk = (N ′, e′)
(m∗, σ∗)
I ??
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 8/20
![Page 39: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/39.jpg)
Fixing Coron’s Proof
Theorem 2 (Coron Corrected)
If there is a reduction R from RSA-FDH to inverting certified RSA,with security loss less than qs , then we can efficiently invert RSA.
F R
(N, e, xe mod N) x
pk = (N ′, e′)
(m∗, σ∗)
I
Certify(·)
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 8/20
![Page 40: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/40.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 41: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/41.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.
§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 42: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/42.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.
§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 43: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/43.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.
§ Overall, we have:
e 3 N0.25 N
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 44: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/44.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 45: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/45.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
CERTIFIED
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 46: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/46.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
CERTIFIED????????????
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 47: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/47.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
CERTIFIED????????????LOSSY
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 48: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/48.jpg)
Is RSA certified?
§ We say RSA is certified if given a public key (N, e), we can decidein polynomial time if the RSA function f(N,e)(x) = xe mod N isa permutation. [BelYun03]
§ Need to decide if e|ϕ(N) or if gcd(e, ϕ(N)) = 1.§ This is easy for prime e > N.§ Thought to be hard for prime e < N0.25.§ Overall, we have:
e 3 N0.25 N
CERTIFIEDLOSSY [KKM12]
Figure: Known results for RSA Certification with Prime Exponent
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 9/20
![Page 49: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/49.jpg)
Lossiness of RSA
§ A function is said to be lossy if there exists an alternate KeyGenalgorithm that outputs a lossy key [PeiWat08].
§ A lossy keys are computationally indistinguishable real keys§ Lossy keys give a function where the range is smaller than thedomain.
§ In particular for RSA, the lossy function is e-to-1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 10/20
![Page 50: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/50.jpg)
Lossiness of RSA
§ A function is said to be lossy if there exists an alternate KeyGenalgorithm that outputs a lossy key [PeiWat08].
§ A lossy keys are computationally indistinguishable real keys
§ Lossy keys give a function where the range is smaller than thedomain.
§ In particular for RSA, the lossy function is e-to-1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 10/20
![Page 51: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/51.jpg)
Lossiness of RSA
§ A function is said to be lossy if there exists an alternate KeyGenalgorithm that outputs a lossy key [PeiWat08].
§ A lossy keys are computationally indistinguishable real keys§ Lossy keys give a function where the range is smaller than thedomain.
§ In particular for RSA, the lossy function is e-to-1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 10/20
![Page 52: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/52.jpg)
Lossiness of RSA
§ A function is said to be lossy if there exists an alternate KeyGenalgorithm that outputs a lossy key [PeiWat08].
§ A lossy keys are computationally indistinguishable real keys§ Lossy keys give a function where the range is smaller than thedomain.
§ In particular for RSA, the lossy function is e-to-1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 10/20
![Page 53: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/53.jpg)
Lossines of RSA
§ RSA was shown to be lossy under Φ-Hiding [KOS10].
§ Φ-Hiding was introduced in 1999 by Cachin, Micali and Stadler[CMS99].
§ Φ-Hiding states that given N and a prime e < N0.25 it is hard todistinguish e|ϕ(N) and gcd(e, ϕ(N)) = 1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 11/20
![Page 54: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/54.jpg)
Lossines of RSA
§ RSA was shown to be lossy under Φ-Hiding [KOS10].§ Φ-Hiding was introduced in 1999 by Cachin, Micali and Stadler[CMS99].
§ Φ-Hiding states that given N and a prime e < N0.25 it is hard todistinguish e|ϕ(N) and gcd(e, ϕ(N)) = 1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 11/20
![Page 55: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/55.jpg)
Lossines of RSA
§ RSA was shown to be lossy under Φ-Hiding [KOS10].§ Φ-Hiding was introduced in 1999 by Cachin, Micali and Stadler[CMS99].
§ Φ-Hiding states that given N and a prime e < N0.25 it is hard todistinguish e|ϕ(N) and gcd(e, ϕ(N)) = 1.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 11/20
![Page 56: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/56.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 57: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/57.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA
§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 58: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/58.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 59: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/59.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 60: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/60.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .
§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 61: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/61.jpg)
Main Result
Main TheoremIf Φ-Hiding is (t ′, ε′)-hard, then RSA-FDH is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ GAME0 Standard UF-CMA§ GAME1 Simulate H such that sign no longer needs sk . Simulationknows exactly 1 valid signature for each message
§ GAME2 KeyGen is switched from real to lossy. Now each messagehas exactly e valid signatures.
§ A forgery (m∗, σ∗) gives a collision in the RSA function withprobability 1− 1
e , allowing us to factor or break Φ-Hiding .§ The final security loss is approximately 2 = O(1).
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 12/20
![Page 62: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/62.jpg)
Implications of our results
§ If we assume that solving Φ-Hiding is equivalent to inverting RSA,then:
Security Proof Security Loss ε/ε′ Equivalent RSA modulusIdeal 1 1024 bits
[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 13/20
![Page 63: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/63.jpg)
Implications of our results
§ If we assume that solving Φ-Hiding is equivalent to inverting RSA,then:
Security Proof Security Loss ε/ε′ Equivalent RSA modulusThis work 1 ≈ 1024 bits[BelRog93] qh ≈ 260 ≈ 200 bits[Coron00] qs ≈ 230 ≈ 500 bits
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 13/20
![Page 64: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/64.jpg)
1 Introduction
2 Our results
3 Extensions
4 Conclusions
![Page 65: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/65.jpg)
Extensions: Generalizations
§ We can extend our main theorem to any certified trapdoor permu-tation
Theorem 3If TDP is (t ′, ε′)-lossy, then TDP-FDH is (qh, qs , t, ε)-secure, for anyqh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ We can show impossibility for any hard problem Π and any certifiedunique signature scheme Σ.
Theorem 4If there is a reduction R from Σ to solving Π, with security loss lessthan qs , then we can efficiently solve Π.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 15/20
![Page 66: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/66.jpg)
Extensions: Generalizations
§ We can extend our main theorem to any certified trapdoor permu-tation
Theorem 3If TDP is (t ′, ε′)-lossy, then TDP-FDH is (qh, qs , t, ε)-secure, for anyqh, qs , with t ≈ t ′, ε ≈ 2ε′.
§ We can show impossibility for any hard problem Π and any certifiedunique signature scheme Σ.
Theorem 4If there is a reduction R from Σ to solving Π, with security loss lessthan qs , then we can efficiently solve Π.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 15/20
![Page 67: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/67.jpg)
Extensions: PSS
§ Our results also extend to PSS, in particular PSS-R.
0k1 m||r (r ∈ {0, 1}k0)
H
G
f −1
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 16/20
![Page 68: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/68.jpg)
Extensions: PSS
§ Our results also extend to PSS, in particular PSS-R.
0k1 m||r (r ∈ {0, 1}k0)
H
G
f −1
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 16/20
![Page 69: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/69.jpg)
Extensions: PSS
§ Our results also extend to PSS, in particular PSS-R.
Theorem 5If Φ-Hiding is (t ′, ε′)-hard, then RSA-PSS-R is (qh, qs , t, ε)-secure, forany qh, qs , with t ≈ t ′, ε ≈ 2 · ε′ + (qh+qs)2
2k1
0k1 m||r (r ∈ {0, 1}k0)
H
G
f −1
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 16/20
![Page 70: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/70.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 71: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/71.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.
§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 72: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/72.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.
§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 73: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/73.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 74: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/74.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 75: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/75.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 76: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/76.jpg)
Extensions: PSS with message recovery
§ When using signatures with recovery we want to minimize band-width.
§ Signer needs only to send the “enhanced signature”.§ Verify is replaced by Recover, which outputs message or ⊥.§ We use a measure called overhead, which is the difference in sizebetween the message and the “enhanced signature”.
Security Proof Randomness Padding Total overheadBellare-Rogaway [BR96] 160 160 320
Coron [Cor02] 30 160 190This work 0 160 160
Table: Total overhead using RSA-PSS-R for 80 bit security.
§ PSS-R comparable to BLS signatures.RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 17/20
![Page 77: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/77.jpg)
1 Introduction
2 Our results
3 Extensions
4 Conclusions
![Page 78: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/78.jpg)
Conclusion
§ Revisited and corrected Coron’s proof.
§ Tight security proof for RSA-FDH with small exponents.§ Extensions to TDP and other problems.§ Extensions to PSS and PSS-R.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 19/20
![Page 79: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/79.jpg)
Conclusion
§ Revisited and corrected Coron’s proof.§ Tight security proof for RSA-FDH with small exponents.
§ Extensions to TDP and other problems.§ Extensions to PSS and PSS-R.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 19/20
![Page 80: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/80.jpg)
Conclusion
§ Revisited and corrected Coron’s proof.§ Tight security proof for RSA-FDH with small exponents.§ Extensions to TDP and other problems.
§ Extensions to PSS and PSS-R.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 19/20
![Page 81: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/81.jpg)
Conclusion
§ Revisited and corrected Coron’s proof.§ Tight security proof for RSA-FDH with small exponents.§ Extensions to TDP and other problems.§ Extensions to PSS and PSS-R.
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 19/20
![Page 82: Optimal Security Proofs for Full-Domain Hash, revisitedRSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 4/20. 1 Introduction 2 Ourresults 3 Extensions 4 Conclusions](https://reader033.vdocument.in/reader033/viewer/2022052008/601d327c96edab71ca5123a1/html5/thumbnails/82.jpg)
Many thanks for your attention!
QUESTIONS?
RSA-FDH|Horst Görtz Institute for IT-Security|Cambridge|EUROCRYPT 2012 20/20