provable security rsa-pkcs encryption - signature

David PointchevalLIENS-CNRSEcole normale supérieure

Provable SecurityRSA-PKCS

Encryption - SignatureLawrence Berkeley National Lab

August 2003

Provable Security - RSA-PKCS - Encryption-Signature - 2David Pointcheval

SummarySummary

• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP

• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS

• Conclusion


SummarySummary



• Conclusion


RSARSA

• n=pq : public modulus e : public exponent

• d=e-1 mod ϕ(n) : private

en/de-cryption�(m) = me mod n

�(c) = cd mod n

Relies on the so-called RSA problem:extracting e-th roots mod n

Rivest - Shamir - Adleman 1978


• One-Wayness = RSA Problem• Deterministic:

cannot achieve Semantic SecurityDoes c encrypt m0 or m1?Re-encrypt m0, and check whether it is c

• Multiplicativity:cannot prevent Chosen-Ciphertext Attacks

With c = �e(m) = me mod n

Compute c’ = 2e c mod n, ask for m’

Note that c’ = (2m)e mod n, thus m = m’ /2 mod n

⇒ need of padding

Plain-RSA: Weak SecurityPlain-RSA: Weak Security


PKCS #PKCS #1 v 1.51 v 1.5

00 02 00 Data BlockPadding String

length ≥ 8bytes ≠ 0

• Efficient encoding/decoding• Probabilistic encryption• Breaks multiplicativity• But…

a random ciphertext is validwith non-negligible probability ≈ 2-16

EM


PKCS #PKCS #1 v 1.51 v 1.5



Valid ciphertext⇒ the MSB of the encoded message is at zero– The bit-security of RSA says that any bit

of the e-th root is as hard as the whole e-th root

– Any bit-leakage is serious– Here: 2 full bytes are leaked!

EM


Breaking PKCS #1 v 1.5Breaking PKCS #1 v 1.5



Valid ciphertext C = EMe mod n

⇒ 2 × 256k-2 ≤ EM < 3 × 256k-2

Challenge ciphertext C = EMe mod n– Find small S such that C’ = C × Se mod n valid:

for some 0 < r < S,

2 × 256k-2 - rn ≤ EM S < 3 × 256k-2 - rn

⇒ EM lies in a small interval [a, b]

EM

*





Choose a new S such that the sets{ a S mod n, (a+1) S mod n, …, b S mod n}and [2 × 256k-2, 3 × 256k-2[ overlap

Validity of C’ = C Se mod n tells in which part it is

⇒ new small inverval [a’, b’] for EM

Approx.: any new valid ciphertextreduces the interval by 1/2

EM

*





• Reaction Attack (validity requests)breaks the One-Wayness

• Given a challenge ciphertext c*,after a few thousand of requests c,one can recover the plaintext m*

EM


SummarySummary



• Conclusion


OAEPOAEP BellareBellare--RogawayRogaway ‘94 ‘94

M

r

s

t

G HM = m||0k

r random

�(m,r) : Compute a,b then c=f (s||t) = EMe mod n�(c) : Compute EM = s||t = f -1(c) = cd mod n,

invert OAEP, and check redundancy

f a trapdoor one-way permutation (e.g. RSA)then (with G → {0,1}n and H → {0,1}�)

EM


In 1994, Bellare and Rogaway proved that• the OAEP construction provides an IND-CPA

cryptosystem under the OW of f• it is plaintext-aware (PA94)

proven: IND-CPA + PA94 ⇒ IND-CCA1But widely believed:

not proven: IND-CPA + PA94 ⇒ IND-CCA2and namely for OAEP…

IND-CCA2 under OW of IND-CCA2 under OW of ff


In 1998, improved plaintext-awareness (PA98)

proven: IND-CPA + PA98 ⇒ IND-CCA2But… PA98 of OAEP never studiedAnd IND-CCA2 of OAEP still widely believed

under the sole OW of fand namely for RSA-OAEP

RSA-OAEP: the most efficientand “provably secure” construction

⇒ became the new PKCS #1 v2.0



However, in 2000,Shoup showed a counter-example:– a trapdoor one-way permutation f

– so that f -OAEP can be broken: malleablefrom a ciphertext c of an unknown message m,

one can build a ciphertext c’ of m’ = m ⊕ 1

⇒ break OW-CCA2, and thus IND-CCAGiven a challenge c, the encryption of m,

one derives the ciphertext c’ of m ⊕ 1one request to the decryption oracle is enough!



• Let g be a trapdoor one-way permutationso that their exists an algorithm �,which on a and g(x) computes g(x ⊕ a)

• Let us define f (s,t) = s || g(t), which is clearlya trapdoor one-way permutation

Counter-ExampleCounter-Example *


MalleabilityMalleability

m 0k r

G

H

ts

⊕ δ → m’

⊕ δ || 0k → s’ ⊕ T → t’

T = H(s)⊕H(s’ )

*


One receives c = �(m,r) = f (s,t) = s || g(t) where

M= m ||0k, s = M ⊕ G(r), t = r ⊕ H(s)– One gets s, and computes s’ = s ⊕ ∆

for some ∆ = δ || 0k

– One computes T = H(s) ⊕ H(s’), and t’ = t ⊕Tas well as g(t ⊕T) granted � on g(t) and T

r’ = t’ ⊕H(s’) = t ⊕T ⊕H(s’) = t ⊕H(s) = rM’ = s’⊕G(r) = s⊕∆⊕G(r) = M⊕∆ = (m⊕δ) || 0k

– c’ = f (s’,t’) is a new ciphertext: of m ⊕ δ

Malleability (details)Malleability (details) *


From c = �(m,r) = f (s,t)

⇒ c’ = �(m ⊕ δ,r) for any δ of his choice

• without asking G(r) ⇒ OW of f not broken

• but asking H(s) ⇒ partial-domain OW of f

This intuition can be made formal:Break IND-CCA2 of f -OAEP,

⇒ partially invert fFujisaki-Okamoto-Pointcheval-Stern Crypto ‘01

Partial-Domain One-Partial-Domain One-WaynessWayness


The RSA permutation is particular:Partial Domain One-Wayness

⇔ One-WaynessConsequence:

RSA-OAEP is IND-CCA2 underthe classical RSA assumptionNote: Shoup repaired the proof

for RSA exponent 3 only,we repaired it for any exponent

RSA: a Particular CaseRSA: a Particular Case


PKCS #PKCS #1 v 1 v 2.02.0

After Bleichenbacher’s attack,the OAEP construction was adoptedby RSA in PKCS #1 v 2.0 (and still in v 2.1)

Even if a construction is provably secure,careless implementations often lead tovery weak cryptosystemse.g. invalidity reasons must be indistinguishable– MSB different of zero

– Redundancy not satisfied


SummarySummary



• Conclusion


�(m) = md mod n

�(m,σ) = (m = σe mod n)

Plain-RSA SignaturePlain-RSA Signature

• n=pq : public modulus e : public exponent

• d=e-1 mod ϕ(n) : private

Existential forgery:– choose a random σ– compute m = σe mod n


PKCS #PKCS #1 v 1.1 v 1.5/2.05/2.0

00 01 00 Digest InfoPadding String


EM

)EM((),(?

== fm�)EM()( 1−= fm�


PKCS #PKCS #1 v 1.1 v 1.5/2.05/2.0

00 01 00 Digest InfoPadding String


• Digest Info = HashID and H(m)It is small, and the padding string can be long…

under the control of the adversary

• Using the multiplicativity of RSAa weakness has been found in 1999

EM


Attack IdeaAttack Idea

• A lot of freedom in the Padding String• Get many EMi for several i such that

EM = Π EMi ⇒ σ = Π σi

After several queries to the signing oracle,one can build a new signature

*


New VersionNew Version

Applied on a slight variant of ISO 9796-1But theoretical only on PKCS #1 v1.5… less efficient than factoring!

Anyway, a provably secure constructionwas better.


SummarySummary



• Conclusion


Probabilistic Signature SchemeProbabilistic Signature SchemeBellareBellare--RogawayRogaway ‘96 ‘96

m r

H

w

G

F

s t

⊕

0

k2 k1 k0

k = k0 + k1 + k2 + 1{0,1}k-1 ⊂ X ⊂ {0,1}k

f : X → X

y = 0||w||s||tσ = f -1(y)


RSA - PSSRSA - PSS

• n, k-bit RSA modulus (k = k0 + k1 + k2 + 1)• n,e : public key• d : private key

{ } { } { } { }{ } { } 2

1202

0,10,1 :

0,10,1 :0,10,1 :* k

kkkk

H

GF

→→→ and

nytswy

wFtrwGsrmHwd mod 0

)(,)(),,(

===⊕==

and


• Provably secure

no existential forgeriesunder chosen-message attacks

• Efficient security proof

⇒ practical security

• Probabilistic

⇒ PKCS #1 v2.1

RSA - PSSRSA - PSS


SummarySummary



• Conclusion


ConclusionConclusion

Almost all the previously defined paddings,without any security proof,have been showed to be flawed

Any new standard(ISO, IEEE, IETF, PKCS, …)needs a security proof

provable security rsa-pkcs encryption - signature

Documents