RSA-PSS â Provably secure RSA Signatures and their ...

More documents

Recommendations

Info

eduction, meaning every result that is bigger than N is divided by N and theremainder is taken.The exponents are chosen in a way that for any number M with M < N,the following is always true:M = M d·e mod N = M e·d mod N (1)The public key is the pair of (N, e), the private key is the pair of (N, d). Wegenerally can assume that exponentiation in a modulus can be done fast.Within the key generation, it is possible (and necessary) to generate theprivate exponent d with the knowledge of e and the factors p and q. d and ehave the relationd · e ≡ 1 (mod (p − 1)(q − 1))This is true due to the Chinese remainder theorem and Fermat’s little theorem.This also means that if an attacker is able to generate the factors p andq out of N, the attacker can generate the private key. So the security of RSArelies on the fact that factoring N is a hard problem.If Bob wants to send a message to Alice, he needs her public key (N, e).The encryption of a message M (with M < N) is done by the operation E =M e mod N. If Alice wants to decrypt the message, she calculates M D = E dmod N. As we can easily see with equation (1), M D is exactly M, becauseM D = (M e ) d mod N = M (e·d) mod N = M.Now we will have a look at signatures. Alice wants to sign a message M sothat Bob can verify with her public key that the message truly is from her. Shecalculates S = M d mod N. She then sends M and S to Bob. Bob can calculateM V = S e . Again, with equation (1) it can be easily seen that M V = M d·e = M.If this is the case, Bob can be sure that S was created with Alice’s private key.2.3 RSA and FactoringAs we have already seen, public key algorithms are based on trap-door functions,a special kind of mathematical one-way functions. The RSA algorithm is basedon factoring. It is easy to multiply two large prime numbers, but no algorithmis known that is able to factorize a large number efficiently.However, it is not proved that RSA is as secure as factoring. It can be shownthat if an attacker is able to generate a private key from a public key, he is alsoable to factorize large numbers. But until today nobody was able to prove thatan attacker who is able to decrypt messages or forge signatures is also able tofactorize large numbers. So it is unknown if the complexity of the RSA problemis the same as the complexity of factoring.In 1979, two years after the publication of RSA, Michael O. Rabin proposedthe Rabin public key algorithm [Rabin, 1979]. The Rabin algorithm has theadvantage of being provably as secure as factoring. It has, however, a down-6
side: Every decryption operation produces four possible outputs and thus isnot suitable for practical applications. Williams suggested a change that avoidsthis ambiguities [Williams, 1980]. This is called the Rabin-Williams algorithm,abbreviated RW. We will come back to discuss Rabin-Williams in chapter 3.6.The original Rabin algorithm already included the idea of hashing a messagebefore signing - a concept which became also crucial to make RSA secure, as wewill see in the next chapter.2.4 Plain / Textbook RSAIn the algorithm defined in the original RSA paper [Rivest et al., 1977], thefunction for signing is S = M e mod N, for verification M = S d mod N (S:Signature, M: Message, e, N: public key, d, N: private key). This originalversion – often called textbook RSA – has security problems. Assuming anattacker has messages M 1 and M 2 and signatures S(M 1 ) and S(M 2 ). Due tothe nature of the RSA signature function, (S(M 1 )·S(M 2 )) mod N would give avalid signature for (M 1 · M 2 ) mod N. This is called the multiplicative propertyof the RSA algorithm [Davida, 1982].Another problem of the original, unpadded RSA scheme is the fact that theencryption operation is directly the inverse of the signature operation. Thus,if a person is using the same RSA key pair for both signing and encryption,an attacker might be able to give the person encrypted data and asks for asignature. If the victim signs, the signature contains the decrypted data. Whilethis may sound like an unrealistic threat, signature generation is often part ofan automated system.2.5 Hash FunctionsA way to avoid attack vectors against plain RSA is the use of a cryptographichash function. A hash function is a one-way function mapping any input toan output of a fixed length. A cryptographic hash function can be classifiedby certain properties. The most important one is collision resistance: A hashfunction is called collision resistant if it is not possible for an attacker to generatetwo different inputs which produce the same output in a reasonable amount oftime (in mathematical terms, it shall not be possible to efficiently generate M 1and M 2 so that M 1 ≠ M 2 and Hash(M 1 ) = Hash(M 2 )).If for a given hash H and a message M 1 with H = Hash(M 1 ) an attacker isable to create a message M 2 with Hash(M 1 ) = Hash(M 2 ), this is called a secondpreimage attack. If for a given hash H an attacker is able to generate a messageM so that H = Hash(M), this is called a preimage attack.For simple signature schemes, it is necessary to have a hash function whichis collision resistant. We will later see that in certain scenarios a preimageresistant hash function may be enough.7
Page 3 and 4: 7.6 No Support yet: OpenPGP, DNSSEC
Page 5: look at requirements by law and pos
Page 9 and 10: MMGFMGF(M)Figure 2: Full Domain Has
Page 11 and 12: key size have equal security. Howev
Page 13 and 14: MHashPadding1mHashsaltPadding2saltH
Page 15 and 16: In the PKCS standard, the old and n
Page 17 and 18: --- crypto / rsa / rsa_sign .c 26 A
Page 19 and 20: impact of fault-based attacks on ra
Page 21 and 22: This only works because the first t
Page 23 and 24: MsaltRMXRMHashPadding1mHashsaltPadd
Page 25 and 26: PKCS #1 v2.1 specifies the use of P
Page 27 and 28: Default / no parametersWith paramet
Page 29 and 30: MacOS X supports only PSS signature
Page 31 and 32: DNSSEC is a security extension to t
Page 33 and 34: static SECStatusemsa_pss_verify ( c
Page 35 and 36: such a struct to pass it down throu
Page 37 and 38: 8.10 DifficultiesI found out that t
Page 39 and 40: During the implementation of RSASSA
Page 41 and 42: Certificate :Data :Version : 3 (0 x
Page 43 and 44: 11 Really provable SecurityThe conc
Page 45 and 46: PSPACE problemsNP ProblemsBQPFigure
Page 47 and 48: and physics where today very little
Page 49 and 50: are more likely to consider the use
Page 51 and 52: [Brier et al., 2006] Brier, E., Che
Page 53 and 54: [IETF Network Working Group, 2005a]
Page 55 and 56: [Technical Committee CEN/TC 224, 20
Page 57 and 58:
OAEP Optimal asymmetric Encryption
show all

RSA-PSS â Provably secure RSA Signatures and their ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?

RSA-PSS â Provably secure RSA Signatures and their ...