On the Security of the PKCS1 v15 Signature Scheme

Tibor Jager1 Saqib A Kakvi1 Alexander May2

September 10 2018

1Department of Computer Science Universitat Paderborntiborjagersaqibkakviupbde2Hortz Gortz Institute Ruhr Universitat Bochum

alexmayrubde

Abstract

The RSA PKCS1 v15 signature algorithm is the most widely used digital signature scheme inpractice Its two main strengths are its extreme simplicity which makes it very easy to implement andthat verification of signatures is significantly faster than for DSA or ECDSA Despite the huge practicalimportance of RSA PKCS1 v15 signatures providing formal evidence for their security based onplausible cryptographic hardness assumptions has turned out to be very difficult Therefore the mostrecent version of PKCS1 (RFC 8017) even recommends a replacement the more complex and lessefficient scheme RSA-PSS as it is provably secure and therefore considered more robust The mainobstacle is that RSA PKCS1 v15 signatures use a deterministic padding scheme which makes standardproof techniques not applicable

We introduce a new technique that enables the first security proof for RSA-PKCS1 v15 signaturesWe prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under thestandard RSA assumption Furthermore we give a tight proof under the Phi-Hiding assumption Theseproofs are in the random oracle model and the parameters deviate slightly from the standard use becausewe require a larger output length of the hash function However we also show how RSA-PKCS1 v15signatures can be instantiated in practice such that our security proofs apply

In order to draw a more complete picture of the precise security of RSA PKCS1 v15 signatureswe also give security proofs in the standard model but with respect to weaker attacker models (key-onlyattacks) and based on known complexity assumptions The main conclusion of our work is that froma provable security perspective RSA PKCS1 v15 can be safely used if the output length of the hashfunction is chosen appropriately

ccopyAuthors 2018 This is the authorsrsquo version of the work It is posted here for your personal use Notfor redistribution The definitive Version of Record was published in 2018 ACM SIGSAC Conference onComputer and Communications Security (CCS rsquo18) httpdxdoiorg10114532437343243798

1

1 Introduction

The RSA PKCS1 v15 signature algorithm was originally specified in version 15 of the PKCS1 standard(RFC 2313) and is still contained in the most recent version (22) of PKCS1 (RFC 8017) It is used incountless important applications such as X509 (RFC 4055) SMIME (RFC 3370) PGP (RFC 4880) IPSec(RFC 4359) all TLS versions up to 12 (RFCs 2246 4346 5246) JSON Web Signature (RFC 7515) W3CrsquosXML Signature1 and many more

PKCS1 v15 is an attractive choice in practice because it is RSA-based and extremely simple thereforeit is quick and easy to implement Its simplicity makes it less prone to implementation errors which is ahighly desirable feature for cryptographic algorithms Furthermore it is compatible with legacy hardwareand software implementations which is relevant for applications such as TLS where interoperability isimportant Another nice feature is that verification is extremely efficient and significantly faster than thatof DSA or ECDSA Concretely the OpenSSL benchmark

openssl speed rsa dsa ecdsa

shows about 1170 signature verifications per second for RSA-2048 while EC-DSA achieves only around350 verificationss for nistp256 nistk233 and nistb233 curves and DSA-2048 achieves only 100 verifica-tionss2 Similar results were obtained by the Crypto++ 600 benchmarks even with precomputations tospeed-up the verification in DSA3

Security of RSA PKCS1 v15 signatures Even though RSA PKCS1 v15 is still the most importantdigital signature scheme used in practice we do not yet have any formal evidence of its security providedby a rigorous reduction-based security proof under any standard complexity assumption We do not evenknow any security proof under a non-standard but plausible interactive assumption apart from the trivialassumption that the scheme is secure

Due to the lack of security proofs for PKCS1 v15 signatures some standards allow to use PKCS1v15 but recommend RSA-PSS [BR96] instead This includes TLS 13 X509v3 (RFC 4055) and PKCS1itself since version 21 (RFC 3447)

ldquoAlthough no attacks are known against RSASSA-PKCS1 v15 in the interest of increasedrobustness RSA-PSS is recommended for eventual adoption in new applicationsrdquo (RFC 3447)

While RSA-PSS has the advantage of being provably secure it also has several disadvantages Mostimportantly it is much more complex than PKCS1 v15 and thus more difficult to implement and maintainand it is more prone to implementation errors Furthermore it requires randomness which may be difficultto generate securely on some devices while PKCS1 v15 is deterministic and has unique signatures Thelatter automatically yields security against subversion attacks as shown in [AMV15] if the RSA public key(N e) defines a certified trapdoor permutation in the sense of [BY93 KKM12]

The difficulty of replacing PKCS1 v15 signatures with PSS It has turned out to be extremely difficultto replace PKCS1 v15 with PSS in practice Hence even though several standards prefer PSS one has toexpect that PKCS1 v15 will remain deployed in many applications and retain its huge practical relevancefor a long time For instance let us consider the recent efforts to remove legacy cryptography from TLS in

1See httpswwww3orgTRxmldsig-core1sec-PKCS12 The experiments were executed on an Apple MacBook Pro running MacOS 10134 on an Intel Core i7 33 GHz CPU3See httpswwwcryptoppcombenchmarkshtml

2

TLS 13 Although TLS 13 has in principle moved to RSA-PSS as a preferred algorithm this decisionwas preceded by intense discussion4 It was pointed out that in many applications it is impossible to removePKCS1 v15 signatures with a simple software update because the signing algorithm is implemented inhardware and it is considered infeasible that this hardware will be replaced at large scale within a foreseeabletimeframe Furthermore X509 certificates require PKCS1 v15 signatures anyway for interoperabilityreasons Hence a TLS implementation now has to implement both schemes The need to support twodifferent RSA signature schemes makes implementations more complex and requires the maintenance ofmore security-critical code Furthermore due to a lack of RSA-certificates that can exclusively be usedwith RSA-PSS TLS implementations also accept ldquolegacyrdquo PKCS1 v15 certificates for PSS Formally thisvoids the known security proofs for PSS since they consider a setting where RSA public keys are usedexclusively for PSS5

In summary even though the importance of using provably-secure algorithms is increasingly recognizedby standardization bodies and practicioners it turned out to be extremely difficult to replace PKCS1 v15signatures with provably secure alternatives like PSS at large scale due to backwards compatibility andinteroperability requirements By providing rigorous security proofs for PKCS1 v15 signatures understandard cryptographic hardness assumptions we show that PKCS1 v15 signatures can be used securelyin practice if instantiated in a way such that the bounds on the length of the hash function output and theRSA modulus from our security proofs apply

The difficulty of proving security of RSA PKCS1 v15 signatures The main obstacle in proving secu-rity of RSA PKCS1 v15 signatures is that a deterministic padding scheme is used which makes standardproof techniques not directly applicable More precisely a PKCS1 v15-signature σ with respect to anRSA public key (N e) and message m is

σ = (PAD||z)1e mod N

where PAD is a long constant string and z = H(m) is a relatively short hash of the message Concretely fora 2048-bit modulus N and H = SHA-256 we have |z| = 256 and |PAD| = 2048minus 256 = 1792 Hence themessage representatives PAD||z lie in an extremely small subset of ZN and the set of signatures σ such thatthere exists z with σe = PAD||z is devoid of any known algebraic structure The combination of these twofactors means that standard proof techniques are not immediately applicable because in standard securityproofs for RSA-based schemes [BR96 Cor00 Cor02 KK12 KK18] one samples a random signature σand computes σe as the message representative However since the set of valid message representatives isvery small the chance of obtaining a valid random signature that satisfies σe = PAD||z for some z is verylow

Our results We present the first security proofs for RSA PKCS1 v15 We prove full existential un-forgeability under adaptive chosen message attacks (UF-CMA) in the random oracle model [BR93] Thisis the same security level that other practical signature schemes such as RSA-PSS or RSA Full-DomainHash [BR96 Cor00 Cor02 KK12 KK18] provably achieve We give two different results

1 The first is based on the standard RSA assumption and has a linear security loss in the number qsof signature queries made by the adversary If the RSA public key (N e) defines a certified trapdoorpermutation in the sense of [KKM12] then this was shown to be optimal in [Cor00 KK12 KK18]

4See httpswwwietforgmail-archivewebtlscurrentmsg19360html for instance5As pointed out in httpsnikmavblogspotcom201805gnutls-and-tls-13html

3

because in this case RSA PKCS1 v15 has a unique signature for each message Furthermore in thiscase our proofs immediately imply strong existential unforgeability in the sense of [SPW07] as wellas resilience against subversion attacks in the sense of [AMV15]

2 The second is based on the ϕ-Hiding assumption [CMS99] This follows a line of recent results[KOS10 KK18 LOS13 KPS13 Seu14 SZ15] which use lossy trapdoor permutations [PW08] toprove security Lossy RSA keys are indistinguishable from injective keys under the ϕ-Hiding As-sumption In this case we get a tight security proof that is independent of qs However in this casewe only get UF-CMA-security but not strong UF-CMA and no provable security against subversionattacks

Both proofs are based on a new technique which introduces an Encode algorithm that makes it possible toembed arbitrary elements of ZN into correctly PKCS1 v15-padded strings modulo N where N = NRfor some additional prime factorR The signature scheme is defined modulo N while we consider hardnessassumptions modulo N Thus if N = PQ is the product of two primes then our proof considers a variantof PKCS1 v15 signatures with a modulus N = PQR that is the product of three primes We explainbelow how this results can easily be lifted to the standard two-prime setting

Finally in order to complete the picture we also give security proofs in the standard model but withrespect to very weak security notions In this case we consider no message attacks which are also know askey only attacks In this scenario the adversary has only the public key and must forge a signature As withthe random oracle case we prove two different results

1 The first result is also based on the ϕ-Hiding assumption It is well know that when using lossy keysthe RSA function gives an e-regular lossy trapdoor permutation that is a permutation that is exactlye-to-1 This means that the set of eth residues is much smaller We argue that the distribution of theseresidues is such that with high probability there are no message representatives that are ethresidues

2 The second result relies on a variant of the Approximate e-th Root assumption (AER) which is ageneralization of the RSA assumption Essentially we give the adversary more freedom as he doesnot have to find an e-th root of a specific value but an e-th root of any value sufficiently close to thegiven target We use this to cover the entire set of message representatives and the proof follows fromthere More details are discussed in Section 42

Implication for practical instantiations Our UF-CMA security proof considers PKCS1 v15 signatureswith moduli N = PQR that are a product of three primes In practice PKCS1 v15 signatures are usuallyused with moduli that have only two prime factors Firstly we point out that the PKCS1 standard definesN as a product of two or more primes such that the setting considered in our paper is already standardcompliant In order to avoid an additional assumption one can simply use a modulus of the form N = PQRwhich is compatible with PKCS1 In any case we can easily lift this result to the standard setting where Nis the product of only two primes To this end we simply make the additional complexity assumption thatfor a suitably large modulus N breaking the UF-CMA-security of PKCS1 v15 signatures with N = PQa product of two primes is at least as hard as breaking PKCS1 v15 signatures with N = PQR Weconsider this as a very plausible assumption since more prime factors should only make it easier to breakthe signature scheme and we prove security even for more prime factors With this additional assumptionwe immediately obtain a security proof for the standard case where N is the product of two primes

Furthermore we remark that our proofs work only with a hash function with an unusually long outputMore precisely if we use the Encode algorithm described in Section 311 then we can prove security for

4

PKCS1 v15 signatures instantiated with an 2n-bit modulus and `-bit hash function under the assumptionthat breaking the RSA (or ϕ-Hiding) assumption is hard with respect to an n-bit modulus N with |N | = `Concretely for signatures instantiated with an 2048-bit RSA modulus N we can prove security under the1024-bit RSA assumption with 1024-bit padding and 1024-bit hash function Here we note that being ableto deal with very long paddings of 1024 bits and more goes significantly beyond what is achievable withprior proof techniques Furthermore there are several practical ways to instantiate hash functions with longoutput of 1024 bits or more even with solutions that are already standardized

bull The PKCS1 v22 standard (RFC 8017) itself already specifies a way to turn a cryptographic hashfunction into a function with arbitrary output size The construction is called MGF1 (Mask GenerationFunction 1) in Appendix B of RFC 8017 This function is a building block of the 2-round Feistelnetwork used in PSS signatures and OAEP encryption It is basically a standard hash function whichis repeatedly applied to the input and increasing counter values until the total output has the desiredlength

bull The Keccak construction [BDPA11] which is the basis of the SHA-3 hash function allows to specifya longer output length The NIST standard specifying SHA-3 [FIPS 202] also specifies Keccak-basedextendable-output functions (XOFs) called SHAKE128 and SHAKE256 which have arbitrary lengthoutput

Thus even though our proofs do not immediately apply to PKCS1 v15 when instantiated with standardhash functions such as SHA-512 we show that it is still possible to instantiate PKCS1 v15 signatures ina meaningful way and based on standardized constructions such as MGF1 from RFC 8017 or the XOFsSHAKE128 and SHAKE256 standardized by NIST in FIPS 202

We recommend that future versions of the PKCS1 standard allow the use of such hash functions withlonger output as a compromise between the simplicity of classical PKCS1 v15 signatures (but withoutany provable security) and the significantly more complex RSA-PSS scheme (with provable security)

Idea of our Encode algorithm The main novelty of this paper is the idea to use an Encode algorithmto embed numbers modulo N into strings with correct PKCS1 v15-padding with respect to some largerinteger N = NR where R is a prime number chosen by us The Encode algorithm exploits this knowledgeof the part factorization of the modulus N = NR Concretely

(y s z)larr$ Encode(N e 1 PAD R)

is an efficient algorithm that takes as input an n-bit integerN an exponent e y isin ZlowastN a padding pattern PADand an r-bit primeR It outputs (y s z) isin ZN timesZN times0 1` such that y has to correct form for a PKCS1signature mod N with z being our message hash Additionally s will be an eth root mod N Using this andthe knowledge of R we can compute an eth root modulo N Additionally we can embed an RSA challengein our signature if we replace 1 with our random challenge y In this case we cannot simulate a signaturebut given a forgery we can solve our RSA challenge With these two uses of the Encode algorithm we areable to prove UF-CMA security of PKCS1 in the Random Oracle Model

We remark that the above proof sketch is slightly different from our actual proof In fact we use the moresophisticated approach of Coron [Cor00] to embed y in multiple hash values This achieves a better tightnessbound where the loss is only linear in the number of signature queries qs and not in the number of hashqueries qh This approach is known to be optimal for unique signatures [Cor02 KK12 BJLS16 KK18]However this is only a minor technical difference and the main proof idea remains identical

5

Instantiating the Encode algorithm We instantiate Encode based on elementary modular arithmeticOur algorithm works for both the RSA-based and the ϕ-Hiding-based security proof

Related work At the CRYPTO 2006 rump session Bleichenbacher presented a low-exponent attack onRSA-PKCS1 v15 signatures This attack was later described by Finney in a posting to the OpenPGPmailing list6 The attack exploits a vulnerable implementation of a flawed signature verification algorithmIn this paper we consider only forgeries that are accepted by a correct verification algorithm

The RSA-PSS scheme and RSA Full-Domain Hash signatures have already been mentioned aboveThere are several further signature schemes that are based on the RSA [HW09 BHJ+13] or the strong-RSA [GHR99 CS99 Fis03 Sch11 HJK11] assumption None of them is widely used in practice as theyrequire the generation of relatively large primes not only for key generation but also to compute signaturesHence they are computationally significantly less efficient that RSA-FDH or RSA-PSS

The PKCS1 standards also specify encryption schemes The RSA-PKCS1 v15 encryption scheme isvery similar to RSA-PKCS1 v15 signatures except that a probabilistic padding is used and the RSA publickey is applied to the padded message instead of the secret key This scheme is also very widely-used in prac-tice eg in all TLS versions up to 12 While there are no known attacks for correctly-implemented RSA-PKCS1 v15 signatures there are many examples of chosen-ciphertext attacks that break PKCS1 v15encryption [Ble98 CFPR96 CJNP00 KPR03 DLP+12 BFK+12 MSW+14 ZJRR14 JSS15a JSS15bBSY17] The RSA OAEP encryption scheme due to Bellare and Rogaway [BR95] uses a similar Feistel-likemessage encoding as RSA-PSS Its security has been extensively studied in [BR95 Sho02 KP09 KOS10FGK+13]

2 Preliminaries

21 Notations and conventions

We denote our security parameter as n For all n isin N we denote by 0n and 1n the n-bit string of allzeroes and all ones respectively For any set S we use x isinR S to indicate that we choose x uniformlyrandom from S All algorithms may be randomized For any algorithm A we define x larr$ A(a1 an)as the execution of A with inputs a1 an and fresh randomness and then assigning the output to x Fordeterministic algorithms we drop the $ from the arrow We denote the set of prime numbers by P and wedenote the set of κ-bit integers as Z[κ] Similarly we denote the set of κ-bit primes as P[κ] We denote byZlowastN the multiplicative group modulo N isin N We will use game based proofs and will denote by GA rArr 1the event that the adversary A wins game G ie the Finalize Procedure outputs 1

22 Digital Signatures and their security

A digital signature scheme is a triple Sig = (KeyGenSignVerify) of algorithms which are defined asfollows

bull KeyGen takes as an input the unary representation of our security parameter (1n) and outputs a privatesigning key sk and a public verification key pk

bull Sign takes as input a signing key sk message m and outputs a signature σ6See httpswwwietforgmail-archivewebopenpgpcurrentmsg00999html

6

PKCS1 v15 signatures instantiated with an 2n-bit modulus and `-bit hash function under the assumptionthat breaking the RSA (or ϕ-Hiding) assumption is hard with respect to an n-bit modulus N with |N | = `Concretely for signatures instantiated with an 2048-bit RSA modulus N we can prove security under the1024-bit RSA assumption with 1024-bit padding and 1024-bit hash function Here we note that being ableto deal with very long paddings of 1024 bits and more goes significantly beyond what is achievable withprior proof techniques Furthermore there are several practical ways to instantiate hash functions with longoutput of 1024 bits or more even with solutions that are already standardized

bull The PKCS1 v22 standard (RFC 8017) itself already specifies a way to turn a cryptographic hashfunction into a function with arbitrary output size The construction is called MGF1 (Mask GenerationFunction 1) in Appendix B of RFC 8017 This function is a building block of the 2-round Feistelnetwork used in PSS signatures and OAEP encryption It is basically a standard hash function whichis repeatedly applied to the input and increasing counter values until the total output has the desiredlength

bull The Keccak construction [BDPA11] which is the basis of the SHA-3 hash function allows to specifya longer output length The NIST standard specifying SHA-3 [FIPS 202] also specifies Keccak-basedextendable-output functions (XOFs) called SHAKE128 and SHAKE256 which have arbitrary lengthoutput

Thus even though our proofs do not immediately apply to PKCS1 v15 when instantiated with standardhash functions such as SHA-512 we show that it is still possible to instantiate PKCS1 v15 signatures ina meaningful way and based on standardized constructions such as MGF1 from RFC 8017 or the XOFsSHAKE128 and SHAKE256 standardized by NIST in FIPS 202

We recommend that future versions of the PKCS1 standard allow the use of such hash functions withlonger output as a compromise between the simplicity of classical PKCS1 v15 signatures (but withoutany provable security) and the significantly more complex RSA-PSS scheme (with provable security)

Idea of our Encode algorithm The main novelty of this paper is the idea to use an Encode algorithmto embed numbers modulo N into strings with correct PKCS1 v15-padding with respect to some largerinteger N = NR where R is a prime number chosen by us The Encode algorithm exploits this knowledgeof the part factorization of the modulus N = NR Concretely

(y s z)larr$ Encode(N e 1 PAD R)

is an efficient algorithm that takes as input an n-bit integerN an exponent e y isin ZlowastN a padding pattern PADand an r-bit primeR It outputs (y s z) isin ZN timesZN times0 1` such that y has to correct form for a PKCS1signature mod N with z being our message hash Additionally s will be an eth root mod N Using this andthe knowledge of R we can compute an eth root modulo N Additionally we can embed an RSA challengein our signature if we replace 1 with our random challenge y In this case we cannot simulate a signaturebut given a forgery we can solve our RSA challenge With these two uses of the Encode algorithm we areable to prove UF-CMA security of PKCS1 in the Random Oracle Model

We remark that the above proof sketch is slightly different from our actual proof In fact we use the moresophisticated approach of Coron [Cor00] to embed y in multiple hash values This achieves a better tightnessbound where the loss is only linear in the number of signature queries qs and not in the number of hashqueries qh This approach is known to be optimal for unique signatures [Cor02 KK12 BJLS16 KK18]However this is only a minor technical difference and the main proof idea remains identical

5

Instantiating the Encode algorithm We instantiate Encode based on elementary modular arithmeticOur algorithm works for both the RSA-based and the ϕ-Hiding-based security proof

Related work At the CRYPTO 2006 rump session Bleichenbacher presented a low-exponent attack onRSA-PKCS1 v15 signatures This attack was later described by Finney in a posting to the OpenPGPmailing list6 The attack exploits a vulnerable implementation of a flawed signature verification algorithmIn this paper we consider only forgeries that are accepted by a correct verification algorithm

The RSA-PSS scheme and RSA Full-Domain Hash signatures have already been mentioned aboveThere are several further signature schemes that are based on the RSA [HW09 BHJ+13] or the strong-RSA [GHR99 CS99 Fis03 Sch11 HJK11] assumption None of them is widely used in practice as theyrequire the generation of relatively large primes not only for key generation but also to compute signaturesHence they are computationally significantly less efficient that RSA-FDH or RSA-PSS

The PKCS1 standards also specify encryption schemes The RSA-PKCS1 v15 encryption scheme isvery similar to RSA-PKCS1 v15 signatures except that a probabilistic padding is used and the RSA publickey is applied to the padded message instead of the secret key This scheme is also very widely-used in prac-tice eg in all TLS versions up to 12 While there are no known attacks for correctly-implemented RSA-PKCS1 v15 signatures there are many examples of chosen-ciphertext attacks that break PKCS1 v15encryption [Ble98 CFPR96 CJNP00 KPR03 DLP+12 BFK+12 MSW+14 ZJRR14 JSS15a JSS15bBSY17] The RSA OAEP encryption scheme due to Bellare and Rogaway [BR95] uses a similar Feistel-likemessage encoding as RSA-PSS Its security has been extensively studied in [BR95 Sho02 KP09 KOS10FGK+13]

2 Preliminaries

21 Notations and conventions

We denote our security parameter as n For all n isin N we denote by 0n and 1n the n-bit string of allzeroes and all ones respectively For any set S we use x isinR S to indicate that we choose x uniformlyrandom from S All algorithms may be randomized For any algorithm A we define x larr$ A(a1 an)as the execution of A with inputs a1 an and fresh randomness and then assigning the output to x Fordeterministic algorithms we drop the $ from the arrow We denote the set of prime numbers by P and wedenote the set of κ-bit integers as Z[κ] Similarly we denote the set of κ-bit primes as P[κ] We denote byZlowastN the multiplicative group modulo N isin N We will use game based proofs and will denote by GA rArr 1the event that the adversary A wins game G ie the Finalize Procedure outputs 1

22 Digital Signatures and their security

A digital signature scheme is a triple Sig = (KeyGenSignVerify) of algorithms which are defined asfollows

bull KeyGen takes as an input the unary representation of our security parameter (1n) and outputs a privatesigning key sk and a public verification key pk

bull Sign takes as input a signing key sk message m and outputs a signature σ6See httpswwwietforgmail-archivewebopenpgpcurrentmsg00999html

6

Instantiating the Encode algorithm We instantiate Encode based on elementary modular arithmeticOur algorithm works for both the RSA-based and the ϕ-Hiding-based security proof

Related work At the CRYPTO 2006 rump session Bleichenbacher presented a low-exponent attack onRSA-PKCS1 v15 signatures This attack was later described by Finney in a posting to the OpenPGPmailing list6 The attack exploits a vulnerable implementation of a flawed signature verification algorithmIn this paper we consider only forgeries that are accepted by a correct verification algorithm

The RSA-PSS scheme and RSA Full-Domain Hash signatures have already been mentioned aboveThere are several further signature schemes that are based on the RSA [HW09 BHJ+13] or the strong-RSA [GHR99 CS99 Fis03 Sch11 HJK11] assumption None of them is widely used in practice as theyrequire the generation of relatively large primes not only for key generation but also to compute signaturesHence they are computationally significantly less efficient that RSA-FDH or RSA-PSS

The PKCS1 standards also specify encryption schemes The RSA-PKCS1 v15 encryption scheme isvery similar to RSA-PKCS1 v15 signatures except that a probabilistic padding is used and the RSA publickey is applied to the padded message instead of the secret key This scheme is also very widely-used in prac-tice eg in all TLS versions up to 12 While there are no known attacks for correctly-implemented RSA-PKCS1 v15 signatures there are many examples of chosen-ciphertext attacks that break PKCS1 v15encryption [Ble98 CFPR96 CJNP00 KPR03 DLP+12 BFK+12 MSW+14 ZJRR14 JSS15a JSS15bBSY17] The RSA OAEP encryption scheme due to Bellare and Rogaway [BR95] uses a similar Feistel-likemessage encoding as RSA-PSS Its security has been extensively studied in [BR95 Sho02 KP09 KOS10FGK+13]

2 Preliminaries

21 Notations and conventions

We denote our security parameter as n For all n isin N we denote by 0n and 1n the n-bit string of allzeroes and all ones respectively For any set S we use x isinR S to indicate that we choose x uniformlyrandom from S All algorithms may be randomized For any algorithm A we define x larr$ A(a1 an)as the execution of A with inputs a1 an and fresh randomness and then assigning the output to x Fordeterministic algorithms we drop the $ from the arrow We denote the set of prime numbers by P and wedenote the set of κ-bit integers as Z[κ] Similarly we denote the set of κ-bit primes as P[κ] We denote byZlowastN the multiplicative group modulo N isin N We will use game based proofs and will denote by GA rArr 1the event that the adversary A wins game G ie the Finalize Procedure outputs 1

22 Digital Signatures and their security

A digital signature scheme is a triple Sig = (KeyGenSignVerify) of algorithms which are defined asfollows

bull KeyGen takes as an input the unary representation of our security parameter (1n) and outputs a privatesigning key sk and a public verification key pk

bull Sign takes as input a signing key sk message m and outputs a signature σ6See httpswwwietforgmail-archivewebopenpgpcurrentmsg00999html

6

bull Verify is a deterministic algorithm which on input of a public key and a message-signature pair (mσ)outputs 1 (accept) or 0 (reject)

We say that Sig is correct if for all public key and secret key pairs generated by KeyGen we have

Pr[Verify(pkm Sign(skm)) = 1] = 1

We will consider two different notions of security for digital signatures namely Unforegeability under

No Message Attack (UF-NMA) and Unforgeability under Chosen Message Attack (UF-CMA) Recall thatthe distinction between the two security definitions is that in UF-CMA the attacker has access to a signingoracle whereas in UF-NMA it does not UF-NMA is sometimes called a ldquokey only attackrdquo in the literatureAdditionally we only consider UF-NMA in the standard model and UF-CMA in the random oracle modeland therefore extend the latter with an additional Hash(m) oracle

Game UF-NMA(StdM)

Initialize(1n)

(pk sk)larr$ KeyGen(1n)return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

Figure 1 Game defining NMA security in the Standard Model

Consider the UF-NMA security experiment in Figure 1 when executed with a signature scheme Sig =(KeyGenSignVerify) We say that Sig is (t ε)-UF-NMA secure if for any forger F running in time at mostt we have

AdvUF-NMAF Sig = Pr

[1larr Finalize(mlowast σlowast)

(mlowast σlowast)larr F(pk)

]6 ε

Consider the UF-CMA game in Figure 2 executed with scheme Sig = (KeyGenSignVerify) We saythat Sig is (t ε qh qs)-UF-CMA secure if for any forger F running in time at most t making at most qhhash queries and making at most qs signature queries we have

AdvUF-CMAF Sig = Pr

[1larr Finalize(mlowast σlowast)

(mlowast σlowast)larr FHash(middot)Sign(middot)(pk)

]6 ε

23 RSA PKCS1 v15 Signatures

We now describe the RSA PKCS1 v15 scheme see Figure 3 We note that in PKCS1 version 22 therecommended hash functions are SHA-224 SHA-256 SHA-384 SHA-512 SHA-512224 SHA512256Additionally MD2 MD5 and SHA-1 are included for backwards compatibility

Let us point out that our description in Figure 3 deviates from the original scheme in a few minor waysStrictly speaking the string PAD is not included in the public key but is publicly known We included it in

7

Game UF-CMA(ROM)

Initialize(pk sk)larr$ KeyGen(1n)return pk

Hash(m)

if (m middot) isin Hfetch (m y) isin Hreturn y

elsey isinR DomainH larr Hcup (m y)return y

Sign(m)

MlarrMcup mreturn σ larr$ Sign(skm)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) == 1 andmlowast 6isin Mreturn 1

elsereturn 0

Figure 2 Game defining CMA security in the Random Oracle Model

the public key for self-containment Also we define our signing function as taking the eth root instead ofthe dth power This is done for keeping a consistent notation throughout the paper since d is not defined forlossy keys

The string PAD seems somewhat arbitrary and the reason for this is historical In PKCS v151 (RFC2313) all message were encoded in representative ldquoblocksrdquo These representatives had the (hexadecimal)format

0x00||BT||PS||0x00||D

BT defined the type of block which is 0x01 for signatures and 0x02 for encryption D is the encodingof the message which for signatures is the hash of the message prefixed with the hash id IDH PS is theldquopadding stringrdquo whose purpose is to ensure our message representative is exactly n bits long PS is fixedto 0xFF FF for BT = 0x01 Thus signature ldquoblocksrdquo have the (hexadecimal) format

0x00||0x01||0xFF FF||0x00||IDH||H(m)

The overarching concept of blocks has since been dropped primarily due to the switch to OAEP encryp-tion but PKCS signatures still use this format for the message representatives If we convert this format intobinary it is easy to see that the prefix of H(m) is exactly our prefix PAD It is worth noting at this juncturethat the identifier strings IDH do not have a fixed length thus we need to take into account their bit length α

8

Scheme RSA-PKCS1-v15

KeyGen(1n `)

PQ isinR P[n2]N = PQϕ(N) = (P minus 1)(Qminus 1)e isinR ZlowastN gcd(e ϕ(N)) = 1pick hash function H 0 1lowast rarr 0 1`Look-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH) sk = (PQ))

Sign(skm)

z larr H(m)y = PAD||zreturn σ = y1e mod N

Verify(pkm σ)

yprime = σe mod Nz larr H(m)if (PAD||z == yprime)

return 1else

return 0

Figure 3 RSA PKCS1 v15

3 Existential Unforgeability in the Random Oracle Model

In this section we give two different proofs that RSA PKCS1 v15 signatures are UF-CMA-secure Thefirst is based on the RSA assumption the second is based on the ϕ-Hiding assumption Both proofs arein the random oracle model and both proofs consider the case where the modulus N used in the signaturescheme is a product of three primes Even though RSA PKCS1 v15 signatures are usually used withmoduli consisting of only two prime factors we stress that all versions of the PKCS1 standards allow touse moduli N consisting of three prime factors meaning that this choice is standard compliant

31 The Encode Algorithm

The main novel ingredient for our RSA PKCS1 v15 signature UF-CMA-security proofs is an Encodealgorithm which enable us to efficiently encode an arbitrary integer y modulo N as an integer y moduloN = NR for some prime R such that y has correct PKCS1 v15 padding modulo N Let us defineformally the properties that an Encode algorithm has to fulfil

Definition 1 Let(y s z) cup perp $larr Encode(N e y ` PAD R)

be an algorithm that takes as input an n-bit integer N an exponent e y isin ZlowastN a padding pattern PAD andan r-bit prime R isin P[r] and outputs (y s z) isin Z

Ntimes ZlowastN times 0 1` or failure perp We say that Encode

9

`-simulates the PKCS1 v15 encoding modulo N = NR if all the following conditions are satisfied Wesay that Encode efficiently `-simulates the PKCS1 v15 encoding modulo N = NR if Encode additionallyruns in time polynomial in n

1 Encode outputs (y s z) except with negligible failure probability (in n)

2 z is uniformly distributed over 0 1`

3 y isin ZN

is the PKCS1 v15 encoding of the string z isin 0 1` with padding of size |PAD| = n+rminus`That is we have

y = PAD||z

4 It holds that y = y middot se mod N

Intuitively we use Encode as follows to prove UF-CMA-security of RSA-PKCS1 v15 signaturesEncode enables us to embed an RSA-challenge (N e y) modulo N into the UF-CMA-security experimentfor RSA-PKCS1 v15 signatures defined modulo N Concretely to achieve this we will run(y s z)

$larr Encode(N e y ` PAD R) to obtain y = PAD||z Then we program the random oracle H withrange 0 1` such that H(mlowast) = z which is possible because z is uniformly distributed Furthermore wealso show that Encode enables us to simulate correct signatures in a similar way

As we show in the following our Encode algorithm allows us to create correctly-padded strings y withfreely adjustable padding of size asymp |r| and relatively large hash value size ` asymp |n|

311 Encode Algorithm

Consider the algorithm Encode as defined in Figure 4 It takes as input an n-bit modulus N an exponent ean integer y isin ZN a hash value length ` a padding pattern PAD of size |PAD| = n + r minus ` an r-bit primeR and outputs a string y = PAD||z such that |z| = `

Encode (N e y ` PAD R)

n = dlog2Ne r = dlog2Rez = 2` k = 0while (z ge 2`) and (k lt n middot 2nminus`)k = k + 1

s$larr ZN

z = yse minus 2` middot PAD mod Ny = 2` middot PAD + zif z lt 2` then

return (y s z)else

return perp

Figure 4 Encode algorithm

Theorem 1 For ` lt n = |N | the Encode algorithm described in Figure 4 `-simulates the PKCS1 v15encoding modulo NR in time O(n4 middot 2nminus`)

10

PROOF In order to verify condition (1) of Definition 1 we have to show that Encode outputs a tuple (y s z)expect with negligible failure probability By the last line in Figure 4 Encode fails in producing (y s z) iffz ge 2` for all iterations of the while-loop

Observe that the value z = yse minus 2` middot PAD mod N computed inside each iteration of the while-loop isindependently uniformly distributed moduloN because s is uniform over ZN and the maps s 7rarr se mod Nand s 7rarr smiddoty mod N are permutations (note here that y isin ZlowastN is invertible) Hence for uniformly distributedz

$larr ZN N lt 2n we have per iteration

Pr[z ge 2`

]=N minus 2`

Nlt 1minus 2`minusn

Using 1minus x le eminusx we fail after n middot 2nminus` iterations with probability at most

(1minus 2`minusn)nmiddot2nminus` le eminusn

The uniform distribution of z over 0 1` (condition (2)) follows from the fact that z is a uniformly dis-tributed integer modulo N Hence for ` lt n we can use the well-known rejection sampling methodRejecting all values of z ge 2` yields uniformly distributed values in 0 1`

For checking condition (3) we see that y = 2` middot PAD + z by definition in Encode From (2) wehave z lt 2` which implies y = PAD||z over the integers However y has to be defined in Z

N Since

|PAD| = n+ r minus `minus 2 we verify that

2` middot PAD + z lt 2` middot 2n+rminus`minus2 = 2nminus1 middot 2rminus1 lt NR = N

To show (4) we compute

y = 2` middot PAD + z mod N

= 2` middot PAD + yse minus 2` middot PAD mod N

= yse mod N

Finally we observe that Encodersquos running time is dominated by the while-loop with a maximum ofn middot 2nminus` iterations each taking time O(log e log2N) = O(n3)

Corollary 1 Let n = |N | The Encode algorithm described in Figure 4 efficiently (nminusO(log n))-simulates the PKCS1 v15 encoding modulo NR

By Corollary 1 our Encode algorithm is efficient only for hash values as large as ` asymp |n| We leave itas an important open problem to reduce ` to output sizes of standard hash functions

32 Security Proof under the RSA Assumption

Now we are ready to prove security under the RSA assumption Normally the size of the RSA modulus isimplicitly assumed to be the same in the assumption as in the scheme therefore it is never explicitly fixedHowever our proof modifies this by using a larger modulus for the scheme than in the assumption thus weneed to explicitly state these values For the sake of notation we formulate our assumptions with explicitbit-sizes We also consider the more general case where primes may but need not be of the same size Onceall the primes have been selected we can pick an exponent e such that gcd(e ϕ(N)) = 1 where we have

for N =

kprodi=1

pi that ϕ(N) =

kprodi=1

(pi minus 1)

11

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Game UF-CMA(ROM)

Initialize(pk sk)larr$ KeyGen(1n)return pk

Hash(m)

if (m middot) isin Hfetch (m y) isin Hreturn y

elsey isinR DomainH larr Hcup (m y)return y

Sign(m)

MlarrMcup mreturn σ larr$ Sign(skm)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) == 1 andmlowast 6isin Mreturn 1

elsereturn 0

Figure 2 Game defining CMA security in the Random Oracle Model

the public key for self-containment Also we define our signing function as taking the eth root instead ofthe dth power This is done for keeping a consistent notation throughout the paper since d is not defined forlossy keys

The string PAD seems somewhat arbitrary and the reason for this is historical In PKCS v151 (RFC2313) all message were encoded in representative ldquoblocksrdquo These representatives had the (hexadecimal)format

0x00||BT||PS||0x00||D

BT defined the type of block which is 0x01 for signatures and 0x02 for encryption D is the encodingof the message which for signatures is the hash of the message prefixed with the hash id IDH PS is theldquopadding stringrdquo whose purpose is to ensure our message representative is exactly n bits long PS is fixedto 0xFF FF for BT = 0x01 Thus signature ldquoblocksrdquo have the (hexadecimal) format

0x00||0x01||0xFF FF||0x00||IDH||H(m)

The overarching concept of blocks has since been dropped primarily due to the switch to OAEP encryp-tion but PKCS signatures still use this format for the message representatives If we convert this format intobinary it is easy to see that the prefix of H(m) is exactly our prefix PAD It is worth noting at this juncturethat the identifier strings IDH do not have a fixed length thus we need to take into account their bit length α

8

Scheme RSA-PKCS1-v15

KeyGen(1n `)

PQ isinR P[n2]N = PQϕ(N) = (P minus 1)(Qminus 1)e isinR ZlowastN gcd(e ϕ(N)) = 1pick hash function H 0 1lowast rarr 0 1`Look-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH) sk = (PQ))

Sign(skm)

z larr H(m)y = PAD||zreturn σ = y1e mod N

Verify(pkm σ)

yprime = σe mod Nz larr H(m)if (PAD||z == yprime)

return 1else

return 0

Figure 3 RSA PKCS1 v15

3 Existential Unforgeability in the Random Oracle Model

In this section we give two different proofs that RSA PKCS1 v15 signatures are UF-CMA-secure Thefirst is based on the RSA assumption the second is based on the ϕ-Hiding assumption Both proofs arein the random oracle model and both proofs consider the case where the modulus N used in the signaturescheme is a product of three primes Even though RSA PKCS1 v15 signatures are usually used withmoduli consisting of only two prime factors we stress that all versions of the PKCS1 standards allow touse moduli N consisting of three prime factors meaning that this choice is standard compliant

31 The Encode Algorithm

The main novel ingredient for our RSA PKCS1 v15 signature UF-CMA-security proofs is an Encodealgorithm which enable us to efficiently encode an arbitrary integer y modulo N as an integer y moduloN = NR for some prime R such that y has correct PKCS1 v15 padding modulo N Let us defineformally the properties that an Encode algorithm has to fulfil

Definition 1 Let(y s z) cup perp $larr Encode(N e y ` PAD R)

be an algorithm that takes as input an n-bit integer N an exponent e y isin ZlowastN a padding pattern PAD andan r-bit prime R isin P[r] and outputs (y s z) isin Z

Ntimes ZlowastN times 0 1` or failure perp We say that Encode

9

`-simulates the PKCS1 v15 encoding modulo N = NR if all the following conditions are satisfied Wesay that Encode efficiently `-simulates the PKCS1 v15 encoding modulo N = NR if Encode additionallyruns in time polynomial in n

1 Encode outputs (y s z) except with negligible failure probability (in n)

2 z is uniformly distributed over 0 1`

3 y isin ZN

is the PKCS1 v15 encoding of the string z isin 0 1` with padding of size |PAD| = n+rminus`That is we have

y = PAD||z

4 It holds that y = y middot se mod N

Intuitively we use Encode as follows to prove UF-CMA-security of RSA-PKCS1 v15 signaturesEncode enables us to embed an RSA-challenge (N e y) modulo N into the UF-CMA-security experimentfor RSA-PKCS1 v15 signatures defined modulo N Concretely to achieve this we will run(y s z)

$larr Encode(N e y ` PAD R) to obtain y = PAD||z Then we program the random oracle H withrange 0 1` such that H(mlowast) = z which is possible because z is uniformly distributed Furthermore wealso show that Encode enables us to simulate correct signatures in a similar way

As we show in the following our Encode algorithm allows us to create correctly-padded strings y withfreely adjustable padding of size asymp |r| and relatively large hash value size ` asymp |n|

311 Encode Algorithm

Consider the algorithm Encode as defined in Figure 4 It takes as input an n-bit modulus N an exponent ean integer y isin ZN a hash value length ` a padding pattern PAD of size |PAD| = n + r minus ` an r-bit primeR and outputs a string y = PAD||z such that |z| = `

Encode (N e y ` PAD R)

n = dlog2Ne r = dlog2Rez = 2` k = 0while (z ge 2`) and (k lt n middot 2nminus`)k = k + 1

s$larr ZN

z = yse minus 2` middot PAD mod Ny = 2` middot PAD + zif z lt 2` then

return (y s z)else

return perp

Figure 4 Encode algorithm

Theorem 1 For ` lt n = |N | the Encode algorithm described in Figure 4 `-simulates the PKCS1 v15encoding modulo NR in time O(n4 middot 2nminus`)

10

PROOF In order to verify condition (1) of Definition 1 we have to show that Encode outputs a tuple (y s z)expect with negligible failure probability By the last line in Figure 4 Encode fails in producing (y s z) iffz ge 2` for all iterations of the while-loop

Observe that the value z = yse minus 2` middot PAD mod N computed inside each iteration of the while-loop isindependently uniformly distributed moduloN because s is uniform over ZN and the maps s 7rarr se mod Nand s 7rarr smiddoty mod N are permutations (note here that y isin ZlowastN is invertible) Hence for uniformly distributedz

$larr ZN N lt 2n we have per iteration

Pr[z ge 2`

]=N minus 2`

Nlt 1minus 2`minusn

Using 1minus x le eminusx we fail after n middot 2nminus` iterations with probability at most

(1minus 2`minusn)nmiddot2nminus` le eminusn

The uniform distribution of z over 0 1` (condition (2)) follows from the fact that z is a uniformly dis-tributed integer modulo N Hence for ` lt n we can use the well-known rejection sampling methodRejecting all values of z ge 2` yields uniformly distributed values in 0 1`

For checking condition (3) we see that y = 2` middot PAD + z by definition in Encode From (2) wehave z lt 2` which implies y = PAD||z over the integers However y has to be defined in Z

N Since

|PAD| = n+ r minus `minus 2 we verify that

2` middot PAD + z lt 2` middot 2n+rminus`minus2 = 2nminus1 middot 2rminus1 lt NR = N

To show (4) we compute

y = 2` middot PAD + z mod N

= 2` middot PAD + yse minus 2` middot PAD mod N

= yse mod N

Finally we observe that Encodersquos running time is dominated by the while-loop with a maximum ofn middot 2nminus` iterations each taking time O(log e log2N) = O(n3)

Corollary 1 Let n = |N | The Encode algorithm described in Figure 4 efficiently (nminusO(log n))-simulates the PKCS1 v15 encoding modulo NR

By Corollary 1 our Encode algorithm is efficient only for hash values as large as ` asymp |n| We leave itas an important open problem to reduce ` to output sizes of standard hash functions

32 Security Proof under the RSA Assumption

Now we are ready to prove security under the RSA assumption Normally the size of the RSA modulus isimplicitly assumed to be the same in the assumption as in the scheme therefore it is never explicitly fixedHowever our proof modifies this by using a larger modulus for the scheme than in the assumption thus weneed to explicitly state these values For the sake of notation we formulate our assumptions with explicitbit-sizes We also consider the more general case where primes may but need not be of the same size Onceall the primes have been selected we can pick an exponent e such that gcd(e ϕ(N)) = 1 where we have

for N =

kprodi=1

pi that ϕ(N) =

kprodi=1

(pi minus 1)

11

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Scheme RSA-PKCS1-v15

KeyGen(1n `)

PQ isinR P[n2]N = PQϕ(N) = (P minus 1)(Qminus 1)e isinR ZlowastN gcd(e ϕ(N)) = 1pick hash function H 0 1lowast rarr 0 1`Look-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH) sk = (PQ))

Sign(skm)

z larr H(m)y = PAD||zreturn σ = y1e mod N

Verify(pkm σ)

yprime = σe mod Nz larr H(m)if (PAD||z == yprime)

return 1else

return 0

Figure 3 RSA PKCS1 v15

3 Existential Unforgeability in the Random Oracle Model

In this section we give two different proofs that RSA PKCS1 v15 signatures are UF-CMA-secure Thefirst is based on the RSA assumption the second is based on the ϕ-Hiding assumption Both proofs arein the random oracle model and both proofs consider the case where the modulus N used in the signaturescheme is a product of three primes Even though RSA PKCS1 v15 signatures are usually used withmoduli consisting of only two prime factors we stress that all versions of the PKCS1 standards allow touse moduli N consisting of three prime factors meaning that this choice is standard compliant

31 The Encode Algorithm

The main novel ingredient for our RSA PKCS1 v15 signature UF-CMA-security proofs is an Encodealgorithm which enable us to efficiently encode an arbitrary integer y modulo N as an integer y moduloN = NR for some prime R such that y has correct PKCS1 v15 padding modulo N Let us defineformally the properties that an Encode algorithm has to fulfil

Definition 1 Let(y s z) cup perp $larr Encode(N e y ` PAD R)

be an algorithm that takes as input an n-bit integer N an exponent e y isin ZlowastN a padding pattern PAD andan r-bit prime R isin P[r] and outputs (y s z) isin Z

Ntimes ZlowastN times 0 1` or failure perp We say that Encode

9

`-simulates the PKCS1 v15 encoding modulo N = NR if all the following conditions are satisfied Wesay that Encode efficiently `-simulates the PKCS1 v15 encoding modulo N = NR if Encode additionallyruns in time polynomial in n

1 Encode outputs (y s z) except with negligible failure probability (in n)

2 z is uniformly distributed over 0 1`

3 y isin ZN

is the PKCS1 v15 encoding of the string z isin 0 1` with padding of size |PAD| = n+rminus`That is we have

y = PAD||z

4 It holds that y = y middot se mod N

Intuitively we use Encode as follows to prove UF-CMA-security of RSA-PKCS1 v15 signaturesEncode enables us to embed an RSA-challenge (N e y) modulo N into the UF-CMA-security experimentfor RSA-PKCS1 v15 signatures defined modulo N Concretely to achieve this we will run(y s z)

$larr Encode(N e y ` PAD R) to obtain y = PAD||z Then we program the random oracle H withrange 0 1` such that H(mlowast) = z which is possible because z is uniformly distributed Furthermore wealso show that Encode enables us to simulate correct signatures in a similar way

As we show in the following our Encode algorithm allows us to create correctly-padded strings y withfreely adjustable padding of size asymp |r| and relatively large hash value size ` asymp |n|

311 Encode Algorithm

Consider the algorithm Encode as defined in Figure 4 It takes as input an n-bit modulus N an exponent ean integer y isin ZN a hash value length ` a padding pattern PAD of size |PAD| = n + r minus ` an r-bit primeR and outputs a string y = PAD||z such that |z| = `

Encode (N e y ` PAD R)

n = dlog2Ne r = dlog2Rez = 2` k = 0while (z ge 2`) and (k lt n middot 2nminus`)k = k + 1

s$larr ZN

z = yse minus 2` middot PAD mod Ny = 2` middot PAD + zif z lt 2` then

return (y s z)else

return perp

Figure 4 Encode algorithm

Theorem 1 For ` lt n = |N | the Encode algorithm described in Figure 4 `-simulates the PKCS1 v15encoding modulo NR in time O(n4 middot 2nminus`)

10

PROOF In order to verify condition (1) of Definition 1 we have to show that Encode outputs a tuple (y s z)expect with negligible failure probability By the last line in Figure 4 Encode fails in producing (y s z) iffz ge 2` for all iterations of the while-loop

Observe that the value z = yse minus 2` middot PAD mod N computed inside each iteration of the while-loop isindependently uniformly distributed moduloN because s is uniform over ZN and the maps s 7rarr se mod Nand s 7rarr smiddoty mod N are permutations (note here that y isin ZlowastN is invertible) Hence for uniformly distributedz

$larr ZN N lt 2n we have per iteration

Pr[z ge 2`

]=N minus 2`

Nlt 1minus 2`minusn

Using 1minus x le eminusx we fail after n middot 2nminus` iterations with probability at most

(1minus 2`minusn)nmiddot2nminus` le eminusn

The uniform distribution of z over 0 1` (condition (2)) follows from the fact that z is a uniformly dis-tributed integer modulo N Hence for ` lt n we can use the well-known rejection sampling methodRejecting all values of z ge 2` yields uniformly distributed values in 0 1`

For checking condition (3) we see that y = 2` middot PAD + z by definition in Encode From (2) wehave z lt 2` which implies y = PAD||z over the integers However y has to be defined in Z

N Since

|PAD| = n+ r minus `minus 2 we verify that

2` middot PAD + z lt 2` middot 2n+rminus`minus2 = 2nminus1 middot 2rminus1 lt NR = N

To show (4) we compute

y = 2` middot PAD + z mod N

= 2` middot PAD + yse minus 2` middot PAD mod N

= yse mod N

Finally we observe that Encodersquos running time is dominated by the while-loop with a maximum ofn middot 2nminus` iterations each taking time O(log e log2N) = O(n3)

Corollary 1 Let n = |N | The Encode algorithm described in Figure 4 efficiently (nminusO(log n))-simulates the PKCS1 v15 encoding modulo NR

By Corollary 1 our Encode algorithm is efficient only for hash values as large as ` asymp |n| We leave itas an important open problem to reduce ` to output sizes of standard hash functions

32 Security Proof under the RSA Assumption

Now we are ready to prove security under the RSA assumption Normally the size of the RSA modulus isimplicitly assumed to be the same in the assumption as in the scheme therefore it is never explicitly fixedHowever our proof modifies this by using a larger modulus for the scheme than in the assumption thus weneed to explicitly state these values For the sake of notation we formulate our assumptions with explicitbit-sizes We also consider the more general case where primes may but need not be of the same size Onceall the primes have been selected we can pick an exponent e such that gcd(e ϕ(N)) = 1 where we have

for N =

kprodi=1

pi that ϕ(N) =

kprodi=1

(pi minus 1)

11

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

`-simulates the PKCS1 v15 encoding modulo N = NR if all the following conditions are satisfied Wesay that Encode efficiently `-simulates the PKCS1 v15 encoding modulo N = NR if Encode additionallyruns in time polynomial in n

1 Encode outputs (y s z) except with negligible failure probability (in n)

2 z is uniformly distributed over 0 1`

3 y isin ZN

is the PKCS1 v15 encoding of the string z isin 0 1` with padding of size |PAD| = n+rminus`That is we have

y = PAD||z

4 It holds that y = y middot se mod N

Intuitively we use Encode as follows to prove UF-CMA-security of RSA-PKCS1 v15 signaturesEncode enables us to embed an RSA-challenge (N e y) modulo N into the UF-CMA-security experimentfor RSA-PKCS1 v15 signatures defined modulo N Concretely to achieve this we will run(y s z)

$larr Encode(N e y ` PAD R) to obtain y = PAD||z Then we program the random oracle H withrange 0 1` such that H(mlowast) = z which is possible because z is uniformly distributed Furthermore wealso show that Encode enables us to simulate correct signatures in a similar way

As we show in the following our Encode algorithm allows us to create correctly-padded strings y withfreely adjustable padding of size asymp |r| and relatively large hash value size ` asymp |n|

311 Encode Algorithm

Consider the algorithm Encode as defined in Figure 4 It takes as input an n-bit modulus N an exponent ean integer y isin ZN a hash value length ` a padding pattern PAD of size |PAD| = n + r minus ` an r-bit primeR and outputs a string y = PAD||z such that |z| = `

Encode (N e y ` PAD R)

n = dlog2Ne r = dlog2Rez = 2` k = 0while (z ge 2`) and (k lt n middot 2nminus`)k = k + 1

s$larr ZN

z = yse minus 2` middot PAD mod Ny = 2` middot PAD + zif z lt 2` then

return (y s z)else

return perp

Figure 4 Encode algorithm

Theorem 1 For ` lt n = |N | the Encode algorithm described in Figure 4 `-simulates the PKCS1 v15encoding modulo NR in time O(n4 middot 2nminus`)

10

PROOF In order to verify condition (1) of Definition 1 we have to show that Encode outputs a tuple (y s z)expect with negligible failure probability By the last line in Figure 4 Encode fails in producing (y s z) iffz ge 2` for all iterations of the while-loop

Observe that the value z = yse minus 2` middot PAD mod N computed inside each iteration of the while-loop isindependently uniformly distributed moduloN because s is uniform over ZN and the maps s 7rarr se mod Nand s 7rarr smiddoty mod N are permutations (note here that y isin ZlowastN is invertible) Hence for uniformly distributedz

$larr ZN N lt 2n we have per iteration

Pr[z ge 2`

]=N minus 2`

Nlt 1minus 2`minusn

Using 1minus x le eminusx we fail after n middot 2nminus` iterations with probability at most

(1minus 2`minusn)nmiddot2nminus` le eminusn

The uniform distribution of z over 0 1` (condition (2)) follows from the fact that z is a uniformly dis-tributed integer modulo N Hence for ` lt n we can use the well-known rejection sampling methodRejecting all values of z ge 2` yields uniformly distributed values in 0 1`

For checking condition (3) we see that y = 2` middot PAD + z by definition in Encode From (2) wehave z lt 2` which implies y = PAD||z over the integers However y has to be defined in Z

N Since

|PAD| = n+ r minus `minus 2 we verify that

2` middot PAD + z lt 2` middot 2n+rminus`minus2 = 2nminus1 middot 2rminus1 lt NR = N

To show (4) we compute

y = 2` middot PAD + z mod N

= 2` middot PAD + yse minus 2` middot PAD mod N

= yse mod N

Finally we observe that Encodersquos running time is dominated by the while-loop with a maximum ofn middot 2nminus` iterations each taking time O(log e log2N) = O(n3)

Corollary 1 Let n = |N | The Encode algorithm described in Figure 4 efficiently (nminusO(log n))-simulates the PKCS1 v15 encoding modulo NR

By Corollary 1 our Encode algorithm is efficient only for hash values as large as ` asymp |n| We leave itas an important open problem to reduce ` to output sizes of standard hash functions

32 Security Proof under the RSA Assumption

Now we are ready to prove security under the RSA assumption Normally the size of the RSA modulus isimplicitly assumed to be the same in the assumption as in the scheme therefore it is never explicitly fixedHowever our proof modifies this by using a larger modulus for the scheme than in the assumption thus weneed to explicitly state these values For the sake of notation we formulate our assumptions with explicitbit-sizes We also consider the more general case where primes may but need not be of the same size Onceall the primes have been selected we can pick an exponent e such that gcd(e ϕ(N)) = 1 where we have

for N =

kprodi=1

pi that ϕ(N) =

kprodi=1

(pi minus 1)

11

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

PROOF In order to verify condition (1) of Definition 1 we have to show that Encode outputs a tuple (y s z)expect with negligible failure probability By the last line in Figure 4 Encode fails in producing (y s z) iffz ge 2` for all iterations of the while-loop

Observe that the value z = yse minus 2` middot PAD mod N computed inside each iteration of the while-loop isindependently uniformly distributed moduloN because s is uniform over ZN and the maps s 7rarr se mod Nand s 7rarr smiddoty mod N are permutations (note here that y isin ZlowastN is invertible) Hence for uniformly distributedz

$larr ZN N lt 2n we have per iteration

Pr[z ge 2`

]=N minus 2`

Nlt 1minus 2`minusn

Using 1minus x le eminusx we fail after n middot 2nminus` iterations with probability at most

(1minus 2`minusn)nmiddot2nminus` le eminusn

The uniform distribution of z over 0 1` (condition (2)) follows from the fact that z is a uniformly dis-tributed integer modulo N Hence for ` lt n we can use the well-known rejection sampling methodRejecting all values of z ge 2` yields uniformly distributed values in 0 1`

For checking condition (3) we see that y = 2` middot PAD + z by definition in Encode From (2) wehave z lt 2` which implies y = PAD||z over the integers However y has to be defined in Z

N Since

|PAD| = n+ r minus `minus 2 we verify that

2` middot PAD + z lt 2` middot 2n+rminus`minus2 = 2nminus1 middot 2rminus1 lt NR = N

To show (4) we compute

y = 2` middot PAD + z mod N

= 2` middot PAD + yse minus 2` middot PAD mod N

= yse mod N

Finally we observe that Encodersquos running time is dominated by the while-loop with a maximum ofn middot 2nminus` iterations each taking time O(log e log2N) = O(n3)

Corollary 1 Let n = |N | The Encode algorithm described in Figure 4 efficiently (nminusO(log n))-simulates the PKCS1 v15 encoding modulo NR

By Corollary 1 our Encode algorithm is efficient only for hash values as large as ` asymp |n| We leave itas an important open problem to reduce ` to output sizes of standard hash functions

32 Security Proof under the RSA Assumption

Now we are ready to prove security under the RSA assumption Normally the size of the RSA modulus isimplicitly assumed to be the same in the assumption as in the scheme therefore it is never explicitly fixedHowever our proof modifies this by using a larger modulus for the scheme than in the assumption thus weneed to explicitly state these values For the sake of notation we formulate our assumptions with explicitbit-sizes We also consider the more general case where primes may but need not be of the same size Onceall the primes have been selected we can pick an exponent e such that gcd(e ϕ(N)) = 1 where we have

for N =

kprodi=1

pi that ϕ(N) =

kprodi=1

(pi minus 1)

11

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Assumption 1 ((k n)-RSA Assumption) The RSA Assumption denoted by (k n)-RSA states that given(N e xe) it is hard to compute x where N is the product of k distinct random prime numbers pi isin P[ni]

for i isin J1 kK k constant andnsumi=1

ni = n e isin Zlowastϕ(N) and x isinR ZN RSA is said to be (t ε)-hard if for all

adversaries A running in time at most t we have

Adv(kn)-RSAA = Pr [x = A(N e xe mod N)] 6 ε

Additionally we define RSA-PKCS1-v15 [k n `] to be the RSA PKCS1 v15 scheme with a n-bitpublic modulus N which is the product of k primes and an `-bit hash function It should be noted thathaving a modulus that is the product of more than two primes is allowed by the PKCS standard (RFC 8017)

Our first proof follows the proof technique of Coron [Cor00 Cor01] and has a loss in the order of qsAs was shown by Coron [Cor02 Cor01] and Kakvi and Kiltz [KK12 KK18] this loss is optimal for RSAwith ldquolargerdquo exponents This is due to the fact that RSA with a ldquolargerdquo exponent defines a certified trapdoorpermutation [BY93 BY96] as was shown by Kakvi Kiltz and May [KKM12]

Our second proof follows the proof technique of Kakvi and Kiltz [KK12 KK18] and is tight to theϕ-Hiding assumption This proof bypasses the optimality result by using keys that do not define a certifiedtrapdoor permutation By using ldquosmallrdquo keys which gives us a lossy trapdoor permutation we can providea tight security proof to the ϕ-Hiding assumption Furthermore there is currently no known proof techniquewhich achieves tighter security for small exponents (such as e = 216 + 1 as commonly used in real-worldinstantiations) and is based on the RSA assumption

Theorem 2 Assume the (2 n)-RSA assumption is (tprime εprime)-hard Then for any (qh qs) the RSA-PKCS1-v15[3 2nminus 1] scheme is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

εprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ qh middot O(n4)

PROOF We describe the oracles in Figure 5 The reduction first receives a (2 n)minusRSA challenge (N e y)It then builds a 2n-bit modulus by selecting R isinR P[n] gcd(eR minus 1) = 1 and computing N = NR Thereduction then computes the corresponding padding by first computing ν = nminusαminus23 and then computingPAD = 015||1ν ||08||IDH The public key pk = (N e PAD) is sent to the forger We now describe our oracles

For every hash querymi the reduction flips a biased coin χi with Pr[χi = 0] = p0Pr[χi = 1] = p1 thechoice of which will be discussed later The idea behind this is that with probability p1 the reduction embedsthe RSA challenge into the oracle response and with probability p0 it will not For the values where thereduction does not embed the challenge ie χi = 0 it can simulate signatures and for ones where it does ieχi = 1 it can extract a solution In the case χi = 0 the reduction simply runs Encode(N e 1 ` PAD R)and gets (yi si zi) The reduction now computes σi using the Chinese Remainder Theorem It is clear fromthe construction that y1e = si mod N and furthermore the reduction can easily compute y1e mod Rwhich gives

σi = si middotR(Rminus1 mod N) + (y1ei mod R) middotN(Nminus1 mod R) mod N

The reduction then adds (mi zi si σi) to its hash listHIn the case χi = 1 the reduction runs Encode(N e y ` PAD R) and gets (yi si zi) However since

it cannot simulate a signature it stores the distinguished abort symbol perp as the signature ie it adds(mi zi siperp) to its hash listH

12

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

RSA Proof OraclesInitialize(1n)(N e y)larr$ RSA(2 1n)R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elseχm larrp0p1 0 1if (χi = 0)

(ym sm zm)larr$ Encode(N e 1 ` PAD R)σm = sm middotR(Rminus1 mod N) + (y

1em mod R) middotN(Nminus1 mod R) mod N

else if (χm = 1)(y sm zm)larr$ Encode(N e y ` PAD R)σm = perp

H larr H cup (m zm sm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

if (χmlowast = 1)x = σlowast middot (smlowast)minus1 mod N

elsex = perp

RSAFinalize(x)return 1

elseRSAFinalize(perp)return 0

Figure 5 Oracles for the RSA based proof

13

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Having updatedH the reduction now returns zi as the response to the random oracle queryWe assume that the forger always makes a hash query on a message before it queries that message to the

signing oracle The reduction can also implicitly do this by querying the random oracle itself This meansthat for every signature query mi there is an entry (mi zi σi) isin H If σi = perp ie the hash value hasa challenge embedded in it the reduction aborts as it cannot provide a signature If this is not the caseit simply returns σi as response and adds mi to the list of queried messages M The probability that thereduction answers any signature query correctly is p0 and the probability that it answers all queries correctlyis at least pqs0

In the final phase the forger submits a forgery (mlowast σlowast) With probability p1 mlowast is one of the messageswhere we embedded our RSA challenge First we observe that a valid forgery means that σlowast = ylowast1e modN Our encode algorithm ensures that y = slowaste middot y mod N which in turn means that σlowast mod N = y =slowast middot y1e mod N Because the reduction has an entry inH containing (mlowast zlowast slowastperp) it can extract y1e =σlowast middot (slowast)minus1 mod N which is the solution to its RSA challenge

The reduction can extract a solution with probability p1 = 1 minus p0 which means that the reductionsucceeds with probability at least pqs0 middot (1 minus p0) middot ε To get the optimal result we need to maximize theexpression pqs0 middot (1 minus p0) middot ε Coron [Cor02] showed an optimal value of p0 = 1

qs+1 giving us a success

probability of at least εqsmiddot(

1minus 1qs+1

)qs+1 as required The time bound is the time needed to answer all

hash queries

Remark 1 In the proof we select R to be a prime number however this is not strictly necessary What werequire is that we are able to compute eth roots mod R Thus it would also suffice if we knew the primefactorization of R It should be noted that the difficulty of factoring N = NR is at least that of factoringN if the smallest prime factor of R is at least n2 bits long R was chosen to be prime in the proof forconvenience but the proof goes through equally for any suitable composite R

Remark 2 While the PKCS1 standard does not specify how long the padding must be apart from thelimitation that PS must be at least 8 octets long one must be careful when using smaller paddings If thepadding is less than half of the bits the message represenatives are suceptible to the attacks of de Jonge andChaum [dC86] and Girault and Misarsky [GM97] Although the usage of a hash function complicates theattacks it is always better to err on the side of caution

33 Security Proof under the Phi-Hiding Assumption

We are also able to produce an essentially optimal security proof for ldquosmallrdquo exponents e using the tech-niques of Kakvi and Kiltz [KK12 KK18] In our case ldquosmallrdquo means our exponent is at most 1

4 of thebit-length of our modulus This proof proceeds as a series of games each of which we will describe sepa-rately We first recall the ϕ-Hiding Assumption

Assumption 2 (The ϕ-Hiding Assumption [CMS99]) The ϕ-Hiding Assumption denoted by ΦHA statesthat it is hard to distinguish between (N e) and (N e) where N is the product of two random (n2)-bitprimes and e e gt 3 isin P and and e e le N

14 with gcd(e ϕ(N)) = 1 and gcd(e ϕ(N)) = e where ϕ is the

Euler Totient function ΦHA is said to be (t ε)-hard if for all distinguishers D running in time at most twe have

AdvΦHD = Pr [1larr D(N e)]minus Pr [1larr D(N e)] 6 ε

14

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Game G0

Initialize(1n)(pk sk)larr$ RSA-PKCS1-v15[3 2n n]return pk

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

elsezm isinR 0 1`H larr Hcup (m zm)return zm

Sign(m)MlarrMcup (m)fetch (m zm) isin Hreturn σm = (PAD||zm)1e

Finalize(mlowast σlowast)if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)

return 1else

return 0

(a) Game 0 The Standard UF-CMA Game

Game G1

Initialize(1n)(N e)larr$ RSAPermGen(1n) G1G3

(N e)larr$ RSALossyGen(1n) G2G4

R isinR P [n] gcd(eRminus 1) = 1

N = N middotR isin Z[2n]pick IDH isin 0 1αν = nminus αminus 23PAD = 015||1ν ||08||IDHreturn pk = (N e PAD)

Hash(m)if (m middot) isin H

fetch (m zm) isin Hreturn zm

else(y σm zm)larr$ Encode(N e 1 PAD R)H larr Hcup (m zm σm)return zm

Sign(m)MlarrMcup (m)fetch (m zm σm) isin Hreturn σm

Finalize(mlowast σlowast)if (σlowast = σm) G3G4

return 0 G3G4

if (Verify(pkmlowast σlowast) = 1) and (mlowast 6isin M)return 1

elsereturn 0

(b) Games 1-4 The Simulated Reduction Games

The requirement that e e le N14 stems from the fact that simply given a modulus N we are unable to

ascertain how many prime factors it consists of and how large they are in relation to one another We knowthatN is composite therefore consists of at least 2 prime factors7 The bound then follows directly from thewell known attacks due to Coppersmith [Cop97] We also note that when gcd(e ϕ(N)) = e the functionxe mod N is exactly e-to-1 ie it said to be e-regular lossy as defined by Kakvi and Kiltz [KK12 KK18]

Theorem 3 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function Then for any (qh qs)RSA-PKCS1-v15 [3 2n] is (t ε qh qs)-UF-CMA secure in the Random Oracle Model where

ε 62γ minus 1

γ minus 1middot εprime

tprime 6 t+ qh middot O(n4)

PROOF7We assume N is not a prime power which can be checked efficiently [Ber98]

15

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

The proof proceeds in a sequence of games which are given in Figures 6a 6b The idea is to move fromthe UF-CMA game to one the forger cannot win The original UF-CMA game is given in G0 The first gamehop we make is from normal signing to simulating signatures using our Encode algorithm which does notchange anything from the view of the forger The next step is to move from the ldquonormalrdquo public key wheregcd(e ϕ(N)) = 1 to the lossy key (N e) were now we have a 1-to-e signing function The forger does notnotice this unless it breaks the ΦHA Now a new abort condition is introduced the reduction aborts if theforgery is the same signature it picked in the simulation phase Since the signature is picked from the setof e signatures independently from the view of the forger this happens with probability at most 1

e Finallythe keys are switched back to ldquonormalrdquo keys which now means any valid forgery leads to an abort from thereduction If we combine the bounds from all the games we get exactly the bounds stated in the proof Weprove the Theorem step by step with Lemmata 1 2 3 4 amp 5

Lemma 1 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF In G0 we modelled the hash function as a random oracle In G1 we modify the random oracle andthe signing queries On any m the random oracle now ldquoprecomputesrdquo a signature for m using the Encodealgorithm Note that signing no longer requires the secret key It can be seen that all our signatures willverify due to the fact that σem = PAD||zm for all m Thus our simulation of the signatures is correct SinceEncode gives us uniformly distributed values s z the distribution of our hash queries in G1 is identical tothe distribution in G0 Thus we have Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

Lemma 2 There exists a distinguisher D1 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat

∣∣Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]∣∣ = AdvΦHA

D1

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) howeverthe oracles are identical in both games We now build a distinguisher D1 against the ΦHA using thesegames The distinguisher will run F and simulates the oracles Sign(middot)Hash(middot) as described in games G1

and G2 Note that D1 does not require the signing key to simulate the oracles After F calls Finalize D1

returns the output of Finalize Thus we can see that Pr[1larr D1(N e)] = Pr[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

] Hence we have∣∣Pr

[GF1 rArr 1

]minus Pr

[GF2 rArr 1

]∣∣ = |Pr[1larr D1(N e)]minus Pr[1larr D1(N e)]| = AdvΦHAD1

Lemma 3 Pr[GF3 rArr 1

]=(eminus1e

)Pr[GF2 rArr 1

]

PROOF In G3 we introduce a new rule which aborts the reduction if the forgery σlowast provided by F is thesame as the simulated signature σmlowast for the target message mlowast If this is the case the forger loses the gameie G3 outputs 0 σmlowast is independent of Frsquos view and is uniformly distributed in the set of pre-images ofymlowast Due to the fact that the function xe mod N is e-regular lossy the probability of a collision is 1eThus we see that this abort condition reduces the probability of the forger winning the game by 1e hence

Pr[GF3 rArr 1

]=

(1minus 1

e

)Pr[GF2 rArr 1

]=

(eminus 1

e

)Pr[GF2 rArr 1

]

16

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Lemma 4 There exists a distinguisher D2 against the ΦHA which runs in time t = t+ qh middot O(n4) and suchthat |Pr[GF3 rArr 1]minus Pr[GF4 rArr 1]| = AdvΦHA

D2

PROOF From G3 to G4 we change the key generation from a lossy key (N e) to a normal key (N e)however the oracles are identical in both games We now build a distinguisher D2 against ΦHA using thesegames The distinguisher runs F and simulates the oracles Sign(middot)Hash(middot) as described in games G3ampG4Note that D2 does not require the signing key to simulate the oracles After F calls Finalize D2 returns theoutput of Finalize Thus we can see that Pr[1larr D2(N e)] = Pr

[GF4 rArr 1

]and

Pr [1larr D2(N e)] = Pr[GF3 rArr 1

]Hence we have∣∣Pr

[GF4 rArr 1

]minus Pr

[GF3 rArr 1

]∣∣ = |Pr[1larr D2(N e)]minus Pr[1larr D2(N e)]| = AdvΦHAD2

Lemma 5 Pr[G4 rArr 1] = 0

PROOF In G4 we are using the normal keys ie xe mod N is a 1-to-1 function Since our signing functionis now injective any forgery implies a collision Therefore whenever the forger is able to produce a validforgery the game outputs 0 due to it failing the check as forallmlowast σm = σlowast Whenever the forger is unableto make a forgery the game outputs 0 Thus we can see that in all cases the game will output 0 hencePr[G4 rArr 1] = 0

We combine Lemmata 1 to 5 to get

Pr[1larr G0] = AdvΦHAD1

+

(e

eminus 1

)AdvΦHA

D2

Because D1 and D2 run in time at most t + qh middot O(n3) by our assumption both distinguishers have anadvantage of at most εprime giving us

ε le 2eminus 1

eminus 1middot εprime

As we have an e-regular lossy permutation we see that for γ = e we get exactly the bounds we need

34 The Case of Two Prime Factors

We can easily lift our results for three prime factors presented in the previous section to the standard caseof two prime factors by additionally assuming that breaking the UF-CMA-security of RSA PKCS1 v15signatures with 2 prime factors is not significantly easier than with 3 prime factors To make this moreprecise we define the 2 vs 3 Primes Assumption denoted by 2v3PA which states that

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

for small ε and all efficient UF-CMA-forgers F

Assumption 3 (Two vs Three Primes Assumption) We say that 2v3PA is (t ε)-hard if for all F running intime at most t we have

AdvUF-CMAF RSA-PKCS1-v15[2n`] le AdvUF-CMA

F RSA-PKCS1-v15[3n`] + ε

17

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Note that breaking RSA PKCS1 v15 signatures should only become easier if the modulus N is aproduct of more prime factors For instance let N2 = PQ be a product of two primes of approximatelyequal size and N3 = PQR be a product of three primes of approximately equal size such that N2 and N3

have the same size With known factoring algorithms it should be easier to compute the factorisation of N3

than that of N2 Hence even though 2v3PA is a very specific and non-standard assumption we consider itas very plausible for sufficiently large moduli With this additional assumption we get the following result

Theorem 4 Assume the (2 n)-RSA assumption is (tprime εprime)-hard and 2v3PA is (tprimeprime εprimeprime)-hard Then forany (qh qs) the RSA-PKCS1-v15 [2 2n n] scheme is (t ε qh qs)-UF-CMA secure in the Random Ora-cle Model where

εprime + εprimeprime gtε

qsmiddot(

1minus 1

qs + 1

)qs+1

asymp ε

qs

tprime 6 t+ tprimeprime + qh middot O(n4)

PROOF SKETCH The proof works nearly identically to the proof of Theorem 2 except that we use the2v3PA assumption in order to replace a two-prime modulus N with a three-prime modulus More preciselywe begin with considering the RSA-PKCS1-v15 [2 2n] defined over a two-prime modulus Then we replacethis scheme with RSA-PKCS1-v15 [3 2n n] Now we can apply the proof from Theorem 2

The following theorem can be proven similarly by extending the proof of Theorem 3 with an additionalstep that uses the 2v3PA assumption

Theorem 5 Assume that ΦHA is (tprime εprime)-hard and defines a γ-regular lossy function and 2v3PA is (tprimeprime εprimeprime)-hard Then for any (qh qs) RSA-PKCS1-v15 [2 n+ `] is (t ε qh qs)-UF-CMA secure in the RandomOracle Model where

ε le 2γ minus 1

γ minus 1middot εprime + εprimeprime

tprime le t+ tprimeprime + qh middot O(n4)

4 Proofs in the Standard Model

In order to give a more complete picture of what security properties of RSA PKCS1 v15 signatures can beproved we now present different approaches to provide security proofs without random oracles

41 Proof based on The Phi-Hiding Assumption

We now present our proof based on the lossiness of RSA and the ΦHA In this proof we rely on the fact thatwhen e|ϕ(N) the ethroots modulo N are close to uniformly distributed Okamoto and Stern [OS03] showthat in any interval of length L ge N12 the number of eth powers is close to its expectation However weneed the same statement for intervals of size 2` which is usually smaller than N

12 So [OS03] gives us an

indication that our assumption in Theorem 6 is plausible but we cannot direct apply [OS03]The main idea of the proof of Theorem 6 is that for lossy RSA keys with e|ϕ(N) with high probability

there does not even exist a valid RSA PKCS1 v15 signature

18

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Theorem 6 Assume ΦHA is (tprime εprime)-hard Further assume that e-th powers S = σe | σ isin ZlowastN areuniformly distributed in ZlowastN when e|ϕ(N) Then RSA-PKCS1-v15 with an `-bit hash function H is (t ε)-UF-NMA secure in the Standard Model where

ε 6

(1minus 2`

e

)εprime

t asymp tprime

PROOF We prove this theorem via game hops which we show in Figures 7a7b amp 7c G0 is the UF-NMAgame In G1 we switch to ldquosimulatedrdquo real keys There is no change since we consider no message attacks(NMA) and therefore never need a secret key Secondly in G2 we switch to ldquosimulatedrdquo lossy keys Thedifference here is εprime unless the forger breaks the ΦHA Finally in this game we show that the adversarycannot win except with a very small probability

Game G0

Initialize(1n)

(pk sk)larr$ RSA-PKCS1-v15[2 n]return pk

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(a) Standard UF-NMA Game

Game G1

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(b) UF-NMA Game with simulatedpublic key

Game G2

Initialize(1n)

(N e e)larr$ ΦHALook-up α-bit IDH for Hν = nminus `minus αminus 23PAD = 015||1ν ||08||IDHreturn (pk = (N e PADH)

Finalize(mlowast σlowast)

if Verify(pkmlowast σlowast) = 1return 1

elsereturn 0

(c) UF-NMA Game with lossy simu-lated public key

Lemma 6 Pr[GF0 rArr 1] = Pr[GF1 rArr 1]

PROOF From G0 to G1 we changed from the RSA-PKCS1-v15 key generation to the ΦHA instance genera-tion It is clear to see that the distributions are the same thus there is no change from the view of the forger

Lemma 7 There exists a distinguisher D against the ΦHA which runs in time tprime asymp t and such that|Pr[GF1 rArr 1]minus Pr[GF2 rArr 1]| = AdvΦHA

D

PROOF From G1 to G2 we change the key generation from a normal key (N e) to a lossy (N e) We nowbuild a distinguisher D against the ΦHA using these games The distinguisher will run F and after F callsFinalize D returns the output of Finalize Thus we can see that Pr [1larr D1(N e)] = Pr

[GF1 rArr 1

]and

Pr[1larr D1(N e)] = Pr[GF2 rArr 1

]Hence we have |Pr

[GF1 rArr 1

]minusPr

[GF2 rArr 1

]| = |Pr [1larr D1(N e)]minus

Pr[1larr D1(N e)]| = AdvΦHAD

19

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Lemma 8 Pr[GF2 rArr 1] 6(

2`

e

)Pr[GF1 rArr 1]]

PROOF We show that with overwhelming probability there are no valid signatures in the desired PKCSinterval ie 6 existσ isin ZlowastN st σe isin JPAD||0` PAD||1`K For lossy keys e|ϕ(N) the mapping

ZlowastN rarr ZlowastN x 7rarr xe mod N

is e-to-1 for all x isin ZlowastN Hence m = |S| = ϕ(N)e Let S = s1 sm and define a 0 1-random variable

Xi that takes value 1 iff si isin JPAD||0` PAD||1`K for i = 1 m By assumption we have

Pr[Xi = 1] =2`

ϕ(N)for all i

Let X = X1 + +Xm denote the number of signatures in the desired interval JPAD||0` PAD||1`K Thenwe have expectation E[X] = ϕ(N)

e middot 2`

ϕ(N) = 2`

e Since X is a non-negative integer-valued random variableit follows that

Pr[X ge 1] le E[X] =2`

e

Thus there is a valid signature in the desired interval with probability at most 2`

e If we combine Lemmata 6 to 8 we get

ε 6

(1minus 2`

e

)εprime

as required This completes the proof

42 Proof based on a Variant of the Approximate e-th Root Assumption

The Approximate e-th Root (AER) assumption was introduced in 1985 by Okomoto and Shibaishi [OS85]to prove the security of the ESIGN signature scheme (see also [OS03]) In the AER problem one requiresthe adversary not to find the root of a specific target value but one also accept a root of any value ldquocloserdquoto the target By close we mean that the adversary can submit a root for any value that it is most ∆ awayfrom our target value where ∆ is part of the challenge The AER assumption has been thoroughly studiedin cryptanalysis [BD86 BO88 GTV90]

Assumption 4 (Approximate e-th Root (AER)) The Approximate e-th Root assumption denoted by AERstates that given (N e y∆) where N is the product of two distinct random n2-bit prime numbers P andQ e isin Zlowastϕ(N) y isinR ZlowastN and ∆ le N

eminus1e it is hard to compute x such that |y minus xe| 6 ∆ AER is said to be

(t ε)-hard if for all adversaries A running in time at most t we have

AdvAER = Pr [x = A(N e y∆) and |y minus xe mod N | 6 ∆] 6 ε

The first thing that we can see is that we select ∆ = 0 we get exactly the RSA Assumption Thisis because if ∆ = 0 we require that the adversary finds x such that |y minus xe mod N | 6 0 which meansy minus xe = 0 mod N ie y = xe mod N Beyond this we must note that the the Approximate e-th rootproblem becomes ldquoeasierrdquo as the value of ∆ grows In fact we can see that for ∆ ge (N minus 1)2 AER istrivially solvable as all x isin ZN are valid that is to say forallx y isin ZN |y minus xe| 6 ∆

20

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

The problem is also easily solvable if there exists an e-th root over the integers nearby y Let us look atthe following algorithm We define as our AER solution x = by1ec isin N the rounded e-th root of y overthe integers How close is then xe to y Let us define x = y1e isin R with x ge x and xminus x lt 1 By the MeanValue Theorem for every continuous function g(x) on the interval [x0 x1] there exists some xprime isin [x0 x1]such that

gprime(xprime) =g(x1)minus g(x0)

x1 minus x0

where gprime(x) is the first derivative of g(x) For g(x) = xe this implies

0 le y minus xe = xe minus xe le gprime(x) middot (xminus x) lt exeminus1 lt eNeminus1e

Hence we can efficiently solve AER for ∆ ge eNeminus1e To the best of our knowledge this is the best known

bound for solving AER Thankfully the value of ∆ we need for PKCS1 signatures is much smaller thanthis which means that we are not susceptible to this attack

Let us look more closely as to how we apply the AER assumption to the securoty of PKCS1 v15signatures The first thing we need to note is that if we fix our modulus length n and our hash function H theprefix PAD is the same regardless of the choice of (N e) Let us call the set of message representatives YnHWe can compute the boundaries of YnH by simply setting the hash to all zeros and all ones respectivelyThis gives us a lower bound of PAD||0` and an upper bound of PAD||1` thus YnH = JPAD||0` PAD||1`K

To take this into account we consider a specific case of the AER Assumption which we will calledFixed-Range Approximate e-th Root Assumption Essentially we fix our values y∆ so that we havePAD||0` = y minus ∆ and PAD||1` = y + ∆ For notional simplicity we write YnH in place of (y∆) andassume it to be publically known

Assumption 5 (Fixed-Range Approximate e-th Root Assumption) The Fixed-Range Approximate e-th RootAssumption denoted by YnH-FAER states that given (N e) where N is the product of two distinctrandom n2-bit prime numbers P and Q e isin Zlowastϕ(N) it is hard to compute x such that xe mod N isin YnHYnH-FAER is said to be (t ε)-hard if for all adversaries A running in time at most t we have

AdvYnH-FAERA = Pr [x = A(N e) and xe mod N isin YnH] 6 ε

Theorem 7 Assume the YnH-FAER assumption is (tprime εprime)-hard then RSA-PKCS1-v15 is (t ε)-UF-NMAsecure in the Standard Model where

ε = εprime

t asymp tprime

PROOF Given (N e) from the challenger and knowing YnH we can compute our public key pk =(N e PADH) We simply take (N e) from the challenge and knowing YnH = JPAD||0` PAD||1`K wecan derive the value PAD and the hash function as the identifier IDH is contained in PAD We now sendthis public key to the forger If the forger produces a valid forgery σlowast for message mlowast we know thatσlowaste mod N = PAD||H(mlowast) isin YnH Thus we can submit σlowast as our approximate root We see that any validforgery by the adversary is a valid solution to our YnH-FAER challenge Thus we are successful wheneverthe forger is successful which gives us ε = εprime as required

21

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

5 Conclusions

This paper presents the first security proofs for PKCS1 v15 signatures under plausible cryptographic hard-ness assumptions In particular we prove full UF-CMA-security in the random oracle model for a threeprime modulus variant of PKCS1 v15 signatures based on the standard RSA assumption and give a tightsecurity proof under the ϕ-Hiding assumption This matches the known security proofs of other practicalRSA-based signature schemes such as RSA-PSS and RSA-FDH Using an additional assumption we areable to lift our results from our variant to the more standard two prime modulus instantiation of PKCS1v15 signatures Hence PKCS1 v15 signatures can be used securely in practice when instantiated suchthat the bounds on the length of the hash function output and the modulus from our proofs apply

An interesting research direction for future work is to improve the provided bounds on the size of thepadding and the hash function ideally such that standard hash functions such as SHA-512 are coveredFurthermore an interesting question is whether one can directly prove the security of two prime modulusPKCS1 v15 signatures without any additional assumptions

Acknowledgements

We would like to thank the CCS 2018 anonymous reviewer for their insightful comments We would alsolike to thank Jan Bobolz for pointing us to the SHAKE XOFs

References

[AMV15] Giuseppe Ateniese Bernardo Magri and Daniele Venturi Subversion-resilient signatureschemes In Indrajit Ray Ninghui Li and Christopher Kruegel editors ACM CCS 15 22ndConference on Computer and Communications Security pages 364ndash375 Denver CO USAOctober 12ndash16 2015 ACM Press

[BD86] Ernest F Brickell and John M DeLaurentis An attack on a signature scheme proposed byOkamoto and Shiraishi In Hugh C Williams editor Advances in Cryptology ndash CRYPTOrsquo85volume 218 of Lecture Notes in Computer Science pages 28ndash32 Santa Barbara CA USAAugust 18ndash22 1986 Springer Heidelberg Germany

[BDPA11] G Bertoni J Daemen M Peeters and G Van Assche The Keccak SHA-3 submissionSubmission to NIST (Round 3) 2011 Available at httpskeccakteamfilesKeccak-reference-30pdf

[Ber98] Daniel J Bernstein Detecting perfect powers in essentially linear time Math Comput67(223)1253ndash1283 July 1998

[BFK+12] Romain Bardou Riccardo Focardi Yusuke Kawamoto Lorenzo Simionato Graham Steel andJoe-Kai Tsay Efficient padding oracle attacks on cryptographic hardware In Reihaneh Safavi-Naini and Ran Canetti editors Advances in Cryptology ndash CRYPTO 2012 volume 7417 ofLecture Notes in Computer Science pages 608ndash625 Santa Barbara CA USA August 19ndash232012 Springer Heidelberg Germany

[BHJ+13] Florian Bohl Dennis Hofheinz Tibor Jager Jessica Koch Jae Hong Seo and ChristophStriecks Practical signatures from standard assumptions In Thomas Johansson and Phong Q

22

Nguyen editors Advances in Cryptology ndash EUROCRYPT 2013 volume 7881 of Lecture Notesin Computer Science pages 461ndash485 Athens Greece May 26ndash30 2013 Springer HeidelbergGermany

[BJLS16] Christoph Bader Tibor Jager Yong Li and Sven Schage On the impossibility of tight crypto-graphic reductions In Marc Fischlin and Jean-Sebastien Coron editors Advances in Cryptol-ogy ndash EUROCRYPT 2016 Part II volume 9666 of Lecture Notes in Computer Science pages273ndash304 Vienna Austria May 8ndash12 2016 Springer Heidelberg Germany

[Ble98] Daniel Bleichenbacher Chosen ciphertext attacks against protocols based on the RSA encryp-tion standard PKCS 1 In Hugo Krawczyk editor Advances in Cryptology ndash CRYPTOrsquo98volume 1462 of Lecture Notes in Computer Science pages 1ndash12 Santa Barbara CA USAAugust 23ndash27 1998 Springer Heidelberg Germany

[BO88] Ernest F Brickell and Andrew M Odlyzko Cryptanalysis A survey of recent results Proceed-ings of the IEEE 76(5)578ndash593 1988

[BR93] Mihir Bellare and Phillip Rogaway Random oracles are practical A paradigm for design-ing efficient protocols In V Ashby editor ACM CCS 93 1st Conference on Computer andCommunications Security pages 62ndash73 Fairfax Virginia USA November 3ndash5 1993 ACMPress

[BR95] Mihir Bellare and Phillip Rogaway Optimal asymmetric encryption In Alfredo De Santiseditor Advances in Cryptology ndash EUROCRYPTrsquo94 volume 950 of Lecture Notes in ComputerScience pages 92ndash111 Perugia Italy May 9ndash12 1995 Springer Heidelberg Germany

[BR96] Mihir Bellare and Phillip Rogaway The exact security of digital signatures How to sign withRSA and Rabin In Ueli M Maurer editor Advances in Cryptology ndash EUROCRYPTrsquo96 vol-ume 1070 of Lecture Notes in Computer Science pages 399ndash416 Saragossa Spain May 12ndash16 1996 Springer Heidelberg Germany

[BSY17] Hanno Bock Juraj Somorovsky and Craig Young Return of bleichenbacherrsquos oracle threat(ROBOT) Cryptology ePrint Archive Report 20171189 2017 httpseprintiacrorg20171189

[BY93] Mihir Bellare and Moti Yung Certifying cryptographic tools The case of trapdoor permu-tations In Ernest F Brickell editor Advances in Cryptology ndash CRYPTOrsquo92 volume 740 ofLecture Notes in Computer Science pages 442ndash460 Santa Barbara CA USA August 16ndash201993 Springer Heidelberg Germany

[BY96] Mihir Bellare and Moti Yung Certifying permutations Noninteractive zero-knowledge basedon any trapdoor permutation Journal of Cryptology 9(3)149ndash166 1996

[CFPR96] Don Coppersmith Matthew K Franklin Jacques Patarin and Michael K Reiter Low-exponent RSA with related messages In Ueli M Maurer editor Advances in Cryptology ndashEUROCRYPTrsquo96 volume 1070 of Lecture Notes in Computer Science pages 1ndash9 SaragossaSpain May 12ndash16 1996 Springer Heidelberg Germany

23

[CJNP00] Jean-Sebastien Coron Marc Joye David Naccache and Pascal Paillier New attacks onPKCS1 v15 encryption In Bart Preneel editor Advances in Cryptology ndash EURO-CRYPT 2000 volume 1807 of Lecture Notes in Computer Science pages 369ndash381 BrugesBelgium May 14ndash18 2000 Springer Heidelberg Germany

[CMS99] Christian Cachin Silvio Micali and Markus Stadler Computationally private informationretrieval with polylogarithmic communication In Jacques Stern editor Advances in Cryptol-ogy ndash EUROCRYPTrsquo99 volume 1592 of Lecture Notes in Computer Science pages 402ndash414Prague Czech Republic May 2ndash6 1999 Springer Heidelberg Germany

[Cop97] Don Coppersmith Small Solutions to Polynomial Equations and Low Exponent RSA Vulner-abilities Journal of Cryptology 10(1)233ndash260 November 1997

[Cor00] Jean-Sebastien Coron On the exact security of full domain hash In Mihir Bellare editorAdvances in Cryptology ndash CRYPTO 2000 volume 1880 of Lecture Notes in Computer Sci-ence pages 229ndash235 Santa Barbara CA USA August 20ndash24 2000 Springer HeidelbergGermany

[Cor01] Jean-Sebastien Coron Optimal security proofs for PSS and other signature schemes Cryptol-ogy ePrint Archive Report 2001062 2001 httpeprintiacrorg2001062

[Cor02] Jean-Sebastien Coron Optimal security proofs for PSS and other signature schemes In Lars RKnudsen editor Advances in Cryptology ndash EUROCRYPT 2002 volume 2332 of Lecture Notesin Computer Science pages 272ndash287 Amsterdam The Netherlands April 28 ndash May 2 2002Springer Heidelberg Germany

[CS99] Ronald Cramer and Victor Shoup Signature schemes based on the strong RSA assumption InACM CCS 99 6th Conference on Computer and Communications Security pages 46ndash51 KentRidge Digital Labs Singapore November 1ndash4 1999 ACM Press

[dC86] Wiebren de Jonge and David Chaum Attacks on some RSA signatures In Hugh C Williamseditor Advances in Cryptology ndash CRYPTOrsquo85 volume 218 of Lecture Notes in Computer Sci-ence pages 18ndash27 Santa Barbara CA USA August 18ndash22 1986 Springer Heidelberg Ger-many

[DLP+12] Jean Paul Degabriele Anja Lehmann Kenneth G Paterson Nigel P Smart and Mario StreflerOn the joint security of encryption and signature in EMV In Orr Dunkelman editor Topics inCryptology ndash CT-RSA 2012 volume 7178 of Lecture Notes in Computer Science pages 116ndash135 San Francisco CA USA February 27 ndash March 2 2012 Springer Heidelberg Germany

[FGK+13] David Mandell Freeman Oded Goldreich Eike Kiltz Alon Rosen and Gil Segev More con-structions of lossy and correlation-secure trapdoor functions Journal of Cryptology 26(1)39ndash74 January 2013

[Fis03] Marc Fischlin The Cramer-Shoup strong-RSA signature scheme revisited In Yvo Desmedteditor PKC 2003 6th International Workshop on Theory and Practice in Public Key Cryptog-raphy volume 2567 of Lecture Notes in Computer Science pages 116ndash129 Miami FL USAJanuary 6ndash8 2003 Springer Heidelberg Germany

24

[FIPS 202] Information Technology Laboratory and National Institute of Standards and Technology SHA-3 standard Permutation-based hash and extendable-output functions Federal InformationProccessing Standards Publication 202 August 2015

[GM97] Marc Girault and Jean-Francois Misarsky Selective forgery of RSA signatures using redun-dancy In Walter Fumy editor Advances in Cryptology ndash EUROCRYPTrsquo97 volume 1233 ofLecture Notes in Computer Science pages 495ndash507 Konstanz Germany May 11ndash15 1997Springer Heidelberg Germany

[GHR99] Rosario Gennaro Shai Halevi and Tal Rabin Secure hash-and-sign signatures without therandom oracle In Jacques Stern editor Advances in Cryptology ndash EUROCRYPTrsquo99 volume1592 of Lecture Notes in Computer Science pages 123ndash139 Prague Czech Republic May 2ndash6 1999 Springer Heidelberg Germany

[GTV90] Marc Girault Philippe Toffin and Brigitte Vallee Computation of approximate l-th roots mod-ulo n and application to cryptography In Shafi Goldwasser editor Advances in Cryptology ndashCRYPTOrsquo88 volume 403 of Lecture Notes in Computer Science pages 100ndash117 Santa Bar-bara CA USA August 21ndash25 1990 Springer Heidelberg Germany

[HJK11] Dennis Hofheinz Tibor Jager and Eike Kiltz Short signatures from weaker assumptions InDong Hoon Lee and Xiaoyun Wang editors Advances in Cryptology ndash ASIACRYPT 2011volume 7073 of Lecture Notes in Computer Science pages 647ndash666 Seoul South Korea De-cember 4ndash8 2011 Springer Heidelberg Germany

[HW09] Susan Hohenberger and Brent Waters Realizing hash-and-sign signatures under standard as-sumptions In Antoine Joux editor Advances in Cryptology ndash EUROCRYPT 2009 volume5479 of Lecture Notes in Computer Science pages 333ndash350 Cologne Germany April 26ndash302009 Springer Heidelberg Germany

[JSS15a] Tibor Jager Jorg Schwenk and Juraj Somorovsky On the security of TLS 13 and QUICagainst weaknesses in PKCS1 v15 encryption In Indrajit Ray Ninghui Li and ChristopherKruegel editors ACM CCS 15 22nd Conference on Computer and Communications Securitypages 1185ndash1196 Denver CO USA October 12ndash16 2015 ACM Press

[JSS15b] Tibor Jager Jorg Schwenk and Juraj Somorovsky Practical invalid curve attacks on TLS-ECDH In Gunther Pernul Peter Y A Ryan and Edgar R Weippl editors ESORICS 201520th European Symposium on Research in Computer Security Part I volume 9326 of Lec-ture Notes in Computer Science pages 407ndash425 Vienna Austria September 21ndash25 2015Springer Heidelberg Germany

[KK12] Saqib A Kakvi and Eike Kiltz Optimal security proofs for full domain hash revisitedIn David Pointcheval and Thomas Johansson editors Advances in Cryptology ndash EURO-CRYPT 2012 volume 7237 of Lecture Notes in Computer Science pages 537ndash553 CambridgeUK April 15ndash19 2012 Springer Heidelberg Germany

[KK18] Saqib A Kakvi and Eike Kiltz Optimal security proofs for full domain hash revisited Journalof Cryptology 31(1)276ndash306 January 2018

25

[KKM12] Saqib A Kakvi Eike Kiltz and Alexander May Certifying RSA In Xiaoyun Wang and KazueSako editors Advances in Cryptology ndash ASIACRYPT 2012 volume 7658 of Lecture Notes inComputer Science pages 404ndash414 Beijing China December 2ndash6 2012 Springer HeidelbergGermany

[KOS10] Eike Kiltz Adam OrsquoNeill and Adam Smith Instantiability of RSA-OAEP under chosen-plaintext attack In Tal Rabin editor Advances in Cryptology ndash CRYPTO 2010 volume 6223of Lecture Notes in Computer Science pages 295ndash313 Santa Barbara CA USA August 15ndash19 2010 Springer Heidelberg Germany

[KP09] Eike Kiltz and Krzysztof Pietrzak On the security of padding-based encryption schemes - or -why we cannot prove OAEP secure in the standard model In Antoine Joux editor Advances inCryptology ndash EUROCRYPT 2009 volume 5479 of Lecture Notes in Computer Science pages389ndash406 Cologne Germany April 26ndash30 2009 Springer Heidelberg Germany

[KPR03] Vlastimil Klıma Ondrej Pokorny and Tomas Rosa Attacking RSA-based sessions inSSLTLS In Colin D Walter Cetin Kaya Koc and Christof Paar editors CryptographicHardware and Embedded Systems ndash CHES 2003 volume 2779 of Lecture Notes in ComputerScience pages 426ndash440 Cologne Germany September 8ndash10 2003 Springer HeidelbergGermany

[KPS13] Eike Kiltz Krzysztof Pietrzak and Mario Szegedy Digital signatures with minimal overheadfrom indifferentiable random invertible functions In Ran Canetti and Juan A Garay editorsAdvances in Cryptology ndash CRYPTO 2013 Part I volume 8042 of Lecture Notes in ComputerScience pages 571ndash588 Santa Barbara CA USA August 18ndash22 2013 Springer HeidelbergGermany

[LOS13] Mark Lewko Adam OrsquoNeill and Adam Smith Regularity of lossy RSA on subdomains and itsapplications In Thomas Johansson and Phong Q Nguyen editors Advances in Cryptology ndashEUROCRYPT 2013 volume 7881 of Lecture Notes in Computer Science pages 55ndash75 AthensGreece May 26ndash30 2013 Springer Heidelberg Germany

[MSW+14] Christopher Meyer Juraj Somorovsky Eugen Weiss Jorg Schwenk Sebastian Schinzel andErik Tews Revisiting SSLTLS implementations New bleichenbacher side channels and at-tacks In Kevin Fu and Jaeyeon Jung editors Proceedings of the 23rd USENIX Security Sym-posium San Diego CA USA August 20-22 2014 pages 733ndash748 USENIX Association2014

[OS85] Tatsuski Okamoto and Akira Shibaishi A fast signature scheme based on quadratic inequali-ties In Security and Privacy 1985 IEEE Symposium on pages 123ndash123 IEEE 1985

[OS03] Tatsuaki Okamoto and Jacques Stern Almost uniform density of power residues and the prov-able security of ESIGN In Chi-Sung Laih editor Advances in Cryptology ndash ASIACRYPT 2003volume 2894 of Lecture Notes in Computer Science pages 287ndash301 Taipei Taiwan Novem-ber 30 ndash December 4 2003 Springer Heidelberg Germany

[PW08] Chris Peikert and Brent Waters Lossy trapdoor functions and their applications In Richard ELadner and Cynthia Dwork editors 40th Annual ACM Symposium on Theory of Computingpages 187ndash196 Victoria British Columbia Canada May 17ndash20 2008 ACM Press

26

[RSA78] Ronald L Rivest A Shamir and Leonard M Adleman A method for obtaining digital signa-tures and public-key cryptosystems Commun ACM 21(2)120ndash126 Feb 1978

[Sch11] Sven Schage Tight proofs for signature schemes without random oracles In Kenneth G Pa-terson editor Advances in Cryptology ndash EUROCRYPT 2011 volume 6632 of Lecture Notes inComputer Science pages 189ndash206 Tallinn Estonia May 15ndash19 2011 Springer HeidelbergGermany

[Seu14] Yannick Seurin On the lossiness of the Rabin trapdoor function In Hugo Krawczyk editorPKC 2014 17th International Conference on Theory and Practice of Public Key Cryptog-raphy volume 8383 of Lecture Notes in Computer Science pages 380ndash398 Buenos AiresArgentina March 26ndash28 2014 Springer Heidelberg Germany

[Sho02] Victor Shoup OAEP reconsidered Journal of Cryptology 15(4)223ndash249 2002

[SPW07] Ron Steinfeld Josef Pieprzyk and Huaxiong Wang How to strengthen any weakly unforgeablesignature into a strongly unforgeable signature In Masayuki Abe editor Topics in Cryptologyndash CT-RSA 2007 volume 4377 of Lecture Notes in Computer Science pages 357ndash371 SanFrancisco CA USA February 5ndash9 2007 Springer Heidelberg Germany

[SZ15] Adam Smith and Ye Zhang On the regularity of lossy RSA - improved bounds and applicationsto padding-based encryption In Yevgeniy Dodis and Jesper Buus Nielsen editors TCC 201512th Theory of Cryptography Conference Part I volume 9014 of Lecture Notes in ComputerScience pages 609ndash628 Warsaw Poland March 23ndash25 2015 Springer Heidelberg Germany

[ZJRR14] Yinqian Zhang Ari Juels Michael K Reiter and Thomas Ristenpart Cross-tenant side-channel attacks in PaaS clouds In Gail-Joon Ahn Moti Yung and Ninghui Li editorsACM CCS 14 21st Conference on Computer and Communications Security pages 990ndash1003Scottsdale AZ USA November 3ndash7 2014 ACM Press

Primary RFC References

[2246] T Dierks and C Allen The TLS Protocol Version 10 RFC 2246 (Proposed Standard) January1999 Obsoleted by RFCs [4346] updated by RFC [3546 5746 6176 7465 7507 7919] httpswwwrfc-editororgrfcrfc2246txt

[2313] B Kaliski PKCS 1 RSA Encryption Version 15 RFC Editor Fremont CA USA March 1998Obsoleted by RFC [2437] httpswwwrfc-editororgrfcrfc2313txt

[2437] B Kaliski and J Staddon PKCS 1 RSA Cryptography Specifications Version 20 RFC 2437(Informational) October 1998 Obsoleted by RFC [3447] httpswwwrfc-editororgrfcrfc2437txt

[3370] R Housley Cryptographic Message Syntax (CMS) Algorithms RFC 3370 (Proposed Standard)August 2002 Updated by RFC [5754] httpswwwrfc-editororgrfcrfc3370txt

27

[KKM12] Saqib A Kakvi Eike Kiltz and Alexander May Certifying RSA In Xiaoyun Wang and KazueSako editors Advances in Cryptology ndash ASIACRYPT 2012 volume 7658 of Lecture Notes inComputer Science pages 404ndash414 Beijing China December 2ndash6 2012 Springer HeidelbergGermany

[KOS10] Eike Kiltz Adam OrsquoNeill and Adam Smith Instantiability of RSA-OAEP under chosen-plaintext attack In Tal Rabin editor Advances in Cryptology ndash CRYPTO 2010 volume 6223of Lecture Notes in Computer Science pages 295ndash313 Santa Barbara CA USA August 15ndash19 2010 Springer Heidelberg Germany

[KP09] Eike Kiltz and Krzysztof Pietrzak On the security of padding-based encryption schemes - or -why we cannot prove OAEP secure in the standard model In Antoine Joux editor Advances inCryptology ndash EUROCRYPT 2009 volume 5479 of Lecture Notes in Computer Science pages389ndash406 Cologne Germany April 26ndash30 2009 Springer Heidelberg Germany

[KPR03] Vlastimil Klıma Ondrej Pokorny and Tomas Rosa Attacking RSA-based sessions inSSLTLS In Colin D Walter Cetin Kaya Koc and Christof Paar editors CryptographicHardware and Embedded Systems ndash CHES 2003 volume 2779 of Lecture Notes in ComputerScience pages 426ndash440 Cologne Germany September 8ndash10 2003 Springer HeidelbergGermany

[KPS13] Eike Kiltz Krzysztof Pietrzak and Mario Szegedy Digital signatures with minimal overheadfrom indifferentiable random invertible functions In Ran Canetti and Juan A Garay editorsAdvances in Cryptology ndash CRYPTO 2013 Part I volume 8042 of Lecture Notes in ComputerScience pages 571ndash588 Santa Barbara CA USA August 18ndash22 2013 Springer HeidelbergGermany

[LOS13] Mark Lewko Adam OrsquoNeill and Adam Smith Regularity of lossy RSA on subdomains and itsapplications In Thomas Johansson and Phong Q Nguyen editors Advances in Cryptology ndashEUROCRYPT 2013 volume 7881 of Lecture Notes in Computer Science pages 55ndash75 AthensGreece May 26ndash30 2013 Springer Heidelberg Germany

[MSW+14] Christopher Meyer Juraj Somorovsky Eugen Weiss Jorg Schwenk Sebastian Schinzel andErik Tews Revisiting SSLTLS implementations New bleichenbacher side channels and at-tacks In Kevin Fu and Jaeyeon Jung editors Proceedings of the 23rd USENIX Security Sym-posium San Diego CA USA August 20-22 2014 pages 733ndash748 USENIX Association2014

[OS85] Tatsuski Okamoto and Akira Shibaishi A fast signature scheme based on quadratic inequali-ties In Security and Privacy 1985 IEEE Symposium on pages 123ndash123 IEEE 1985

[OS03] Tatsuaki Okamoto and Jacques Stern Almost uniform density of power residues and the prov-able security of ESIGN In Chi-Sung Laih editor Advances in Cryptology ndash ASIACRYPT 2003volume 2894 of Lecture Notes in Computer Science pages 287ndash301 Taipei Taiwan Novem-ber 30 ndash December 4 2003 Springer Heidelberg Germany

[PW08] Chris Peikert and Brent Waters Lossy trapdoor functions and their applications In Richard ELadner and Cynthia Dwork editors 40th Annual ACM Symposium on Theory of Computingpages 187ndash196 Victoria British Columbia Canada May 17ndash20 2008 ACM Press

26

[RSA78] Ronald L Rivest A Shamir and Leonard M Adleman A method for obtaining digital signa-tures and public-key cryptosystems Commun ACM 21(2)120ndash126 Feb 1978

[Sch11] Sven Schage Tight proofs for signature schemes without random oracles In Kenneth G Pa-terson editor Advances in Cryptology ndash EUROCRYPT 2011 volume 6632 of Lecture Notes inComputer Science pages 189ndash206 Tallinn Estonia May 15ndash19 2011 Springer HeidelbergGermany

[Seu14] Yannick Seurin On the lossiness of the Rabin trapdoor function In Hugo Krawczyk editorPKC 2014 17th International Conference on Theory and Practice of Public Key Cryptog-raphy volume 8383 of Lecture Notes in Computer Science pages 380ndash398 Buenos AiresArgentina March 26ndash28 2014 Springer Heidelberg Germany

[Sho02] Victor Shoup OAEP reconsidered Journal of Cryptology 15(4)223ndash249 2002

[SPW07] Ron Steinfeld Josef Pieprzyk and Huaxiong Wang How to strengthen any weakly unforgeablesignature into a strongly unforgeable signature In Masayuki Abe editor Topics in Cryptologyndash CT-RSA 2007 volume 4377 of Lecture Notes in Computer Science pages 357ndash371 SanFrancisco CA USA February 5ndash9 2007 Springer Heidelberg Germany

[SZ15] Adam Smith and Ye Zhang On the regularity of lossy RSA - improved bounds and applicationsto padding-based encryption In Yevgeniy Dodis and Jesper Buus Nielsen editors TCC 201512th Theory of Cryptography Conference Part I volume 9014 of Lecture Notes in ComputerScience pages 609ndash628 Warsaw Poland March 23ndash25 2015 Springer Heidelberg Germany

[ZJRR14] Yinqian Zhang Ari Juels Michael K Reiter and Thomas Ristenpart Cross-tenant side-channel attacks in PaaS clouds In Gail-Joon Ahn Moti Yung and Ninghui Li editorsACM CCS 14 21st Conference on Computer and Communications Security pages 990ndash1003Scottsdale AZ USA November 3ndash7 2014 ACM Press

Primary RFC References

[2246] T Dierks and C Allen The TLS Protocol Version 10 RFC 2246 (Proposed Standard) January1999 Obsoleted by RFCs [4346] updated by RFC [3546 5746 6176 7465 7507 7919] httpswwwrfc-editororgrfcrfc2246txt

[2313] B Kaliski PKCS 1 RSA Encryption Version 15 RFC Editor Fremont CA USA March 1998Obsoleted by RFC [2437] httpswwwrfc-editororgrfcrfc2313txt

[2437] B Kaliski and J Staddon PKCS 1 RSA Cryptography Specifications Version 20 RFC 2437(Informational) October 1998 Obsoleted by RFC [3447] httpswwwrfc-editororgrfcrfc2437txt

[3370] R Housley Cryptographic Message Syntax (CMS) Algorithms RFC 3370 (Proposed Standard)August 2002 Updated by RFC [5754] httpswwwrfc-editororgrfcrfc3370txt

27

[RSA78] Ronald L Rivest A Shamir and Leonard M Adleman A method for obtaining digital signa-tures and public-key cryptosystems Commun ACM 21(2)120ndash126 Feb 1978

[Sch11] Sven Schage Tight proofs for signature schemes without random oracles In Kenneth G Pa-terson editor Advances in Cryptology ndash EUROCRYPT 2011 volume 6632 of Lecture Notes inComputer Science pages 189ndash206 Tallinn Estonia May 15ndash19 2011 Springer HeidelbergGermany

[Seu14] Yannick Seurin On the lossiness of the Rabin trapdoor function In Hugo Krawczyk editorPKC 2014 17th International Conference on Theory and Practice of Public Key Cryptog-raphy volume 8383 of Lecture Notes in Computer Science pages 380ndash398 Buenos AiresArgentina March 26ndash28 2014 Springer Heidelberg Germany

[Sho02] Victor Shoup OAEP reconsidered Journal of Cryptology 15(4)223ndash249 2002

[SPW07] Ron Steinfeld Josef Pieprzyk and Huaxiong Wang How to strengthen any weakly unforgeablesignature into a strongly unforgeable signature In Masayuki Abe editor Topics in Cryptologyndash CT-RSA 2007 volume 4377 of Lecture Notes in Computer Science pages 357ndash371 SanFrancisco CA USA February 5ndash9 2007 Springer Heidelberg Germany

[SZ15] Adam Smith and Ye Zhang On the regularity of lossy RSA - improved bounds and applicationsto padding-based encryption In Yevgeniy Dodis and Jesper Buus Nielsen editors TCC 201512th Theory of Cryptography Conference Part I volume 9014 of Lecture Notes in ComputerScience pages 609ndash628 Warsaw Poland March 23ndash25 2015 Springer Heidelberg Germany

[ZJRR14] Yinqian Zhang Ari Juels Michael K Reiter and Thomas Ristenpart Cross-tenant side-channel attacks in PaaS clouds In Gail-Joon Ahn Moti Yung and Ninghui Li editorsACM CCS 14 21st Conference on Computer and Communications Security pages 990ndash1003Scottsdale AZ USA November 3ndash7 2014 ACM Press

Primary RFC References

[2246] T Dierks and C Allen The TLS Protocol Version 10 RFC 2246 (Proposed Standard) January1999 Obsoleted by RFCs [4346] updated by RFC [3546 5746 6176 7465 7507 7919] httpswwwrfc-editororgrfcrfc2246txt

[2313] B Kaliski PKCS 1 RSA Encryption Version 15 RFC Editor Fremont CA USA March 1998Obsoleted by RFC [2437] httpswwwrfc-editororgrfcrfc2313txt

[2437] B Kaliski and J Staddon PKCS 1 RSA Cryptography Specifications Version 20 RFC 2437(Informational) October 1998 Obsoleted by RFC [3447] httpswwwrfc-editororgrfcrfc2437txt

[3370] R Housley Cryptographic Message Syntax (CMS) Algorithms RFC 3370 (Proposed Standard)August 2002 Updated by RFC [5754] httpswwwrfc-editororgrfcrfc3370txt

27

[3447] J Jonsson and B Kaliski Public-Key Cryptography Standards (PKCS) 1 RSA CryptographySpecifications Version 21 RFC 3447 (Informational) February 2003 Obsoleted by RFC [8017]httpswwwrfc-editororgrfcrfc3447txt

[4055] J Schaad B Kaliski and R Housley Additional Algorithms and Identifiers for RSA Cryptographyfor use in the Internet X509 Public Key Infrastructure Certificate and Certificate Revocation List(CRL) Profile RFC 4055 (Proposed Standard) June 2005 Updated by RFC [5756] httpswwwrfc-editororgrfcrfc4055txt

[4346] T Dierks and E Rescorla The Transport Layer Security (TLS) Protocol Version 11 RFC 4346(Proposed Standard) April 2006 Obsoleted by RFC [5246] updated by RFCs [4366 4680 46815746 6176 7465 7507 7919] httpswwwrfc-editororgrfcrfc4346txt

[4359] B Weis The Use of RSASHA-1 Signatures within Encapsulating Security Payload (ESP) andAuthentication Header (AH) RFC 4359 (Proposed Standard) January 2006 httpswwwrfc-editororgrfcrfc4359txt

[4880] J Callas L Donnerhacke H Finney D Shaw and R Thayer OpenPGP Message FormatRFC 4880 (Proposed Standard) November 2007 Updated by RFC [5581] httpswwwrfc-editororgrfcrfc4880txt

[5246] T Dierks and E Rescorla The Transport Layer Security (TLS) Protocol Version 12 RFC 5246(Proposed Standard) August 2008 Updated by RFC [5746 5878 6176 7465 7507 7568 76277685 7905 7919] httpswwwrfc-editororgrfcrfc5246txt

[7515] M Jones J Bradley and N Sakimura JSON Web Signature (JWS) RFC 7515 (Proposed Stan-dard) May 2015 httpswwwrfc-editororgrfcrfc7515txt

[8017] K Moriarty (Ed) B Kaliski J Jonsson and A Rusch PKCS 1 RSA Cryptography Specifica-tions Version 22 RFC 8017 (Informational) November 2016 httpswwwrfc-editororgrfcrfc8017txt

Secondary RFC References

[3546] S Blake-Wilson M Nystrom D Hopwood J Mikkelsen and T Wright Transport Layer Security(TLS) Extensions RFC 3546 (Proposed Standard) June 2003 Obsoleted by RFC [4366] httpswwwrfc-editororgrfcrfc3456txt

[4366] S Blake-Wilson M Nystrom D Hopwood J Mikkelsen and T Wright Transport Layer Security(TLS) Extensions RFC 4366 (Proposed Standard) April 2006 Obsoleted by RFCs [5246 6066]updated by RFC [5746] httpswwwrfc-editororgrfcrfc4366txt

[4680] S Santesson TLS Handshake Message for Supplemental Data RFC 4680 (Proposed Standard)October 2006 httpswwwrfc-editororgrfcrfc4680txt

[4681] S Santesson A Medvinsky and J Ball TLS User Mapping Extension RFC 4681 (ProposedStandard) October 2006 httpswwwrfc-editororgrfcrfc4681txt

28

[5581] D Shaw The Camellia Cipher in OpenPGP RFC 5581 (Informational) June 2009 httpswwwrfc-editororgrfcrfc4880txt

[5746] E Rescorla M Ray S Dispensa and N Oskov Transport Layer Security (TLS) Renegotia-tion Indication Extension RFC 5746 (Proposed Standard) February 2010 httpswwwrfc-editororgrfcrfc5746txt

[5754] S Turner Using SHA2 Algorithms with Cryptographic Message Syntax RFC 5754 (ProposedStandard) January 2010 httpswwwrfc-editororgrfcrfc5754txt

[5756] S Turner D Brown K Yiu R Housley and T Polk Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters RFC 5756 (Proposed Standard) January 2010 httpswwwrfc-editororgrfcrfc5756txt

[5878] M Brown and R Housley Transport Layer Security (TLS) Authorization Extensions RFC 5878(Experimental) May 2010 httpswwwrfc-editororgrfcrfc5878txt

[6066] D Eastlake 3rd Transport Layer Security (TLS) Extensions Extension Definitions RFC 6066(Proposed Standard) January 2011 httpswwwrfc-editororgrfcrfc6066txt

[6176] S Turner and T Polk Prohibiting Secure Sockets Layer (SSL) Version 20 RFC 6176 (ProposedStandard) March 2011 httpswwwrfc-editororgrfcrfc6176txt

[7465] A Popov Prohibiting RC4 Cipher Suites RFC 7465 (Proposed Standard) February 2015 httpswwwrfc-editororgrfcrfc7465txt

[7507] B Moeller and A Langley TLS Fallback Signaling Cipher Suite Value (SCSV) for PreventingProtocol Downgrade Attacks RFC 7507 (Proposed Standard) April 2015 httpswwwrfc-editororgrfcrfc7505txt

[7568] R Barnes M Thomson A Pironti and A Langley Deprecating Secure Sockets Layer Version30 RFC 7568 (Proposed Standard) June 2015 httpswwwrfc-editororgrfcrfc7568txt

[7627] K Bhargavan (Ed) A Delignat-Lavaud A Pironti A Langley and M Ray Transport Layer Se-curity (TLS) Session Hash and Extended Master Secret Extension RFC 7627 (Proposed Standard)September 2015 httpswwwrfc-editororgrfcrfc7627txt

[7685] A Langley A Transport Layer Security (TLS) ClientHello Padding Extension RFC 7685 (ProposedStandard) October 2015 httpswwwrfc-editororgrfcrfc7685txt

[7905] A Langley W Chang N Mavrogiannopoulos J Strombergson and S Josefsson ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) RFC 7905 (Proposed Standard) June2016 httpswwwrfc-editororgrfcrfc7905txt

[7919] D Gillmor Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport LayerSecurity (TLS) RFC 7919 (Proposed Standard) August 2016 httpswwwrfc-editororgrfcrfc7919txt

29