Upload
others
View
19
Download
1
Embed Size (px)
Citation preview
David PointchevalLIENS-CNRSEcole normale supérieure
Provable SecurityRSA-PKCS
Encryption - SignatureLawrence Berkeley National Lab
August 2003
Provable Security - RSA-PKCS - Encryption-Signature - 2David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 3David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 4David Pointcheval
RSARSA
• n=pq : public modulus e : public exponent
• d=e-1 mod ϕ(n) : private
en/de-cryption�(m) = me mod n
�(c) = cd mod n
Relies on the so-called RSA problem:extracting e-th roots mod n
Rivest - Shamir - Adleman 1978
Provable Security - RSA-PKCS - Encryption-Signature - 5David Pointcheval
• One-Wayness = RSA Problem• Deterministic:
cannot achieve Semantic SecurityDoes c encrypt m0 or m1?Re-encrypt m0, and check whether it is c
• Multiplicativity:cannot prevent Chosen-Ciphertext Attacks
With c = �e(m) = me mod n
Compute c’ = 2e c mod n, ask for m’
Note that c’ = (2m)e mod n, thus m = m’ /2 mod n
⇒ need of padding
Plain-RSA: Weak SecurityPlain-RSA: Weak Security
Provable Security - RSA-PKCS - Encryption-Signature - 6David Pointcheval
PKCS #PKCS #1 v 1.51 v 1.5
00 02 00 Data BlockPadding String
length ≥ 8bytes ≠ 0
• Efficient encoding/decoding• Probabilistic encryption• Breaks multiplicativity• But…
a random ciphertext is validwith non-negligible probability ≈ 2-16
EM
Provable Security - RSA-PKCS - Encryption-Signature - 7David Pointcheval
PKCS #PKCS #1 v 1.51 v 1.5
00 02 00 Data BlockPadding String
length ≥ 8bytes ≠ 0
Valid ciphertext⇒ the MSB of the encoded message is at zero– The bit-security of RSA says that any bit
of the e-th root is as hard as the whole e-th root
– Any bit-leakage is serious– Here: 2 full bytes are leaked!
EM
Provable Security - RSA-PKCS - Encryption-Signature - 8David Pointcheval
Breaking PKCS #1 v 1.5Breaking PKCS #1 v 1.5
00 02 00 Data BlockPadding String
length ≥ 8bytes ≠ 0
Valid ciphertext C = EMe mod n
⇒ 2 × 256k-2 ≤ EM < 3 × 256k-2
Challenge ciphertext C = EMe mod n– Find small S such that C’ = C × Se mod n valid:
for some 0 < r < S,
2 × 256k-2 - rn ≤ EM S < 3 × 256k-2 - rn
⇒ EM lies in a small interval [a, b]
EM
*
Provable Security - RSA-PKCS - Encryption-Signature - 9David Pointcheval
Breaking PKCS #1 v 1.5Breaking PKCS #1 v 1.5
00 02 00 Data BlockPadding String
length ≥ 8bytes ≠ 0
Choose a new S such that the sets{ a S mod n, (a+1) S mod n, …, b S mod n}and [2 × 256k-2, 3 × 256k-2[ overlap
Validity of C’ = C Se mod n tells in which part it is
⇒ new small inverval [a’, b’] for EM
Approx.: any new valid ciphertextreduces the interval by 1/2
EM
*
Provable Security - RSA-PKCS - Encryption-Signature - 10David Pointcheval
Breaking PKCS #1 v 1.5Breaking PKCS #1 v 1.5
00 02 00 Data BlockPadding String
length ≥ 8bytes ≠ 0
• Reaction Attack (validity requests)breaks the One-Wayness
• Given a challenge ciphertext c*,after a few thousand of requests c,one can recover the plaintext m*
EM
Provable Security - RSA-PKCS - Encryption-Signature - 11David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 12David Pointcheval
OAEPOAEP BellareBellare--RogawayRogaway ‘94 ‘94
M
r
s
t
G HM = m||0k
r random
�(m,r) : Compute a,b then c=f (s||t) = EMe mod n�(c) : Compute EM = s||t = f -1(c) = cd mod n,
invert OAEP, and check redundancy
f a trapdoor one-way permutation (e.g. RSA)then (with G → {0,1}n and H → {0,1}�)
EM
Provable Security - RSA-PKCS - Encryption-Signature - 13David Pointcheval
In 1994, Bellare and Rogaway proved that• the OAEP construction provides an IND-CPA
cryptosystem under the OW of f• it is plaintext-aware (PA94)
proven: IND-CPA + PA94 ⇒ IND-CCA1But widely believed:
not proven: IND-CPA + PA94 ⇒ IND-CCA2and namely for OAEP…
IND-CCA2 under OW of IND-CCA2 under OW of ff
Provable Security - RSA-PKCS - Encryption-Signature - 14David Pointcheval
In 1998, improved plaintext-awareness (PA98)
proven: IND-CPA + PA98 ⇒ IND-CCA2But… PA98 of OAEP never studiedAnd IND-CCA2 of OAEP still widely believed
under the sole OW of fand namely for RSA-OAEP
RSA-OAEP: the most efficientand “provably secure” construction
⇒ became the new PKCS #1 v2.0
IND-CCA2 under OW of IND-CCA2 under OW of ff
Provable Security - RSA-PKCS - Encryption-Signature - 15David Pointcheval
However, in 2000,Shoup showed a counter-example:– a trapdoor one-way permutation f
– so that f -OAEP can be broken: malleablefrom a ciphertext c of an unknown message m,
one can build a ciphertext c’ of m’ = m ⊕ 1
⇒ break OW-CCA2, and thus IND-CCAGiven a challenge c, the encryption of m,
one derives the ciphertext c’ of m ⊕ 1one request to the decryption oracle is enough!
IND-CCA2 under OW of IND-CCA2 under OW of ff
Provable Security - RSA-PKCS - Encryption-Signature - 16David Pointcheval
• Let g be a trapdoor one-way permutationso that their exists an algorithm �,which on a and g(x) computes g(x ⊕ a)
• Let us define f (s,t) = s || g(t), which is clearlya trapdoor one-way permutation
Counter-ExampleCounter-Example *
Provable Security - RSA-PKCS - Encryption-Signature - 17David Pointcheval
MalleabilityMalleability
m 0k r
G
H
ts
⊕ δ → m’
⊕ δ || 0k → s’ ⊕ T → t’
T = H(s)⊕H(s’ )
*
Provable Security - RSA-PKCS - Encryption-Signature - 18David Pointcheval
One receives c = �(m,r) = f (s,t) = s || g(t) where
M= m ||0k, s = M ⊕ G(r), t = r ⊕ H(s)– One gets s, and computes s’ = s ⊕ ∆
for some ∆ = δ || 0k
– One computes T = H(s) ⊕ H(s’), and t’ = t ⊕Tas well as g(t ⊕T) granted � on g(t) and T
r’ = t’ ⊕H(s’) = t ⊕T ⊕H(s’) = t ⊕H(s) = rM’ = s’⊕G(r) = s⊕∆⊕G(r) = M⊕∆ = (m⊕δ) || 0k
– c’ = f (s’,t’) is a new ciphertext: of m ⊕ δ
Malleability (details)Malleability (details) *
Provable Security - RSA-PKCS - Encryption-Signature - 19David Pointcheval
From c = �(m,r) = f (s,t)
⇒ c’ = �(m ⊕ δ,r) for any δ of his choice
• without asking G(r) ⇒ OW of f not broken
• but asking H(s) ⇒ partial-domain OW of f
This intuition can be made formal:Break IND-CCA2 of f -OAEP,
⇒ partially invert fFujisaki-Okamoto-Pointcheval-Stern Crypto ‘01
Partial-Domain One-Partial-Domain One-WaynessWayness
Provable Security - RSA-PKCS - Encryption-Signature - 20David Pointcheval
The RSA permutation is particular:Partial Domain One-Wayness
⇔ One-WaynessConsequence:
RSA-OAEP is IND-CCA2 underthe classical RSA assumptionNote: Shoup repaired the proof
for RSA exponent 3 only,we repaired it for any exponent
RSA: a Particular CaseRSA: a Particular Case
Provable Security - RSA-PKCS - Encryption-Signature - 21David Pointcheval
PKCS #PKCS #1 v 1 v 2.02.0
After Bleichenbacher’s attack,the OAEP construction was adoptedby RSA in PKCS #1 v 2.0 (and still in v 2.1)
Even if a construction is provably secure,careless implementations often lead tovery weak cryptosystemse.g. invalidity reasons must be indistinguishable– MSB different of zero
– Redundancy not satisfied
Provable Security - RSA-PKCS - Encryption-Signature - 22David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 23David Pointcheval
�(m) = md mod n
�(m,σ) = (m = σe mod n)
Plain-RSA SignaturePlain-RSA Signature
• n=pq : public modulus e : public exponent
• d=e-1 mod ϕ(n) : private
Existential forgery:– choose a random σ– compute m = σe mod n
Provable Security - RSA-PKCS - Encryption-Signature - 24David Pointcheval
PKCS #PKCS #1 v 1.1 v 1.5/2.05/2.0
00 01 00 Digest InfoPadding String
length ≥ 8bytes ≠ 0
EM
)EM((),(?
== fm�)EM()( 1−= fm�
Provable Security - RSA-PKCS - Encryption-Signature - 25David Pointcheval
PKCS #PKCS #1 v 1.1 v 1.5/2.05/2.0
00 01 00 Digest InfoPadding String
length ≥ 8bytes ≠ 0
• Digest Info = HashID and H(m)It is small, and the padding string can be long…
under the control of the adversary
• Using the multiplicativity of RSAa weakness has been found in 1999
EM
Provable Security - RSA-PKCS - Encryption-Signature - 26David Pointcheval
Attack IdeaAttack Idea
• A lot of freedom in the Padding String• Get many EMi for several i such that
EM = Π EMi ⇒ σ = Π σi
After several queries to the signing oracle,one can build a new signature
*
Provable Security - RSA-PKCS - Encryption-Signature - 27David Pointcheval
New VersionNew Version
Applied on a slight variant of ISO 9796-1But theoretical only on PKCS #1 v1.5… less efficient than factoring!
Anyway, a provably secure constructionwas better.
Provable Security - RSA-PKCS - Encryption-Signature - 28David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 29David Pointcheval
Probabilistic Signature SchemeProbabilistic Signature SchemeBellareBellare--RogawayRogaway ‘96 ‘96
m r
H
w
G
F
s t
⊕
0
k2 k1 k0
k = k0 + k1 + k2 + 1{0,1}k-1 ⊂ X ⊂ {0,1}k
f : X → X
y = 0||w||s||tσ = f -1(y)
Provable Security - RSA-PKCS - Encryption-Signature - 30David Pointcheval
RSA - PSSRSA - PSS
• n, k-bit RSA modulus (k = k0 + k1 + k2 + 1)• n,e : public key• d : private key
{ } { } { } { }{ } { } 2
1202
0,10,1 :
0,10,1 :0,10,1 :* k
kkkk
H
GF
→→→ and
nytswy
wFtrwGsrmHwd mod 0
)(,)(),,(
===⊕==
and
Provable Security - RSA-PKCS - Encryption-Signature - 31David Pointcheval
• Provably secure
no existential forgeriesunder chosen-message attacks
• Efficient security proof
⇒ practical security
• Probabilistic
⇒ PKCS #1 v2.1
RSA - PSSRSA - PSS
Provable Security - RSA-PKCS - Encryption-Signature - 32David Pointcheval
SummarySummary
• Encryption– PKCS #1 v1.5– PKCS #1 v2.0 : OAEP
• Signature– PKCS #1 v1.5/2.0– PKCS #1 v2.1 : PSS
• Conclusion
Provable Security - RSA-PKCS - Encryption-Signature - 33David Pointcheval
ConclusionConclusion
Almost all the previously defined paddings,without any security proof,have been showed to be flawed
Any new standard(ISO, IEEE, IETF, PKCS, …)needs a security proof