apr 10 scribe notes #40

wants to merge 5 commits into base: master
63 changes: 38 additions & 25 deletions notes/digsigs.tex
Expand Up @@ -157,9 +157,23 @@ \subsection{Insecurity in Practice: PKCSv1.5}
We now move to a formal proof of $\UFCMA_{\DS}$ security for a hash-based RSA construction that \emph{does} provide such security. We use a full domain hash to avoid such padding leakage issues, and to simplify our reasoning about the security of the scheme.

\subsection{A Secure Scheme: Full Domain RSA}


We now introduce the full domain hash (FDH) RSA scheme, denoted $\DS$. Figure~\ref{fig:fulldomrsa} shows the operation of this scheme, a natural extension of plaintext RSA that simply hashes the message before exponentiating with a secret exponent. Note that we model the hash function as a random oracle, which masks some subtle technical issues surrounding use of a hash with RSA; because $H(M)$ needs to be raised to the $d$ (mod $N$), $H(M)$ must output an element of the RSA group that can be exponentiated in the group. So, the hash function used depends on the choice of $d$, complicating analysis. We ignore these details in our consideration of the protocol, as they can be solved in practice by using a fixed output length hash that is indifferentiable from random oracles using existing hash functions, and mapping the output of the function to the relevant RSA group.
\begin{figure}[h]
\centering
\fpage{0.22}{
\underline{$\sign((N,d),M)$}\\
$\sigma\gets \Horacle(M)^d \mod N$\\
Return $\sigma$
}
\fpage{0.22}{
\underline{$\ver((N,e),M,\sigma)$} \\
$X\gets \sigma^e \mod N$\\
If $X=\Horacle(M)$ then Return 1\\
Return 0
}
\caption{The full domain hash (FDH) digital signature scheme.}
\label{fig:fulldomrsa}
\end{figure}
We now introduce the full domain hash (FDH) RSA scheme, denoted $\DS$. Figure~\ref{fig:fulldomrsa} shows the operation of this scheme, a natural extension of plaintext RSA that simply hashes the message before exponentiating with a secret exponent. Note that we model the hash function as a random oracle, which masks some subtle technical issues surrounding use of a hash with RSA; because $\Horacle(M)$ needs to be raised to the $d$ (mod $N$), $\Horacle(M)$ must output an element of the RSA group that can be exponentiated in the group. So, the hash function used depends on the choice of $d$, complicating analysis. We ignore these details in our consideration of the protocol, as they can be solved in practice by using a fixed output length hash that is indifferentiable from random oracles using existing hash functions, and mapping the output of the function to the relevant RSA group.

We now analyze the $\UFCMA_\DS$ security of our scheme. We do so by reduction to RSA, showing specifically that for any adversary $A$ breaking the $\UFCMA_\DS$ of full domain RSA, we can construct an adversary $B$ for the RSA game with almost the same advantage. Formally, let $q_h$ be the number of hash oracle queries performed by $A$ and $q_s$ be the number of signing oracle queries performed by $A$:

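Review bot: the rewritten paragraph at the end of this hunk still says the hash function "depends on the choice of $d$", but what $\Horacle(M)$ must land in is the group the games below sample from with `$X \getsr \Z_N^*$`, which is determined by the modulus $N$, not by the secret exponent; suggest "depends on the choice of $N$". Minor: the two blank lines after `\subsection{A Secure Scheme: Full Domain RSA}` can be collapsed to one, and since the figure now shows only $\sign$ and $\ver$, a one-line $\kg$ entry would make the $((N,e),(N,d))$ key pair that every game starts from explicit.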
Expand Down Expand Up @@ -227,13 +241,15 @@ \subsection{A Secure Scheme: Full Domain RSA}
\fpage{.22}{
\underline{$\G_0$ \;\;\; \fbox{$\G_1$}}\\
$((N,e),(N,d)) \getsr \kg$\\
$X \getsr \Z_N^*$\\
$Y \gets X^e \bmod N$\\
$i^* \getsr [1,q]$\\
$i \gets 0$\\
$(M^*,\sigma^*) \getsr \advA^{\HashSim}((N,e))$\\
If $(M^* \ne M_{i^*})$ then \\
\myInd $\badtrue$\\
\myInd \fbox{Ret $\false$}\\
Ret $\left(\TabH[M^*] = (\sigma^*)^e \bmod N\right)$\medskip
Ret $\left(X = \sigma^* \right)$\medskip

\underline{$\HashSim(M)$}\\
$i \gets i+1$\\
Expand All @@ -246,13 +262,15 @@ \subsection{A Secure Scheme: Full Domain RSA}
\fpage{.22}{
\underline{$\G_2$}\\
$((N,e),(N,d)) \getsr \kg$\\
$X \getsr \Z_N^*$\\
$Y \gets X^e \bmod N$\\
$i^* \getsr [1,q]$\\
$i \gets 0$\\
$(M^*,\sigma^*) \getsr \advA^{\HashSim}((N,e))$\\
If $(M^* \ne M_{i^*})$ then \\
\myInd $\badtrue$\\
\myInd Ret $\false$\\
Ret $\left(\TabH[M^*] = (\sigma^*)^e \bmod N\right)$\medskip
Ret $\left(X = \sigma^*\right)$\medskip

\underline{$\HashSim(M)$}\\
$i \gets i+1$\\
Expand All @@ -270,8 +288,8 @@ \subsection{A Secure Scheme: Full Domain RSA}
\underline{$\HashSim(M)$}\\
If $i = i^*$ then\\
\myInd Ret $Y$\\
$X \getsr \Z_N^*$\\
Ret $X$
$Y_i \getsr \Z_N^*$\\
Ret $Y_i$
}
\caption{Toy example of full-domain RSA hash signing with no signing queries.}
\label{fig:fulldomaintoy}
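Review bot: the rename from $X$ to $Y_i$ inside $\HashSim$ is necessary now that the challenge $X$ is sampled at the top of the game; the old `$X \getsr \Z_N^*$` on every non-$i^*$ query overwrote the preimage that `Ret $(X = \sigma^*)$` compares against. Two follow-ups: the $i^*$-th query returns the unsubscripted $Y$, so either call that value $Y_{i^*}$ as well or say in the caption that $Y$ is the OWF challenge and the $Y_i$ are the other programmed points; and the visible lines never write $\TabH[M]$, which step $(1)$ relies on ("by construction of the hash oracle"), so check that the elided lines store $Y$ / $Y_i$ in $\TabH[M]$.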
Expand Down Expand Up @@ -322,13 +340,13 @@ \subsection{A Secure Scheme: Full Domain RSA}

$(1)$ follows because $\G_0$ outputs \texttt{true} iff $\TabH[M^*] = (\sigma^*)^e \bmod N$. Note that $\TabH[M^*] = Y$ (because $\G_0$ outputs false if $M_{i^*}\neq M^*$, and by construction of the hash oracle). So, $Y=(\sigma^*)^e \bmod N$ for B's challenge in the OWF game, and $B$ outputs $(\sigma^*)$, winning the OWF game.

$(2)$ follows because $G_2, G_1$ differ only in the output of $\TabH[M^{M^*}]$ (as above, in both, either game returning true implies $M_{i^*} = M^*$). But, in one case, a point sampled from $\calZ_N$ is returned, and in another, $Y$ is returned, which is a point sampled from $\calZ_N$ by definition of the challenge provided $B$ in the OWF game. It is thus impossible for this difference in identically distributed random choice to affect the operation of $A$.
$(2)$ follows because $G_2, G_1$ differ only in the output of $\TabH[M_{i^*}]$ (as above, in both, either game returning true implies $M_{i^*} = M^*$). But, in one case, a point sampled from $\calZ_N$ is returned, and in another, $Y$ is returned, which is a point sampled from $\calZ_N$ by definition of the challenge provided $B$ in the OWF game. It is thus impossible for this difference in identically distributed random choice to affect the operation of $A$.

$(3)$ follows from basic probability, and $(4)$ follows from our variant of the fundamental lemma of game playing, above. $(5)$ follows as the probability that the good flag is set in $G_1$ is exactly equal to the probability that $M^* = M_{i^*}$, which is by definition the probability that the $i^*$th query of $q_h$ total queries to the hash oracle has as input $M^*$. Because $i$ is independently uniformly sampled, this probability is equal for every choice of $i$, independent of all other values. $(6)$ follows as Lemma 1 states that $M^*$ will be exactly one of the queries to the hash oracle (in this case equal to the number of total queries, $q$, as $q_s=0$), making this probability exactly equal to $\frac{1}{q}$. Note that concretely here, $q=q_h+1$ by Lemma 1.

\textbf{Generalization of toy example to full proof} We now must do a generalization of the above to cases where $q_s \geq 1$, that is, our black-box $\UFCMA_\DS$ adversary makes at least one signing query. In these cases, we face a substantive challenge: because the hash function in our full domain RSA construction is used by the signing routine, it is not the case that sign function outputs are independent of the outputs of our hash function. We therefore cannot simply return random points for both the sign and hash function, as this breaks the structure of signatures; for example, any adversary that runs \texttt{ver} on outputs of \texttt{sign} would receive outputs of $1$ with a valid signature and hash function, and $0$ if we return random points, altering its execution and therefore output with overwhelming probability.

We therefore must program the signature oracle to return points which constitute valid signatures for points on which the hash oracle has already been queried (by Lemma 1, we can assume this is always the case). So, as desired, we have that $\AdvOWF{\RSAk}{\advB_{toy}} \ge \AdvUFCMA{\DS}{\advA}\cdotsm\frac{1}{q}$, completing the proof.
We therefore must program the signature oracle to return points which constitute valid signatures for points on which the hash oracle has already been queried (by Lemma 1, we can assume this is always the case). $\HashSim$, instead of returning a random string, first chooses a corresponding signature at random for the message $M$ queried. It then returns the signature raised to the $e$th power. In this way, any queries made to $\SignSim$ will always return a valid signature for the corresponding $\HashSim$ output, unless $i=i^*$. If $\advA$ queries $\SignSim$ on the $i^*$th message, we just accept that we will fail to invert $Y$. The rest of the arguments from the toy example still hold, but now we have $q=q_h+q_s+1$. So, as desired, we have that $\AdvOWF{\RSAk}{\advB} \ge \AdvUFCMA{\DS}{\advA}\cdotsm\frac{1}{q}$, completing the proof.



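Review bot: the new description of the simulated oracles leaves the failure case implicit: "unless $i=i^*$" should say that on the $i^*$-th hash query $\HashSim$ returns the challenge $Y$ (as in the toy $\HashSim$ above), for which $\advB$ knows no $e$-th root, so a $\SignSim$ query on $M_{i^*}$ cannot be answered and the reduction gives up; that is the event the bad flag in the signing-oracle figure should record, and it is why $q$ grows to $q_h + q_s + 1$. Also, the paragraph for $(2)$ samples from "$\calZ_N$" while every game line samples from $\Z_N^*$; use one symbol, and keep the star, since the programmed values $r^e$ range over $\Z_N^*$. The correction of $\TabH[M^{M^*}]$ to $\TabH[M_{i^*}]$ is right.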
Expand Down Expand Up @@ -360,7 +378,7 @@ \subsection{A Secure Scheme: Full Domain RSA}
}
\fpage{.30}{
\underline{$\G_0$}\\
$((N,e),(N,d) \getsr \kg$\\
$((N,e),(N,d)) \getsr \kg$\\
$X \getsr \Z_N^*$\\
$Y \gets X^e \bmod N$\\
$i^* \getsr [1,q]$\\
Expand All @@ -369,7 +387,7 @@ \subsection{A Secure Scheme: Full Domain RSA}
If $(M^* \ne M_{i^*})$ then \\
\myInd $\badtrue$\\
\myInd $X' \getsr \Z_N^*$\\
$X' \gets \sigma^*$\\
Else $X' \gets \sigma^*$\\
Ret $(X = X')$\medskip

\underline{$\HashSim(M)$}\\
Expand All @@ -390,17 +408,16 @@ \subsection{A Secure Scheme: Full Domain RSA}
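Review bot: adding `Else` before `$X' \gets \sigma^*$` is the real fix in this hunk; without it the assignment ran unconditionally, the freshly sampled $X'$ in the bad branch was dead, and $\G_0$ computed $(X = \sigma^*)$ whether or not bad was set. With the `Else`, $\G_0$ on bad outputs a uniformly random guess, which is the behaviour $\advB$ needs for the later equality $\Prob{\G_0\Rightarrow\true} = \AdvOWF{\RSAk}{\advB}$ to hold; one sentence in the proof text saying that $\advB$ outputs a random $X'$ when it aborts would make that explicit. The closing parenthesis on `$((N,e),(N,d)) \getsr \kg$` fixes the unbalanced brackets.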
}
\fpage{.30}{
\underline{$\G_1$}\\
$((N,e),(N,d) \getsr \kg$\\
$((N,e),(N,d)) \getsr \kg$\\
$X \getsr \Z_N^*$\\
$Y \gets X^e \bmod N$\\
$i^* \getsr [1,q]$\\
$i \gets 0$\\
$(M^*,\sigma^*) \getsr \advA^{\HashSim,\SignSim}((N,e))$\\
If $(M^* \ne M_{i^*})$ then \\
\myInd $\badtrue$\\
\myInd $X' \gets \sigma^*$\\
$X' \gets \sigma^*$\\
Ret $(X = X')$\medskip
\myInd Return $\false$\\
Ret $(X = \sigma^*)$\medskip

\underline{$\HashSim(M)$}\\
$i \gets i+1$\\
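Review bot: `\myInd Return $\false$` breaks the keyword convention used by every other game line (`Ret $\false$`, `Ret $Y$`, `Ret $\sigma_i$`); change it to `Ret $\false$`. Since $\G_0$ and $\G_1$ now differ only in the bad branch (random $X'$ versus returning false), the figure could use the same `$\G_0$ \;\;\; \fbox{$\G_1$}` boxed-line layout as the toy figure instead of repeating the whole game, which would also make the "identical until bad" step in the align block visually obvious.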
Expand All @@ -419,22 +436,18 @@ \subsection{A Secure Scheme: Full Domain RSA}
Ret $\sigma_i$
}


\begin{align*}
\AdvUFCMA{\DS}{\advA} &= \Prob{\G_1\Rightarrow\true}\\
&\le \Prob{\G_0\Rightarrow\true} + \Prob{\bad_0}\\
&= \AdvOWF{\RSAk}{\advB} + \Prob{\bad_0}
\end{align*}

\caption{Extension of our toy example to a full proof, simulating signing oracle points.}
\label{fig:fulldomainsignproof}
\end{figure}

\textbf{TODO Lucy; describe/check Figure~\ref{fig:fulldomainsignproof} and merge with the toy proof; the proof should be mainly unchanged.}

\end{proof}


\paragraph{Concrete security implications of FDH.}
We can get a better bound for the $\UFCMA$ security of the FDH signature scheme by embedding the challenge $Y$ for the OWF in multiple $\TabH[M]$ values. We do this by picking random $r_i$ values and assigning $Y_i=Y\cdot r_i^e\mod N$. Since we expect to lose the game if adversary $\advA$ queries the $\SignSim$ oracle on any messages corresponding to these programmed $Y_i$s, there is a balance between choosing more values to program and having a larger chance of automatically losing the game. As Coron originally proved in~\cite{coron2000exact} and as described by Boneh and Shoup in~\cite{BonehShoupBook}, we can find the optimal parameters and achieve a bound of
\bnm
\AdvUFCMA{\DS}{\advA}\leq 2.72\cdot(q_s+1)\cdot \AdvOWF{\RSAk}{\advB'}\,.
\enm
The reduction no longer relies on the number of hash oracle queries made, which makes the bound tighter.
\subsection{Questions}

\begin{enumerate}
Expand Down
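Review bot: the new `align*` block sits inside the `figure` environment, between the `\fpage` boxes and `\caption`; move it into the proof body after `\end{figure}`, next to the toy example's numbered steps, so it flows with the text rather than floating with the figure. More importantly, the chain bounds $\Prob{\G_1\Rightarrow\true}$ by $\Prob{\G_0\Rightarrow\true} + \Prob{\bad_0}$, but $\bad_0$ is set whenever $M^* \ne M_{i^*}$, i.e. with probability about $1 - \frac{1}{q}$, so this route cannot reach the $\frac{1}{q}$-loss bound $\AdvOWF{\RSAk}{\advB} \ge \AdvUFCMA{\DS}{\advA}\cdot\frac{1}{q}$ claimed in the prose; the toy proof gets there through the independence of $i^*$ (steps $(5)$ and $(6)$), and the same argument is needed here. The `\textbf{TODO Lucy ...}` line should not be merged as-is. In the new paragraph, the Coron bound $2.72\cdot(q_s+1)$ is stated correctly (the constant is $e$), `\bnm`/`\enm` are fine if the preamble defines them, and a blank line before `\subsection{Questions}` would match the spacing used elsewhere in the file.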
10 changes: 9 additions & 1 deletion notes/notes.bib
Expand Up @@ -550,6 +550,14 @@ @inproceedings{stevens2017first
organization={Springer}
}

@inproceedings{coron2000exact,
title={On the exact security of full domain hash},
author={Coron, Jean-S{\'e}bastien},
booktitle={Annual International Cryptology Conference},
pages={229--235},
year={2000},
organization={Springer}
}
@misc{eddsa,
title={{IRTF} {RFC} 8032: {E}dwards-curve digital signature algorithm},
url={https://tools.ietf.org/html/rfc8032},
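Review bot: add a blank line between the closing `}` of `coron2000exact` and `@misc{eddsa,` to match the separation the file uses between entries (see the blank line after `stevens2017first`). The key matches the new `\cite{coron2000exact}` in digsigs.tex.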
Expand Down Expand Up @@ -588,4 +596,4 @@ @inproceedings{schnorr1989efficient
pages={239--252},
year={1989},
organization={Springer}
}
}