Evaluation of Public-key Cryptographic Techniques
Definition 2 (AER assumption): The approximate e-th root problem is hard if, for every constant c and every probabilistic polynomial-time algorithm Adv, the following holds for all sufficiently large k:
Pr[Adv(k, n, e, y) → x] < 1/k^c
where 0||y = [x^e mod n]^k and the probability is taken over the probability spaces of G and Adv. The assumption that the approximate e-th root problem is hard is called the "approximate e-th root assumption" (AER assumption).
• Cases of e = 2 and e = 3
If e = 2, a signature is successfully forged by using Brickell and DeLaurentis's method [1]. The overview of this method is as follows:
Assume that x is an integer close to n^{1/2}; then x^2 mod n is O(n^{1/2}), which satisfies the ESIGN signature verification equation when the message is m = 0. The method extends this principle to an arbitrary m by using continued-fraction expansion to find an approximate square root.
The method by Brickell and DeLaurentis can be extended easily to the case of e = 3.
Vallée, Girault and Toffin presented a signature forgery method against ESIGN for e = 2 that uses a lattice basis reduction algorithm such as LLL [16, 17]. For solving multivariate polynomial equations over a finite field with lattice basis reduction, Coppersmith's improvement is well known [2, 3].
• Case of e ≥ 4
In the case of e ≥ 4, no attack has been reported that is more efficient than factoring the modulus n.
n = p^2 q type integer factoring problem
If the factorization of the modulus n is given, the approximate e-th root problem can be solved. Unlike the moduli n = pq (p and q of the same size) used in RSA cryptography, the modulus of ESIGN signature is of the form n = p^2 q (p and q of the same size). It is therefore necessary to review the difficulty of the integer factoring problem for moduli of this form. See 2.4.1 for the difficulty of the integer factoring problem.
2.3.3.5 Security of the scheme
As described in the previous section, ESIGN signature has multiple specifications. They fall into two groups: ESIGN, which at present has no provable security, and TSH-ESIGN, which is considered to be provably existentially unforgeable against adaptive chosen-message attacks under the n = p^2 q integer factoring assumption and the approximate e-th root assumption in the random oracle model. The security in each case is evaluated below.
Security of the signature
Evaluation of the security categorizes the types of attacks against the signature scheme and performs the following:
1. Security evaluation of the mathematical problems used (for ESIGN signature, the approximate e-th root problem or the integer factoring problem)
2. Evaluation of the relationship between the mathematical problems used and the signature scheme
Item 1 was evaluated in the previous section; item 2 is evaluated in this section. Tables 2.6 and 2.7 list the types of attacks against a signature scheme and the types of forgery [15, 14]. The strongest security notion for a signature scheme is:
"existential unforgeability against an adaptive chosen-message attack (CMA)."
Table 2.6: Types of attacks against the signature scheme

Attack | Description | Class
Key-only attack | Uses the public key only. | Passive attack
Known-message attack | Applicable when signatures on some random messages are available. | Passive attack
Chosen-message attack | Applicable when signatures on messages specified by the attacker in advance are available; all messages to be signed by the signer must be selected before the attack. | Passive attack
Single-occurrence adaptive chosen-message attack | The messages submitted for signing may be chosen using the signatures and messages obtained so far; however, only one signature can be obtained per message. | Active attack
Adaptive chosen-message attack | The messages submitted for signing may be chosen using the signatures and messages obtained so far. | Active attack
Table 2.7: Types of signature forgery

Type of forgery | Description
Universal forgery | A signature can be forged for an arbitrary message.
Selective forgery | A signature can be forged for some message selected by the attacker in advance.
Existential forgery | A signature can be forged for at least one specific message.
If the signature scheme is non-deterministic, multiple valid signatures may exist for one message. In the CMA, two or more inquiries to the signature oracle per message can be made (multiple signatures can be obtained). On the other hand, Stern defined an attack model [14]:
"Single-Occurrence adaptive chosen-message attack (SO-CMA)"
In the SO-CMA, only one inquiry to the signature oracle per message is permitted (only one signature can be obtained).
TSH-ESIGN
In the message encoding of TSH-ESIGN, a hash function H with an output length of k − 1 bits is used to compute the hash value of the message m, and m is encoded as follows.
Stern proved the security of the TSH-ESIGN signature in the random oracle model as follows [14].
Theorem 3 (Stern [14]): Let A be an SO-CMA adversary against the TSH-ESIGN signature scheme that produces an existential forgery with success probability ε within time τ, making q_H queries to the hash function and q_s distinct requests to the signing oracle. Then the approximate e-th root problem can be solved with probability ε' within time τ', where
ε' ≥ ε − (q_H + q_s) × q_H / 2^{k−1} − (3/4)^k
τ' ≤ τ + (q_H + q_s) · k · T_exp(k)
where T_exp(k) denotes the computing time of a modular exponentiation.
The approach and proof of this theorem follow Shoup's treatment of OAEP [13], using a Shoup-style game-based argument. Note that what this theorem proves is not existential unforgeability against general adaptive chosen-message attacks (CMA) but existential unforgeability against SO-CMA. Stern also pointed out the following:
• The proof [12] provided by the submitter implicitly assumes SO-CMA as the attack model.
• No method is known at present to extend the provable security of TSH-ESIGN to general CMAs.
Although specific attacks or signature forgery schemes against TSH-ESIGN have not been found, it is not desirable that the provable security is provided for SO-CMA only, but not for general CMAs.
Granboulan has already proposed modifications of ESIGN so that TSH-ESIGN has provable security against general CMAs [4, 5]. References [4, 5] present two schemes: the deterministic scheme ESIGN-D and the probabilistic scheme ESIGN-R. TSH-ESIGN has also been submitted to NESSIE. Note that TSH-ESIGN and ESIGN-D are mutually compatible: a signature generated with TSH-ESIGN is verified correctly by ESIGN-D and vice versa, as is obvious from both algorithms.
ESIGN
In the ESIGN signature listed in the Guidelines on the Law concerning Electronic Signatures and Certification Services, that is, the ESIGN signature submitted to CRYPTREC in 2001, the message encoding method EMSA is used [10]. Stern reported that signature forgery against ESIGN succeeds with non-negligible probability [14]. This report is outlined below.
The EMSA encoding method works as follows. The hash value of the message m is first computed with a hash function H whose output is an hLen-bit string, where hLen ≤ k − 16, and a (k − hLen)-bit string is then prepended to the hash value. In hexadecimal notation the result has the form
00||PS||FF||H(m)
where PS is a padding byte string consisting of bytes other than FF. In this way the message m is converted into a k-bit string. This padding string PS has an adverse effect on security: the security no longer reduces to the approximate e-th root problem but to the following variant of it:
Definition 4 (variant of the approximate e-th root problem [14]): Given n of bit-size 3k and a bit string v of length hLen, find x such that the binary expansion of x^e mod n has a window of bits which coincides with
This variant of the approximate e-th root problem is easy to solve if e is small. A signature can be forged if the following condition holds [14]:
2k ≥ e (hLen + log 2 + 8)
The Guidelines on the Law concerning Electronic Signatures and Certification Services specified SHA-1 and MD5 as hash functions until November 2002. For SHA-1 (hLen = 160), the above condition becomes:
|n| > 205.04 e
Therefore, if SHA-1 is used, signature forgery succeeds, for example, in the following cases:
• |n| = 1024 and e ≤ 4
• |n| = 2048 and e ≤ 8
For MD5 (hLen = 128), a signature can be forged when:
|n| > 205.04 e
For example, signature forgery succeeds in the following cases:
• |n| = 1024 and e ≤ 4
• |n| = 2048 and e ≤ 9
These parameters include those specified in the Guidelines on the Law concerning Electronic Signatures and Certification Services (e.g. |n| = 2048 and e = 8).
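As an added example (not the report's or the submitter's code) covering the verification equation of Definition 2, the EMSA encoding 00||PS||FF||H(m), and the parameter condition 2k ≥ e(hLen + log 2 + 8) above, the Python script below contains a parameter audit that reproduces the four forgeable cases listed, an EMSA encoder, the ESIGN verification predicate and, so that valid signatures exist for testing, textbook ESIGN signing with the trapdoor p, q, which this page does not reproduce. Assumptions: [v]^k is the k most significant bits of a 3k-bit value, PS is filled with 0x00 bytes, the log term is ln 2, and the toy primes 251 and 241 are constructed for illustration.

```python
import hashlib
import math
import secrets

# Toy trapdoor (constructed for illustration): k = 8, so n = p^2 q = 15183241 has 3k = 24 bits.
TOY_P, TOY_Q, TOY_E, TOY_K = 251, 241, 4, 8

def emsa_encode(msg: bytes, k: int, hash_name: str = "sha1") -> int:
    """k-bit EMSA encoding 00||PS||FF||H(m); PS is filled with 0x00 bytes here (any non-FF bytes work)."""
    h = hashlib.new(hash_name, msg).digest()
    if k % 8 or 8 * len(h) > k - 16:
        raise ValueError("hLen must be at most k - 16 bits")
    ps = b"\x00" * (k // 8 - len(h) - 2)
    return int.from_bytes(b"\x00" + ps + b"\xff" + h, "big")

def top_k_bits(v: int, k: int) -> int:
    """[v]^k, read here as the k most significant bits of v regarded as a 3k-bit string."""
    return v >> (2 * k)

def esign_verify(n: int, e: int, x: int, em: int, k: int) -> bool:
    """Verification equation: the top k bits of x^e mod n equal the k-bit encoded message em."""
    return 0 <= x < n and top_k_bits(pow(x, e, n), k) == em

def esign_sign(p: int, q: int, e: int, em: int, k: int) -> int:
    """Textbook ESIGN signing with the trapdoor p, q (n = p^2 q of 3k bits, em < 2^(k-1))."""
    n, pq = p * p * q, p * q
    while True:
        r = secrets.randbelow(pq)
        if r % p == 0:                      # e r^(e-1) must be invertible mod p
            continue
        z = ((em << (2 * k)) - pow(r, e, n)) % n
        w0 = -(-z // pq)                    # ceil(z / pq)
        w1 = w0 * pq - z
        if w1 >= 1 << (2 * k - 1):          # would disturb the top k bits: pick a new r
            continue
        u = w0 * pow(e * pow(r, e - 1, p) % p, -1, p) % p
        # x^e = r^e + e r^(e-1) u pq (mod n) because (pq)^2 = 0 (mod n), so x^e mod n = em||w1.
        return (r + u * pq) % n

def max_forgeable_e(n_bits: int, h_len: int) -> int:
    """Largest e satisfying the reported EMSA forgery condition 2k >= e(hLen + log 2 + 8), k = |n|/3.
    The log term is taken as ln 2 (assumption); with it the page's four example cases are reproduced."""
    e = 0
    while 2 * n_bits / 3 >= (e + 1) * (h_len + math.log(2) + 8):
        e += 1
    return e
```

The audit does not attempt any forgery; it only reports which (|n|, e, hash) combinations lie inside the region the condition describes, which is what a parameter review needs.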
2.3.3.6 Auxiliary function
ESIGN signature uses hash functions as auxiliary functions. ESIGN adopts two schemes; a scheme specifying the use of MD5 as the hash function and another specifying the use of SHA-1. The former scheme is not recommended. For the security of hash functions, see Chapter 4 and Reference [7].
2.3.3.7 Implementability
In the implementation [11] by the submitter, key generation, signature generation and signature verification took 610 ms, 1.04 ms and 0.70 ms respectively on an 800 MHz Celeron, with a 1152-bit modulus n and security parameter e = 1024.
RSA and ECDSA signatures have been implemented on various platforms by various researchers and their speeds have been measured, whereas ESIGN implementations other than the submitter's are rarely known. It is therefore not known how much faster ESIGN can be made. Note, however, that some of the techniques used to speed up RSA, such as fast modular exponentiation, also apply to ESIGN signature.
2.3.3.8 Summary of ESIGN signature
• ESIGN: With some of the security parameters described in the Guidelines on the Law concerning Electronic Signatures and Certification Services (e.g. n of 2048 bits and e of 8 or smaller with SHA-1), signature forgery succeeds with non-negligible probability. ESIGN was therefore deleted when the Guidelines were amended in November 2002.
• TSH-ESIGN: The proven security is not existential unforgeability against general adaptive chosen-message attacks but existential unforgeability against single-occurrence adaptive chosen-message attacks.