Chapter 2 Evaluation of Public-key Cryptographic Techniques
"Empirical security" as used here means that: a) a cryptographic technique has a solid track record of use over a relatively long period of time, b) no specific attack has been revealed in spite of extensive research, and c) no weakness in actual operation has been detected. Note, however, that these facts do not prove the nonexistence of attacks and vulnerabilities.
Also note that "provable security" as used here does not mean that the security of a scheme has been proved outright. In this chapter, the statement "a certain public-key scheme has provable security under a certain assumption" means the following: if there exists an attack that compromises the security of the scheme, or of its idealized scheme, then it can be proved rigorously, under the stated assumption, that this attack yields a method for solving some other mathematical problem at little additional computational cost. The idealized scheme of a given scheme is a virtual scheme identical to the original except that an auxiliary function used by the scheme (such as a hash function) is replaced by an idealized one (such as a random function, i.e. a random oracle). "Under a certain assumption" reflects that the confidence such a result gives varies with the target of the attack (the original scheme or its idealized scheme), the type of mathematical problem and its computational complexity, the security level, the attack model and the underlying assumptions. For signature schemes we require existential unforgeability against adaptive chosen-message attacks (EUF-CMA); for confidentiality (encryption) schemes we require semantic security against adaptive chosen-ciphertext attacks (IND-CCA2).
As long as the proof itself is correct, the fact that a scheme has provable security is not invalidated by the passage of time. The estimated computational complexity of the underlying mathematical problem, however, may change with advances in theory or in the technological environment. Therefore, even if a scheme has provable security under a certain assumption today, its security may be compromised in the future if that assumption fails. Large security gaps between an original scheme and its idealized scheme may also emerge in the future. Conversely, even if it has not been shown that a scheme has provable security at this point in time, that does not mean the scheme is insecure: there are cases where a scheme has a track record of use and no particular security problem has been found, yet provable security cannot be demonstrated with present proof techniques.
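The two security goals named above, existential unforgeability under adaptive chosen-message attack for signatures and semantic security under adaptive chosen-ciphertext attack for encryption, can be made concrete with a small worked example. The following Python is added here and is not part of the CRYPTREC report; it plays both attack games against textbook RSA (plain modular exponentiation with no message encoding), which is not one of the evaluated schemes and serves only as a deliberately weak stand-in. The key parameters, the messages and the toy hash-then-sign encoding are constructed values; the hashed variant stands in for a proper encoding such as PSS only to show why the multiplicative forgery stops working once the message is hashed.

```python
"""Added worked example (not from the CRYPTREC report): the EUF-CMA and
IND-CCA2 attack games played against textbook RSA, i.e. plain modular
exponentiation with no message encoding. Textbook RSA is a deliberately weak
stand-in used for illustration only; all parameters below are constructed toy
values and far too small for real use."""

import hashlib

# Constructed toy RSA key: two ~30-bit primes, chosen so that gcd(E, PHI) = 1.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65_537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)


def rsa_private(x: int) -> int:
    """RSA trapdoor permutation with the private exponent (sign / decrypt)."""
    return pow(x, D, N)


def rsa_public(x: int) -> int:
    """RSA permutation with the public exponent (verify / encrypt)."""
    return pow(x, E, N)


# --- EUF-CMA game: the adversary adaptively queries a signing oracle and must
# --- output a valid signature on any message it did not query.

def existential_forgery_textbook(m1: int, m2: int) -> tuple:
    """Two oracle queries, one forgery. Textbook RSA is multiplicatively
    homomorphic, so s1*s2 verifies as a signature on m1*m2 mod N, a message
    the oracle never signed. Returns (forged message, forged signature, verifies?)."""
    s1, s2 = rsa_private(m1), rsa_private(m2)     # the chosen-message queries
    m_forged = (m1 * m2) % N
    s_forged = (s1 * s2) % N
    return m_forged, s_forged, rsa_public(s_forged) == m_forged


def hash_to_zn(m: int) -> int:
    """Constructed hash-then-sign encoding: SHA-256 of the message, reduced
    into Z_N. A stand-in for a proper encoding such as PSS, used only to show
    that the homomorphic forgery depends on signing the raw message."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(16, "big")).digest(), "big") % N


def forgery_attempt_hashed(m1: int, m2: int) -> bool:
    """The same multiplicative trick against hash-then-sign. s1*s2 is a
    signature on H(m1)*H(m2) mod N, and a SHA-256-based encoding is not
    multiplicative, so verification against H(m1*m2 mod N) fails (except
    with negligible probability)."""
    s_forged = (rsa_private(hash_to_zn(m1)) * rsa_private(hash_to_zn(m2))) % N
    return rsa_public(s_forged) == hash_to_zn((m1 * m2) % N)


# --- IND-CCA2 game: the adversary receives a challenge ciphertext and may query
# --- a decryption oracle on any ciphertext except the challenge itself.

class DecryptionOracle:
    """Decryption oracle of the CCA2 game: refuses only the challenge ciphertext."""

    def __init__(self, challenge: int):
        self.challenge = challenge

    def decrypt(self, c: int) -> int:
        if c == self.challenge:
            raise PermissionError("the challenge ciphertext itself may not be queried")
        return rsa_private(c)


def cca2_recover_textbook(m: int) -> int:
    """Challenger encrypts m. Textbook RSA is malleable: c * 2^e mod N is a
    valid encryption of 2m, the oracle accepts it, and halving the answer
    modulo N recovers m. The adversary therefore wins the distinguishing game
    with certainty, so the scheme is not IND-CCA2 secure."""
    c = rsa_public(m)                        # challenge ciphertext
    oracle = DecryptionOracle(c)
    c_related = (c * rsa_public(2)) % N      # encrypts 2*m and differs from c
    two_m = oracle.decrypt(c_related)
    return (two_m * pow(2, -1, N)) % N


if __name__ == "__main__":
    m_f, s_f, ok = existential_forgery_textbook(123_456_789, 987_654_321)
    print(f"textbook RSA forgery on unqueried message {m_f}: verifies={ok}")
    print(f"same trick against hash-then-sign verifies={forgery_attempt_hashed(123_456_789, 987_654_321)}")
    secret = 0xDEADBEEFCAFE
    print(f"CCA2 recovery of challenge plaintext: {cca2_recover_textbook(secret) == secret}")
```

Both adversaries win outright against the unencoded primitive. A provable-security result for a scheme such as RSA-PSS or RSA-OAEP is, in the sense defined above, a proof that no adversary of this kind can exist in the idealized scheme unless it can also solve the RSA problem at comparable cost.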
With regard to side-channel attacks, which are being studied intensively today, we do not give them high priority in the evaluation of public-key cryptographic techniques, since resistance to them depends to a great extent on the implementation of the algorithm. Given the current intensity of research, however, both attacks and countermeasures are expected to be analyzed further in the future. At this point in time it is crucial to take the latest research on side-channel attacks into careful consideration when implementing an algorithm prior to actual operation: even an algorithm with provable security may be exposed to side-channel attacks in the actual operating environment by a careless implementation. Chapter 6 surveys side-channel attacks.
2.1.2 Evaluated cryptographic techniques
The cryptographic techniques targeted for evaluation in fiscal 2002 were put into the following three categories.
1. Submitted cryptographic techniques (full-evaluation targets)
   ESIGN*1, ECDSA (SEC 1), RSA-PSS, RSA-OAEP, HIME(R), ECIES, ECDH (SEC 1), PSEC-KEM
2. Other cryptographic techniques to be evaluated
   RSAES-PKCS1-v1_5, TSH-ESIGN, RSA-OAEP, RSA-PSS, DH
3. Cryptographic techniques that are specific evaluation targets
   DSA, ECDSA (ANSI X9.62), RSASSA-PKCS1-v1_5, ESIGN
ESIGN is a submitted cryptographic technique that is also a specific evaluation target. RSA-OAEP and RSA-PSS are categorized both as submitted cryptographic techniques and as "Other cryptographic techniques to be evaluated".
2.1.3 Evaluation method
Only full evaluations and related investigations were carried out in fiscal 2002. We outsourced the evaluation tasks to experts in cryptographic theory in Japan and abroad. The Public-key Cryptography Subcommittee reviewed and summarized all evaluation results, including those of the outsourced tasks. Fiscal 2002 was set as the closing year of the cryptographic technique evaluation activities, so in fiscal 2002 we conducted detailed studies of issues that were not fully resolved in fiscal 2001. At the request of the Cryptographic Advisory Committee, we also evaluated RSAES-PKCS1-v1_5 in the category of "Other cryptographic techniques to be evaluated"; RSAES-PKCS1-v1_5 has a track record of use in the cryptographic protocol SSL/TLS.
2.1.3.1 Full evaluation
We have confirmed that there are no problems in public-key cryptographic techniques that have a track record of use and evaluation over a relatively long period of time. We have also discussed the provable security of new public-key cryptographic techniques that do not have a long track record and investigated whether there are problems in the methods used for parameter selection and auxiliary functions. In addition to its evaluation activities, the Public-key Cryptography Subcommittee summarized the security evaluations that were outsourced to cryptographic researchers at home and abroad (see Table 2.1).
*1 This signature scheme was included in the Guidelines on the Law concerning Electronic Signatures and Certification Services (2001 Notification No. 2 of the Ministry of Public Management, Home Affairs, Posts and Telecommunications, the Ministry of Justice, and the Ministry of Economy, Trade and Industry; Extra Edition No. 86 of the Official Gazette, April 27, 2001). The article was later deleted by an amendment made under 2001 Notification No. 13 of the same three ministries (Official Gazette No. 3492, November 21, 2001).
Full evaluation items
We carried out a security evaluation of each evaluation target cryptographic technique with respect to both the scheme itself and the complexity of the number-theoretic problems on which its security rests. Our efforts were focused on the following points.
• Security evaluation items involving the complexity of number-theoretic problems
 i) Integer factoring problem
  - Investigation of known solution algorithms and a comparison of their effectiveness
  - Comparison between moduli of the form pq and of the form p^d q (d ≥ 2)
  - Validity and feasibility of research on implementing the general number field sieve on a hardware circuit
 ii) Discrete logarithm problem
  - Investigation of known solution algorithms and a comparison of their effectiveness
 iii) Elliptic curve discrete logarithm problem
  - Investigation of known solution algorithms and a comparison of their effectiveness
  - Investigation of problems regarding restricted curves (such as Koblitz curves)
• Parameter selection and security
  - Differences between the SEC 1 and ANSI elliptic curve parameters and their security
  - Parameter selection method used for RSA
• Security evaluation items regarding cryptographic schemes
 i) DSA
  - Security evaluation of the primitive and the scheme
  - Problems in the random number generation method given in FIPS 186-2 Appendix 3
 ii) ECDSA
  - Validity and significance of the proof of existential unforgeability in the generic group model
  - Vulnerability in the reduction function and DSKS (duplicate-signature key selection) characteristics
  - Security evaluation of Koblitz curves
 iii) ESIGN, TSH-ESIGN
  - Adequacy of the size of the recommended parameters
  - Approximate e-th root problem and the p^2 q type integer factoring problem
  - Provable security in the SO-CMA model
 iv) RSA
  - Security evaluation of the RSASSA-PKCS1-v1_5 signature scheme and the RSAES-PKCS1-v1_5 encryption scheme
  - Provable security of RSA-PSS and RSA-OAEP and the efficiency of their reductions
 v) ECIES
  - Investigation of vulnerabilities regarding the MAC and KDF functions
 vi) HIME(R)
  - Verification of overall security, including provable security
  - p^2 q type integer factoring problem
 vii) DH
  - Security evaluation of the scheme (ANSI X9.42-2001)
 viii) ECDH
 ix) PSEC-KEM
  - Provable security of the KEM required for the KEM-DEM construction
  - Security of hybrid public-key schemes built by the KEM-DEM construction
  - Security when used in ways other than as a KEM
2.1.3.2 Evaluation of software implementation
CRYPTREC verified the performance of cryptographic techniques by evaluating their software implementations and confirmed that there were no operational problems. No standard was set for the processing speed of public-key cryptographic techniques. Software implementations of public-key cryptographic techniques were evaluated only in fiscal 2000; no such evaluation was carried out in fiscal 2001 or 2002, because most of the full-evaluation target ciphers had already been measured in fiscal 2000 or had a long track record of use indicating no operation-related problem.
Table 2.1: Number of Outsourced Full Evaluations for Prospective e-Government Ciphers and Fiscal 2002 Full Evaluation Target Cryptographic Techniques

Target of evaluation                                   Fiscal 2000  Fiscal 2001  Fiscal 2002  Total
Scheme
  DSA                                                  0(1)         3(2)         -            3(3)
  ECDSA                                                2(1)         3(1)         0(1)         5(3)
  ESIGN                                                -            3(1)         -            3(1)
  RSA-OAEP, RSA-PSS                                    0(1)         2(2)         -            2(3)
  PKCS#1 v1.5 Signature, etc.                          -            -            2(1)         2(1)
  ECIES                                                2(1)         -            2(0)         4(1)
  HIME(R)                                              -            -            3(0)         3(0)
  DH                                                   0(1)         -            -            0(1)
  ECDH                                                 2(1)         -            -            2(1)
  PSEC-KEM                                             -            1(2)         0(2)         1(4)
Difficulty of number-theoretic problems
  Integer factoring problem (experiment)               0(1)         0(1)         0(1)         0(3)
  Integer factoring problem (investigation)            -            0(1)         0(1)         0(2)
  Integer factoring problem in specific form           -            3(1)         -            3(1)
  Discrete logarithm problem                           0(1)         2(1)         -            2(2)
  Elliptic curve discrete logarithm problem            -            2(0)         1(0)         3(1)