Replacing a Random Oracle
Full Domain Hash From Indistinguishabilitly Obfuscation
UbiCrypt Seminar Lecture Series, 22.01.2015
Felix Heuer
Horst Görtz Institute for IT Security
Ruhr University Bochum
Recap: RSA Full Domain Hash Signatures
§
Gen: (N, e, d) ← RSAGen s.t. N = p ·q and e ·d = 1 mod Φ(N).
pk = (N, e), sk = (N, d).
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
2/7
Recap: RSA Full Domain Hash Signatures
§
Gen: (N, e, d) ← RSAGen s.t. N = p ·q and e ·d = 1 mod Φ(N).
pk = (N, e), sk = (N, d).
§
Sign(m):
σ = H(m)d
mod N.
H : {0, 1}∗ → Z∗N is modeled as a Random Oracle.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
2/7
Recap: RSA Full Domain Hash Signatures
§
Gen: (N, e, d) ← RSAGen s.t. N = p ·q and e ·d = 1 mod Φ(N).
pk = (N, e), sk = (N, d).
§
Sign(m):
σ = H(m)d
§
mod N.
Vrfy(m, σ):
?
σ e = H(m) mod N.
H : {0, 1}∗ → Z∗N is modeled as a Random Oracle.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
2/7
Proof idea
Theorem 1 (Bellare, Rogaway ’93)
RSA FDH Hash is selectively secure in the Random Oracle Model if
the RSA Assumption holds.
A has to commit to the message m∗ for which he is going to provide a
forgery in advance.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
3/7
Proof idea
Theorem 1 (Bellare, Rogaway ’93)
RSA FDH Hash is selectively secure in the Random Oracle Model if
the RSA Assumption holds.
A has to commit to the message m∗ for which he is going to provide a
forgery in advance.
$
Given (N, e) and y = x e mod N for some x ← Z∗N , find x .
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
3/7
Proof idea
Theorem 1 (Bellare, Rogaway ’93)
RSA FDH Hash is selectively secure in the Random Oracle Model if
the RSA Assumption holds.
A has to commit to the message m∗ for which he is going to provide a
forgery in advance.
$
Given (N, e) and y = x e mod N for some x ← Z∗N , find x .
$
Answer Hash queries H(mi ) with σie for random σi ← Z∗N .
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
3/7
Proof idea
Theorem 1 (Bellare, Rogaway ’93)
RSA FDH Hash is selectively secure in the Random Oracle Model if
the RSA Assumption holds.
A has to commit to the message m∗ for which he is going to provide a
forgery in advance.
$
Given (N, e) and y = x e mod N for some x ← Z∗N , find x .
$
Answer Hash queries H(mi ) with σie for random σi ← Z∗N .
Program H(m∗ ) := y and hope A provides a valid forgery σ ∗ , then σ ∗
solves the RSA Challenge:
σ ∗ = H(m∗ )d = y d = x
mod N.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
3/7
EUROCRYPT ’14 (Hohenberger, Sahai and Waters)
Replacing a Random Oracle:
Full Domain Hash From Indistinguishability Obfuscation
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
4/7
EUROCRYPT ’14 (Hohenberger, Sahai and Waters)
Replacing a Random Oracle:
Full Domain Hash From Indistinguishability Obfuscation
Theorem
Let F be a (punctured) PRF, i O be an Indistinguishability Obfuscator.
RSA FDH is selectively secure in the Standard Model if the RSA
Assumption holds.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
4/7
Indistinguishability Obfuscators
A ppt algorithm i O that obfuscates a given program P such that
§
Given P, i O outputs a program P such that P(x ) = P (x ) for
all possible inputs x .
§
Given Programs P1 and P2 such that P1 (x ) = P2 (x ) for all possible
inputs x ,
P1 ≈c P2 .
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
5/7
Proof in the Standard Model
G0
(
H(·) :=
Fk (·)e
We can sign messages without knowing d since σi = (H(mi ))d =
Fk (mi ) and k is known.
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
6/7
Proof in the Standard Model
G0 ; G1
(
H(·) :=
Fk (·)e
z∗
for m 6= m∗
for m = m∗
We can sign messages without knowing d since σi = (H(mi ))d =
Fk (mi ) and k is known.
Let z ∗ := Fk (m∗ )e
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
6/7
Proof in the Standard Model
G0 ; G1 ; G 2
(
H(·) :=
Fk (·)e
z∗
for m 6= m∗
for m = m∗
We can sign messages without knowing d since σi = (H(mi ))d =
Fk (mi ) and k is known.
Let z ∗ := x e for uniformly random x .
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
6/7
Proof in the Standard Model
G0 ; G1 ; G 2
(
H(·) :=
Fk (·)e
z∗
for m 6= m∗
for m = m∗
We can sign messages without knowing d since σi = (H(mi ))d =
Fk (mi ) and k is known.
Let z ∗ := x e for uniformly random x .
We can embed a given RSA Challenge by setting z ∗ := y = x e for
unknown x .
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
6/7
Many thanks for your attention!
QUESTIONS?
RSA Full Domain Hash in the Standard Model|UbiCrypt Seminar Lecture Series|22.01.2015
7/7