ABSTRACT
The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends replacing it with the more complex and less efficient scheme RSA-PSS, as that scheme is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, to which standard proof techniques do not apply. We introduce a new technique that enables the first security proof for RSA PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model, and the parameters deviate slightly from standard use, because we require a larger output length of the hash function. However, we also show how RSA PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply. In order to draw a more complete picture of the precise security of RSA PKCS#1 v1.5 signatures, we also give security proofs in the standard model, but with respect to weaker attacker models (key-only attacks) and based on known complexity assumptions. The main conclusion of our work is that, from a provable security perspective, RSA PKCS#1 v1.5 can be safely used if the output length of the hash function is chosen appropriately.
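The abstract turns on two concrete properties of the scheme: the padding is deterministic, and the digest length (together with the modulus length) is the parameter the proofs care about. The following is an added example, written for this page and not code from the paper or from any PKCS#1 implementation, that implements the EMSA-PKCS1-v1_5 encoding of RFC 8017 (Section 9.2) and textbook RSA signing and verification over it (Section 8.2), with the hash function as a parameter so the reader can see exactly where the digest length enters and where the length constraint emLen >= tLen + 11 is enforced. The key generation is a toy pure-Python Miller-Rabin routine added only so the block runs offline; it is not a vetted RSA implementation, and the example does not reproduce the paper's particular large-digest instantiation.

```python
# Added example (not from the paper): EMSA-PKCS1-v1_5 encoding (RFC 8017 9.2)
# with textbook RSA over it (RFC 8017 8.2). Key generation is a toy, for
# offline demonstration only.
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefixes from RFC 8017, Section 9.2, Note 1.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def minimum_em_len(hash_name):
    """Smallest emLen the encoding accepts: tLen + 11 (at least 8 bytes of PS)."""
    return len(DIGEST_INFO[hash_name]) + hashlib.new(hash_name).digest_size + 11


def emsa_pkcs1_v1_5_encode(message, em_len, hash_name="sha256"):
    """EMSA-PKCS1-v1_5-ENCODE(M, emLen) = 0x00 || 0x01 || PS || 0x00 || T.

    No randomness enters, so the same message always gives the same EM;
    this is the deterministic padding the paper's proof has to deal with.
    """
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demo key, nothing more."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=1024, e=65537):
    """Toy RSA key pair ((n, e), (n, d)); small modulus for speed, not for use."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return (n, e), (n, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+


def sign(private_key, message, hash_name="sha256"):
    """RSASSA-PKCS1-v1_5-SIGN: EM -> integer m -> m^d mod n -> k octets."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k, hash_name), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(public_key, message, signature, hash_name="sha256"):
    """RSASSA-PKCS1-v1_5-VERIFY: rebuild EM and compare the whole octet string
    (RFC 8017 Section 8.2.2, step 4) rather than parsing the recovered EM'."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False  # wrong length is an invalid signature
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False  # signature representative out of range
    em_prime = pow(s, e, n).to_bytes(k, "big")
    try:
        em = emsa_pkcs1_v1_5_encode(message, k, hash_name)
    except ValueError:
        return False  # digest too long for this modulus
    return hmac.compare_digest(em, em_prime)


if __name__ == "__main__":
    pk, sk = keygen()
    msg = b"constructed sample message"  # constructed input, not from the paper
    sig = sign(sk, msg)
    print(len(sig), verify(pk, msg, sig), sig == sign(sk, msg))
```

Two points are worth noticing when running it. Signing the same message twice yields byte-identical signatures, which is the determinism the abstract refers to; RSA-PSS, by contrast, injects a random salt. And `minimum_em_len` makes the length relation explicit: a longer digest needs a longer encoded message, so the choice of hash output length and modulus length is a joint one, which is why the paper's conclusion is phrased in terms of choosing the hash output length appropriately.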
References
- Giuseppe Ateniese, Bernardo Magri, and Daniele Venturi. 2015. Subversion-Resilient Signature Schemes. In ACM CCS 15: 22nd Conference on Computer and Communications Security, Indrajit Ray, Ninghui Li, and Christopher Kruegel (Eds.). ACM Press, Denver, CO, USA, 364--375.
- Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge. 2016. On the Impossibility of Tight Cryptographic Reductions. In Advances in Cryptology -- EUROCRYPT 2016, Part II (Lecture Notes in Computer Science), Marc Fischlin and Jean-Sébastien Coron (Eds.), Vol. 9666. Springer, Heidelberg, Germany, Vienna, Austria, 273--304.
- Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel, and Joe-Kai Tsay. 2012. Efficient Padding Oracle Attacks on Cryptographic Hardware. In Advances in Cryptology -- CRYPTO 2012 (Lecture Notes in Computer Science), Reihaneh Safavi-Naini and Ran Canetti (Eds.), Vol. 7417. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 608--625.
- Mihir Bellare and Phillip Rogaway. 1993. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In ACM CCS 93: 1st Conference on Computer and Communications Security, V. Ashby (Ed.). ACM Press, Fairfax, Virginia, USA, 62--73.
- Mihir Bellare and Phillip Rogaway. 1995. Optimal Asymmetric Encryption. In Advances in Cryptology -- EUROCRYPT'94 (Lecture Notes in Computer Science), Alfredo De Santis (Ed.), Vol. 950. Springer, Heidelberg, Germany, Perugia, Italy, 92--111.
- Mihir Bellare and Phillip Rogaway. 1996. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin. In Advances in Cryptology -- EUROCRYPT'96 (Lecture Notes in Computer Science), Ueli M. Maurer (Ed.), Vol. 1070. Springer, Heidelberg, Germany, Saragossa, Spain, 399--416.
- Mihir Bellare and Moti Yung. 1993. Certifying Cryptographic Tools: The Case of Trapdoor Permutations. In Advances in Cryptology -- CRYPTO'92 (Lecture Notes in Computer Science), Ernest F. Brickell (Ed.), Vol. 740. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 442--460.
- Mihir Bellare and Moti Yung. 1996. Certifying Permutations: Noninteractive Zero-Knowledge Based on Any Trapdoor Permutation. Journal of Cryptology, Vol. 9, 3 (1996), 149--166.
- Daniel J. Bernstein. 1998. Detecting Perfect Powers in Essentially Linear Time. Math. Comput., Vol. 67, 223 (July 1998), 1253--1283.
- G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche. 2011. The Keccak SHA-3 submission. Submission to NIST (Round 3). (2011). http://keccak.noekeon.org/Keccak-submission-3.pdf
- Daniel Bleichenbacher. 1998. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In Advances in Cryptology -- CRYPTO'98 (Lecture Notes in Computer Science), Hugo Krawczyk (Ed.), Vol. 1462. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 1--12.
- Hanno Böck, Juraj Somorovsky, and Craig Young. 2017. Return Of Bleichenbacher's Oracle Threat (ROBOT). Cryptology ePrint Archive, Report 2017/1189. (2017). https://eprint.iacr.org/2017/1189
- Florian Böhl, Dennis Hofheinz, Tibor Jager, Jessica Koch, Jae Hong Seo, and Christoph Striecks. 2013. Practical Signatures from Standard Assumptions. In Advances in Cryptology -- EUROCRYPT 2013 (Lecture Notes in Computer Science), Thomas Johansson and Phong Q. Nguyen (Eds.), Vol. 7881. Springer, Heidelberg, Germany, Athens, Greece, 461--485.
- Ernest F. Brickell and John M. DeLaurentis. 1986. An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi. In Advances in Cryptology -- CRYPTO'85 (Lecture Notes in Computer Science), Hugh C. Williams (Ed.), Vol. 218. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 28--32.
- Ernest F. Brickell and Andrew M. Odlyzko. 1988. Cryptanalysis: A survey of recent results. Proc. IEEE, Vol. 76, 5 (1988), 578--593.
- Christian Cachin, Silvio Micali, and Markus Stadler. 1999. Computationally Private Information Retrieval with Polylogarithmic Communication. In Advances in Cryptology -- EUROCRYPT'99 (Lecture Notes in Computer Science), Jacques Stern (Ed.), Vol. 1592. Springer, Heidelberg, Germany, Prague, Czech Republic, 402--414.
- J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer. 2007. OpenPGP Message Format. RFC 4880 (Proposed Standard). (Nov. 2007), 90 pages. Updated by RFC 5581.
- Don Coppersmith. 1997. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology, Vol. 10, 4 (1997), 233--260.
- Don Coppersmith, Matthew K. Franklin, Jacques Patarin, and Michael K. Reiter. 1996. Low-Exponent RSA with Related Messages. In Advances in Cryptology -- EUROCRYPT'96 (Lecture Notes in Computer Science), Ueli M. Maurer (Ed.), Vol. 1070. Springer, Heidelberg, Germany, Saragossa, Spain, 1--9.
- Jean-Sébastien Coron. 2000. On the Exact Security of Full Domain Hash. In Advances in Cryptology -- CRYPTO 2000 (Lecture Notes in Computer Science), Mihir Bellare (Ed.), Vol. 1880. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 229--235.
- Jean-Sébastien Coron. 2001. Optimal security proofs for PSS and other signature schemes. Cryptology ePrint Archive, Report 2001/062. (2001). http://eprint.iacr.org/2001/062
- Jean-Sébastien Coron. 2002. Optimal Security Proofs for PSS and Other Signature Schemes. In Advances in Cryptology -- EUROCRYPT 2002 (Lecture Notes in Computer Science), Lars R. Knudsen (Ed.), Vol. 2332. Springer, Heidelberg, Germany, Amsterdam, The Netherlands, 272--287.
- Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier. 2000. New Attacks on PKCS#1 v1.5 Encryption. In Advances in Cryptology -- EUROCRYPT 2000 (Lecture Notes in Computer Science), Bart Preneel (Ed.), Vol. 1807. Springer, Heidelberg, Germany, Bruges, Belgium, 369--381.
- Ronald Cramer and Victor Shoup. 1999. Signature Schemes Based on the Strong RSA Assumption. In ACM CCS 99: 6th Conference on Computer and Communications Security. ACM Press, Kent Ridge Digital Labs, Singapore, 46--51.
- Jean Paul Degabriele, Anja Lehmann, Kenneth G. Paterson, Nigel P. Smart, and Mario Strefler. 2012. On the Joint Security of Encryption and Signature in EMV. In Topics in Cryptology -- CT-RSA 2012 (Lecture Notes in Computer Science), Orr Dunkelman (Ed.), Vol. 7178. Springer, Heidelberg, Germany, San Francisco, CA, USA, 116--135.
- T. Dierks and C. Allen. 1999. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard). (Jan. 1999), 80 pages. Obsoleted by RFC 4346, updated by RFCs 3546, 5746, 6176, 7465, 7507, 7919.
- T. Dierks and E. Rescorla. 2006. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard). (April 2006), 87 pages. Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746, 6176, 7465, 7507, 7919.
- T. Dierks and E. Rescorla. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). (Aug. 2008), 104 pages. Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919.
- Marc Fischlin. 2003. The Cramer-Shoup Strong-RSA Signature Scheme Revisited. In PKC 2003: 6th International Workshop on Theory and Practice in Public Key Cryptography (Lecture Notes in Computer Science), Yvo Desmedt (Ed.), Vol. 2567. Springer, Heidelberg, Germany, Miami, FL, USA, 116--129.
- David Mandell Freeman, Oded Goldreich, Eike Kiltz, Alon Rosen, and Gil Segev. 2013. More Constructions of Lossy and Correlation-Secure Trapdoor Functions. Journal of Cryptology, Vol. 26, 1 (Jan. 2013), 39--74.
- Rosario Gennaro, Shai Halevi, and Tal Rabin. 1999. Secure Hash-and-Sign Signatures Without the Random Oracle. In Advances in Cryptology -- EUROCRYPT'99 (Lecture Notes in Computer Science), Jacques Stern (Ed.), Vol. 1592. Springer, Heidelberg, Germany, Prague, Czech Republic, 123--139.
- Marc Girault, Philippe Toffin, and Brigitte Vallée. 1990. Computation of Approximate L-th Roots Modulo n and Application to Cryptography. In Advances in Cryptology -- CRYPTO'88 (Lecture Notes in Computer Science), Shafi Goldwasser (Ed.), Vol. 403. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 100--117.
- Dennis Hofheinz, Tibor Jager, and Eike Kiltz. 2011. Short Signatures from Weaker Assumptions. In Advances in Cryptology -- ASIACRYPT 2011 (Lecture Notes in Computer Science), Dong Hoon Lee and Xiaoyun Wang (Eds.), Vol. 7073. Springer, Heidelberg, Germany, Seoul, South Korea, 647--666.
- Susan Hohenberger and Brent Waters. 2009. Realizing Hash-and-Sign Signatures under Standard Assumptions. In Advances in Cryptology -- EUROCRYPT 2009 (Lecture Notes in Computer Science), Antoine Joux (Ed.), Vol. 5479. Springer, Heidelberg, Germany, Cologne, Germany, 333--350.
- R. Housley. 2002. Cryptographic Message Syntax (CMS) Algorithms. RFC 3370 (Proposed Standard). (Aug. 2002), 24 pages. Updated by RFC 5754.
- Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. 2015a. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption. In ACM CCS 15: 22nd Conference on Computer and Communications Security, Indrajit Ray, Ninghui Li, and Christopher Kruegel (Eds.). ACM Press, Denver, CO, USA, 1185--1196.
- Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. 2015b. Practical Invalid Curve Attacks on TLS-ECDH. In ESORICS 2015: 20th European Symposium on Research in Computer Security, Part I (Lecture Notes in Computer Science), Günther Pernul, Peter Y. A. Ryan, and Edgar R. Weippl (Eds.), Vol. 9326. Springer, Heidelberg, Germany, Vienna, Austria, 407--425.
- M. Jones, J. Bradley, and N. Sakimura. 2015. JSON Web Signature (JWS). RFC 7515 (Proposed Standard). (May 2015), 59 pages.
- J. Jonsson and B. Kaliski. 2003. Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447 (Informational). (Feb. 2003), 72 pages. Obsoleted by RFC 8017.
- Saqib A. Kakvi and Eike Kiltz. 2012. Optimal Security Proofs for Full Domain Hash, Revisited. In Advances in Cryptology -- EUROCRYPT 2012 (Lecture Notes in Computer Science), David Pointcheval and Thomas Johansson (Eds.), Vol. 7237. Springer, Heidelberg, Germany, Cambridge, UK, 537--553.
- Saqib A. Kakvi and Eike Kiltz. 2018. Optimal Security Proofs for Full Domain Hash, Revisited. Journal of Cryptology, Vol. 31, 1 (Jan. 2018), 276--306.
- Saqib A. Kakvi, Eike Kiltz, and Alexander May. 2012. Certifying RSA. In Advances in Cryptology -- ASIACRYPT 2012 (Lecture Notes in Computer Science), Xiaoyun Wang and Kazue Sako (Eds.), Vol. 7658. Springer, Heidelberg, Germany, Beijing, China, 404--414.
- B. Kaliski. 1998. PKCS #1: RSA Encryption Version 1.5. RFC 2313 (Informational). (March 1998), 19 pages. Obsoleted by RFC 2437.
- B. Kaliski and J. Staddon. 1998. PKCS #1: RSA Cryptography Specifications Version 2.0. RFC 2437 (Informational). (Oct. 1998), 39 pages. Obsoleted by RFC 3447.
- Eike Kiltz, Adam O'Neill, and Adam Smith. 2010. Instantiability of RSA-OAEP under Chosen-Plaintext Attack. In Advances in Cryptology -- CRYPTO 2010 (Lecture Notes in Computer Science), Tal Rabin (Ed.), Vol. 6223. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 295--313.
- Eike Kiltz and Krzysztof Pietrzak. 2009. On the Security of Padding-Based Encryption Schemes - or - Why We Cannot Prove OAEP Secure in the Standard Model. In Advances in Cryptology -- EUROCRYPT 2009 (Lecture Notes in Computer Science), Antoine Joux (Ed.), Vol. 5479. Springer, Heidelberg, Germany, Cologne, Germany, 389--406.
- Eike Kiltz, Krzysztof Pietrzak, and Mario Szegedy. 2013. Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions. In Advances in Cryptology -- CRYPTO 2013, Part I (Lecture Notes in Computer Science), Ran Canetti and Juan A. Garay (Eds.), Vol. 8042. Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 571--588.
- Vlastimil Klíma, Ondrej Pokorný, and Tomáš Rosa. 2003. Attacking RSA-Based Sessions in SSL/TLS. In Cryptographic Hardware and Embedded Systems -- CHES 2003 (Lecture Notes in Computer Science), Colin D. Walter, Çetin Kaya Koç, and Christof Paar (Eds.), Vol. 2779. Springer, Heidelberg, Germany, Cologne, Germany, 426--440.
- Mark Lewko, Adam O'Neill, and Adam Smith. 2013. Regularity of Lossy RSA on Subdomains and Its Applications. In Advances in Cryptology -- EUROCRYPT 2013 (Lecture Notes in Computer Science), Thomas Johansson and Phong Q. Nguyen (Eds.), Vol. 7881. Springer, Heidelberg, Germany, Athens, Greece, 55--75.
- Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, and Erik Tews. 2014. Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20--22, 2014, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 733--748. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer
- K. Moriarty (Ed.), B. Kaliski, J. Jonsson, and A. Rusch. 2016. PKCS #1: RSA Cryptography Specifications Version 2.2. RFC 8017 (Informational). (Nov. 2016), 78 pages.
- Tatsuaki Okamoto and Akira Shiraishi. 1985. A fast signature scheme based on quadratic inequalities. In 1985 IEEE Symposium on Security and Privacy. IEEE, 123.
- Tatsuaki Okamoto and Jacques Stern. 2003. Almost Uniform Density of Power Residues and the Provable Security of ESIGN. In Advances in Cryptology -- ASIACRYPT 2003 (Lecture Notes in Computer Science), Chi-Sung Laih (Ed.), Vol. 2894. Springer, Heidelberg, Germany, Taipei, Taiwan, 287--301.
- Chris Peikert and Brent Waters. 2008. Lossy trapdoor functions and their applications. In 40th Annual ACM Symposium on Theory of Computing, Richard E. Ladner and Cynthia Dwork (Eds.). ACM Press, Victoria, British Columbia, Canada, 187--196.
- J. Schaad, B. Kaliski, and R. Housley. 2005. Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 4055 (Proposed Standard). (June 2005), 25 pages. Updated by RFC 5756.
- Sven Schäge. 2011. Tight Proofs for Signature Schemes without Random Oracles. In Advances in Cryptology -- EUROCRYPT 2011 (Lecture Notes in Computer Science), Kenneth G. Paterson (Ed.), Vol. 6632. Springer, Heidelberg, Germany, Tallinn, Estonia, 189--206.
- Yannick Seurin. 2014. On the Lossiness of the Rabin Trapdoor Function. In PKC 2014: 17th International Conference on Theory and Practice of Public Key Cryptography (Lecture Notes in Computer Science), Hugo Krawczyk (Ed.), Vol. 8383. Springer, Heidelberg, Germany, Buenos Aires, Argentina, 380--398.
- Victor Shoup. 2002. OAEP Reconsidered. Journal of Cryptology, Vol. 15, 4 (2002), 223--249.
- Adam Smith and Ye Zhang. 2015. On the Regularity of Lossy RSA - Improved Bounds and Applications to Padding-Based Encryption. In TCC 2015: 12th Theory of Cryptography Conference, Part I (Lecture Notes in Computer Science), Yevgeniy Dodis and Jesper Buus Nielsen (Eds.), Vol. 9014. Springer, Heidelberg, Germany, Warsaw, Poland, 609--628.
- Ron Steinfeld, Josef Pieprzyk, and Huaxiong Wang. 2007. How to Strengthen Any Weakly Unforgeable Signature into a Strongly Unforgeable Signature. In Topics in Cryptology -- CT-RSA 2007 (Lecture Notes in Computer Science), Masayuki Abe (Ed.), Vol. 4377. Springer, Heidelberg, Germany, San Francisco, CA, USA, 357--371.
- B. Weis. 2006. The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH). RFC 4359 (Proposed Standard). (Jan. 2006), 12 pages.
- Yinqian Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2014. Cross-Tenant Side-Channel Attacks in PaaS Clouds. In ACM CCS 14: 21st Conference on Computer and Communications Security, Gail-Joon Ahn, Moti Yung, and Ninghui Li (Eds.). ACM Press, Scottsdale, AZ, USA, 990--1003.
Index Terms
- On the Security of the PKCS#1 v1.5 Signature Scheme