Formal Proof for the Correctness of RSA-PSS
نویسندگان
چکیده
Formal verification is getting more and more important in computer science. However the state of the art formal verification methods in cryptography are very rudimentary. This paper is one step to provide a tool box allowing the use of formal methods in every aspect of cryptography. In this paper we give a formal specification of the RSA probabilistic signature scheme (RSA-PSS) [4] which is used as algorithm for digital signatures in the PKCS #1 v2.1 standard [7]. Additionally we show the correctness of RSA-PSS. This includes the correctness of RSA, the formal treatment of SHA-1 and the correctness of the PSS encoding method. Moreover we present a proof of concept for the feasibility of verification techniques to a standard signature algorithm.
منابع مشابه
Making RSA-PSS Provably Secure against Non-random Faults
RSA–CRT is the most widely used implementation for RSA signatures. However, deterministic and many probabilistic RSA signatures based on CRT are vulnerable to fault attacks. Nevertheless, Coron and Mandal (Asiacrypt 2009) show that the randomized PSS padding protects RSA signatures against random faults. In contrast, Fouque et al. (CHES 2012) show that PSS padding does not protect against certa...
متن کاملHow to Repair ESIGN
The ESIGN signature scheme was provided with an inadequate proof of security. We propose two techniques to repair the scheme, which we name ESIGN-D and ESIGN-R. Another improvement of ESIGN is encouraged, where the public key is hashed together with the message. This allows to have a security proof in the multi key setting. Additionally, the lower security of ESIGN compared to RSA-PSS leads to ...
متن کاملOptimal Security Proofs for PSS and Other Signature Schemes
The Probabilistic Signature Scheme (PSS) designed by Bellare and Rogaway is a signature scheme provably secure against chosen message attacks in the random oracle model, whose security can be tightly related to the security of RSA. We derive a new security proof for PSS in which a much shorter random salt is used to achieve the same security level, namely we show that log2 qsig bits suffice, wh...
متن کاملTimed-Release Cryptography
Let n be a large composite number. Without factoring n, the computation of a t (mod n) given a, t with gcd(a; n) = 1 and t < n can be done in t squarings modulo n. For t n (e.g., n > 2 and t < 2), no lower complexity than t squarings is known to ful ll this task. Rivest et al suggested to use such constructions as good candidates for realising timed-release crypto problems. We argue the necessi...
متن کاملFair Encryption of RSA Keys
Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and priv...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2006 شماره
صفحات -
تاریخ انتشار 2006