03.›F“ª/‚SŒÊŁÏ“X*

Size: px

Start display at page:

Download "03.›F“ª/‚SŒÊŁÏ“X*"

れいなほうねん
5 years ago
Views:

1 RSA RSA RSA GemplusCoron Naccache Stern Coron-Naccache-SternRSA ISO/IEC IC RSA Coron RSA ISO/IEC Coron-Naccache-Stern ISO/IEC JTC1/SC

2 RSA RSARSA RSA IC GemplusCoron Naccache Stern RSA Coron-Naccache-SternCNS RSA ISO/IEC ISO/IEC IC RSA ISO/IEC JTC1/SC CNS ISO/IEC EMV SC RSA ISO/IEC CNS ISO/IEC ISO/IEC JTC1/SCCNS CNS IC

3 RSA RSARivest Shamir Aleman RSA RSA RSA Rivest, Shamir an AlemanRSARSA RSA ISO RSA p qn = pqp 1 q L = LCM p 1, q 1GCD e, L =e e = 1 mo L e, n C = M e mo nm C M = C mo n RSAISO/IEC ISO/IEC Information technology Security techniques Digital signature schemes with appenix ISO/IEC ISO Banking Key management by means of asymmetric algorithms Approve algorithms using the RSA cryptosystem ISO FIPS NIST ANSI X9.31 ANSIRSA

4 RSA RSA M m=h MH MS S = m mo n S M H M = S e mo n RSA # RSA ISO/IEC SS-R Menezes, Oorschot an Vanstone

5 RSA PSSPSS-R PSSPSS-R RSAKaliski an Robshaw Misarsky CoronISO/IEC Coron et al.

6 n RSAn n(= p q) p 1q 1 P 1P 1 p q p q np qp q p q p qaleman-lenstra RSA MHz ISO/IEC ISO/IEC ISO/TR ISOan RSA bit RSA RSADesmet-Olyzko Desmet an Olyzko MIPS1 MIPS MIPS1 MIPS

7 Desmet-Olyzko n M HM H M H M =p 1 p 2 p k 1 p k p i k M M S S S = H M mo n = p 1 p 2 p k 1 p k mo n iii H M p 1 p 2 p k 1 p k p i mo n p i mo n iv p i mo n RSA Misarsky PKCS ISO/IEC PKCS # RSA PKCS #Netscape HTTPSSL PKCS#Version 2.0 RSA Laboratories PKCS Public-Key Cryptosystem Stanar PKCS PKCS Version Version 1.5 RSA Laboratories Optimal Asymmetric Encryption Paing, Bellare an Rogaway BleichenbacherOAEPVersion OAEP

8 e,nn k byte MHashh bytesr M H=Hash M IDTt byte PSPSk t 3 byte bit SRk byte SR = PS T = FF...FF T 5SR S S = SR mo n ISO/IEC ISO/IEC 9796 Information technology Security techniques Digital signature schemes giving message recovery IC ISO/IEC bytebit bit Part Part ISO/IEC JTC1/SC27/WG2Part Part 4 Part 3

9 Part RSA Girault an Misarsky 1997, Misarsky 1997 an a ISO/IEC ISO/IEC nformation technology Security techniques Digital signature schemes giving message recovery Part 1: Mechanisms using reunancy ISO/IEC Information technology Security techniques Digital signature schemes giving message recovery ISO/IEC 1991Coron et al bitbit ISO/IEC 9796 EitorGuilloun ISO/IEC 9796 Guillou et al.

10 b ISO/IEC ISO/IEC Information technology Security techniques Digital signature schemes giving message recovery Part 2: Mechanisms using a hash-function SCISO/IEC WD ISO/IEC ISO/IEC H M = 2 M mo Girault Misarsky Girault an Misarsky ISO/IEC ISO/IEC ISO/IEC ISO/IEC bit bit c ISO/IEC ISO/IEC Information technology Security techniques Digital signature schemes giving message recovery Part 3: Mechanisms using a check-function ISO/IEC WDSC C=M mo + 1 Girault-Misarsky Misarsky Misarsky WD Working Draft New Work Item ProposalISO ISO MisarskyISO/IEC N m N/280 < m bit bit

11 MU M MU M U X =U Y mo n X Y iix YX Y U X mo n U Y mo n iii U M U X =U Y mo nu M U X =U Ymo n U M = U Y / U X mo n M U M mo n Misarsky ISO/IEC bitbitpentium MHz Misarsky ISO/IEC JTC ISO/IEC ISO/IEC CNS Coron et al ISO/IEC bit bit ID RSA

12 UMU MU M L bitiso/iec bit p k 2k n, ersa n = p q p q RSA p k U Mp k -smooth M M U M mo n U M mo nm U M mo n M U M p k -smooth CNS MM U Mp k -smooth p k -smoothp k p k -smoothp k -smooth u k v j u = p j j= 1 p j p k j =1,...,k

13 Lk (loge) k ln k O ρ ( L/ log2( k ln k)) O k log e L k en n ISO/IEC SHA bit bit k e e k+1 k e U Mp k -smoothm ISO/IEC M n n M CoronISO/IEC ISO/IEC PKCS #1 Version 2.0 ANSI X ISO/IEC Coron et al. PKCS #1 Version 2.0 ANSI X

14 Silverman an Naccache CoronCoron et al.pkcs #1 Version 2.0 ANSI X n n=2 k c n=2 k c ANSI X9n=2 k c bit SHA bit ISO/IEC Coron et al. U M F n, U M U M p k -smoothm ISO/IEC U Mbit nbit M bitf n, U M= n 2U M n 2U M bit n bit a n abitbit = bit + bitx = a n bit F nu M= a n U M = X U M X U M bit X bit X bit XbitX bit X

15 X X [1] X [0] bit bit y M X [1] y X [1] y U M Mbit bit U Mbit U (M) X [1] SHA-1(M) 2 8 U (M) X [1] SHA-1(M) M Heaer, More-ata bit, Paing fiel =bit Data fiel = X 1848 bit Hash fiel = SHA-1 M160 bit Trailer = bit bit X 2 8 U M U Mbit bitx X SHA-1 M

16 X 2 8 U (M) X [1] X [0] X [1] SHA-1(M) X [0]SHA-1(M ) X 2 8 U M p k -smoothy k v X 8 U( M) p j j 1 j 2 = = yx 2 8 U Mp k -smooth MX 2 8 U M Lbit bit MM U M mo n U M mo n M U M mo n ke 17 n X 2 8 U M X 2 8 U M bit ISO/IEC M M CoronISO/IEC SHA L bitbit

17 CoronCNSISO/IEC ISO/IEC Coron et al.iso/iec ISO/IEC ISO/IEC bit Coronbit ISO/IEC bitbit bit U 1(M ) Sh(m 32) m 32 Sh(m1) m 1 Sh(m 32) m 32 Sh(m1) m 1 U 2(M ) Sh(m 32) m 32 Sh(m1) m1 Sh(m 32) m 32 Sh(m1) m 1 M M= m32, m31,...,m2, m1 mi i =1bitU1 MISO/IEC U2 MISO/IEC

18 U1 M U2 M bitbit Sh bit bitbit ISO/IEC bitbit a U Mbitm bit U M = m,m,...,m mm b m p k -smoothmm m p k -smoothm Ma bitms = A, B, C, A B Cbit A Sh A bit M MS MS MS MS MS MS MS MS MS A B C U Mm m 64 bit U M bit

19 U(M) m m m m m m m m m m m m m m m m Sh m Sh(A) A Sh(B) B Sh(C) C U MmU M = m Γ Γ = m p k -smootha B C m p k -smooth m ml bit bit m m p k -smoothm U M U( M ) k v p j j 1 = = MU M mo n j + 2 Γ = i = i U M mo n M M U M U( M ) k j 1 = = v p j j Γ L bit k en U Mm mbit

20 Coron Pentium 200MHzU Mp k -smooth M k ISO/IEC CNSRSA PSS-R PSS Probabilistic Signature SchemeBellare Rogaway Bellare an Rogaway 1996PSS RSA Coron et al. e k= = k+1

21 RSA PSS bit bit PSS RSA RSA h k bit g 1 k bit k bit g 2 k bit k k k bit Mk bit S w = h M rr = g 1 w r S = X mo nx = 0 w R g 2 w XS e mo nx = b y z αbbit y k bit z k bit α bit R =g 1 y z h M R = y g 2 y = α b RSA e, n n 1YY = x e mo nx RSA

22 M h g 2 (w) w=h(m r) (k 1 bit ) r (k 0 bit) g 1 (w) (k 0 bit) R (k 0 bit ) (k- k 0 - k 1-1 bit ) X= ( 0 w R g 2 (w)) (k bit ) S=X mo n n bit PSS-R PSS Bellare an RogawayPSS-R PSS PSS-RPSSX g w 2 g 2 w Mg 2 w M g 2 w M PSS X ISO/IEC ISO/IEC JTC1/SC27/WG2 Coron Naccache Stern SC27/WG2 SC27/WG2 Silverman an Naccache

23 CNSEuropay MasterCar VisaICEMV 96 Europay et al. 1996EMV 96ANNEX EISO/IEC EMV 96IC ISO/IEC EMV 96 ISO/IEC IC CNS SSLBleichenbacher CNS PSSPSS-R OAEP EPOC TSH-ESIGN OAEP Bleichenbacher EPOCOkamoto, Uchiyama an Fujisaki TSH-ESIGNOkamoto, Fujisaki an Morita

24 ISO/IEC bit bit bitbitiso/iec U M bit Mbit m1, m2,..., m31, m32 U(M) MR1 MR2 MR1 Sh (m 32) m32 Sh (m1) m1 MR2 Sh (m 32) m32 Sh(m1) m1 U MMR1 MR2bit MR1 MR2bit mi i =1,...,32mi ShbitSh mi m Sh m32 MR bit MR bit U MS S = U M mo n

25 ISO/IEC ISO/IEC bitbit bit bitsha-1 bit U M bit SO/IEC SHA -1(M ) U(M) SHA -1(M ) U M Heaer U M bit More-ata bit Heaebit Paing fiel U M bit bit =bit bit Heaer 1 bit More-ata bit bit Recovery fiel 160 bit Hash fiel 8 bit Trailer Recovery fielm bit bit =bit bit Hash fielm SHA-1 M SHAbit TrailerSHA bit ISO/IEC Information technology Security techniques Hash-functions ISO/IEC, Matyas-Meyer-OseasMDC-2 RIPEMD-160 SHA-1

26 U M S=U M mo n ISO/IEC C = M mo bit Misarskybit bit M C = M mo (2 79 1) C SF M U(M ) SF bitsf bit Heaer 8 bit Paing fielbit bit Trailer bitcc =M mo C bit SF SF bit bitbit = bit bit U M U M S=U M mo n

27 UMU MU M L bit p k k n, e M U M p k -smoothm U( M ) = k v p j j j= 1 p j p k M U M p k -smoothu M U M na n b U ML bit a bm 27 bp k -smooth ISO/IEC bitbit a = 0 b = 1 Γ bitl bit ISO/IEC bit b = an bitnlbit

28 b a n b U Mp k -smoothm aba b M a n b U( M ) = k v j p j j= 1 M U M mo n p k -smooth a n b U M mo n ( a n b U( M )) mo n= {( a n) ( a n) 1 + ( b U( M )) + + ( b U ( M )) } mo n nmo n ( a n b U( M )) mo n = ( b U( M )) mo n = ( b) U ( M ) mo n U M mo n U ( M ) mo n = ( b) ( a n b U ( M )) mo n k U M n b v j ( ) mo ( ) pj mo n j 1 = = bp k -smoothu M mo np k -smooth p k a n b U M p k -smoothx a n b U Mp k -smoothy X Y a n b U Ma n b U ML bit 2 L L bit p k -smoothp k log p 2 k bitl ρ(t) t =L / log p 2 k

29 ζ s 1 / 2 ρ ( t) (2π t) exp γ tζ + e 1 s s 0 ζ e 1 = t ζ γ Mρ L / log p 2 k L 160 bit p k bit t ρ t smooth bit M a n b U ML bit O( L k ln k ) ab M C L,k C L, k L k ln k = O ρ ( L/ log2( kln k)) C L,k p k M 1, M 2,..., M r 1, M r U M i mo n U( M ) i k p ( i, j = (mo n ) j = 1 v j ) M r+1 M r+1 U M i mo nm r+1 U M i mo nu M r+1 mo n Pollar-BrentCoron et al CoronPollar-Brent CNS

30 U M i kv i e RSA U ( Mi ) Vi = { vi,1 mo e, vi,2 mo e,..., vi, k moe} V i e k {p 1, p 2, p 3,...,p k } M r+1 U M r+1 k V r+1 V r+1 rv i V r+1 b i i=1,...,r 0 b i e 1 V r = bivi mo e { vr+ 1,1 mo e, vr + 1,2 mo e,..., vr 1, k mo e} r+ 1 = + i = 1 V i = {v i,1 mo e, v i,2 mo e,...,v i,k mo e } r i i = 1 r b V mo e b { vi, 1mo e, v,2 mo e,..., vi, k mo e} mo e i = i = 1 i moe v r+1,j a v r+ 1, j i r r r = bi vi,1 mo e, bi vi,2 mo e,..., bivi, k i= 1 i = 1 i= 1 r r + 1, j = i i = 1 v b v i, j mo e v bi vi r+ 1, j, j i= 1 r = aje M r+ 1 U M r+ 1 mo n U ( M k r+ 1 ) = j = 1 p ( v r + 1, j ) j mo n U ( M r k bi vi, j a j e i 1 = p = mo n = r+ 1) j 1 j r k = i 1 p = j= 1 j b iv i, j k j = 1 p ( a j e) j mo n

31 RSA e mo p 1 q 1 =1 U ( M r b i v i, j k k i 1 = ( aj ) r 1) = p + p j j= 1 j j= 1 mo n U ( M k ( b v ) p 1v1, j + b 2v 2, j b r r, j k r + 1 ) = j j= 1 j= 1 p a j j mo n U ( M k r k ( v p i, j ) b i r+ 1) = j j = 1 i = 1 j = 1 p a j j mo n b i k j ) = j = 1 r k ( v p i, j i= 1 j= 1 pj a j mo n U ( M r k U M bi r+ 1 ) = ( ( i ) ) i = 1 j= 1 a j j p mo n M r+1 U M i mo nu M r+1 mo n M i k e O k log e C L,k O k log e Lk(loge) k ln k O ρ ( L/ log2( k ln k))

32 EPOCIMES Discussion Paper ID American National Stanars Institute, X 9.31 Digital Signatures Using Reversible Public Key Cryptography rdsa, Bellare, M., an P. Rogaway, Optimal asymmetric encryption, Avances in Cryptology Proceeings of EUROCRYPT 94, Lecture Notes in Computer Science, Vol. 950, Springer-Verlag, 1995, pp , an, The Exact Security of Digital Signatures How to Sign with RSA an Rabin, Avances in Cryptology Proceeings of EUROCRYPT 96, Lecture Notes in Computer Science, Vol. 1070, Springer-Verlag, 1996, pp Bleichenbacher, D., Chosen Ciphertext Attacks Against Protocols Base on the RSA Encryption Stanar PKCS #1, Avances in Cryptology Proceeings of CRYPTO 98, Lecture Notes in Computer Science, Vol. 1462, Springer-Verlag, 1998, pp Coron, J. S., D. Naccache, an P. Stern, On the Security of RSA Paing, to appear CRYPTO 99, Desmet, Y. G., an A. M. Olyzko, A chosen text attack on the RSA cyptosystem an some iscrete logarithm schemes, Avances in Cryptology Proceeings of CRYPTO 85, Lecture Notes in Computer Science, Vol. 218, Springer-Verlag, 1986, pp Europay International S.A., MasterCar International Incorporate, an Visa International Service Association, EMV 96: Integrate Circuit Car Specification for Payment Systems, July /ownloa.html Girault, M., an J. F. Misarsky, Selective Forgery of RSA Signatures Using Reunancy, Avances in Cryptology Proceeings of EUROCRYPT 97, Lecture Notes in Computer Science, Vol. 1233, Springer-Verlag, 1997, pp Guillou, L. C., J.-J. Quisquater, M. Walker, P. Lanrock, an C. Shaer, Precautions taken against various potential attack in ISO/IEC DIS 9796 Digital signature scheme giving message recovery, Avances in Cryptology Proceeings of EUROCRYPT 90, Lecture Notes in Computer Science, Vol. 473, Springer-Verlag, 1991, pp International Organization for Stanarization, ISO Banking Key management by means of asymmetric algorithms Part 2: Approve algorithms using the RSA cryptosystem, 1994.

33 , ISO/TR Banking an relate financial services Information security guielines, October 1997., ISO/TR Banking an relate financial services Information security guielines, Amenment 1, December 1998., an nternational Electrotechnical Commission, ISO/IEC 9796 Information technology Security techniques Digital signature scheme giving message, 1991., an, ISO/IEC Information technology Information techniques Hashfunctions Part 2: Hash-functions using an n-bit block cipher algorithm, 1994., an, ISO/IEC Information technology Security techniques Digital signature scheme giving message recovery Part 2: Mechanisms using a hash-function, 1997., an, ISO/IEC Information technology Information techniques Hashfunctions Part 3: Deicate hash-functions, 1998a., an, ISO/IEC Information technology Security techniques Digital signature with appenix Part 3: Certificate-base mechanism, 1998b. Kaliski, B., an M. Robshaw, The Secure Use of RSA, RSA Laboratories CryptoBytes, Vol. 1, No. 3, Menezes, A. J., P. C. Oorschot, an S. A. Vanstone, Hanbook of Applie Cryptography, CRC Press, Misarsky, J. F., A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Reunancy, Avances in Cryptology Proceeings of CRYPTO 97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag, 1997, pp , How not to esign RSA signature schemes, Proceeings of Public Key Cryptography 98, Lecture Notes in Computer Science, Vol. 1431, Springer-Verlag, 1998, pp National Institute for Stanars an Technology, Specifications for a igital signature stanar, Feeral Information Processing Stanar Publication FIPS PUB186-1, Okamoto, T., E. Fujisaki, an H. Morita, TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, Submission to IEEE P1363a, November 1998., S. Uchiyama, an E. Fujisaki, EPOC: Efficient Probabilistic Public-Key Encryption, Submission to IEEE P1363a, November Rivest, R. L., A. Shamir, an L. Aleman, A metho of obtaining igital signatures an public key cryptosystems, Communications of the ACM, Vol. 21, No. 2, 1978, pp RSA Laboratories, PKCS #1: RSA Encryption Stanar Version 1.5, November 1993., PKCS #1: RSA Cryptography Specifications Version 2.0, September 1998 ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1v2.asc Silverman, R. D., an D. Naccache, Recent Results on Signature Forgery, April

ICカードに利用される暗号アルゴリズムの安全性について：ENV仕様の実装上の問題点を中心に

ICカードに利用される暗号アルゴリズムの安全性について：ENV仕様の実装上の問題点を中心に IC IC IC ICIC EMVEMV IC EMVIC EMV ICEMVRSAkey TDES TDES-MAC E-mail: masataka.suzuki@boj.or.jp NTTE-mail: kanda.masayuki@lab.ntt.co.jp IC IC IC IC EMV JCCA ICJCCA ICEMV EMVIC EMV EMV EMVEMVCo EMV EMV EMVICIC