
Digital Signatures

Cryptographic Goals

• Confidentiality
– Symmetric-key ciphers: block ciphers, stream ciphers
– Public-key ciphers

• Data integrity
– Arbitrary length hash functions
– Message authentication codes (MACs)
– Digital signatures

• Authentication
– Entity authentication: authentication primitives
– Message authentication: MACs, digital signatures

• Non-repudiation
– Digital signatures

Non-repudiation

m is a signed message
s is a valid signature for m

Alice sends (m, s) to Bob.

Alice denies her signature if she finds:
m' ≠ m such that s is a valid signature for m'

Message Authentication Codes

• MAC f(x, key): {0,1}* → {0,1}^n
– knowing x and key, f is easy to compute
– it is infeasible to calculate f(x, key) without the key

• MACs are often block cipher based
– message m, secret key k
– specification of block cipher E
• MAC(m) = E(m, key)
• MAC(m) = E(hash(m), key)

Use of a MAC

• Used to provide
– Data integrity
– Message authentication

Signer: message + secret key → MAC algorithm → MAC; message and MAC are sent over an unsecured channel
Verifier: message + MAC + secret key → MAC verification algorithm → Ok / not Ok

Digital Signature Scheme

• Used to provide
– Data integrity
– Message authentication
– Non-repudiation

Signer: message + signer's private key → signing algorithm → signature; message and signature are sent over an unsecured channel
Verifier: message + signature + signer's public key → signature verification algorithm → Ok / not Ok

Difference between MAC and digital signature

• To prove the validity of a MAC to a third party, you need to reveal the key
• If you can verify a MAC, you can also create it
• A MAC does not allow a distinction to be made between the parties sharing the key
• Computing a MAC is (usually) much faster than computing a digital signature
– Important for devices with low computing power


Framework

Digital signatures can provide
• Authentication
• Data integrity
• Non-repudiation

Framework

• Definitions
– Digital Signature: a data string which associates a message with some originating entity
– Digital Signature Generation Algorithm: a method for producing a digital signature
– Digital Signature Scheme: consists of a signature generation algorithm and an associated verification algorithm

Framework (cont)

• Notation
M     message space
MS    signing space
S     signature space
R     a one-one mapping from M to MS called the redundancy function
MR    the image of R
R^-1  the inverse of R
h     a one-way function with domain M
Mh    hash value space, the image of h (h: M → Mh)

Types of attacks

• Key-only: adversary knows only the public key
• Message attacks
– Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him
– Chosen-message attack: adversary obtains valid signatures for a list of messages of his choice (non-adaptive)
– Adaptive chosen-message attack: adversary can use the signer as an oracle

RSA signature algorithm

Key Generation
1. Generate two large random distinct primes p and q, each roughly the same size
2. Compute n = pq and φ(n) = (p − 1)(q − 1)
3. Select random integer e: 1 < e < φ, such that gcd(e, φ) = 1
4. Compute the unique integer d: 1 < d < φ, such that ed ≡ 1 mod φ
5. Public key is (n, e). Private key is d

Notation
• M is a set of elements, called the message space = Zn
• MS is a set of elements, called the signing space = Zn
• R is a 1-to-1 mapping from M to MS, called the redundancy function
• MR is the image of R: {y | y = R(x), x ∈ M}
• R^-1 is the inverse of R: MR → M

RSA signature generation and verification
• To sign a message m ∈ M, A should:
– Compute: m̃ = R(m), an integer in the range [0, n − 1], where R(m) is a redundancy function
– Compute: s = m̃^d mod n
– A's signature for m is s
• To verify A's signature and recover m, B should:
– Obtain A's authentic public key (n, e)
– Compute: m̃ = s^e mod n
– Verify that m̃ ∈ MR; if not, reject the signature
– Recover m = R^-1(m̃)

Proof that signature verification works
• Euler's theorem: a^φ(n) ≡ 1 mod n, gcd(a, n) = 1, where φ(n) is Euler's function of n
• If s is a signature for m, then: s ≡ m̃^d mod n, m̃ = R(m)
• Since n = pq, ed ≡ 1 (mod φ(n)), i.e. ed = 1 + φ(n)·q for some integer q, then:
  s^e ≡ m̃^(ed) ≡ m̃^(φ(n)·q + 1) ≡ m̃^(φ(n)·q) · m̃ ≡ m̃ (mod n)
• Finally: R^-1(m̃) = R^-1(R(m)) = m

RSA signature example
Alice:
• p = 5, q = 7, n = 35, φ(n) = 4·6 = 24
• e = 5, d: ed = 5d ≡ 1 mod 24 ⇒ d = 5
  Public key: (n = 35, e = 5); Private key: d = 5
• M = [0, n − 1]
• For all m ∈ M, R(m) = m
• m = 26, m̃ = R(m) = 26
  s = 26^5 mod 35 = 31
Bob:
– m̃ = s^e mod n = 31^5 mod 35 = 26 ∈ [0, n − 1]
– m = R^-1(m̃) = 26

Possible Attacks on RSA signature
• Integer factorization
– If an adversary is able to factor n, then n = pq, φ(n) = (p − 1)(q − 1), and he can find d: ed ≡ 1 (mod φ(n))
• Multiplicative property of RSA
– s1 ≡ m̃1^d (mod n), s2 ≡ m̃2^d (mod n)
– if m̃ = m̃1·m̃2 then s ≡ m̃^d ≡ (m̃1·m̃2)^d ≡ s1·s2 (mod n)
– If m̃ ∈ MR, then s is a valid signature for m with m̃ = R(m)
– Hence, to avoid this attack R must not be multiplicative, i.e. for a, b ∈ M, R(a·b) ≠ R(a)·R(b)

RSA (cont)
• Performance (p, q are k-bit primes)
– Signature O(k^3)
– Verification O(k^2)
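The following is an added example, not code from the slides: textbook RSA signing with message recovery through a redundancy function R, run on the slide's toy parameters (p = 5, q = 7, e = 5), together with a check of the multiplicative property the slides warn about. R is the identity, as in the slide example, so it is multiplicative and the membership test m̃ ∈ MR cannot reject anything.

```python
from math import gcd

def keygen(p: int, q: int, e: int):
    """RSA key generation from two given primes (toy sizes, for illustration)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # unique d in [1, phi) with e*d = 1 mod phi(n)
    return (n, e), d

# Redundancy function R: M -> MS and its inverse. As in the slide example,
# M = MS = Z_n and R is the identity, so M_R = Z_n and R is multiplicative.
def R(m: int) -> int:
    return m

def R_inv(m_tilde: int) -> int:
    return m_tilde

def sign(priv: int, n: int, m: int) -> int:
    m_tilde = R(m)                   # m~ = R(m), an integer in [0, n-1]
    return pow(m_tilde, priv, n)     # s = m~^d mod n

def verify_and_recover(pub, s: int):
    """Verification with message recovery: returns m, or None if m~ is not in M_R."""
    n, e = pub
    m_tilde = pow(s, e, n)           # m~ = s^e mod n
    if not 0 <= m_tilde < n:         # membership test in M_R (always true for identity R)
        return None
    return R_inv(m_tilde)

def product_signature(pub, s1: int, s2: int) -> int:
    """Multiplicative property: s1*s2 = m1~^d * m2~^d = (m1~ * m2~)^d (mod n),
    i.e. a valid signature on R^-1(m1~ * m2~ mod n) produced without d.
    A non-multiplicative R would make this product fall outside M_R."""
    n, _ = pub
    return (s1 * s2) % n

pub, d = keygen(5, 7, 5)             # n = 35, phi(n) = 24, d = 5
s = sign(d, pub[0], 26)              # slide example: s = 26^5 mod 35 = 31
```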

Schnorr Signature

Schnorr Signature: Salient Features
• Derived from the Schnorr identification scheme through the Fiat-Shamir transformation
• Based on the DLP
• Security argued using oracle replay attacks
• Uses the random oracle heuristic


Proof through Contradiction
• Consider a protocol P based on a hard problem Π
• Aim: Π is hard ⟹ P is not breakable
  ≡ P is breakable ⟹ Π is not hard
[Diagram: reduction in which B solves an instance of Π by playing the challenger C for an adversary A against P]
• Since Π is assumed to be hard, this leads to a contradiction.

Security Model
• Lays down the schema to be followed for giving security proofs
• Described using a game between a challenger C and an adversary A
[Diagram: C and A running protocol P]
• C simulates the protocol environment for A
• A wins the game if it solves the challenge given by C


Schnorr Signature: Random Oracles
• Heuristic aimed at simplifying security proofs of protocols involving hash functions.
• In proofs, the hash function is modelled as a truly random function H under the control of the challenger.
• A is given oracle access to this function.
[Diagram: C runs the protocol P with A; both query the random oracle H, which C controls]
• Proofs without random oracles are preferred.


Schnorr Signature: Preliminaries
PKS and its Security Models

Definition – Public-Key Signature
A PKS scheme consists of three PPT algorithms {K, S, V}:
• Key Generation:
– Used by the user to generate the public-private key pair (pk, sk)
– pk is published and sk is kept secret
– Run on a security parameter κ: (pk, sk) ←$ K(κ)
• Signing:
– Used by the user to generate a signature on some message m
– The secret key sk is used for signing: σ ←$ S(sk, m)
• Verification:
– Outputs 1 if σ is a valid signature on m, else outputs 0: result ← V(σ, m, pk)

Schnorr Signature: Preliminaries
Hardness Assumption: Discrete-log Assumption
Discrete-log problem for a group G = ⟨g⟩ with |G| = p: given (G, p, g, g^α), find α.
[Diagram: the DLP challenger C hands the instance to the adversary A, who must return α]

ElGamal Digital Signature .

Signature Generation .

Verification .

One-Time Signatures
• Definition: digital signature schemes used to sign at most one message; otherwise the signature can be forged. A new public key is required for each signed message.
• Most one-time signature schemes have the property that signature generation and verification are both very efficient

Rabin One-Time Signatures
• Key generation
– Select a symmetric-key encryption scheme E (e.g. DES)
– Generate 2n random secret strings k1, k2, ..., k2n, each of bit length l
– Compute yi = E_ki(M0(i)), i ∈ [1, 2n]
– Private key is (k1, k2, ..., k2n)
– Public key is (y1, y2, ..., y2n)

Rabin One-Time Signatures
• Signature Generation:
– compute si = E_ki(h(m)), i ∈ [1, 2n]
– signature is (s1, s2, ..., s2n)
• Verification:
– Compute h(m)
– Select n distinct random numbers rj ∈ [1, 2n], 1 ≤ j ≤ n
– Request from the signer the keys k_rj, 1 ≤ j ≤ n
– Verify the n received keys, i.e. does y_rj = E_krj(M0(rj))?
– Verify all s_rj = E_krj(h(m))

Rabin One-Time Signatures
• Resolution of disputes: signer A, verifier B and TTP
– B provides m and the signature to the TTP
– TTP gets the private key k1, ..., k2n from A
– TTP verifies the authenticity of the private key
– TTP computes ui = E_ki(h(m)), 1 ≤ i ≤ n. If ui = si for at most n values of i, it is a forgery. If n+1 or more values match, it is a valid signature
• Rationale for the dispute resolution protocol
– A can disavow with Pr = 1 / C(2n, n)
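An added example, not code from the slides, of the Rabin one-time signature: key generation, signing, the verifier's random challenge of n of the 2n keys, and the TTP's dispute check over all 2n keys. Assumptions: HMAC-SHA256 stands in for the symmetric scheme E (the slides use DES), M0(i) is a fixed encoding of the index i, and the signer's key disclosure is modelled by a callback the verifier calls.

```python
import hashlib, hmac, secrets

def E(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E_k(msg): a keyed function (HMAC-SHA256 instead of DES)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def M0(i: int) -> bytes:
    """Fixed public message for index i, constructed for this example."""
    return b"M0:" + i.to_bytes(4, "big")

def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()

def keygen(n: int, l_bytes: int = 16):
    """Private key: 2n random keys k_1..k_2n. Public key: y_i = E_ki(M0(i))."""
    keys = [secrets.token_bytes(l_bytes) for _ in range(2 * n)]
    y = [E(keys[i], M0(i + 1)) for i in range(2 * n)]
    return keys, y

def sign(keys, m: bytes):
    """One-time signature: s_i = E_ki(h(m)) for all 2n keys."""
    return [E(k, h(m)) for k in keys]

def verify(y, sig, m: bytes, reveal) -> bool:
    """reveal(indices) models asking the signer for the keys k_rj."""
    n = len(y) // 2
    r = secrets.SystemRandom().sample(range(2 * n), n)   # n distinct r_j
    for j, k in zip(r, reveal(r)):
        if E(k, M0(j + 1)) != y[j]:        # is the disclosed key authentic?
            return False
        if E(k, h(m)) != sig[j]:           # does s_rj = E_krj(h(m))?
            return False
    return True

def resolve_dispute(keys, sig, m: bytes) -> str:
    """TTP recomputes u_i = E_ki(h(m)) over all 2n keys and counts matches."""
    n = len(keys) // 2
    matches = sum(1 for k, s in zip(keys, sig) if E(k, h(m)) == s)
    return "valid" if matches >= n + 1 else "forgery"
```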

Blind signature scheme
• Definition: A sends a piece of information to B, B signs and returns the signature to A. From this signature, A can compute B's signature on an a priori message m of A's choice. At the completion of the protocol, B knows neither m, nor the signature associated with it.
• Application: e-cash

Blind signature scheme
• Chaum
– Sender A, Signer B
– B's RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 ≤ k < n
– Protocol actions
• (blinding) A: computes m* = m·k^e mod n, sends m* to B
  Note: (m·k^e)^d = m^d·k
• (signing) B: computes s* = (m*)^d mod n, sends s* to A
• (unblinding) A: computes s = k^-1·s* mod n
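An added example, not code from the slides, running Chaum's three protocol actions on the toy RSA key from the earlier example (p = 5, q = 7, e = 5). One caveat the block makes explicit: the unblinding step needs k^-1 mod n, so k must be coprime to n, which the slide's range 0 ≤ k < n alone does not guarantee; the helper resamples until it is.

```python
from math import gcd
import secrets

def keygen(p: int, q: int, e: int):
    """Toy RSA key for B (illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def pick_blinding_factor(n: int) -> int:
    """A's random secret k; resample until gcd(k, n) = 1 so k^-1 mod n exists."""
    while True:
        k = secrets.randbelow(n)
        if k > 1 and gcd(k, n) == 1:
            return k

def blind(pub, m: int, k: int) -> int:
    """(blinding) A: m* = m * k^e mod n, sent to B."""
    n, e = pub
    return (m * pow(k, e, n)) % n

def sign_blinded(d: int, n: int, m_star: int) -> int:
    """(signing) B: s* = (m*)^d mod n; B sees only m*, never m."""
    return pow(m_star, d, n)

def unblind(pub, s_star: int, k: int) -> int:
    """(unblinding) A: s = k^-1 * s* mod n, which equals m^d mod n since
    (m k^e)^d = m^d k (mod n)."""
    n, _ = pub
    return (pow(k, -1, n) * s_star) % n
```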