Digital Signature Schemes 1 What is digital signature? Properties - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Digital Signature Schemes

slide-2
SLIDE 2

What is digital signature? Properties

  • “Who signed what” is publicly verifiable
  • Unforgeable
slide-3
SLIDE 3

A Digital Signature Scheme

Key generation algorithm $G$ (probabilistic)

  $(pk, sk) \leftarrow G(1^\ell)$

  • $\ell$: security parameter
  • $(pk, sk)$: public/secret key pair

Signing algorithm $S$ (probabilistic or deterministic)

  $s \leftarrow S(pk, sk, m)$

  • $m$: message; $s$: signature for $m$

Verification algorithm $V$ (deterministic)

  $d \leftarrow V(pk, m, s)$

  • $d \in \{\text{true}, \text{false}\}$

slide-4
SLIDE 4

The RSA Scheme

public key $n, e$

  • $n = pq$, where $p$ and $q$ are distinct odd primes
  • $e$ satisfies $\gcd(e, \varphi(n)) = 1$

secret key $d, p, q$

  • $de \equiv 1 \pmod{\varphi(n)}$

sign $s$ is the signature of a message $m \in \mathbb{Z}_n$

  $s = m^d \bmod n$

verification $s$ is a valid signature of $m$ if

  $m \equiv s^e \pmod{n}$

slide-5
SLIDE 5

The ElGamal Scheme (1/2)

public key $p, g, y$

  • $p$ is a prime
  • $g \in \mathbb{Z}_p^*$ is a primitive element modulo $p$
  • $y = g^x \bmod p$

secret key $x \in \mathbb{Z}_{p-1}$

slide-6
SLIDE 6

The ElGamal Scheme (2/2)

sign $(a, b)$ is a signature of a message $m \in \mathbb{Z}_{p-1}$

  • 1. Select $k \in \mathbb{Z}_{p-1}^*$ randomly, that is, $\gcd(k, p-1) = 1$
  • 2. $a = g^k \bmod p$
  • 3. $b = (m - xa)k^{-1} \bmod (p-1)$

verification $(a, b)$ is a valid signature of $m$ if

  $g^m \equiv y^a a^b \pmod{p}$

slide-7
SLIDE 7

Misuse of the ElGamal Scheme (1/2)

Do not use the same $k$ for signing different messages!

Suppose that $k$ is used for signing different $m_1, m_2$

  • $a, b_1$: a signature for $m_1$
  • $a, b_2$: a signature for $m_2$, where $a = g^k \bmod p$

Then, from the signing algorithm,

  $m_1 = ax + kb_1 \bmod (p-1)$
  $m_2 = ax + kb_2 \bmod (p-1)$

  $m_1 - m_2 \equiv k(b_1 - b_2) \pmod{p-1}$

slide-8
SLIDE 8

Misuse of the ElGamal Scheme (2/2)

Let $\gcd(b_1 - b_2, p-1) = d$ and

  $\tilde{m} = \dfrac{m_1 - m_2}{d}$, $\tilde{b} = \dfrac{b_1 - b_2}{d}$, $\tilde{p} = \dfrac{p-1}{d}$

Then,

  $\tilde{m} \equiv k\tilde{b} \pmod{\tilde{p}}$

Let $\tilde{k} = \tilde{m}\tilde{b}^{-1} \bmod \tilde{p}$. Then, $k = i\tilde{p} + \tilde{k}$ for $\exists i \in \mathbb{Z}_d$.

The right value of $k$ is determined by $a = g^k \bmod p$.

Once $k$ is known, the secret key $x$ can be recovered by

  $x = (m_1 - kb_1)a^{-1} \bmod (p-1)$
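
The recovery described on the two slides above, as an added Python example (not part of the original slides): the parameters p = 467, g = 2 and all function names are constructed for illustration. The last step goes beyond the slide's formula by also covering gcd(a, p − 1) ≠ 1, testing each candidate x against y, and `shares_k` is the matching audit check a signer can run over issued signatures.

```python
from math import gcd

# Constructed toy parameters, far too small for real use: P prime, G primitive mod P.
P, G = 467, 2

def sign(x, k, m):
    """ElGamal signature (a, b) on m under secret key x, with k passed in explicitly."""
    n = P - 1
    if gcd(k, n) != 1:
        raise ValueError("k must be invertible mod p-1")
    a = pow(G, k, P)
    return a, (m - x * a) * pow(k, -1, n) % n

def verify(y, m, a, b):
    """Accept iff g^m == y^a * a^b (mod p)."""
    return 0 < a < P and pow(G, m, P) == pow(y, a, P) * pow(a, b, P) % P

def solve_linear(c, t, n):
    """All z in Z_n with c*z == t (mod n), found by dividing through by d = gcd(c, n)."""
    d = gcd(c, n)
    if t % d:
        return []
    nd = n // d
    z0 = (t // d) * pow(c // d, -1, nd) % nd if nd > 1 else 0
    return [z0 + i * nd for i in range(d)]

def recover_from_reuse(y, m1, sig1, m2, sig2):
    """Return (k, x) if both signatures share a = g^k mod p, else None."""
    (a, b1), (a2, b2) = sig1, sig2
    n = P - 1
    if a != a2:
        return None                       # different k: the equations do not combine
    for k in solve_linear((b1 - b2) % n, (m1 - m2) % n, n):
        if pow(G, k, P) != a:
            continue                      # a wrong one of the d candidates i*p~ + k~
        for x in solve_linear(a % n, (m1 - k * b1) % n, n):
            if pow(G, x, P) == y:         # the slide's formula is the gcd(a, p-1) = 1 case
                return k, x
    return None

def shares_k(signatures):
    """Audit check over issued signatures: True if any two have the same a."""
    seen = [a for a, _ in signatures]
    return len(seen) != len(set(seen))
```

With m1 − m2 even, gcd(b1 − b2, p − 1) = 2 for these parameters, so the candidate loop over i is actually exercised.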

slide-9
SLIDE 9

The Digital Signature Algorithm (DSA)

  • A modification of the ElGamal scheme
  • Proposed by the U.S. National Institute of Standards and Technology (NIST) in August 1991
  • Became a U.S. Federal Information Processing Standard (FIPS 186) in 1994, called the Digital Signature Standard (DSS)

slide-10
SLIDE 10

The Digital Signature Algorithm (DSA)

public key $p, q, g, y$

  • $p, q$ are primes such that
    – $2^{159} < q < 2^{160}$
    – $2^{511+64t} < p < 2^{512+64t}$ for some $0 \le t \le 8$
    – $q$ divides $p - 1$
  • $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod{p}$
  • $y = g^x \bmod p$

secret key $x \in \mathbb{Z}_q$

slide-11
SLIDE 11

The Digital Signature Algorithm (DSA)

sign $(a, b)$ is a signature of a message $m \in \mathbb{Z}_q$

  • 1. Select $k \in \mathbb{Z}_q^*$ randomly
  • 2. $a = (g^k \bmod p) \bmod q$
  • 3. $b = (m + xa)k^{-1} \bmod q$

verification $(a, b)$ is a valid signature of $m$ if

  $(g^{u_1} y^{u_2} \bmod p) \bmod q = a$

where

  $u_1 = mb^{-1} \bmod q$
  $u_2 = ab^{-1} \bmod q$

slide-12
SLIDE 12

How the Verification Works

From the signing algorithm,

  $b = (m + xa)k^{-1} \bmod q$
  $k = (m + xa)b^{-1} \bmod q$

Thus,

  $g^k \equiv g^{mb^{-1}} g^{xab^{-1}} \pmod{p}$
  $g^k \equiv g^{mb^{-1}} y^{ab^{-1}} \pmod{p}$

slide-13
SLIDE 13

The Schnorr Scheme

public key $p, q, g, y$

  • $p, q$ are primes such that $q \mid p - 1$
  • $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod{p}$
  • $y = g^x \bmod p$

secret key $x \in \mathbb{Z}_q$

This scheme also requires a collision-resistant hash function $h : \{0, 1\}^* \to \mathbb{Z}_q^*$.

slide-14
SLIDE 14

The Schnorr Scheme

sign $(e, s)$ is a signature of a message $m$

  • 1. Select $k \in \mathbb{Z}_q^*$ randomly
  • 2. $e = h(r, m)$ where $r = g^k \bmod p$
  • 3. $s = k - ex \bmod q$

verification $(e, s)$ is a valid signature of $m$ if

  $e = h(r', m)$ where $r' = g^s y^e \bmod p$

slide-15
SLIDE 15

Digital Signature and Message Digest

To sign a message $m$ with arbitrary length, a signer first computes a message digest of $m$, $h(m)$, with a hash function $h$ and creates a signature for $h(m)$. The hash function $h$ should be collision-resistant.

  • Def. 1 A hash function $h : D \to R$ is collision-resistant if it is difficult to find a pair of inputs $x, x' \in D$ such that $h(x) = h(x')$ and $x \ne x'$.

slide-16
SLIDE 16

Security of Signature Schemes (1/2)

Adversarial goal

  • total break

An adversary is able to create a valid signature for any message.

  • selective forgery

An adversary is able to create a valid signature for a given message chosen by someone else.

  • existential forgery

An adversary is able to create a valid signature for at least one message.

slide-17
SLIDE 17

Security of Signature Schemes (2/2)

Attack

  • key-only attack

An adversary only knows the public key of the signer.

  • known message attack

An adversary knows a list of messages and their corresponding signatures.

  • chosen message attack

An adversary is able to request signatures for messages he selects.

slide-18
SLIDE 18

Chosen Message Attack

[Figure: Adversary A selects $m_i$ and sends it to Oracle O; Oracle O returns $s_i \leftarrow S(pk, sk, m_i)$, giving the adversary signatures $s_1, \ldots, s_q$.]

slide-19
SLIDE 19

Provably Secure Signature Schemes

Efficient and provably secure schemes have been proposed based on the intractability of number theoretic problems in the random oracle model.

These schemes are secure against existential forgery with a chosen message attack.

slide-20
SLIDE 20

The Schnorr Scheme Is Provably Secure

  • Thm. 1 Suppose that the discrete logarithm problem is intractable. Then, the Schnorr scheme is secure against existential forgery with a chosen message attack in the random oracle model.

  • (Proof sketch) In the random oracle model,
    • An oracle is able to simulate the signer without the secret key.
    • If an adversary is able to create a valid signature with non-negligible probability, then an algorithm can be constructed that computes the discrete logarithm of the public key with non-negligible probability using the adversary as a subroutine.

slide-21
SLIDE 21

Simulation of the Signer in the Random Oracle Model

public key $p, q, g, y$

secret key $x \in \mathbb{Z}_q$, where $y = g^x \bmod p$

Suppose that an adversary requests a signature for $m$. The oracle computes $(e, s)$ in the following way and returns it to the adversary.

  • 1. Select $e, s \in \mathbb{Z}_q^*$ randomly and compute $\tilde{r} = g^s y^e \bmod p$
  • 2. Set $e = h(\tilde{r}, m)$

slide-22
SLIDE 22

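Simulation of the Signer in the Random Oracle Model

[Figure: two panels. In one, the Adversary sends $m_i$ to the Oracle and receives $(e_i, s_i)$, with the random oracle $h$ under control. In the other, the Adversary sends $m_i$ to the Signer and receives $(e_i, s_i)$, with the random oracle $h$.]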

Adversaries cannot distinguish between the above two situations.
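
The simulation described on the last two slides, as an added Python example (not part of the original slides): the random oracle is modelled as a lazily filled table that its owner may program, and `simulate` produces signatures that verify under that oracle without ever using x. The group p = 7879, q = 101 and all names are constructed for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: Q is prime and divides P - 1.
P, Q = 7879, 101
# Any h^((P-1)/Q) other than 1 has order Q, so this G satisfies G^Q == 1 (mod P).
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, P)) if g != 1)

class RandomOracle:
    """h: (r, m) -> Z_q^*, sampled lazily; its owner may fix points not yet answered."""
    def __init__(self):
        self.table = {}

    def query(self, r, m):
        if (r, m) not in self.table:
            self.table[(r, m)] = 1 + secrets.randbelow(Q - 1)
        return self.table[(r, m)]

    def program(self, r, m, e):
        """Set h(r, m) = e; refuse if that point was already answered differently."""
        if self.table.get((r, m), e) != e:
            return False
        self.table[(r, m)] = e
        return True

def sign(x, m, oracle):
    """Real signer: needs the secret key x."""
    k = 1 + secrets.randbelow(Q - 1)
    e = oracle.query(pow(G, k, P), m)
    return e, (k - e * x) % Q

def verify(y, m, e, s, oracle):
    """Accept iff e == h(g^s * y^e mod p, m)."""
    return e == oracle.query(pow(G, s, P) * pow(y, e, P) % P, m)

def simulate(y, m, oracle):
    """Simulated signer: uses only the public key y and control of the oracle."""
    while True:
        e, s = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
        r = pow(G, s, P) * pow(y, e, P) % P
        if oracle.program(r, m, e):       # retry only if h(r, m) was already taken
            return e, s
```

The simulated signatures are valid only with respect to the programmed table, which is why the argument lives in the random oracle model and does not carry over to a fixed public hash function.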