digital signatures
play

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn - PowerPoint PPT Presentation

Feb 02, 2023 •208 likes •944 views

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-17 1 Outline RSA-based signature schemes RSA-FDH: Full Domain Hash Random Oracle Model RSA-FDH: Security Digital

  1. Digital Signatures Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-17 1

  2. Outline RSA-based signature schemes RSA-FDH: Full Domain Hash Random Oracle Model RSA-FDH: Security Digital Signatures 2020-03-17 2

  3. Recap: RSA problem/assumption Setting: • N = P · Q , for large primes P , Q • ϕ ( N ) = ( P − 1)( Q − 1) = | Z ∗ N | • Choose e ∈ N uniformly between 1 and ϕ ( N ) with gcd( e , ϕ ( N )) = 1. • Then d ∈ N with e · d ≡ 1 mod ϕ ( N ) can be found efficiently from ϕ ( N ) and e . • For x ∈ Z N , we have x e · d ≡ x mod N . Digital Signatures 2020-03-17 3

  4. Recap: RSA problem/assumption RSA problem: • Given N , e as above and y ← Z N , find x ∈ Z N with x e ≡ y mod N . Digital Signatures 2020-03-17 4

  5. Recap: RSA problem/assumption RSA problem: • Given N , e as above and y ← Z N , find x ∈ Z N with x e ≡ y mod N . RSA assumption: • ∀ PPT A :   N , e as above : x e = y mod N Pr y ← Z N     x ← A (1 k , N , e , y ) negligible. Digital Signatures 2020-03-17 4

  6. “Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Digital Signatures 2020-03-17 5

  7. “Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Correctness: Digital Signatures 2020-03-17 5

  8. “Textbook RSA” • Gen (1 k ) : – choose P , Q , N , e as above – d := e − 1 mod ϕ ( N ) – pk = ( N , e ) – sk = ( N , d ) • Sign ( sk , m ) : σ := m d (mod N ) • Vfy ( pk , m , σ ) : σ e ? = m (mod N ) Correctness: σ e ≡ ( m d ) e ≡ m de mod ϕ ( N ) ≡ m 1 ≡ m (mod N ) Digital Signatures 2020-03-17 5

  9. Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery Digital Signatures 2020-03-17 6

  10. Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery • (Multiplicatively) homomorphic: – If σ 1 , σ 2 are valid signatures for m 1 , m 2 , – then σ 3 := σ 1 σ 2 mod N is valid for m 3 := m 1 m 2 mod N : 3 ≡ ( σ 1 σ 2 ) e ≡ σ e σ e 1 σ e 2 ≡ m 1 m 2 ≡ m 3 (mod N ) Digital Signatures 2020-03-17 6

  11. Security • Not EUF-NMA secure: – Choose σ ∗ ← Z N – Compute m ∗ := ( σ ∗ ) e mod N – Output ( m ∗ , σ ∗ ) as forgery • (Multiplicatively) homomorphic: – If σ 1 , σ 2 are valid signatures for m 1 , m 2 , – then σ 3 := σ 1 σ 2 mod N is valid for m 3 := m 1 m 2 mod N : 3 ≡ ( σ 1 σ 2 ) e ≡ σ e σ e 1 σ e 2 ≡ m 1 m 2 ≡ m 3 (mod N ) • Exercise : Textbook-RSA is UUF-NMA secure if the RSA assumption holds. Digital Signatures 2020-03-17 6

  12. RSA-based signatures Secure signatures based on RSA Often: suitable preprocessing /encoding of m • RSA PKCS #1 v1.5 • RSA-FDH (Full Domain Hash) • RSA-PSS (Probabilistic Signature Scheme, not in notes ) More schemes: • Gennaro-Halevi-Rabin scheme: – EUF-naCMA secure under stronger assumption • Hohenberger-Waters scheme (not covered here): – similar to GHR, but under standard RSA assumption Digital Signatures 2020-03-17 7

  13. RSA PKCS #1 v1.5 PKCS #1: • Public-Key Cryptography Standard #1 • Originally developed by RSA Security • Version 1.5: November 1993 • Today: Version 2.2 (October 2012) • Contains also variant of RSA-PSS – https://www.emc.com/emc-plus/rsa-labs/standards-initiatives/ pkcs-rsa-cryptography-standard.htm – https://tools.ietf.org/html/rfc3447 Digital Signatures 2020-03-17 8

  14. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA Digital Signatures 2020-03-17 9

  15. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) Digital Signatures 2020-03-17 9

  16. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature Digital Signatures 2020-03-17 9

  17. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature Digital Signatures 2020-03-17 9

  18. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary Digital Signatures 2020-03-17 9

  19. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary Digital Signatures 2020-03-17 9

  20. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value Digital Signatures 2020-03-17 9

  21. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value – σ := ( m ′ ) d (mod N ) Digital Signatures 2020-03-17 9

  22. RSA PKCS #1 v1.5 • Gen (1 k ) : as with Textbook-RSA • Sign ( sk , m ) : – let H be a collision-resistant hash function – encode m as padding which H ? m ′ := 0x00 � 0x01 � 0xFF � ... � 0xFF � 0x00 � spec. H � H ( m ) type of encoding: signature boundary hash value – σ := ( m ′ ) d (mod N ) • Vfy ( pk , m , σ ) : – compute m ′ := σ e (mod N ) – check if m ′ valid encoding of m Digital Signatures 2020-03-17 9

  23. RSA PKCS #1 v1.5: security Security? • not clear, but at least not (obviously) homomorphic • no attacks known, but also no security proof • exception: attack on implementation flaws Why relevant? • old, used in practice Digital Signatures 2020-03-17 10

  24. Socrative Self-checking with quizzes • Use following URL: https://b.socrative.com/login/student • . . . and enter room “HOFHEINZ8872” • Will also be in chat (so you can click on link) • No registration necessary • First quiz (about textbook RSA) start now! Digital Signatures 2020-03-17 11

  25. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Digital Signatures 2020-03-17 12

  26. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : Digital Signatures 2020-03-17 12

  27. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) Digital Signatures 2020-03-17 12

  28. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : Digital Signatures 2020-03-17 12

  29. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : σ e ? ≡ H ( m ) (mod N ) Digital Signatures 2020-03-17 12

  30. RSA-FDH • Let H := { 0, 1 } ∗ → Z N be a collision-resistant hash function • Idea: sign H ( m ) with Textbook RSA – Message space/domain of Textbook RSA: Z N – Hence naming: H hashes to full domain Z N Specifically: • Gen (1 k ) as with Textbook RSA • Sign ( sk , m ) : σ := H ( m ) d (mod N ) • Vfy ( pk , m , σ ) : σ e ? ≡ H ( m ) (mod N ) Correctness: clear Digital Signatures 2020-03-17 12

  31. Security of RSA-FDH Theorem If the RSA assumption holds, then RSA-FDH is EUF-CMA secure Digital Signatures 2020-03-17 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s, but adversary given VK Sig SK Ver VK s i = Sign SK (M i ) Ver VK (M,s) (M,s) M i VK Advantage =

693 views • 10 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-19 1 Outline Waters signatures Overview over course topics General remarks Digital Signatures 2020-05-19 2 Recap:

250 views • 20 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

627 views • 52 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-31 1 Outline Gennaro-Halevi-Rabin signatures Chameleon hash functions Digital Signatures 2020-03-31 2 RSA

785 views • 29 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-24 1 Outline Parameter choices RSA-PSS Genaro-Halevi-Rabin signatures Digital Signatures 2020-03-24 2 Recap Last

661 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-10 1 Outline Recap: one-time signatures From EUF-naCMA security to EUF-CMA security Interlude: proof strategies Security proof

336 views • 20 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-04-07 1 Outline Chameleon Signatures CH functions are one-time signatures sEUF-CMA from chameleon hashing Digital

585 views • 44 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-05-05 1 Outline More on BLS signatures Programmable Hash Functions Waters PHF Digital Signatures 2020-05-05 2

441 views • 13 slides
Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single-

Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single-

Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single- and Double-port SRAM the ROM seems to work fine there are building blocks fabricated examples that work the SRAM isnt as good

301 views • 6 slides
Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar

Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar

Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar Objectives Understand the importance of a strong brand Discuss basic principles of branding and tips for defining your brand Share recommendations

627 views • 59 slides
Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy

Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy

Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy is 0. At a height of 15 meters the ball has a potential energy of 60 joules and is moving upward with a kinetic energy of 40 joules. AP Physics C

199 views • 7 slides
CS 354 Autonomous Robotics Particle Filters Instructors: Dr. Kevin Molloy and Dr. Nathan

CS 354 Autonomous Robotics Particle Filters Instructors: Dr. Kevin Molloy and Dr. Nathan

CS 354 Autonomous Robotics Particle Filters Instructors: Dr. Kevin Molloy and Dr. Nathan Sprague SA-1 Objectives Process of determining where a mobile Localization robot is located with respect to its environment. Methods we know so far:

352 views • 31 slides
Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1 The work reported on here is very much work in progress. The UCE definition has evolved since this talk and

774 views • 44 slides
Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder

Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder

Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder IETF 81, Quebec, 2011-07-26 1 / 22 SNMP on Constrained Devices 1 SNMP on Constrained Devices 2 NETCONF on Constrained Devices (NETCONF Light) 3

340 views • 22 slides
Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics covered Basic concepts/Scheduling criteria Non-preemptive and Preemptive scheduling Scheduling algorithms Algorithm evaluation CPSC

422 views • 20 slides
Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even

Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even

Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even section) CS39002 Spring 2019-20 The key concepts so far CPU burst, I/O burst CPU scheduler (which process should execute next) The key concepts

767 views • 66 slides

More recommend