Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter - - PowerPoint PPT Presentation

Signature Schemes

CR Chester Rebeiro IIT Madras

STINSON : chapter 7

Recall : MACs

Alice Bob Message “Attack at Dawn!!” Message Digest

y = hK(x)

hK

unsecure channel

hK =

K K

CR

Message “Attack at Dawn!!”

2

MACs allow Bob to be certain that

• the message has originated from Alice
• the message was not tampered during communication

MAC cannot

• prevent Bob from creating forgeries (i.e., messages in the name of Alice)
• cannot prove Authenticity to someone without sharing the secret key K

Digital Signatures solve both these problems

Digital Signatures

• A token sent along with the message that achieves

– Authentication – Non-repudiation – Integrity

CR

• Based on public key cryptography

3

Public key Certificates

TA Bob’s Certificate{ Bob’s public key in plaintext Signature of the certifying authority

• ther information

} Important application of digital signatures

CR

To communicate with Bob, Alice gets his public key from a trusted authority (TA) A trusted authority could be a Government agency, Verisign, etc. A signature from the TA, ensures that the public key is authentic.

4

Digital Signature

Alice (x, y) sigK

Alice’s Private Key

y = digital signature Everyone Else ver Alice’s TRUE / FALSE

CR

Message x = “Attack at Dawn!!”

5

Signing Function y = siga(x) Input : Message (x) and Alice’s private key Output: Digital Signature of Message unsecure channel verK Alice’s Public Key Verifying Function verb(x, y) Input : digital signature, message Output : true or false

true if signature valid false otherwise

Digital Signatures (Formally)

CR

6

Forgery Algorithm

Forgery

Mallory Everyone Else (x, y) ver Alice’s digital signature TRUE

CR

7

If Mallory can create a valid digital signature such that verK(x, y) = TRUE for a message not previously signed by Alice, then the pair (x, y) forms a forgery unsecure channel verK Alice’s Public Key

Security Models for Digital Signatures

• Total break:

Mallory can determine Alice’s private key (therefore can generate any number of signed messages)

• Selective forgery:

Diff Goals of Attacker Assumptions

CR

• Selective forgery:

Given a message x, Mallory can determine y, such that (x, y) is a valid signature from Alice

• Existential forgery:

Mallory is able to create y for some x, such that (x, y) is a valid signature from Alice

8

Difficulty Level

Security Models for Digital Signatures

• Key-only attack :

Mallory only has Alice’s public key (i.e. only has access to the verification function, ver)

• Known-message attack :

Weak Goals of Attacker Assumptions

CR

• Known-message attack :

Mallory only has a list of messages signed by Alice (x1, y1), (x2, y2), (x3, y3), (x4, y4), …..

• Chosen-message attack :

Mallory chooses messages x1, x2, x3, …….. and tricks Alice into providing the corresponding signatures y1, y2, y3 (resp.)

9

Strong

First Attempt making a digital signature (using RSA)

) , ( mod ){ ( y x return n x y x sig

a

≡ ) mod ( ){ , ( TRUE return n y x if y x ver

b

≡ ) , ( y x (n) b- a pq n q p a n b ϕ mod 1 ; private , , public , ≡ =

CR

10

} ) , ( y x return } FALSE return else x is the message here and (x, y) the signature

A Forgery for the RSA signature (First Forgery)

) , ( mod ){ ( y x return n x y x sig

a

≡ ) mod ( ){ , ( TRUE return n y x if y x ver

b K

≡ ) , ( y x (n) b- a pq n q p a n b ϕ mod 1 ; private , , public , ≡ =

CR

11

} ) , ( y x return } FALSE return else } ) , ( mod random a select (){ y x return n y x compute y forgery

b

≡ Key only, existential forgery

Second Forgery

Suppose Alice creates signatures of two messages x1 and x2

) , ( mod ) ( ) , ( mod ) (

2 2 2 2 2 2 1 1 1 1 1 1

y x n x y x sig y y x n x y x sig y

a a

≡ → = ≡ → =

CR

12

n x x y y forgery a is n y y n x x

a a

mod ) mod , mod (

2 1

2 1 2 1 2 1

≡

Mallory can use the multiplicative property of RSA to create a forgery

Known message, existential forgery

RSA Digital Signatures

){ (x sig private , , public , q p a n b ){ , ( y x ver Incorporate a hash function in the scheme to prevent forgery

CR

13

} ) , ( mod ) ( ){ ( y x return n z y x h z x sig

a

≡ = } ) mod ( ) ( ){ , ( FALSE return else TRUE return n y z if x h z y x ver

b K

≡ = ) , ( y x x is the message here, (x, y) the signature and h is a hash function

How does the hash function help?

Preventing the First Forgery ) , ( ) ( ' . : mod ' random a select (){ y x return x h z st x preimage I compute n y z compute y forgery

st b

= ≡

CR

Forgery becomes equivalent to the first preimage attack on the hash function

14

} ) , ( y x return

How does the hash function help?

Preventing the Second Forgery n x x n x h x h y y difficult is n y y n x x

a a a a

mod mod ) ( ) ( ) mod , mod (

2 1 2 1 2 1 2 1 2 1

≡ ≡

CR

creating such a forgery is unlikely

15

How does the hash function help?

Another Forgery prevented } ) , ' ( ' ) ' ( ) ( . . ' : ) ( ){ , ( y x return x x and x h x h t s x find preimage II compute x h compute y x forgery

nd

≠ =

CR

Given a valid signature (x,y) find (x’,y) creating such a forgery is equivalent to solving the 2nd preimage problem of the hash functionw

16

}

ElGamal Signature Scheme

• 1985
• Variant adopted by NIST as the DSA

(DSA: standard for digital signature algorithm)

• Based on the difficult of the discrete log problem

CR

• Based on the difficult of the discrete log problem

17

ElGamal Signing

p p p a a Z p

a p

, , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈

Initialization

CR

18

a p : key Private , , : Parameters Public } ) , ( ) , ( 1 mod ) ( mod 1 ) 1 , gcd( . . random secret a select ){ (

1

y x return y p k a x p p k t s k x sig

k

δ γ γ δ α γ = − − ≡ ≡ = −

−

Signing Message x

The use of a random secret k for every signature makes ElGamal non-deterministic

ElGamal Verifying

p p p a a Z p

a p

, , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈

Initialization

CR

19

a p : key Private , , : Parameters Public } ) ( mod mod )){ , ( , (

2 1 2 1

FALSE return else TRUE return t t if p t compute p t compute x ver

x

= ≡ ≡

δ γγ

β α δ γ

Verifying Signature (x,y)

ElGamal Correctness

p p p a a Z p

a p

, , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈

Initialization

) , ( 1 mod ) ( mod random secret a select ){ (

1

y p k a x p k x sig

k

δ γ γ δ α γ = − − ≡ ≡

−

Signing Message x

) ( mod mod )){ , ( , (

2 1 2 1

TRUE return t t if p t compute p t compute x ver

x

= ≡ ≡

δ γγ

β α δ γ

Verifying Signature (x,y)

CR

20

a p : key Private , , : Parameters Public } ) , ( ) , ( y x return y δ γ = } ) (

2 1

FALSE return else TRUE return t t if p p p p t p t p x k a that note First

x k a k a x

mod mod mod ) ( ) ( mod mod ) 1 ( mod

1 2

α α α α α γ β δ γ

δ γ δ γ δ γ

≡ ≡ + ≡ ≡ ≡ − ≡ +

+

if the signature is valid, t1 = t2 correctness

Example

132 467 mod 2 mod 127 a 467

127

= = ≡ = 2 = = p p

a

α β α

Signature of message x = 100

CR

21

132 =

51 466 mod 431 ) 29 2 100 ( 1 mod ) 29 467 mod 2 mod 431 1 mod ) ( 213

1 213 1

= ⋅ − = − − ( = = = = = − =

− −

p k a x p p k randomly chosen k

k

γ δ α γ

Signature of message x = 100

TRUE p p p

x

189 mod 2 mod 189 467 mod 29 132 mod

100 51 29

= = = = α γ β

δ γ

Verifying

Security of ElGamal Signature Scheme (against Selective forgery)

TRUE x ver x = )) , ( , ( that such ) , ( find to needs Mallory , an Given δ γ δ γ

γ γ δ γ

β α δ α γ β δ γ

−

= ≡

x x

p t s log mod . . compute to try then , for value a Choose

This is the intractable discrete log problem Attempt 1

CR

22

p t s

x mod

. . compute to try then , for value a Choose α γ β γ δ

δ γ

≡

This is not related to the discrete log problem. There is no known solution for this. Attempt 2

p t s

x mod

. . , usly simultaneo and for value Choose α γ β δ γ

δ γ

≡

No way known. Attempt 3

Security of ElGamal Signature Scheme (against Existential forgery)

TRUE x ver x, = )) , ( , ( that such )) , ( ( an find to needs Mallory δ γ δ γ p p form p i i some choose

i

− − ≡ ≡ − ≤ ≤ ) 1 mod( mod ). 2 ( γ δ β α γ

The one-parameter forgery rgery

CR

23

LHS p p p p p p RHS p TRUE x ver then p i x p

x i i a a i a a i i x

= ≡ ≡ ≡ ≡ ≡ ≡ ≡ = − ≡ − − ≡

+ − + +

mod mod mod mod mod mod ) ( mod )) , ( , ( , ). 1 mod( ) 1 mod( α α α α α α β β α β γ β α δ γ δ γ δ

δ δ γ γ δ δ γ δ δ γ δ γ δ γ

proof forger

Security of ElGamal Signature Scheme (against Existential forgery)

TRUE x ver x, = )) , ( , ( that such )) , ( ( an find to needs Mallory δ γ δ γ p j p j i j i some choose = − − ≤ ≤ ). 1 ) 1 , gcd( ; 2 , ( ,

The two-parameter forgery

CR

24

TRUE x ver then p ij x p j p form p j p j i j i some choose

j i

= − ≡ − − ≡ ≡ = − − ≤ ≤

− −

)) , ( , ( , ). 1 mod( ) 1 mod( mod ). 1 ) 1 , gcd( ; 2 , ( ,

1 1

δ γ γ γ δ β α γ

forgery Prevent Existential Forgeries by hashing the message

Improper use of ElGamal’s Signature Scheme

1. What if k is not a secret?

) , ( ) , ( 1 mod ) ( mod random secret a select ){ (

1

y x return y p k a x p k x sig

k

δ γ γ δ α γ = − − ≡ ≡

−

). 1 mod( ) ( follows as computed be can secret 1 ) 1 , gcd(

1

− − = = −

−

p k x a a then p if γ δ γ

CR

25

} ) , ( y x return

The secret key ‘a’ is retrieved and Mallory can create many forgeries

Improper use of ElGamal’s Signature Scheme

mod random secret a select ){ ( p k x sig

k

α γ ≡

−

, ) ( ) (

2 1

then and are signatures The k same the with signed x and x messages different two have we say Lets

2 1

, , δ γ δ γ

• 2. What if k is reused?

CR

26

} ) , ( ) , ( 1 mod ) (

1

y x return y p k a x δ γ γ δ = − − ≡

−

dividing Representing in terms of α =>

Improper use of ElGamal’s Signature Scheme

CR

27

ElGamal Signature Length

• Generally p is a prime of length 1024 bits
• The signature comprises of which is of length 2048 bits

) ,δ γ (

CR

Schnorr’s Signature Scheme is a modification of the ElGamal signature scheme with signatures of length around 320 bits

28

DSA (Digital Signature Standard)

q p p q a a q q p q t s bit q bit p

a

, , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

Initialization choose some α And compute

CR

29

a q p : key Private , , , : Parameters Public β α

And compute α(p-1)/q mod p

DSA (Signing Function)

q p p q a a q q p q t s bit q bit p

a

, , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

Initialization

CR

30

a q p : key Private , , , : Parameters Public β α } ) , ( ) , ( mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

y x return y q k a x SHA q p q k t s k x sig

k

δ γ γ δ α γ = + ≡ ≡ =

−

Signing Message x

The use of a random secret k for every signature makes ElGamal non-deterministic

DSA (Verifying Function)

q p p q a a q q p q t s bit q bit p

a

, , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

Initialization

CR

31

a q p : key Private , , , : Parameters Public β α } ) , ( ) , ( mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

y x return y q k a x SHA q p q k t s k x sig

k

δ γ γ δ α γ = + ≡ ≡ =

−

Signing Message x

} ) mod ( mod ) mod ( mod mod ) ( mod )){ , ( , (

2 1

2 1 1

FALSE return else TRUE return q v if q p v compute q w t compute q x SHA w t compute q w compute x ver

t t

γ β α γ δ δ γ ≡ ⋅ ≡ ⋅ ≡ ⋅ ≡ ≡

−

Verifying Signature

DSA (Correctness)

a p q p

a

: key Private ) mod ( , , , : Parameters Public α β β α ≡

Initialization

mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

q k a x SHA q p q k t s k x sig

k

γ δ α γ + ≡ ≡ =

−

Signing Message x

mod ) mod ( mod mod ) ( mod )){ , ( , (

2 1

2 1 1

q p v compute q w t compute q x SHA w t compute q w compute x ver

t t

β α γ δ δ γ ⋅ ≡ ⋅ ≡ ⋅ ≡ ≡

−

Verifying Signature

CR

32

} ) , ( ) , ( mod ) ) ( ( y x return y q k a x SHA δ γ γ δ = + ≡ } ) mod ( mod ) mod ( FALSE return else TRUE return q v if q p v compute γ β α ≡ ⋅ ≡

q at t k q wa x wSHA q a x SHA k q k a x SHA mod ) ( mod ) ) ( mod ) ) ( mod ) ) (

2 1 1 1

+ ≡ + ( = + ( ≡ + ( ≡

− −

γ δ γ γ δ q p sides both

• n

q Take p p

t t t t k q at t k

mod ) mod ( mod mod mod

2 1 2 1 2 1

mod ) (

β α γ β α α α α ≡ ≡ ≡

+

Security of DSA

• There are two ways to attack the DSA (attempt

to recover the secret a)

– Target the large cyclic group Zp – Target the smaller group Zq

CR

– Target the smaller group Zq

33

Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits

Security of DSA

• There are two ways to attack the DSA (attempt

to recover the secret a)

– Target the large cyclic group Zp – Target the smaller group Zq

CR

– Target the smaller group Zq

34

Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits Thus the size of p dictates the size of q.

Schnorr Signature Scheme (uses a hash function to get smaller signatures)

a q q a a p p Z p q and bits size

• f

q bits size

• f

p

a q p p

: Private mod Compute ) ( from randomly Choose mod 1

• f

root q the is mod then element primitive a be Let ) 1 ( | ) 160 ( prime smaller a Choose ) 1024 ( prime large a Choose

th / ) 1 ( *

α β α α α = < ≤ = ∈ −

−

Initialization

CR

35

q p a , , : Private : Private β α, } ) , ( ) , ( mod ) mod || ( . 1 1 . . random secret a select ){ ( y x return y p a k p x h q k t s k x sig

k

δ γ γ δ α γ = + = = − ≤ ≤

Signing Message x

} ) ( ) mod || ( )){ , ( , (

1 1

FALSE return else TRUE return t if p x h t compute x ver γ β α δ γ

γ δ

= ≡

−

Verifying Signature (x,y)