Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : - - PowerPoint PPT Presentation

CR CR

Signature Schemes

Chester Rebeiro IIT Madras

STINSON : chapter 7

CR CR

Recall : MACs

Alice Bob Message “A=ack at Dawn!!”

2

“A=ack at Dawn!!” Message Digest MACs allow Bob to be certain that

• the message has originated from Alice
• the message was not tampered during communicaHon

y = hK(x)

hK

unsecure channel

hK =

K K MAC cannot

• prevent Bob from creaHng forgeries (i.e., messages in the name of Alice)
• cannot prove AuthenHcity to someone without sharing the secret key K

Digital Signatures solve both these problems

CR CR

Digital Signatures

• A token sent along with the message that achieves

– AuthenHcaHon – Non-repudiaHon – Integrity

• Based on public key cryptography

3

CR CR

Public key Cer@ficates

To communicate with Bob, Alice gets his public key from a trusted authority (TA) A trusted authority could be a Government agency, Verisign, etc. A signature from the TA, ensures that the public key is authenHc.

4

TA Bob’s CerHficate{ Bob’s public key in plaintext Signature of the cerHfying authority

• ther informaHon

} Important applicaHon of digital signatures

CR CR

Digital Signature

Alice Message x = “A=ack at Dawn!!”

5

(x, y) Signing Func@on y = siga(x) Input : Message (x) and Alice’s private key Output: Digital Signature of Message sigK unsecure channel

Alice’s Private Key

y = digital signature Everyone Else verK Alice’s Public Key Verifying Func@on verb(x, y) Input : digital signature, message Output : true or false

true if signature valid false otherwise

TRUE / FALSE

CR CR

Digital Signatures (Formally)

6

CR CR

Forgery Algorithm

Forgery

Mallory Everyone Else

7

(x, y) If Mallory can create a valid digital signature such that verK(x, y) = TRUE for a message not previously signed by Alice, then the pair (x, y) forms a forgery unsecure channel verK Alice’s Public Key digital signature TRUE

CR CR

Security Models for Digital Signatures

• Total break:

Mallory can determine Alice’s private key (therefore can generate any number of signed messages)

• Selec@ve forgery:

Given a message x, Mallory can determine y, such that (x, y) is a valid signature from Alice

• Existen@al forgery:

Mallory is able to create y for some x, such that (x, y) is a valid signature from Alice

8

Difficulty Level Goals of AQacker AssumpHons

CR CR

Security Models for Digital Signatures

• Key-only aQack :

Mallory only has Alice’s public key (i.e. only has access to the verificaHon funcHon, ver)

• Known-message aQack :

Mallory only has a list of messages signed by Alice (x1, y1), (x2, y2), (x3, y3), (x4, y4), …..

• Chosen-message aQack :

Mallory chooses messages x1, x2, x3, …….. and tricks Alice into providing the corresponding signatures y1, y2, y3 (resp.)

9

Strong Weak (needs a strong a=acker) Goals of A=acker Assump@ons

CR CR

First AQempt making a digital signature (using RSA)

10

} ) , ( mod ){ ( y x return n x y x sig

a

≡ } ) mod ( ){ , ( FALSE return else TRUE return n y x if y x ver

b

≡ ) , ( y x x is the message here and (x, y) the signature b,n public a, p,q private n = pq; a ≡ b-1 modφ(n)

CR CR

A Forgery for the RSA signature (First Forgery)

11

} ) , ( mod ){ ( y x return n x y x sig

a

≡ } ) mod ( ){ , ( FALSE return else TRUE return n y x if y x ver

b K

≡ ) , ( y x } ) , ( mod random a select (){ y x return n y x compute y forgery

b

≡

Key only, existenHal forgery

(n) b- a pq n q p a n b ϕ mod 1 ; private , , public , ≡ =

CR CR

Second Forgery

Suppose Alice creates signatures of two messages x1 and x2

12

) , ( mod ) ( ) , ( mod ) (

2 2 2 2 2 2 1 1 1 1 1 1

y x n x y x sig y y x n x y x sig y

a a

≡ → = ≡ → = n x x y y forgery a is n y y n x x

a a

mod ) mod , mod (

2 1

2 1 2 1 2 1

≡

Mallory can use the mul@plica@ve property of RSA to create a forgery

Known message, existenHal forgery

CR CR

RSA Digital Signatures

13

} ) , ( mod ) ( ){ ( y x return n z y x h z x sig

a

≡ = private , , public , q p a n b } ) mod ( ) ( ){ , ( FALSE return else TRUE return n y z if x h z y x ver

b K

≡ = ) , ( y x x is the message here, (x, y) the signature and h is a hash funcHon Incorporate a hash funcHon in the scheme to prevent forgery

CR CR

How does the hash func@on help?

Forgery becomes equivalent to the first preimage a=ack on the hash funcHon

14

PrevenHng the First Forgery

} ) , ( ) ( ' . : mod ' random a select (){ y x return x h z st x preimage I compute n y z compute y forgery

st b

= ≡

CR CR

How does the hash func@on help?

creaHng such a forgery is unlikely

15

PrevenHng the Second Forgery

n x x n x h x h y y difficult is n y y n x x

a a a a

mod mod ) ( ) ( ) mod , mod (

2 1 2 1 2 1 2 1 2 1

≡ ≡

CR CR

How does the hash func@on help?

Given a valid signature (x,y) find (x’,y) creaHng such a forgery is equivalent to solving the 2nd preimage problem of the hash funcHonw

16

Another Forgery prevented

} ) , ' ( ' ) ' ( ) ( . . ' : ) ( ){ , ( y x return x x and x h x h t s x find preimage II compute x h compute y x forgery

nd

≠ =

CR CR

ElGamal Signature Scheme

• 1985
• Variant adopted by NIST as the DSA

(DSA: standard for digital signature algorithm)

• Based on the difficult of the discrete log problem

17

CR CR

ElGamal Signing

18

a p p p a a Z p

a p

: key Private , , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈

IniHalizaHon

} ) , ( ) , ( 1 mod ) ( mod 1 ) 1 , gcd( . . random secret a select ){ (

1

y x return y p k a x p p k t s k x sig

k

δ γ γ δ α γ = − − ≡ ≡ = −

−

Signing Message x

The use of a random secret k for every signature makes ElGamal non-determinisHc

CR CR

ElGamal Verifying

19

a p p p a a Z p

a p

: key Private , , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈ } ) ( mod mod )){ , ( , (

2 1 2 1

FALSE return else TRUE return t t if p t compute p t compute x ver

x

= ≡ ≡

δ γγ

β α δ γ

Verifying Signature (x,y) IniHalizaHon

CR CR

ElGamal Correctness

20

a p p p a a Z p

a p

: key Private , , : Parameters Public mod Compute ) 1 ( Choose element primitive a be Let prime large a Choose

*

β α α β α ≡ − ≤ < ∈

IniHalizaHon

} ) , ( ) , ( 1 mod ) ( mod random secret a select ){ (

1

y x return y p k a x p k x sig

k

δ γ γ δ α γ = − − ≡ ≡

−

Signing Message x

} ) ( mod mod )){ , ( , (

2 1 2 1

FALSE return else TRUE return t t if p t compute p t compute x ver

x

= ≡ ≡

δ γγ

β α δ γ

Verifying Signature (x,y)

First note that aγ + kδ ≡ xmod(p−1) t2 ≡ βγγ δ mod p t1≡α x mod p ≡(α a)γ ⋅(α k)δ mod p ≡α aγ+kδ mod p ≡α x mod p

if the signature is valid, t1 = t2 correctness

CR CR

Example

21

132 467 mod 2 mod 127 a 467

127

= = ≡ = 2 = = p p

a

α β α

51 466 mod 431 ) 29 2 100 ( 1 mod ) 29 467 mod 2 mod 431 1 mod ) ( 213

1 213 1

= ⋅ − = − − ( = = = = = − =

− −

p k a x p p k randomly chosen k

k

γ δ α γ

Signature of message x = 100

TRUE p p p

x

189 mod 2 mod 189 467 mod 29 132 mod

100 51 29

= = = = α γ β

δ γ

Verifying

CR CR Security of ElGamal Signature Scheme (against Selec3ve forgery)

22

TRUE x ver x = )) , ( , ( that such ) , ( find to needs Mallory , an Given δ γ δ γ

γ γ δ γ

β α δ α γ β δ γ

−

= ≡

x x

p t s log mod . . compute to try then , for value a Choose

This is the intractable discrete log problem A=empt 1

p t s

x mod

. . compute to try then , for value a Choose α γ β γ δ

δ γ

≡

This is not related to the discrete log problem. There is no known soluHon for this. A=empt 2

p t s

x mod

. . , usly simultaneo and for value Choose α γ β δ γ

δ γ

≡

No way known. A=empt 3

CR CR

Security of ElGamal Signature Scheme (against Existen@al forgery)

23

TRUE x ver x, = )) , ( , ( that such )) , ( ( an find to needs Mallory δ γ δ γ choose some i (0 ≤ i ≤ p− 2). form γ ≡α iβ mod p δ ≡ −γ mod(p−1) x ≡ iδ mod(p−1). then, ver(x,(γ,δ)) = TRUE α x ≡ βγγ δ mod p RHS ≡ βγ (α iβ)δ mod p ≡ βγ+δα iδ mod p ≡α aγ+aδα iδ mod p ≡α aγ−aγ+iδ mod p ≡α iδ mod p ≡α x mod p = LHS

The one-parameter forgery proof forgery

CR CR

Security of ElGamal Signature Scheme (against Existen@al forgery)

24

TRUE x ver x, = )) , ( , ( that such )) , ( ( an find to needs Mallory δ γ δ γ TRUE x ver then p ij x p j p form p j p j i j i some choose

j i

= − ≡ − − ≡ ≡ = − − ≤ ≤

− −

)) , ( , ( , ). 1 mod( ) 1 mod( mod ). 1 ) 1 , gcd( ; 2 , ( ,

1 1

δ γ γ γ δ β α γ

The two-parameter forgery forgery Prevent ExistenHal Forgeries by hashing the message

CR CR

Improper use of ElGamal’s Signature Scheme

• 1. What if k is not a secret?

25

} ) , ( ) , ( 1 mod ) ( mod random secret a select ){ (

1

y x return y p k a x p k x sig

k

δ γ γ δ α γ = − − ≡ ≡

−

The secret key ‘a’ is retrieved and Mallory can create many forgeries

). 1 mod( ) ( follows as computed be can secret 1 ) 1 , gcd(

1

− − = = −

−

p k x a a then p if γ δ γ

CR CR

Improper use of ElGamal’s Signature Scheme

26

} ) , ( ) , ( 1 mod ) ( mod random secret a select ){ (

1

y x return y p k a x p k x sig

k

δ γ γ δ α γ = − − ≡ ≡

−

, ) ( ) (

2 1

then and are signatures The k same the with signed x and x messages different two have we say Lets

2 1

, , δ γ δ γ

• 2. What if k is reused?

dividing RepresenHng in terms of α =>

CR CR

Improper use of ElGamal’s Signature Scheme

27

CR CR

ElGamal Signature Length

• Generally p is a prime of length 1024 bits
• The signature comprises of which is of length 2048 bits

Schnorr’s Signature Scheme is a modificaHon of the ElGamal signature scheme with signatures of length around 320 bits

28

) ,δ γ (

CR CR

Schnorr Group

29

Let pbealargeprime and Z p

* thecorresponding multiplicative group

Selectanother primeq (< p) such that p ≡1modq i.e. q |(p−1) or p = qr +1 Choose a random h in the range 1< h < p s.t. hr ≠1mod p This hr isthe generatorof asubgroupof orderq note hr

q ≡1mod p

CR CR

Schnorr Group and Discrete Log

• When p is used, best known technique to solve discrete log is index-

calculus

For a 1024 bit prime, the complexity of index calculus is approx 280

• In the subgroup q, the best a=ack is pollard-rho which has a birthday

paradox complexity.

Thus a subgroup of size 2^160 will provide the same level of security

30

CR CR

DSA (Digital Signature Standard)

31

a q p p q a a q q p q t s bit q bit p

a

: key Private , , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

IniHalizaHon α(p-1)/q mod p

CR CR

DSA (Signing Func@on)

32

a q p p q a a q q p q t s bit q bit p

a

: key Private , , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

IniHalizaHon

} ) , ( ) , ( mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

y x return y q k a x SHA q p q k t s k x sig

k

δ γ γ δ α γ = + ≡ ≡ =

−

Signing Message x

The use of a random secret k for every signature makes ElGamal non-determinisHc

CR CR

DSA (Verifying Func@on)

33

a q p p q a a q q p q t s bit q bit p

a

: key Private , , , : Parameters Public mod Compute ) 1 ( Choose )

• rder
• f

subgroup a creates (

• rder
• f

Find 1 | . . ) 160 ( prime another Choose ) 1024 ( prime large a Choose β α α β α α ≡ − ≤ < −

IniHalizaHon

} ) , ( ) , ( mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

y x return y q k a x SHA q p q k t s k x sig

k

δ γ γ δ α γ = + ≡ ≡ =

−

Signing Message x

} ) mod ( mod ) mod ( mod mod ) ( mod )){ , ( , (

2 1

2 1 1

FALSE return else TRUE return q v if q p v compute q w t compute q x SHA w t compute q w compute x ver

t t

γ β α γ δ δ γ ≡ ⋅ ≡ ⋅ ≡ ⋅ ≡ ≡

−

Verifying Signature

CR CR

DSA (Correctness)

34

a p q p

a

: key Private ) mod ( , , , : Parameters Public α β β α ≡

IniHalizaHon

} ) , ( ) , ( mod ) ) ( ( mod ) mod ( 1 ) , gcd( . . random secret a select ){ (

1

y x return y q k a x SHA q p q k t s k x sig

k

δ γ γ δ α γ = + ≡ ≡ =

−

Signing Message x

} ) mod ( mod ) mod ( mod mod ) ( mod )){ , ( , (

2 1

2 1 1

FALSE return else TRUE return q v if q p v compute q w t compute q x SHA w t compute q w compute x ver

t t

γ β α γ δ δ γ ≡ ⋅ ≡ ⋅ ≡ ⋅ ≡ ≡

−

Verifying Signature

q at t k q wa x wSHA q a x SHA k q k a x SHA mod ) ( mod ) ) ( mod ) ) ( mod ) ) (

2 1 1 1

+ ≡ + ( = + ( ≡ + ( ≡

− −

γ δ γ γ δ q p sides both

• n

q Take p p

t t t t k q at t k

mod ) mod ( mod mod mod

2 1 2 1 2 1

mod ) (

β α γ β α α α α ≡ ≡ ≡

+

CR CR

Security of DSA

• There are two ways to a=ack the DSA

(a=empt to recover the secret a)

– Target the large cyclic group Zp – Target the smaller group Zq

35

Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits

CR CR

Security of DSA

• There are two ways to a=ack the DSA

(a=empt to recover the secret a)

– Target the large cyclic group Zp – Target the smaller group Zq

36

Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits Thus the size of p dictates the size of q.

CR CR Schnorr Signature Scheme (uses a hash func@on to get smaller signatures)

37

q p a q q a a p p Z p q and bits size

• f

q bits size

• f

p

a q p p

, , : Private : Private mod Compute ) ( from randomly Choose mod 1

• f

root q the is mod then element primitive a be Let ) 1 ( | ) 160 ( prime smaller a Choose ) 1024 ( prime large a Choose

th / ) 1 ( *

β α α β α α α , = < ≤ = ∈ −

−

IniHalizaHon

} ) , ( ) , ( mod ) mod || ( . 1 1 . . random secret a select ){ ( y x return y p a k p x h q k t s k x sig

k

δ γ γ δ α γ = + = = − ≤ ≤

Signing Message x

} ) ( ) mod || ( )){ , ( , (

1 1

FALSE return else TRUE return t if p x h t compute x ver γ β α δ γ

γ δ

= ≡

−

Verifying Signature (x,y)