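Diffie-Hellman is not secure against a man-in-the-middle attack:

Alice chooses $a$, Mallory chooses $m$ and $n$, Bob chooses $b$.

- Alice → Mallory: $g^a$
- Mallory → Alice: $g^m$
- Alice and Mallory both compute $g^{ma}$
- Mallory → Bob: $g^n$
- Bob → Mallory: $g^b$
- Mallory and Bob both compute $g^{nb}$
- Result: Alice holds $g^{ma}$, Mallory holds $g^{ma}$ and $g^{nb}$, Bob holds $g^{nb}$; Alice ↔ Mallory and Mallory ↔ Bob.

Eike Ritter Cryptography 2014/15 106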
We want to guarantee authenticity. This can be achieved with public-key cryptography as well.

First example: Schnorr Signature

- a 1024 bit prime $p$ that fixes $\mathbb{Z}_p^*$,
- a 360 bit prime $q$, such that $q$ divides $p - 1$ and $q$ is the order of a subgroup $G_q$ of $\mathbb{Z}_p^*$,
- a cryptographic hash function $h$.
Key generation:

The individual functions then work as follows. We start with the key generation $G$.

- Generate primes $p$ and $q$ as well as an element $g \in \mathbb{Z}_p^*$ that generates the subgroup $G_q$.
- Choose a random $x$ from $\{1, \ldots, q - 1\}$.
- Compute $y = g^x \bmod p$. (Observe that this corresponds to $h$ in ElGamal; but here $h$ is our hash function!)
- Publish the public key $\hat{K} = (p, q, g, y)$.
- Retain the private key $K = (p, q, g, x)$.
Signing:

- Choose a random $r$ from $\{1, \ldots, q - 1\}$.
- Compute $s = h(M \,\|\, g^r)$.
- Compute $t = (r + x \cdot s) \bmod q$.
- Attach the signature $(s, t)$ to the message.

Verification:

- Accept the signature if $h(M \,\|\, g^t y^{-s}) = s$.
- Otherwise reject the signature.
DSA (Digital Signature Algorithm)

Parameters:

- a 1024 bit prime $p$ that fixes $\mathbb{Z}_p^*$,
- a 160 bit prime $q$, such that $q$ divides $p - 1$ and $q$ is the order of a subgroup $G_q$ of $\mathbb{Z}_p^*$,
- the cryptographic hash function SHA-1.

Key generation:

- Generate primes $p$ and $q$ such that $p = z \cdot q + 1$, with $z \in \mathbb{Z}$.
- Choose $g$ such that $j \cdot z \equiv g \pmod{p}$, where $1 < j < p$.
- Choose a random $x$ from $\{1, \ldots, q - 1\}$.
- Compute $y = g^x \bmod p$.
- Publish the public key $\hat{K} = (p, q, g, y)$.
- Retain the private key $K = (p, q, g, x)$.
Signature function:

- Choose a random $r$ from $\{1, \ldots, q - 1\}$.
- Compute $s = (g^r \bmod p) \bmod q$.
- Compute $t = ((\text{SHA-1}(M) + x \cdot s) \cdot r^{-1}) \bmod q$.
- Attach the signature $(s, t)$ to the message.

Verification function:

- Calculate $u_1 = (\text{SHA-1}(M) \cdot t^{-1}) \bmod q$.
- Calculate $u_2 = (s \cdot t^{-1}) \bmod q$.
- Accept the signature if $((g^{u_1} \cdot y^{u_2}) \bmod p) \bmod q = s$.
- Otherwise reject the signature.
RSA Signatures

Key generation as for RSA. We assume the message $M$ to be a number in $\{1, \ldots, n - 1\}$.

Let $h$ be a cryptographic hash function, then we compute the signature by $s = h(M)^d \bmod n$.

Given the public key $\hat{K} = (e, n)$ we can verify the signature $s$ by comparing $h(M)$ with $s^e \bmod n$.
Definition

Define the signature game between Challenger and Attacker as follows:

- The Challenger creates a public and private key pair and passes the public key to the Attacker.
- The Attacker does some computations and may ask the Challenger to sign messages $m_1, \ldots, m_n$.
- The Challenger responds with signatures $s_1, \ldots, s_n$.
- The Attacker outputs a pair $(m, s)$.

The Attacker wins the signature game if $(m, s)$ is not equal to $(m_i, s_i)$ for any $i$ and $s$ is a valid signature for $m$.
Definition

We call a digital signature scheme secure against existential forgery if any attacker has only a negligible chance of winning the signature game.

If we omit the hash function in the RSA signature, an attacker can forge a signature for an arbitrary message.
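The following added example (not part of the lecture slides) plays the signature game against RSA signatures with and without the hash, using the multiplicative property $(m_1 m_2)^d = m_1^d \cdot m_2^d \bmod n$. The key built from two Mersenne primes, the message values and all function names are constructed for illustration.

```python
import hashlib

# Constructed demo key from two Mersenne primes (illustration only, not a real key)
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent d

def h(m: int) -> int:
    """Hash an integer message into Z_n (SHA-256 reduced mod n)."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N

def sign(m: int, hashed: bool) -> int:
    """Challenger's signing oracle: h(M)^d mod n, or M^d mod n without the hash."""
    return pow(h(m) if hashed else m, D, N)

def verify(m: int, s: int, hashed: bool) -> bool:
    """Compare h(M) (or M itself when the hash is omitted) with s^e mod n."""
    return pow(s, E, N) == (h(m) if hashed else m % N)

def play_game(target: int, hashed: bool):
    """Attacker's side of the signature game: obtain a signature on `target`
    without ever asking the challenger to sign `target` itself."""
    m1 = 2                                  # any invertible value other than 1
    m2 = target * pow(m1, -1, N) % N        # chosen so that m1 * m2 = target (mod n)
    queries = [m1, m2]
    assert target not in queries            # (m, s) must differ from every (m_i, s_i)
    s1, s2 = (sign(m, hashed) for m in queries)
    candidate = s1 * s2 % N                 # equals target^d only when unhashed
    return candidate, verify(target, candidate, hashed)

if __name__ == "__main__":
    print("hash omitted, attacker wins:", play_game(1234, hashed=False)[1])
    print("hash applied, attacker wins:", play_game(1234, hashed=True)[1])
```

With the hash applied, the product of the two signatures is a signature on $h(m_1) \cdot h(m_2)$, which matches $h(m)$ only with negligible probability.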