Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a − → First example: Schnorr Signature g m ← − m a 1024 bit prime p that fixes Z ∗ p , g ma g ma g n − → n a 360 bit prime q , such that q divides p − 1 and q is the order g b ← − b of a subgroup G q of Z ∗ p , g nb g nb a cryptographic hash function h . g ma g ma , g nb g nb ← → ← → Eike Ritter Cryptography 2013/14 152 Eike Ritter Cryptography 2013/14 153 Key generation: Signing: The single functions then work as follows: We start with the key Choose a random r from { 1 , . . . , q − 1 } . generation G . Compute s = h ( M � g r ). Generate primes p and q as well as an element g ∈ Z ∗ p that Compute t = ( r + x · s ) mod q . generates the subgroup G q . Attach the signature ( s , t ) to the message. Choose a random x from { 1 , . . . , q − 1 } . Compute y = g x mod p . (Observe that this corresponds to h Verification: in ElGamal; but here h is our hash function!) Accept the signature if h ( M �| g t y − s ) = s . Publish the public key � K = ( p , q , g , y ). Otherwise reject the signature. Retain the private key K = ( p , q , g , x ). Eike Ritter Cryptography 2013/14 154 Eike Ritter Cryptography 2013/14 155
DSA (Digital Signature Algorithm) Parameters Signature function: a 1024 bit prime p that fixes Z ∗ p , Choose a random r from { 1 , . . . , q − 1 } . Compute s = ( g r mod p ) mod q . a 160 bit prime q , such that q divides p − 1 and q is the order of a subgroup G q of Z ∗ p , Compute t = ((SHA-1( M ) + x · s ) · r − 1 ) mod q . the cryptographic hash function SHA-1. Attach the signature ( s , t ) to the message. Key generation: Verification function: Generate primes p and q such that p = z · q + 1, with z ∈ Z . Calculate u 1 = (SHA-1( M ) · t − 1 ) mod q . Choose g such that j · z ≡ g (mod p ), where 1 < j < p . Calculate u 2 = ( s · t − 1 ) mod q . Choose a random x from { 1 , . . . , q − 1 } . Accept the signature if (( g u 1 · y u 2 ) mod p ) mod q = s . Compute y = g x mod p . Otherwise reject the signature. Publish the public key � K = ( p , q , g , y ). Retain the private key K = ( p , q , g , x ). Eike Ritter Cryptography 2013/14 156 Eike Ritter Cryptography 2013/14 157 RSA Signatures Definition Define the signature game between Challenger and Attacker as follows: Key generation as for RSA. Challenger creates public and private key pair and passes We assume the message M to be a number in { 1 , . . . , n − 1 } . public key to attacker Let h be a cryptographic hash function, then we compute the Attacker does some computations and may ask challenger to signature by sign messages m 1 , . . . , m n s = h ( M ) d mod n . Challenger responds with signatures s 1 , . . . , s n Given the public key � K = ( e , n ) we can verify the signature s by The attacker outputs a pair ( m , s ) comparing h ( M ) with s e mod n . The attacker wins the signature game if ( m , s ) is not equal to ( m i , s i ) for any i and s is a valid signature for m . Eike Ritter Cryptography 2013/14 158 Eike Ritter Cryptography 2013/14 159
Definition We call a digital signature scheme secure against existential forgery if any attacker has only a negligible chance of winning the signature game. If we omit the hash function in the RSA-signature, attacker can forge a signature for an arbitrary message. Eike Ritter Cryptography 2013/14 160
Recommend
More recommend
