digital signature and hash function

Digital Signature And Hash Function - PowerPoint PPT Presentation



  1. Digital Signature And Hash Function. Cryptography and Applications, Department of Computer Science and Engineering, Ocean University, 丁培毅

  2. Electronic Signature
     - Electronic Signature
       - Digital Signature
       - Biometric Signature
     - Electronic Signature Act
       - ROC, 2002/04/01, http://www.moea.gov.tw/~meco/doc/ndoc/s5_p05.htm, http://www.esign.org.tw/statutes.asp
       - US Federal, 2000/06
       - Japan, 2000/05

  3. RSA
     - RSA
       - two large prime numbers $p$, $q$
       - modulus $n = p \cdot q$
       - public key $e$, $\gcd(e, \phi(n)) = 1$
       - private key $d$, $e \cdot d \equiv 1 \pmod{\phi(n)}$
     - RSA cryptosystem
       - message $m \in Z_n$
       - encryption: ciphertext $c \equiv m^e \pmod{n}$
       - decryption: plaintext $m \equiv c^d \pmod{n}$
     - RSA signature scheme
       - message digest (document) $m \in Z_n$
       - signing: signature $s \equiv m^d \pmod{n}$
       - verification: document $m \equiv s^e \pmod{n}$

  4. RSA Signature Scheme
     - The signature $s$ in RSA signature scheme is required to satisfy $m \equiv s^e \pmod{n}$.
     - The signature in every digital signature scheme has to satisfy an equation similar to the above equation which is formed by a trapdoor one way function.
       - Given the signature $s$, it is easy to verify its validity.
       - Given the document $m$, it is difficult to forge a signature $s$ for the document $m$ without the trapdoor information.
     - Eve's attack #1: Given a pair of document and Alice's signature $(m, s)$
       - wants to forge the signature of Alice for a second document $m_1$
       - $(m_1, s)$ does not work, since $m_1 \not\equiv s^e \pmod{n}$
       - needs to solve $m_1 \equiv s_1^e \pmod{n}$ for $s_1$. The same tough problem as decrypting an RSA ciphertext.
     - Eve's attack #2:
       - wants to forge the signature of Alice
       - chooses $s_1$ first and calculates $m_1 \equiv s_1^e \pmod{n}$. It is very unlikely that $m_1$ will be meaningful.

  5. Attack RSA Signature
     - RSA signature scheme: $s \equiv m^d \pmod{n}$
     - suppose Alice is not willing to sign the message $m$
     - Eve's attacking scheme:
       - decompose the message: $m \equiv m_1 \cdot m_2 \pmod{n}$ ($m_1$ and $m_2$ are almost always meaningless)
       - ask Alice to sign $m_1$ and $m_2$ independently and get $s_1 \equiv m_1^d \pmod{n}$ and $s_2 \equiv m_2^d \pmod{n}$
       - multiply the two signatures together to get $s \equiv s_1 \cdot s_2 \equiv m_1^d \cdot m_2^d \equiv (m_1 m_2)^d \equiv m^d \pmod{n}$
     - Moral: never sign a message that does not make any sense to you (never sign a message that contains unrecognized binary data)

  6. Rabin Signature Scheme
     - Key generation: public key $n = p \cdot q$, private key $p$, $q$
     - Signing:
       - for a plaintext $m$, $0 < m < n$, $m \in QR_p \cap QR_q$, i.e. $QR_n$ (This is not easy if $m$ is required to be plaintext.)
       - signature is $s$, such that $m \equiv s^2 \pmod{n}$
     - Verification:
       - $m \equiv s^2 \pmod{n}$
     - Chosen Message Attack
       - Eve chooses $x$ and computes $m \equiv x^2 \pmod{n}$
       - Ask Alice for a signature $s$ on $m$
       - $\Pr\{ s \not\equiv \pm x \} = 0.5$
     - Making Rabin signature only on hashed message can avoid this attack. Never take square root directly!!

  7. ElGamal Signature Scheme
     - Probabilistic: There are many signatures that are valid for a given message.
     - Key generation: Alice chooses a large prime number $p$, a primitive $\alpha$ in $Z_p^*$, a secret integer $a$, and calculates $\beta \equiv \alpha^a \pmod{p}$. $(p, \alpha, \beta)$ are the public key, $a$ is the secret key.
     - Signing: Alice signs a message $m$
       - select a secret random $k$ such that $\gcd(k, p-1) = 1$
       - $r \equiv \alpha^k \pmod{p}$
       - $s \equiv k^{-1}(m - a r) \pmod{p-1}$
       - $(r, s)$ is the signature
     - Verification: anyone can verify the signature $(r, s)$
       - compute $v_1 \equiv \beta^r r^s \pmod{p}$ and $v_2 \equiv \alpha^m \pmod{p}$
       - signature is valid iff $v_1 \equiv v_2 \pmod{p}$

  8. ElGamal Signature Scheme
     - Proof: $v_2 \equiv \alpha^m \equiv \alpha^{sk+ar} \equiv (\alpha^a)^r (\alpha^k)^s \equiv \beta^r r^s \equiv v_1 \pmod{p}$
     - Example
       - Alice wants to sign a message 'one', i.e. $m_1 = 151405$
       - She chooses $p = 225119$, $\alpha = 11$, a secret $a = 141421$, $\beta \equiv \alpha^a \equiv 18191 \pmod{p}$
       - To sign the message, she chooses a random number $k = 239$, $r \equiv \alpha^k \equiv 164130$, $s_1 \equiv k^{-1}(m_1 - a r) \equiv 130777 \pmod{p-1}$; $(m_1, r, s_1)$ is the signature
       - Bob wants to verify if Alice signs the message $m_1$
       - He calculates $\beta^r r^{s_1} \equiv 128841 \cdot 193273 \equiv 173527$, $\alpha^{m_1} \equiv 173527$
     - Signature with Appendix
       - message can not be recovered from the signature
       - ElGamal, DSA
     - Message Recovery Scheme
       - message is readily obtained from the signature
       - RSA, Rabin

  9. ElGamal Signature Scheme
     - Security: Discrete Log, Decisional Diffie-Hellman ?
       - given public $\beta$, solving for $a$ is a discrete log problem
       - fixed $r$, solving $v_2 \equiv \beta^r r^s \pmod{p}$ for $s$ is a discrete log problem
       - fixed $s$, solving $v_2 \equiv \beta^r r^s \pmod{p}$ for $r$ is not proven to be as hard as a discrete log problem (believed to be non-polynomial time)
       - it is not known whether there is a way to choose $r$ and $s$ simultaneously which satisfy $v_2 \equiv \beta^r r^s \pmod{p}$
     - Bleichenbacher, "Generating ElGamal signatures without knowing the secret key," Eurocrypt96
       - forging ElGamal signature is sometimes easier than the underlying discrete logarithm problem

  10. Existential Forgeries
     - RSA
       - Choose $s \in_R Z_n^*$
       - Let $m \equiv s^e \pmod{n}$
       - $(m, s)$ is a valid message signature pair
     - ElGamal, 1-parameter
       - Choose $e \in_R Z_q$
       - Let $r \equiv g^e \cdot y \pmod{p}$, $s \equiv -r \pmod{q}$, $m \equiv e \cdot s \pmod{p}$
       - $(m, (r, s))$ is a valid message signature pair
     - ElGamal, 2-parameter
       - Choose $e, v \in_R Z_q$
       - Let $r \equiv g^e \cdot y^v \pmod{p}$, $s \equiv -r \cdot v^{-1} \pmod{q}$, $m \equiv e \cdot s \pmod{p}$
       - $(m, (r, s))$ is a valid message signature pair

  11. ElGamal Signature Scheme
     - Security:
       - Should not use the same random number $k$ twice for two distinct messages. Eve can easily know this by comparing $r$ in both signatures. Eve can then break this system completely and forge signatures at will.
       - $s_1 k - m_1 \equiv -a r \equiv s_2 k - m_2 \pmod{p-1}$
       - $(s_1 - s_2) k \equiv m_1 - m_2 \pmod{p-1}$
       - There are $\gcd(s_1 - s_2, p-1)$ solutions for $k$. Eve can enumerate all $\alpha^k$ until she finds $r$.
       - After knowing $k$, Eve can solve the following equation for $a$: $a r \equiv m_1 - s_1 k \pmod{p-1}$
       - There are $\gcd(r, p-1)$ solutions for $a$. Eve can enumerate all $\alpha^a$ until she finds $\beta$.

  12. Example
     - Example continued
       - Alice wants to sign a second message 'two', i.e. $m_2 = 202315$
       - She uses the same ElGamal parameters as before: $p = 225119$, $\alpha = 11$, a secret $a = 141421$, $\beta \equiv \alpha^a \equiv 18191 \pmod{p}$
       - She signs this message with the same random number $k = 239$, $r \equiv \alpha^k \equiv 164130$, $s_2 \equiv k^{-1}(m_2 - a r) \equiv 164899 \pmod{p-1}$; $(m_2, r, s_2)$ is the signature
       - Eve can compute $(s_1 - s_2) k \equiv -34122\, k \equiv m_1 - m_2 \equiv -50910 \pmod{p-1}$
       - Since $\gcd(-34122, p-1) = 2$, $k$ has two solutions, 239 or 112798
       - Because $r \equiv \alpha^k \pmod{p}$, Eve can verify easily that $k = 239$
       - $k s_1 \equiv m_1 - a r \pmod{p-1}$ gives $a = 28862$ or $141421$
       - $\beta \equiv \alpha^a \pmod{p}$ gives $a = 141421$

  13. ElGamal Signature Scheme
     - General ElGamal Signature Schemes
       - Horster, Michels, and Petersen, "Meta-ElGamal Signature Schemes," Tech. Report TR-94-5, Univ. of Technology Chemnitz-Zwickau, 1994
       - 6 types, 6500+ variations
       - ex. Rearrange $m$, $r$, $s$ of $m \equiv a r + k s \pmod{p-1}$ as $A \equiv a B + k C \pmod{p-1}$; verification equation $\alpha^A \equiv \beta^B r^C \pmod{p}$
     - The six rearrangements (signing equation: verification equation)
       - $m \equiv a r + k s$: $\alpha^m \equiv \beta^r r^s$
       - $m \equiv a s + k r$: $\alpha^m \equiv \beta^s r^r$
       - $s \equiv a r + k m$: $\alpha^s \equiv \beta^r r^m$
       - $s \equiv a m + k r$: $\alpha^s \equiv \beta^m r^r$
       - $r \equiv a s + k m$: $\alpha^r \equiv \beta^s r^m$
       - $r \equiv a m + k s$: $\alpha^r \equiv \beta^m r^s$

  14. ElGamal Signature Scheme
     - Signing two messages at the same time
       - $r \equiv \alpha^k \pmod{p}$
       - $m_1 \equiv a\, m_2\, r + k s \pmod{p-1}$
       - $(r, s)$ is the signature for $m_1$ and $m_2$ together
     - Signing three messages at the same time
       - $r \equiv \alpha^k \pmod{p}$
       - $m_1 \equiv a\, m_2\, r + k\, m_3\, s \pmod{q}$
       - $(r, s)$ is the signature for $m_1$, $m_2$ and $m_3$ together
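
Added example (not from the slides) for slides 4, 5 and 10: textbook RSA signing as defined on slide 3 is multiplicative and admits existential forgery, and signing a hash of the message removes both properties. The key built from two Mersenne primes, the function names and the SHA-256 reduction mod n are assumptions made for this illustration; deployed schemes use a padding such as RSA-PSS.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # e*d == 1 (mod phi(n))

def sign_raw(m):
    """Slide 3 signing: s = m^d mod n, applied to the integer m itself."""
    return pow(m, D, N)

def verify_raw(m, s):
    return pow(s, E, N) == m % N

def digest(msg):
    """SHA-256 of the message bytes reduced mod n (simplified, no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg):
    return sign_raw(digest(msg))

def verify_hashed(msg, s):
    return verify_raw(digest(msg), s)

def product_signature(s1, s2):
    """Slide 5: the product of two raw signatures signs the product message."""
    return s1 * s2 % N

def forged_pair(s):
    """Slide 10: any s yields a valid raw pair (s^e mod n, s) without d."""
    return pow(s, E, N), s

# Constructed inputs.
M1, M2 = 123456789, 987654321
RAW_OK = verify_raw(M1 * M2 % N, product_signature(sign_raw(M1), sign_raw(M2)))
# With hashing, the same product is a signature on digest(a)*digest(b) mod n,
# which is not the digest of the concatenated (or any chosen) message.
A_MSG, B_MSG = b"pay 10", b"pay 20"
HASHED_OK = verify_hashed(A_MSG + B_MSG,
                          product_signature(sign_hashed(A_MSG), sign_hashed(B_MSG)))

if __name__ == "__main__":
    print("raw product verifies:", RAW_OK)
    print("hashed product verifies:", HASHED_OK)
```

A pair from `forged_pair` passes `verify_raw`, but to pass `verify_hashed` a message whose digest equals the forged integer would have to be found.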
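
Added example (not from the slides) that re-runs the arithmetic of slides 7, 8, 11 and 12 with the slides' own toy parameters: signing, verification, and how two signatures with the same r expose k and then a. Function names are assumptions for this illustration; the equal-r comparison is also the check a defender runs over issued signatures to detect reuse of k.

```python
from math import gcd

# Parameters from the slides' worked example (toy sizes, for arithmetic only).
P, ALPHA = 225119, 11
A = 141421                      # Alice's secret key
BETA = pow(ALPHA, A, P)         # public key component beta = alpha^a mod p
M1, M2 = 151405, 202315         # the messages 'one' and 'two'

def sign(m, k, a=A):
    """ElGamal signature (r, s) on m with per-message secret k."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(ALPHA, k, P)
    s = pow(k, -1, P - 1) * (m - a * r) % (P - 1)
    return r, s

def verify(m, sig, beta=BETA):
    """Accept iff beta^r * r^s == alpha^m (mod p), with r in range."""
    r, s = sig
    if not 0 < r < P:
        return False
    return pow(beta, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def solve_linear(c, d, n):
    """All x in [0, n) with c*x == d (mod n); there are gcd(c, n) or none."""
    c, d = c % n, d % n
    g = gcd(c, n)
    if d % g:
        return []
    step = n // g
    x0 = (d // g) * pow(c // g, -1, step) % step
    return [x0 + i * step for i in range(g)]

def recover_from_reuse(m1, sig1, m2, sig2, beta=BETA):
    """Return (k, a) from two distinct signatures sharing r, else None."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or sig1 == sig2:    # equal r on different messages means reused k
        return None
    for k in solve_linear(s1 - s2, m1 - m2, P - 1):
        if pow(ALPHA, k, P) != r1:  # slide 11: keep the k with alpha^k == r
            continue
        for a in solve_linear(r1, m1 - s1 * k, P - 1):
            if pow(ALPHA, a, P) == beta:
                return k, a
    return None
```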
