Digital Signature Schemes
1 What is a digital signature?
Properties
• “Who signed what” is publicly verifiable
• Unforgeable
2 A Digital Signature Scheme
Key generation algorithm G (probabilistic)
  $(pk, sk) \leftarrow G(1^\ell)$, where $\ell$ is the security parameter and $(pk, sk)$ is the public/secret key pair
Signing algorithm S (probabilistic or deterministic)
  $s \leftarrow S(pk, sk, m)$, where $m$ is the message and $s$ is the signature for $m$
Verification algorithm V (deterministic)
  $d \leftarrow V(pk, m, s)$, where $d \in \{\mathrm{true}, \mathrm{false}\}$
3 The RSA Scheme
public key: $n, e$
• $n = pq$, where $p$ and $q$ are distinct odd primes
• $e$ satisfies $\gcd(e, \varphi(n)) = 1$
secret key: $d, p, q$
• $de \equiv 1 \pmod{\varphi(n)}$
sign: $s$ is the signature of a message $m \in \mathbb{Z}_n$
  $s = m^d \bmod n$
verification: $s$ is a valid signature of $m$ if $m \equiv s^e \pmod n$
4 The ElGamal Scheme (1/2)
public key: $p, g, y$
• $p$ is a prime
• $g \in \mathbb{Z}_p^*$ is a primitive element modulo $p$
• $y = g^x \bmod p$
secret key: $x \in \mathbb{Z}_{p-1}$
5 The ElGamal Scheme (2/2)
sign: $(a, b)$ is a signature of a message $m \in \mathbb{Z}_{p-1}$
1. Select $k \in \mathbb{Z}_{p-1}^*$ randomly, that is, $\gcd(k, p-1) = 1$
2. $a = g^k \bmod p$
3. $b = (m - xa)\, k^{-1} \bmod (p-1)$
verification: $(a, b)$ is a valid signature of $m$ if $g^m \equiv y^a a^b \pmod p$
6 Misuse of the ElGamal Scheme (1/2)
Do not use the same $k$ for signing different messages!
Suppose that $k$ is used for signing different messages $m_1, m_2$:
  $(a, b_1)$ is a signature for $m_1$
  $(a, b_2)$ is a signature for $m_2$, where $a = g^k \bmod p$
Then, from the signing algorithm,
  $m_1 = ax + kb_1 \bmod (p-1)$
  $m_2 = ax + kb_2 \bmod (p-1)$
  $m_1 - m_2 \equiv k(b_1 - b_2) \pmod{p-1}$
7 Misuse of the ElGamal Scheme (2/2)
Let $\gcd(b_1 - b_2, p-1) = d$ and
  $\tilde{m} = \frac{m_1 - m_2}{d}, \quad \tilde{b} = \frac{b_1 - b_2}{d}, \quad \tilde{p} = \frac{p-1}{d}.$
Then $\tilde{m} \equiv k\tilde{b} \pmod{\tilde{p}}$.
Let $\tilde{k} = \tilde{m}\,\tilde{b}^{-1} \bmod \tilde{p}$. Then $k = \tilde{k} + i\tilde{p}$ for some $i \in \mathbb{Z}_d$.
The right value of $k$ is determined by $a = g^k \bmod p$.
Once $k$ is known, the secret key $x$ can be recovered by
  $x = (m_1 - kb_1)\, a^{-1} \bmod (p-1)$
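The two "Misuse" slides above, worked in code as an added example (not part of the original slides): textbook ElGamal signing and verification over a small constructed prime, followed by the recovery of $x$ from two signatures that share the same $k$. The prime $p = 467$, the generator $g = 2$, the key $x$ and the nonce values are all constructed for illustration; the `solve_linear` helper implements the reduction by $d = \gcd(\cdot, p-1)$ and the lifting $\tilde{k} + i\tilde{p}$ that the slide describes, and is reused for the final step because $a$ need not be invertible modulo $p-1$.

```python
# Added example (not from the slides): textbook ElGamal signatures over a small
# constructed prime, and the nonce-reuse key recovery described on the "Misuse"
# slides. Parameters and sample values are constructed; needs Python 3.8+ for
# pow(x, -1, n).
from math import gcd

P = 467    # constructed toy prime; p - 1 = 466 = 2 * 233
G = 2      # primitive element mod 467: 2^2 != 1 and 2^233 != 1 (mod 467)
N = P - 1  # exponents live in Z_{p-1}


def keygen(x):
    """Secret key x in Z_{p-1}; public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x, m, k):
    """(a, b) with a = g^k mod p and b = (m - x a) k^{-1} mod (p-1).

    k must be fresh for every message and coprime to p-1; it is passed in
    here only so that the reuse below can be reproduced deterministically."""
    if gcd(k, N) != 1:
        raise ValueError("k must satisfy gcd(k, p-1) = 1")
    a = pow(G, k, P)
    b = (m - x * a) * pow(k, -1, N) % N
    return a, b


def verify(y, m, sig):
    """Accept iff g^m ≡ y^a a^b (mod p)."""
    a, b = sig
    if not 1 <= a < P:
        return False
    return pow(G, m, P) == pow(y, a, P) * pow(a, b, P) % P


def solve_linear(a, c, n):
    """All x in Z_n with a*x ≡ c (mod n).

    Divide through by d = gcd(a, n) (the tilde quantities of the slide),
    invert modulo n/d, then lift: x = x0 + i*(n/d) for i in Z_d."""
    a, c = a % n, c % n
    d = gcd(a, n)
    if c % d:
        return []
    a_t, c_t, n_t = a // d, c // d, n // d
    x0 = c_t * pow(a_t, -1, n_t) % n_t
    return [x0 + i * n_t for i in range(d)]


def recover_secret(y, m1, sig1, m2, sig2):
    """Recover x from two signatures made with the same k (they share a)."""
    (a, b1), (a2, b2) = sig1, sig2
    if a != a2 or m1 % N == m2 % N:
        return None
    # m1 - m2 ≡ k (b1 - b2) (mod p-1); the right candidate satisfies g^k = a
    for k in solve_linear(b1 - b2, m1 - m2, N):
        if pow(G, k, P) != a:
            continue
        # a x ≡ m1 - k b1 (mod p-1); the right candidate satisfies g^x = y
        for x in solve_linear(a, m1 - k * b1, N):
            if pow(G, x, P) == y:
                return x
    return None


if __name__ == "__main__":
    x, y = keygen(127)
    s1, s2 = sign(x, 100, 5), sign(x, 200, 5)   # same k = 5 twice (the misuse)
    print("signatures verify:", verify(y, 100, s1), verify(y, 200, s2))
    print("recovered x:", recover_secret(y, 100, s1, 200, s2))
```

Because $g$ is a primitive element, exactly one of the $d$ candidates for $k$ satisfies $g^k \equiv a$, and exactly one candidate for $x$ satisfies $g^x \equiv y$, which is why the filtering loops return the signer's actual key.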
8 The Digital Signature Algorithm (DSA)
• A modification of the ElGamal scheme
• Proposed by the U.S. National Institute of Standards and Technology (NIST) in August 1991
• Became a U.S. Federal Information Processing Standard (FIPS 186) in 1994, called the Digital Signature Standard (DSS)
9 The Digital Signature Algorithm (DSA)
public key: $p, q, g, y$
• $p, q$ are primes such that
  – $2^{159} < q < 2^{160}$
  – $2^{511+64t} < p < 2^{512+64t}$ for some $0 \le t \le 8$
  – $q$ divides $p-1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod p$
• $y = g^x \bmod p$
secret key: $x \in \mathbb{Z}_q$
10 The Digital Signature Algorithm (DSA)
sign: $(a, b)$ is a signature of a message $m \in \mathbb{Z}_q$
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $a = (g^k \bmod p) \bmod q$
3. $b = (m + xa)\, k^{-1} \bmod q$
verification: $(a, b)$ is a valid signature of $m$ if
  $(g^{u_1} y^{u_2} \bmod p) \bmod q = a$,
where $u_1 = m\, b^{-1} \bmod q$ and $u_2 = a\, b^{-1} \bmod q$
11 How the Verification Works
From the signing algorithm,
  $(m + xa)\, k^{-1} \bmod q = b$
  $(m + xa)\, b^{-1} \bmod q = k$
Thus,
  $g^{m b^{-1}} g^{x a b^{-1}} \equiv g^k \pmod p$
  $g^{m b^{-1}} y^{a b^{-1}} \equiv g^k \pmod p$
that is, $g^{u_1} y^{u_2} \equiv g^k \pmod p$, and reducing both sides modulo $q$ gives $a$.
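The DSA signing and verification steps of the last three slides, as an added example that is not part of the original slides. The parameters are constructed so that every step can be checked by hand: $q = 101$, $p = 607 = 6q + 1$ and $g = 2^{(p-1)/q} \bmod p = 64$, an element of order $q$; real DSA uses the 160-bit $q$ and 512- to 1024-bit $p$ stated on slide 9. The `recompute_r` function returns $g^{u_1} y^{u_2} \bmod p$ before the final reduction modulo $q$, so the identity $g^{u_1} y^{u_2} \equiv g^k \pmod p$ from slide 11 can be observed directly.

```python
# Added example (not from the slides): DSA sign/verify over constructed toy
# parameters, with the verification identity g^{u1} y^{u2} ≡ g^k (mod p) exposed.
# Needs Python 3.8+ for pow(x, -1, q).
Q = 101                          # constructed toy prime q
P = 607                          # constructed toy prime p with q | p - 1 (606 = 6 * 101)
G = pow(2, (P - 1) // Q, P)      # 2^6 mod 607 = 64, an element of order q


def keygen(x):
    """Secret key x in Z_q, public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x, m, k):
    """(a, b) = ((g^k mod p) mod q, (m + x a) k^{-1} mod q) for m in Z_q.

    k is passed in for reproducibility; a real signer draws a fresh k in
    Z_q^* for every signature."""
    if not 1 <= k < Q:
        raise ValueError("k must be in Z_q^*")
    a = pow(G, k, P) % Q
    b = (m + x * a) * pow(k, -1, Q) % Q
    if a == 0 or b == 0:
        # FIPS 186 requires choosing a new k in this case; b = 0 has no inverse.
        raise ValueError("degenerate signature; choose a new k")
    return a, b


def recompute_r(y, m, sig):
    """g^{u1} y^{u2} mod p with u1 = m b^{-1}, u2 = a b^{-1} (mod q).

    For a genuine signature this equals g^k mod p, which is exactly the
    identity derived on the 'How the Verification Works' slide."""
    a, b = sig
    b_inv = pow(b, -1, Q)
    u1 = m * b_inv % Q
    u2 = a * b_inv % Q
    return pow(G, u1, P) * pow(y, u2, P) % P


def verify(y, m, sig):
    """Accept iff (g^{u1} y^{u2} mod p) mod q = a, after range checks on (a, b)."""
    a, b = sig
    if not (0 < a < Q and 0 < b < Q):
        return False
    return recompute_r(y, m, sig) % Q == a


if __name__ == "__main__":
    x, y = keygen(37)                 # constructed secret key
    sig = sign(x, 55, 7)              # constructed message m = 55, nonce k = 7
    print("signature:", sig)          # (78, 45)
    print("g^k mod p:", pow(G, 7, P), "recomputed:", recompute_r(y, 55, sig))
    print("verify:", verify(y, 55, sig), "tampered:", verify(y, 56, sig))
```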
12 The Schnorr Scheme
public key: $p, q, g, y$
• $p, q$ are primes such that $q \mid p-1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod p$
• $y = g^x \bmod p$
secret key: $x \in \mathbb{Z}_q$
This scheme also requires a collision-resistant hash function $h : \{0, 1\}^* \to \mathbb{Z}_q^*$.
13 The Schnorr Scheme
sign: $(e, s)$ is a signature of a message $m$
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $e = h(r, m)$, where $r = g^k \bmod p$
3. $s = k - ex \bmod q$
verification: $(e, s)$ is a valid signature of $m$ if $e = h(r', m)$, where $r' = g^s y^e \bmod p$
14 Digital Signature and Message Digest
To sign a message $m$ of arbitrary length, a signer first computes a message digest $h(m)$ of $m$ with a hash function $h$, and then creates a signature for $h(m)$. The hash function $h$ should be collision-resistant.
Def. 1 A hash function $h : D \to R$ is collision-resistant if it is difficult to find a pair of inputs $x, x' \in D$ such that $h(x) = h(x')$ and $x \neq x'$. □
15 Security of Signature Schemes (1/2)
Adversarial goal
• total break: An adversary is able to create a valid signature for any message.
• selective forgery: An adversary is able to create a valid signature for a given message chosen by someone else.
• existential forgery: An adversary is able to create a valid signature for at least one message.
16 Security of Signature Schemes (2/2)
Attack
• key-only attack: An adversary only knows the public key of the signer.
• known message attack: An adversary knows a list of messages and their corresponding signatures.
• chosen message attack: An adversary is able to request signatures for messages it selects.
17 Chosen Message Attack
Adversary $A$ interacts with a signing oracle $O$ that holds $sk$:
  $A$ selects $m_i$ and sends it to $O$
  $O$ returns $s_i \leftarrow S(pk, sk, m_i)$
for $i = 1, \ldots, q$, yielding signatures $s_1, \ldots, s_q$.
18 Provably Secure Signature Schemes
Efficient and provably secure schemes have been proposed based on the intractability of number theoretic problems in the random oracle model. These schemes are secure against existential forgery under a chosen message attack.
19 The Schnorr Scheme Is Provably Secure
Thm. 1 Suppose that the discrete logarithm problem is intractable. Then the Schnorr scheme is secure against existential forgery under a chosen message attack in the random oracle model. □
(Proof sketch) In the random oracle model,
• an oracle is able to simulate the signer without the secret key;
• if an adversary is able to create a valid signature with non-negligible probability, then an algorithm can be constructed which, using the adversary as a subroutine, computes the discrete logarithm of the public key with non-negligible probability.
20 Simulation of the Signer in the Random Oracle Model
public key: $p, q, g, y$
secret key: $x \in \mathbb{Z}_q$, where $y = g^x \bmod p$
Suppose that an adversary requests a signature for $m$. The oracle computes $(e, s)$ in the following way and returns it to the adversary.
1. Select $e, s \in \mathbb{Z}_q^*$ randomly and compute $\tilde{r} = g^s y^e \bmod p$
2. Set $h(\tilde{r}, m) = e$, that is, the oracle fixes the random oracle's answer on the input $(\tilde{r}, m)$ to be $e$
21 Simulation of the Signer in the Random Oracle Model
Real situation: the Adversary sends $m_i$ to the Signer and receives $(e_i, s_i)$; both sides query the random oracle $h$.
Simulated situation: the Adversary sends $m_i$ to the Oracle and receives $(e_i, s_i)$; the Oracle controls the random oracle $h$.
Adversaries cannot distinguish between the above two situations.
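The Schnorr scheme of slides 12 and 13 together with the signer simulation of slides 20 and 21, as an added example that is not part of the original slides. The hash $h : \{0,1\}^* \to \mathbb{Z}_q^*$ is modelled as a programmable random oracle: ordinary queries are answered by SHA-256 reduced into $\mathbb{Z}_q^*$ (a modelling choice made here, not something the slides specify), and the simulator may additionally fix the answer on one input $(\tilde{r}, m)$ that nobody has asked about yet. The toy parameters $q = 101$, $p = 607$, $g = 64$ and the secret key are constructed; the point to observe is that `simulate` never touches $x$, yet its output passes the same `verify` as an honest signature.

```python
# Added example (not from the slides): Schnorr signatures (hash-then-sign) and the
# random-oracle signer simulation. The hash h is a programmable random oracle.
# Toy parameters are constructed; needs Python 3.8+.
import hashlib
import random

Q = 101                          # constructed toy prime q
P = 607                          # constructed toy prime p with q | p - 1
G = pow(2, (P - 1) // Q, P)      # 64, an element of order q mod p


class RandomOracle:
    """h(r, m) in Z_q^*. Once an answer is given it is fixed: a random oracle is a function."""

    def __init__(self):
        self.table = {}

    def query(self, r, m):
        key = (r, m)
        if key not in self.table:
            # Default answer: SHA-256 of r || m, mapped into {1, ..., q-1}.
            digest = hashlib.sha256(r.to_bytes(2, "big") + m).digest()
            self.table[key] = 1 + int.from_bytes(digest, "big") % (Q - 1)
        return self.table[key]

    def program(self, r, m, e):
        """Simulator only: define h(r, m) = e. Fails if the point was already answered differently."""
        if (r, m) in self.table and self.table[(r, m)] != e:
            raise RuntimeError("oracle point already fixed")
        self.table[(r, m)] = e


def keygen(x):
    """Secret key x in Z_q, public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(h, x, m, rng=None):
    """Honest signer: r = g^k mod p, e = h(r, m), s = k - e x mod q."""
    rng = rng or random.SystemRandom()
    k = rng.randrange(1, Q)                 # k in Z_q^*, fresh per message
    r = pow(G, k, P)
    e = h.query(r, m)
    s = (k - e * x) % Q
    return e, s


def verify(h, y, m, sig):
    """Accept iff e = h(r', m) with r' = g^s y^e mod p."""
    e, s = sig
    if not (0 < e < Q and 0 <= s < Q):
        return False
    r_prime = pow(G, s, P) * pow(y, e, P) % P
    return h.query(r_prime, m) == e


def simulate(h, y, m, rng=None):
    """Signer simulation without x: choose e, s first, then program h(r~, m) = e."""
    rng = rng or random.SystemRandom()
    e = rng.randrange(1, Q)
    s = rng.randrange(1, Q)
    r_tilde = pow(G, s, P) * pow(y, e, P) % P
    h.program(r_tilde, m, e)                # the step "set h(r~, m) = e" of slide 20
    return e, s


if __name__ == "__main__":
    h = RandomOracle()
    x, y = keygen(37)                       # constructed secret key
    real = sign(h, x, b"constructed message one")
    fake = simulate(h, y, b"constructed message two")
    print("honest signature verifies:", verify(h, y, b"constructed message one", real))
    print("simulated signature verifies:", verify(h, y, b"constructed message two", fake))
```

The simulation only works because the oracle controls $h$: against a fixed, publicly known hash function the simulator could not make $h(\tilde{r}, m)$ equal its pre-chosen $e$, which is why the theorem is stated in the random oracle model rather than for a concrete hash.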