
Electronic Signature - PowerPoint PPT Presentation



  1. Electronic Signature

  - Electronic Signature
  - Digital Signature
  - Digital Signature And Hash Function
  - Biometric Signature
  - Electronic Signature Act
    - ROC, 2002/04/01
      http://www.moea.gov.tw/~meco/doc/ndoc/s5_p05.htm
      http://www.esign.org.tw/statutes.asp
    - US Federal, 2000/06
    - Japan, 2000/05

  Cryptography and Applications
  Department of Computer Science and Engineering, Ocean University
  丁培毅

  RSA

  - RSA
    - two large prime numbers $p$, $q$
    - modulus $n = p \cdot q$
    - public key $e$, $\gcd(e, \phi(n)) = 1$
    - private key $d$, $e \cdot d \equiv 1 \pmod{\phi(n)}$
  - RSA cryptosystem
    - message $m \in Z_n$
    - encryption: ciphertext $c \equiv m^e \pmod{n}$
    - decryption: plaintext $m \equiv c^d \pmod{n}$
  - RSA signature scheme
    - message digest (document) $m \in Z_n$
    - signing: signature $s \equiv m^d \pmod{n}$
    - verification: document $m \equiv s^e \pmod{n}$

  RSA Signature Scheme

  - The signature $s$ in the RSA signature scheme is required to satisfy $m \equiv s^e \pmod{n}$.
  - The signature in every digital signature scheme has to satisfy an equation similar to the above equation, which is formed by a trapdoor one-way function.
    - Given the signature $s$, it is easy to verify its validity.
    - Given the document $m$, it is difficult to forge a signature $s$ for the document $m$ without the trapdoor information.
  - Eve's attack #1: given a pair of document and Alice's signature $(m, s)$,
    - wants to forge the signature of Alice for a second document $m_1$
    - $(m_1, s)$ does not work, since $m_1 \not\equiv s^e \pmod{n}$
    - needs to solve $m_1 \equiv s_1^e \pmod{n}$ for $s_1$: the same tough problem as decrypting an RSA ciphertext
  - Eve's attack #2:
    - wants to forge the signature of Alice
    - chooses $s_1$ first and calculates $m_1 \equiv s_1^e \pmod{n}$
    - It is very unlikely that $m_1$ will be meaningful.

  2. Attack RSA Signature

  - RSA signature scheme: $s \equiv m^d \pmod{n}$
    - suppose Alice is not willing to sign the message $m$
  - Eve's attacking scheme:
    - decompose the message: $m \equiv m_1 \cdot m_2 \pmod{n}$ (almost always is meaningless)
    - ask Alice to sign $m_1$ and $m_2$ independently and get $s_1 \equiv m_1^d \pmod{n}$ and $s_2 \equiv m_2^d \pmod{n}$
    - multiply the two signatures together to get $s \equiv s_1 \cdot s_2 \equiv m_1^d \cdot m_2^d \equiv (m_1 m_2)^d \equiv m^d \pmod{n}$
  - Moral: never sign a message that does not make any sense to you (never sign a message that contains unrecognized binary data)

  Rabin Signature Scheme

  - Key generation: public key $n = p \cdot q$, private key $p$, $q$
  - Signing:
    - for a plaintext $m$, $0 < m < n$, $m \in QR_p \cap QR_q$, i.e. $QR_n$ (this is not easy if $m$ is required to be plaintext)
    - signature is $s$, such that $m \equiv s^2 \pmod{n}$
  - Verification:
    - $m \equiv s^2 \pmod{n}$
  - Chosen Message Attack
    - Eve chooses $x$ and computes $m \equiv x^2 \pmod{n}$
    - Ask Alice for a signature $s$ on $m$
    - $\Pr\{s \neq \pm x\} = 0.5$
    - Making Rabin signature only on hashed message can avoid this attack. Never take square root directly!!

  ElGamal Signature Scheme

  - Probabilistic: there are many signatures that are valid for a given message.
  - Key generation: Alice chooses a large prime number $p$, a primitive $\alpha$ in $Z_p^*$, a secret integer $a$, and calculates $\beta \equiv \alpha^a \pmod{p}$
    - $(p, \alpha, \beta)$ are the public key, $a$ is the secret key
  - Signing: Alice signs a message $m$
    - select a secret random $k$ such that $\gcd(k, p-1) = 1$
    - $r \equiv \alpha^k \pmod{p}$
    - $s \equiv k^{-1}(m - a r) \pmod{p-1}$
    - $(r, s)$ is the signature
  - Verification: anyone can verify the signature $(r, s)$
    - compute $v_1 \equiv \beta^r r^s \pmod{p}$ and $v_2 \equiv \alpha^m \pmod{p}$
    - signature is valid iff $v_1 \equiv v_2 \pmod{p}$

  ElGamal Signature Scheme

  - Proof: $v_2 \equiv \alpha^m \equiv \alpha^{sk+ar} \equiv (\alpha^a)^r (\alpha^k)^s \equiv \beta^r r^s \equiv v_1 \pmod{p}$
  - Example
    - Alice wants to sign a message 'one', i.e. $m_1 = 151405$
    - She chooses $p = 225119$, $\alpha = 11$, a secret $a = 141421$, $\beta \equiv \alpha^a \equiv 18191 \pmod{p}$
    - To sign the message, she chooses a random number $k = 239$, $r \equiv \alpha^k \equiv 164130$, $s_1 \equiv k^{-1}(m_1 - a r) \equiv 130777 \pmod{p-1}$ …. $(m_1, r, s_1)$ is the signature
    - Bob wants to verify if Alice signs the message $m_1$
    - He calculates $\beta^r r^{s_1} \equiv 128841 \cdot 193273 \equiv 173527$, $\alpha^{m_1} \equiv 173527$
  - Signature with Appendix
    - message can not be recovered from the signature
    - ElGamal, DSA
  - Message Recovery Scheme
    - message is readily obtained from the signature
    - RSA, Rabin
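Added example (not from the slides): a Python sketch of Eve's attack #2 and of the multiplicative attack on raw RSA signatures, next to hash-then-sign, which the slides recommend for Rabin and which is applied to RSA here. The toy key built from two Mersenne primes, the use of SHA-256, and all function names are assumptions chosen for illustration.

```python
import hashlib

# Toy key from two Mersenne primes (assumption; far too small for real use).
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # e*d == 1 (mod phi(n))

def h(m: int) -> int:
    """SHA-256 of the integer message, reduced into Z_n."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_raw(m):
    return pow(m, D, N)                 # s = m^d mod n

def verify_raw(m, s):
    return pow(s, E, N) == m % N        # m == s^e mod n

def sign_hashed(m):
    return pow(h(m), D, N)              # s = H(m)^d mod n

def verify_hashed(m, s):
    return pow(s, E, N) == h(m)         # H(m) == s^e mod n

def multiplicative_forgery(sign, verify, m1, m2):
    """Does s1*s2 verify for m1*m2 when the signer only signed m1 and m2?"""
    s = (sign(m1) * sign(m2)) % N
    return verify((m1 * m2) % N, s)

def chosen_signature_forgery(verify, s):
    """Attack #2: pick s first, derive m = s^e; does (m, s) verify?"""
    return verify(pow(s, E, N), s)

if __name__ == "__main__":
    m1, m2, s = 1234567, 7654321, 424242   # constructed sample values
    print("raw RSA, product of signatures accepted:",
          multiplicative_forgery(sign_raw, verify_raw, m1, m2))
    print("hash-then-sign, product accepted:",
          multiplicative_forgery(sign_hashed, verify_hashed, m1, m2))
    print("raw RSA, (s^e, s) accepted:", chosen_signature_forgery(verify_raw, s))
    print("hash-then-sign, (s^e, s) accepted:",
          chosen_signature_forgery(verify_hashed, s))
```

With the hash in place the verifier compares $s^e$ against $H(m)$, so neither the product of two signatures nor a signature chosen in advance matches unless the forger can also invert or collide the hash.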

  3. ElGamal Signature Scheme

  - Security: (Discrete Log, Decisional Diffie-Hellman ?)
    - given public $\beta$, solving for $a$ is a discrete log problem
    - fixed $r$, solving $v_2 \equiv \beta^r r^s \pmod{p}$ for $s$ is a discrete log problem
    - fixed $s$, solving $v_2 \equiv \beta^r r^s \pmod{p}$ for $r$ is not proven to be as hard as a discrete log problem (believed to be non-polynomial time)
    - it is not known whether there is a way to choose $r$ and $s$ simultaneously which satisfy $v_2 \equiv \beta^r r^s \pmod{p}$
    - Bleichenbacher, "Generating ElGamal signatures without knowing the secret key," Eurocrypt96
      - forging ElGamal signature is sometimes easier than the underlying discrete logarithm problem

  Existential Forgeries

  - RSA
    - Choose $s \in_R Z_n^*$
    - Let $m \equiv s^e \pmod{n}$
    - $(m, s)$ is a valid message signature pair
  - ElGamal
    - 1-parameter
      - Choose $e \in_R Z_q$
      - Let $r \equiv g^e \cdot y \pmod{p}$, $s \equiv -r \pmod{q}$, $m \equiv e \cdot s \pmod{p}$
      - $(m, (r, s))$ is a valid message signature pair
    - 2-parameter
      - Choose $e, v \in_R Z_q$
      - Let $r \equiv g^e \cdot y^v \pmod{p}$, $s \equiv -r \cdot v^{-1} \pmod{q}$, $m \equiv e \cdot s \pmod{p}$
      - $(m, (r, s))$ is a valid message signature pair

  ElGamal Signature Scheme

  - Security:
    - Should not use the same random number $k$ twice for two distinct messages. Eve can easily know this by comparing $r$ in both signatures. Eve can then break this system completely and forge signatures at will.
    - $s_1 k - m_1 \equiv -a r \equiv s_2 k - m_2 \pmod{p-1}$
    - $(s_1 - s_2) k \equiv m_1 - m_2 \pmod{p-1}$
    - There are $\gcd(s_1 - s_2, p-1)$ solutions for $k$. Eve can enumerate all $\alpha^k$ until she finds $r$.
    - After knowing $k$, Eve can solve the following equation for $a$: $k s_1 \equiv m_1 - a r \pmod{p-1}$
    - There are $\gcd(r, p-1)$ solutions for $a$. Eve can enumerate all $\alpha^a$ until she finds $\beta$.

  Example

  - Example continued
    - Alice wants to sign a second message 'two', i.e. $m_2 = 202315$
    - She uses the same ElGamal parameters as before: $p = 225119$, $\alpha = 11$, a secret $a = 141421$, $\beta \equiv \alpha^a \equiv 18191 \pmod{p}$
    - She signs this message with the same random number $k = 239$, $r \equiv \alpha^k \equiv 164130$, $s_2 \equiv k^{-1}(m_2 - a r) \equiv 164899 \pmod{p-1}$ …. $(m_2, r, s_2)$ is the signature
    - Eve can compute $(s_1 - s_2) k \equiv -34122\, k \equiv m_1 - m_2 \equiv -50910 \pmod{p-1}$.
    - Since $\gcd(-34122, p-1) = 2$, $k$ has two solutions: 239 or 112798
    - Because $r \equiv \alpha^k \pmod{p}$, Eve can verify easily that $k = 239$
    - $a r \equiv m_1 - s_1 k \pmod{p-1} \Rightarrow a = 28862$ or $141421$
    - $\beta \equiv \alpha^a \pmod{p} \Rightarrow a = 141421$

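Added example (not part of the original slides): the reuse of k from the ElGamal example above, worked through in Python with the slides' own numbers. The function names `solve_linear` and `recover_from_reused_k` are illustrative; the equal r in both signatures is what reveals that k was used twice.

```python
from math import gcd

# Public key and both signatures are the numbers from the slides' example.
P, ALPHA, BETA = 225119, 11, 18191
SIG1 = (151405, 164130, 130777)  # (m1, r, s1), message 'one'
SIG2 = (202315, 164130, 164899)  # (m2, r, s2), message 'two', same k

def verify(m, r, s, p=P, alpha=ALPHA, beta=BETA):
    """Valid iff beta^r * r^s == alpha^m (mod p)."""
    return 0 < r < p and pow(beta, r, p) * pow(r, s, p) % p == pow(alpha, m, p)

def solve_linear(c, d, n):
    """All x in [0, n) with c*x == d (mod n): gcd(c, n) solutions, or none."""
    g = gcd(c, n)
    if d % g:
        return []
    step = n // g
    x0 = (d // g) * pow(c // g, -1, step) % step
    return [x0 + i * step for i in range(g)]

def recover_from_reused_k(sig1, sig2, p=P, alpha=ALPHA, beta=BETA):
    """Return (k, a) when two signatures share r, otherwise None."""
    (m1, r1, s1), (m2, r2, s2) = sig1, sig2
    if r1 != r2:
        return None  # distinct r: no visible reuse of k
    n = p - 1
    # (s1 - s2) k == m1 - m2 (mod p-1); keep candidates with alpha^k == r
    for k in solve_linear((s1 - s2) % n, (m1 - m2) % n, n):
        if pow(alpha, k, p) != r1:
            continue
        # a r == m1 - s1 k (mod p-1); keep the candidate with alpha^a == beta
        for a in solve_linear(r1 % n, (m1 - s1 * k) % n, n):
            if pow(alpha, a, p) == beta:
                return k, a
    return None

if __name__ == "__main__":
    print(verify(*SIG1), verify(*SIG2))       # both signatures are valid
    print(recover_from_reused_k(SIG1, SIG2))  # secret k and private key a
```

The `r1 != r2` comparison doubles as an audit check: scanning a signer's issued signatures for a repeated r finds a reused k.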