
Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter - PowerPoint PPT Presentation



  1. Signature Schemes. Chester Rebeiro, IIT Madras. STINSON: chapter 7

  2. Recall: MACs
     $y = h_K(x)$
     [Diagram: Alice applies $h_K$ to the message "Attack at Dawn!!" and sends the message and its message digest over an unsecure channel; Bob, who holds the same key K, applies $h_K$ to the received message and compares the digests.]
     MACs allow Bob to be certain that
     • the message originated from Alice
     • the message was not tampered with during communication
     A MAC cannot
     • prevent Bob from creating forgeries (i.e., messages in the name of Alice)
     • prove authenticity to someone without sharing the secret key K
     Digital signatures solve both these problems.

  3. Digital Signatures
     • A token sent along with the message that achieves
       – Authentication
       – Non-repudiation
       – Integrity
     • Based on public key cryptography

  4. Public Key Certificates
     An important application of digital signatures.
     Bob's Certificate { Bob's public key in plaintext; signature of the certifying authority; other information }
     To communicate with Bob, Alice gets his public key from a trusted authority (TA). A trusted authority could be a government agency, Verisign, etc. A signature from the TA ensures that the public key is authentic.

  5. Digital Signature
     [Diagram: Alice signs the message x = "Attack at Dawn!!" with $sig_K$ using her private key and sends (x, y), where y is the digital signature, over an unsecure channel; everyone else runs $ver_K$ with Alice's public key and obtains TRUE / FALSE.]
     Signing function: $y = sig_a(x)$
     • Input: message (x) and Alice's private key
     • Output: digital signature of the message
     Verifying function: $ver_b(x, y)$
     • Input: digital signature, message
     • Output: true or false (true if the signature is valid, false otherwise)

  6. Digital Signatures (Formally)

  7. Forgery
     [Diagram: Mallory runs a forgery algorithm and sends (x, y) over an unsecure channel; everyone else runs $ver_K$ with Alice's public key and obtains TRUE.]
     If Mallory can create a valid digital signature such that $ver_K(x, y) = TRUE$ for a message not previously signed by Alice, then the pair (x, y) forms a forgery.

  8. Security Models for Digital Signatures: Goals of Attacker (by difficulty level)
     • Total break: Mallory can determine Alice's private key (and can therefore generate any number of signed messages)
     • Selective forgery: Given a message x, Mallory can determine y such that (x, y) is a valid signature from Alice
     • Existential forgery: Mallory is able to create y for some x such that (x, y) is a valid signature from Alice

  9. Security Models for Digital Signatures: Assumptions (listed from weak to strong)
     • Key-only attack: Mallory only has Alice's public key (i.e., only has access to the verification function, ver)
     • Known-message attack: Mallory only has a list of messages signed by Alice: $(x_1, y_1), (x_2, y_2), (x_3, y_3), (x_4, y_4), \ldots$
     • Chosen-message attack: Mallory chooses messages $x_1, x_2, x_3, \ldots$ and tricks Alice into providing the corresponding signatures $y_1, y_2, y_3$ (resp.)

  10. First Attempt at Making a Digital Signature (using RSA)
     Public: b, n. Private: a, p, q.
     $n = pq$; $a \equiv b^{-1} \bmod \phi(n)$
     sig(x) {
       $y \equiv x^a \bmod n$
       return (x, y)
     }
     ver(x, y) {
       if ($x \equiv y^b \bmod n$) return TRUE
       else return FALSE
     }
     x is the message here and (x, y) the signature.

  11. A Forgery for the RSA Signature (First Forgery)
     Public: b, n. Private: a, p, q.
     $n = pq$; $a \equiv b^{-1} \bmod \phi(n)$
     sig(x) {
       $y \equiv x^a \bmod n$
       return (x, y)
     }
     ver(x, y) {
       if ($x \equiv y^b \bmod n$) return TRUE
       else return FALSE
     }
     forgery() {
       select a random y
       compute $x \equiv y^b \bmod n$
       return (x, y)
     }
     This is a key-only, existential forgery.

  12. Second Forgery
     Suppose Alice creates signatures of two messages $x_1$ and $x_2$:
     $y_1 = sig(x_1) \rightarrow y_1 \equiv x_1^a \bmod n$, giving $(x_1, y_1)$
     $y_2 = sig(x_2) \rightarrow y_2 \equiv x_2^a \bmod n$, giving $(x_2, y_2)$
     Mallory can use the multiplicative property of RSA to create a forgery (known message, existential forgery):
     $(x_1 x_2 \bmod n,\; y_1 y_2 \bmod n)$ is a forgery, because $y_1 y_2 \equiv x_1^a x_2^a \bmod n$

  13. RSA Digital Signatures
     Incorporate a hash function in the scheme to prevent forgery.
     Public: b, n. Private: a, p, q.
     sig(x) {
       $z = h(x)$
       $y \equiv z^a \bmod n$
       return (x, y)
     }
     ver(x, y) {
       $z = h(x)$
       if ($z \equiv y^b \bmod n$) return TRUE
       else return FALSE
     }
     x is the message here, (x, y) the signature, and h is a hash function.

  14. How does the hash function help? Preventing the First Forgery
     forgery() {
       select a random y
       compute $z' \equiv y^b \bmod n$
       compute first preimage: x s.t. $z' = h(x)$
       return (x, y)
     }
     Forgery becomes equivalent to the first preimage attack on the hash function.

  15. How does the hash function help? Preventing the Second Forgery
     Forging $(x_1 x_2 \bmod n,\; y_1 y_2 \bmod n)$ is difficult:
     $y_1 y_2 \equiv h(x_1)^a\, h(x_2)^a \bmod n$, rather than $x_1^a x_2^a \bmod n$
     Creating such a forgery is unlikely.

  16. How does the hash function help? Another Forgery Prevented
     forgery(x, y) {
       compute h(x)
       compute second preimage: find x' s.t. $h(x) = h(x')$ and $x \neq x'$
       return (x', y)
     }
     Given a valid signature (x, y), find (x', y). Creating such a forgery is equivalent to solving the second preimage problem of the hash function.

  17. ElGamal Signature Scheme
     • 1985
     • Variant adopted by NIST as the DSA (DSA: standard for digital signature algorithm)
     • Based on the difficulty of the discrete log problem

  18. ElGamal Signing
     Initialization:
     • Choose a large prime p
     • Let $\alpha \in \mathbb{Z}_p^*$ be a primitive element
     • Choose a ($0 < a \le p - 1$)
     • Compute $\beta \equiv \alpha^a \bmod p$
     • Public parameters: $p, \alpha, \beta$
     • Private key: a
     Signing message x:
     sig(x) {
       select a secret random k s.t. $\gcd(k, p - 1) = 1$
       $\gamma \equiv \alpha^k \bmod p$
       $\delta \equiv (x - a\gamma)\, k^{-1} \bmod (p - 1)$
       $y = (\gamma, \delta)$
       return (x, y)
     }
     The use of a random secret k for every signature makes ElGamal non-deterministic.

  19. ElGamal Verifying
     Initialization:
     • Choose a large prime p
     • Let $\alpha \in \mathbb{Z}_p^*$ be a primitive element
     • Choose a ($0 < a \le p - 1$)
     • Compute $\beta \equiv \alpha^a \bmod p$
     • Public parameters: $p, \alpha, \beta$
     • Private key: a
     Verifying signature (x, y):
     ver(x, ($\gamma$, $\delta$)) {
       compute $t_1 \equiv \alpha^x \bmod p$
       compute $t_2 \equiv \beta^{\gamma} \gamma^{\delta} \bmod p$
       if ($t_1 = t_2$) return TRUE
       else return FALSE
     }

  20. ElGamal Correctness
     Initialization: choose a large prime p; let $\alpha \in \mathbb{Z}_p^*$ be a primitive element; choose a ($0 < a \le p - 1$); compute $\beta \equiv \alpha^a \bmod p$. Public parameters: $p, \alpha, \beta$. Private key: a.
     Signing message x: select a secret random k; $\gamma \equiv \alpha^k \bmod p$; $\delta \equiv (x - a\gamma)\, k^{-1} \bmod (p - 1)$; $y = (\gamma, \delta)$; return (x, y).
     Verifying signature (x, y): compute $t_1 \equiv \alpha^x \bmod p$ and $t_2 \equiv \beta^{\gamma} \gamma^{\delta} \bmod p$; if ($t_1 = t_2$) return TRUE, else return FALSE.
     Correctness: first note that $a\gamma + k\delta \equiv x \bmod (p - 1)$.
     If the signature is valid, $t_1 = t_2$:
     $t_1 \equiv \alpha^x \bmod p$
     $t_2 \equiv \beta^{\gamma} \gamma^{\delta} \bmod p$
     $\quad \equiv (\alpha^a)^{\gamma} (\alpha^k)^{\delta} \bmod p$
     $\quad \equiv \alpha^{a\gamma + k\delta} \bmod p$
     $\quad \equiv \alpha^x \bmod p$

  21. Example
     $p = 467$, $\alpha = 2$, $a = 127$
     $\beta \equiv \alpha^a \bmod p = 2^{127} \bmod 467 = 132$
     Signature of message x = 100:
     $k = 213$ (chosen randomly)
     $k^{-1} \bmod (p - 1) = 431$
     $\gamma = \alpha^k \bmod p = 2^{213} \bmod 467 = 29$
     $\delta = (x - a\gamma)\, k^{-1} \bmod (p - 1) = (100 - 127 \cdot 29) \cdot 431 \bmod 466 = 51$
     Verifying:
     $\beta^{\gamma} \gamma^{\delta} \bmod p = 132^{29} \cdot 29^{51} \bmod 467 = 189$
     $\alpha^x \bmod p = 2^{100} \bmod 467 = 189$
     TRUE

  22. Security of ElGamal Signature Scheme (against Selective Forgery)
     Given an x, Mallory needs to find $(\gamma, \delta)$ such that $ver(x, (\gamma, \delta)) = TRUE$.
     • Attempt 1: Choose a value for $\gamma$, then try to compute $\delta$ s.t. $\beta^{\gamma} \gamma^{\delta} \equiv \alpha^x \bmod p$. This is the intractable discrete log problem: $\delta = \log_{\gamma} \alpha^x \beta^{-\gamma}$.
     • Attempt 2: Choose a value for $\delta$, then try to compute $\gamma$ s.t. $\beta^{\gamma} \gamma^{\delta} \equiv \alpha^x \bmod p$. This is not related to the discrete log problem. There is no known solution for this.
     • Attempt 3: Choose values for $\gamma$ and $\delta$ simultaneously s.t. $\beta^{\gamma} \gamma^{\delta} \equiv \alpha^x \bmod p$. No way known.
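
The ElGamal signing and verifying functions of slides 18 and 19, run on the parameters of slide 21, as an added example that is not part of the original slides. The function names and the range check on $\gamma$ are assumptions of this example; the slides' scheme signs x directly, without a hash.

```python
from math import gcd

def keygen(p, alpha, a):
    """Public value beta = alpha^a mod p for private key a."""
    return pow(alpha, a, p)

def sign(x, p, alpha, a, k):
    """Slide 18: (gamma, delta) for message x with per-signature secret k."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    gamma = pow(alpha, k, p)
    k_inv = pow(k, -1, p - 1)                 # Python 3.8+
    delta = (x - a * gamma) * k_inv % (p - 1)
    return gamma, delta

def verify(x, sig, p, alpha, beta):
    """Slide 19: accept iff alpha^x == beta^gamma * gamma^delta (mod p)."""
    gamma, delta = sig
    if not 0 < gamma < p:                     # added check, not on the slides
        return False
    t1 = pow(alpha, x, p)
    t2 = pow(beta, gamma, p) * pow(gamma, delta, p) % p
    return t1 == t2

def slide21_example():
    """Reproduce slide 21: p=467, alpha=2, a=127, x=100, k=213."""
    p, alpha, a, x, k = 467, 2, 127, 100, 213
    beta = keygen(p, alpha, a)
    sig = sign(x, p, alpha, a, k)
    gamma, delta = sig
    # Slide 20 identity: a*gamma + k*delta == x (mod p-1)
    identity_holds = (a * gamma + k * delta) % (p - 1) == x % (p - 1)
    return beta, sig, identity_holds, verify(x, sig, p, alpha, beta)

if __name__ == "__main__":
    print(slide21_example())
```
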
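
The two forgeries against the unhashed RSA scheme (slides 11 and 12) and the effect of adding a hash (slides 13 and 15), as an added example that is not part of the original slides. The key is a constructed toy key, and using SHA-256 reduced mod n as h is an assumption of this example.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small for real use.
p, q = 2**61 - 1, 2**89 - 1
n, b = p * q, 65537                      # public: (b, n)
a = pow(b, -1, (p - 1) * (q - 1))        # private: a = b^-1 mod phi(n)

def sig(x):
    """Slide 10: y = x^a mod n (no hash)."""
    return pow(x, a, n)

def ver(x, y):
    """Slide 10: accept iff x == y^b mod n."""
    return x % n == pow(y, b, n)

def h(x):
    """Assumed hash for this example: SHA-256 of x, reduced mod n."""
    digest = hashlib.sha256(x.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % n

def sig_h(x):
    """Slide 13: y = h(x)^a mod n."""
    return pow(h(x), a, n)

def ver_h(x, y):
    """Slide 13: accept iff h(x) == y^b mod n."""
    return h(x) == pow(y, b, n)

def key_only_forgery(y):
    """Slide 11: needs only (b, n); the resulting message x is not chosen."""
    return pow(y, b, n), y

def product_forgery(pair1, pair2):
    """Slide 12: multiply two signed pairs component-wise mod n."""
    (x1, y1), (x2, y2) = pair1, pair2
    return (x1 * x2) % n, (y1 * y2) % n

def demo():
    x1, x2 = 100, 4242                   # constructed messages
    unhashed = [ver(*key_only_forgery(123456789)),
                ver(*product_forgery((x1, sig(x1)), (x2, sig(x2))))]
    hashed = [ver_h(x1, sig_h(x1)),      # honest signature still verifies
              ver_h(*product_forgery((x1, sig_h(x1)), (x2, sig_h(x2))))]
    return unhashed, hashed

if __name__ == "__main__":
    print(demo())
```

Both forged pairs verify under the unhashed scheme, while under the hashed scheme the product of two valid signatures is rejected because h is not multiplicative.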
