Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : - PowerPoint PPT Presentation

Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7

Recall : MACs y = h K (x) Alice Bob h K = K “A=ack at Dawn!!” Message Digest h K K unsecure channel Message “A=ack at Dawn!!” MACs allow Bob to be certain that • the message has originated from Alice • the message was not tampered during communicaHon MAC cannot • prevent Bob from creaHng forgeries (i.e., messages in the name of Alice) • cannot prove AuthenHcity to someone without sharing the secret key K Digital Signatures solve both these problems CR CR 2

Digital Signatures • A token sent along with the message that achieves – AuthenHcaHon – Non-repudiaHon – Integrity • Based on public key cryptography CR CR 3

Public key Cer@ficates TA Important applicaHon of digital signatures Bob’s CerHficate{ Bob’s public key in plaintext Signature of the cerHfying authority other informaHon } To communicate with Bob, Alice gets his public key from a trusted authority (TA) A trusted authority could be a Government agency, Verisign, etc. A signature from the TA, ensures that the public key is authenHc. CR CR 4

Digital Signature Alice y = digital signature Alice’s Everyone Else sig K Private Key TRUE / FALSE (x, y) Alice’s ver K unsecure channel Public Key Message x = “A=ack at Dawn!!” Signing Func@on Verifying Func@on y = sig a (x) ver b (x, y) Input : Message (x) and Alice’s private key Input : digital signature, message Output: Digital Signature of Message Output : true or false true if signature valid CR CR false otherwise 5

Digital Signatures (Formally) CR CR 6

Forgery Mallory digital signature Everyone Else Forgery TRUE Algorithm (x, y) Alice’s ver K unsecure channel Public Key If Mallory can create a valid digital signature such that ver K (x, y) = TRUE for a message not previously signed by Alice, then the pair (x, y) forms a forgery CR CR 7

Security Models for Digital Signatures AssumpHons Goals of AQacker Total break: • Mallory can determine Alice’s private key (therefore can generate any number of signed messages) Difficulty Level Selec@ve forgery: • Given a message x, Mallory can determine y, such that (x, y) is a valid signature from Alice Existen@al forgery: • Mallory is able to create y for some x, such that (x, y) is a valid signature from Alice CR CR 8

Security Models for Digital Signatures Assump@ons Goals of A=acker Weak (needs a strong a=acker) Key-only aQack : • Mallory only has Alice’s public key (i.e. only has access to the verificaHon funcHon, ver ) Known-message aQack : • Mallory only has a list of messages signed by Alice (x 1 , y 1 ), (x 2 , y 2 ), (x 3 , y 3 ), (x 4 , y 4 ), ….. Chosen-message aQack : • Mallory chooses messages x 1 , x 2 , x 3 , …….. and tricks Alice into providing the corresponding signatures y 1 , y 2 , y 3 (resp.) Strong CR CR 9

First AQempt making a digital signature (using RSA) b , n public a , p , q private n = pq ; a ≡ b - 1 mod φ (n) sig ( x ){ ver ( x , y ){ a y x mod n ≡ b ( x , y ) if ( x y mod n ) return TRUE ≡ return ( x , y ) else return FALSE } } x is the message here and (x, y) the signature CR CR 10

A Forgery for the RSA signature (First Forgery) b , n public a , p , q private n pq ; a b- 1 mod (n) = ≡ ϕ sig ( x ){ ver ( x , y ){ K a y x mod n ≡ ( x , y ) b if ( x y mod n ) return TRUE ≡ return ( x , y ) else return FALSE } } forgery (){ Key only, existenHal forgery select a random y b compute x y mod n ≡ return ( x , y ) } CR CR 11

Second Forgery Suppose Alice creates signatures of two messages x 1 and x 2 a y sig ( x ) y x mod n ( x , y ) = → ≡ 1 1 1 1 1 1 a y sig ( x ) y x mod n ( x , y ) = → ≡ 2 2 2 2 2 2 Mallory can use the mul@plica@ve property of RSA to create a forgery Known message, existenHal forgery ( x x mod n , y y mod n ) is a forgery 1 2 1 2 a a y y x x mod n ≡ 1 2 1 2 CR CR 12

RSA Digital Signatures Incorporate a hash funcHon in the scheme to prevent forgery b , n public a , p , q private sig ( x ){ ver ( x , y ){ K z h ( x ) = z h ( x ) = ( x , y ) a y z mod n ≡ b if ( z y mod n ) return TRUE ≡ return ( x , y ) else return FALSE } } x is the message here, (x, y) the signature and h is a hash funcHon CR CR 13

How does the hash func@on help? PrevenHng the First Forgery forgery (){ select a random y b compute z ' y mod n ≡ st compute I preimage : x st . z ' h ( x ) = return ( x , y ) } Forgery becomes equivalent to the first preimage a=ack on the hash funcHon CR CR 14

How does the hash func@on help? PrevenHng the Second Forgery ( x x mod n , y y mod n ) is difficult 1 2 1 2 a a y y h ( x ) h ( x ) mod n ≡ 1 2 1 2 a a x x mod n ≡ 1 2 creaHng such a forgery is unlikely CR CR 15

How does the hash func@on help? Another Forgery prevented forgery ( x , y ){ compute h ( x ) nd compute II preimage : find x ' s . t . h ( x ) h ( x ' ) and x x ' = ≠ return ( x ' , y ) } Given a valid signature (x,y) find (x’,y) creaHng such a forgery is equivalent to solving the 2 nd preimage problem of the hash funcHonw CR CR 16

ElGamal Signature Scheme • 1985 • Variant adopted by NIST as the DSA (DSA: standard for digital signature algorithm) • Based on the difficult of the discrete log problem CR CR 17

ElGamal Signing IniHalizaHon Choose a large prime p * Let Z be a primitive element α ∈ p Choose a ( 0 a p 1 ) < ≤ − a Compute mod p β ≡ α Public Parameters : p , , α β Private key : a Signing Message x sig ( x ){ The use of a random secret k for every select a secret random k s . t . gcd( k , p 1 ) 1 − = signature makes ElGamal non-determinisHc k mod p γ ≡ α 1 ( x a ) k mod p 1 − δ ≡ − γ − y ( , ) = γ δ return ( x , y ) } CR CR 18

ElGamal Verifying IniHalizaHon Choose a large prime p * Let Z be a primitive element α ∈ p Choose a ( 0 a p 1 ) < ≤ − a Compute mod p β ≡ α Public Parameters : p , , α β Private key : a Verifying Signature (x,y) ver ( x , ( , )){ γ δ x compute t mod p ≡ α 1 compute t mod p γ γ δ ≡ β 2 if ( t t ) = 1 2 return TRUE else return FALSE CR CR } 19

ElGamal Correctness IniHalizaHon Choose a large prime p Signing Message x Verifying Signature (x,y) * Let Z be a primitive element α ∈ p sig ( x ){ ver ( x , ( , )){ Choose a ( 0 a p 1 ) γ δ < ≤ − select a secret random k x compute t mod p a Compute mod p ≡ α β ≡ α 1 k mod p γ ≡ α compute t γ γ δ mod p ≡ β 2 1 ( x a ) k − mod p 1 δ ≡ − γ − Public Parameters : p , , if ( t t ) return TRUE α β = 1 2 y ( , ) = γ δ Private key : a else return FALSE return ( x , y ) } } First note that correctness a γ + k δ ≡ x mod( p − 1) if the signature is valid, t 1 = t 2 t 2 ≡ β γ γ δ mod p t 1 ≡ α x mod p ≡ ( α a ) γ ⋅ ( α k ) δ mod p ≡ α a γ + k δ mod p ≡ α x mod p CR CR 20

Example p 467 = α = 2 a 127 = a mod p β ≡ α 127 2 mod 467 = Signature of message x = 100 132 = k 213 ( chosen randomly ) = Verifying 1 k mod p 1 431 − − = k mod p γ = α 29 51 mod p 132 29 mod 467 189 γ δ β γ = = 213 2 mod 467 = x 100 mod p 2 mod p 189 α = = 29 = TRUE 1 x a ) k mod p 1 − δ = ( − γ − ( 100 2 29 ) 431 mod 466 = − ⋅ 51 = CR CR 21

Security of ElGamal Signature Scheme (against Selec3ve forgery) Given an x , Mallory needs to find ( , ) such that ver ( x , ( , )) TRUE γ δ γ δ = A=empt 1 x Choose a value for , then try to compute s . t . mod p γ δ γ δ β γ ≡ α This is the intractable discrete log problem x log − γ δ = α β γ A=empt 2 x mod Choose a value for , then try to compute s . t . γ δ p δ γ β γ ≡ α This is not related to the discrete log problem. There is no known soluHon for this. A=empt 3 x mod Choose value for and simultaneo usly , s . t . γ δ p γ δ β γ ≡ α No way known. CR CR 22

Security of ElGamal Signature Scheme (against Existen@al forgery) Mallory needs to find an ( x, ( , )) such that ver ( x , ( , )) TRUE γ δ γ δ = The one-parameter forgery choose some i (0 ≤ i ≤ p − 2). form γ ≡ α i β mod p forgery δ ≡ − γ mod( p − 1) x ≡ i δ mod( p − 1). then , ver ( x ,( γ , δ )) = TRUE α x ≡ β γ γ δ mod p RHS ≡ β γ ( α i β ) δ mod p ≡ β γ + δ α i δ mod p proof ≡ α a γ + a δ α i δ mod p ≡ α a γ − a γ + i δ mod p ≡ α i δ mod p ≡ α x mod p = LHS CR CR 23