Digital Signature Schemes (lecture slides, 福井大学 / University of Fukui: fuee.u-fukui.ac.jp/.../slides/e/digital_signature.pdf)


Digital Signature Schemes


What is a digital signature?

Properties

• "Who signed what" is publicly verifiable

• Unforgeable

A Digital Signature Scheme

Key generation algorithm G (probabilistic)

(pk, sk) ← G(1^ℓ)

ℓ: security parameter

(pk, sk): public/secret key pair

Signing algorithm S (probabilistic or deterministic)

s ← S(pk, sk, m)

m: message; s: signature for m

Verification algorithm V (deterministic)

d ← V(pk, m, s)

d ∈ {true, false}

The RSA Scheme

public key: n, e

• n = p q, where p and q are distinct odd primes

• e satisfies gcd(e, φ(n)) = 1

secret key: d, p, q

• d e ≡ 1 (mod φ(n))

sign: s is the signature of a message m ∈ Z_n

s = m^d mod n

verification: s is a valid signature of m if

m ≡ s^e (mod n)
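The scheme above, as an added worked example that is not part of the slides: key generation from two primes, the signing equation s = m^d mod n and the check m ≡ s^e (mod n). The primes p = 61, q = 53 and the exponent e = 17 are a constructed toy key for illustration only; real keys use primes of 1024 bits or more.

```python
# Added example (not from the slides): textbook RSA key generation, signing and
# verification exactly as the slide states them. The primes p = 61, q = 53 and the
# exponent e = 17 are a constructed toy key; real keys use primes of 1024+ bits.
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Return ((n, e), (d, p, q)) for distinct odd primes p, q and gcd(e, φ(n)) = 1."""
    if p == q or p % 2 == 0 or q % 2 == 0:
        raise ValueError("p and q must be distinct odd primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # φ(n) for n = p q
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo φ(n)")
    d = pow(e, -1, phi)                # d e ≡ 1 (mod φ(n))
    return (n, e), (d, p, q)

def rsa_sign(sk, n: int, m: int) -> int:
    """s = m^d mod n for a message m ∈ Z_n."""
    d, _, _ = sk
    if not 0 <= m < n:
        raise ValueError("message must be an element of Z_n")
    return pow(m, d, n)

def rsa_verify(pk, m: int, s: int) -> bool:
    """Accept iff m ≡ s^e (mod n); the range checks keep malformed inputs out."""
    n, e = pk
    if not (0 <= m < n and 0 <= s < n):
        return False
    return pow(s, e, n) == m

# Constructed toy key: n = 3233, φ(n) = 3120, d = 17^{-1} mod 3120 = 2753.
PK, SK = rsa_keygen(61, 53, 17)

def demo(m: int = 65):
    """Sign m, then verify it and a modified message; returns (s, accepted, tampered_accepted)."""
    s = rsa_sign(SK, PK[0], m)
    return s, rsa_verify(PK, m, s), rsa_verify(PK, (m + 1) % PK[0], s)

if __name__ == "__main__":
    print(demo())
```

Note that the slide signs m ∈ Z_n directly; the "Digital Signature and Message Digest" slide later explains why a real signer signs a digest of m instead.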

The ElGamal Scheme (1/2)

public key: p, g, y

• p is a prime

• g ∈ Z_p^* is a primitive element modulo p

• y = g^x mod p

secret key: x ∈ Z_{p−1}

The ElGamal Scheme (2/2)

sign: (a, b) is a signature of a message m ∈ Z_{p−1}

1. Select k ∈ Z_{p−1}^* randomly, that is, gcd(k, p − 1) = 1

2. a = g^k mod p

3. b = (m − x a) k^{−1} mod (p − 1)

verification: (a, b) is a valid signature of m if

g^m ≡ y^a a^b (mod p)

Misuse of the ElGamal Scheme (1/2)

Do not use the same k for signing different messages!

Suppose that the same k is used for signing two different messages m_1, m_2:

(a, b_1) is a signature for m_1

(a, b_2) is a signature for m_2, where a = g^k mod p

Then, from the signing algorithm,

m_1 ≡ a x + k b_1 (mod p − 1)

m_2 ≡ a x + k b_2 (mod p − 1)

m_1 − m_2 ≡ k (b_1 − b_2) (mod p − 1)

Misuse of the ElGamal Scheme (2/2)

Let gcd(b_1 − b_2, p − 1) = d and

m̃ = (m_1 − m_2) / d,  b̃ = (b_1 − b_2) / d,  p̃ = (p − 1) / d

Then,

m̃ ≡ k b̃ (mod p̃)

Let k̃ = m̃ b̃^{−1} mod p̃. Then, k = i p̃ + k̃ for some i ∈ Z_d.

The right value of k is determined by a = g^k mod p.

Once k is known, the secret key x can be recovered by

x = (m_1 − k b_1) a^{−1} mod (p − 1)
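The ElGamal signing and verification equations from the two scheme slides, together with the key-recovery calculation the two "Misuse" slides derive, as an added example that is not part of the slides. It runs on the constructed toy parameters p = 467, g = 2, x = 127 (so y = 132) and deliberately reuses k = 213 for two messages, which is exactly the mistake the slide warns against; the defensive piece is a batch check that flags stored signatures sharing the same a, the observable symptom of a reused k.

```python
# Added example (not from the slides): ElGamal sign/verify as on the scheme slides, then
# the (k, x) recovery of the "Misuse" slides on constructed toy parameters
# p = 467, g = 2, x = 127. Shows why k must be fresh for every signature.
from math import gcd
import secrets

def elgamal_sign(p: int, g: int, x: int, m: int, k=None):
    """(a, b) with a = g^k mod p and b = (m - x a) k^{-1} mod (p-1); needs gcd(k, p-1) = 1."""
    if k is None:
        while True:
            k = secrets.randbelow(p - 2) + 1            # fresh k ∈ Z_{p-1}^* per signature
            if gcd(k, p - 1) == 1:
                break
    elif gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p - 1")
    a = pow(g, k, p)
    b = ((m - x * a) * pow(k, -1, p - 1)) % (p - 1)
    return a, b

def elgamal_verify(p, g, y, m, sig) -> bool:
    """Accept iff g^m ≡ y^a a^b (mod p), after range checks on (a, b)."""
    a, b = sig
    if not (0 < a < p and 0 <= b < p - 1):
        return False
    return pow(g, m, p) == (pow(y, a, p) * pow(a, b, p)) % p

def recover_from_reuse(p, g, m1, sig1, m2, sig2):
    """'Misuse (2/2)': from two signatures that share a (same k), return (k, x) or None."""
    (a, b1), (a2, b2) = sig1, sig2
    n = p - 1
    if a != a2 or b1 == b2:
        return None                                     # different k, or identical signatures
    d = gcd((b1 - b2) % n, n)                           # d = gcd(b1 - b2, p - 1)
    m_t = ((m1 - m2) % n) // d                          # m̃ = (m1 - m2) / d
    b_t = ((b1 - b2) % n) // d                          # b̃ = (b1 - b2) / d
    p_t = n // d                                        # p̃ = (p - 1) / d
    k_t = (m_t * pow(b_t, -1, p_t)) % p_t               # k̃ = m̃ b̃^{-1} mod p̃
    for i in range(d):                                  # k = i p̃ + k̃ for some i ∈ Z_d ...
        k = i * p_t + k_t
        if pow(g, k, p) == a:                           # ... and a = g^k mod p selects it
            x = ((m1 - k * b1) * pow(a, -1, n)) % n     # x = (m1 - k b1) a^{-1} mod (p - 1)
            return k, x
    return None

def find_repeated_a(records):
    """Defensive check over stored (m, (a, b)) records: groups of signatures sharing a."""
    seen = {}
    for m, (a, b) in records:
        seen.setdefault(a, []).append((m, b))
    return {a: grp for a, grp in seen.items() if len(grp) > 1}

P, G, X = 467, 2, 127          # constructed toy parameters
Y = pow(G, X, P)               # 132

def demo():
    """Reuse k = 213 for m1 = 100 and m2 = 200, flag it, and recover (k, x) from the pair."""
    sig1 = elgamal_sign(P, G, X, 100, k=213)    # (29, 51)
    sig2 = elgamal_sign(P, G, X, 200, k=213)    # (29, 279): same a, so k was reused
    assert elgamal_verify(P, G, Y, 100, sig1) and elgamal_verify(P, G, Y, 200, sig2)
    flagged = find_repeated_a([(100, sig1), (200, sig2)])
    return flagged, recover_from_reuse(P, G, 100, sig1, 200, sig2)

if __name__ == "__main__":
    print(demo())
```

The loop over i ∈ Z_d is the "right value of k is determined by a = g^k mod p" step; for this pair d = 2, so at most two candidates are tried.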

The Digital Signature Algorithm (DSA)

• A modification of the ElGamal scheme

• Proposed by the U.S. National Institute of Standards and Technology (NIST) in August 1991

• Became a U.S. Federal Information Processing Standard (FIPS 186) in 1994, called the Digital Signature Standard (DSS)

The Digital Signature Algorithm (DSA)

public key: p, q, g, y

• p, q are primes such that

– 2^159 < q < 2^160

– 2^{511+64t} < p < 2^{512+64t} for some 0 ≤ t ≤ 8

– q divides p − 1

• g ∈ Z_p^* such that g^q ≡ 1 (mod p)

• y = g^x mod p

secret key: x ∈ Z_q

The Digital Signature Algorithm (DSA)

sign: (a, b) is a signature of a message m ∈ Z_q

1. Select k ∈ Z_q^* randomly

2. a = (g^k mod p) mod q

3. b = (m + x a) k^{−1} mod q

verification: (a, b) is a valid signature of m if

(g^{u_1} y^{u_2} mod p) mod q = a

where

u_1 = m b^{−1} mod q

u_2 = a b^{−1} mod q

How the Verification Works

From the signing algorithm,

b = (m + x a) k^{−1} mod q

k = (m + x a) b^{−1} mod q

Thus,

g^k ≡ g^{m b^{−1}} g^{x a b^{−1}} (mod p)

g^k ≡ g^{m b^{−1}} y^{a b^{−1}} (mod p)

that is, g^k ≡ g^{u_1} y^{u_2} (mod p), so reducing both sides modulo q gives (g^{u_1} y^{u_2} mod p) mod q = (g^k mod p) mod q = a.
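The DSA parameter conditions, signing and verification from the preceding slides, together with a direct check of the identity g^k ≡ g^{u_1} y^{u_2} (mod p) that makes verification work, as an added example that is not part of the slides. The parameters q = 101, p = 607 (= 6·101 + 1), the secret key x = 57 and the nonce k = 17 are constructed for illustration only; real DSA uses the 160-bit q and 512 to 1024-bit p from the parameter slide.

```python
# Added example (not from the slides): DSA generator check, signing and verification as
# written on the slides, plus the identity g^k ≡ g^{u1} y^{u2} (mod p) from
# "How the Verification Works". Toy parameters q = 101, p = 607, x = 57, k = 17.
import secrets

def dsa_generator(p: int, q: int, h: int = 2) -> int:
    """g = h^((p-1)/q) mod p has order q when it is not 1; enforces the slide's conditions."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1 or pow(g, q, p) != 1:
        raise ValueError("g must have order q")
    return g

def dsa_sign(p, q, g, x, m, k=None):
    """(a, b) with a = (g^k mod p) mod q and b = (m + x a) k^{-1} mod q."""
    if not 0 <= m < q:
        raise ValueError("m must be an element of Z_q")
    while True:
        if k is None:
            k = secrets.randbelow(q - 1) + 1          # fresh k ∈ Z_q^* for every signature
        a = pow(g, k, p) % q
        b = ((m + x * a) * pow(k, -1, q)) % q
        if a != 0 and b != 0:                         # a = 0 or b = 0 gives an unusable signature
            return a, b
        k = None                                      # resample and try again

def dsa_verify(p, q, g, y, m, sig) -> bool:
    """Accept iff (g^{u1} y^{u2} mod p) mod q = a, after rejecting out-of-range values."""
    a, b = sig
    if not (0 < a < q and 0 < b < q and 0 <= m < q):
        return False                                  # b = 0 has no inverse; a must be in (0, q)
    w = pow(b, -1, q)
    u1 = (m * w) % q                                  # u1 = m b^{-1} mod q
    u2 = (a * w) % q                                  # u2 = a b^{-1} mod q
    return (pow(g, u1, p) * pow(y, u2, p)) % p % q == a

def verification_identity(p, q, g, y, x, m, k) -> bool:
    """With b from the signing equation, g^k ≡ g^{u1} y^{u2} (mod p) holds exactly."""
    a = pow(g, k, p) % q
    b = ((m + x * a) * pow(k, -1, q)) % q
    w = pow(b, -1, q)
    u1, u2 = (m * w) % q, (a * w) % q
    return pow(g, k, p) == (pow(g, u1, p) * pow(y, u2, p)) % p

P, Q = 607, 101                    # constructed toy primes, 607 = 6 * 101 + 1
G = dsa_generator(P, Q)            # 2^6 mod 607 = 64
X = 57                             # constructed toy secret key
Y = pow(G, X, P)

def demo():
    """Returns (signature, accepted, malformed_accepted, identity_holds) for m = 42, k = 17."""
    sig = dsa_sign(P, Q, G, X, 42, k=17)              # (16, 68) for these toy values
    return (sig,
            dsa_verify(P, Q, G, Y, 42, sig),
            dsa_verify(P, Q, G, Y, 42, (0, sig[1])),  # a = 0 is rejected before any arithmetic
            verification_identity(P, Q, G, Y, X, 42, 17))

if __name__ == "__main__":
    print(demo())
```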

The Schnorr Scheme

public key: p, q, g, y

• p, q are primes such that q | p − 1

• g ∈ Z_p^* such that g^q ≡ 1 (mod p)

• y = g^x mod p

secret key: x ∈ Z_q

This scheme also requires a collision-resistant hash function h : {0, 1}^* → Z_q^*.

The Schnorr Scheme

sign: (e, s) is a signature of a message m

1. Select k ∈ Z_q^* randomly

2. e = h(r, m), where r = g^k mod p

3. s = k − e x mod q

verification: (e, s) is a valid signature of m if

e = h(r′, m)

where

r′ = g^s y^e mod p

Digital Signature and Message Digest

To sign a message m of arbitrary length, a signer first computes a message digest of m, h(m), with a hash function h and then creates a signature for h(m).

The hash function h should be collision-resistant.

Def. 1 A hash function h : D → R is collision-resistant if it is difficult to find a pair of inputs x, x′ ∈ D such that h(x) = h(x′) and x ≠ x′. □
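Hash-then-sign as described above, using the RSA equations from the RSA slide, as an added example that is not part of the slides. It contrasts a collision-resistant digest (SHA-256) with a constructed, deliberately weak "digest" (the sum of the bytes), under which any two messages with the same bytes in a different order collide, so a signature on one is accepted for the other; that is the failure Def. 1 is meant to exclude. The key uses the Mersenne primes 2^127 − 1 and 2^521 − 1 only because they are known primes large enough for a 256-bit digest to lie in Z_n; a real key uses randomly generated primes of similar size and an encoding such as PKCS#1 v1.5 or PSS around the digest, which this block omits.

```python
# Added example (not from the slides): hash-then-sign with the RSA equations, comparing a
# collision-resistant digest (SHA-256) with a constructed weak digest (sum of bytes).
# Key: Mersenne primes M127 and M521 (a toy choice, see lead-in), e = 65537.
import hashlib
from math import gcd

P = (1 << 127) - 1            # Mersenne prime M127 (toy key)
Q = (1 << 521) - 1            # Mersenne prime M521
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1       # e must be invertible modulo φ(n)
D = pow(E, -1, PHI)           # d e ≡ 1 (mod φ(n))

def digest_sha256(m: bytes) -> int:
    """h(m) as an integer: SHA-256 read big-endian; it is < 2^256 < n, so it lies in Z_n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def digest_weak(m: bytes) -> int:
    """Constructed NON-collision-resistant digest: every permutation of the bytes collides."""
    return sum(m)

def sign_digest(h, m: bytes) -> int:
    """s = h(m)^d mod n: the RSA signing equation applied to the digest instead of to m."""
    hm = h(m)
    if not 0 <= hm < N:
        raise ValueError("digest must be an element of Z_n")
    return pow(hm, D, N)

def verify_digest(h, m: bytes, s: int) -> bool:
    """Accept iff h(m) ≡ s^e (mod n)."""
    return 0 <= s < N and pow(s, E, N) == h(m)

def demo():
    """Returns (sha_ok, sha_other, weak_ok, weak_other): is the signature on m accepted for
    m itself and for a byte-permuted message, under each digest?"""
    m, other = b"pay 100 to alice", b"pay 100 to ecila"   # same bytes, different order
    s_sha = sign_digest(digest_sha256, m)
    s_weak = sign_digest(digest_weak, m)
    return (verify_digest(digest_sha256, m, s_sha),
            verify_digest(digest_sha256, other, s_sha),
            verify_digest(digest_weak, m, s_weak),
            verify_digest(digest_weak, other, s_weak))

if __name__ == "__main__":
    print(demo())
```

The last value of demo() is the point of the slide: with a digest that is not collision-resistant, one signature covers every message in the collision class.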

Security of Signature Schemes (1/2)

Adversarial goal

• total break: an adversary is able to create a valid signature for any message.

• selective forgery: an adversary is able to create a valid signature for a given message chosen by someone else.

• existential forgery: an adversary is able to create a valid signature for at least one message.

Security of Signature Schemes (2/2)

Attack

• key-only attack: an adversary only knows the public key of the signer.

• known message attack: an adversary knows a list of messages and their corresponding signatures.

• chosen message attack: an adversary is able to request signatures for messages he selects.

Chosen Message Attack

[Figure: the adversary A selects messages m_1, …, m_q and sends each m_i to the signing oracle O; the oracle answers with the signature s_i ← S(pk, sk, m_i), returning s_1, …, s_q.]

Provably Secure Signature Schemes

Efficient and provably secure schemes have been proposed based on the intractability of number theoretic problems in the random oracle model.

These schemes are secure against existential forgery with a chosen message attack.

The Schnorr Scheme Is Provably Secure

Thm. 1 Suppose that the discrete logarithm problem is intractable. Then, the Schnorr scheme is secure against existential forgery with a chosen message attack in the random oracle model. □

(Proof sketch) In the random oracle model,

• An oracle is able to simulate the signer without the secret key.

• If an adversary is able to create a valid signature with non-negligible probability, then an algorithm can be constructed that computes the discrete logarithm of the public key with non-negligible probability, using the adversary as a subroutine.

Simulation of the Signer in the Random Oracle Model

public key: p, q, g, y

secret key: x ∈ Z_q, where y = g^x mod p

Suppose that an adversary requests a signature for m. The oracle computes (e, s) in the following way and returns it to the adversary.

1. Select e, s ∈ Z_q^* randomly and compute r̃ = g^s y^e mod p

2. Set e = h(r̃, m), that is, program the random oracle so that the query (r̃, m) is answered with the e chosen in step 1
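The Schnorr scheme from the two Schnorr slides and the signer simulation described just above, as an added example that is not part of the slides. The hash h(r, m) is realised in two ways: by SHA-256 reduced into Z_q^* for real signing, and by a programmable lookup table standing in for the random oracle for the simulation, so that the simulator can fix h(r̃, m) = e after choosing e and s. The simulated (e, s) verifies although the simulator never touches x, which is the first bullet of the proof sketch. Group generation with a Miller-Rabin test is included so that q is large enough for a tampered message to be rejected; the 64-bit q and 128-bit p are a toy choice for a fast run, not the slide's parameter sizes.

```python
# Added example (not from the slides): Schnorr sign/verify with h(r, m) from SHA-256, and
# the random-oracle signer simulation from the slide, with a programmable oracle table.
# Group sizes (64-bit q, 128-bit p) are a toy choice; all parameters are generated here.
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; a composite passes all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(qbits: int = 64, pbits: int = 128):
    """Primes with q | p - 1 and g ∈ Z_p^* of order q: the slide's public parameters."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(5000):
            t = secrets.randbits(pbits - qbits - 1) << 1     # even t keeps p = q t + 1 odd
            p = q * t + 1
            if t and is_probable_prime(p):
                g = pow(2, t, p)                              # 2^((p-1)/q) has order q unless 1
                if g != 1:
                    return p, q, g

def schnorr_sign(p, q, g, x, m: bytes, h):
    """(e, s) with e = h(r, m), r = g^k mod p, s = k - e x mod q."""
    k = secrets.randbelow(q - 1) + 1                          # k ∈ Z_q^*
    r = pow(g, k, p)
    e = h(r, m)
    return e, (k - e * x) % q

def schnorr_verify(p, q, g, y, m: bytes, sig, h) -> bool:
    """Accept iff e = h(r', m) with r' = g^s y^e mod p."""
    e, s = sig
    if not (0 < e < q and 0 <= s < q):
        return False
    r2 = (pow(g, s, p) * pow(y, e, p)) % p
    return e == h(r2, m)

def sha256_oracle(q, p):
    """h : {0,1}^* -> Z_q^* built from SHA-256 over r (fixed width) || m."""
    width = (p.bit_length() + 7) // 8
    def h(r, m):
        dg = hashlib.sha256(r.to_bytes(width, "big") + m).digest()
        return int.from_bytes(dg, "big") % (q - 1) + 1
    return h

class ProgrammableOracle:
    """Random oracle for h: a fresh random answer per new query, but answers can be fixed ahead."""
    def __init__(self, q):
        self.q, self.table = q, {}
    def query(self, r, m):
        key = (r, bytes(m))
        if key not in self.table:
            self.table[key] = secrets.randbelow(self.q - 1) + 1
        return self.table[key]
    def program(self, r, m, e):
        key = (r, bytes(m))
        if self.table.get(key, e) != e:
            raise RuntimeError("point already answered differently; simulation aborts")
        self.table[key] = e

def simulate_signature(p, q, g, y, m: bytes, oracle: ProgrammableOracle):
    """The slide's simulator: choose e, s first, compute r~ = g^s y^e mod p, set h(r~, m) = e."""
    e = secrets.randbelow(q - 1) + 1
    s = secrets.randbelow(q - 1) + 1
    r_t = (pow(g, s, p) * pow(y, e, p)) % p
    oracle.program(r_t, m, e)
    return e, s

def demo():
    """Returns (real_accepted, tampered_accepted, simulated_accepted)."""
    p, q, g = gen_group()
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    h = sha256_oracle(q, p)
    sig = schnorr_sign(p, q, g, x, b"hello", h)
    ro = ProgrammableOracle(q)
    sim = simulate_signature(p, q, g, y, b"hello", ro)       # x is never used here
    return (schnorr_verify(p, q, g, y, b"hello", sig, h),
            schnorr_verify(p, q, g, y, b"hellp", sig, h),
            schnorr_verify(p, q, g, y, b"hello", sim, ro.query))

if __name__ == "__main__":
    print(demo())
```

The programmed oracle is what distinguishes the proof setting from the real one: the simulator may choose the answer to one query because, in the random oracle model, h is a black box whose answers are uniformly random anyway, so the adversary sees the same distribution of (e, s) in both cases.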

Simulation of the Signer in the Random Oracle Model

[Figure: two situations side by side. In one, the adversary sends m_i to the simulating oracle, which returns (e_i, s_i) and controls the random oracle h. In the other, the adversary sends m_i to the real signer, which returns (e_i, s_i) and shares an ordinary random oracle h with the adversary.]

Adversaries cannot distinguish between the above two situations.