Digital Signature Schemes
What is a digital signature?
Properties
• “Who signed what” is publicly verifiable
• Unforgeable
A Digital Signature Scheme
Key generation algorithm G (probabilistic)
$(pk, sk) \leftarrow G(1^\ell)$
$\ell$: security parameter
$(pk, sk)$: public/secret key pair
Signing algorithm S (probabilistic or deterministic)
$s \leftarrow S(pk, sk, m)$
$m$: message; $s$: signature for $m$
Verification algorithm V (deterministic)
$d \leftarrow V(pk, m, s)$
$d \in \{\text{true}, \text{false}\}$
The RSA Scheme
public key $n, e$
• $n = pq$, where $p$ and $q$ are distinct odd primes
• $e$ satisfies $\gcd(e, \varphi(n)) = 1$
secret key $d, p, q$
• $de \equiv 1 \pmod{\varphi(n)}$
sign: $s$ is the signature of a message $m \in \mathbb{Z}_n$
$s = m^d \bmod n$
verification: $s$ is a valid signature of $m$ if
$m \equiv s^e \pmod n$
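The RSA scheme above, written out as an added example that is not part of the lecture notes: key generation with two distinct odd primes, the deterministic signing step $s = m^d \bmod n$, and the check $m \equiv s^e \pmod n$. The key sizes, the seeded random source and the SHA-256 reduction into $\mathbb{Z}_n$ (how an arbitrary-length message becomes an element of $\mathbb{Z}_n$) are my choices, not the slides'.

```python
import hashlib
import random
from math import gcd

# Toy RSA signatures exactly as on the slide: s = m^d mod n, accept iff m == s^e mod n.
# Added example, not part of the lecture notes. Key sizes are deliberately tiny so
# the demo stays fast and self-contained; they give no security.

def is_prime(n):
    # Trial division is enough for the toy sizes used here.
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def random_prime(bits, rng):
    # Odd candidate with its top bit set, so the prime really has `bits` bits.
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

def keygen(bits=20, e=65537, seed=1):
    """G: n = p*q with distinct odd primes p, q; gcd(e, phi(n)) = 1; d*e = 1 (mod phi(n))."""
    rng = random.Random(seed)           # seeded only to keep the demo reproducible
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (p * q, e), (d, p, q)        # pk = (n, e), sk = (d, p, q)

def sign(pk, sk, m):
    """S(pk, sk, m): deterministic; m must be an element of Z_n."""
    n, _ = pk
    d = sk[0]
    if not 0 <= m < n:
        raise ValueError("textbook RSA signs elements of Z_n only")
    return pow(m, d, n)

def verify(pk, m, s):
    """V(pk, m, s): true iff m == s^e (mod n)."""
    n, e = pk
    return 0 <= m < n and pow(s, e, n) == m

def digest_mod_n(message, n):
    # Hash-then-sign: map an arbitrary-length message into Z_n via SHA-256
    # (the slide signs m in Z_n directly; this is how longer messages are handled).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def demo():
    pk, sk = keygen()
    n = pk[0]
    m = digest_mod_n(b"pay 100 to alice", n)
    s = sign(pk, sk, m)
    genuine = verify(pk, m, s)
    altered = verify(pk, digest_mod_n(b"pay 900 to alice", n), s)
    return genuine, altered

if __name__ == "__main__":
    print(demo())
```

Because signing is deterministic here, the same message always yields the same signature; the ElGamal and DSA examples further down are probabilistic, which is why they need a fresh $k$ per signature.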
The ElGamal Scheme (1/2)
public key $p, g, y$
• $p$ is a prime
• $g \in \mathbb{Z}_p^*$ is a primitive element modulo $p$
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_{p-1}$
The ElGamal Scheme (2/2)
sign: $(a, b)$ is a signature of a message $m \in \mathbb{Z}_{p-1}$
1. Select $k \in \mathbb{Z}_{p-1}^*$ randomly, that is, $\gcd(k, p-1) = 1$
2. $a = g^k \bmod p$
3. $b = (m - xa)k^{-1} \bmod (p-1)$
verification: $(a, b)$ is a valid signature of $m$ if
$g^m \equiv y^a a^b \pmod p$
Misuse of the ElGamal Scheme (1/2)
Do not use the same $k$ for signing different messages!
Suppose that $k$ is used for signing different $m_1, m_2$:
$(a, b_1)$ a signature for $m_1$
$(a, b_2)$ a signature for $m_2$, where $a = g^k \bmod p$
Then, from the signing algorithm,
$m_1 = ax + kb_1 \bmod (p-1)$
$m_2 = ax + kb_2 \bmod (p-1)$
$m_1 - m_2 \equiv k(b_1 - b_2) \pmod{p-1}$
Misuse of the ElGamal Scheme (2/2)
Let $\gcd(b_1 - b_2, p-1) = d$ and
$\tilde m = \frac{m_1 - m_2}{d}, \quad \tilde b = \frac{b_1 - b_2}{d}, \quad \tilde p = \frac{p-1}{d}$
($d$ divides $m_1 - m_2$ because it divides both $k(b_1 - b_2)$ and $p-1$.) Then,
$\tilde m \equiv k\tilde b \pmod{\tilde p}$
Let $\tilde k = \tilde m \tilde b^{-1} \bmod \tilde p$. Then, $k = i\tilde p + \tilde k$ for some $i \in \mathbb{Z}_d$.
The right value of $k$ among these $d$ candidates is determined by $a = g^k \bmod p$.
Once $k$ is known, the secret key $x$ can be recovered by
$x = (m_1 - kb_1)a^{-1} \bmod (p-1)$
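The two ElGamal slides and the misuse slides in one added example that is not part of the lecture notes: signing and verification over a constructed toy safe prime $p = 2q + 1$, and the recovery of $x$ from two signatures that share the same $k$, following the derivation above ($d = \gcd(b_1 - b_2, p-1)$, $d$ candidates $k = i\tilde p + \tilde k$, the right one fixed by $a = g^k \bmod p$). It goes slightly beyond the slide in one respect: the final step $x = (m_1 - kb_1)a^{-1} \bmod (p-1)$ assumes $a$ is invertible modulo $p-1$, so the code solves that congruence with the same gcd-based helper and also covers the case where it is not. The parameter sizes, seeds and the `solve_linear` helper are my own.

```python
import random
from math import gcd

# ElGamal signatures over a toy safe prime p = 2q + 1, plus the key recovery
# that becomes possible when one k signs two different messages (the "Misuse"
# slides). Added example, not from the lecture notes; sizes are toy-sized.

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def setup(bits=16, seed=7):
    """Public key (p, g, y) and secret x: p safe prime, g primitive mod p, y = g^x mod p."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    # p - 1 = 2q, so g is primitive iff g^2 != 1 and g^q != 1 (mod p).
    g = next(c for c in range(2, p) if pow(c, 2, p) != 1 and pow(c, q, p) != 1)
    x = rng.randrange(1, p - 1)                # secret key x in Z_{p-1}
    return (p, g, pow(g, x, p)), x

def sign(pk, x, m, k=None, rng=random):
    """(a, b) with a = g^k mod p and b = (m - x a) k^{-1} mod (p-1); k coprime to p-1."""
    p, g, _ = pk
    if k is None:
        k = rng.randrange(1, p - 1)
        while gcd(k, p - 1) != 1:
            k = rng.randrange(1, p - 1)
    elif gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    a = pow(g, k, p)
    b = (m - x * a) * pow(k, -1, p - 1) % (p - 1)   # pow(., -1, .) needs Python 3.8+
    return a, b

def verify(pk, m, sig):
    p, g, y = pk
    a, b = sig
    return 0 < a < p and pow(g, m, p) == pow(y, a, p) * pow(a, b, p) % p

def solve_linear(a, c, n):
    """Every x in Z_n with a*x = c (mod n): divide by d = gcd(a, n), invert, lift d candidates."""
    d = gcd(a, n)
    if c % d:
        return
    n_t = n // d
    x_t = (c // d) * pow((a // d) % n_t, -1, n_t) % n_t
    for i in range(d):
        yield i * n_t + x_t

def recover_secret(pk, m1, sig1, m2, sig2):
    """Return x from two signatures that share a = g^k mod p, or None if they do not."""
    p, g, y = pk
    (a, b1), (a2, b2) = sig1, sig2
    if a != a2:
        return None
    # m1 - m2 = k (b1 - b2) (mod p-1): the d = gcd(b1 - b2, p-1) candidates are
    # k = i*p~ + k~, and the right one is the one with g^k == a.
    for k in solve_linear(b1 - b2, m1 - m2, p - 1):
        if pow(g, k, p) != a:
            continue
        # x a = m1 - k b1 (mod p-1), solved the same way so a need not be invertible.
        for x in solve_linear(a, m1 - k * b1, p - 1):
            if pow(g, x, p) == y:
                return x
    return None

def demo():
    pk, x = setup()
    p = pk[0]
    rng = random.Random(3)
    k = rng.randrange(1, p - 1)                # one k reused for two messages
    while gcd(k, p - 1) != 1:
        k = rng.randrange(1, p - 1)
    m1, m2 = 4242 % (p - 1), 9001 % (p - 1)
    sig1, sig2 = sign(pk, x, m1, k=k), sign(pk, x, m2, k=k)
    assert verify(pk, m1, sig1) and verify(pk, m2, sig2)
    return recover_secret(pk, m1, sig1, m2, sig2), x

if __name__ == "__main__":
    print(demo())
```

The defensive takeaway matches the slide: the leak comes entirely from the repeated $a$, so a signer must draw a fresh $k$ for every message (deterministic derivation of $k$ from the key and message, as in RFC 6979 for DSA, is the usual fix).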
The Digital Signature Algorithm (DSA)
• A modification of the ElGamal scheme
• Proposed by the U.S. National Institute of Standards and Technology (NIST) in August 1991
• Became a U.S. Federal Information Processing Standard (FIPS 186) in 1994, called the Digital Signature Standard (DSS)
The Digital Signature Algorithm (DSA)
public key $p, q, g, y$
• $p, q$ are primes such that
 – $2^{159} < q < 2^{160}$
 – $2^{511+64t} < p < 2^{512+64t}$ for some $0 \le t \le 8$
 – $q$ divides $p-1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod p$
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_q$
The Digital Signature Algorithm (DSA)
sign: $(a, b)$ is a signature of a message $m \in \mathbb{Z}_q$
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $a = (g^k \bmod p) \bmod q$
3. $b = (m + xa)k^{-1} \bmod q$
verification: $(a, b)$ is a valid signature of $m$ if
$(g^{u_1} y^{u_2} \bmod p) \bmod q = a$
where
$u_1 = mb^{-1} \bmod q$
$u_2 = ab^{-1} \bmod q$
How the Verification Works
From the signing algorithm,
$b = (m + xa)k^{-1} \bmod q$
$k = (m + xa)b^{-1} \bmod q$
Thus, since $g$ has order $q$ and exponents can be reduced modulo $q$,
$g^k \equiv g^{mb^{-1}} g^{xab^{-1}} \pmod p$
$g^k \equiv g^{mb^{-1}} y^{ab^{-1}} \pmod p$
that is, $g^k \equiv g^{u_1} y^{u_2} \pmod p$, and therefore $(g^{u_1} y^{u_2} \bmod p) \bmod q = (g^k \bmod p) \bmod q = a$.
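A complete toy DSA, as an added example that is not code from the lecture notes: parameter generation with $q \mid p-1$ and $g = h^{(p-1)/q} \bmod p$ of order $q$, key generation, signing, verification, and a check of the identity $g^k \equiv g^{u_1} y^{u_2} \pmod p$ that the verification above rests on. The bit lengths are scaled far below the slide's $2^{159} < q < 2^{160}$ so the demo runs offline in well under a second; the SHA-256 digest step and the retry when $a = 0$ or $b = 0$ (required by FIPS 186, not shown on the slide) are my additions.

```python
import hashlib
import random

# DSA with toy-sized parameters (q | p-1, g of order q): key generation, signing,
# verification, and a check of the identity g^k == g^{u1} y^{u2} (mod p) behind it.
# Added example, not from the lecture notes. Real DSA uses a 160-bit q and a
# 512..1024-bit p as on the slide; the sizes below only keep the demo fast.

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def generate_params(q_bits=16, p_bits=32, seed=5):
    """Toy (p, q, g): q prime, p = c*q + 1 prime, g = h^((p-1)/q) mod p with g != 1."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_prime(q):
            continue
        for _ in range(100):
            c = 2 * (rng.getrandbits(p_bits - q_bits - 1) | (1 << (p_bits - q_bits - 2)))
            p = c * q + 1                        # c even keeps p odd
            if is_prime(p):
                h = 2
                while pow(h, (p - 1) // q, p) == 1:
                    h += 1
                return p, q, pow(h, (p - 1) // q, p)

def keygen(params, seed=1):
    p, q, g = params
    x = random.Random(seed).randrange(1, q)      # secret key x in Z_q
    return (p, q, g, pow(g, x, p)), x            # pk = (p, q, g, y)

def hash_to_zq(message, q):
    # Sign a SHA-256 digest reduced into Z_q (see the message-digest slide).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def sign(pk, x, m, rng=random):
    p, q, g, _ = pk
    while True:
        k = rng.randrange(1, q)                  # k in Z_q^*
        a = pow(g, k, p) % q
        b = (m + x * a) * pow(k, -1, q) % q      # pow(., -1, .) needs Python 3.8+
        if a and b:   # FIPS 186 retries on a == 0 or b == 0 (not stated on the slide)
            return a, b

def verify(pk, m, sig):
    p, q, g, y = pk
    a, b = sig
    if not (0 < a < q and 0 < b < q):
        return False
    w = pow(b, -1, q)
    u1, u2 = m * w % q, a * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == a

def verification_identity_holds(pk, x, m, rng=random):
    """Draw a fresh k, form (a, b) and confirm g^k == g^{u1} y^{u2} (mod p) before any mod q."""
    p, q, g, y = pk
    while True:
        k = rng.randrange(1, q)
        a = pow(g, k, p) % q
        b = (m + x * a) * pow(k, -1, q) % q
        if b:                                    # b = 0 is rejected at signing time anyway
            break
    w = pow(b, -1, q)
    return pow(g, k, p) == pow(g, m * w % q, p) * pow(y, a * w % q, p) % p

def demo():
    params = generate_params()
    pk, x = keygen(params)
    m = hash_to_zq(b"release build 1.4.2", params[1])
    sig = sign(pk, x, m, random.Random(2))
    return verify(pk, m, sig), verification_identity_holds(pk, x, m, random.Random(3))

if __name__ == "__main__":
    print(demo())
```

Verification never needs $k$ or $x$: it reconstructs $g^k \bmod p$ from the public values alone, which is exactly what the derivation above shows.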
The Schnorr Scheme
public key $p, q, g, y$
• $p, q$ are primes such that $q \mid p-1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod p$
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_q$
This scheme also requires a collision-resistant hash function $h : \{0,1\}^* \to \mathbb{Z}_q^*$.
The Schnorr Scheme
sign: $(e, s)$ is a signature of a message $m$
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $e = h(r, m)$ where $r = g^k \bmod p$
3. $s = k - ex \bmod q$
verification: $(e, s)$ is a valid signature of $m$ if
$e = h(r', m)$
where
$r' = g^s y^e \bmod p$
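The Schnorr scheme as an added example (not code from the lecture notes), including the hash-then-sign step that the next slide describes: $h(r, m)$ is computed as SHA-256 over $r$ and the arbitrary-length message $m$, reduced into $\mathbb{Z}_q^*$. The group $(P, Q, G)$ is a constructed toy instance of the setting above ($607 = 6 \cdot 101 + 1$, so $Q \mid P-1$, and $G = 2^6 \bmod 607$ has order $Q$); with only 100 possible hash values it is far too small for real use, and the verifier's acceptance of a wrong message is correspondingly around one in a hundred, which is why real deployments use a $q$ of at least 160 bits.

```python
import hashlib
import random

# Schnorr signatures over a constructed toy group, with the hash-then-sign step
# built in: h(r, m) is SHA-256 over r and the arbitrary-length message m, reduced
# into Z_Q^*. Added example, not from the lecture notes; P and Q are far too small
# for real use and only keep the demo self-contained.

P, Q = 607, 101                  # primes with Q | P-1 (607 = 6*101 + 1)
G = pow(2, (P - 1) // Q, P)      # 2^6 mod 607 = 64, which has order Q

def h(r, m):
    """h : {0,1}^* -> Z_Q^*; r is encoded in 4 bytes, m is raw bytes of any length."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + m).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def keygen(rng):
    x = rng.randrange(1, Q)                # secret key x in Z_Q
    return pow(G, x, P), x                 # public key y = G^x mod P

def sign_with_k(x, m, k):
    """Signing with an explicit k in Z_Q^*; also returns r so the identity can be checked."""
    r = pow(G, k, P)
    e = h(r, m)
    s = (k - e * x) % Q
    return (e, s), r

def sign(x, m, rng):
    return sign_with_k(x, m, rng.randrange(1, Q))[0]

def reconstruct_r(y, sig):
    """r' = G^s y^e mod P, which equals r because G^s y^e = G^(k - ex) G^(xe) = G^k."""
    e, s = sig
    return pow(G, s, P) * pow(y, e, P) % P

def verify(y, m, sig):
    e, s = sig
    if not (0 < e < Q and 0 <= s < Q):
        return False
    return e == h(reconstruct_r(y, sig), m)

def demo(seed=11):
    rng = random.Random(seed)
    y, x = keygen(rng)
    msg = b"a message of arbitrary length, hashed before signing; " * 20
    sig = sign(x, msg, rng)
    return verify(y, msg, sig)

if __name__ == "__main__":
    print(demo())
```

Note that $s$ may legitimately be $0$ (when $k \equiv ex \pmod q$), so the range check on $s$ is $0 \le s < q$ while $e$, being a hash value in $\mathbb{Z}_q^*$, must be non-zero.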
Digital Signature and Message Digest
To sign a message $m$ of arbitrary length, a signer first computes a message digest $h(m)$ of $m$ with a hash function $h$ and then creates a signature for $h(m)$.
The hash function $h$ should be collision-resistant.
Def. 1 A hash function $h : D \to R$ is collision-resistant if it is difficult to find a pair of inputs $x, x' \in D$ such that $h(x) = h(x')$ and $x \ne x'$. □
Security of Signature Schemes (1/2)
Adversarial goal
• total break
An adversary is able to create a valid signature for any message.
• selective forgery
An adversary is able to create a valid signature for a given
message chosen by someone else.
• existential forgery
An adversary is able to create a valid signature for at least one
message.
Security of Signature Schemes (2/2)
Attack
• key-only attack
An adversary only knows the public key of the signer.
• known message attack
An adversary knows a list of messages and their corresponding
signatures.
• chosen message attack
An adversary is able to request signatures for messages he selects.
Chosen Message Attack
[Figure: the adversary A selects messages $m_1, \dots, m_q$ and sends each $m_i$ to the signing oracle O; the oracle answers with $s_i \leftarrow S(pk, sk, m_i)$, so A obtains the signatures $s_1, \dots, s_q$ on messages of its own choice.]
Provably Secure Signature Schemes
Efficient and provably secure schemes have been proposed based
on the intractability of number theoretic problems in the random
oracle model.
These schemes are secure against existential forgery with a chosen
message attack.
The Schnorr Scheme Is Provably Secure
Thm. 1 Suppose that the discrete logarithm problem is intractable. Then, the Schnorr scheme is secure against existential forgery with a chosen message attack in the random oracle model. □
(Proof sketch) In the random oracle model,
• An oracle is able to simulate the signer without the secret key.
• If an adversary is able to create a valid signature with non-negligible probability, then an algorithm can be constructed that computes the discrete logarithm of the public key with non-negligible probability, using the adversary as a subroutine.
Simulation of the Signer in the Random Oracle Model
public key $p, q, g, y$
secret key $x \in \mathbb{Z}_q$, where $y = g^x \bmod p$
Suppose that an adversary requests a signature for $m$. The oracle computes $(e, s)$ in the following way, without using $x$, and returns it to the adversary.
1. Select $e, s \in \mathbb{Z}_q^*$ randomly and compute $\tilde r = g^s y^e \bmod p$
2. Set $h(\tilde r, m) = e$, i.e. fix the random oracle's answer on the query $(\tilde r, m)$ to $e$
Simulation of the Signer in the Random Oracle Model
[Figure: left, the adversary interacts with the oracle, which answers signing queries $m_i \mapsto (e_i, s_i)$ and also controls the random oracle $h$; right, the adversary interacts with the real signer, which answers $m_i \mapsto (e_i, s_i)$ using the secret key and, like the adversary, can only query the random oracle $h$.]
Adversaries cannot distinguish between the above two situations.
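The two situations in the figure, as an added example that is not code from the lecture notes: a programmable random oracle, the real signer (which holds $x$ and may only query $h$), and the simulator from the previous slide (which holds only $y$ but may fix $h$'s answer on $(\tilde r, m)$). Both outputs pass the Schnorr verification against the respective oracle. The toy group $(P, Q, G)$ is the same constructed instance as in the Schnorr example, the `RandomOracle` class is my own modelling device, and the retry in the simulator covers the edge case the proof has to handle: the point $(\tilde r, m)$ was already queried and answered with a different value.

```python
import random

# Simulating the Schnorr signer in the random oracle model. The simulator knows
# only the public key y, picks (e, s) first, computes r~ = G^s y^e mod P, and then
# fixes the oracle's answer h(r~, m) := e; verification cannot tell its output
# from a real signature. Added example, not from the lecture notes; the toy group
# (P, Q, G) is constructed and far too small for real use.

P, Q = 607, 101                  # primes with Q | P-1 (607 = 6*101 + 1)
G = pow(2, (P - 1) // Q, P)      # element of order Q

class RandomOracle:
    """h : (r, m) -> Z_Q^*, answered lazily with fresh random values; entries may be programmed."""
    def __init__(self, rng=None):
        self.rng, self.table = rng or random.Random(), {}

    def query(self, r, m):
        if (r, m) not in self.table:
            self.table[(r, m)] = self.rng.randrange(1, Q)
        return self.table[(r, m)]

    def program(self, r, m, e):
        """Fix h(r, m) = e; fails if the point was already answered with a different value."""
        if self.table.get((r, m), e) != e:
            return False
        self.table[(r, m)] = e
        return True

def real_sign(oracle, x, m, rng):
    """The genuine signer: needs the secret x and can only query h."""
    k = rng.randrange(1, Q)
    e = oracle.query(pow(G, k, P), m)
    return e, (k - e * x) % Q

def simulated_sign(oracle, y, m, rng):
    """The simulator from the slide: no secret key, but control over h."""
    while True:
        e, s = rng.randrange(1, Q), rng.randrange(1, Q)
        r_tilde = pow(G, s, P) * pow(y, e, P) % P
        if oracle.program(r_tilde, m, e):      # retry if (r~, m) was already answered
            return e, s

def verify(oracle, y, m, sig):
    e, s = sig
    if not (0 < e < Q and 0 <= s < Q):
        return False
    return e == oracle.query(pow(G, s, P) * pow(y, e, P) % P, m)

def demo(seed=5):
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    m = b"query from the adversary"
    h_real, h_sim = RandomOracle(rng), RandomOracle(rng)
    genuine = real_sign(h_real, x, m, rng)
    simulated = simulated_sign(h_sim, y, m, rng)      # never touches x
    return verify(h_real, y, m, genuine), verify(h_sim, y, m, simulated)

if __name__ == "__main__":
    print(demo())
```

The simulation only works because the oracle's answers are uniform in $\mathbb{Z}_q^*$ and chosen after the query: with a fixed real hash such as SHA-256 there is nothing to program, which is exactly the gap between a random-oracle proof and a deployed scheme.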