Digital Signatures

Applied Handbook of Cryptography: Chapt 11

slides courtesy of Xuhua Ding

Outline

- Framework
- RSA-related signature schemes
- DSA-related signature schemes
- One-time digital signatures
- Arbitrated signature schemes
- Signatures with added functionality

Framework

Digital signatures can provide:
- Authentication
- Data integrity
- Non-repudiation

One application: certification of public keys in large networks

Framework (cont)

Definitions
- Digital signature: a data string which associates a message with some originating entity
- Digital signature generation algorithm: a method for producing a digital signature
- Digital signature scheme: consists of a signature generation algorithm and an associated verification algorithm

Framework (cont)

Notation
- M: message space
- M_S: signing space
- S: signature space
- R: a one-one mapping from M to M_S, called the redundancy function
- M_R: the image of R
- R^{-1}: the inverse of R
- h: a one-way function with domain M
- M_h: hash value space, the image of h (h: M → M_h)

Framework (cont)

Taxonomy of digital signatures (tree)
signature schemes
  with message recovery: deterministic or randomized
  with appendix: randomized or deterministic

Framework (cont)

Schemes with appendix
- Require the message as input to the verification algorithm
- Rely on cryptographic hash functions rather than customized redundancy functions
- DSA, ElGamal, Schnorr, etc.

Framework (cont)

Digital Signature with Appendix (diagram)
m ∈ M --h--> m_h ∈ M_h --S_{A,k}--> s* ∈ S
V_A: M_h × S → {True, False}
s* = S_{A,k}(m_h), u = V_A(m_h, s*)

Framework (cont)

Desirable properties
- For each k ∈ R, S_{A,k} should be efficient to compute
- V_A should be efficient to compute
- It should be computationally infeasible for an entity other than the signer to find an m ∈ M and an s* ∈ S such that V_A(m', s*) = true, where m' = h(m)

Framework (cont)

Digital Signature with Message Recovery (diagram)
Signing: m ∈ M --R--> m_r ∈ M_R --S_{A,k}--> s* ∈ S
Verification: s* ∈ S --V_A--> m_r ∈ M_R --R^{-1}--> m ∈ M

Framework (cont)

Desirable properties
- For each k ∈ R, S_{A,k} should be efficient to compute
- V_A should be efficient to compute
- It should be computationally infeasible for an entity other than A to find any s* ∈ S such that V_A(s*) ∈ M_R

Framework (cont)

Message recovery scheme applied to a hashed message (diagram)
m ∈ M --h--> m_h ∈ M_h --R--> m_r ∈ M_R --S_{A,k}--> s* ∈ S

Framework (cont)

Breaking a signature scheme
- Total break: the private key is compromised
- Selective forgery: the adversary can create a valid signature on a preselected message
- Existential forgery: the adversary can create a valid signature with no control over the message

Framework (cont)

Types of attacks
- Key-only: the adversary knows only the public key
- Message attacks
  - Known-message attack: the adversary has signatures for a set of messages which are known to the adversary but not chosen by him
  - Chosen-message attack: the adversary obtains valid signatures for a list of messages of his choice (non-adaptive)
  - Adaptive chosen-message attack: the adversary can use the signer as an oracle

RSA

Key generation: n, p, q, e, d
Sign
- Compute m_r = R(m)
- Compute s = m_r^d mod n
- The signature for m is s
Verify
- Obtain the authentic public key (n, e)
- Compute m_r = s^e mod n
- Verify that m_r ∈ M_R
- Recover m = R^{-1}(m_r)

RSA (cont)

Attacks
- Integer factorization
- Homomorphic property
- Reblocking problem: if signatures are encrypted, different modulus sizes can render the message unrecoverable
- Importance of the redundancy function: ISO/IEC 9796
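To make the "homomorphic property" and "importance of the redundancy function" points concrete, here is an added example (written for this page, not taken from the slides or the Handbook): RSA with message recovery using the simple redundancy function R(m) = m || m, beside the same scheme with no redundancy at all. The primes, modulus and message width are constructed toy values, far too small for real use.

```python
# Constructed toy RSA parameters (far too small for real use): two Mersenne primes.
P, Q = 131071, 524287            # 2^17 - 1 and 2^19 - 1
N = P * Q
E = 65537                        # coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))
T = 16                           # message width in bits; R maps T bits to 2T bits, and 2T < lg N

def R(m: int) -> int:
    """Redundancy function R(m) = m || m: the T-bit message repeated twice."""
    if not 0 <= m < (1 << T):
        raise ValueError("message must fit in T bits")
    return (m << T) | m

def R_inv(mr: int):
    """Return m if mr lies in M_R (at most 2T bits, both halves equal), else None."""
    if mr >> (2 * T):
        return None
    hi, lo = mr >> T, mr & ((1 << T) - 1)
    return lo if hi == lo else None

def sign(m: int) -> int:
    """s = R(m)^d mod n."""
    return pow(R(m), D, N)

def verify_and_recover(s: int):
    """m_r = s^e mod n; accept only if m_r is in M_R, then recover m = R^{-1}(m_r)."""
    if not 0 < s < N:
        return None
    return R_inv(pow(s, E, N))

def multiply_signatures(s1: int, s2: int) -> int:
    """Homomorphic property of RSA: (s1 * s2)^e = R(m1) * R(m2) mod n."""
    return (s1 * s2) % N

# The same scheme with the identity as redundancy function: no R at all.
def sign_raw(m: int) -> int:
    return pow(m, D, N)

def recover_raw(s: int) -> int:
    return pow(s, E, N)
```

With R in place the product of two signatures is still a valid RSA relation but its "recovered" value is not in M_R, so verification rejects it; without R the same product is accepted as a signature on m1 * m2.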

RSA (cont)

Performance (p, q are k-bit primes)
- Signature: O(k^3)
- Verification: O(k^2)
Bandwidth
- Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in M_S for a 2k-bit signature (efficiency of 1/2)

DSA

DSA algorithm: key generation
1. Select a prime q of 160 bits
2. Choose 0 ≤ t ≤ 8, select 2^(511+64t) < p < 2^(512+64t) with q | p-1
3. Select g in Z_p^*, and α = g^((p-1)/q) mod p, α ≠ 1
4. Select 1 ≤ a ≤ q-1, compute y = α^a mod p
5. Public key (p, q, α, y), private key a

DSA (cont)

DSA signature generation
- Select a random integer k, 0 < k < q
- Compute r = (α^k mod p) mod q
- Compute k^{-1} mod q
- Compute s = k^{-1}(h(m) + ar) mod q
- Signature = (r, s)

DSA (cont)

DSA signature verification
- Verify 0 < r < q and 0 < s < q; if not, the signature is invalid
- Compute w = s^{-1} mod q and h(m)
- Compute u1 = w·h(m) mod q, u2 = r·w mod q
- Compute v = (α^{u1} y^{u2} mod p) mod q
- Valid iff v = r

Why verification works (from s = k^{-1}(h(m) + ar) mod q):
$$h(m) + ar \equiv sk \pmod q$$
$$u_1 + a u_2 = w\,h(m) + a r w = w\,(h(m) + ar) \equiv k \pmod q$$
$$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (\alpha^{u_1 + a u_2} \bmod p) \bmod q = (\alpha^{k} \bmod p) \bmod q = r$$
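The key generation, signing and verification steps above, worked as an added example (not code from the slides). The group parameters are constructed and tiny, with (p-1)/q = 10, so they show only the arithmetic; SHA-256 reduced mod q stands in for h, and the function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy parameters (not secure): q | p-1, alpha = g^((p-1)/q) mod p has order q.
P, Q = 10091, 1009
ALPHA = pow(2, (P - 1) // Q, P)   # = 1024, and ALPHA != 1 as step 3 requires

def h(m: bytes) -> int:
    """SHA-256 stands in for the slides' h; the value is reduced mod q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def keygen(a=None):
    """Steps 4-5: private a in [1, q-1], public y = alpha^a mod p."""
    if a is None:
        a = 1 + secrets.randbelow(Q - 1)
    return a, pow(ALPHA, a, P)

def sign_with_k(a: int, hm: int, k: int):
    """r = (alpha^k mod p) mod q, s = k^-1 (h(m) + a r) mod q; None if r or s is 0."""
    r = pow(ALPHA, k, P) % Q
    s = (pow(k, -1, Q) * (hm + a * r)) % Q
    return (r, s) if r and s else None

def sign(a: int, m: bytes):
    """Fresh secret k in (0, q) per message; re-select when r or s is 0 (as FIPS 186 does)."""
    while True:
        sig = sign_with_k(a, h(m), 1 + secrets.randbelow(Q - 1))
        if sig:
            return sig

def verify(y: int, m: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):   # range check before any inversion
        return False
    w = pow(s, -1, Q)
    u1, u2 = (w * h(m)) % Q, (r * w) % Q
    v = (pow(ALPHA, u1, P) * pow(y, u2, P) % P) % Q
    return v == r

def exponent_identity(a: int, hm: int, k: int) -> bool:
    """The correctness argument: u1 + a*u2 == k (mod q) for the k used to sign."""
    r, s = sign_with_k(a, hm, k)
    w = pow(s, -1, Q)
    u1, u2 = (w * hm) % Q, (r * w) % Q
    return (u1 + a * u2) % Q == k % Q
```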

DSA (cont)

Security of DSA
- Two distinct DL problems: Z_p^* and the cyclic subgroup of order q
- Parameters: q ~ 160 bits, p 768 bits to 1 Kbit; p, q, α can be system-wide
- Probability of failure: Pr[s = 0] = (1/2)^160

DSA (cont)

Performance
Signature generation
- One modular exponentiation
- Several 160-bit operations (if p is 768 bits)
- The exponentiation can be precomputed
Verification
- Two modular exponentiations

ElGamal

Key generation: p, q, α, a, y = α^a mod p
Signature generation
- Select random k, 1 ≤ k ≤ p-1, gcd(k, p-1) = 1
- Compute r = α^k mod p
- Compute k^{-1} mod (p-1)
- Compute s = k^{-1}(h(m) - ar) mod (p-1)
- Signature is (r, s)

ElGamal (cont)

Signature verification
- Verify 1 ≤ r ≤ p-1
- Compute v1 = y^r r^s mod p
- Compute h(m) and v2 = α^{h(m)} mod p
- Accept iff v1 = v2

Why verification works (from s = k^{-1}(h(m) - ar) mod (p-1)):
$$ks \equiv h(m) - ar \pmod{p-1}, \quad\text{so}\quad h(m) \equiv ar + ks \pmod{p-1}$$
$$\alpha^{h(m)} \equiv \alpha^{ar}\,\alpha^{ks} \equiv (\alpha^{a})^{r}\,(\alpha^{k})^{s} \equiv y^{r} r^{s} \pmod p$$

ElGamal (cont)

Security (based on the DL problem)
- Index-calculus attack: p should be large
- Pohlig-Hellman attack: p-1 should not be smooth
- Weak generators: if p ≡ 1 mod 4 and α | p-1, the DL can be broken for the subgroup S of order α. Forgeries are then possible

ElGamal (cont)

In addition, k must be unique for each message signed:
(s1 - s2) k = (h(m1) - h(m2)) mod (p-1)
An existential forgery attack can be mounted if a hash function is not used

ElGamal (cont)

Performance
Signature generation
- One modular exponentiation
- One Euclidean algorithm
- Both can be done offline
Verification
- Three modular exponentiations

Generalized ElGamal Signatures

One-Time Signatures

Definition: digital signature schemes used to sign at most one message; otherwise the signature can be forged. A new public key is required for each signed message.

Most one-time signature schemes have the property that signature generation and verification are both very efficient.

Rabin One-Time Signatures

Key generation
- Select a symmetric-key encryption scheme E (e.g., DES)
- Generate 2n random secret strings k1, k2, ..., k2n ∈ K, each of bit length l
- Compute y_i = E_{k_i}(M0(i)), i ∈ [1, 2n]
- Public key is (y1, y2, ..., y2n), private key is (k1, k2, ..., k2n)

Rabin One-Time Signatures

Signature generation: compute s_i = E_{k_i}(h(m)), i ∈ [1, 2n]; the signature is (s1, s2, ..., s2n)
Verification
- Compute h(m)
- Select n distinct random numbers r_j, r_j ∈ [1, 2n]
- Request from the signer the keys k_{r_j}, j: 1 ≤ j ≤ n
- Verify the n received keys, i.e., does y_{r_j} = E_{k_{r_j}}(M0(r_j))?
- Verify all s_{r_j} = E_{k_{r_j}}(h(m))

Rabin One-Time Signatures

Resolution of disputes: signer A, verifier B and TTP
- B provides m and the signature to the TTP
- TTP gets the private key k1, ..., k2n from A
- TTP verifies the authenticity of the private key
- TTP computes u_i = E_{k_i}(h(m)), 1 ≤ i ≤ n. If u_i = s_i for at most n values of i, it is a forgery. If n+1 or more values match, it is a valid signature

Rationale for the dispute resolution protocol: A can disavow with $\Pr = \binom{2n}{n}^{-1}$
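Key generation, signing, the verifier's n-key challenge and the TTP's dispute rule, as an added example (not code from the slides). HMAC-SHA256 stands in for the symmetric scheme E and a fixed all-zero block for M0; the TTP compares all 2n positions, as the Handbook's description of the rule does. Indices are 0-based and the names are this example's own.

```python
import hashlib
import hmac
import secrets

M0 = b"\x00" * 16   # assumed fixed public message from which the public key is derived

def E(key: bytes, msg: bytes) -> bytes:
    """Stand-in for the symmetric scheme E (the slides suggest DES); HMAC-SHA256 here."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()

def keygen(n: int, ell: int = 16):
    """2n secret strings of ell bytes; public key y_i = E_{k_i}(M0)."""
    ks = [secrets.token_bytes(ell) for _ in range(2 * n)]
    return ks, [E(k, M0) for k in ks]

def sign(ks, m: bytes):
    """s_i = E_{k_i}(h(m)) for every i; the whole list is the one-time signature."""
    return [E(k, h(m)) for k in ks]

def challenge(n: int):
    """Verifier picks n distinct indices out of the 2n positions."""
    return sorted(secrets.SystemRandom().sample(range(2 * n), n))

def reveal(ks, idx):
    """Signer hands over only the requested keys; the other n stay secret."""
    return {j: ks[j] for j in idx}

def verify(ys, m: bytes, sig, revealed) -> bool:
    """Each revealed key must reproduce both its public value y_j and its signature part s_j."""
    return all(E(k, M0) == ys[j] and E(k, h(m)) == sig[j] for j, k in revealed.items())

def ttp_resolve(ks, ys, m: bytes, sig) -> str:
    """TTP rule: given the full private key, n+1 or more matching positions means valid."""
    n = len(ks) // 2
    if any(E(k, M0) != y for k, y in zip(ks, ys)):
        return "private key does not match public key"
    matches = sum(E(k, h(m)) == s for k, s in zip(ks, sig))
    return "valid" if matches >= n + 1 else "forgery"
```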

Arbitrated Digital Signatures

Requires an unconditionally trusted TTP as part of signature generation and signature verification.

Each entity shares a symmetric key with the TTP.

Symmetric-key cryptography results in a very fast algorithm.

However, this speedup is outweighed by the overhead of the TTP and of the communication with it.

Arbitrated Digital Signatures

Signature generation (by A)
A → TTP: I_A, u = E_{k_A}(h(m))
TTP → A: s = E_{k_T}(h(m) || I_A)

Arbitrated Digital Signatures

Signature verification (by B)
B → TTP: I_B, v = E_{k_B}(s)
TTP → B: E_{k_B}(h(m) || I_A)

ESIGN key generation
- Compute n = p^2 q, select k > 3
- Public key (n, k), private key (p, q)
Sign message m
- Compute v = h(m); select random x, 0 ≤ x < pq
- w = ⌈((v - x^k) mod n) / (pq)⌉, y = w (k x^{k-1})^{-1} mod p
- Compute s = x + ypq mod n
Verify: compute u = s^k mod n, z = h(m); if z ≤ u ≤ z + 2^{⌈2 lg(n)/3⌉}, accept the signature

ESIGN (cont)

Why does this work? I refer you to the text, p. 473

Security of ESIGN
- Based on the factoring of large integers. Not known whether n = p^2 q is easier to factor than an RSA modulus
- Given m and s, in order to forge a signature for m', we must have that
$$h(m') \le s^k \bmod n \le h(m') + 2^{\lceil 2\lg(n)/3 \rceil}$$
- Assuming h behaves like a random function, we would expect to try 2^{lg(n)/3} different values of m'

ESIGN (cont)

Efficiency of ESIGN
- The only modular exponentiation is with parameter k, which may be taken to be quite small (e.g., k = 4)
- For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation

Blind signature scheme

Definition: A sends a piece of information to B. B signs it and returns the signature to A. From this signature, A can compute B's signature on a message m of A's choice, chosen a priori. At the completion of the protocol, B knows neither m nor the signature associated with it.

Application: e-cash

Blind signature scheme (cont)

Chaum: sender A, signer B
- B's RSA public and private keys are as usual. k is a random secret integer chosen by A, satisfying 0 ≤ k < n
Protocol actions
- (blinding) A: computes m* = m k^e mod n, sends it to B. Note: (m k^e)^d = m^d k
- (signing) B: computes s* = (m*)^d mod n, sends it to A
- (unblinding) A: computes s = k^{-1} s* mod n
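The three protocol actions above with both parties' computations, as an added example (not code from the slides): B signs what it receives without learning m, and the unblinded result is B's ordinary RSA signature on m. The RSA key is built from constructed toy primes, far too small for real use, and k is required to be invertible mod n so that unblinding is possible.

```python
import math
import secrets

# B's RSA key pair (constructed toy primes, far too small for real use).
P, Q = 131071, 524287
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def blind(m: int, k=None):
    """A: pick a secret k with gcd(k, n) = 1 and blind the message: m* = m k^e mod n."""
    if k is None:
        k = 1 + secrets.randbelow(N - 1)
        while math.gcd(k, N) != 1:            # k must be invertible mod n for unblinding
            k = 1 + secrets.randbelow(N - 1)
    elif not (0 < k < N and math.gcd(k, N) == 1):
        raise ValueError("k must satisfy 0 < k < n and gcd(k, n) = 1")
    return (m * pow(k, E, N)) % N, k

def sign_blinded(m_star: int) -> int:
    """B: plain RSA signing of whatever arrives; B never sees m."""
    return pow(m_star, D, N)

def unblind(s_star: int, k: int) -> int:
    """A: s = k^-1 s* mod n, because (m k^e)^d = m^d k mod n."""
    return (pow(k, -1, N) * s_star) % N

def verify(m: int, s: int) -> bool:
    """Anyone: s is B's ordinary RSA signature on m."""
    return pow(s, E, N) == m % N

def run_protocol(m: int, k=None):
    """Full exchange; returns (m*, s*, s) so B's view and A's result can be compared."""
    m_star, k = blind(m, k)
    s_star = sign_blinded(m_star)
    return m_star, s_star, unblind(s_star, k)
```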

Undeniable Signature Schemes

Definition: signature verification requires the cooperation of signer

Chaum-van Antwerpen key generation
- Select a random prime p = 2q + 1, q prime
- Select a generator α for the subgroup of order q in Z_p^*
- Select random a ∈ {1, 2, ..., q-1}, y = α^a mod p
- Public key (p, α, y), private key a

Chaum-van Antwerpen

Signature generation: compute s = m^a mod p
Verification
- B selects random secret integers x1, x2 ∈ {1, 2, ..., q-1}
- B computes z = s^{x1} y^{x2} mod p, and sends z to A
- A computes w = z^{a^{-1}} mod p (a^{-1} taken mod q), and sends w to B
- B computes w' = m^{x1} α^{x2} mod p. Valid iff w = w'
Why it works:
$$w = z^{a^{-1}} = (s^{x_1} y^{x_2})^{a^{-1}} = (m^{a x_1}\,\alpha^{a x_2})^{a^{-1}} = m^{x_1}\,\alpha^{x_2} = w' \pmod p$$

Chaum-van Antwerpen

If s is a forgery, B accepts it with probability 1/q, independent of the adversary's computational resources.

A could attempt to disavow a signature by refusing to participate in verification, by performing the verification incorrectly, or by claiming a signature is a forgery even though the verification protocol is successful.

Chaum-van Antwerpen

Disavowal protocol
- Select two pairs (x1, x2) and (x'1, x'2) and run the verification twice, obtaining w and w'
- Compute c = (w α^{-x2})^{x'1} mod p and c' = (w' α^{-x'2})^{x1} mod p; if c = c', s is a forgery, otherwise s is valid and A is attempting to disavow the signature

Let m be a message and s a signature on m
- If s ≠ m^a mod p and the disavowal protocol runs correctly, then c = c'
- If s = m^a mod p and B follows the protocol but A does not, then Pr[c = c'] is 1/q
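The verification protocol and the disavowal protocol above, as one added example (not code from the slides): A's side is a callable, so an honest signer with a valid signature, an honest signer faced with a forged s, and a signer trying to disavow a valid signature can all be run through the same B-side code. Messages are mapped into the order-q subgroup by squaring a hash, which the correctness argument needs, and B also checks that s lies in that subgroup. p = 2q + 1 is a constructed toy safe prime, not a secure parameter.

```python
import hashlib
import secrets

# Constructed toy parameters (not secure): p = 2q + 1, alpha = 4 generates the order-q subgroup.
P, Q = 1019, 509
ALPHA = 4
_rand = secrets.SystemRandom()

def to_subgroup(m: bytes) -> int:
    """Map a message into the order-q subgroup (the squares mod p), as the scheme requires."""
    x = int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1) + 1
    return pow(x, 2, P)

def keygen(a=None):
    if a is None:
        a = _rand.randrange(1, Q)
    return a, pow(ALPHA, a, P)        # private a, public y

def sign(a: int, m: bytes) -> int:
    return pow(to_subgroup(m), a, P)  # s = m^a mod p

def honest_responder(a: int):
    """A's side of verification: w = z^(a^-1 mod q) mod p."""
    return lambda z: pow(z, pow(a, -1, Q), P)

def cheating_responder(a: int):
    """A answers with a wrong value, trying to make a valid signature fail."""
    return lambda z: pow(z, pow(a, -1, Q), P) * ALPHA % P

def verify_round(y: int, m: bytes, s: int, respond):
    """B's side: one challenge/response; returns (x1, x2, w, accepted)."""
    x1, x2 = _rand.randrange(1, Q), _rand.randrange(1, Q)
    z = pow(s, x1, P) * pow(y, x2, P) % P
    w = respond(z)
    w_prime = pow(to_subgroup(m), x1, P) * pow(ALPHA, x2, P) % P
    in_group = pow(s, Q, P) == 1      # s must lie in the order-q subgroup
    return x1, x2, w, in_group and w == w_prime

def disavow(y: int, m: bytes, s: int, respond) -> str:
    """Run verification twice; c == c' means s is a forgery, otherwise A is disavowing."""
    x1, x2, w, ok1 = verify_round(y, m, s, respond)
    x1p, x2p, wp, ok2 = verify_round(y, m, s, respond)
    if ok1 and ok2:
        return "valid"
    c = pow(w * pow(ALPHA, -x2, P) % P, x1p, P)
    cp = pow(wp * pow(ALPHA, -x2p, P) % P, x1, P)
    return "forgery" if c == cp else "signer is disavowing"
```

With an honest A, a forged s is rejected in every round and the disavowal protocol always reports a forgery; a disavowing A is caught except with probability about 1/q, when the two x1 values happen to coincide.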

