Digital Signatures

Applied Handbook of Cryptography: Chapt 11

slides courtesy of Xuhua Ding

Outline
     

Framework RSA related signature schemes DSA related signature schemes One-time digital signatures Arbitrated signature schemes Signatures with added functionality

Framework
Digital Signatures can provide  Authentication  Data Integrity  Non-Repudiation One Application  Certification of public keys in large networks

Framework (cont)


Definitions


Digital Signature - a data string which associates a message with some originating entity Digital Signature Generation Algorithm a method for producing a digital signature Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

Framework (cont)


Notation
M message space MS signing space S signature space R a one-one mapping from M to MS called the redundancy function MR the image of R R-1 the inverse of R h a one-way function with domain M Mh hash value space, the image of h (h: Mp Mh)

Framework (cont)


Taxonomy of digital signatures

randomized message recovery deterministic signature schemes randomized appendix deterministic

Framework (cont)


Schemes with appendix

 

Requires the message as input to verification algorithm Rely on cryptographic hash functions rather than customized redundancy functions DSA, ElGamal, Schnorr etc.

Framework (cont)


Digital Signature with Appendix

M m h

Mh m
h

S SA,k s* s* = SA,k(mh) u = VA(mh, s*)

Mh x S

VA

u {True, False}

Framework (cont)


Desirable Properties
  

For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than the signer to find an m M and an s S such that VA(m , s*) = true, where m = h(m)

Framework (cont)


Digital Signature with Message Recovery

M m R

MR mr MS

S SA,k s*

S s* VA

MR mr R-1

M m

Framework (cont)


Desirable properties
  

For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than A to find any s* S such that VA(s*) MR

Framework (cont)

M m h

Mh m
h

MR R mr MS

S SA,k s*

Framework (cont)


Breaking a signature scheme

 

Total Break: private key is comprimised Selective forgery: adversary can create a valid signature on a preselected message Existential forgery: adversary can create a valid signature with no control over the message

Framework (cont)


Types of attacks
 

Key-only: adversary knows only the public key Message attacks



Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) Adaptive chosen-message attack: adversary can use the signer as an oracle

RSA
 

Key generation n, p, q, e, d Sign

  

Compute mr = R(m) Compute s = mrd mod n The signature for m is s Obtain authentic public key (n, e) Compute mr = se mod n Verify that mr Mr Recover m = R-1(mr)

Verify
   

RSA (cont)


Attacks
 

Integer factorization Homomorphic property If signatures are encrypted different modulus sizes can render the message unrecoverable ISO/IEC 9796

Reblocking problem


Importance of the redundancy function



RSA (cont)


Performance (p, q are k-bit primes)

 

Signature O(k3) Verification O(k2) Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of )

Bandwidth


DSA


DSA Algorithm : key generation

1. 2. 3. 4. 5.

select a prime q of 160 bits Choose 0ete8, select 2511+64t <p< 2512+64t with q|p-1 Select g in Zp*, and E = g(p-1)/q mod p, E{1 Select 1 e a eq-1, compute y= Ea mod p public key (p,q, E,y), private key a

DSA (cont)


DSA signature generation

    

Select a random integer k, 0 < k < q Compute r=(Ek mod p) mod q compute k-1 mod q Compute s=k-1 (h(m) + ar) mod q signature = (r, s)

DSA (cont)


DSA signature verification

    

Verify 0<r<q and 0<s<q, if not, invalid Compute w= s-1mod q and h(m) Compute u1=wh(m)mod q,u2=rw mod q Compute v = (Eu1yu2 mod p) mod q Valid iff v=r

h( ) |  ar  ks (mod q ) wh ( )  arw | k (mod q ) u1  au 2 | k (mod q ) E u1 y u2 mod p (mod q ) ! E k mod p (mod q )

DSA (cont)


Security of DSA


two distinct DL problems: ZP*, cyclic subgroup order q q~160bits, p 768~1Kb, p,q, E can be system wide Pr[s=0]= (1/2)160

Parameters:


Probability of failure


DSA (cont)


Performance


Signature Generation
  

One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be precomputed Two modular exponentiations

Verification


ElGamal
 

Key generation: p, q, E, a, y=Ea mod p Signature Generation

    

Select random k, 1 e k e p-1, gcd(k, p-1)=1 Compute r = Ek mod p Compute k-1 mod (p-1) Compute s = k-1  (h(m) - ar) mod (p-1) signature is (r,s)

ElGamal (cont)


Signature Verification
   

Verify 1 e r e p-1 Compute v1 = yrrs mod p Compute h(m) and v2= Eh(m) mod p Accept iff v1=v2

s | k 1{h(m)  ar} (mod p  1) ks | h(m)  ar (mod p  1) E h ( m ) | E ar  ks | (E a ) r r s (mod p )

ElGamal (cont)


Security (based on DL problem)

  

Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p | 1 mod 4, E|p-1, DL can be broken for subgroup S of order E. Forgeries are then possible

ElGamal (cont)


In addition


k must be unique for each message signed



(s1-s2)k=(h(m1)-h(m2))mod (p-1)

An existential forgery attack can be mounted if a hash function is not used

ElGamal (cont)


Performance


Signature Generation
  

One modular exponentiation One Euclidean Algorithm Both can be done offline Three modular exponentiations

Verification


Generalized ElGamal Signatures

One-Time Signatures


Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message. Most one-time signature schemes have the property that signature generation and verification are both very efficient

Rabin One-Time Signatures



Key generation
 

  

Select a symmetric key encryption scheme E (e.g. DES) Generate 2n random secret strings k1,k2...k2nK, each of bit length l Compute yi=Eki(M0(i)), i [1,2n]. Public key is (y1,y2,...y2n), private key is (k1,k2,...k2n).

Rabin One-Time Signatures



Signature Generation:
 

compute si=Eki(h(m)), i [1,2n] signature is (s1,s2,...s2n) Compute h(m) Select n distinct random number rj, rj[1,2n] Request from signer, the keys krj,  j: 1 e j e n Verify received n keys ie. does yrj= Ekr (M0(rj))? j Verify all srj = Ekr (h(m)),
j

Verification:
    

Rabin One-Time Signatures



Resolution of disputes: signer A, verifier B and TTP

   

B provides m and the signature to TTP TTP gets private key k1,...k2n from A TTP verifies authenticity of the private key TTP computes ui=Eki(h(m)), 1 e i e n. If ui = si for at most n values of i, it is forgery. If n+1 or more values match, it is valid signature

Rationale for dispute resolution protocol



A can disavow with Pr =

1 2n n

Arbitrated Digital Signatures



 

Requires an unconditionally TTP as part of the signature generation and signature verification. Each entity shares a symmetric key with the TTP Symmetric key cryptography results in a very fast algorithm However, this speedup is overshadowed by the TTP as well as communication overhead

Arbitrated Digital Signatures



Signature Generation (by A)

IA, = EkT(h(m)||IA) s u = EkA(h(m))

TTP

Arbitrated Digital Signatures



Signature Verification (by B)

IE, Bv = EkB(s)) B k (h(m)||IA

TTP

ESIGN


Key generation 2  Compute n=p q, select k>3  Public key(n,k), private (p,q) Sign message m  compute v=h(m), random x, 0 e x < pq k k-1)-1 mod p  w = ((v-x ) mod n/ (pq), y = w(kx  Compute s=x+ypq mod n Verify: k  compute u = s mod n, z = h(m) 2 lg(n)/3 , accept the signature  if z e u e z + 2

ESIGN (cont)


Why does this work? I refer you to the text p 473 Security of ESIGN
  

Based on factoring of large integers. Not known whether n=p2q is easier than factoring RSA modulus Given m and s, in order to forge a signature for m , we must have that 2 lg n 3 k

h(m' ) e s mod n e h(m' )  2

Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m

ESIGN (cont)


Efficiency of ESIGN  The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4)  For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation.

Blind signature scheme



Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B s signature on a priori message m of A s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it. Application: e-cash

Blind signature scheme (cont)



Chaum
 

Sender A; Signer B B s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 e k < n Protocol actions


 

(blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk (signing) B comp s* = (m*)d mod n, to A (unblinding) A: computes s = k-1s* mod n

Undeniable Signature Schemes



Definition: signature verification requires the cooperation of signer Chaum-van Antwerpen



Key generation
   

Select random prime p=2q+1, q is prime Select a generator E for the subgroup of order q in Zp* Select random a{1,2,...q-1}, y= Eamod p public (p, E, y), private a

Chaum-van Antwerpen


Signature Generation


compute s = ma mod p B selects a random secret integers x1, x2 {1,2,...q-1} B computes z = sx1yx2 mod p, and sends z to A A computes w = za-1mod p, and sends w to B B computes wd = mx1Ex2 mod p. Valid iff w= wd
a -1

Verification
   

w|z

| (s y )

x1

x 2 a 1

| (m

ax1

ax2 a 1

|m E

x1

x2

| w' mod p

Chaum-van Antwerpen


If s is a forgery, B accept it with pr=1/q and independent of adversary s computation resources A could attempt to disavow a signature
  

refuse to participate in verification perform the verification incorrectly claim a signature forgery even though the verification protocol is successful.

Chaum-van Antwerpen


Disavowal protocol
 

Select two pair (x1, x2) and (x 1, x 2) and verify twice Compute c = (wE-x2)x 1 mod p and cd = (wdE-x 2)x1 mod p, if c = cd, s is a forgery, otherwise s is valid and A is attempting to disavow the signature If s { ma mod p and the disavowal protocol runs correctly, then c=cd If s = ma mod p. B follows protocol, but A does not. The Pr[c=cd] is 1/q

Let m be message, s a signature on m