Professional Documents
Culture Documents
Ds ppt1
Ds ppt1
Outline
Framework RSA related signature schemes DSA related signature schemes One-time digital signatures Arbitrated signature schemes Signatures with added functionality
Framework
Digital Signatures can provide Authentication Data Integrity Non-Repudiation One Application Certification of public keys in large networks
Framework (cont)
Definitions
Digital Signature - a data string which associates a message with some originating entity Digital Signature Generation Algorithm a method for producing a digital signature Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm
Framework (cont)
Notation
M message space MS signing space S signature space R a one-one mapping from M to MS called the redundancy function MR the image of R R-1 the inverse of R h a one-way function with domain M Mh hash value space, the image of h (h: Mp Mh)
Framework (cont)
Framework (cont)
Requires the message as input to verification algorithm Rely on cryptographic hash functions rather than customized redundancy functions DSA, ElGamal, Schnorr etc.
Framework (cont)
M m h
Mh m
h
Mh x S
VA
u {True, False}
Framework (cont)
Desirable Properties
For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than the signer to find an m M and an s S such that VA(m , s*) = true, where m = h(m)
Framework (cont)
M m R
MR mr MS
S SA,k s*
S s* VA
MR mr R-1
M m
Framework (cont)
Desirable properties
For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than A to find any s* S such that VA(s*) MR
Framework (cont)
M m h
Mh m
h
MR R mr MS
S SA,k s*
Framework (cont)
Total Break: private key is comprimised Selective forgery: adversary can create a valid signature on a preselected message Existential forgery: adversary can create a valid signature with no control over the message
Framework (cont)
Types of attacks
Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) Adaptive chosen-message attack: adversary can use the signer as an oracle
RSA
Compute mr = R(m) Compute s = mrd mod n The signature for m is s Obtain authentic public key (n, e) Compute mr = se mod n Verify that mr Mr Recover m = R-1(mr)
Verify
RSA (cont)
Attacks
Integer factorization Homomorphic property If signatures are encrypted different modulus sizes can render the message unrecoverable ISO/IEC 9796
Reblocking problem
RSA (cont)
Signature O(k3) Verification O(k2) Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of )
Bandwidth
DSA
select a prime q of 160 bits Choose 0ete8, select 2511+64t <p< 2512+64t with q|p-1 Select g in Zp*, and E = g(p-1)/q mod p, E{1 Select 1 e a eq-1, compute y= Ea mod p public key (p,q, E,y), private key a
DSA (cont)
Select a random integer k, 0 < k < q Compute r=(Ek mod p) mod q compute k-1 mod q Compute s=k-1 (h(m) + ar) mod q signature = (r, s)
DSA (cont)
Verify 0<r<q and 0<s<q, if not, invalid Compute w= s-1mod q and h(m) Compute u1=wh(m)mod q,u2=rw mod q Compute v = (Eu1yu2 mod p) mod q Valid iff v=r
DSA (cont)
Security of DSA
two distinct DL problems: ZP*, cyclic subgroup order q q~160bits, p 768~1Kb, p,q, E can be system wide Pr[s=0]= (1/2)160
Parameters:
Probability of failure
DSA (cont)
Performance
Signature Generation
One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be precomputed Two modular exponentiations
Verification
ElGamal
Select random k, 1 e k e p-1, gcd(k, p-1)=1 Compute r = Ek mod p Compute k-1 mod (p-1) Compute s = k-1 (h(m) - ar) mod (p-1) signature is (r,s)
ElGamal (cont)
Signature Verification
Verify 1 e r e p-1 Compute v1 = yrrs mod p Compute h(m) and v2= Eh(m) mod p Accept iff v1=v2
ElGamal (cont)
Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p | 1 mod 4, E|p-1, DL can be broken for subgroup S of order E. Forgeries are then possible
ElGamal (cont)
In addition
(s1-s2)k=(h(m1)-h(m2))mod (p-1)
ElGamal (cont)
Performance
Signature Generation
One modular exponentiation One Euclidean Algorithm Both can be done offline Three modular exponentiations
Verification
One-Time Signatures
Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message. Most one-time signature schemes have the property that signature generation and verification are both very efficient
Key generation
Select a symmetric key encryption scheme E (e.g. DES) Generate 2n random secret strings k1,k2...k2nK, each of bit length l Compute yi=Eki(M0(i)), i [1,2n]. Public key is (y1,y2,...y2n), private key is (k1,k2,...k2n).
Signature Generation:
compute si=Eki(h(m)), i [1,2n] signature is (s1,s2,...s2n) Compute h(m) Select n distinct random number rj, rj[1,2n] Request from signer, the keys krj, j: 1 e j e n Verify received n keys ie. does yrj= Ekr (M0(rj))? j Verify all srj = Ekr (h(m)),
j
Verification:
B provides m and the signature to TTP TTP gets private key k1,...k2n from A TTP verifies authenticity of the private key TTP computes ui=Eki(h(m)), 1 e i e n. If ui = si for at most n values of i, it is forgery. If n+1 or more values match, it is valid signature
1 2n n
Requires an unconditionally TTP as part of the signature generation and signature verification. Each entity shares a symmetric key with the TTP Symmetric key cryptography results in a very fast algorithm However, this speedup is overshadowed by the TTP as well as communication overhead
TTP
TTP
ESIGN
Key generation 2 Compute n=p q, select k>3 Public key(n,k), private (p,q) Sign message m compute v=h(m), random x, 0 e x < pq k k-1)-1 mod p w = ((v-x ) mod n/ (pq), y = w(kx Compute s=x+ypq mod n Verify: k compute u = s mod n, z = h(m) 2 lg(n)/3 , accept the signature if z e u e z + 2
ESIGN (cont)
Why does this work? I refer you to the text p 473 Security of ESIGN
Based on factoring of large integers. Not known whether n=p2q is easier than factoring RSA modulus Given m and s, in order to forge a signature for m , we must have that 2 lg n 3 k
Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m
ESIGN (cont)
Efficiency of ESIGN The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4) For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation.
Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B s signature on a priori message m of A s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it. Application: e-cash
Chaum
Sender A; Signer B B s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 e k < n Protocol actions
(blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk (signing) B comp s* = (m*)d mod n, to A (unblinding) A: computes s = k-1s* mod n
Key generation
Select random prime p=2q+1, q is prime Select a generator E for the subgroup of order q in Zp* Select random a{1,2,...q-1}, y= Eamod p public (p, E, y), private a
Chaum-van Antwerpen
Signature Generation
compute s = ma mod p B selects a random secret integers x1, x2 {1,2,...q-1} B computes z = sx1yx2 mod p, and sends z to A A computes w = za-1mod p, and sends w to B B computes wd = mx1Ex2 mod p. Valid iff w= wd
a -1
Verification
w|z
| (s y )
x1
x 2 a 1
| (m
ax1
ax2 a 1
|m E
x1
x2
| w' mod p
Chaum-van Antwerpen
If s is a forgery, B accept it with pr=1/q and independent of adversary s computation resources A could attempt to disavow a signature
refuse to participate in verification perform the verification incorrectly claim a signature forgery even though the verification protocol is successful.
Chaum-van Antwerpen
Disavowal protocol
Select two pair (x1, x2) and (x 1, x 2) and verify twice Compute c = (wE-x2)x 1 mod p and cd = (wdE-x 2)x1 mod p, if c = cd, s is a forgery, otherwise s is valid and A is attempting to disavow the signature If s { ma mod p and the disavowal protocol runs correctly, then c=cd If s = ma mod p. B follows protocol, but A does not. The Pr[c=cd] is 1/q