Chapter 7-2: Signature Schemes
Signature Schemes
Outline
[1] Introduction
[2] Security Requirements for Signature Schemes
[3] The ElGamal Signature Scheme
[4] Variants of the ElGamal Signature Scheme
The Schnorr Signature Scheme
The Digital Signature Algorithm
The Elliptic Curve DSA
[5] Signatures with additional functionality
Blind Signatures
Undeniable Signatures
Fail-stop Signatures
[4] Variants of the ElGamal Signature Scheme
Schnorr Signature Scheme
Proposed in 1989
Greatly reduced the signature size
$\alpha^{\delta}\beta^{-\gamma} = \alpha^{k+a\gamma}\alpha^{-a\gamma} = \alpha^{k}$
Schnorr Signature Scheme Example
$L \equiv 0 \bmod 64$, $512 \le L \le 1024$
Digital Signature Algorithm
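For a (secret) random number $k$, define
$\mathrm{sig}(x,k) = (\gamma,\delta)$, where
$\gamma = (\alpha^{k} \bmod p) \bmod q$ and
$\delta = (\text{SHA-1}(x) + a\gamma)\,k^{-1} \bmod q$
$e_1 = \text{SHA-1}(x)\,\delta^{-1} \bmod q$
$e_2 = \gamma\,\delta^{-1} \bmod q$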
The signature (94,97) on the message digest 22 can be verified by the following computations:
$i = \text{SHA-1}(x)\,s^{-1} \bmod q$
$j = r\,s^{-1} \bmod q$
$(u,v) = iA + jB$
Blind signature schemes
A sends a piece of information to B
which B signs and returns to A. From
this signature, A can compute B’s
signature on an a priori message x of
A’s choice (B is a signer here!)
Chaum’s blind signature protocol (1983)
(A is a verifier and B is a signer, $(n,e)$ is the RSA public key of B and $d$ is the RSA private key of B)
1. A randomly selects a secret integer $k$
2. A computes $x^* = x k^{e} \bmod n$ and sends it to B
3. B computes $y^* = (x^*)^{d} \bmod n$ and sends it to A
4. A computes $y = k^{-1} y^* \bmod n$, which is B’s signature on $x$
(Note: the signer B does not know $(x,y)$, but $(x,y)$ is a message signed by B.)
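Chaum's four steps above as runnable Python (an added example, not part of the original slides). The toy key built from two Mersenne primes, the sample message and all function names are constructed for illustration, and this is textbook RSA with no hashing or padding, exactly as the protocol is stated.

```python
import math
import secrets

# Constructed toy key for signer B (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                      # B's public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))        # B's private exponent d

def blind(x, k=None):
    """Steps 1-2 (A): choose secret k, return (x*, k) with x* = x * k^e mod n."""
    if k is None:
        k = secrets.randbelow(N - 2) + 2
        while math.gcd(k, N) != 1:       # k must be invertible mod n for step 4
            k = secrets.randbelow(N - 2) + 2
    elif math.gcd(k, N) != 1:
        raise ValueError("k must be coprime to n")
    return (x * pow(k, E, N)) % N, k

def sign_blinded(x_star):
    """Step 3 (B): y* = (x*)^d mod n. B never sees x."""
    return pow(x_star, D, N)

def unblind(y_star, k):
    """Step 4 (A): y = k^-1 * y* mod n."""
    return (pow(k, -1, N) * y_star) % N

def verify(x, y):
    """Ordinary RSA check with B's public key: y^e mod n == x."""
    return pow(y, E, N) == x % N

def run_protocol(x, k=None):
    """Run all four steps; return what B saw (x*, y*) and what A ends up with (y)."""
    x_star, k = blind(x, k)
    y_star = sign_blinded(x_star)
    return x_star, y_star, unblind(y_star, k)

if __name__ == "__main__":
    x = 123456789                        # constructed sample message, 0 < x < n
    x_star, y_star, y = run_protocol(x)
    print("B saw x* =", x_star, "and returned y* =", y_star)
    print("A unblinds to y =", y, "valid:", verify(x, y))
```

Because B signs values it cannot inspect, a signer running this protocol should use a key reserved for blind signing.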
Undeniable Signatures
A signature can not be verified without the
cooperation of the signer
Since a signature must be verified with the
cooperation of the signer, it is possible for a signer
to maliciously disavow a signature that he signed
previously
$y = \mathrm{sig}(x) = x^{a} \bmod p$
2. Verification protocol
Bob chooses $e_1, e_2$ from $\mathbb{Z}_q^*$ randomly
Bob computes $c = y^{e_1}\beta^{e_2} \bmod p$ and sends it to Alice
Alice computes $d = c^{a^{-1} \bmod q} \bmod p$ and sends it to Bob
Bob accepts $y$ as a valid signature if and only if
$d \equiv x^{e_1}\alpha^{e_2} \pmod p$
Verifier Signer
message $x$, signature $y$
$c = y^{e_1}\beta^{e_2} \bmod p$
$d = c^{a^{-1} \bmod q} \bmod p$
$d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$
Two possibilities:
• y is not a valid signature of x
• y is the signature of x, she is fooling me by sending garbled d to me
(Correctness of the signature protocol)
I doubt that you are fooling me
to disavow your signature on x
Verifier Signer
$c = y^{e_1}\beta^{e_2}$
$d = (c)^{a^{-1}}$
$c' = y^{e_1'}\beta^{e_2'}$
$d' = (c')^{a^{-1}}$
$(d\,\alpha^{-e_2})^{e_1'} = (d'\,\alpha^{-e_2'})^{e_1}$
I blame her wrongly, y is not signed by her
$c = y^{e_1}\beta^{e_2}$
$d = (c)^{a^{-1}}$
$c' = y^{e_1'}\beta^{e_2'}$
$d' = (c')^{a^{-1}}$
Fact Let x be a message and suppose that y is
A’s (purported) signature on x
Fail-stop Signatures
Van Heyst and Pedersen scheme (1992)
A key has the form
$K = (\gamma_1,\gamma_2,a_1,a_2,b_1,b_2)$
where
$\gamma_1 = \alpha^{a_1}\beta^{a_2} \bmod p$
$\gamma_2 = \alpha^{b_1}\beta^{b_2} \bmod p$
To sign a message $x$,
$\mathrm{sig}(x) = (y_1,y_2)$
where
$y_1 = a_1 + x b_1 \bmod q$
$y_2 = a_2 + x b_2 \bmod q$
Proof of forgery – the argument
Proof of forgery – calculation of a0
Hence
$\alpha^{y_1''}\beta^{y_2''} = \alpha^{y_1'}\beta^{y_2'} \bmod p$
$\alpha^{y_1''}\alpha^{a_0 y_2''} = \alpha^{y_1'}\alpha^{a_0 y_2'} \bmod p$
Thus
$y_1'' + a_0 y_2'' = y_1' + a_0 y_2' \pmod q$
$a_0 = (y_1'' - y_1')(y_2' - y_2'')^{-1} \pmod q$
It is computable by Alice!