Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0

Plan 1.The definition of secure signature schemes 2.Signatures based on RSA, “hash-and- sign”, “full-domain-hash” 3.Other constructions a)based on discrete-log b)theoretical constructions

Signature schemes digital signature schemes ≈ MACs in the public-key setting

4 Alice Bob (m, t=Tag k (m)) k k m є {0,1}* k is chosen randomly from some set K Vrfy k (m) є {yes,no} Message Authentication Codes

Signature Schemes Alice Bob k k 1n1n 1n1n Alice Bob (m, t=Tag sk (m)) sk pk m є {0,1}* (pk,sk) := Gen(1 n ) Vrfy k (m) є {yes,no}

Advantages of the signature schemes Digital signatures are: 1.publicly verifiable 2.transferable 3.provide non-repudiation

Anyone can verify the signatures P5P5 P1P1 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 1. Sign(sk 3,m) public register: Sign(sk 3,m) 2. reads pk 3 sk 3 3. computes Vrfy(pk 3,m) P3P3

Look at the MACs... Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Carol Look, I got (m,t) from Alice Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag? Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag?

Signatures are publicly-verifiable! Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Carol I can calculate Vrfy(pk A,m,σ) and check. I can calculate Vrfy(pk A,m,σ) and check. Look, I got (m,σ) from Alice

So, the signatures are transferable P2P2 P3P3 Alice P4P4 P1P1 σ = Sign(sk 3,m) sk A (m,σ) “Alice signed m” pk A “Alice signed m” I believe it!

Non-repudiation Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Judge “I’ve got (m,σ) from Alice” It’s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m...

Digital Signature Schemes A digital signature scheme is a tuple (Gen,Sign,Vrfy) of poly-time algorithms, such that: the key-generation algorithm Gen takes as input a security parameter 1 n and outputs a pair (pk,sk), the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ, the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}. the key-generation algorithm Gen takes as input a security parameter 1 n and outputs a pair (pk,sk), the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ, the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}. If Vrfy pk (m,σ) = yes then we say that σ is a valid signature on the message m.

Correctness We require that it always holds that: P ( Vrfy pk (m,Sign sk (m)) ≠ yes ) is negligible What remains is to define security.

How to define security? We have to assume that the adversary can see some pairs (m 1,σ 1 ),..., (m t,σ t ) As in the case of MACs, we need to specify: 1.how the messages m 1,...,m t are chosen, 2.what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that 1.The adversary is allowed to chose m 1,...,m t. 2.The goal of the adversary is to produce a valid signature on some m’ such that m’ ≠ m 1,...,m t.

security parameter 1 n selects (pk,sk) = Gen(1 n ) oracle m1m1 mtmt... We say that the adversary breaks the signature scheme if at the end she outputs (m’, σ’) such that 1. Vrfy(m’, σ’) = yes 2. m’ ≠ m 1,...,m t We say that the adversary breaks the signature scheme if at the end she outputs (m’, σ’) such that 1. Vrfy(m’, σ’) = yes 2. m’ ≠ m 1,...,m t adversary pk Sign sk (m 1 ) Sign sk (m t )

The security definition We say that (Gen,Sign,Vrfy) is existentially unforgeable under an adaptive chosen- message attack if A polynomial-time adversary A P(A breaks it) is negligible (in n) sometimes we just say: unforgeable (if the context is clear)

signatures messages check if m’=m messages check if m’=m σ := D sk (m) m’ := E pk (σ) signing: verifying: We said: In general it’s not that simple. How to design secure signature schemes? { E : X → X } (pk,sk) є keys -- a family of trapdoor permutations Remember this idea?

In general it’s not that simple 1.Not every trapdoor permutation is OK. 2.There exist other ways to create signature schemes. 3.One can even construct a signature scheme from any one-way function. (this is a theoretical construction)

Plan 1.The definition of secure signature schemes 2.Signatures based on RSA, “hash-and- sign”, “full-domain-hash” 3.Other constructions a)based on discrete-log b)theoretical constructions

signatures Z N * signatures Z N * messages Z N * check if m’=m messages ZN*ZN* check if m’=m σ := m d mod N m’ := σ e mod N signing: verifying: The “handbook RSA signatures” public key: (N,e) private key: (N,d) ed = 1 mod  (N)

The “handbook RSA signatures” N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N)) Sign (d,N) (m) = m d mod N and Vrfy (e,N) (m, σ) = yes iff σ e = m mod N N = pq - RSA modulus e is such that gcd(e, φ(N)) = 1, d is such that ed = 1 (mod φ(N)) Sign (d,N) (m) = m d mod N and Vrfy (e,N) (m, σ) = yes iff σ e = m mod N Correctness: σ e = (m d ) e = m de = m 1 = m Correctness: σ e = (m d ) e = m de = m 1 = m

Problems with the “handbook RSA” [1/2] The adversary can forge a signature on a “random” message m. Given the public key (N,e): he just selects a random σ and computes m = σ e mod N. Trivially, σ is a valid signature on m. The adversary can forge a signature on a “random” message m. Given the public key (N,e): he just selects a random σ and computes m = σ e mod N. Trivially, σ is a valid signature on m. A “no-message attack”:

Problems with the “handbook RSA” (2/2) How to forge a signature on an arbitrary message m? Use the homomorphic properties of RSA. oracle m1m1 adversary Sign sk (m 1 ) = m 1 d mod N Sign sk (m 2 ) = m 2 d mod N (N,e) chooses: 1.random m 1 2.m 2 := m / m 1 mod N m2m2 computes (mod N): m 1 d · m 2 d = (m 1 · m 2 ) d = m d this is a valid signature on m

Is it a problem? In many applications – probably not. But we would like to have schemes that are not application-dependent...

Solution Before computing the RSA function – apply some function H. N = pq, such that p and q are large random primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = m d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes iff σ e =m (mod N) Sign d : Z N * → Z N * is defined as: Sign(m) = H(m) d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes iff σ e = H(m) (mod N)

How to choose such H? A minimal requirement: it should be collision-resistant. (because if the adversary can find two messages m,m’ such that H(m) = H(m’) then he can forge a signature on m’ by asking the oracle for a signature on m)

A typical choice of H Usually H is one of the popular hash functions. Additional advantage: We can sign very long messages keeping the modulus N small (it’s much more efficient!). It is called a hash-and-sign paradigm.

Hash-and-Sign [1/5] Hash and sign is a generic construction that takes as input: a signature scheme that works on “short messages”, and a hash function, and transforms it into a a signature scheme that works on “long messages”. Hash and sign is a generic construction that takes as input: a signature scheme that works on “short messages”, and a hash function, and transforms it into a a signature scheme that works on “long messages”.

Hash-and-Sign [2/5] 1. (Gen,Sign,Vrfy) – a signature scheme “for short messages” short x signature σ Sign sk σ σ yes / no Vrfy pk x x m m 2. a hash function H H H H(m)

Hash-and-Sign [3/5] signature Sign sk (H(m)) Sign sk m m H H H(m) How to sign a message m?

Hash-and-Sign [4/5] How to verify? σ σ yes / no Vrfy pk m m H H H(m)

Hash-and-Sign [5/5] It can be proven that this construction is secure. For this we need to assume that H is taken from a family of collision-resilient hash functions. {H s } s є keys Then s becomes a part of the public key and the private key.

What can be proven Suppose 1.{H s } s є keys is a family of collision-resistant hash functions, 2.(Gen,Sign,Vrfy) is a secure signature scheme. Then the signature scheme constructed on the previous slide is secure.

Can anything be proven about the “hashed RSA” scheme? In the plain model - not really. But at least the attacks described before “look infeasible”. 1.For the “no message attack”: one would need to invert H. 2.The secod (“homomorphic”) attack: Looks impossible because the adversary would need to find messages m,m 1,m 2 such that H(m) = H(m 1 ) · H(m 2 )

Fact (security of the Full Domain Hash) Let H : {0,1}* → Z N * be a hash function modeled as a random oracle. Suppose the RSA assumption holds Then the “hashed RSA” is existentially unforgeable under an adaptive chosen-message attack Let H : {0,1}* → Z N * be a hash function modeled as a random oracle. Suppose the RSA assumption holds Then the “hashed RSA” is existentially unforgeable under an adaptive chosen-message attack N = pq, such that p and q are large random primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = H(m) d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes iff σ e = H(m) (mod N) hashed RSA

Remember the Random Oracle Model? H : {0,1}* → {0,1} L a completely random function xH(x)

Why does it help? RSA assumption For any polynomial time algorithm A we have: P ( (A(x,N,e)) e = x mod N ) is negligible where N = pq where p and q are random primes such that |p| = |q|, and x is a random element of Z N *, and e is random element of Z φ(N)* here we require that x is random

Intuition If we just use a “normal hash function” then the distribution of H(m 0 ),H(m 1 ),H(m 2 ),... (for any m 0,m 1,m 2,..) can be “complicated”. If H is a random oracle then H(m 0 ),H(m 1 ),H(m 2 ),... are uniform and independent (for pairwise different m i ’s). This helps a lot in the proof!

Plan 1.The definition of secure signature schemes 2.Signatures based on RSA, “hash-and- sign”, “full-domain-hash” 3.Other constructions a)based on discrete-log b)theoretical constructions

Other popular signature schemes Rabin signatures (based on squaring mod N=pq) Based on discrete log: ElGamal signatures Digital Signature Standard (DSS) Schnorr signatures (also based on other groups – elliptic curves)

Plan 1.The definition of secure signature schemes 2.Signatures based on RSA, “hash-and- sign”, “full-domain-hash” 3.Other constructions a)based on discrete-log b)theoretical constructions

Signatures schemes can be constructed from any one-way function signature schemes exist one way functions exist another member of minicrypt!

One-time signatures (Leslie Lamport) How to sign one bit? f – a one way function random x 0 y 0 =f(x 0 ) f f random x 1 y 1 =f(x 1 ) f f private keypublic key Sign((x 0,x 1 ), b) = x b Vrfy((y 0,y 1 ), x, b) = yes iff f(x) = y b

Why is it secure? To forge a signature on bit b the adversary needs to calculate x b from y b xbxb xbxb y b =f(x b ) f f This should be infeasible, since f is one-way...

Lamport Constructing Digital Signatures from a One Way Function SRI International Technical Report CSL-98 (October 1979). At a coffee house in Berkeley around 1975, Whitfield Diffie described a problem to me that he had been trying to solve: constructing a digital signature for a document. I immediately proposed a solution. Though not very practical--it required perhaps 64 bits of published key to sign a single bit--it was the first digital signature algorithm. In 1978, Michael Rabin published a paper titled Digitalized Signatures containing a more practical scheme for generating digital signatures of documents. (I don't remember what other digital signature algorithms had already been proposed.) However, his solution had some drawbacks that limited its utility. [...] I didn't feel that it added much to what Rabin had done. However, I've been told that this paper is cited in the cryptography literature and is considered significant, so perhaps I was wrong. from: what about the RSA ???

How to sign longer messages? We show a one-time signature scheme (one public key can be used at most once). f – one way function n – length of the message x 0,1...x 0,n x 1,1...x 1,n y 0,1 =f(x 0,1 )...y 0,n =f(x 0,n ) y 1,1 =f(x 1,1 )...y 1,n =f(x 1,n ) private key sk: public key pk: Sign Lamport (sk,(m 0,...,m n )) = (x m 0,...,x m n ) Vrfy Lamport pk,(m 0,...,m n ), (x m 0,...,x m n )) = check if (f(x m 0 ),...,f(x m n )) = (y m 0,...,y m n ) all x ij ’s are random strings

Example n=8 x 0,1 x 0,2 x 0,3 x 0,4 x 0,5 x 0,6 x 0,7 x 0,8 x 1,1 x 1,2 x 1,3 x 1,4 x 1.5 x 1,6 x 1,7 x 1,8 m = (1,0,1,1,0,0,1,0) x 1,1 x 0,2 x 1,3 x 1,4 x 0,5 x 0,6 x 1,7 x 0,8 signature: private key: (,,,,,,, ) f(x 0,1 )f(x 0,2 )f(x 0,3 )f(x 0,4 )f(x 0,5 )f(x 0,6 )f(x 0,7 )f(x 0,8 ) f(x 1,1 )f(x 1,2 )f(x 0,3 )f(x 1,4 )f(x 1,5 )f(x 1,6 )f(x 1,7 )f(x 1,8 ) public key:

Why each key can be used at most once? x 0,1 x 0,2 x 0,3 x 0,4 x 0,5 x 0,6 x 1,1 x 1,2 x 1,3 x 1,4 x 1.5 x 1,6 x 1,1 x 0,2 x 1,3 x 1,4 x 0,5 x 0,6 signature: private key: (,,,,, ) x 0,1 x 0,2 x 0,3 x 0,4 x 0,5 x 0,6 x 1,1 x 1,2 x 1,3 x 1,4 x 1.5 x 1,6 x 1,1 x 1,2 x 0,3 x 0,4 x 0,5 x 1,6 signature: private key: (,,,,, ) x 0,1 x 0,2 x 0,3 x 0,4 x 0,5 x 0,6 x 1,1 x 1,2 x 1,3 x 1,4 x 1.5 x 1,6 x 1,1 x 0,2 x 1,3 x 1,4 x 0,5 x 1,6 signature: private key: (,,,,, ) knows can calculate

Problem Signature is much longer that the message! (and can be used only once)

How to sign long messages? Use hash functions hash H Sign Lamport a long message m Sign Lamport (sk,m) denote it: Sign HL

Idea: use “certification” m1m1 m1m1 Sign HL (sk 1,m 1 || pk 2 ) pk 2 m2m2 m2m2 Sign HL (sk 2,m 2 || pk 3 ) pk 3 generate a new pair (sk 2,pk 2 ) generate a new pair (sk 3,pk 3 ) m3m3 m3m3 Sign HL (sk 3,m 3 || pk 4 ) pk 4 generate a new pair (sk 4,pk 4 )...

How to verify? The signer needs to include the “certificate chain” in the signature. Sign HL (sk 1,m 1 || pk 2 ) Sign HL (sk 2,m 2 || pk 3 ) Sign HL (sk 1,m 1 || pk 2 ) Sign HL (sk 2,m 2 || pk 3 ) Sign HL (sk 3,m 3 || pk 4 ) Sign(sk 1,m 1 ) = Sign(sk 1,m 2 ) = Sign(sk 1,m 3 ) = verify using pk 1 verify using pk 2 verify using pk 1 verify using pk 2 verify using pk 3 m1m1 m1m1 m1m1 m1m1 m2m2 m2m2

Problems 1.The signing algorithm needs to have a state (“memory”) 2.The length of the signature grows linearly

Solution to the second problem Sign HL (sk, pk L || pk R ) pk L pk R Instead of a chain use a binary tree: “certify each time two public keys”

The tree: (sk, pk) (sk 0, pk 0 ) (sk 1, pk 1 ) (sk 00, pk 00 ) (sk 01, pk 01 ) (sk 10, pk 10 ) (sk 11, pk 11 ) (sk 010, pk 010 ) (sk 011, pk 011 )...

The details m2m2 m2m2 m1m1 m1m1 mtmt mtmt... m = (m 1,...,m t ) start in root if m i =0 go LEFT if m i =1 go RIGHT use the key in the LEAF to sign m now the “chain” has length |m| = t

The key pairs are generated on-fly (sk, pk) (sk 1, pk 1 ) (sk 00, pk 00 ) (sk 01, pk 01 ) (sk 010, pk 010 ) (sk 011, pk 011 ) (sk 010, pk 010 ) (sk 011, pk 011 ) (sk 0, pk 0 ) “old” public keys have to remembered and reused Sign(sk,(0,1,0)) = Sign HL (sk,pk 0 ||pk 1 ) Sign HL (sk 0,pk 00 ||pk 01 ) Sign HL (sk 01,pk 010 ||pk 011 ) Sign HL (sk 010,(0,1,0)) Sign(sk,(0,0,0)) = Sign HL (sk,pk 0 ||pk 1 ) Sign HL (sk 0,pk 00 ||pk 01 ) Sign HL (sk 00,pk 000 ||pk 001 ) Sign HL (sk 000,(0,0,0)) 1 1

Why we have to remember the old keys? (sk w, pk w ) (sk w0, pk w0 ) (sk w1, pk w1 ) (sk w, pk w ) (sk w0, pk w0 ) (sk’ w1, pk’ w1 ) Sign HL (sk w,pk w0 ||pk w1 ) Sign HL (sk w,pk w0 ||pk’ w1 ) Suppose we don’t: so we signed two different messages with the same key!

Problem The tree is constructed on-fly, so we need to remember the state. A stupid solution: generate the whole tree beforehand. A better solution: generate the whole tree pseudorandomly and just remember the seed.

Remember the pseudorandom functions (PRFs)? F k : {0,1} m → {0,1} m x x F k (x) For a random key k and any x 1,...,x t the values F k (x 1 ),..., F k (x t ) “look random”

Solution sk w := F k (w) node w Take some PRF F private key: (sk,k) sk – a private key for hashed Lamport k – a key for PRF F public key: pk – a public key for hashed Lamport

We have shown that signature schemes exist one way functions exist hash functions exist pseudorandom functions exist and

But we know that one way functions exist hash functions exist pseudorandom functions exist

Therefore we have shown that signature schemes exist hash functions exist

The proof that signature schemes exist one-way functions exist is more complicated

© 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.