Digital Signatures. Presented by Olga Shishenina.


2 Outline
- Cryptographic goals
- Message Authentication Codes (MACs)
- Digital signatures
  - RSA digital signature
  - Elliptic curve digital signature
- Comparison of ECDSA and RSA signature

3 Cryptographic Goals
[Diagram: tree of cryptographic goals and primitives]
- Goals: confidentiality, data integrity, authentication (message authentication, entity authentication), non-repudiation
- Primitives shown: symmetric-key ciphers (block ciphers, stream ciphers), public-key ciphers, arbitrary length hash functions, message authentication codes (MACs), digital signatures, authentication primitives

4 Non-repudiation
[Diagram: Alice, Bob; m, s]
- m is a signed message
- s is a valid signature for m
- Alice denies her signature if she finds m’ ≠ m such that s is a valid signature for m’

5 Message Authentication Codes
- MAC f(x, key): {0,1}* → {0,1}^n
  - knowing x and key, f is easy to compute
  - it is infeasible to calculate f(x, key) without the key
- MACs are often block cipher based
  - message m, secret key k
  - specification of block cipher E
  - MAC(m) = E(m, key)
  - MAC(m) = E(hash(m), key)

6 CBC-based MAC algorithm
Algorithm CBC-MAC
- INPUT: data x; specification of block cipher E; secret MAC key for E
- OUTPUT: n-bit MAC on x
- h_1 = E_key(x_1)
- h_i = E_key(h_{i-1} ⊕ x_i), 2 ≤ i ≤ t
[Diagram: n-bit blocks x_1, x_2, …, x_t are fed through E_key in a chain starting from 0, giving h_1, h_2, …, h_{t-1}; after an optional output transformation, H = MAC]

7 Use of a MAC
- Used to provide
  - Data integrity
  - Message authentication
[Diagram: Signer: message and secret key → MAC algorithm → message + MAC → unsecured channel → Verifier: MAC verification algorithm with secret key → Ok / not Ok]

8 Digital Signatures Scheme
- Used to provide
  - Data integrity
  - Message authentication
  - Non-repudiation
[Diagram: Signer: message and signer’s private key → signing algorithm → message + signature → unsecured channel → Verifier: signature verification algorithm with signer’s public key → Ok / not Ok]

9 Difference between MAC and digital signature
- To prove the validity of a MAC to a third party, you need to reveal the key
- If you can verify a MAC, you can also create it
- MAC does not allow a distinction to be made between the parties sharing the key
- Computing a MAC is (usually) much faster than computing a digital signature
  - Important for devices with low computing power

10 RSA signature algorithm

11 RSA
- Developed in 1978 by Rivest, Shamir and Adleman (RSA)
- Most popular public key cryptosystem
- Based on the hard problem of “integer factorization”

12 Key-Generation for RSA(1)
1. Generate two large random distinct primes p and q, each roughly the same size
2. Compute n = pq and
3. Select random integer e:
4. Compute unique integer d:
5. Public key is (n, e); Private key is d

13 Key-Generation for RSA(2)
- Usually numbers with the right bit length are chosen randomly and tested for primality
- Statistical tests are used to determine the probability that these numbers are primes, e.g.
  - Strassen test
  - Miller–Rabin test
- There is always an insignificantly low chance that the number is not prime

14 Used notation
- M is a set of elements, called the message space = Z_n
- M_S is a set of elements, called the signing space = Z_n
- R is a 1 to 1 mapping from M to M_S, called the redundancy function
- M_R is the image of R: {y | y = R(x), x ∈ M}
- R^-1 is the inverse of R: M_R → M

15 RSA signature generation and verification
- To sign a message, A should:
  - Compute: where R(m) is a redundancy function
  - Compute:
  - A’s signature for m is s
- To verify A’s signature and recover m, B should:
  - Obtain A’s authentic public key (n, e)
  - Compute:
  - Verify that ; if not, reject the signature
  - Recover

16 Proof that signature verification works
- Euler’s theorem:, where is the Euler’s function of n
- If s is a signature for m, then:
- Since, then:
- Finally:

17 RSA signature example
Alice:
- p = 5, q = 7, n = 35, φ(n) = 4·6 = 24
- e = 5; d: ed = 5d = 1 mod 24 => d = 5
- Public key: (n = 35, e = 5); Private key: d = 5
- M = [0, n-1]
- For all m ∈ M: R(m) = m
- m = 26; R(m) = 26; s = 26^5 mod 35 = 31
Bob:
- R(m) = 31^5 mod 35 = 26 ∈ [0, n-1]
- m = R^-1(m) = 26

18 Possible Attacks on RSA signature
- Integer factorization
  - If an adversary is able to factor n, then
- Multiplicative property of RSA
  - If, then s is valid signature for m:
  - Hence, to avoid this attack R must not be multiplicative, i.e.
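The toy key from the signature example and the multiplicative property, worked through as an added Python example that is not part of the original slides. The duplicated-bits redundancy function `R_dup` and the second key (p = 61, q = 53, e = 17) are constructed for illustration; `R_dup` is not the ISO/IEC 9796 function.

```python
# Added illustration with toy key sizes; textbook RSA only, not usable in practice.

def keygen(p, q, e):
    """Textbook RSA key generation: returns (n, e, d) with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

def sign(m, n, d, R):
    """s = R(m)^d mod n."""
    return pow(R(m), d, n)

def verify(s, n, e, R_inv):
    """Recover m from s, or return None when s^e mod n is not in the image of R."""
    return R_inv(pow(s, e, n))

def identity(m):
    """Redundancy function of the slide's example, R(m) = m (multiplicative)."""
    return m

BITS = 5  # hypothetical message size for the constructed redundancy function

def R_dup(m):
    """Constructed redundancy: the 5-bit message written twice (m || m)."""
    assert 0 <= m < 1 << BITS
    return (m << BITS) | m

def R_dup_inv(y):
    """Accept y only if its two 5-bit halves agree, then return the message."""
    hi, lo = y >> BITS, y & ((1 << BITS) - 1)
    return lo if hi == lo else None

def slide_example():
    """p = 5, q = 7, e = 5, m = 26 as on the slide."""
    n, e, d = keygen(5, 7, 5)
    s = sign(26, n, d, identity)
    return d, s, verify(s, n, e, identity)

def product_signature(m1, m2, n, d, R):
    """Product of two genuine signatures, the case the multiplicative property covers."""
    return sign(m1, n, d, R) * sign(m2, n, d, R) % n

def demo():
    n, e, d = keygen(5, 7, 5)
    # With R(m) = m the product verifies as a signature on m1*m2 = 6.
    weak = verify(product_signature(2, 3, n, d, identity), n, e, identity)
    n2, e2, d2 = keygen(61, 53, 17)  # constructed key, large enough for R_dup
    genuine = verify(sign(6, n2, d2, R_dup), n2, e2, R_dup_inv)
    # With a non-multiplicative R the same product falls outside M_R and is rejected.
    combined = verify(product_signature(2, 3, n2, d2, R_dup), n2, e2, R_dup_inv)
    return weak, genuine, combined
```

`slide_example()` reproduces d = 5, s = 31 and the recovered m = 26; `demo()` shows the product being accepted under R(m) = m and rejected once the verifier checks membership in M_R.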

19 Performance characteristics
- n = pq, where n is 2k-bit, p and q are k-bit primes
- takes bit operations
- Verification is significantly faster than signing if e is chosen to be a small number, e.g.
- It is not recommended to restrict the size of d

20 Short vs. long messages
- n = pq, where n is 2k bits, p and q are k-bit primes
- ISO/IEC 9796 R: [diagram labels: m, k bits; 2k bits]
- To sign a kt-bit message m:
  - Divide m = m_1 || m_2 || m_3 || … || m_t and sign each block individually: one transmits 2kt bits.
  - Sign an l-bit hash(m), l ≤ k: then one transmits kt + 2k bits (kt to transmit the message).
  - If t > 2, then kt + 2k < 2kt

21 The Elliptic Curve Digital Signature Algorithm (ECDSA)

22 Elliptic curves (EC) over the reals
- A non-singular EC is the set E of solutions to the equation together with a special point O, where
- has three distinct roots

23 An EC over the reals
- y^2 = x^3 – 4x
- 4a^3 + 27b^2 = -256

24 Addition – Geometric Approach
- Chord-and-tangent rule: P + Q = R, P ≠ Q
- Point doubling: P + P = 2P = R
[Figures: curves in the x-y plane with P = (x_1, y_1), Q = (x_2, y_2), R = (x_3, y_3), -R = (x_3, -y_3)]

25 Addition – Algebraic Approach
E is an elliptic curve over the reals
1. ( is the identity element )
2. If P

26 Galois Fields (Finite Fields) GF(q)
- Is a set of elements (G, +, *) that satisfy certain arithmetic properties
- Finite Field exists iff q is a prime power
- If q = p, p is prime
  - {0, 1, ..., p - 1} are the field elements
  - ADDITION:
  - MULTIPLICATION:
  - INVERSION:

27 Elliptic Curves Over Finite Fields
Over GF(p), p is prime, p > 3
- Elliptic curve E equation where
- E consists of
  - all pairs satisfying curve equation
  - special point - point at infinity

28 Example 1: elliptic curve over GF(23)
- p = 23
- The points in E are and the following:
  (0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) …
- 28 points + = 29 points
- Let’s consider (4, 7): = 72 = 3 (mod 23); 49 = 3 (mod 23)

29 Basic Facts
Let E(GF(q)) be an EC over GF(q)
- The points of E(GF(q)) form a group under addition
- Hasse’s theorem: Number of points on E (group order):
- If #E is prime then the group is cyclic and
- If #E has a prime factor, then there exists a cyclic subgroup

30 Example 2: elliptic curve over GF(23)
- p = 23
- The points in E are and the following (29 points):
  P = (0, 2), 2P = (13, 12), 3P = (11, 9), 4P = (1, 12), 5P = (7, 20),
  6P = (9, 11), 7P = (15, 9), 8P = (14, 5), 9P = (4, 7), 10P = (22, 5),
  11P = (10, 5), 12P = (17, 9), 13P = (8, 15), 14P = (18, 9), 15P = (18, 14),
  16P = (8, 8), 17P = (17, 14), 18P = (10, 18), 19P = (22, 18), 20P = (4, 16),
  21P = (14, 18), 22P = (15, 17), 23P = (9, 12), 24P = (7, 3), 25P = (1, 11),
  26P = (11, 14), 27P = (13, 11), 28P = (0, 21), 29P = O, 30P = P

31 ECDSA parameters setup
- Create (random) public abstract groups
- Domain Parameter Generate: Complex & public. DP often taken from published list.
- Domain Parameter Validate: Easy & public.
- Key Pair Generate: Easy & private.
- Key Pair Validate: Easy & public.

32 ECDSA Domain Parameters
- Domain parameters D = (q, a, b, G, n, h)
  - Field size q, q = p or q = 2^m
  - Coefficients a, b in GF(q) of E = E_{a,b}(GF(q)):
  - Seed s of length ≥ 160 bits (optional)
  - Base point G = (x_G, y_G) on curve E, i.e.
  - Order n of G: n is prime,
  - Cofactor h: #E(GF(q)) = hn

33 Curve parameters generation(1)
- Input: GF(p), p is prime
- Output: seed, curve coefficients a & b
- Used notations:
[Diagram labels: arbitrary SEED, g > 160 bits; hash algorithm; W_0 (v-1 bits of a 160-bit hash); hash(z + 1), hash(z + 2), …, hash(z + s); (v-1) + s·160 < log_2 p bits]

34 Curve parameters generation(2)
if abort and start again
3. Choose a, b
4. Result: y^2 = x^3 + ax + b
- if
- Exclude singular curves

35 Isomorphism classes of ECs(1)
- E_1: y^2 = x^3 + a_1 x + b_1 and E_2: y^2 = x^3 + a_2 x + b_2 are isomorphic
- Step 3: Choose a, b
- There are only 2 variants for a and b on step 3

36 Isomorphism classes of ECs(2)
- Let’s prove that there are precisely 2 choices for (a, b) on step 3:
  - We can find a_1, b_1 and a_2, b_2:
  - We cannot find a_3, b_3: E_3 is not isomorphic to E_1 or E_2

37 Domain Parameter Generation
- Domain parameters D = (q, a, b, G, n, h)
1. Generate EC coeffs a & b, E(GF(q)): y^2 = x^3 + ax + b
2. Compute #E(GF(q)) (e.g. Schoof’s algorithm)
3. Verify that, n is prime,
4. if not, go to step 1
5. Verify that; if not, go to step 1
6. Verify that n ≠ q; if not, go to step 1
7. Select an arbitrary point. Set. Repeat until

38 Key pair
Alice (signer): D = (q, a, b, G, n, h)
Key generation:
1. Select random d: 1 ≤ d ≤ n-1
2. Q = d·G
Q(x_Q, y_Q) is public, G is private
Bob (verifier): (D, Q); Q is valid or not?
Key validation. Check that:
1. Q ≠
nQ =
5. If any check fails -> Q is invalid, else -> Q is valid

39 ECDSA generation & verification
Alice: parameters D = (q, a, b, G, n, h), associated keys (d, Q)
Bob: parameters D = (q, a, b, G, n, h), Alice’s public key Q, Alice’s signature (r, s) on m
[Diagram label: D, Q, m, r, s]
To sign message m:
1. k randomly chosen, 0 < k < n-1
2. k·G = (x_1, y_1), r = x_1 mod n
3. if r = 0, abort and start again
4. e = SHA-1(m)
5. s = k^-1 · (e + d·r) mod n
6. if s = 0, abort and start again
Output: (r, s)
To verify signature (r, s):
1. check: 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1
2. e = SHA-1(m)
3. w = s^-1 mod n
4. u_1 = e·w mod n, u_2 = r·w mod n
5. X = u_1·G + u_2·Q, if
6. X = (x_1, y_1), v = x_1 mod n
7.
Proof that signature verification works:

40 Ordinary DLP
- Definition:
  - Given: prime p, generator g of GF(p), non-zero element y ∈ GF(p)
  - Find: the unique integer k, 0 ≤ k ≤ p – 2: y ≡ g^k (mod p)
  - k is called the discrete logarithm of y to the base g
- Known attacks
  - The most efficient: Index Calculus Method O( )

41 Elliptic Curve DLP
- Identified in 1985 – Koblitz and Miller suggested using it in place of DLP
- Definition:
  - Given: EC E defined over GF(q), point P ∈ E(GF(q)) of order n, point Q ∈ E(GF(q))
  - Determine: the integer l, 0 ≤ l ≤ n – 1: Q = lP
- Arises in groups defined on EC
- Hard Problem
- Only exponential algorithms known

42 Known Attacks on ECDLP
- Pollard’s Rho Algorithm O( )
- Parallelized Pollard’s Rho O( )
  - r is the number of processors used
  - Precautions:
- Pohlig-Hellman Algorithm O( )
  - Precautions:
- Menezes-Okamoto-Vanstone (MOV) O( )
  - Precautions:
- No index calculus method found

43 Pollard’s Rho Algorithm(1)
To find k where Q = kP, and n is the group order:
- Use a pseudo-random walk through the group
- Start at a known point
- When a collision occurs, we can find k
- Because there is not enough room to store all visited points, we only store distinguished points (points with some distinguishing property, such as the first i lower order bits equal to zero).

44 Pollard’s Rho Algorithm(2)
- The random walk is defined as:
- Where the S_i are three sets of points (e.g. S_i may be points such that x mod 3 = i), and the r_i are randomly chosen.

45 Pollard’s Rho Algorithm(3)
- R_0 is chosen to be a known multiple of P and Q.
- For each iteration, R_{i+1} is found, and also what multiple of P and Q it is.
- When a collision occurs, we have:

46 Pollard’s Rho Algorithm(4)
- The number of iterations is
- With this approach, the path of the pseudo-random walk depends on Q.
- There is no precomputation.
- Calculations from previous ECDLPs are of limited usefulness in subsequent ECDLPs, because collisions are only detected for distinguished points.

47 Duplicate-Signature Key Selection
- An adversary
  - Selects arbitrary c:
  - Computes:
  - Forms:
- Proof of work:
[Diagram labels: Alice, Bob, Adversary E; D, Q, m, r, s; D_E, Q_E, m, r, s]

48 Key Size Comparisons
Sym. key:   80,   112,  128,  192,   256
ECC n:     161,   224,  256,  384,   512
RSA n:    1024,  2048, 3072, 7680, 15360

49 ECDSA Advantages
- Elliptic curves offer a much shorter key length than RSA.
- There are some environments where 1024-bit RSA cannot be implemented, while 163-bit ECC can.
- No subexponential-time algorithm is known for the EC discrete logarithm problem.

50 Discussion ???

51 Exercises(1)
- Does this equation define an EC over GF(17)? y 2 = x x + 5
- Do the points P(2,0) and Q(6,3) lie on the elliptic curve y^2 = x^3 + x + 7 over GF(17)?
- What are the negatives of the following elliptic curve points over GF(17)? P(5,8), Q(3,0), R(0,6)
- In the elliptic curve group defined by y^2 = x^3 + x + 7 over GF(17), what is P + Q if P = (2,0) and Q = (1,3)?

52 Exercises(2)
- Suppose that p > 3 is an odd prime, a, b ∈ GF(p)
- Further suppose that has 3 distinct roots in GF(p)
- Prove that the corresponding elliptic curve E is not cyclic

53 References
- Don Johnson, Alfred Menezes, The Elliptic Curve Digital Signature, February
- A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press
- Douglas R. Stinson, Cryptography, Theory and Practice, CRC Press

54 Elliptic Curves Over Finite Fields
Over GF(2^m)
- Elliptic curve E equation where
- E consists of
  - all pairs satisfying curve equation
  - special point - point at infinity

55 Example 2: elliptic curve over GF(2^4)
- Generator polynomial f(x) = x^4 + x + 1
- The points in E are and the following:
- 15 points + = 16 points

56 Addition – Algebraic Approach
E – elliptic curve over GF(2^m)
1.
2. If P

57 Curve parameters generation
- Used notations:
- Input: prime p
- Output: seed, curve coefficients a & b
- Algorithm:
1. Choose a bit string seedE: g = |seedE| ≥ 160 bits
2. H = SHA-1(seedE)
3. z = (int) seedE
4. For i from 1 to s do:
   - s_i = (z + i) mod 2^g
   - W_i = SHA-1(s_i)
5.
6. r = (int) W; if r = 0 or 4r + 27 ≡ 0 (mod p), go to step 1
7. Choose a, b
8. The elliptic curve is: y^2 = x^3 + ax + b
9. Output (seedE, a, b)
[Diagram labels: H (160 bits); W_0 (v-1 bits); W_0, W_1, …, W_s; W =]

58 Domain Parameters Validation
Alice: domain D = (q, FR, a, b, G, n, h)
Bob: domain D; D is valid or not?
D validation. Check that:
- n is prime AND n >
- #E ≠ q
- If any check fails -> D is invalid, else -> D is valid

59 Verifying the order of an EC
- Hasse’s theorem:
- Hence, check implies that
- Also since:
- Hence if:

60 Potential CA Services
- POP - Proof of possession of private key. Can use zero-knowledge proof.
- PKV - Public Key Validation shows public key makes arithmetic sense.
- POP and PKV can be considered duals of each other. Doing both provides strong assurance.

61 Security Considerations
- Per-message secret k:
- Repeated usage of k:
- Check: 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1
To verify signature (r, s):
1. check: 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1
2. e = SHA-1(m)
3. w = s^-1 mod n
4. u_1 = e·w mod n, u_2 = r·w mod n
5. X = u_1·G + u_2·Q, if
6. X = (x_1, y_1), v = x_1 mod n
7.

62 Attacks on Hash function
- SHA-1
  - Preimage resistance: hard to find x: H(x) = y
  - Collision resistance: hard to find x_1 and x_2: H(x_1) = H(x_2)
- If not preimage resistant
  - One can forge signature: calculate parameters r, s, e, m: e = SHA-1(m), where (r, s) is valid signature for m
- If not collision resistant
  - One can repudiate messages: generate m’: SHA-1(m) = SHA-1(m’)

63 Signature Forgery
- A forgery is a signature computed without the signer’s private key
  - selective forgery: an adversary is able to create a valid signature for a particular message chosen a priori
  - existential forgery: an adversary is able to forge a signature for at least one message