Digital Signatures Applied Handbook of Cryptography: Chapt 11 slides courtesy of Xuhua Ding
Outline Framework RSA related signature schemes DSA related signature schemes One-time digital signatures Arbitrated signature schemes Signatures with added functionality Arbitrated signature schemes require a TTP for signature generation and verification, which results in computational generation and verification. With added functionality such as blind, undeniable and fail-stop signature schemes
Framework Digital Signatures can provide Authentication Data Integrity Non-Repudiation One Application Certification of public keys in large networks
Framework (cont) Definitions Digital Signature - a data string which associates a message with some originating entity Digital Signature Generation Algorithm – a method for producing a digital signature Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm
Framework (cont) Notation M message space MS signing space S signature space R a one-one mapping from M to MS called the redundancy function MR the image of R R-1 the inverse of R h a one-way function with domain M Mh hash value space, the image of h (h: M Mh)
Framework (cont) Taxonomy of digital signatures randomized signature schemes message recovery appendix deterministic randomized We can break signature schemes into two classifications: Digital signature schemes with appendix where the signature is appended to the message and both are required as input to the verification algorithm. Message recovery, where where the original message signed can be obtained from the signature itself. The original message is not required as input to the verification algorithm.
Framework (cont) Schemes with appendix Requires the message as input to verification algorithm Rely on cryptographic hash functions rather than customized redundancy functions DSA, ElGamal, Schnorr etc. More commonly used
Framework (cont) Digital Signature with Appendix M m mh Mh h s* S SA,k An entity A should obtain a public and private key. A should select an element k if the algorithm is randomized. Compute h(m) mapping m to the hash value space and apply the signing algorithm using A’s private key on this value to obtain s*. A’s signature for m is s* which are both made available to entities which may wish to verify the signature Verification involves obtaining A’s authentic public key VA, compute h(m) and apply the verification algorithm to h(m) and s*, if this results in true the signature is valid. If it results in false, the signature is invalid. s* = SA,k(mh) u = VA(mh, s*) Mh x S u {True, False} VA
Framework (cont) Desirable Properties For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than the signer to find an m M and an s S such that VA(m’, s*) = true, where m’ = h(m)
Framework (cont) Digital Signature with Message Recovery M m mr MR R SA,k MS An entity A has a public and private key. A should select an element k if the algorithm is randomized. Compute mr by applying the redundancy function. Apply the signing algorithm using A’s private key on this value to obtain s*. A’s signature is s*, only s* is made available for verifiers to recover the plaintext m. Verification involves obtaining A’s authentic public key VA, compute mr. If mr is not an element of the image of R then we reject the signature. Apply the inverse of the redundancy function to obtain m. It becomes clear that the redundancy function is very important. For example, if R were simply the identity mapping, one could simply choose and arbitrary s* and a corresponding message m is found simply by applying the verification algorithm. S MR M VA R-1 m s* mr
Framework (cont) Desirable properties For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an entity other than A to find any s* S such that VA(s*) MR
Framework (cont) mr MR R s* S SA,k MS M m mh Mh h We can turn any digital signature scheme with message recovery into a digital signature scheme with appendix simply by first hashing our message m. The message is now required as input to the verification algorithm. Notice that R is no longer critical to the security of the signature scheme.
Framework (cont) Breaking a signature scheme Total Break: private key is comprimised Selective forgery: adversary can create a valid signature on a preselected message Existential forgery: adversary can create a valid signature with no control over the message Total break can simply occur if the adversary finds an efficient algorithm that is functionally equivalent to the valid signing algorithm
Framework (cont) Types of attacks Key-only: adversary knows only the public key Message attacks Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) Adaptive chosen-message attack: adversary can use the signer as an oracle
RSA Key generation n, p, q, e, d Sign Verify Compute mr = R(m) Compute s = mrd mod n The signature for m is s Verify Obtain authentic public key (n, e) Compute mr = se mod n Verify that mr Mr Recover m = R-1(mr) n, e are public, p q and d are private. d = e inverse mod phi(n)
RSA (cont) Attacks Reblocking problem Integer factorization Homomorphic property Reblocking problem If signatures are encrypted different modulus sizes can render the message unrecoverable Importance of the redundancy function ISO/IEC 9796 For s1 and s2, we have that s1s2 is a signature for m1m2 given that m1m2 is an element of the image of the redundancy function. Thus it is important that our redundancy function is not multiplicative. Various solutions to this problem, one effective solution is to ensure that each modulus is of a special form. Or have one set t bits for signing and one set t+1 bits for encrypting. Where k is the number of bits in p and q.
RSA (cont) Performance (p, q are k-bit primes) Bandwidth Signature O(k3) Verification O(k2) Bandwidth Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of ½)
DSA DSA Algorithm : key generation select a prime q of 160 bits Choose 0t8, select 2511+64t <p< 2512+64t with q|p-1 Select g in Zp*, and = g(p-1)/q mod p, 1 Select 1 a q-1, compute y= a mod p public key (p,q, ,y), private key a Two primes p and q. We are dealing with two groups, one Z*p and a subgroup of that of order q. Here alpha is a generator of that subgroup. Notice that the security of our key is based on the discrete logarithm problem.
DSA (cont) DSA signature generation Select a random integer k, 0 < k < q Compute r=(k mod p) mod q compute k-1 mod q Compute s=k-1 (h(m) + ar) mod q signature = (r, s) Randomized! Vs. deterministic
DSA (cont) DSA signature verification Verify 0<r<q and 0<s<q, if not, invalid Compute w= s-1mod q and h(m) Compute u1=wh(m)mod q,u2=rw mod q Compute v = (u1yu2 mod p) mod q Valid iff v=r
DSA (cont) Security of DSA Parameters: Probability of failure two distinct DL problems: ZP*, cyclic subgroup order q Parameters: q~160bits, p 768~1Kb, p,q, can be system wide Probability of failure Pr[s=0]= (1/2)160 Note that Z*p we have the index-calculus methods such as coppersmiths algorithms which run in subexponential time. However, in the second group we are left with “square root” time with algorithms such as Pohlig Hellman Verification requires the computation of s inverse, if s is zero then an inverse does not exist
DSA (cont) Performance Signature Generation Verification One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be precomputed Verification Two modular exponentiations So we have that DSA signing is cheap and verification expensive, but RSA signing expensive, verification cheap.
ElGamal Key generation: p, q, , a, y=a mod p Signature Generation Select random k, 1 k p-1, gcd(k, p-1)=1 Compute r = k mod p Compute k-1 mod (p-1) Compute s = k-1 (h(m) - ar) mod (p-1) signature is (r,s) Here alpha is a generator of Z*p p alpha and y are public and a is private key Again, this is randomized as apposed to deterministic
ElGamal (cont) Signature Verification Verify 1 r p-1 Compute v1 = yrrs mod p Compute h(m) and v2= h(m) mod p Accept iff v1=v2
ElGamal (cont) Security (based on DL problem) Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p 1 mod 4, |p-1, DL can be broken for subgroup S of order . Forgeries are then possible We can solve this by letting alpha be a generator for a subgroup of Z*p of prime order rather than Z*p itself
ElGamal (cont) In addition… k must be unique for each message signed (s1-s2)k=(h(m1)-h(m2))mod (p-1) An existential forgery attack can be mounted if a hash function is not used If gcd((s1-s2),p-1)=1 then we can easily find k and from there we can find private key a p. 255
ElGamal (cont) Performance Generalized ElGamal Signatures Signature Generation One modular exponentiation One Euclidean Algorithm Both can be done offline Verification Three modular exponentiations Generalized ElGamal Signatures Euclidean is for inversion Also requires two modular multiplications We can use any cyclic group, preferably one where discrete logarithms are known to be quite hard, such as elliptic curve groups which also give us the benefit of shorter key lenghts.
One-Time Signatures Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message. Most one-time signature schemes have the property that signature generation and verification are both very efficient
Rabin One-Time Signatures Key generation Select a symmetric key encryption scheme E (e.g. DES) Generate 2n random secret strings k1,k2...k2nK, each of bit length l Compute yi=Eki(M0(i)), i [1,2n]. Public key is (y1,y2,...y2n), private key is (k1,k2,...k2n). Here M0(I) is the binary representation of I prepended with enough 0’s to construct an l-bit string
Rabin One-Time Signatures Signature Generation: compute si=Eki(h(m)), i [1,2n] signature is (s1,s2,...s2n) Verification: Compute h(m) Select n distinct random number rj, rj[1,2n] Request from signer, the keys krj, j: 1 j n Verify received n keys ie. does yrj= Ekrj(M0(rj))? Verify all srj = Ekrj(h(m)), Here note that we are using n or half of 2n, the original number of keys
Rabin One-Time Signatures Resolution of disputes: signer A, verifier B and TTP B provides m and the signature to TTP TTP gets private key k1,...k2n from A TTP verifies authenticity of the private key TTP computes ui=Eki(h(m)), 1 i n. If ui = si for at most n values of i, it is forgery. If n+1 or more values match, it is valid signature Rationale for dispute resolution protocol A can disavow with Pr = B cannot provide more than n encrypted values because it does not have another key or find a collision in the hash function A would need to find n values such that ui equals si and hope that B chooses these values.
Arbitrated Digital Signatures Requires an unconditionally TTP as part of the signature generation and signature verification. Each entity shares a symmetric key with the TTP Symmetric key cryptography results in a very fast algorithm However, this speedup is overshadowed by the TTP as well as communication overhead
Arbitrated Digital Signatures Signature Generation (by A) IA, u = EkA(h(m)) s = EkT(h(m)||IA) A TTP A simply hashes its message and sends that hash along with an identifier for A to the TTP encrypted with their shared key. The TTP simply decrypts that value and returns a signature s encrypted with TTP secret key.
Arbitrated Digital Signatures Signature Verification (by B) IB, v = EkB(s) EkB(h(m)||IA) B TTP B sends the signature encrypted with it’s shared key. TTP decrypts v then decrypts s and returns the identifier for A and the hashed message.
ESIGN Key generation Compute n=p2q, select k>3 Public key(n,k), private (p,q) Sign message m compute v=h(m), random x, 0 x < pq w = ((v-xk) mod n/ (pq), y = w(kxk-1)-1 mod p Compute s=x+ypq mod n Verify: compute u = sk mod n, z = h(m) if z u z + 22 lg(n)/3 , accept the signature Here p and q are prime This s will be our signature
ESIGN (cont) Why does this work? I refer you to the text p 473 Security of ESIGN Based on factoring of large integers. Not known whether n=p2q is easier than factoring RSA modulus Given m and s, in order to forge a signature for m’, we must have that Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m’ For any reasonably large size n, this value is sufficiently large
ESIGN (cont) Efficiency of ESIGN The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4) For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation. For any reasonably large size n, this value is sufficiently large
Blind signature scheme Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B’s signature on a priori message m of A’s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it. Application: e-cash
Blind signature scheme (cont) Chaum Sender A; Signer B B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 k < n Protocol actions (blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk (signing) B comp s* = (m*)d mod n, to A (unblinding) A: computes s = k-1s* mod n
Undeniable Signature Schemes Definition: signature verification requires the cooperation of signer Chaum-van Antwerpen Key generation Select random prime p=2q+1, q is prime Select a generator for the subgroup of order q in Zp* Select random a{1,2,...q-1}, y= amod p public (p, , y), private a Applications might include copyright of software. The book outlines a bank example where a required signature at the time a cusomer views a safety deposit box cannot be used later in the future.
Chaum-van Antwerpen Signature Generation Verification compute s = ma mod p Verification B selects a random secret integers x1, x2 {1,2,...q-1} B computes z = sx1yx2 mod p, and sends z to A A computes w = za-1mod p, and sends w to B B computes w = mx1x2 mod p. Valid iff w= w
Chaum-van Antwerpen If s is a forgery, B accept it with pr=1/q and independent of adversary’s computation resources A could attempt to disavow a signature refuse to participate in verification perform the verification incorrectly claim a signature forgery even though the verification protocol is successful. The first is quite easy, the second and third require a disavowal protocol
Chaum-van Antwerpen Disavowal protocol Select two pair (x1, x2) and (x’1, x’2) and verify twice Compute c = (w-x2)x’1 mod p and c = (w-x’2)x1 mod p, if c = c, s is a forgery, otherwise s is valid and A is attempting to disavow the signature Let m be message, s a signature on m If s ma mod p and the disavowal protocol runs correctly, then c=c If s = ma mod p. B follows protocol, but A does not. The Pr[c=c] is 1/q ie if s is a forgery