Cryptography Lecture 9 Stefan Dziembowski
Plan 1.Definition od secure signature schemes 2.RSA signatures 3.Hash-and-sign paradigm 4.ElGamal signatures
Signature schemes digital signature schemes ≈ MACs in the public-key setting
Remember MACs? Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Gen(1 n ) Vrfy k (m,t) є {yes,no} 1n1n
Signature schemes Alice Bob (m, σ=Sign sk (m)) sk pk m є {0,1}* Gen(1 n ) Vrfy pk (m,σ) є {yes,no} 1n1n
Anyone can verify the signatures P5P5 P1P1 P3P3 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 1. Sign(sk 3,m) public register: Sign(sk 3,m) 2. reads pk 3 sk 3 3. computes Vrfy(pk 3,m)
Advantages of the signature schemes Digital signatures are: 1.publicly verifiable 2.transferable 3.provide non-repudiation (we explain it on the next slides)
Look at the MACs... Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Carol Look, I got (m,t) from Alice Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag?
Signatures are publicly-verifiable! Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Carol I can calculate Vrfy(pk A,m,σ) and check. Look, I got (m,σ) from Alice
So, the signatures are transferable P2P2 P3P3 Alice P4P4 P1P1 σ = Sign(sk 3,m) sk A (m,σ) Alice signed m pk A Alice signed m I believe it!
Non-repudiation Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Judge I got (m,σ) from Alice It’s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m...
Digital Signature Schemes A digital signature scheme is a tuple (Gen,Sign,Vrfy) of poly-time algorithms, such that the key-generation algorithm Gen takes as input a security parameter 1 n and outputs a pair (pk,sk), the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ, the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}. If Vrfy pk (m,σ) = yes then we say that t is a valid signature on the message m.
Correctness We require that it always holds that: Vrfy pk (m,Sign sk (m)) = yes What remains is to define security of a MAC.
How to define security? As in the case of MACs, we need to specify: 1.how the messages m 1,...,m t are chosen, 2.what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that 1.The adversary is allowed to chose m 1,...,m t. 2.The goal of the adversary is to produce a valid signature on some m’ such that m’ ≠ m 1,...,m t.
security parameter 1 n selects (pk,sk) = Gen(1 n ) oracle m1m1 mtmt... We say that the adversary breaks the MAC scheme at the end she outputs (m’, σ’) such that 1. Vrfy(m’, σ’) = yes 2. m’ ≠ m 1,...,m t adversary pk Sign sk (m 1 ) Sign sk (m t )
The security definition We say that (Gen,Mac,Vrfy) is existentially unforgeable under an adaptive chosen- message attack if A polynomial-time adversary A P(A breaks it) is negligible (in n) sometimes we just say: secure
How to design secure signature schemes? Rember the idea with the ``trapdoor permutations’’?
Trapdoor permutations XX easy easy: one can compute E pk -1 if one knows a trapdoor sk hard (otherwise) E pk this is denoted D sk A family of permutations indexed by pairs (pk,sk): { E : X → X } (pk,sk) є keys such that:
How to encrypt a message m messagesciphertext m := D sk (c) c := E pk (m) one can compute it only if one knows sk encryption decryption: Warning: in general it’s not that simple.
How to sign a message m signaturesmessages D sk (m) E pk (m) one can compute it only if one knows sk signing: verifying: Warning: in general it’s not that simple.
In general it’s not that simple 1.Not every trapdoor permutation is OK. 2.There are other ways to create signature schemes. 3.One can even construct a signature scheme from any one-way function. (this is a theoretical construction)
The “handbook” RSA signatures N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = m d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes if σ e = m (mod N) no otherwise Correctness: follows from the fact that ( m d ) e = m (mod N) φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)
Problems with the “handbook RSA” (1/2) A “no-message attack”: The adversary can forge a signature on a “random” message m. Given the public key (N,e): he just selects a random σ and computes m = σ e mod N. Trivially, σ is a valid signature on m.
Problems with the “handbook RSA” (2/2) How to forge a signature on an arbitrary message m? oracle m1m1 adversary Sign sk (m 1 ) = m 1 d mod N Sign sk (m 2 ) = m 2 d mod N (N,e) chooses: 1.random m 1 2.m 2 := m / m 1 mod N m2m2 computes (mod N): m 1 d · m 2 d = (m 1 · m 2 ) d = m d this is a valid signature on m
Is it a problem? In many applications – probably not. But we would like to have schemes that are not application-dependent...
Solution Before computing the RSA function – apply some function H. N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = H(m) d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes if σ e = H(m) (mod N) no otherwise
How to choose such H? A minimal requirement: it should be collision-resistant. (because if the adversary can find two messages m,m’ such that H(m) = H(m’) then he can forge a signature on m’ by asking the oracle for a signature on m)
A typical choice of H Usually H is one of the popular hash functions. Additional advantage: We can sign very long messages keeping the modulus N small (it’s much more efficient!). It is called a hash-and-sign paradigm.
Hash-and-Sign (1/3) 1. (Gen,Sign,Vrfy) – a signature scheme “for short messages” short x signature σ Sign sk σ yes / no Vrfy pk x m 2. a hash function H H H(m)
Hash-and-Sign (2/3) signature Sign sk (H(m)) Sign sk m H H(m) How to sign a message m?
Hash-and-Sign (3/3) How to verify? σ yes / no Vrfy pk m H H(m)
Hash-and-Sign It can be proven that this construction is secure. For this we need to assume that H is taken from a family of collision-resilient hash functions. {H s } s є keys Then s is a part of the public key and the private key.
What can be proven Suppose 1.{H s } s є keys is a family of collision-resistant hash functions, 2.(Gen,Sign,Vrfy) is a secure signature scheme. Then the signature scheme constructed on the previous slide is secure.
Can anything be proven about the “hashed RSA” scheme? Not really (it is provably secure only under very strong assumptions). But at least the attacks described before “look infeasible”. 1.For the first attack: one would need to invert H. 2.The second attack: Looks impossible because the adversary would need to find messages m,m 1,m 2 such that H(m) = H(m 1 ) · H(m 2 )
Other popular signature schemes Based on discrete log: ElGamal signatures Digital Signature Standard (DSS) (also based on other groups – elliptic curves)...
ElGamal signatures but remember that we can use the hash-and-sign paradigm
How to understand it? start with the verification condition the signature the message
Security of ElGamal If the discrete log in Z p * is hard, then the scheme is broken. To hope for any security one needs to hash the message before signing. Is there any proof of security of the “hashed” El Gamal? No...