Chapter 8 Digital Signature Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li


Zhijun LiS /Autumn08/HIT2
Outline
Nonrepudiation & Digital Signature
RSA Signature
ElGamal Signature
Digital Signature Algorithm
Digital Signature with other Properties
–Security Provable Signature
–Blind Signature
–Undeniable Signature
–Fail-Stop Signature

Security Goals
Confidentiality/secrecy/privacy
–Encryption
Integrity
–MAC
Nonrepudiation
–Identity (source or destination) cannot deny transmitting the message
–Use ?

Nonrepudiation
Nonrepudiation: Identity (source or destination) cannot deny transmitting the message
–Authentication protects two parties from third parties
–Nonrepudiation protects two parties against each other
Example: Alice sends IOU message to Bob
–Alice can deny sending the message
–Bob may forge a different message and claim that it came from Alice

IOU Protocol Review
[Diagram: Alice, holding the key pair $\{KU_A, KR_A\}$, sends $M$ and $E_{KR_A}[H(M)]$ to Bob; Bob passes $M$ and $E_{KR_A}[H(M)]$ to the Judge, who knows $KU_A$. $E_{KR_A}[H(M)]$ is labelled "Digital Signature".]

Digital Signature
Digital Signature: a data string which associates a message with some originating entity
Digital Signature Scheme: for each key, there is a SECRET signature generation algorithm and a PUBLIC verification algorithm
Digital Signature & PKI
–Digital signature is difficult to implement in other ways

Digital Signature Scheme
[Diagram: the Signer feeds the Document and the Private key into Signature generation, producing the Signature; the Verifier feeds the Document, the Signature and the Public key into Signature verification, which outputs OK / not OK.]
SIG: $K \times M \to S$; $k \in K$ is the secret key
VER: $K' \times M \times S \to \{\text{OK}, \text{FAIL}\}$; OK iff $s$ is a valid signature; $e$ is the public key

Adversary of Digital Signature
Adversarial goals:
–Total break: adversary can forge a signature on any message
–Selective forgery: adversary is able to create valid signatures on a chosen message with a significant probability
–Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid
Note:
–A signature scheme cannot be perfectly secure: the adversary can always forge a signature given enough time
–A signature scheme can only be computationally secure

Attack Model to Digital Signature
Key-only attack: Adversary knows only the verification function (it is supposed to be public)
Known message attack: Adversary knows a list of messages previously signed by Alice
Chosen message attack: Adversary can choose which messages Alice signs, and knows the messages and the corresponding signatures


RSA Signature
Given RSA $\{(e, n), (d, p, q)\}$
SIG(d, m): $s = m^d \pmod n$
VER(e, m, s): $m \stackrel{?}{=} s^e \pmod n$
$s^e = m^{ed} \pmod n = m \pmod n$

Existential Forgery
Oscar can generate a valid signature by:
1. Choose signature $s \in Z_n$
2. Encrypt: $m = e_{k_{pub}}(s) = s^e \bmod n$
3. Send $(m, s)$ to Bob
4. Bob verifies: $ver_{k_{pub}}(m, s)$: $s^e \equiv m \pmod n \Rightarrow$ true
Note:
–$m$ can't be controlled, so existential forgery

Remark for This Forgery
It is a key-only attack
Countermeasures:
–Use some redundancy in the message to detect it
–Example: $Sig(m) = (Hash(m))^d = s$
–$s^e = Hash(m)$: the forger needs to find $m$ with $Hash(m) = s^e$
–Hash is preimage resistant: the forger knows $Hash(m)$, but NOT $m$

Another Existential Forgery
If $(m_1, s_1)$ and $(m_2, s_2)$ are valid signatures, then $(m = m_1 m_2,\ s = s_1 s_2)$ is valid
If $(m, s)$ is a valid signature, then $(m^{-1}, s^{-1})$ is valid
Remark:
–An existential forgery
–$Sig(m) = (Hash(m))^d$ is also useful
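The two forgeries above and the hash countermeasure, side by side, as an added example that is not part of the original slides. The key is a constructed toy key built from two Mersenne primes, and the names `sign_raw`, `sign_hashed`, `key_only_pair` and `product_pair` are assumptions of this sketch; reducing SHA-256 modulo n stands in for a real encoding.

```python
import hashlib

# Constructed toy key (assumption): far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def sign_raw(m: int) -> int:
    """Slide scheme: s = m^d mod n, applied to the message itself."""
    return pow(m, D, N)


def verify_raw(m: int, s: int) -> bool:
    return 0 <= m < N and pow(s, E, N) == m


def digest(msg: bytes) -> int:
    """Hash to an integer below N (toy encoding, not a padding standard)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_hashed(msg: bytes) -> int:
    """Countermeasure from the slide: Sig(m) = Hash(m)^d."""
    return pow(digest(msg), D, N)


def verify_hashed(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == digest(msg)


def key_only_pair(s: int):
    """Choose s first and derive m = s^e mod n; uses the public key only."""
    return pow(s, E, N), s


def product_pair(pair1, pair2):
    """Multiply two valid (m, s) pairs component-wise."""
    (m1, s1), (m2, s2) = pair1, pair2
    return (m1 * m2) % N, (s1 * s2) % N


def to_bytes(m: int) -> bytes:
    return m.to_bytes((N.bit_length() + 7) // 8, "big")


def demo():
    m, s = key_only_pair(123456789)
    prod = product_pair((42, sign_raw(42)), (1000, sign_raw(1000)))
    s_mix = sign_hashed(b"pay Bob 10") * sign_hashed(b"pay Bob 20") % N
    return {
        "raw accepts key-only pair": verify_raw(m, s),
        "raw accepts product pair": verify_raw(*prod),
        "hashed accepts key-only pair": verify_hashed(to_bytes(m), s),
        "hashed accepts product of signatures":
            verify_hashed(b"pay Bob 10" + b"pay Bob 20", s_mix),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

With the raw scheme both constructed pairs verify; with the hashed scheme the verifier recomputes Hash(m) itself, so neither pair corresponds to a message the forger can name.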


ElGamal Signature
Key generation:
–Chooses a prime $p$, and chooses a generator $g \in Z_p^*$
–Selects a random integer $k$ as the private key
–Computes the public key $\beta = g^k \bmod p$
–Public key is $(\beta, g, p)$
–Private key is $(k)$

ElGamal Signature
Signing a message $m$:
–Select random $r$, $1 \le r \le p-1$, $r \in Z_{p-1}^*$ ($\gcd(r, p-1) = 1$)
–Compute $x \equiv g^r \pmod p$
–Solve for $y$ in the congruence $m \equiv k \cdot x + r \cdot y \pmod{p-1}$
–$SIG_{k,r}(m) = (x, y)$

ElGamal Signature
Verification:
–Receive the $m$ and $s = (x, y)$
–Computes $g^m$
–Computes $\beta^x \cdot x^y$
–VER(m, s): $g^m \stackrel{?}{\equiv} \beta^x \cdot x^y \pmod p$

Why This Schema Can Work?
If m=m, x=x, y=y (the received values are the signed ones):
$\beta^x \cdot x^y \pmod p = g^{kx} \cdot g^{ry} \pmod p$
$ry = m - kx \pmod{p-1}$
$kx + ry = m \pmod{p-1}$
$\beta^x \cdot x^y = g^{kx+ry} = g^m \pmod p$
Why?

ElGamal Signature Example
1. Choose $p = 11$, $g = 2$ and $k = 8$
2. $\beta = 2^8 \bmod 11 = 3$. So: Public key $(3, 2, 11)$
3. Signing $m = 5$
3.1 select a random integer $r = 9$, $\gcd(10, 9) = 1$
3.2 computes $x = g^r \bmod p = 2^9 \bmod 11 = 6$
3.3 solves $5 = 8 \cdot 6 + 9 \cdot y \bmod 10$; because $9^{-1} = 9 \bmod 10$, $y = 9^{-1} \cdot (5 - 8 \cdot 6) = 3 \bmod 10$
3.4 signature $s = (6, 3)$
4. Verification: $\beta^x \cdot x^y \equiv 21 \equiv 10 \pmod{11}$ and $g^m = 2^5 \equiv 10 \pmod{11}$

Security of ElGamal Signature
Based on DLP BUT weaker than DLP
–Existential Forgery: find $(m, x, y)$ s.t. $\beta^x \cdot x^y = g^m$
–Suppose $x = g^i \beta^j \pmod p \Rightarrow g^m \equiv \beta^x (g^i \beta^j)^y \pmod p$
–$g^{m-iy} \equiv \beta^{x+jy} \bmod p$
–Let $m - iy \equiv 0 \bmod p-1$ and $x + jy \equiv 0 \bmod p-1$
–If $\gcd(j, p-1) = 1$
–$y = -x j^{-1} \pmod{p-1}$
–$m = -x i j^{-1} \pmod{p-1}$ (if hash?)
–$x = g^i \beta^j \pmod p$

Security of ElGamal Signature
The random $r$ must be kept secret
–$k = (m - ry)x^{-1} \pmod{p-1}$
The random $r$ must be unique for each message
–$\beta^x \cdot x^{y_1} \equiv g^{m_1} \pmod p$; $\beta^x \cdot x^{y_2} \equiv g^{m_2} \pmod p$
–$g^{m_1 - m_2} \equiv x^{y_1 - y_2} \equiv g^{r(y_1 - y_2)} \pmod p$
–$m_1 - m_2 \equiv r(y_1 - y_2) \bmod p-1$
–$d = \gcd(y_1 - y_2, p-1)$; $d \mid (m_1 - m_2)$
–$m' = (m_1 - m_2)/d$; $y' = (y_1 - y_2)/d$; $p' = (p-1)/d$
–$m' \equiv r y' \bmod p'$ and $\gcd(y', p') = 1$
–$r = m' y'^{-1} + i p' \bmod p-1$, $i < d$; test the candidates by $x = g^r \bmod p$
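Why the random value must never repeat, worked through in code as an added example that is not part of the original slides. It uses the slides' roles (k is the private key, r the per-message random value) and follows the gcd derivation above; the helper names and the `shared_x` audit check are assumptions of this sketch, and the parameters in the test (p = 467, g = 2) are constructed toy values.

```python
from math import gcd


def sign(p, g, k, m, r):
    """Slide scheme: x = g^r mod p, y solves m = k*x + r*y (mod p-1)."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be invertible modulo p-1")
    x = pow(g, r, p)
    y = (m - k * x) * pow(r, -1, p - 1) % (p - 1)
    return x, y


def verify(p, g, beta, m, sig):
    """Accept iff g^m = beta^x * x^y (mod p)."""
    x, y = sig
    if not 1 <= x <= p - 1:  # range check, an addition to the slide's test
        return False
    return pow(beta, x, p) * pow(x, y, p) % p == pow(g, m, p)


def solve_congruence(a, b, n):
    """All t in [0, n) with a*t = b (mod n): gcd(a, n) solutions or none."""
    a, b = a % n, b % n
    if a == 0:
        return []
    d = gcd(a, n)
    if b % d:
        return []
    n_red = n // d
    t0 = (b // d) * pow(a // d, -1, n_red) % n_red
    return [t0 + i * n_red for i in range(d)]


def shared_x(signed):
    """Audit check: index pairs of (m, (x, y)) entries that share x,
    which means the same r was used twice."""
    return [(i, j)
            for i in range(len(signed))
            for j in range(i + 1, len(signed))
            if signed[i][1][0] == signed[j][1][0]]


def recover_from_shared_r(p, g, beta, m1, sig1, m2, sig2):
    """Return (r, k) when both signatures share x, else None."""
    (x1, y1), (x2, y2) = sig1, sig2
    if x1 != x2:
        return None
    # r*(y1 - y2) = m1 - m2 (mod p-1); keep the candidate with g^r = x.
    for r in solve_congruence(y1 - y2, m1 - m2, p - 1):
        if pow(g, r, p) != x1:
            continue
        # k*x = m1 - r*y1 (mod p-1); keep the candidate with g^k = beta.
        for k in solve_congruence(x1, m1 - r * y1, p - 1):
            if pow(g, k, p) == beta:
                return r, k
    return None


if __name__ == "__main__":
    print(sign(11, 2, 8, 5, 9))  # the example slide: p=11, g=2, k=8, r=9
```

Running `shared_x` over stored signatures is a cheap way to detect a signer whose random number generator repeats.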

Lesson of ElGamal Signature
Hash function $h$ must be used
–Otherwise an existential forgery attack is easy
Signature length is 2 times the length of $p$
–$p$ = 1024 bits
–For some storage limited devices (smart card)


DSA Overview
Published by NIST in 1992 (FIPS PUB 186)
Remark:
–DSA is a variant of the ElGamal signature
–Using SHA hash algorithms and the digest is 320 bits
–Sometimes called DSS (Digital Signature Standard)

From ElGamal Signature
Use a subgroup $\{\alpha, \alpha^2, \ldots, \alpha^q\}$ in $Z_p^*$, the order of $\alpha$ is $q$
–$q$ is a 160-bit prime
–$p$ is a 1024-bit prime
Introduce the hashing function
–SHA1(m) is also 160 bits

From ElGamal Signature
$y = r^{-1}(m + k \cdot x) \pmod{p-1}$
–Verify $\alpha^m \beta^x = x^y \bmod p$
–$\mathrm{ord}(\alpha) = q$, so all exponents need mod $q$
–$x = (\alpha^r \bmod p) \bmod q$
–$y = (m - k \cdot x) r^{-1} \pmod q$ (x can be replaced by x)
–$\alpha^m \beta^x = x^y \bmod p \Leftrightarrow \alpha^{m y^{-1}} \beta^{x y^{-1}} = x \bmod p \Rightarrow (\alpha^{m y^{-1}} \beta^{x y^{-1}} \bmod p) \bmod q = x$

DSA: Key Generation
Select a prime $q$ of 160 bits
Choose $0 \le t \le 8$ and t <p< t with $q \mid p-1$
Let $g$ be a generator of $Z_p^*$, and $\alpha = g^{(p-1)/q} \bmod p$
Select $1 \le k \le q-1$
Compute $\beta = \alpha^k \bmod p$
Public key: $(p, q, \alpha, \beta)$
Private key: $k$

DSA: Signature
Signing message $m$:
1. Compute one-way hash $h = \text{SHA-1}(m)$
2. Select a random signing key $r$, $0 < r < q$
3. Compute
–$x = (\alpha^r \bmod p) \bmod q$
–$y = (\text{SHA-1}(m) + xk) \cdot r^{-1} \bmod q$
–$SIG(m) = (x, y)$

DSA: Verification
Verifying $m$, $(x, y)$:
1. Verify $0 < x < q$ and $0 < y < q$, if not, invalid
2. Verifier computes
–$w = y^{-1} \bmod q$
–$u_1 = \text{SHA-1}(m) \cdot w \bmod q$
–$u_2 = x \cdot w \bmod q$
–$v = (\alpha^{u_1} \cdot \beta^{u_2} \bmod p) \bmod q$
3. Verifier accepts the signature iff
–$v = x$

DSA Remark
Advantages:
–Suitable for storage limited devices
–Hashing function is used
–Based on discrete logarithm problem
Disadvantages:
–Unpublicized selection


Security Provable Signature
Idea:
–Forgery can be reduced to inverting a one-way function
Lamport One-time Signature:
–$P = \{0,1\}^k$, $f$ is a one-way function $f: Y \to Z$
–Choose secret keys $y_{i,j} \in Y$, $1 \le i \le k$, $j = 0, 1$
–Let $z_{i,j} \in Z$, $1 \le i \le k$, $j = 0, 1$ be the public keys
–$Sig(m_1, m_2, \ldots, m_k) = (y_{1,m_1}, y_{2,m_2}, \ldots, y_{k,m_k})$
–$Ver((m_1, m_2, \ldots, m_k), (a_1, a_2, \ldots, a_k)) = \text{true} \Leftrightarrow f(a_i) = z_{i,m_i}$

Lamport Signature Example
$p = 7879$ and 3 is a generator
$f(x) = 3^x \bmod 7879$
$y_{1,0} = 5831$; $y_{1,1} = 735$; $y_{2,0} = 803$; $y_{2,1} = 2467$; $y_{3,0} = 4285$; $y_{3,1} = 6449$
$z_{1,0} = 2009$; $z_{1,1} = 3810$; $z_{2,0} = 4672$; $z_{2,1} = 4721$; $z_{3,0} = 268$; $z_{3,1} = 5731$
$m = (1,1,0)$: $Sig(m) = (735, 2467, 4285)$
Verification: $3^{735} \bmod 7879 = 3810$; $3^{2467} \bmod 7879 = 4721$; $3^{4285} \bmod 7879 = 268$

One-Time Digital Signature
One-time digital signatures:
–Used to sign at most one message
–Otherwise signatures can be forged
–In Lamport: $(1, 0, 1) + (0, 1, 0)$ = all $2^3$
–A new public key is required for each signed message
Advantage:
–Signature and verification can be very efficient
–Can be very secure
–Is useful for cards with low resources
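The Lamport scheme and its one-time restriction in code, as an added example that is not part of the original slides. It takes f and the secret values from the example slide, derives the public key by applying f, and counts which messages become signable once signatures are observed; `forgeable_messages`, `forge` and `OneTimeSigner` are names assumed for this sketch.

```python
from itertools import product

P, G = 7879, 3


def f(x):
    """One-way function of the example slide: f(x) = 3^x mod 7879."""
    return pow(G, x, P)


# Secret key from the example slide: Y[i] = (y_{i+1,0}, y_{i+1,1}).
Y = [(5831, 735), (803, 2467), (4285, 6449)]
# Public key, derived here as z_{i,j} = f(y_{i,j}).
Z = [(f(y0), f(y1)) for y0, y1 in Y]


def sign(m, secret):
    """Reveal y_{i,m_i} for every bit m_i of the message."""
    return tuple(secret[i][bit] for i, bit in enumerate(m))


def verify(m, sig, public):
    return len(m) == len(sig) == len(public) and all(
        f(a) == public[i][bit] for i, (bit, a) in enumerate(zip(m, sig)))


def revealed(signed):
    """Secret values disclosed by a list of (message, signature) pairs."""
    known = {}
    for m, sig in signed:
        for i, (bit, a) in enumerate(zip(m, sig)):
            known[(i, bit)] = a
    return known


def forgeable_messages(signed, k):
    """Every k-bit message whose signature can be assembled from what
    the signer has already revealed."""
    known = revealed(signed)
    return [m for m in product((0, 1), repeat=k)
            if all((i, bit) in known for i, bit in enumerate(m))]


def forge(m, signed):
    """Assemble a signature on m from observed signatures only."""
    known = revealed(signed)
    return tuple(known[(i, bit)] for i, bit in enumerate(m))


class OneTimeSigner:
    """Enforces the rule on the signer's side: one key, one message."""

    def __init__(self, secret):
        self._secret = secret
        self._used = False

    def sign(self, m):
        if self._used:
            raise RuntimeError("key already used; generate a new key pair")
        self._used = True
        return sign(m, self._secret)


if __name__ == "__main__":
    seen = [((1, 0, 1), sign((1, 0, 1), Y)), ((0, 1, 0), sign((0, 1, 0), Y))]
    print(len(forgeable_messages(seen, 3)), "of 8 messages are signable")
```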

Lamport-Preimage(z)
If we have Lamport-Forge:
Lamport-Preimage(z)
  Select $i_0 \in \{1, \ldots, k\}$ and $j_0 \in \{0, 1\}$ randomly
  Build public key $Z = (z_{i,j}: 1 \le i \le k, j = 0, 1)$ s.t. $z = z_{i_0, j_0}$
  $((m_1, \ldots, m_k), (a_1, \ldots, a_k))$ = Lamport-Forge(z)
  if $m_{i_0} = j_0$ then return $(a_{i_0})$ else return (fail)

Success of Lamport-Preimage
Theorem: with Lamport-Forge, the success rate of Lamport-Preimage(z) $\ge 1/2$
Proof:
–Let $S$ be the set of all public keys, $s = |S|$
–Let $S_z$ be the set of public keys containing $z$, $s_z = |S_z|$
–Let $T_z$ be all $Z \in S$ with Lamport-Preimage success, $t_z = |T_z|$
–$\sum_{z \in Z} t_z = ks$; $2ks = s_z |Z|$
–$\Pr(\text{success}) = \frac{1}{|Z|} \sum_{z \in Z} p_z = \frac{1}{|Z|} \sum_{z \in Z} \frac{t_z}{s_z} = \sum_{z \in Z} \frac{t_z}{s_z |Z|} = \frac{1}{2ks} \sum_{z \in Z} t_z = \frac{ks}{2ks} = \frac{1}{2}$

Blind Signature
Situation: Signing without knowing the content
Example: Anonymous electronic cash
[Diagram: scene with Alice, Bob and the Authority. Steps: ① Blinding, ② Blinded Message, ③ Sign, ④ Signature, ⑤ Unblinding, ⑥ Signature, ⑦ Verification.]

RSA Blind Signature
Initialization:
–Authority: $p, q$ are primes, $N = p \times q$, public key $e$ and $e \times d \equiv 1 \bmod (p-1)(q-1)$
Blinding:
–Alice: Get $N$ and $e$, choose a random $r \in Z_N^*$, compute blinded message $b \equiv m \times r^e \pmod N$

RSA Blind Signature
Signing:
–Authority: sign the blinded message $b$: $s = b^d$
Unblinding:
–Alice: Remove the $r$ from $s$: $s = s \times r^{-1} \equiv m^d \pmod N$
Verify:
–Bob: Receive $(m_1, s_1)$, check $s_1^e \stackrel{?}{\equiv} m_1 \pmod N$
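The blinding, signing, unblinding and verification steps as one exchange, in an added example that is not part of the original slides. The key is a constructed toy key from two Mersenne primes, and the `Authority` class with its `seen` log is an assumption used here to show what the signer actually observes.

```python
import secrets
from math import gcd

# Constructed toy key (assumption): far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1


class Authority:
    """Signs whatever blinded value it is given and logs what it saw."""

    def __init__(self):
        self.n, self.e = P * Q, 65537
        self._d = pow(self.e, -1, (P - 1) * (Q - 1))
        self.seen = []

    def sign(self, b):
        self.seen.append(b)
        return pow(b, self._d, self.n)


def blind(m, n, e):
    """Alice: pick r in Z_N^* (r != 1) and return (b, r), b = m * r^e mod N."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return m * pow(r, e, n) % n, r


def unblind(s_blinded, r, n):
    """Alice: (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d."""
    return s_blinded * pow(r, -1, n) % n


def verify(m, s, n, e):
    """Bob: ordinary RSA verification, s^e = m (mod N)."""
    return pow(s, e, n) == m % n


def run_exchange(m):
    authority = Authority()
    b, r = blind(m, authority.n, authority.e)
    s = unblind(authority.sign(b), r, authority.n)
    return authority, b, s


if __name__ == "__main__":
    authority, b, s = run_exchange(424242)
    print("authority saw the message:", 424242 in authority.seen)
    print("signature verifies:", verify(424242, s, authority.n, authority.e))
```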

Undeniable Signature
Signature with the following features:
–Signature verification must involve the participation of the signer
–Signer can prove that a signature is not valid
–Signer can't deny a valid signature
–So undeniable
Example:
–Software distribution

Why Undeniable?
The signer needs to be online when verifying
–The precondition for undeniability
–Challenge-Response interaction
The signer can prove a signature is forged
–If he refuses to prove it
–Then the signature is valid

How to Prove?
In Challenge-Response interaction
–If the verification fails, either the signature is a fraud or the signer cheats by giving an "incorrect" response
–So some protocol needs to run after a failure
Summary: Signing & Verification & Disavowal Protocol

Chaum-van Antwerpen Signature
Initialization: The Signer chooses:
–two primes $p$ and $q$, and $p = 2q + 1$
–$g \in Z_p^*$ and $\mathrm{ord}(g) = q$
–$G$ generated by $g$, so $G$ is a subgroup of $Z_p^*$
–A random $k$ ($0 < k < q$), $k$ is secret and $g^k$ is public

Chaum-van Antwerpen Signature
Signing: For a message $m \in G$: $s = m^k \pmod p$
Verification: Bob and Signer interact:
–Challenge: Bob selects two random $a, b \in Z_q^*$ and sends the challenge $c = s^a (g^k)^b \pmod p$
–Response: $r = c^{k^{-1}} \equiv m^a \cdot g^b \pmod p$
–Test: Bob checks VER(m, r) = ($r \stackrel{?}{\equiv} m^a g^b \pmod p$)

Chaum-van Antwerpen Signature
Disavowal Protocol: (when verification fails)
–Bob → Signer: select $a_1, b_1 \in Z_q^*$ and sends $c_1 = s^{a_1} (g^k)^{b_1} \pmod p$
–Signer → Bob: $r_1 = c_1^{k^{-1}}$
–Test: if $r_1 \ne m^{a_1} \cdot g^{b_1} \pmod p$, then follow
–Bob → Signer: select $a_2, b_2 \in Z_q^*$ and sends $c_2 = s^{a_2} (g^k)^{b_2} \pmod p$
–Signer → Bob: $r_2 = c_2^{k^{-1}}$
–Test: $r_2 \ne m^{a_2} \cdot g^{b_2} \pmod p$
If $(r_1 \cdot g^{-b_1})^{a_2} \equiv (r_2 \cdot g^{-b_2})^{a_1} \pmod p$ then forged, else signer cheats
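The verification and disavowal rounds run against an honest and a dishonest signer, as an added example that is not part of the original slides. The parameters p = 467, q = 233, g = 4 are constructed toy values, Bob's challenge exponents are passed in explicitly so the run is repeatable (in use they are random), and the `cheat` flag that makes the signer answer incorrectly is an assumption of this sketch.

```python
# Constructed toy parameters: p = 2q + 1 and g = 4 has order q modulo p.
P, Q, G = 467, 233, 4


class Signer:
    def __init__(self, k, cheat=False):
        self._k = k
        self.pub = pow(G, k, P)      # g^k is public
        self.cheat = cheat           # True: answers challenges incorrectly

    def sign(self, m):
        """s = m^k mod p for a message m in the subgroup G."""
        return pow(m, self._k, P)

    def respond(self, c):
        """r = c^(k^-1 mod q) mod p."""
        r = pow(c, pow(self._k, -1, Q), P)
        return r * G % P if self.cheat else r


def challenge(s, pub, a, b):
    """Bob: c = s^a * (g^k)^b mod p."""
    return pow(s, a, P) * pow(pub, b, P) % P


def expected(m, a, b):
    """Value a correct response must equal: m^a * g^b mod p."""
    return pow(m, a, P) * pow(G, b, P) % P


def verify(signer, m, s, a, b):
    return signer.respond(challenge(s, signer.pub, a, b)) == expected(m, a, b)


def disavow(signer, m, s, round1, round2):
    """Two challenge rounds followed by the consistency test.
    Returns 'valid', 'forged' or 'signer cheats'."""
    (a1, b1), (a2, b2) = round1, round2
    r1 = signer.respond(challenge(s, signer.pub, a1, b1))
    r2 = signer.respond(challenge(s, signer.pub, a2, b2))
    if r1 == expected(m, a1, b1) or r2 == expected(m, a2, b2):
        return "valid"
    lhs = pow(r1 * pow(G, -b1, P) % P, a2, P)
    rhs = pow(r2 * pow(G, -b2, P) % P, a1, P)
    return "forged" if lhs == rhs else "signer cheats"


def scenario():
    m = pow(G, 57, P)                # a message inside G
    honest = Signer(101)
    liar = Signer(101, cheat=True)
    s = honest.sign(m)
    bogus = pow(m, 102, P)           # not m^k, so not a valid signature
    rounds = ((45, 7), (125, 9))
    return {
        "valid signature, honest signer": disavow(honest, m, s, *rounds),
        "bogus signature, honest signer": disavow(honest, m, bogus, *rounds),
        "valid signature, lying signer": disavow(liar, m, s, *rounds),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

An honest signer's answers to the two rounds are consistent with each other even for a bogus signature, which is what lets Bob tell a forgery from a signer who is trying to deny a valid signature.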

Correctness of Verification
Theorem: if $s \ne m^k \bmod p$, then Bob accepts $s$ as a correct signature with prob. at most $1/q$
Proof:
–For each $c = s^{e_1} (g^k)^{e_2}$, there are $q$ pairs of $(e_1, e_2)$ because the order of $s$ and $g^k$ is all $q$
–$g$ is a generator and $\mathrm{ord}(g) = q$
–$c = g^i$, $r = g^j$, $m = g^v$, $s = g^w$
–$c \equiv s^{e_1} (g^k)^{e_2} \pmod p$; $r \equiv m^{e_1} g^{e_2} \pmod p$
–$i \equiv w e_1 + k e_2 \pmod q$; $j \equiv v e_1 + e_2 \pmod q$
–If $s \ne m^k \bmod p$, then $w \ne kv \bmod q$, then $\begin{vmatrix} w & k \\ v & 1 \end{vmatrix} \ne 0$, and only one pair among the $q$ pairs of $(e_1, e_2)$ is correct

Correctness of Disavow Protocol
Theorem: If $s \ne m^k \bmod p$, and both parties follow the protocol, then $(r \cdot g^{-e_2})^{f_1} \equiv (R \cdot g^{-f_2})^{e_1} \pmod p$ (Alice can convince Bob)
Proof:
–$r = c^{k^{-1}} \pmod p$
–$c \equiv s^{e_1} (g^k)^{e_2} \pmod p$
–$(r \cdot g^{-e_2})^{f_1} \equiv ((s^{e_1} (g^k)^{e_2})^{k^{-1}} g^{-e_2})^{f_1} \pmod p \equiv s^{e_1 k^{-1} f_1} \pmod p$
–$R = C^{k^{-1}} \pmod p$
–$(R \cdot g^{-f_2})^{e_1} \equiv s^{e_1 k^{-1} f_1} \pmod p$

Correctness of Disavow Protocol
Theorem: If $s \equiv m^k \bmod p$, and Bob follows the protocol, then Alice can convince Bob ($(r \cdot g^{-e_2})^{f_1} \equiv (R \cdot g^{-f_2})^{e_1} \pmod p$) with prob. $1/q$
Proof:
–$s = m^k$; $(r \cdot g^{-e_2})^{f_1} \equiv (R \cdot g^{-f_2})^{e_1} \pmod p$
–$r \ne m^{e_1} g^{e_2}$; $R \ne m^{f_1} g^{f_2}$
–$(r \cdot g^{-e_2})^{f_1} \equiv (R \cdot g^{-f_2})^{e_1} \pmod p$ iff $R = (r^{1/e_1} g^{-e_2/e_1})^{f_1} g^{f_2}$
–Let $r_0 = r^{1/e_1} g^{-e_2/e_1}$, which can be computed after stage one
–Let stage two be the verification protocol
–Suppose $s$ is $r_0$'s signature ($s = r_0^k \bmod p$) with prob. $1 - 1/q$
–$s \equiv m^k \bmod p$ and $s = r_0^k \bmod p \Rightarrow m = r_0$
–$r \ne m^{e_1} g^{e_2} \Rightarrow m \ne r^{1/e_1} g^{-e_2/e_1} \Rightarrow m \ne r_0$
–Contradiction $\Rightarrow (r \cdot g^{-e_2})^{f_1} \equiv (R \cdot g^{-f_2})^{e_1} \pmod p$ with prob. $1/q$

Fail-Stop Signatures
Situation: For the Attacker with Unlimited Computing Power
[Diagram: scene with Alice, Bob, the TTP and Oscar. Steps: ① Establish Parameters, ② Public Keys, ③ Signatures, ④ Forged Signatures, ⑤ Build PROOF, ⑥ Proof, ⑦ Fail-stop.]

Van Heyst & Pedersen Signature
Initialization:
TTP: two primes $p$ and $q$, and $p = 2q + 1$
–$g \in Z_p^*$ and $\mathrm{ord}(g) = q$
–a random $r \in Z_q^*$ ($0 < r < q$), $r$ is known only by the TTP and $R = g^r$
–$(p, q, g, R)$ is public and $r$ is kept secret
Signer (Alice): Select $a_1, a_2, b_1, b_2 \in Z_q^*$ as secret key, compute ($\beta_1 \equiv g^{a_1} \cdot R^{b_1} \bmod p$, $\beta_2 \equiv g^{a_2} \cdot R^{b_2} \bmod p$) as public key

Van Heyst & Pedersen Signature
Signing:
–Alice: $Sig_K(m) = (s_1, s_2)$, $s_1 = a_1 + m b_1 \bmod q$, $s_2 = a_2 + m b_2 \bmod q$
Verification:
–Bob: $Ver_K(m, s)$ is $\beta_1 \beta_2^m \stackrel{?}{\equiv} g^{s_1} \cdot R^{s_2} \bmod p$

Van Heyst & Pedersen Signature
Build PROOF:
Alice:
–Detect a forged signature $(s_1', s_2')$ for $m$
–Compute the original signature $(s_1, s_2)$ for $m$
–Compute $PROOF(s') = r \equiv (s_1 - s_1')(s_2' - s_2)^{-1} \pmod q$
$r$ is the proof

Van Heyst & Pedersen: Remark
Lemma 1: Let Oscar have unlimited power; he can solve $(a_1, a_2, b_1, b_2)$ with $q$ possible solutions from the public information and a signature $s = (s_1, s_2)$ for $m$
Proof: Denote $\beta_1 = g^{e_1}$ and $\beta_2 = g^{e_2}$ (found by unlimited power), so
$g^{e_1} \equiv g^{a_1} \cdot g^{r b_1} \bmod p$
$g^{e_2} \equiv g^{a_2} \cdot g^{r b_2} \bmod p$
$e_1 = a_1 + r b_1 \bmod q$
$s_1 = a_1 + m b_1 \bmod q$
$s_2 = a_2 + m b_2 \bmod q$
$$\begin{pmatrix} m & 0 & 1 & 0 \\ 0 & m & 0 & 1 \\ r & 1 & 0 & 0 \\ 0 & 0 & r & 1 \end{pmatrix} \begin{pmatrix} b_1 \\ b_2 \\ a_1 \\ a_2 \end{pmatrix} = \begin{pmatrix} s_1 \\ s_2 \\ e_1 \\ e_2 \end{pmatrix}$$
Rank is 3

Van Heyst & Pedersen: Remark
Lemma 2: Let a signature $s = (s_1, s_2)$ for $m$ and a signature $s' = (s_1', s_2')$ for $m'$, then there is a single solution for $(a_1, a_2, b_1, b_2)$
Proof:
[Matrix: the system of Lemma 1 extended with a further row for $m'$ and $s'$.]
Rank is 4
Notes:
–One-time signature
–Oscar can compute $s' = sig_K(m')$ with prob. $1/q$ knowing $s = sig_K(m)$
–BUT Oscar can give a verifiable signature $s''$ for $m'$ and $s'' \ne s'$

Van Heyst & Pedersen: Remark
Lemma 3: If the Signer gets a forged signature $s' = (s_1', s_2')$ for $m$ and $s' \ne s$, he can compute $r = \log_g R$
Proof:
–The forged signature $s'$ can pass the test
–$\beta_1 \beta_2^m \equiv g^{s_1'} \cdot R^{s_2'} \bmod p$
–For the original signature
–$\beta_1 \beta_2^m \equiv g^{s_1} \cdot R^{s_2} \bmod p$
–$g^{s_1'} \cdot R^{s_2'} \equiv g^{s_1} \cdot R^{s_2} \bmod p$
–$\Rightarrow r = \log_g R \equiv (s_1 - s_1')(s_2' - s_2)^{-1} \pmod q$

Summary
Nonrepudiation
–Digital Signature
–Public Key Infrastructure
RSA Signature
ElGamal Signature
Digital Signature Algorithm
Signatures with other Properties