 Requirement  Security  Classification  RSA Signature  ElGamal Signature  DSS  Other Signature Schemes  Applied Digital Signatures 11

22 Signature Scheme

 Efficiency  Unforgeability : only signer can generate  Not reusable : not to use for other message  Unalterable : No modification of signed message  Authentication of a signer  Non-repudiation : not denying the act of signing 33

 Key only or no message attack : Adv access only to public parameters and public keys  Message attack : Adv has access to pairs of message texts and corresponding signatures. Depending on Adv’s power of selecting messages signed by S. ◦ Known-messages : Adv doesn’t choose message signed by S. ◦ Generic chosen-messages : Adv chooses a set of messages to be signed before knowing the actual S targeted for attack. ◦ Directed chosen-message : Adv chooses a set of messages to be signed after selecting a specific S but the actual attack. ◦ Adaptive chosen-message : Adv chooses message for signing dynamically after inspecting signatures he obtained for previous messages.  Adv : Adversary, S : legitimate signer 44 Hard Easy

 Total break : Adv recovers the secret key of S under attack.  Universal forgery : Adv doesn’t obtain the secret key of S, but gains the ability to generate valid signatures for any message.  Selective forgery : Adv doesn’t obtain the secret key of S, but gains the ability to generate valid signatures for any set of preselected messages.  Existential forgery : Adv can create at least one new message and signature pair without knowing the secret key. The messages are only arbitrary bit strings and Adv doesn’t have any power over their composition. 55 Hard Easy

 Consists of 6 elements (M,Mh,A,K,S,V) M : message space Mh (or Ms) : signing space A : signature space K : key space For K  K,  signing alg. sig K  S and its corresponding verification alg. ver K  V. Each sig K : M  A and ver K : M x A  {t,f} are fts s.t., ver K (x,y)= t if y = sig K (x) or ver K (x,y)=f if y  sig K (x) 66

 Signature generation (a) get private key, K s (b) m’=h(m) : hash algorithm and s * =sig Ks (m’) (c) m, s * : signature  Signature verification (a) obtain public key, K p (b) compute m’=h(m) and u=ver Kp (m’,s*) (c) accept signature iff u=true. (Ex.) DSA, ElGamal, Schnorr 77

88 (a) signing M m MhMh m’ A s*=sig K (m’) h sig K (b) verification M x A true false ver K (m,s*)

 Signature generation (a) get private key, K s (b) m’=R(m) : redundancy function and s * =sig Ks (m’) (c) s * : signature  Signature verification (a) obtain public key K P (b) compute m’= ver Kp (s * ) (c) verify that m’  M R ( if m’  M R, then reject) (d) recover m from m’ by computing R -1 (m’) (Ex.) RSA, Rabin, Nyberg-Rueppel * R() and R -1 () are easy to compute. 99

 (a) signing M m MRMR m’ A s*=sig K (m’) R sig K MSMS *This scheme can be easily changed to digital signature with appendix s.t., hashing before signing. (b) verification R: redundancy ft e.g., 1:1 ft M R : image of R

 ClassificationAnalogDigital Size of Signaturefixedvariable Digital Copydifficulteasy Operationsimplemathematical Legalitypossible Forgeabilityun-countermeasuredcountermeasured Generationpencomputer Auxiliary toolnothingnecessary (hash ft.)

 Basic Computationally secure Unconditionally secure Provably secure Probably secure ID-based Certificate-based Message-recovery Message-appendix Non-arbitrator Arbitrator Randomized Deterministic Randomized Deterministic

 Proxy undeniable Advanced Undeniable Multi (n,k) Multi One-time, bounded-life Blind Fail-stop Oblivious Multi undeniable Proxy

 (preparation) n=pq, M=A=  n  K ={(n,p,q,a,b) : n=pq, ab=1 mod  (n)}  public key : {b,n}, private key : {a,p,q}  (signing) K=(n,p,q,a,b),sigK(x)=x a mod n  (verification)verK(x,y)=true  x=y b mod n, x,y  n  (Problem) If an adversary know signature of x 1 and x 2 to be s 1 and s 2, he can create signature of x 3 =x 1 x 2, i.e., s 3 {=s 1 s 2 =x 1 d x 2 d = (x 1 x 2 ) d } without knowing secret key, d. To prevent this, hash(x) or other means must be used.  Note that D(m 1 )D(m 2 )=D(m 1 m 2 ) in RSA  14 14

 p : prime,    p * : primitive element,  M =  p *, A =  p * x  p-1 *  K ={(p, ,a,  ) :  =  a mod p}  public: (p, ,  ), private: a  (signing) K=(p, ,a,  ), secret random k   p-1 * sig K (m,k) = ( ,  ) where  =  k mod p,  =(m-a  )k -1 mod (p-1)  (verification) m,    p * and    p-1 * ver K (m, ,  )=true      =  m mod p *     =  a   k  =  m mod p  15 15

 (Preparation) p=467,  =2, a=127  =  a mod p = mod467=132 message m=100 random k=213 s.t., gcd(213,466)= mod466 =431  signing  =  k = mod 467= 29  =(m-a  )k -1 mod (p-1)=( x 29) 431 mod 466=51  Verification on m,  and      =  m mod p ?     = =189 mod 467  m =2 100 =189 mod 467  16 16

 Security : without knowing a, forgery of x’s signature is reducible to DLP of finding  (  ) chosen  (  ).  Note ◦ Keep k to be secret ◦ Not to use k two times.  Generalization from  p * to any finite Abelian group is possible  17 17

 After 1991 August for 3-year public debate, NIST announced DSS (Digital Signature Standard) documented FIPS186 in 1994 December.  RSA was not selected since its patent  Introduce efficient operation under subgroup in ElGamal signature scheme  Used with DHA (Digital Hash Algorithm)  18 18

 p:512 bit prime, q:160 bit prime, q|p-1, g  p *   =g (p-1)/q mod p (q-th root of 1 mod p),  M =  p *, A=  q x  q, K={(p,q, ,a,  ):  =  a mod p}  public: (p,q, ,  ), private: a.  (signing) K=(p,q, ,a,  ), secret random k (1  k  q- 1, gcd(k,q)=1), sig K (m,k) = ( ,  ) where  = (  k mod p) mod q,  =(m+a  )k -1 mod q.  (verification) m   p * and ,    q ver K (m, ,  )=true  (  e 1  e 2 mod p)mod q = . e 1 = m  -1 mod q, e 2 =  -1 mod q.  19 19

(Ex.) q=101, p=78q+1=7879, g=3,  = 3 78 mod 7879 =170, a=75,  =  a mod 7879 = 4567 (signing) message m=1234, random k=50, k -1 mod 101=99.  = (  k mod p) mod q=( mod 7879) mod101=2518 mod101=94.  =(m+a  )k -1 mod q=( x94) 99 mod101 = 97. (verification) sig K (m,k) = ( ,  ) =(94,97), m=1234  -1 =97 -1 mod 101=25, e 1 = m  -1 mod q =1234 x 25 mod 101 =45, e 2 =  -1 mod q = 94 x 25 mod 101 = 27 (  e 1  e 2 mod p)mod q= ( mod 7879 ) mod 101 = 2518 mod 101=94  ?  =94 (valid)  20 20

 Signature Scheme with additional properties Signature Scheme with additional properties

 Blind signature  One-time signature ◦ Lamport scheme ◦ Bos-Chaum scheme  Undeniable signature ◦ Chaum-van Antwerpen scheme  Fail-stop signature ◦ van Heyst-Peterson scheme  Group Signature : group member can generate signature if dispute occurs, identify member.  22 22

  Without B’s knowing message M itself, A can get a signature of M from B.  RSA scheme, B’s public key :{n,b}, private key:{a} (1) select random k s.t. gcd(n,k)=1, 1<k<n-1 A(customer) B(Bank) (2) m*=mk b mod n m* (3) s*= (m*) a mod n s* (4) s=k -1 s*mod n (signature of M by B : k -1 (mk b ) a = k -1 m a k ba = m a ) (1)random number (2)blinding (3)signing (4)unblinding A B g(S B f(m))=S B (m) f:blinding ft g:unblinding ft only A knows f(m) : blinded message

 (Preparation) p=11, q=3, n=33,  (n)= 10 x 2=20  gcd(a,  (n))=1 => a=3, ab =1 mod  (n) => 3 b = 1 mod 20 => b=7  B: public key :{n,b}={33,7}, private key ={a}={3} (1) A’s blinding of m=5 select k s.t. gcd(k,n)=1. gcd(k,33)=1 => k=2 m* = m k b mod n= mod 33 = 640 mod 33 = 13 mod 33 (2) B’s signing without knowing the original m s*= (m*) a mod n = 13 3 mod 33 =2197 mod 33 =19 mod 33 (3) A’s unblinding s=k -1 s* mod n (2 k -1 =1 mod 33 => k=17) = mod 33 =323=26 mod 33 * Original Signature : m a mod n = 5 3 mod 33 =125 =26 mod 33  24 24

 Properties(p.299) ◦ A parameter is used to sign only one message ◦ Signing and verifying procedure is very efficient  one-time signature based on Lamport Signature ◦ Key generation  k; positive int, f: Y  Z one-way ft,  private key: y 1,0, …, y k,1, public key: z i,j =f(y i,j ), 1 ≤ i ≤ k, j=0,1 ◦ Signing for K=(y i,j, z i,j :, 1 ≤ i ≤ k, j=0,1)  sig K (x 1, …, x k ) =(y 1,x1, … y k, xk ). ◦ Verify  Signature (a 1, …, a k ) on msg (x 1, …,x k ) is verified as :  ver K ((x 1, …, x k ), (a 1, …, a k )) = true ↔ f(a i ) = z i, x1, 1 ≤ i ≤ k  25 25

 Public parameters ◦ one-way ft : f(x) = 3 x mod 7879 ◦ k=3,  Alice chooses 6 (secret) random numbers ◦ Private key y 1,0 =5831, y 1,1 = 735, y 2,0 =803, y 2,1 =2467, y 3,0 =4285, y 3,1 =6449 ◦ Public key : Alice computes 6 y’s under f Z 1,0 =2009, z 1,1 =3810, z 2,0 =4672, z 2,1 =4721, z 3,0 =268, z 3,1 =5731  Signing on msg x=(1,1,0) (y 1,1, y 2,1, y 3,0 ) = (735, 2467, 4285)  Verification mod 7879 = 3810, mod = 4721, mod = 268  26 26

 Properties(p.313) ◦ If a signer signs a message according to the mechanism, a verifier upon checking the signature should accept it ◦ A forger cannot construct signatures that pass the verification algorithm without doing an exponential amount of work ◦ If a forger succeeds in constructing a signature which passes the verification test then the true signer can produce a proof of forgery with high probability ◦ A signer cannot construct signatures which are claimed to be forgeries at some later time.  Advantages: Even if a very powerful adversary can forge a single signature, the forgery can be detected and the signing mechanism no longer used.  27 27