1. Digital Signatures Applied Handbook of Cryptography: Chapt 11
slides courtesy of Xuhua Ding

2. Outline Framework RSA related signature schemes
DSA related signature schemes
One-time digital signatures
Arbitrated signature schemes
Signatures with added functionality
Arbitrated signature schemes require a TTP for signature generation and verification, which results in computational generation and verification.
With added functionality such as blind, undeniable and fail-stop signature schemes

3. Framework Digital Signatures can provide Authentication Data Integrity
Non-Repudiation
One Application
Certification of public keys in large networks

4. Framework (cont) Definitions
Digital Signature - a data string which associates a message with some originating entity
Digital Signature Generation Algorithm – a method for producing a digital signature
Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

5. Framework (cont) Notation M message space MS signing space
S signature space
R a one-one mapping from M to MS called the redundancy function
MR the image of R
R-1 the inverse of R
h a one-way function with domain M
Mh hash value space, the image of h (h: M Mh)

6. Framework (cont) Taxonomy of digital signatures randomized
signature schemes
message recovery
appendix
deterministic
randomized
We can break signature schemes into two classifications:
Digital signature schemes with appendix where the signature is appended to the message and both are required as input to the verification algorithm.
Message recovery, where where the original message signed can be obtained from the signature itself. The original message is not required as input to the verification algorithm.

7. Framework (cont) Schemes with appendix
Requires the message as input to verification algorithm
Rely on cryptographic hash functions rather than customized redundancy functions
DSA, ElGamal, Schnorr etc.
More commonly used

8. Framework (cont) Digital Signature with Appendix M m mh Mh h s* S SA,k
An entity A should obtain a public and private key. A should select an element k if the algorithm is randomized. Compute h(m) mapping m to the hash value space and apply the signing algorithm using A’s private key on this value to obtain s*.
A’s signature for m is s* which are both made available to entities which may wish to verify the signature
Verification involves obtaining A’s authentic public key VA, compute h(m) and apply the verification algorithm to h(m) and s*, if this results in true the signature is valid. If it results in false, the signature is invalid.
s* = SA,k(mh)
u = VA(mh, s*)
Mh x S
u  {True, False} VA

9. Framework (cont) Desirable Properties
For each k  R, SA,k should be efficient to compute
VA should be efficient to compute
It should be computationally infeasible for an entity other than the signer to find an m  M and an s  S such that VA(m’, s*) = true, where m’ = h(m)

10. Framework (cont) Digital Signature with Message Recovery M m mr MR R
SA,k MS
An entity A has a public and private key. A should select an element k if the algorithm is randomized. Compute mr by applying the redundancy function. Apply the signing algorithm using A’s private key on this value to obtain s*.
A’s signature is s*, only s* is made available for verifiers to recover the plaintext m.
Verification involves obtaining A’s authentic public key VA, compute mr. If mr is not an element of the image of R then we reject the signature. Apply the inverse of the redundancy function to obtain m.
It becomes clear that the redundancy function is very important. For example, if R were simply the identity mapping, one could simply choose and arbitrary s* and a corresponding message m is found simply by applying the verification algorithm. S MR M VA
R-1 m s* mr

11. Framework (cont) Desirable properties
For each k  R, SA,k should be efficient to compute
VA should be efficient to compute
It should be computationally infeasible for an entity other than A to find any s*  S such that VA(s*)  MR

12. Framework (cont) mr MR R s* S SA,k MS M m mh Mh h
We can turn any digital signature scheme with message recovery into a digital signature scheme with appendix simply by first hashing our message m. The message is now required as input to the verification algorithm. Notice that R is no longer critical to the security of the signature scheme.

13. Framework (cont) Breaking a signature scheme
Total Break: private key is comprimised
Selective forgery: adversary can create a valid signature on a preselected message
Existential forgery: adversary can create a valid signature with no control over the message
Total break can simply occur if the adversary finds an efficient algorithm that is functionally equivalent to the valid signing algorithm

14. Framework (cont) Types of attacks
Key-only: adversary knows only the public key
Message attacks
Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him
Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive)
Adaptive chosen-message attack: adversary can use the signer as an oracle

15. RSA Key generation n, p, q, e, d Sign Verify Compute mr = R(m)
Compute s = mrd mod n
The signature for m is s
Verify
Obtain authentic public key (n, e)
Compute mr = se mod n
Verify that mr  Mr
Recover m = R-1(mr)
n, e are public, p q and d are private. d = e inverse mod phi(n)

16. RSA (cont) Attacks Reblocking problem
Integer factorization
Homomorphic property
Reblocking problem
If signatures are encrypted different modulus sizes can render the message unrecoverable
Importance of the redundancy function
ISO/IEC 9796
For s1 and s2, we have that s1s2 is a signature for m1m2 given that m1m2 is an element of the image of the redundancy function. Thus it is important that our redundancy function is not multiplicative.
Various solutions to this problem, one effective solution is to ensure that each modulus is of a special form. Or have one set t bits for signing and one set t+1 bits for encrypting.
Where k is the number of bits in p and q.

17. RSA (cont) Performance (p, q are k-bit primes) Bandwidth
Signature O(k3)
Verification O(k2)
Bandwidth
Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of ½)

18. DSA DSA Algorithm : key generation select a prime q of 160 bits
Choose 0t8, select t <p< t with q|p-1
Select g in Zp*, and  = g(p-1)/q mod p, 1
Select 1  a q-1, compute y= a mod p
public key (p,q, ,y), private key a
Two primes p and q. We are dealing with two groups, one Z*p and a subgroup of that of order q. Here alpha is a generator of that subgroup. Notice that the security of our key is based on the discrete logarithm problem.

19. DSA (cont) DSA signature generation
Select a random integer k, 0 < k < q
Compute r=(k mod p) mod q
compute k-1 mod q
Compute s=k-1 (h(m) + ar) mod q
signature = (r, s)
Randomized! Vs. deterministic

20. DSA (cont) DSA signature verification
Verify 0<r<q and 0<s<q, if not, invalid
Compute w= s-1mod q and h(m)
Compute u1=wh(m)mod q,u2=rw mod q
Compute v = (u1yu2 mod p) mod q
Valid iff v=r

21. DSA (cont) Security of DSA Parameters: Probability of failure
two distinct DL problems: ZP*, cyclic subgroup order q
Parameters:
q~160bits, p 768~1Kb, p,q,  can be system wide
Probability of failure
Pr[s=0]= (1/2)160
Note that Z*p we have the index-calculus methods such as coppersmiths algorithms which run in subexponential time. However, in the second group we are left with “square root” time with algorithms such as Pohlig Hellman
Verification requires the computation of s inverse, if s is zero then an inverse does not exist

22. DSA (cont) Performance Signature Generation Verification
One modular exponentiation
Several 160-bit operations (if p is 768 bits)
The exponentiation can be precomputed
Verification
Two modular exponentiations
So we have that DSA signing is cheap and verification expensive, but RSA signing expensive, verification cheap.

23. ElGamal Key generation: p, q, , a, y=a mod p Signature Generation
Select random k, 1  k  p-1, gcd(k, p-1)=1
Compute r = k mod p
Compute k-1 mod (p-1)
Compute s = k-1  (h(m) - ar) mod (p-1)
signature is (r,s)
Here alpha is a generator of Z*p
p alpha and y are public and a is private key
Again, this is randomized as apposed to deterministic

24. ElGamal (cont) Signature Verification Verify 1  r  p-1
Compute v1 = yrrs mod p
Compute h(m) and v2= h(m) mod p
Accept iff v1=v2

25. ElGamal (cont) Security (based on DL problem)
Index-calculus attack: p should be large
Pohlig-Hellman attack: p-1 should not be smooth
Weak generators: If p  1 mod 4, |p-1, DL can be broken for subgroup S of order . Forgeries are then possible
We can solve this by letting alpha be a generator for a subgroup of Z*p of prime order rather than Z*p itself

26. ElGamal (cont) In addition… k must be unique for each message signed
(s1-s2)k=(h(m1)-h(m2))mod (p-1)
An existential forgery attack can be mounted if a hash function is not used
If gcd((s1-s2),p-1)=1 then we can easily find k and from there we can find private key a
p. 255

27. ElGamal (cont) Performance Generalized ElGamal Signatures
Signature Generation
One modular exponentiation
One Euclidean Algorithm
Both can be done offline
Verification
Three modular exponentiations
Generalized ElGamal Signatures
Euclidean is for inversion
Also requires two modular multiplications
We can use any cyclic group, preferably one where discrete logarithms are known to be quite hard, such as elliptic curve groups which also give us the benefit of shorter key lenghts.

28. One-Time Signatures
Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message.
Most one-time signature schemes have the property that signature generation and verification are both very efficient

29. Rabin One-Time Signatures
Key generation
Select a symmetric key encryption scheme E (e.g. DES)
Generate 2n random secret strings k1,k2...k2nK, each of bit length l
Compute yi=Eki(M0(i)), i [1,2n].
Public key is (y1,y2,...y2n),
private key is (k1,k2,...k2n).
Here M0(I) is the binary representation of I prepended with enough 0’s to construct an l-bit string

30. Rabin One-Time Signatures
Signature Generation:
compute si=Eki(h(m)), i [1,2n]
signature is (s1,s2,...s2n)
Verification:
Compute h(m)
Select n distinct random number rj, rj[1,2n]
Request from signer, the keys krj,  j: 1  j  n
Verify received n keys ie. does yrj= Ekrj(M0(rj))?
Verify all srj = Ekrj(h(m)),
Here note that we are using n or half of 2n, the original number of keys

31. Rabin One-Time Signatures
Resolution of disputes: signer A, verifier B and TTP
B provides m and the signature to TTP
TTP gets private key k1,...k2n from A
TTP verifies authenticity of the private key
TTP computes ui=Eki(h(m)), 1  i  n. If ui = si for at most n values of i, it is forgery. If n+1 or more values match, it is valid signature
Rationale for dispute resolution protocol
A can disavow with Pr =
B cannot provide more than n encrypted values because it does not have another key or find a collision in the hash function
A would need to find n values such that ui equals si and hope that B chooses these values.

32. Arbitrated Digital Signatures
Requires an unconditionally TTP as part of the signature generation and signature verification.
Each entity shares a symmetric key with the TTP
Symmetric key cryptography results in a very fast algorithm
However, this speedup is overshadowed by the TTP as well as communication overhead

33. Arbitrated Digital Signatures
Signature Generation (by A)
IA, u = EkA(h(m))
s = EkT(h(m)||IA) A
TTP
A simply hashes its message and sends that hash along with an identifier for A to the TTP encrypted with their shared key. The TTP simply decrypts that value and returns a signature s encrypted with TTP secret key.

34. Arbitrated Digital Signatures
Signature Verification (by B)
IB, v = EkB(s)
EkB(h(m)||IA) B
TTP
B sends the signature encrypted with it’s shared key. TTP decrypts v then decrypts s and returns the identifier for A and the hashed message.

35. ESIGN Key generation Compute n=p2q, select k>3
Public key(n,k), private (p,q)
Sign message m
compute v=h(m), random x, 0  x < pq
w = ((v-xk) mod n/ (pq), y = w(kxk-1)-1 mod p
Compute s=x+ypq mod n
Verify:
compute u = sk mod n, z = h(m)
if z  u  z + 22 lg(n)/3 , accept the signature
Here p and q are prime
This s will be our signature

36. ESIGN (cont) Why does this work? I refer you to the text p 473 
Security of ESIGN
Based on factoring of large integers.
Not known whether n=p2q is easier than factoring RSA modulus
Given m and s, in order to forge a signature for m’, we must have that Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m’
For any reasonably large size n, this value is sufficiently large

37. ESIGN (cont) Efficiency of ESIGN
The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4)
For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation.
For any reasonably large size n, this value is sufficiently large

38. Blind signature scheme
Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B’s signature on a priori message m of A’s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it.
Application: e-cash

39. Blind signature scheme (cont)
Chaum
Sender A; Signer B
B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0  k < n
Protocol actions
(blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk
(signing) B comp s* = (m*)d mod n, to A
(unblinding) A: computes s = k-1s* mod n

40. Undeniable Signature Schemes
Definition: signature verification requires the cooperation of signer
Chaum-van Antwerpen
Key generation
Select random prime p=2q+1, q is prime
Select a generator  for the subgroup of order q in Zp*
Select random a{1,2,...q-1}, y= amod p
public (p, , y), private a
Applications might include copyright of software. The book outlines a bank example where a required signature at the time a cusomer views a safety deposit box cannot be used later in the future.

41. Chaum-van Antwerpen Signature Generation Verification
compute s = ma mod p
Verification
B selects a random secret integers x1, x2 {1,2,...q-1}
B computes z = sx1yx2 mod p, and sends z to A
A computes w = za-1mod p, and sends w to B
B computes w = mx1x2 mod p. Valid iff w= w

42. Chaum-van Antwerpen
If s is a forgery, B accept it with pr=1/q and independent of adversary’s computation resources
A could attempt to disavow a signature
refuse to participate in verification
perform the verification incorrectly
claim a signature forgery even though the verification protocol is successful.
The first is quite easy, the second and third require a disavowal protocol

43. Chaum-van Antwerpen Disavowal protocol
Select two pair (x1, x2) and (x’1, x’2) and verify twice
Compute c = (w-x2)x’1 mod p and c = (w-x’2)x1 mod p, if c = c, s is a forgery, otherwise s is valid and A is attempting to disavow the signature
Let m be message, s a signature on m
If s  ma mod p and the disavowal protocol runs correctly, then c=c
If s = ma mod p. B follows protocol, but A does not. The Pr[c=c] is 1/q
ie if s is a forgery