Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 9 Stefan Dziembowski

Published byLaureen Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 9 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 9 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan 1.Definition od secure signature schemes 2.RSA signatures 3.Hash-and-sign paradigm 4.ElGamal signatures

3 Signature schemes digital signature schemes ≈ MACs in the public-key setting

4 Remember MACs? Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Gen(1 n ) Vrfy k (m,t) є {yes,no} 1n1n

5 Signature schemes Alice Bob (m, σ=Sign sk (m)) sk pk m є {0,1}* Gen(1 n ) Vrfy pk (m,σ) є {yes,no} 1n1n

6 Anyone can verify the signatures P5P5 P1P1 P3P3 P2P2 P4P4 pk 1 pk 2 pk 3 pk 4 pk 5 1. Sign(sk 3,m) public register: Sign(sk 3,m) 2. reads pk 3 sk 3 3. computes Vrfy(pk 3,m)

7 Advantages of the signature schemes Digital signatures are: 1.publicly verifiable 2.transferable 3.provide non-repudiation (we explain it on the next slides)

8 Look at the MACs... Alice Bob (m, t=Tag k (m)) k k m є {0,1}* Carol Look, I got (m,t) from Alice Why shall I trust you? 1.You could have created t yourself (because you know k) 2.I don’t know k, so how can I verify the tag?

9 Signatures are publicly-verifiable! Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Carol I can calculate Vrfy(pk A,m,σ) and check. Look, I got (m,σ) from Alice

10 So, the signatures are transferable P2P2 P3P3 Alice P4P4 P1P1 σ = Sign(sk 3,m) sk A (m,σ) Alice signed m pk A Alice signed m I believe it!

11 Non-repudiation Alice Bob (m, σ =Sign sk (m)) sk A pk A m є {0,1}* Judge I got (m,σ) from Alice It’s not true! I never signed m! Vrfy(pk,m,σ) = yes so you cannot repudiate signing m...

12 Digital Signature Schemes A digital signature scheme is a tuple (Gen,Sign,Vrfy) of poly-time algorithms, such that the key-generation algorithm Gen takes as input a security parameter 1 n and outputs a pair (pk,sk), the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ, the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}. If Vrfy pk (m,σ) = yes then we say that t is a valid signature on the message m.

13 Correctness We require that it always holds that: Vrfy pk (m,Sign sk (m)) = yes What remains is to define security of a MAC.

14 How to define security? As in the case of MACs, we need to specify: 1.how the messages m 1,...,m t are chosen, 2.what is the goal of the adversary. Good tradition: be as pessimistic as possible! Therefore we assume that 1.The adversary is allowed to chose m 1,...,m t. 2.The goal of the adversary is to produce a valid signature on some m’ such that m’ ≠ m 1,...,m t.

15 security parameter 1 n selects (pk,sk) = Gen(1 n ) oracle m1m1 mtmt... We say that the adversary breaks the MAC scheme at the end she outputs (m’, σ’) such that 1. Vrfy(m’, σ’) = yes 2. m’ ≠ m 1,...,m t adversary pk Sign sk (m 1 ) Sign sk (m t )

16 The security definition We say that (Gen,Mac,Vrfy) is existentially unforgeable under an adaptive chosen- message attack if A polynomial-time adversary A P(A breaks it) is negligible (in n) sometimes we just say: secure

17 How to design secure signature schemes? Rember the idea with the ``trapdoor permutations’’?

18 Trapdoor permutations XX easy easy: one can compute E pk -1 if one knows a trapdoor sk hard (otherwise) E pk this is denoted D sk A family of permutations indexed by pairs (pk,sk): { E : X → X } (pk,sk) є keys such that:

19 How to encrypt a message m messagesciphertext m := D sk (c) c := E pk (m) one can compute it only if one knows sk encryption decryption: Warning: in general it’s not that simple.

20 How to sign a message m signaturesmessages D sk (m) E pk (m) one can compute it only if one knows sk signing: verifying: Warning: in general it’s not that simple.

21 In general it’s not that simple 1.Not every trapdoor permutation is OK. 2.There are other ways to create signature schemes. 3.One can even construct a signature scheme from any one-way function. (this is a theoretical construction)

22 The “handbook” RSA signatures N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = m d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes if σ e = m (mod N) no otherwise Correctness: follows from the fact that ( m d ) e = m (mod N) φ(N)) = (p-1)(q-1). public key: (N,e) private key: (N,d)

23 Problems with the “handbook RSA” (1/2) A “no-message attack”: The adversary can forge a signature on a “random” message m. Given the public key (N,e): he just selects a random σ and computes m = σ e mod N. Trivially, σ is a valid signature on m.

24 Problems with the “handbook RSA” (2/2) How to forge a signature on an arbitrary message m? oracle m1m1 adversary Sign sk (m 1 ) = m 1 d mod N Sign sk (m 2 ) = m 2 d mod N (N,e) chooses: 1.random m 1 2.m 2 := m / m 1 mod N m2m2 computes (mod N): m 1 d · m 2 d = (m 1 · m 2 ) d = m d this is a valid signature on m

25 Is it a problem? In many applications – probably not. But we would like to have schemes that are not application-dependent...

26 Solution Before computing the RSA function – apply some function H. N = pq, such that p and q are large distinct primes e is such that gcd(e, φ(N)) = 1 d is such that ed = 1 (mod φ(N)) Sign d : Z N * → Z N * is defined as: Sign(m) = H(m) d mod N. Vrfy e is defined as: Vrfy e (m,σ) = yes if σ e = H(m) (mod N) no otherwise

27 How to choose such H? A minimal requirement: it should be collision-resistant. (because if the adversary can find two messages m,m’ such that H(m) = H(m’) then he can forge a signature on m’ by asking the oracle for a signature on m)

28 A typical choice of H Usually H is one of the popular hash functions. Additional advantage: We can sign very long messages keeping the modulus N small (it’s much more efficient!). It is called a hash-and-sign paradigm.

29 Hash-and-Sign (1/3) 1. (Gen,Sign,Vrfy) – a signature scheme “for short messages” short x signature σ Sign sk σ yes / no Vrfy pk x m 2. a hash function H H H(m)

30 Hash-and-Sign (2/3) signature Sign sk (H(m)) Sign sk m H H(m) How to sign a message m?

31 Hash-and-Sign (3/3) How to verify? σ yes / no Vrfy pk m H H(m)

32 Hash-and-Sign It can be proven that this construction is secure. For this we need to assume that H is taken from a family of collision-resilient hash functions. {H s } s є keys Then s is a part of the public key and the private key.

33 What can be proven Suppose 1.{H s } s є keys is a family of collision-resistant hash functions, 2.(Gen,Sign,Vrfy) is a secure signature scheme. Then the signature scheme constructed on the previous slide is secure.

34 Can anything be proven about the “hashed RSA” scheme? Not really (it is provably secure only under very strong assumptions). But at least the attacks described before “look infeasible”. 1.For the first attack: one would need to invert H. 2.The second attack: Looks impossible because the adversary would need to find messages m,m 1,m 2 such that H(m) = H(m 1 ) · H(m 2 )

35 Other popular signature schemes Based on discrete log: ElGamal signatures Digital Signature Standard (DSS) (also based on other groups – elliptic curves)...

36 ElGamal signatures but remember that we can use the hash-and-sign paradigm

37 How to understand it? start with the verification condition the signature the message

38 Security of ElGamal If the discrete log in Z p * is hard, then the scheme is broken. To hope for any security one needs to hash the message before signing. Is there any proof of security of the “hashed” El Gamal? No...

Download ppt "Cryptography Lecture 9 Stefan Dziembowski"

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lecture 10 Signature Schemes Stefan Dziembowski www.dziembowski.net MIM UW 7.12.12ver 1.0.

Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.

Similar presentations

Ads by Google