Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Similar documents
Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Computer Science A Cryptography and Data Security. Claude Crépeau

Introduction to Cryptography CS 355

Digital Signature. Raj Jain. Washington University in St. Louis

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

Digital Signatures. Prof. Zeph Grunschlag

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Introduction. Digital Signature

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Digital signatures. Informal properties

Crittografia e sicurezza delle reti. Digital signatures- DSA

Digital signatures are one of the most important inventions/applications of modern cryptography.

Overview of Public-Key Cryptography

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Authentication requirement Authentication function MAC Hash function Security of

DIGITAL SIGNATURES 1/1

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

2. Cryptography 2.4 Digital Signatures

Cryptography Lecture 8. Digital signatures, hash functions

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Signatures vs. MACs

One-Way Encryption and Message Authentication

CRYPTOGRAPHY IN NETWORK SECURITY

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

CSCE 465 Computer & Network Security

Practice Questions. CS161 Computer Security, Fall 2008

CIS 5371 Cryptography. 8. Encryption --

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

Introduction to Computer Security

Public Key Cryptography. Performance Comparison and Benchmarking

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

CS549: Cryptography and Network Security

CRC Press has granted the following specific permissions for the electronic version of this book:

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Digital Signatures. What are Signature Schemes?

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Lecture 15 - Digital Signatures

Message Authentication Codes. Lecture Outline

Cryptographic Hash Functions Message Authentication Digital Signatures

Computer Security: Principles and Practice

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Lecture 6 - Cryptography

Public Key Cryptography Overview

Security Arguments for Digital Signatures and Blind Signatures

Evaluation of Digital Signature Process

Notes on Network Security Prof. Hemant K. Soni

Public Key (asymmetric) Cryptography

CS 758: Cryptography / Network Security

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Capture Resilient ElGamal Signature Protocols

Hash Functions. Integrity checks

Table of Contents. Bibliografische Informationen digitalisiert durch

Lecture 9: Application of Cryptography


3-6 Toward Realizing Privacy-Preserving IP-Traceback

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

A New Generic Digital Signature Algorithm

Lecture 9 - Message Authentication Codes

A Factoring and Discrete Logarithm based Cryptosystem

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Advanced Cryptography

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Public-Key Cryptanalysis

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

1 Message Authentication

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

An Approach to Shorten Digital Signature Length

Cryptography and Network Security Chapter 10

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

An Introduction to Digital Signature Schemes

EXAM questions for the course TTM Information Security May Part 1

Identity-Based Encryption from the Weil Pairing

CIS433/533 - Computer and Network Security Cryptography

Cryptography and Network Security

Application of Digital Signature for Securing Communication Using RSA Scheme based on MD5

Cryptography & Network Security

Chapter 12. Digital signatures Digital signature schemes

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Elements of Applied Cryptography Public key encryption

Cryptography: Authentication, Blind Signatures, and Digital Cash

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

The Mathematics of the RSA Public-Key Cryptosystem

Randomized Hashing for Digital Signatures

Study of algorithms for factoring integers and computing discrete logarithms

CPSC 467b: Cryptography and Computer Security

Digital Signature Standard (DSS)

Cryptography and Network Security Digital Signature

Transcription:

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella

Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by the person, or that the person agrees with the document Attached to a particular document Easily verifiable by third parties We want a similar mechanism for digital documents Some difficulties: Need to bind signature to document Need to ensure verifiability (and avoid forgeries)

Formal Definition A signature scheme is a tuple (P,A,K,S,V) where: P is a finite set of possible messages A is a finite set of possible signatures K (the keyspace) is a finite set of possible keys For all k, there is a signature algorithm sig k in Sand a verification algorithm ver k in V such that sig k : P A ver k : P A {true,false} ver k (x,y) = true iff y=sig k (x) A pair (x,y) P A is called a signed message

Example: RSA Signatures The RSA cryptosystem (in fact, most public key cryptosystems) can be used as a signature scheme Take: sig k (x) = d k (x) ver k (x,y) = (x =? e k (y)) Only user can sign (because decryption is private) Anyone can verify (because encryption is public)

Signing and Encrypting Suppose you want to sign and encrypt a piece of data Where encryption is public key (why is this important?) Public key cryptography does not say anything about the sender Two possibilities: First encrypt, then sign: x (e ke (x), sig ks (e ke (x))) But adversary could replace by sig ke (e ke (x)) making it seem the message came from someone else First sign, then encrypt: x (e ke (x), sig ks (x)) Better make sure signature does not leak info!

Possible Attacks (Alice is the signer, Oscar the attacker) Key-only attack Oscar possesses Alice s public verification algorithm Known message attack Oscar possesses a list of signed messages (x i, y i ) Chosen message attack Oscar queries Alice for the signatures of a list of messages x i

Possible Adversarial Goals Total break Oscar can derive Alice s private signing algorithm Selective forgery Oscar can create a valid signature on a message chosen by someone else, with some nonnegligible probability Existential forgery Oscar can create a valid signature for at least one message

Some Comments Cannot have unconditional security, only computational or provable security Attacks above are similar to those against MACs We mostly concentrated on existential forgeries against chosen message attacks What Graham was asking was for total break against (some) attacks Existential forgeries against chosen message attacks: Least damage against worst attacker The minimum you should ask for

Security of RSA Signatures Existential forgery using a key-only attack: Choose a random y Compute x = e k (y) We have y = sig k (x), a valid signature of x Existential forgery using a known-message attack: Suppose y = sig k (x) and y = sig k (x ) Can check e k (y y mod n) = x x mod n So y y mod n = sig k (x x mod n) Existential forgery using a chosen message attack: To get a signature for x, find x 1 x 2 = x mod n Query for signatures of x 1 and x 2 Apply previous attack

Signatures and Hashing The easiest way to get around the above problems is to use a cryptographic hash function Given message x Produce digest h(x) Sign digest h(x) to create (x,sig k (h(x))) To verify: Get (x,y) Compute h(x) Check ver k (h(x),y)

Use of Hashing for Signatures Existential forgery using a chosen messge attack Oscar finds x,x s.t. h(x)=h(x ) He gives x to Alice and gets her to sign h(x) Then (x,sig k (h(x))) is a valid signed message Prevented by having h collision resistant Existential forgery using a known message attack Oscar starts with (x,y), where y = sig k (h(x)) He computes h(x) and tries to find x s.t. h(x ) = h(x) Prevented by having h second preimage resistant Existential forgery using a key-only attack (If signature scheme has existential forgery using a key-only attack) Oscar chooses message digest and finds a forgery z for it Then tries to find x s.t. h(x)=z Prevented by having h preimage resistant

Example: ElGamal Signature Scheme Let p be a prime s.t. discrete log in Z p is hard Let a be a primitive element in Z p P = Z p, A = Z p Z p-1 K = {(p,α,a,β) β= α a (mod p)} For k = (p,α,a,β) and t Z p-1 γ = α t mod p sig k (x,t) = (γ, (x-aγ)t -1 (mod p-1)) ver k (x,(γ,δ)) = ( β γ γ δ =? α x (mod p) )

Security of ElGamal Scheme Forging a signature (γ,δ) without knowing a Choosing γ and finding corresponding δ amounts to finding discrete log Choosing δ and finding corresponding γ amounts to solving β γ γ δ = α x (mod p) No one knows the difficulty of this problem (believed to be hard) Choosing γ and δ and solving for the message amounts to finding discrete log Existential forgery with a key-only attack: Sign a random message by choosing γ, δ and message simultaneously (p.289)

Variant 1: Schnorr Signature Scheme ElGamal requires a large modulus p to be secure A 1024 bit modulus leads to a 2048 bit signature Too large for some uses of signatures (smartcards) Idea: use a subgroup of Z p of size q (q << p) Let p be a prime s.t. discrete log is hard in Z p Let q be a prime that divides p-1 Let α in Z p be a q-th root of 1 mod p Let h : {0,1} Z q be a secure hash function P = {0,1}, A = Z q Z q K = {(p,q,α,a,β) β = α a (mod p)} For k=(p,q,α,a,β) and 1 t q-1: γ = h(x α t mod p) sig k (x,t) = (γ, t+aγ mod q) ver k (x,(γ,δ)) = (h(x α γ β -γ mod p) =? γ

Variant 2: DSA Let p be a prime s.t. discrete log is hard in Z p bitlength of p = 0 (mod 64), 512 bitlength 1024 Let q be a 160 bit prime that divides p-1 Let α in Z p be a q-th root of 1 mod p Let h : {0,1} Z q be a secure hash function P = {0,1}, A = Z q Z q K = {(p,q,α,a,β) β = α a (mod p)} For k=(p,q,α,a,β) and 1 t q-1: γ = (α t mod p) mod q sig k (x,t) = (γ, (SHA1(x)+aγ)t -1 mod q) ver k (x,(γ,δ)) = (α e1 β e2 mod p) mod q =? γ e1 = SHA1(x)δ -1 mod q e2 = γδ -1 mod q

Variant 3: Elliptic Curve DSA Modification of the DSA to use elliptic curves Instead of choosing α, β, use A and B two points on an elliptic curve over Z p Roughly speaking, instead of: (α t mod p) mod q use the x coordinate of the point ta, mod q The rest of the computation is as before

Provably Secure Signature Schemes The previous examples were (to the best of our knowledge) computationally secure signature scheme Here is a provably secure signature scheme As long as only one message is signed Let m be a positive integer Let f : Y Z be a one-way function P = {0,1} m, A = Y m Choose y i,j in Y at random for 1 i m, j=0,1 Let z i,j = f(y i,j ) A key = 2m y s and 2m z s (y s private, z s public) sig k (x 1,...,x m ) = (y 1,x1,...,y m,xm ) ver k ((x 1,...,x m ),(a 1,...,a m )) = (f (a i ) =? z i,xi ) for all i

Argument for Security Argument for provable security: Existential forgeries using a key-only attack Assume that f is a one-way function Show that if there is an existential forgery using a key-only attack, then there is an algorithm that finds preimage of random elements in the image of f with probability at least 1/2 We need the restriction to one signature only If the attacker gets two messages signed with the same key, then can easily construct signatures for other messages (0,1,1) and (1,0,1) can give signatures for (0,0,1), (1,1,1)

Undeniable Signature Schemes Introduced by Chaum and van Antwerpen in 1989 A signature cannot be verified without the signer Prevent signer from disavowing signature Let p,q primes, p = 2q+1, and discrete log hard in Z p Let α in Z p be an element of order q G = multiplicative subgroup of Z p of order q P = A = G K = {(p,α,a,β} β = α a mod p} For key k=(p,α,a,β) and x in G: sig k (x) = x a mod p To verify (x,y): pick e 1,e 2 at random in Z q Compute c = y e1 β e2 Signer computes d = c inv(a) mod q mod p (where inv(a) = a -1 ) y is a valid signature iff d = x e1 α e2 mod p

Disavowal Protocol Can prove that Alice cannot fool Bob into accepting a fraudulent signature (except with very small probability = 1/q) What if Bob wants to make sure that a claimed forgery is one? 1. Bob chooses e 1,e 2 at random in Z q 2.Bob computes c = y e1 β e2 mod p; sends it to Alice 3.Alice computes d = c inv(a) mod q mod p; sends it to Bob 4.Bob verifies d x e1 α e2 mod p 5.Bob chooses f 1,f 2 at random, in Z q 6.Bob computes C = y f1 β f2 mod p; sends it to Alice 7.Alice computes D = C inv(a) mod q mod p; sends it to Bob 8.Bob verifies D x f1 α f2 mod p 9.Bob concludes y is a forgery iff (dα -e2 ) f1 = (Dα -f2 ) e1 mod p

Why Does This Work? Alice can convince Bob that an invalid signature is a forgery If y x a mod p and Alice and Bob follow the protocol, then the check in last step succeeds Alice cannot make Bob believe that a valid signature is a forgery except with a very small probability Intuition: since she cannot recover e 1,e 2,f 1,f 2, she will have difficulty coming up with d and D that fail steps 4 and 8, but still pass step 9 See Stinson for details

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information