Digital Signatures. Prof. Zeph Grunschlag

Similar documents
Digital Signatures. What are Signature Schemes?

Introduction. Digital Signature

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Signatures vs. MACs

Signature Schemes. CSG 252 Fall Riccardo Pucella

CIS 5371 Cryptography. 8. Encryption --

Introduction to Cryptography CS 355

DIGITAL SIGNATURES 1/1

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Crittografia e sicurezza delle reti. Digital signatures- DSA

Digital signatures. Informal properties

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Digital Signature. Raj Jain. Washington University in St. Louis

Lecture 15 - Digital Signatures

Improved Online/Offline Signature Schemes

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

1 Message Authentication

Advanced Cryptography

Chapter 12. Digital signatures Digital signature schemes

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Digital signatures are one of the most important inventions/applications of modern cryptography.

Overview of Public-Key Cryptography

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

The application of prime numbers to RSA encryption

Computer Security: Principles and Practice

CRC Press has granted the following specific permissions for the electronic version of this book:

Computer Science A Cryptography and Data Security. Claude Crépeau

Victor Shoup Avi Rubin. Abstract

CSCE 465 Computer & Network Security

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

RSA Attacks. By Abdulaziz Alrasheed and Fatima

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

MACs Message authentication and integrity. Table of contents

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

CS 758: Cryptography / Network Security

Lecture 3: One-Way Encryption, RSA Example

Cryptography: Authentication, Blind Signatures, and Digital Cash

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Non-interactive and Reusable Non-malleable Commitment Schemes

Capture Resilient ElGamal Signature Protocols

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Public Key Cryptography: RSA and Lots of Number Theory

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Introduction to Computer Security

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

RSA and Primality Testing

Practice Questions. CS161 Computer Security, Fall 2008

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Symmetric Crypto MAC. Pierre-Alain Fouque

Cryptographic Hash Functions Message Authentication Digital Signatures

Security Arguments for Digital Signatures and Blind Signatures

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Public Key Cryptography Overview

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

MAC. SKE in Practice. Lecture 5

Fast Batch Verification for Modular Exponentiation and Digital Signatures

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Cryptography Lecture 8. Digital signatures, hash functions

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

The Mathematics of the RSA Public-Key Cryptosystem

Universal Padding Schemes for RSA

Message Authentication Codes. Lecture Outline

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Authentication requirement Authentication function MAC Hash function Security of

Public Key (asymmetric) Cryptography

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Solutions for Practice problems on proofs

New Online/Offline Signature Schemes Without Random Oracles

1 Construction of CCA-secure encryption

Digital Signatures: A Panoramic View. Palash Sarkar

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

CRYPTOGRAPHY IN NETWORK SECURITY

Identity-Based Encryption from the Weil Pairing

CS549: Cryptography and Network Security

Lecture 9 - Message Authentication Codes

Public-Key Cryptanalysis

Delegation of Cryptographic Servers for Capture-Resilient Devices

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Transcription:

Digital Signatures Prof. Zeph Grunschlag

(Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each message so individuals can verify authenticity without pre-agreed secret keys for MAC s and no interatction D C X B A 2

Notions of Security Note: Security not built-in to above. Haven t even defined conditions for V rejecting by returning 0. Chosen message attack: with non-negligible probability, Eve is able to create a valid message-signature pair after studying other message-signature pairs of of her choice where the signatures were obtained by querying a signing oracle. 3

Digital Signatures DEF: A digital signature scheme consists of a tuple (M, K, G, S, V) where M - message space K - key space with each key = (pk, sk) G - PPT key generator picks key k of k R G(1 l ) security parameter l : S - PPT algorithm for signature S sk (m) from secret key and message. Write: V - verifier which is a Las-Vegas PPT decider s.t. V pk (m,s sk (m)) = 1 if (pk,sk) is a valid key. 4

Security Definition DEF: An existential adaptive message forger is an adversarial algorithm A that has access to a signing oracle O S and outputs a valid message-signature pair (m, s) for some message m new that was not a query to O S. DEF: A signature scheme (M, K, G, S, V) is existentially unforgeable under adaptive chosen message attack if every PPT forger A succeeds in forging with following negligible probability: Pr[V sk (A O S (pk)) = 1] Note: chosen message attack doesn t mean Eve can choose which message to forge at the end. Only that she can choose which message to forge during cryptanalysis. 5

Other Notions Attack goals (just saw existential forgery) selective forgery - attacker can forge some messages of choice (non-negligibly) universal forgery - can forge any message total break - attacker can recover sk Attack methods (saw adaptive chosen message) chosen message attack - attacker chooses fixed set of messages to have signed before cryptanalysis known message attack - when given random message-signature pairs, attacker succeeds with non-negligible probability key only attack - attacker only has pk 6

Naïve RSA Signature K = (p,q,e) with p,q primes of equal size, e relatively prime to (p-1)(q-1). Set n = p q pk = (n,e), sk = (n,d ) with [same key-pair as RSA encryption] Alice signs m with Bob verifies m by applying d = e 1 mod p S sk (m) = x d mod n V pk (m) = x e mod n Same arguments as with RSA encryption show that key security is equivalent to factoring n. 7

Naïve Rabin Signature Same idea as with RSA. Sign by decrypting verify by encrypting. Need to restrict messaage to QR(n) so that square roots exists. Other numbers are un-signable. Alice signs messages in QR(n) by sending a square root of message m Bob verifies by squaring signature and checking that result equals message. Similar argument as for Rabin encryption shows: existential forgery with known messages extracting square roots factoring n 8

Naïve El-Gamal Dlog based signature scheme, similar to commercial Digital Signature Standard (DSS) sk = (prime p, primitive α, exponent x) pk = (p, α,! = " x mod p ) Signing: let m denote the message. Signer chooses random index k rel. prime to p-1 S sk (m) = [a,b] = [! k,k 1 (m! k x) mod (p 1)] Verifying: Notice that a b = a k 1 (m! k x) p (! k ) k 1 (m! k x) p In particular, to verify by ensuring that! m " a p a b 9! m! m (! x p )!k " a

El-Gamal Motivation If we can could solve Dlog, would be able to find the exponent x, thus finding the secret key and unabashedly signing any message we want to. Intuitively, for arbitrary message m, that s the only way to do it. Complete mastery of forgery expected to allow producing two distinct verifiable triples (m, a, b) & (m, a, b ) satisfying a b = (a ) b! m " a p! m " a which by previous techniques solves Dlog problem. Unknown if El-Gamal break implies Dlog alg. 10

Naïve Rabin Break Similar argument as for Rabin encryption s cracking under chosen ciphertext attack shows: Rabin is totally broken under chosen message attack. 11

Naïve RSA Break As defined, existentially forgeable under chosen signature attack Choose any desired signature, s. Use public key (n,e) and let m = s e mod n (m, s) are valid message-signature pair by definition, but had no control over m. Practical patch to this problem is to sign hash of m, not m itself. 12

Naïve El-Gamal Break Existentially forgeable as follows: Choose any number w that is relatively prime to p-1. Choose any number z at all. Let a =! z " w, b = aw 1 mod (p 1), m = azw 1 mod (p 1) Notice that a b = (! z " w ) aw 1 =! azw 1 " a =!m " a which shows that (m,a,b) is valid according to El-Gamal. Hashing before signing fixes this issue. 13

Cramer-Shoup Stateless DSA Provably secure digital signature algorithm if... collision resistant hash function exist for security parameter l s.t. strong RSA conjecture: negl. probability of extracting any non-trivial root of random number mod p q is (prod. of k-bit primes) Sophie Germain conjecture: non-negl. prob. that random number is a Sophie Germain prime (p and 2p+1 both prime) 14 h : {0,1} {0,1} l

Cramer-Shoup Keys For hash-security parameter l (size of hash function outputs) and security parameter k: SK : secret keys are factors (p,q) with (p-1)/2 and (p-1)/2 equal k-bit Sophie Germain primes. PK : public keys consist of the product n=p q, random quadratic residues g and x, and a random l+1-bit prime. Summary: ẽ pk = (n,g,x,ẽ) 15

Cramer-Shoup Signature For message m, S(m) = (e,y,ỹ) e : random l+1 bit prime defined by: ỹ : random quadratic residue mod n y : defined by: x = ỹẽ g h(m) mod n y = ( x g h( x)) e 1 mod!(n) mod n 16

Cramer-Shoup Verify 1. Check that e is an add l+1 bit odd number not divisible by 2. Compute 3. Check that ẽ x = ỹẽ g h(m) mod n x n y e h( x) g 17

Cramer-Shoup Security THM: Supposing the existence of h, the strong RSA assumption and the non-negligible proportionality of Sophie Germain primes, the Cramer-Shoup signature scheme is existentially secure against adaptively chosen message attack. 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information