Computer Science 308-547A Cryptography and Data Security. Claude Crépeau



Similar documents
Signature Schemes. CSG 252 Fall Riccardo Pucella

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Introduction to Cryptography CS 355

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signature. Raj Jain. Washington University in St. Louis

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Crittografia e sicurezza delle reti. Digital signatures- DSA

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Digital signatures. Informal properties

Overview of Public-Key Cryptography

CSCE 465 Computer & Network Security

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Public Key (asymmetric) Cryptography

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Digital signatures are one of the most important inventions/applications of modern cryptography.

Authentication requirement Authentication function MAC Hash function Security of

Cryptography Lecture 8. Digital signatures, hash functions

Computer Security: Principles and Practice

The application of prime numbers to RSA encryption

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Introduction. Digital Signature

2. Cryptography 2.4 Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures

CS 758: Cryptography / Network Security

Evaluation of Digital Signature Process

CIS 5371 Cryptography. 8. Encryption --

Cryptography: Authentication, Blind Signatures, and Digital Cash

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

1 Message Authentication

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

Cryptography and Network Security

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

DIGITAL SIGNATURES 1/1

CS549: Cryptography and Network Security

Public Key Cryptography. Performance Comparison and Benchmarking

Randomized Hashing for Digital Signatures

EXAM questions for the course TTM Information Security May Part 1

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Digital Signatures. What are Signature Schemes?

Practice Questions. CS161 Computer Security, Fall 2008

Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)

Capture Resilient ElGamal Signature Protocols

Elliptic Curve Cryptography

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

A New Generic Digital Signature Algorithm

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

RSA and Primality Testing

SECURITY IN NETWORKS

1 Signatures vs. MACs

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

Lecture 9 - Message Authentication Codes

Cryptography and Network Security Digital Signature

Princeton University Computer Science COS 432: Information Security (Fall 2013)

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

THE UNIVERSITY OF TRINIDAD & TOBAGO

Introduction to Computer Security

An Introduction to Digital Signature Schemes

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

An Introduction to Cryptography as Applied to the Smart Grid

An Approach to Shorten Digital Signature Length

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

CRC Press has granted the following specific permissions for the electronic version of this book:

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

A Factoring and Discrete Logarithm based Cryptosystem

Lukasz Pater CMMS Administrator and Developer

Public Key Cryptography of Digital Signatures

Notes on Network Security Prof. Hemant K. Soni

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Network Security Technology Network Management

Table of Contents. Bibliografische Informationen digitalisiert durch

The Mathematics of the RSA Public-Key Cryptosystem

Authentication, digital signatures, PRNG

Elements of Applied Cryptography Public key encryption

Lecture 9: Application of Cryptography

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

RSA Attacks. By Abdulaziz Alrasheed and Fatima

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Fast Batch Verification for Modular Exponentiation and Digital Signatures

Transcription:

Computer Science 308-547A Cryptography and Data Security Claude Crépeau

These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A) that was given by prof. Claude Crépeau at McGill University during the autumn of 1998-1999. These notes are updated and revised by Claude Crépeau. 2

15 Digital signatures A digital signature scheme allows Alice to compute a signature s for a message m in a way that Bob, and others, can verify that s was in fact computed by Alice and no one else. Formally, a digital signature scheme is defined as follows: Definition 15.1 Let M be a finite set of messages and T a finite set of digital signatures such that for each (k a, k v ) K, there is a signing algorithm sig ka and a corresponding verification algorithm ver kv such that sig ka : M T and ver kv : M T {true, false} are polynomial-time computable functions and ver kv (m, y) = { true : if y = sigka (x) false : if y sig ka (x) A major difference between an authentication scheme and a signature scheme is that in an authentication scheme where Alice authenticates herself to Bob, Bob can fake Alice s authentication for any message. authentication M K a K v T verification 76

15.1 RSA signature scheme The RSA cryptographic scheme can be directly used as a signature scheme: the decryption function is used as the signature function and the verification function is obtained by comparing the message with the encryption of the signature. 15.2 ElGamal signature scheme We use the same keys as in the ElGamal encryption scheme, that is we have K = {(p, α, a, β) : β α a (mod p), α a generator of Z p }, p, α and β are public, a is kept secret. Unlike RSA, the functions for the ElGamal signature scheme are not identical to those of the ElGamal encryption scheme. The functions are constructed to try to make forgery difficult. Algorithm 15.1 ( ElGamal signature ) 1: Pick a random k such that 1 k p 2 and gcd(k,p 1) = 1. 2: γ α k mod p, δ (x aγ) k 1 mod p 1. 3: RETURN s = (γ,δ). Verification: V er K (x, γ, δ) = true β γ γ δ = α x mod p If the signature was constructed correctly, then the verification will succeed since 15.3 Bad usage β γ γ δ = β γ (α k ) δ mod p = β γ (α k ) (x aγ)k 1 mod p = (α a ) γ (α) (x aγ) mod p = α x mod p Revealing k or using the same k twice can cause forgery of chosen messages. If k is known, one can compute information on a from: aγ x δk mod p 1. 77

If the same k is used for two messages, we obtain the following Thus δ 1 = k 1 (x 1 aγ) mod p 1 δ 2 = k 1 (x 2 aγ) mod p 1 (δ 1 δ 2 )k = x 1 x 2 mod p 1. If δ 1 δ 2 0 mod p 1, we can compute d gcd(δ 1 δ 2, p 1). Since d δ 1 δ 2 and d p 1, we know that d (x 1 x 2 ). Thus we can write The equation becomes x := x 1 x 2 d δ := δ 2 δ 1 d p := p 1 d. x = kδ mod p Since gcd(δ, p ) = 1, we can compute (δ ) 1, then k = x (δ ) 1 mod p This yields d candidate values for k, we can choose the right k by verifying with the signature verification function. From k we can then deduce a. 15.4 Forgeries Some forgeries are now discussed by categories corresponding to the way Oscar forges a signature: Given x, set a γ and then try to find δ. The problem at hand would be to solve for δ given β γ γ δ = α x mod p, which is equivalent to solving for δ given γ δ = (α x )(β γ ) 1 mod p this is equivalent to the DLP modp. 78

Given x, set a δ, try to find γ. This reduces to trying to find γ given β γ γ δ = α x mod p. No efficient solution to this problem is known, this problem is not known to be related to any well-studied problem like DLP. Given x, try to simultaneously find δ and γ. There is no known way of doing this. Is it possible for Oscar to sign a random message? If Oscar chooses γ and δ and then tries to solve for x, he must compute log α (β γ γ δ ), yet another instance of the DLP. However, there is a way for Oscar to sign a random message by choosing γ, δ and x simultaneously, it is described by the following algorithm Algorithm 15.2 ( Forge ElGamal ) 1: Pick i and j such that 0 i,j p 2 and gcd(j,p 1) = 1. 2: γ α i β j mod p. 3: δ = γj 1 mod p 1, x γij 1 mod p 1. Theorem 15.2 The above algorithm gives a valid signature. Proof. β γ γ δ = β γ (α i β j ) γj 1 mod p = β γ (α γij 1 β γ ) mod p = α γij 1 mod p = α x mod p Note: in a variation of the ElGamal signature scheme, one uses h(x) instead of x, where h is a cryptographic hash function. Other than the fact that this enables signatures of data of arbitrary size, it also prevents the above forgery from being successful. 79

It is also possible for Oscar to forge some message given a previous message and signature (x, γ, δ). Algorithm 15.3 ( Forge From Previous ElGamal ) 1: Pick h,i,j such that 0 h,i,j p 2 and gcd(hγ jδ,p 1) = 1. 2: λ γ h α i β j mod p 3: µ δλ(hγ jδ) 1 mod p 1 4: x = λ(hx + iδ)(hγ jδ) 1 mod p 1. Theorem 15.3 The above algorithm gives (x, λ, µ) such that β λ λ µ = α x mod p 15.5 Digital Signature Standard The Digital Signature Standard (DSS) describes a Digital Signature Algorithm (DSA) in FIPS 186, it is a variation of the ElGamal system. DSS relieves the burden of oversized signatures (with ElGamal signing a 160-bit message using a 512 bit prime, for example, produces a signature that is 1024 bits long, DSS would produce a 320-bit signature). Algorithm 15.4 ( DSA key generation ) 1: Choose a 512-bit prime p 2: Pick a 160-bit prime q such that q p 1. 3: Choose α Z p a qth primitive root of 1 mod p. 4: Compute β α a mod p. 5: RETURN public p,q,α,β and private a Note: To pick α, you can start by picking α o a primitive element of Z p and then computing α α (p 1)/q o. 80

Algorithm 15.5 ( DSS signature ) 1: Pick a random k such that 1 k p 2. 2: γ (α k mod p) mod q 3: δ (x + aγ)k 1 mod q. 4: IF δ = 0, GOTO step 1 5: RETURN s = (γ,δ). Verification: e 1 xδ 1 mod q e 2 γδ 1 mod q V er K (x, γ, δ) = true (α e 1 β e 2 mod p) mod q = γ. If the signature was constructed correctly, then the verification will succeed since (α e 1 β e 2 mod p) mod q α e 1 α ae 2 α xδ 1 α aγδ 1 α δ 1 (x+aγ) α k = (γ mod p) mod q. 15.6 Undeniable signatures In this type of signature scheme, the verification protocol requires the cooperation of the signer. The scheme is composed of three components: a signing algorithm, a verification protocol and a disavowal protocol. A disavowal protocol enables one to determine whether the signer is attempting to disavow a valid signature or whether the signature was forged. 81

15.6.1 Chaum-Van Antwerpen s scheme The first undeniable signature scheme was introduced in [?]. Algorithm 15.6 ( Chaum-Van Antwerpen key generation ) 1: Select a random prime p = 2q + 1, where q is also prime. 2: Select α y 2 mod p, for a random y R {2,3,...,p 2}. 3: Select a random a R {1,2,...,q 1}, β α a mod p. 4: RETURN public (p, α, β) and private a. α is selected in such a way as to be a generator of the subgroup of order q in Z p. The scheme operates in Z p, however, we need to be able to compute in a multiplicative subgroup of Z p. Picking p = 2q + 1, p, q primes, enables us to do this, and in a large as possible subgroup. Algorithm 15.7 ( Chaum-Van Antwerpen signature ) 1: s x a mod p. 2: RETURN s Algorithm 15.8 ( Chaum-Van Antwerpen verification ) 1: Bob selects random secret integers e 1,e 2 R {1,2,...,q 1}. 2: Bob computes z s e 1 β e 2 mod p and sends z to Alice. 3: Alice computes w = (z) a 1 mod p and sends w to Bob. 4: Bob accepts w = x e 1 α e 2 mod p If Alice is honest, Bob will accept: w = (z) a 1 mod p = (s e 1 β e 2 ) a 1 mod p = (x ae 1 α ae 2 ) a 1 mod p = x e 1 α e 2 mod p Theorem 15.4 Suppose s x a mod p is a forged signature, the probability 82

that Bob will accept the signature in the above algorithm is 1/q. The following disavowal protocol allows Alice to convince Bob that a certain value is not a valid signature. However, Alice might attempt to disavow a valid signature. The following protocol essentially performs the verification protocol twice and checks that Alice is not cheating: Algorithm 15.9 ( Chaum-Van Antwerpen Disavowal ) 1: Bob randomly selects e 1,e 2 R {1,2,...,q 1} 2: Bob computes z s e 1 β e 2 mod p, sends z to Alice. 3: Alice computes w = (z) a 1 mod p and sends w to Bob. 4: IF w = x e 1 α e 2 mod p THEN RETURN valid /* Bob concludes that Alice is trying to disavow a valid sig */ 5: Bob selects random e 3,e 4 R {1,2,...,q 1} 6: Bob computes z s e 3 β e 4 mod p, sends z to Alice. 7: Alice computes w (z ) a 1 mod p and sends w to Bob. 8: IF w = x e 3 α e 4 mod p THEN RETURN valid /* Bob concludes that Alice is trying to disavow a valid sig */ 9: Bob computes c (wα e 2 ) e 3 mod p, c (w α e 4 ) e 1 mod p 10: IF c = c THEN RETURN forgery /* Bob concludes that the sig was a forgery */ 11: ELSE RETURN valid /* Bob concludes that Alice is trying to disavow a valid sig */ Theorem 15.5 The probability for Alice to successfully disavow a valid signature s = x a mod p, in the above algorithm, is 1/q. 83

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information