Digital Signature

  • Uploaded by: simplyanilkumar
  • 0
  • 0
  • May 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View Digital Signature as PDF for free.

More details

  • Words: 2,059
  • Pages: 43
Digital Signatures Applied Handbook of Cryptography: Chapt 11 slides courtesy of Xuhua Ding

Outline      

Framework RSA related signature schemes DSA related signature schemes One-time digital signatures Arbitrated signature schemes Signatures with added functionality

Framework Digital Signatures can provide  Authentication  Data Integrity  Non-Repudiation One Application  Certification of public keys in large networks

Framework (cont) 

Definitions 





Digital Signature - a data string which associates a message with some originating entity Digital Signature Generation Algorithm – a method for producing a digital signature Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

Framework (cont) 

Notation M message space MS signing space S R

signature space a one-one mapping from M to MS called the redundancy function MR the image of R R-1 the inverse of R h a one-way function with domain M Mh hash value space, the image of h (h: M→ Mh)

Framework (cont) 

Taxonomy of digital signatures randomized message recovery deterministic

signature schemes

randomized appendix deterministic

Framework (cont) 

Schemes with appendix 





Requires the message as input to verification algorithm Rely on cryptographic hash functions rather than customized redundancy functions DSA, ElGamal, Schnorr etc.

Framework (cont) 

Digital Signature with Appendix M

Mh

h

m

m

SA,k

h

Mh x S

VA

u ∈ {True, False}

S s* s* = SA,k(mh) u = VA(mh, s*)

Framework (cont) 

Desirable Properties 

For each k ∈ R, SA,k should be efficient to compute



VA should be efficient to compute



It should be computationally infeasible for an entity other than the signer to find an m ∈ M and an s ∈ S such that VA(m’, s*) = true, where m’ = h(m)

Framework (cont) 

Digital Signature with Message Recovery M R

m

MR m

SA,k

S s*

Mr S S s*

VA

MR m r

R-1

M m

Framework (cont) 

Desirable properties 

For each k ∈ R, SA,k should be efficient to compute



VA should be efficient to compute



It should be computationally infeasible for an entity other than A to find any s* ∈ S such that VA(s*) ∈ MR

Framework (cont)

M m

h

Mh m h

R

MR m Mr S

SA,k

S s*

Framework (cont) 

Breaking a signature scheme  



Total Break: private key is comprimised Selective forgery: adversary can create a valid signature on a preselected message Existential forgery: adversary can create a valid signature with no control over the message

Framework (cont) 

Types of attacks  

Key-only: adversary knows only the public key Message attacks 





Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) Adaptive chosen-message attack: adversary can use the signer as an oracle

RSA  



Key generation n, p, q, e, d Sign 

Compute mr = R(m)



Compute s = mrd mod n



The signature for m is s

Verify  

Obtain authentic public key (n, e) Compute mr = se mod n



Verify that mr ∈ Mr



Recover m = R-1(mr)

RSA (cont) 

Attacks  



Reblocking problem 



Integer factorization Homomorphic property If signatures are encrypted different modulus sizes can render the message unrecoverable

Importance of the redundancy function 

ISO/IEC 9796

RSA (cont) 

Performance (p, q are k-bit primes)  



Signature O(k3) Verification O(k2)

Bandwidth 

Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of ½)

DSA 

DSA Algorithm : key generation  

  

select a prime q of 160 bits Choose 0≤t≤8, select 2511+64t
DSA (cont) 

DSA signature generation     

Select a random integer k, 0 < k < q Compute r=(αk mod p) mod q compute k-1 mod q Compute s=k-1 ∗(h(m) + ar) mod q signature = (r, s)

DSA (cont) 

DSA signature verification     

Verify 0
h(m) ≡ −ar + ks (mod q ) wh(m) + arw ≡ k (mod q ) u1 + au 2 ≡ k (mod q ) α u1 y u 2 mod p (mod q ) = α k mod p (mod q )

DSA (cont) 

Security of DSA 



Parameters: 



two distinct DL problems: ZP*, cyclic subgroup order q q~160bits, p 768~1Kb, p,q, α can be system wide

Probability of failure 

Pr[s=0]= (1/2)160

DSA (cont) 

Performance 

Signature Generation   



One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be precomputed

Verification 

Two modular exponentiations

ElGamal  

Key generation: p, q, α, a, y=αa mod p Signature Generation     

Select random k, 1 ≤ k ≤ p-1, gcd(k, p-1)=1 Compute r = αk mod p Compute k-1 mod (p-1) Compute s = k-1 ∗ (h(m) - ar) mod (p-1) signature is (r,s)

ElGamal (cont) 

Signature Verification  

Verify 1 ≤ r ≤ p-1 Compute v1 = yrrs mod p



Compute h(m) and v2= αh(m) mod p



Accept iff v1=v2 −1

s ≡ k {h(m) − ar} (mod p − 1) ks ≡ h(m) − ar (mod p − 1) α

h(m)

≡α

ar + ks

a r s

≡ (α ) r (mod p )

ElGamal (cont) 

Security (based on DL problem)   

Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p ≡ 1 mod 4, α|p-1, DL can be broken for subgroup S of order α. Forgeries are then possible

ElGamal (cont) 

In addition… 

k must be unique for each message signed 



(s1-s2)k=(h(m1)-h(m2))mod (p-1)

An existential forgery attack can be mounted if a hash function is not used

ElGamal (cont) 

Performance 

Signature Generation   



Verification 



One modular exponentiation One Euclidean Algorithm Both can be done offline Three modular exponentiations

Generalized ElGamal Signatures

One-Time Signatures 



Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message. Most one-time signature schemes have the property that signature generation and verification are both very efficient

Rabin One-Time Signatures 

Key generation 





Select a symmetric key encryption scheme E (e.g. DES) Generate 2n random secret strings k1,k2...k2n∈K, each of bit length l Compute yi=Eki(M0(i)), i ∈[1,2n].



Public key is (y1,y2,...y2n),



private key is (k1,k2,...k2n).

Rabin One-Time Signatures 



Signature Generation: 

compute si=Eki(h(m)), i ∈[1,2n]



signature is (s1,s2,...s2n)

Verification:  

Compute h(m) Select n distinct random number rj, rj∈[1,2n]



Request from signer, the keys krj, ∀ j: 1 ≤ j ≤ n



Verify received n keys ie. does yrj= Ekr (M0(rj))?



Verify all srj = Ekr (h(m)),

j

j

Rabin One-Time Signatures 

Resolution of disputes: signer A, verifier B and TTP    

B provides m and the signature to TTP TTP gets private key k1,...k2n from A TTP verifies authenticity of the private key TTP computes ui=Eki(h(m)), 1 ≤ i ≤ n. If ui = si for at most n values of i, it is forgery. If n+1 or more values match, it is valid signature



1 Rationale for dispute resolution protocol 2n   A can disavow with Pr  =n   

Arbitrated Digital Signatures 







Requires an unconditionally TTP as part of the signature generation and signature verification. Each entity shares a symmetric key with the TTP Symmetric key cryptography results in a very fast algorithm However, this speedup is overshadowed by the TTP as well as communication overhead

Arbitrated Digital Signatures 

Signature Generation (by A)

A

IAs, = uE =k (h(m)||I Ek (h(m)) A) T

A

TTP

Arbitrated Digital Signatures 

Signature Verification (by B)

B

IBE,kv(h(m)||I = Ek (s) A) B

B

TTP

ESIGN 





Key generation  Compute n=p2q, select k>3  Public key(n,k), private (p,q) Sign message m  compute v=h(m), random x, 0 ≤ x < pq  w = ((v-xk) mod n/ (pq), y = w(kxk-1)-1 mod p  Compute s=x+ypq mod n Verify:  compute u = sk mod n, z = h(m)  if z ≤ u ≤ z + 22 lg(n)/3 , accept the signature

ESIGN (cont) 

Why does this work? I refer you to the text p 473 



Security of ESIGN  



Based on factoring of large integers. Not known whether n=p2q is easier than factoring RSA modulus Given m and s, inkorder to forge a signature 2 lg n 3 for m’, we must  h(m' ) ≤ s mod n ≤ h(m' ) + 2 have that Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m’

ESIGN (cont) 

Efficiency of ESIGN  The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4)  For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation.

Blind signature scheme 



Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B’s signature on a priori message m of A’s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it. Application: e-cash

Blind signature scheme (cont) 

Chaum  



Sender A; Signer B B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0 ≤ k
 

(blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk (signing) B comp s* = (m*)d mod n, to A (unblinding) A: computes s = k-1s* mod n

Undeniable Signature Schemes 

Definition: signature verification requires the cooperation of signer



Chaum-van Antwerpen 

Key generation    

Select random prime p=2q+1, q is prime Select a generator α for the subgroup of order q in Zp* Select random a∈{1,2,...q-1}, y= αamod p public (p, α, y), private a

Chaum-van Antwerpen 

Signature Generation 



compute s = ma mod p

Verification 

  

B selects a random secret integers x1, x2 ∈ {1,2,...q-1} B computes z = sx1yx2 mod p, and sends z to A A computes w = za-1mod p, and sends w to B B computes w′ = mx1αx2 mod p. Valid iff w= w′

w≡z

a -1

x1

x2 a −1

≡ (s y )

≡ (m

ax1

α

ax2 a −1

)

x1

≡m α

x2

≡ w' mod p

Chaum-van Antwerpen 

If s is a forgery, B accept it with pr=1/q and independent of adversary’s computation resources



A could attempt to disavow a signature   

refuse to participate in verification perform the verification incorrectly claim a signature forgery even though the verification protocol is successful.

Chaum-van Antwerpen 

Disavowal protocol 





Select two pair (x1, x2) and (x’1, x’2) and verify twice Compute c = (wα-x2)x’1 mod p and c′ = (w′α-x’2)x1 mod p, if c = c′, s is a forgery, otherwise s is valid and A is attempting to disavow the signature

Let m be message, s a signature on m 



If s ≠ ma mod p and the disavowal protocol runs correctly, then c=c′ If s = ma mod p. B follows protocol, but A does not. The Pr[c=c′] is 1/q

Related Documents


More Documents from "peterparker"

Digital Signature
May 2020 8