370 likes | 704 Views
Chapter 7-2. Signature Schemes. Outline. [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants of the ElGamal Signature Scheme The Schnorr Signature Scheme The Digital Signature Algorithm The Elliptic Curve DSA
E N D
Chapter 7-2 Signature Schemes
Outline • [1] Introduction • [2] Security Requirements for Signature Schemes • [3] The ElGamal Signature Scheme • [4] Variants of the ElGamal Signature Scheme • The Schnorr Signature Scheme • The Digital Signature Algorithm • The Elliptic Curve DSA • [5] Signatures with additional functionality • Blind Signatures • Undeniable Signatures • Fail-stop Signatures
[4] Variants of the ElGamal Signature Scheme • Schnorr Signature Scheme • Proposed in 1989 • Greatly reduced the signature size • Digital Signature Algorithm (DSA) • Proposed in 1991 • Was adopted as a standard on December 1, 1994 • Elliptic Curve DSA (ECDSA) • FIPS 186-2 in 2000
Schnorr Signature Scheme Let p be a prime such that the DL problem in Zp* is intractable, and let q be a prime that divides p-1. Let α be a qth root of 1 modulo p. Define K={ (p,q,α,a,β):β=αa mod p } p,q,α,β are the public key, a is private
For a (secret) random number k, define sig(x,k)=(γ,δ), where γ=hash(x||αk ) andδ=k+aγ mod q • For amessage (x,(γ,δ)), verification is done by performing the following computations: ver(x,(γ,δ))=true iff. hash(x||αδβ-γ)=γ
If the signature was construct correctly, the verification will succeed since αδβ-γ=αk+aγα-aγ=αk
Schnorr Signature Scheme Example • We take q=101, p=78q+1=7879, α=170, a=75, then β=17075 mod 7879=4567 • To sign the message m=15, Alice selects k=50; Then γ=hash(15||17050), δ=5+75*γ mod 101 (15,(γ,δ)) is the signed message
L=0 mod 64, 512≤L≤1024 Digital Signature Algorithm • Let p be a L-bit prime such that the DL problem in Zp* is intractable, and let q be a 160-bit prime that divides p-1. Let α be a qth root of 1 modulo p. Define K={ (p,q,α,a,β): β=αa mod p } p,q,α,β are the public key, a is private
For a (secret) random number k, define sig(x,k)=(γ,δ), where γ=(αk mod p) mod q and δ=(SHA-1(x)+aγ)k-1 mod q • For amessage (x,(γ,δ)), verification is done by performing the following computations: e1=SHA-1(x)*δ-1 mod q e2=γ*δ-1 mod q ver(x,(γ,δ))=true iff. (αe1βe2 mod p) mod q=γ
Notice that the verification requires to compute: e1=SHA-1(x)*δ-1 mod q e2=γ*δ-1 mod q when δ=0 (it is possible!), Alice should re-construct a new signature with a new k
DSA Example • Take q=101, p=78q+1=7879, α=170, a=75; then β=4567 • To sign the message SHA-1(x)=22, Alice selects k=50; Then γ=(17050 mod 7879) mod 101=94, δ=(22+75*94)50-1 mod 101=97 (x, (94,97)) is the signed message
The signature (94,97) on the message digest 22 can be verify by the following computations: δ-1=97-1 mod 101=25 e1=22*25 mod 101=45 e2=94*25 mod 101=27 (17045*456727 mod 7879) mod 101 = 94 =γ
Elliptic Curve DSA • Let p be a prime or a power of two, and let E be an elliptic curve defined over Fp. Let A be a point on E having prime order q, such that DL problem in <A> is infeasible. Define K={ (p,q,E,A,m,B): B=mA } p,q,E,A,B are the public key, m is private
For a (secret) random number k, define sigk(x,k)=(r,s), where rA=(u,v), r=u mod q and s=k-1(SHA-1(x)+mr) mod q • For amessage (x,(r,s)), verification is done by performing the following computations: i=SHA-1(x)*s-1 mod q j=r*s-1 mod q (u,v)=iA+jB ver(x,(r,s))=true if and only if u mod q=r
[5] Signatures with additional functionality • Blind signature schemes (1983) • Undeniable signature schemes (1989) • Fail-stop signature schemes (1992)
Blind signature schemes • A sends a piece of information to B which B signs and returns to A. From this signature, A can compute B’s signature on an a priori message x of A’s choice (B is a signer here!) • B knows neither the message x nor the signature associated with it
Chaum’s blind signature protocol (1983) (A is a verifier and B is a signer, (n,e) is RSA public key of B and d is RSA private key of B) 1. A randomly select a secret integer k 2. A computes x*=xke mod n and sends it to B 3. B computes y*=(x*)d mod n and sends it to A 4. A computes y=k-1y* mod n, which is B’s signature on x (Note the signer B does not know (x,y) but (x,y) is a B’s signed message.)
Undeniable Signatures • A signature can not be verified without the cooperation of the signer • First introduced by Chaum and van Antwerpen in 1989 • Protects Alice against the possibility that documents signed by her are duplicated and distributed electronically without her approval
Since a signature should be verified with the cooperation of the signer, it is possible for a signer to evillydisavow a signature which signed by him previously • An undeniable signature scheme should consists of a disavowal protocol between the verifier B and the signer A, such that: • For a signature which is not signed by A, B will recognize it as a forgery • For a signature which is signed by A, A can fool B to recognized it as a forgery with very low probability
An application of the undeniable signature • A large corporation A creates a software package. A signs the package and sells it to B, who decides to make copies of this package and resell it to a third party C. Cis unable to verify the authenticity of the software without the cooperation of A
Chaum-van Antwerpen undenial signature scheme • Let p=2q+1 be a prime such that q is prime And the DL problem in Zp is intractable. Let α be an element of order q. Define: K={ (p,α,a,β) :β=αa mod p } 1. Signing algorithm • To sign a message x, Alice computes y=sig(x)=xa mod p
2. Verification protocol • Bob chooses e1,e2 from Zq* randomly • Bob computes c=ye1βe2 mod p and sends it to Alice • Alice computes d=ca-1 mod q mod p and sends it to Bob • Bob accepts s as a valid signature if and only if d = xe1αe2 mod p
Signer Verifier message x, signature y c=ye1βe2mod p d=ca-1mod q mod p d ≠ xe1αe2mod p • Two possibilities: • y is not a valid signature of x • y is the signature of x, she is fooling me by sending garbled dto me
(Correctness of the signature protocol) • Bob will accept a valid signature, since if s is valid: y=xa mod p, then c = ye1βe2 = xae1αae2 mod p Hence d = xe1αe2 mod p as desired
I doubt that you are fooling me to disavow your signature on x Signer Verifier c=ye1βe2 d=(c)a-1 c’=ye1’βe2’ d’=(c’)a-1 (dα-e2)e1’=(d’α-e2’)e1 I blame her wrongly, y is not signed by her Fact: if y≠xa, (dα-e2)e1’=(d’α-e2’)e1
Signer Verifier c=ye1βe2 d=(c)a-1 c’=ye1’βe2’ d’=(c’)a-1 Fact: if y=xa, she can make (dα-e2)e1’=(d’α-e2’)e1 holds with a very small probability 1/q
3. Disavowal protocol (1/3) B selects random secret integers e1,e2 and computes c=ye1βe2 mod p, and sends c to A A computes d=(c)a-1 mod p and sends d to B B checks if d=xe1αe2, then he concludes that y is a valid signature of x, otherwise go to next step
Disavowal protocol (2/3) B selects random secret integers e1’,e2’ and computes c’=ye1’βe2’ mod p, and sends c’ to A A computes d’=(c’)a-1 mod p and sends d’ to B B checks if d’=xe1’αe2’, then he concludes that y is a valid signature of x, otherwise go to next step
Disavowal protocol (3/3) B checks(dα-e2)e1’=(d’α-e2’)e1if it holds, he concludes that y is a forgery Otherwise, he concludes that A is trying to disavow the signature
Fact Let x be a message and suppose that y is A’s (purported) signature on x • If y is a forgery, i.e., y≠xa mod p, then (dα-e2)e1’=(d’α-e2’)e1 holds • Suppose that y is indeed A’s signature for x, i.e., y=xa mod p, then (dα-e2)e1’=(d’α-e2’)e1 holds with probability 1/q
Fail-stop Signatures • In a fail-stop signature scheme, when Oscar is able to forge Alice’s signature on a message, Alice will (with high probability) be able to prove that Oscar’s signature is a forgery • A fail-stop signature scheme consists of a singing algorithm, a verification algorithm and a “proof of forgery” algorithm
Van Heyst and Pedersen scheme (1992) • Let p=2q+1 be a prime such that q is prime and the DL problem in Zp is intractable. Let α be an element of order q. Let 1≤a0≤q-1 and defineβ=αa0 mod p. • The value of a0 is kept secret from everyone • The values p,q,α,β and a0 are chosen by a trusted central authority
A key has the form K=(γ1,γ2,a1,a2,b1,b2) where γ1=αa1βa2 mod p γ2=αb1βb2 mod p (γ1,γ2) is the public key and (a1,a2,b1,b2) is private
To sign a message x, sig(x)=(y1,y2) where y1=a1+xb1 mod q y2=a2+xb2 mod q • To verify a signed message (x,(y1,y2)) ver(x,(y1,y2))=true iff. γ1γ2x =αy1βy2 mod p
Proof of forgery – the argument • If there is a signature (y1’’,y2’’) on a message x’ which can be verified as signing by Alice, but actually it is not signed by Alice, i.e. (y1’’,y2’’)≠sig(x’) then Alice can calculate the secret a0 which was not given to her • Alice shows a0 to prove that she is innocent
Proof of forgery – calculation of a0 • Since (y1’’,y2’’) is a valid signature on x’ γ1γ2x’ =αy1’’βy2’’ mod p • Alice can compute her own signature (y1’,y2’) on x’ γ1γ2x’ =αy1’βy2’ mod p Hence αy1’’βy2’’=αy1’βy2’ mod p αy1’’αa0y2’’=αy1’αa0y2’ mod p
Thus y1’’+a0y2’’=y1’+a0y2’ (mod q) a0=(y1’’-y1’)(y2’-y2’’)-1 (mod q) It is computable by Alice!