1 / 46

Digital Signature

Digital Signature. Sheng Zhong. Digital Signature (1). Public-key-based technique for data integrity. A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify). PK: Public key space (the set of all possible keys). SK: Private key space. M: Message space. S: Signature space.

aiko-woodard
Download Presentation

Digital Signature

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Digital Signature Sheng Zhong

  2. Digital Signature (1) • Public-key-based technique for data integrity. • A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify). • PK: Public key space (the set of all possible keys). • SK: Private key space. • M: Message space. • S: Signature space.

  3. Digital Signature (2) • KG: {Positive Integer} → PK × SK. An efficient algorithm for key generation. • Sign: SK × M → S. An efficient algorithm for signing. • Verify: PK × M × S → {accept, reject}. An efficient algorithm for verifying signature on message.

  4. Correctness Requirement • We require that the signature generated by a private key can definitely be verified by the corresponding public key. • For all output (pk, sk) of the key generation algorithm, for all message m, Verify(pk, m, Sign(sk, m))=accept.

  5. Unforgeability Requirement • We require that any adversary should not be able to forge a signature on any message. • For all efficient algorithm A, for all message m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible

  6. RSA Signature (1) • Key generation: Same as in the RSA cryptosystem. • N=pq is an RSA modulus. • ed=1 (mod Φ(N)). • Public key: (N, e). • Private key: (N, d). • Signing: s=md mod N. • Note this looks like decryption in RSA cryptosystem.

  7. RSA Signature (2) • Verification: return accept if and only if m=se mod N. • This looks like encryption in RSA cryptosystem, right? • Why is the scheme correct? • Because se = (md)e = mde=m (mod N).

  8. Unforgeability • Recall RSA is a trapdoor one-way function. • Without knowing trapdoor d, it should be infeasible to find s such that se=m (mod N). • The above is equivalent to that it is hard to find s=md (mod N). • So the RSA signature is unforgeable in the very weak sense as we described.

  9. Inadequacy of Simple Unforgeability • The above unforgeability property only ensures that adversary can’t generate valid signature on any given message. • Bad guy can’t show to people that you “have borrowed $1 million from him”. • But it does not ensure that adversary can’t generate valid signature on random message. • Bad guy might be able to show that you “have done something” (which you did not really do).

  10. Attack on RSA • Adversary picks a random element s of the signature space. • Adversary computes m=se (mod N). • Clearly, s is a valid signature on message m. • Adversary can claim signer has done random things!

  11. Countermeasure to the Attack • We can modify the signing procedure by adding a hash: • Signing: s=(H(m))d mod N. • Verification: Return accept if and only if se=H(m) (mod N). • Clearly, the scheme remains correct.

  12. Random attack is no longer feasible. • Suppose the hash function is one-way. • Then the adversary can compute se; but can’t compute m=H-1(se). • So the attack is no longer feasible. • This is called existent unforgeability. • For all efficient algorithm A, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, A(pk))=accept]=negligible

  13. Rabin Signature • Another signature scheme; very similar to RSA signature. • Key generation: Choose RSA modulus N=pq; N is public key; (p, q) is the private key. • Signing: s= m1/2 (mod N). • Verification: return accept if and only if m=s2 (mod N).

  14. Rabin Signature vs. RSA Signature • Difference: • Rabin signature uses 2 as verification exponent. • RSA signature uses e as verification exponent, where e is in Z*Φ(N) • Advantage of Rabin signature: • Faster in verification.

  15. Unforgeability of Rabin Signature • Rabin signature is unforgeable (in the naïve sense) if factorization is hard. • Suppose adversary can forge signature s on given message m. • Then we choose s’ randomly, computes m=(s’)2, and ask adversary to forge s=m1/2. • Note that s and s’ are two square roots of m. • With probability of ½, we are able to factor N.

  16. Attack and Countermeasure • Just like RSA signature scheme, Rabin signature scheme is existentally forgeable. • Pick s and compute m=s2 mod N. • s is a valid signature on m. • To prevent such attack, we can also use hash function.

  17. ElGamal Signature (1) • Yet another popular signature scheme. • Key generation: like in ElGamal cryptosystem. • Pick a large prime p; pick generator g in Z*p; y=gx mod p. • Public key: (p, g, y) • Private key: (p, g, x)

  18. ElGamal Signature (2) • Signing: r=gl mod p; s=l-1(m-xr) mod (p-1). (r,s) is signature on message m. • Verification: return accept if and only if rs=gm/yr (mod p)

  19. Valid signature can be verified

  20. Verified signature should be valid • Intuitively (not rigorously): Can compute valid s=l-1(m-xr) → Can compute valid m-xr → Knows x

  21. “Looks” Secure • The signature looks not giving knowledge about x. • Since in s=l-1(m-xr), x-mr is protected by l-1. • And in r=xl, l is protected by hardness of discrete logarithm.

  22. Attack on ElGamal Signature (1) • Can the signer reuse l in signing? • This leads to breaking of the signature scheme. • Suppose r=gl mod p; s=l-1(m-xr) mod (p-1); s’=l-1(m’-xr) mod (p-1). • Then s-s’=l-1(m-m’) (mod (p-1)) • Adversary can figure out l from m, m’, s, s’. • Next, adversary computes x from l, m, r, s.

  23. Attack on ElGamal Signature (2) • Even if signer does not reuse l, adversary can forge a signature. • Attacks discovered by Bleichenbacher in 1996. • One example: suppose (r,s) is a signature on message m. • u=m’/m (mod p-1); s’=su (mod p-1). • Compute r’ s.t. r’=ru (mod p-1) and r’=r (mod p).

  24. Attack on ElGamal Signature (3) • (r’,s’) is a valid signature on message m’.

  25. Attack on ElGamal Signature (4) • If g is chosen by adversary, Bleichenbacher showed a way to forge signatures. • Details in textbook. Read if you are interested.

  26. Countermeasures • Do NOT reuse l. • Make sure 0<r<p. • This prevents the example attack because r’=ru (mod p-1) and r’=r (mod p) can’t be satisfied by any r between 0 and p. • Make sure g is generated randomly.

  27. Existent Forgery (1) • Choose u,v in Z*p-1. • r=guyv mod p. • s=-rv-1 mod (p-1). • m=-ruv-1 mod (p-1). • Claim: (r,s) is a valid signature on message m.

  28. Existent Forgery (2) • Why does the attack work? • Countermeasure: Use hash function.

  29. ElGamal Signature Family (1) • There are a number of ElGamal-like signature schemes. They are different in details, but have the same basic idea: • Signature is to “prove” sender of message m has knowledge of private x. • So it is enough to “prove” sender knows a function of x and m. • Note the above function of x and m binds the signature to message m.

  30. ElGamal Signature Family (2) • However, function of x and mcannot be the signature because adversary may compute x from it. • So, the signer protect function of x and musing a random factor, to get a part of the signature. • gThe random factor is the other part of the signature; the random factor is now protected by hardness of discrete logarithm. • All signature schemes using the above idea belong to the ElGamal signature family.

  31. ElGamal signature belongs to the ElGamal signature family • Look at the ElGamal signature: • function of x and m : m-xr. • Protect the above using a random factor: s=l-1(m-xr) • Protect the random factor using discrete logarithm: r=gl

  32. Schnorr Signature • Another member of ElGamal signature family: • function of x and m : H(m,r)x. • Protect the above using a random factor: s=H(m,r)x+l • Protect the random factor using discrete logarithm: r=gl

  33. Digital Signature Standard (DSS) • Yet another member of ElGamal signature family: • function of x and m : H(m)+xr. • Protect the above using a random factor: s=l-1(H(m)+xr) • Protect the random factor using discrete logarithm: r=gl

  34. Security of ElGamal Signature Family • There are many other members of ElGamal signature family. • Each has a lot of details that require attention. • But note that ElGamal signature family is a general method of designing signature schemes. • NOT a method for security proof. • So the security of each member has to be analyzed case by case.

  35. Optional Topic: Unforgeability and Chosen Message Attack • Chosen Message Attack: a strong adversary model for digital signature • Analogous to CCA2 for encryption • Assumes adversary can obtain signatures from an oracle for any messages he chooses • Then ask whether adversary is able to figure out a new pair of (message, signature).

  36. Oracle Machine • An oracle machine is associated with a functionality. • It maps an input sequence (called queries) to a probability distribution of output sequence (called answers) . • A query/answer can depend on earlier queries/answers. • But it can’t depend on later queries/answers. • Note that the functionality does NOT need to be (efficiently) computable.

  37. Use of Oracle Machine • We can let an algorithm A have access to an oracle machine M. • Whenever needed, A can send queries of his choices to M and get answers. • This can help A to complete a lot of computational tasks. • A can’t look inside M. In other words, A does not know what’s happening in M.

  38. Unforgeability against Chosen Message Attack (CMA) Suppose M is an oracle machine that returns signatures for any query messages. A digital signature is (existentally) unforgeable against Chosen Message Attack if for all efficient algorithm A that has access to M, for signing key ks and verification key kv distributed as specified in the scheme, for all polynomial p(), for all sufficiently large k, Pr[Verify(kv, AM(kv))=accept and the message in AM(kv) is not a query of A to M]<1/p(k)

  39. Unforgeable Signature against CMA • Suppose {fi} is a family of trapdoor one-way permutations. Then we can construct a signature scheme that is unforgeable against CMA. • Recall {fi} should have efficient algorithms I, D, F for initialization, domain sampling, function evaluation, respectively. • We start by giving a secure signature scheme for a single bit; then we extend this signature scheme to longer messages.

  40. Secure Signature for a Single Bit (1) • For key generation, we first run I to get index i and trapdoor d. • We then use D to sample two points a, b from the domain of fi, uniformly and independently. • We next use F to compute fi(a) and fi(b). • The public key is (i, fi(a) , fi(b) ). • The private key is (a, b).

  41. Secure Signature for a Single Bit (2) • Signing: • The signature of 0 is a; • The signature of 1 is b. • Verification: • If the message is 0, check fi(signature)= fi(a); • If the message is 1, check fi(signature)= fi(b).

  42. Security Analysis • Even if adversary sees signature of 0, he can’t find out signature of 1. • Because {fi} is trapdoor one-way and thus without knowing the trapdoor the adversary can’t compute b from fi(b). • Similarly, even if adversary sees signature of 1, he can’t find out signature of 0. • Random message attack is not feasible. • Because the domain of fi is large and thus it is infeasible to find a random signature.

  43. Extension to Longer Messages • A longer message consists of multiple bits. • So we only need to use the signature scheme for single bit for multiple times. • For each bit of the message we have a different instance of the signature scheme for single bit. • The signatures of all bits constitute the signature of the entire message.

  44. Problem with Extension • The above simple extension works for a single message of multiple bits. • But it is subject to attack when there are multiple messages. • Consider for example m1=1011, m2=0100, m3=1111. • When you have signatures of m1 and m2, you can actually derive the signature of m3. • The signatures of 1st, 3rd, and 4th bits of m3 come from the signature of m1. • The signatures of 2nd bit of m3 comes from the signature of m2.

  45. Fixing the Problem • To fix the problem, we need to make sure that the signatures of different messages use different instances of the signature scheme for single bit. • This can be done by having the signer re-choose the instances after signing each message. • To notify verifier of the new instances, the signer must sign them and include them in the signature. • In fact, a complete history of message signing and instance changing must be included in the signature. • Fixed as above, the scheme can be proved to be existentally unforgeable against CMA.

  46. Authentication of Fresh Message • In the above, we introduced MAC and digital signature for message authentication. • They guarantee a message was indeed sent by a specific entity. • However, the message might actually be a replay of a very old message. • To guarantee the message is fresh, when we use MAC or digital signature, we should • Include time stamp as part of message, or • Include a fresh nonce chosen by the receiver as part of message

More Related