650 likes | 993 Views
Digital Signatures. Presented by Olga Shishenina. Outline. Cryptographic goals Message Authentication Codes (MACs) Digital signatures RSA digital signature Elliptic curve digital signature Comparison of ECDSA and RSA signature. Message authentication. Entity authentication.
E N D
Digital Signatures Presented by Olga Shishenina
Outline • Cryptographic goals • Message Authentication Codes (MACs) • Digital signatures • RSA digital signature • Elliptic curve digital signature • Comparison of ECDSA and RSA signature
Message authentication Entity authentication Cryptographic Goals Cryptographic goals Confidentiality Data integrity Authentication Non-repudiation • Symmetric-key • ciphers: • Block ciphers • Stream ciphers • Public-key • ciphers Arbitrary length hash functions Message Authentication codes (MACs) Digital signatures Digital signatures Authentication primitives MACs Digital signatures
Non-repudiation mis a signed message s is a valid signature for m m, s Alice Bob Alice denies her signature if she finds: m’ ≠ m : s is valid signature for m’
Message Authentication Codes • MAC f(x, key):{0,1}* {0,1}n • knowing x and key f is easy to compute • it is infeasible to calculate f(x, key) without the key • MAC are often block cipher based • message m, secret key k • specification of block cipher E • MAC (m) = E( m, key ) • MAC (m) = E(hash(m), key )
h1 = Ekey(x1) hi = Ekey(hi-1 xi ), 2 ≤ i ≤ t CBC-based MAC algorithm Algorithm CBC-MAC INPUT: data x; specification of block cipher E; secret MAC key for E OUTPUT:n-bit MAC on x X1(n bit) X2 (n bit) Xt (n bit) h1 h2 ht-1 0 … key key key E E E n bit h1(n bit) h2(n bit) Optional output transformation n bit H = MAC
Secret key MAC algorithm Secret key message MAC verification algorithm Unsecured channel Ok / not Ok message MAC Signer Verifier Use of a MAC • Used to provide • Data integrity • Message authentication
Signer’s private key Signing algorithm Signer’s public key message Signature verification algorithm Unsecured channel Ok / not Ok message signature Signer Verifier Digital Signatures Scheme • Used to provide • Data integrity • Message authentication • Non-repudiation
Difference between MAC and digital signature • To prove the validity of a MAC to a third party, you need to reveal the key • If you can verify a MAC, you can also create it • MAC does not allow a distinction to be made between the parties sharing the key • Computing a MAC is (usually) much faster than computing a digital signature • Important for devices with low computing power
RSA • Developed in 1978 by Rivest, Shamir and Adleman (RSA) • Most popular public key cryptosystem • Based on the hard problem of “integer factorization”
Key-Generation for RSA(1) • Generate two large random distinct primes p and q, each roughly the same size • Compute n = pq and • Select random integer e: • Compute unique integer d: • Public key is (n, e); Private key is d
Key-Generation for RSA(2) • Usually numbers with the right bit length are chosen randomly and tested for primality • Statistical tests are used to determine the probability that these numbers are primes i.e. Strassen – Test Miller – Rabin – Test • There is always an insignificantly low chance that number is not prime
Used notation • Misa set of elements, called the message space = Zn • MSisa set of elements, called the signing space = Zn • Risa 1 to 1 mapping from M to MS, called the redundancy function • MRisthe image of R: {y| y = R(x), xЄ M} • R-1 isthe inverse of R: MRM
RSA signature generation and verification • To sign a message A should: • Compute: where R(m) is a redundancy function • Compute: • A’s signature for m is s • To verify A’s signature and recover m, B should: • Obtain A’s authentic public key (n, e) • Compute: • Verify that ; if not, reject the signature • Recover
Proof that signature verification works • Euler’s theorem: , where is the Euler’s function of n • If s is a signature for m, then: • Since , then: • Finally:
RSA signature example Alice • p=5 q=7 n = 35 φ(n) = 4·6=24 • e = 5; d: ed = 5d=1 mod 24 => d = 5 Public key: (n=35, e=5) Private key: d=5 • M = [0, n-1] • For all mЄMR(m)=m • m = 26;R(m) = 26 s = 265 mod 35 = 31 Bob: • R(m) = 315 mod 35 = 26 Є [0, n-1] • m = R-1(m) = 26
Possible Attacks on RSA signature • Integer factorization • If an adversary is able to factor n, then • Multiplicative property of RSA • If , then s is valid signature for m: • Hence, to avoid this attack R must not be multiplicative, i.e.
Performance characteristics • n=pq , where n is 2k-bit, p&q – k-bit primes • takes bit operations • Verification is significantly faster that signing if e is chosen to be a small number, e.g. • It is not recommended to restrict the size of d
m 2k bits k bits Short vs. long messages • n=pq , where n is 2k-bits, p&q – k-bits primes • ISO/IEC 9796 R: • To sign a kt-bits message m: • Divide m = m1 || m2 || m3 ||… || mt and sign each block individually one transmits 2kt bits. • Sign a l-bits hash(m), l ≤ k. Then one transmits kt+2k bits. (kt – to transmit the message) • If t > 2, then kt+2k < 2kt
Elliptic curves (EC) over the reals • A non-singular EC is the set E of solutions to the equation together with a special point O, where • has three distinct roots
An EC over the reals • y2 = x3 – 4x 4a3 + 27b2 = -256
Addition – Geometric Approach y • Chord-and-tangent rule P + Q = R, P ≠ Q • Point doubling P + P = 2 P = R Q = (x2, y2) -R = (x3, -y3) x (x1, y1) = P R = (x3, y3) y -R = (x3, -y3) P = (x1, y1) x R = (x3, y3)
Addition – Algebraic Approach E iselliptic curve over the reals • ( is the identity element ) • If -P
Galois Fields (Finite Fields) GF (q) • Is a set of elements (G, + , *) that satisfy certain arithmetic properties • Finite Field exists iff q is a prime power • If q = p, p is prime • {0, 1, ... , p - 1 } are the field elements • ADDITION: • MULTIPLICATION: • INVERSION:
Elliptic Curves Over Finite Fields Over GF(p), p is prime, p > 3 • Elliptic curve E equation where • E consists of • all pairs satisfying curve equation • special point - point at infinity
Example 1: elliptic curve over GF(23) • p = 23 • The points in E are and the following: (0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) … 28 points + = 29 points • Let’s consider (4, 7) 64 + 4 + 4 = 72 = 3 (mod 23) 49 = 3 (mod 23)
Basic Facts Let E(GF(q)) be an EC over GF(q) • The points of E(GF(q)), form a group under addition • Hasse’s theorem: Number of points on E (group order): • If #E is prime then the group is cyclic and • If #E has a prime factor, that there exists a cyclic subgroup
Example 2: elliptic curve over GF(23) • p = 23 • The points in E are and the following: P = (0, 2) 2P = (13, 12) 3P = (11, 9) 4P = (1, 12) 5P = (7, 20) 6P = (9, 11) 7P = (15, 9) 8P = (14, 5) 9P = (4, 7) 10P = (22, 5) 11P = (10, 5) 12P = (17, 9) 13P = (8, 15) 14P = (18, 9) 15P = (18, 14) 16P = (8, 8) 17P = (17, 14) 18P = (10, 18) 19P = (22, 18) 20P = (4, 16) 21P = (14, 18) 22P = (15, 17) 23P = (9, 12) 24P = (7, 3) 25P = (1, 11) 26P = (11, 14) 27P = (13, 11) 28P = (0, 21) 29P = O 30P = P 29 points
ECDSA parameters setup • Create (random) public abstract groups • Domain Parameter Generate: Complex & public.DP often taken from published list. • Domain Parameter Validate: Easy & public • Key Pair Generate: Easy & private. • Key Pair Validate: Easy & public.
ECDSA Domain Parameters • Domain parameters D = (q, a, b, G, n, h) • Field size q, q = p or q = 2m • Coefficients a, b in GF(q) of E=Ea,b(GF(q)): • Seed s of length ≥ 160 bits (Optional) • Base point G=(xG, yG) on curve E, i.e. • Ordern of G: nis prime, • Cofactor h: #E(GF(q)) = hn
Hash algorithm W0 Arbitrary SEED v-1 bits g > 160 bits 160 bits hash(z+ 1) hash(z+ 2) … hash(z+ s) W0 (v-1)+s·160 < log2p bits Curve parameters generation(1) • Input:GF(p), p is prime • Output: seed, curve coefficients a & b • Used notations:
Curve parameters generation(2) • ifabort and start again • Choose a,b • Result:y2 = x3 + ax + b • if • Exclude singular curves
Isomorphism classes of ECs(1) • E1: y2 =x3+a1x +b1 and E2: y2 =x3+a2x +b2are isomorphic • Step 3: Choose a,b • There only 2 variants for a and b on step 3
Isomorphism classes of ECs(2) • Let’s prove that there are precisely 2 choices for (a, b) on step 3 : • We can find a1, b1 and a2, b2: • We can not find a3, b3 : E3 is not isomorphic to E1 orE2
Domain Parameter Generation • Domain parameters D = (q, a, b, G, n, h) • Generate EC coeffs a & b E (GF(q) ): y2 = x3 + ax + b • Compute #E( GF(q) ) (e.g. Schoof’s algorithm) • Verify that , n is prime, • if not, go to step 1 • Verify that if not, go to step 1 • Verify that n≠q if not, go to step 1 • Select an arbitrary point Set Repeat until
Key pair Alice(signer) D = (q, a, b, G, n, h) Key generation: • Select random d: 1 ≤ d ≤ n-1 • Q = d·G Q(xQ, yQ) ispublic G isprivate • Key validation: • Check that: • Q ≠ • nQ = • If any check fails • -> Q is invalid • else • -> Q is valid (D, Q) Bob(verifier) Q is valid or not???
To verify signature (r, s): • check: 1 ≤ r ≤ n-1, 1 ≤ s ≤ n -1 • e = SHA-1(m) • w = s-1 mod n • u1 = e·w mod n u2 = r·w mod n • X = u1·G + u2·Q, if • X=(x1, y1) v = x1 mod n ECDSA generation & verification Alice Parameters D = (q, a, b, G, n, h) Associated keys (d, Q) Bob Parameters D = (q, a, b, G, n, h) Alice’s public key Q Alice’s signature (r, s) on m To sign message m: • k randomly chosen 0 < k < n-1 • k·G = (x1, y1) r =x1mod n • if r = 0 abort and start again • e =SHA-1(m) • s = k-1·( e + d·r) mod n • if s = 0 abort and start again • Output:(r, s) D, Q, m, r, s Proof that signature verification works:
Ordinary DLP • Definition: Given: prime p, generator g of GF(p), non‑zero element y GF(p), Find: the unique integer k, 0 k p – 2: y gk(mod p) k is called the discrete logarithm of y to the base g • Known attacks The most efficient: Index Calculus Method O( )
Elliptic Curve DLP • Identified in 1985 – Koblitz and Miller suggested using it in place of DLP • Definition: Given: EC E defined over GF(q), point PE( F(q) )of order n, point QE( GF(q) ), Determine: the integer l, 0 l n – 1: Q = lP • Arises in groups defined on EC • Hard Problem • Only exponential algorithms known
Known Attacks on ECDLP • Pollard’s Rho Algorithm O( ) • Parallelized Pollard’s RhoO( ) r is the number of processors used Precautions: • Pohlig-Hellman Algorithm O( ) Precautions: • Menezez-Okamoto-Vanstone (MOV) O( ) Precautions: • No index calculus method found
Pollard’s Rho Algorithm(1) To find k where Q=kP, and n is the group order: • Use a pseudo-random walk through the group • Start at a known point • When a collision occurs, we can find k • Because there is not enough room to store all visited points, we only store distinguished points (points with some distinguishing property, such as the first i lower order bits equal to zero).
Pollard’s Rho Algorithm(2) • The random walk is defined as: • Where the Si are three sets of points (e.g. Si may be points such that x mod 3 i), and the ri are randomly chosen.
Pollard’s Rho Algorithm(3) • R0 is chosen to be a known multiple of P and Q. • For each iteration, Ri+1 is found, and also what multiple of P and Q it is. • When a collision occurs, we have:
Pollard’s Rho Algorithm(4) • The number of iterations is • With this approach, the path of the pseudo-random walk depends on Q. • There is no precomputation. • Calculations from previous ECDLP’s are of limited usefulness in subsequent ECDLP’s, because collisions are only detected for distinguished points.
Proof of work: Duplicate-Signature Key Selection D, Q, m, r, s • An adversary • Selects arbitrary c: • Computes: • Forms: Alice Bob DE, QE, m, r, s Adversary E
Key Size Comparisons Sym. key: 80, 112, 128, 192, 256 ECC n: 161, 224, 256, 384, 512 RSA n: 1024, 2048, 3072, 7680, 15360
ECDSA Advantages • Elliptic curves offer a much shorter key length than RSA. • There are some environments where 1024-bit RSA cannot be implemented, while 163-bit ECC can. • No subexponential-time algorithm is known for the EC discrete logarithm problem.
Discussion ???