1 CIS 5371 Cryptography 8. Data Integrity Techniques.

1

CIS 5371 Cryptography

8. Data Integrity Techniques

Asymmetric techniques, I

Digital signaturesWith PK encryption, Alice can use her private key to decrypt a message and the resultant “ciphertext’’ can be “encrypted’’ to recover the message.

This ciphertext can serve as a Manipulation Detection Code (MDC).The verification of a MDC can be performed by anyone since the public key is available to anyone.

Example of an MDC based on RSA

• Let p = 101, q = 113. Then n = 11413.• (n) = 100 112 = 11200 = 26527• Alice takes e = 3533, d = 6597• Alice publishes: n = 11413, e = 3533.• Let the message be m = 5761• Alice computes the MDC:

57616597 (mod 11413) = 9726• Suppose Bob wants to verify that 9726 is the MDC of Alice• Bob computes 97263533 mod 11413 = 5761

Digital signature schemes

• M, message space

• S, signature space

• K, signing key space

• K’, verifying key space

• Gen: KK’, an efficient key generating algorithm

• Sign: MK S, an efficient signing algorithm

• Verify: MSK’ {true,false} an efficient verifying algorithm.

The RSA signature schemeSignature setup: n = pq, where p and q are primes.

M = S = Zn , with keyspace

K = {(n,e,d) : ed = 1 mod (n) }.

Public key = (n,e), Private key (n,d).

Signature generation: for m Zn,

Signature Verification

if and only if

Security issues for Digital Signatures

Active attacks digital signatures• Adaptive Chosen-Message Attack (CMA):

– The attacker chooses adaptively a number of messages and obtains the corresponding signatures: the task of the attacker is successful if he can sign a (new) target message.

• Existential forgery under CMA: – The algorithms (Sign,Verify) form a one-way trapdoor pair.

This means that it is easy to compute valid “message-signature” pairs

(by first selecting a signature and then finding the corresponding message).

– However, computing message-signature pairs should be hard. – A usual way to control this is add redundancy to the message.

Rabin signatures

Signature setup: Same as RSA

Public key = (n,b), Private key = (p,q).

Signature generation: Exercise

Signature Verification: Exercise

The ElGamal signature scheme

Signature setup:

Same as ElGamal encryption scheme, with:

M = Zp* , S = Zp* Zp-1, and keyspace K = Zp* Zp-1.

Public key = (p, g, y)

Private key = (p, g, x).

The ElGamal signature scheme• Signing

Let m Zp* be a message.

For public key (p,g,y), with y = gx mod p,

and a secret random number k Zp-1, define:

sigx,k (m,k) = (s,t), where• s = gk mod p• t = (m-xs) k-1 mod ( p-1)

• Verification

Verify(p,,g,y)(m,(s,t)) = true st·ys = gm mod p.

Toy example

Let p = 467, g = 2, x = 127, y = 132

message m = 100,

Choose k = 213. Then k -1mod 466 = 431.

The signature is: s = 2213 mod 467 = 29

t = (m-xs) k -1 mod (p-1)

= (100-127×29) 431 mod 466 = 51

Verification: 2100 ? 2951×13229 mod 467

The security of ElGamal signatures

• If the DL problem is feasible then ElGamal signatures can be forged.

• The converse may not be true.• The exponent k must be

• private• cannot be used twice• best: chosen at random.

The Digital Signature Algorithm

Let p be a an L-bit prime prime,

512 L 1024 and L 0 mod 64 ,

let q be a 160-bit prime that divides p-1 and

Let e Zp* be a q-th root of 1 modulo p.

Let M = Zp-1,

S = Zq x Zq and

K = {(p,q,,x,y): y = x modp }.

• The public key is (p,q,,y).• The private key is (p,q,,x).

The Digital Signature scheme

• Signing Let m Z be a message.

For public key (p,g,,y), with y = x mod p, and

secret random number k Zp-1, define: sigx,k(m) = (s,t), where

• s = ( k mod p) mod q• t = (SHA(m) + xs) k -1 mod q

• Verification Let

• e1 = (SHA(m)) t -1 mod q• e2 = s t -1 mod q

Verify(p,,y),(m,(s,t)) = true ( e1 y e2 mod p) mod q = s.

Provable security

Forging signatures

• We must how that given a message it is hard to forge a signature. Is this enough?

• There are several attacks we already discussed:• Existential forgery• Adaptive Chosen-Message Attacks

• What is really needed is a formal security model for digital signatures, that allows for all possible threat scenarios and all protocol aspects.

• One such model is the Random Oracle model.

Asymmetric techniques, IIData Integrity without source Identification

Optimal Asymmetric Encryption Padding

RSA-OAEP

RSA with OAEP

Key ParametersLet (N,e,d,G,H,n,k0,k1) U Gen (1x) satisfy:

(N,e,d) are RSA parameters

|N| = k = n+k0+k1, with 2k0, 2k1 negligible quantities

G, H hash functions with: G: {0,1}k0 {0,1}k-k0 , H: {0,1}k-k0 {0,1}k0

n is the length of the plaintext

(n, k0,k1,G,H,e) is Alice’s RSA public key,

(n, k0,k1,G,H,d) is Alice’s RSA private key.

RSA with OAEP

Encryption Let m {0,1}n be the message to be sent to Alice.

Bob (the adversary?) performs the following:

1. .r U {0,1}k0 ;

s (m || 0k1) G(r) ; t r H(s)

2. .c (s || t) e mod N

RSA with OAEP

Decryption

Upon receipt of the ciphertext c Alice performs:

1. .s || t c d mod N satisfying

|s| = n+k1 , |t| = k0

2. .u t H(s); v s G(u)

3. Output m if v = m || 0k0, else reject.

RSA with OAEP

Security

RSA with OAEP provides data-integrity, but not origin integrity.

It can be shown that RSA-OAEP is secure against adaptive chosen ciphertext (CCA2) attacks in the Random Oracle Model.

The Random Oracle Model (ROM)

• Security is defined in terms of a game involving two parties: the system and the adversary.

• All authorized parties of the system are represented by random oracles (Alice, Bob, …)

• Access to any party is via its oracle.• Access to an oracle G is by a query a, to get the

response G(a). • The system of oracles is managed by a Simulator (who

arranges that the oracles simulate the behavior of the real parties).

The Random Oracle Model• There are two phases:

• A training phase in which adversary is allowed to make queries (adaptively) and get responses.

• A test phase in which adversary must answer 0 or 1 as his educated guess to a challenge.

• The adversary wins if at the test phase he can distinguish with probability better than

0.5 + negl

between two strings. e.g. if a public-key encryption system is analyzed, the adversary must distinguish between the ciphertexts c1,c2 of two new messages m1, m2.

The Random Oracle Model

• The system is secure if the adversary cannot win.• The type of queries the adversary can make is

determined by the threat model used. • in CCA2 the adversary can adaptively chose

ciphertexts an get the corresponding plaintexts.

One-time signatures Lamport signature scheme

Let k be an integer, P = {0,1}k.

Suppose that f : Y Z is a one-way function,

and A = Y k.

Let yi,j Y be chosen at random, 1 ≤ i ≤ k, j =0,1, and

zi,j = f (yi,j),

The key K consists of the 2k pairs : (yi,j, zi,j).

The y’s are the private key, the z’s are the pubic key.

Lamport signature scheme Signing

Let x = (x1,x2, … , xk) P be a message.

For K = (yi,j, zi,j) define

sigK (x1,x2, … , xk) = (y1,x1,y2,x2

, … , yk,xk ) .

Verification

verK((x1,x2, … xk),(y1,x1,y2,x2

, … , yk,xk )) = true

f(yi) = zixi , 1 ≤ i ≤ k

The security of the Lamport signature scheme

The security of the Lamport signature scheme can

be proven if we assume that:

• The one-way function is bijective, and that• The public key consists of distinct elements.

Certificates and Public-Key Infrastructures

We have not shown how to distribute securely public keys.

We shall now show how this can be done by using public-key cryptography

Sounds circular, and is! but works.

26

Certificates and Public-Key Infrastructures

A first approach: bootstrap all public-keys to a single one using certificates.

To be concrete suppose that Charlie has generated a key pair (

Consider the certificate

Give this to Bob. Bob publishes: This authenticates the public key of Bob to anyone

who trusts Charlie.

27