Chapter 8 Digital Signature
Cryptography-Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li, http://cst.hit.edu.cn/~lizhijun

Jan 17, 2016


Zhijun Li S1034040/Autumn08/HIT 2

Outline

• Nonrepudiation & Digital Signature
• RSA Signature
• ElGamal Signature
• Digital Signature Algorithm
• Digital Signature with other Properties
  – Security Provable Signature
  – Blind Signature
  – Undeniable Signature
  – Fail-Stop Signature


Security Goals

• Confidentiality/secrecy/privacy
  – Encryption
• Integrity
  – MAC
• Nonrepudiation
  – Identity (source or destination) cannot deny transmitting the message
  – Use ?


Nonrepudiation

• Nonrepudiation: Identity (source or destination) cannot deny transmitting the message
  – Authentication protects two parties from third parties
  – Nonrepudiation protects two parties against each other
• Example: Alice sends IOU message to Bob
  – Alice can deny sending the message
  – Bob may forge a different message and claim that it came from Alice


IOU Protocol Review

[Figure: IOU protocol between Alice, Bob and a Judge. Alice holds {KUA, KRA}; the message M travels together with the digital signature EKRA[H(M)]; Bob and the Judge know KUA.]


Digital Signature

• Digital Signature: a data string which associates a message with some originating entity
• Digital Signature Scheme: for each key, there is a SECRET signature generation algorithm and a PUBLIC verification algorithm
• Digital Signature & PKI
  – Digital signature is difficult to implement in other ways


Digital Signature Scheme

[Figure: signature generation (Signer: private key, document, signature) and signature verification (Verifier: public key, document, signature, OK / not OK)]

• SIG: $K \times M \to S$, where $k \in K$ is the secret key
• VER: $K' \times M \times S \to \{\text{OK}, \text{FAIL}\}$, where $e$ is the public key
  – OK iff $s$ is a valid signature


Adversary of Digital Signature

• Adversarial goals:
  – Total break: adversary can forge signature on any message
  – Selective forgery: adversary is able to create valid signatures on a chosen message with a significant probability
  – Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid
• Note:
  – A signature scheme cannot be perfectly secure
    • Adversary can always forge signature given enough time
  – Signature scheme can only be computationally secure


Attack Model to Digital Signature

• Key-only attack: Adversary knows only the verification function (it is supposed to be public)

• Known message attack: Adversary knows a list of messages previously signed by Alice

• Chosen message attack: Adversary can choose which messages he wants Alice to sign, and knows the messages and the corresponding signatures


RSA Signature

• Given RSA {(e, n), (d, p, q)}
• SIG(d, m): $s = m^d \pmod n$
• VER(e, m, s): $m \stackrel{?}{=} s^e \pmod n$
• $s^e = m^{ed} \pmod n = m \pmod n$


Existential Forgery

• Oscar can generate a valid signature by:
  1. Choose signature $s \in Z_n$
  2. Encrypt: $m = e_{k_{pub}}(s) = s^e \bmod n$
  3. Send $(m, s)$ to Bob
  4. Bob verifies: $ver_{k_{pub}}(m, s)$: $s^e \equiv m \pmod n$, so true
• Note:
  – m can't be controlled, so existential forgery


Remark for This Forgery

• It is a key-only attack
• Countermeasures:
  – Use some redundancy in message to detect
  – Example:
    • $Sig(m) = (Hash(m))^d = s$
    • $s^e = Hash(m)$: need to find $m$ with $Hash(m) = s^e$
    • Hash is preimage resistant
    • Hash(m) is known, but m is NOT known


Another Existential Forgery

• $(m_1, s_1)$ and $(m_2, s_2)$ are valid signatures
• $(m = m_1 m_2,\ s = s_1 s_2)$ is valid
• $(m, s)$ is a valid signature
• $(m^{-1}, s^{-1})$ is valid
• Remark:
  – An existential forgery
  – $Sig(m) = (Hash(m))^d$ is also useful
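The two forgeries above and the hash countermeasure, side by side, as an added example that is not part of the original slides. The key (two Mersenne primes), the helper names and the SHA-256 reduction `hash_to_zn` are assumptions chosen for illustration; the hash encoding is not a standardized padding scheme.

```python
import hashlib

# Constructed toy key: two Mersenne primes. Fine for arithmetic, not for security.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_raw(m):
    """Slide scheme: s = m^d mod n."""
    return pow(m, D, N)


def verify_raw(m, s):
    """Slide check: m ?= s^e mod n."""
    return 0 <= m < N and pow(s, E, N) == m


def hash_to_zn(msg):
    """Hash(m) as an integer below n (illustrative encoding only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_hashed(msg):
    """Countermeasure from the slides: Sig(m) = Hash(m)^d."""
    return pow(hash_to_zn(msg), D, N)


def verify_hashed(msg, s):
    return pow(s, E, N) == hash_to_zn(msg)


def key_only_forgery(s):
    """Pick s first, derive m = s^e mod n. Uses only the public key."""
    return pow(s, E, N), s


def product_forgery(pair1, pair2):
    """Combine two valid (m, s) pairs into a third valid pair."""
    (m1, s1), (m2, s2) = pair1, pair2
    return (m1 * m2) % N, (s1 * s2) % N


def demo():
    forged_m, forged_s = key_only_forgery(123456789)
    prod_m, prod_s = product_forgery((42, sign_raw(42)), (1000, sign_raw(1000)))
    a, b = b"IOU 10 to Bob", b"IOU 20 to Bob"
    sa, sb = sign_hashed(a), sign_hashed(b)
    return {
        "raw_key_only_accepts": verify_raw(forged_m, forged_s),
        "raw_product_accepts": verify_raw(prod_m, prod_s),
        "raw_product_message": prod_m,
        "hashed_honest_accepts": verify_hashed(a, sa),
        # Reusing s against the hashed scheme needs a message whose hash is s^e.
        "hashed_key_only_accepts": verify_hashed(forged_m.to_bytes(32, "big"), forged_s),
        # Hash(a) * Hash(b) is not the hash of a message Oscar can name.
        "hashed_product_accepts": verify_hashed(a + b, (sa * sb) % N),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```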


ElGamal Signature

• Key generation:
  – Chooses a prime $p$, and chooses a generator $g \in Z_p^*$
  – Selects a random integer $k$ as the private key
  – Computes the public key = $g^k \bmod p$
  – Public key is (, g, p)
  – Private key is (k)


ElGamal Signature

• Signing a message m:
  – Select random $r$, $1 \le r \le p-1$, $r \in Z_{p-1}^*$ ($\gcd(r, p-1) = 1$)
  – Compute $x \equiv g^r \pmod p$
  – Solves $y$ in the following congruence equation: $m \equiv k \cdot x + r \cdot y \pmod{p-1}$
  – $SIG_{k,r}(m) = (x, y)$


ElGamal Signature

• Verification:
  – Receive the $m$ and $s = (x, y)$
  – Computes $g^m$
  – Computes $()^x \cdot x^y$
  – VER(m, s): $g^m \stackrel{?}{\equiv} ()^x \cdot x^y \pmod p$


Why Does This Scheme Work?

• If m=m, x=x, y=y
• $()^x \cdot x^y \pmod p = g^{kx} \cdot g^{ry} \pmod p$
• $ry = m - kx \pmod{p-1}$
• $kx + ry = m \pmod{p-1}$
• $()^x \cdot x^y = g^{kx+ry} = g^m \pmod p$
• Why?


ElGamal Signature Example

1. Choose $p = 11$, $g = 2$ and $k = 8$
2. $c = 2^8 \bmod 11 = 3$, so: Public key (3, 2, 11)
3. Signing $m = 5$
   3.1 select a random integer $r = 9$, $\gcd(10, 9) = 1$
   3.2 computes $x = g^r \bmod p = 2^9 \bmod 11 = 6$
   3.3 solves $5 = 8 \cdot 6 + 9 \cdot y \bmod 10$; because $9^{-1} = 9 \bmod 10$, so $y = 9^{-1} \cdot (5 - 8 \cdot 6) = 3 \bmod 10$
   3.4 signature $s = (6, 3)$
4. Verification: $3^6 \cdot 6^3 = 21 = 10 = 2^5 = 10 \bmod 11$


Security of ElGamal Signature

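• Based on DLP BUT weaker than DLP
  – Existential Forgery
    • Find $(m, x, y)$ s.t. $()^x \cdot x^y = g^m$
  – Suppose $x = g^i ()^j \pmod p$; $g^m \equiv ()^x (g^i ()^j)^y \pmod p$
  – $g^{m-iy} \equiv ()^{x+jy} \bmod p$
  – Let $m - iy \equiv 0 \bmod p-1$; $x + jy \equiv 0 \bmod p-1$
  – If $\gcd(j, p-1) = 1$
  – $y = -x j^{-1} \pmod{p-1}$
  – $m = -x i j^{-1} \pmod{p-1}$ (if hash?)
  – $x = g^i ()^j \pmod p$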


Security of ElGamal Signature

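• The random r must be kept secret
  – $k = (m - ry) x^{-1} \pmod{p-1}$
• The random r must be unique for each message
  – $()^x \cdot x^{y_1} = g^{m_1} \pmod p$; $()^x \cdot x^{y_2} = g^{m_2} \pmod p$
  – $g^{m_1 - m_2} \equiv ()^{y_1 - y_2} \equiv g^{k(y_1 - y_2)} \pmod p$
  – $m_1 - m_2 \equiv k(y_1 - y_2) \bmod p-1$
  – $d = \gcd(y_1 - y_2, p-1)$; $d \mid (m_1 - m_2)$
  – $m' = (m_1 - m_2)/d$; $y' = (y_1 - y_2)/d$; $p' = (p-1)/d$
  – $m' = k y' \bmod p'$ and $\gcd(y', p') = 1$
  – $k = m' y'^{-1} + i p' \bmod p-1$, $i < d$, and test them by $() = g^k \bmod p$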
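The worked example with p=11, g=2, k=8 and the repeated-r failure above, as an added example that is not part of the original slides. It follows the signing slide's notation (k private key, r per-message random value): the shared r is recovered first with the gcd procedure, then k from m ≡ k·x + r·y; the name `pub` for the public value, the helper names and the second message m=7 are assumptions.

```python
from math import gcd


def sign(p, g, k, m, r):
    """ElGamal signing as on the slides: x = g^r, m = k*x + r*y (mod p-1)."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be invertible mod p-1")
    x = pow(g, r, p)
    y = pow(r, -1, p - 1) * (m - k * x) % (p - 1)
    return x, y


def verify(p, g, pub, m, sig):
    """Accept iff g^m == pub^x * x^y (mod p)."""
    x, y = sig
    if not 0 < x < p:
        return False
    return pow(g, m, p) == pow(pub, x, p) * pow(x, y, p) % p


def solve_congruence(a, b, n):
    """All z in [0, n) with a*z = b (mod n): divide through by d = gcd(a, n)."""
    a, b = a % n, b % n
    if a == 0:
        raise ValueError("degenerate congruence")
    d = gcd(a, n)
    if b % d:
        return []
    n1 = n // d
    z0 = (b // d) * pow(a // d, -1, n1) % n1
    return [z0 + i * n1 for i in range(d)]


def recover_from_reuse(p, g, pub, m1, sig1, m2, sig2):
    """Given two signatures made with the same r, return (r, k)."""
    (x1, y1), (x2, y2) = sig1, sig2
    if x1 != x2:
        raise ValueError("signatures do not share r")
    n = p - 1
    # r*(y1 - y2) = m1 - m2 (mod p-1); keep the candidate with g^r == x
    r = next(c for c in solve_congruence(y1 - y2, m1 - m2, n) if pow(g, c, p) == x1)
    # k*x = m1 - r*y1 (mod p-1); keep the candidate with g^k == public value
    k = next(c for c in solve_congruence(x1, m1 - r * y1, n) if pow(g, c, p) == pub)
    return r, k


def find_reuse(signatures):
    """Audit check: index pairs of signatures whose x (= g^r) repeats."""
    seen, hits = {}, []
    for idx, (x, _y) in enumerate(signatures):
        if x in seen:
            hits.append((seen[x], idx))
        seen.setdefault(x, idx)
    return hits


if __name__ == "__main__":
    p, g, k = 11, 2, 8                 # values from the slide example
    pub = pow(g, k, p)                 # 3
    s1 = sign(p, g, k, 5, 9)           # slide example: (6, 3)
    s2 = sign(p, g, k, 7, 9)           # constructed second message, same r
    print(s1, s2, find_reuse([s1, s2]))
    print(recover_from_reuse(p, g, pub, 5, s1, 7, s2))
```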


Lesson of ElGamal Signature

• Hash function h must be used
  – Otherwise easy for an existential forgery attack
• Signature length is 2 times the length of p
  – p=1024 bits
  – For some storage limited device (smart card)


DSA Overview

• Published by NIST in 1992 (FIPS PUB 186)
• Remark:
  – DSA is a variant of the ElGamal signature
  – Uses SHA hash algorithms and the digest is 320 bits
  – Sometimes called DSS (Digital Signature Standard)


From ElGamal Signature

• Use a subgroup $\{(), ()^2, \ldots, ()^q\}$ in $Z_p^*$, the order of $()$ is $q$
  – $q$ is a 160-bit prime
  – $p$ is a 1024-bit prime
• Introduce the hashing function
  – SHA1(m) is also 160 bits


From ElGamal Signature

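• $y = r^{-1}(m + k \cdot x) \pmod{p-1}$
  – Verify $()^m ()^x = x^y \bmod p$
  – $ord() = q$, so all exponents need mod $q$
  – $x = (()^r \bmod p) \bmod q$
  – $y = (m - k \cdot x) r^{-1} \pmod q$ (x can be replaced by x)
• $()^m ()^x = x^y \bmod p$
• $()^{m y^{-1}} ()^{x y^{-1}} = x \bmod p$
• $(()^{m y^{-1}} ()^{x y^{-1}} \bmod p) \bmod q = x$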


DSA: Key Generation

• Select a prime $q$ of 160 bits
• Choose $0 \le t \le 8$ and $2^{511+64t} < p < 2^{512+64t}$ with $q \mid p-1$
• Let $g$ be a generator of $Z_p^*$, and $() = g^{(p-1)/q} \bmod p$
• Select $1 \le k \le q-1$
• Compute $() = ()^k \bmod p$
• Public key: (p, q, , )
• Private key: k


DSA: Signature

• Signing message m:
  1. Compute one-way hash h = SHA-1(m)
  2. Select a random signing key $r$, $0 < r < q$
  3. Compute
     – $x = (()^r \bmod p) \bmod q$
     – $y = (\text{SHA-1}(m) + xk) \cdot r^{-1} \bmod q$
     – SIG(m) = (x, y)


DSA: Verification

• Verifying m, (r, s):
  1. Verify 0 < r < q and 0 < y < q, if not, invalid
  2. Verifier computes
     – $w = y^{-1} \bmod q$
     – $u_1 = \text{SHA-1}(m) \cdot w \bmod q$
     – $u_2 = x \cdot w \bmod q$
     – $v = (()^{u_1} \cdot ()^{u_2} \bmod p) \bmod q$
  3. Verifier accepts the signature iff
     – $v = x$


DSA Remark

• Advantages:
  – Suitable to storage limited device
  – Hashing function is used
  – Based on discrete logarithm problem
• Disadvantages:
  – Unpublicized selection


Security Provable Signature

• Idea:
  – Can reduce the forgery to the inversion of a one-way function
• Lamport One-time Signature:
  – $P = \{0,1\}^k$, $f$ is a one-way function $f: Y \to Z$
  – Choose secret keys $y_{i,j} \in Y$, $1 \le i \le k$, $j = 0, 1$
  – Let $z_{i,j} \in Z$, $1 \le i \le k$, $j = 0, 1$ be the public keys
  – $Sig(m_1, m_2, \ldots, m_k) = (y_{1,m_1}, y_{2,m_2}, \ldots, y_{k,m_k})$
  – $Ver((m_1, m_2, \ldots, m_k), (a_1, a_2, \ldots, a_k)) = \text{true}$ iff $f(a_i) = z_{i,m_i}$


Lamport Signature Example

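• $p = 7879$ and 3 is a generator
• $f(x) = 3^x \bmod 7879$
• $y_{1,0} = 5831$; $y_{1,1} = 735$; $y_{2,0} = 803$; $y_{2,1} = 2467$; $y_{3,0} = 4285$; $y_{3,1} = 6449$
• $z_{1,0} = 2009$; $z_{1,1} = 3810$; $z_{2,0} = 4672$; $z_{2,1} = 4721$; $z_{3,0} = 268$; $z_{3,1} = 5731$
• $m = (1, 1, 0)$:
• $Sig(m) = (735, 2467, 4285)$
• Verification: $3^{735} \bmod 7879 = 3810$; $3^{2467} \bmod 7879 = 4721$; $3^{4285} \bmod 7879 = 268$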


One-Time Digital Signature

• One-time digital signatures:
  – Used for signing at most one message
  – Otherwise signature can be forged
  – In Lamport: (1, 0, 1) + (0, 1, 0) = all $2^3$
  – A new public key is required for each signed message
• Advantage:
  – Signature and verification can be very efficient
  – Can be very secure
  – Is useful for cards with low resources
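The Lamport example with f(x) = 3^x mod 7879 and the "(1, 0, 1) + (0, 1, 0)" key-reuse failure, as an added example that is not part of the original slides. The secret values are the ones from the example slide and the public values are derived from them with f; the helper names and the `OneTimeSigner` guard are assumptions.

```python
from itertools import product

P = 7879          # modulus from the example slide
K = 3             # message length in bits


def f(x):
    """One-way function of the example: f(x) = 3^x mod 7879."""
    return pow(3, x, P)


# Secret key y[i, j] from the example slide; public key z[i, j] = f(y[i, j]).
SECRET = {(1, 0): 5831, (1, 1): 735, (2, 0): 803,
          (2, 1): 2467, (3, 0): 4285, (3, 1): 6449}
PUBLIC = {idx: f(y) for idx, y in SECRET.items()}


def sign(msg):
    """Reveal y[i, m_i] for every bit position i."""
    return tuple(SECRET[(i, bit)] for i, bit in enumerate(msg, start=1))


def verify(msg, sig):
    """Accept iff f(a_i) == z[i, m_i] for every position."""
    if len(msg) != K or len(sig) != K or any(b not in (0, 1) for b in msg):
        return False
    return all(f(a) == PUBLIC[(i, bit)]
               for i, (bit, a) in enumerate(zip(msg, sig), start=1))


def signable_by_observer(observed):
    """Messages anyone can sign after seeing the given (msg, sig) pairs."""
    known = {}
    for msg, sig in observed:
        for i, (bit, a) in enumerate(zip(msg, sig), start=1):
            known[(i, bit)] = a
    result = {}
    for cand in product((0, 1), repeat=K):
        idx = [(i, bit) for i, bit in enumerate(cand, start=1)]
        if all(ix in known for ix in idx):
            result[cand] = tuple(known[ix] for ix in idx)
    return result


class OneTimeSigner:
    """Refuses a second signature under the same key pair."""

    def __init__(self):
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("key already used; generate a new key pair")
        self.used = True
        return sign(msg)


if __name__ == "__main__":
    print(sign((1, 1, 0)))
    seen = [((1, 0, 1), sign((1, 0, 1))), ((0, 1, 0), sign((0, 1, 0)))]
    print(len(signable_by_observer(seen)), "of", 2 ** K, "messages now signable")
```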


Lamport-Preimage(z)

• If we have Lamport-Forge:
• Lamport-Preimage(z)
    Select $i_0 \in \{1, \ldots, k\}$ and $j_0 \in \{0, 1\}$ randomly
    Build public key $Z = (z_{i,j}: 1 \le i \le k, j = 0, 1)$ s.t. $z = z_{i_0,j_0}$
    $((m_1, \ldots, m_k), (a_1, \ldots, a_k))$ = Lamport-Forge(Z)
    if $m_{i_0} = j_0$
      then return $(a_{i_0})$
      else return (fail)


Success of Lamport-Preimage

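• Theorem: with Lamport-Forge, the success rate of Lamport-Preimage(z) $\ge 1/2$
• Proof:
  – Let $S$ be the set of all public keys, $s = |S|$
  – Let $S_z$ be the set of public keys containing $z$, $s_z = |S_z|$
  – Let $T_z$ be all $Z \in S$ for which Lamport-Preimage succeeds, $t_z = |T_z|$
  – $\sum_{z \in Z} t_z = ks$; $2ks = s_z |Z|$
  – $\Pr(\text{success}) = \frac{1}{|Z|} \sum_{z \in Z} p_z = \frac{1}{|Z|} \sum_{z \in Z} \frac{t_z}{s_z} = \frac{\sum_{z \in Z} t_z}{s_z |Z|} = \frac{1}{2ks} \sum_{z \in Z} t_z = \frac{ks}{2ks} = \frac{1}{2}$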


Blind Signature

• Situation: Signing without knowing the content
• Example: Anonymous electronic cash
• Scene:

[Figure: Alice, Bob and the Authority. ① Blinding, ② Blinded Message, ③ Sign, ④ Signature, ⑤ Unblinding, ⑥ Signature, ⑦ Verification]


RSA Blind Signature

• Initialization:
  • Authority: $p, q$ are primes, $N = pq$, public key $e$ and $ed \equiv 1 \bmod (p-1)(q-1)$
• Blinding:
  • Alice: Get $N$ and $e$, choose a random $r \in Z_N^*$, compute blinded message $b \equiv m r^e \pmod N$


RSA Blind Signature

• Signing:
  • Authority: sign the blinded message $b$: $s = b^d$
• Unblinding:
  • Alice: Remove the $r$ from $s$: $s = s r^{-1} \equiv m^d \pmod N$
• Verify:
  • Bob: Receive $(m_1, s_1)$, check $s_1^e \stackrel{?}{\equiv} m_1 \pmod N$
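The blinding, signing, unblinding and verification steps above, run end to end, as an added example that is not part of the original slides. The key (two Mersenne primes) and all function names are assumptions; `explaining_factor` uses the private exponent only to exhibit that the blinded value b is consistent with any other message, which is why the Authority learns nothing about m from b.

```python
import secrets
from math import gcd

# Constructed toy key for the Authority: two Mersenne primes, not secure.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def random_unit():
    """A random r in Z_N^* with r > 1."""
    while True:
        r = 2 + secrets.randbelow(N - 2)
        if gcd(r, N) == 1:
            return r


def blind(m, r):
    """Alice: b = m * r^e mod N."""
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible mod N")
    return m * pow(r, E, N) % N


def authority_sign(b):
    """Authority: signs whatever it is given, here the blinded value."""
    return pow(b, D, N)


def unblind(blind_sig, r):
    """Alice: divide out r, leaving m^d mod N."""
    return blind_sig * pow(r, -1, N) % N


def verify(m, s):
    """Bob: s^e ?= m (mod N)."""
    return pow(s, E, N) == m % N


def explaining_factor(b, other_m):
    """The r' with other_m * r'^e = b (mod N), so b also 'blinds' other_m."""
    return pow(b * pow(other_m, -1, N) % N, D, N)


def run_protocol(m):
    r = random_unit()
    b = blind(m, r)
    s = unblind(authority_sign(b), r)
    return b, s


if __name__ == "__main__":
    m = 123456789                       # constructed message
    b, s = run_protocol(m)
    print("signature verifies:", verify(m, s))
    r2 = explaining_factor(b, 987654321)
    print("b also opens to another message:", blind(987654321, r2) == b)
```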


Undeniable Signature

• Signature with following features:
  – Signature verification must involve the participation of the signer
  – Signer can prove that a signature is not valid
  – Signer can't deny a valid signature
  – So Undeniable
• Example:
  – Software distribution


Why Undeniable?

• The signer needs to be online when verifying
  – The precondition for undeniability
  – Challenge-Response interaction
• The signer can prove a signature is forged
  – If he refuses to prove it
  – Then the signature is valid


How to Prove?

• In Challenge-Response interaction
  – If the verification fails
    • The signature is a fraud
    • Signer cheats by giving “incorrect” response
  – So some protocol needs to run after a failure
• Summary:
  – Signing & Verification & Disavowal Protocol


Chaum-van Antwerpen Signature

• Initialization:
  • The Signer Chooses:
    – two primes $p$ and $q$, and $p = 2q+1$
    – $g \in Z_p^*$ and $ord(g) = q$
    – $G$ generated by $g$, so $G$ is a subgroup of $Z_p^*$
    – A random $k$ ($0 < k < q$), $k$ is secret and $g^k$ is public


Chaum-van Antwerpen Signature

• Signing: For a message $m \in G$: $s = m^k \pmod p$
• Verification: Bob and Signer interact:
  – Challenge: Bob selects two random $a, b \in Z_q^*$ and sends the challenge $c = s^a (g^k)^b \pmod p$
  – Response: $r = c^{k^{-1}} \equiv m^a g^b \pmod p$
  – Test: Bob checks $VER(m, r) = (r \stackrel{?}{\equiv} m^a g^b \pmod p)$


Chaum-van Antwerpen Signature

• Disavowal Protocol: (when verification fails)
  – Bob→Signer: select $a_1, b_1 \in Z_q^*$ and sends $c_1 = s^{a_1} (g^k)^{b_1} \pmod p$
  – Signer→Bob: $r_1 = c_1^{k^{-1}}$
  – Test: if $r_1 \not\equiv m^{a_1} g^{b_1} \pmod p$, then continue
  – Bob→Signer: select $a_2, b_2 \in Z_q^*$ and sends $c_2 = s^{a_2} (g^k)^{b_2} \pmod p$
  – Signer→Bob: $r_2 = c_2^{k^{-1}}$
  – Test: $r_2 \not\equiv m^{a_2} g^{b_2} \pmod p$
  – If $(r_1 g^{-b_1})^{a_2} \equiv (r_2 g^{-b_2})^{a_1} \pmod p$ then forged, else signer cheats


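Correctness of Verification

• Theorem: if $s \not\equiv m^k \bmod p$, then Bob accepts $s$ as correct signature with prob. at most $1/q$
• Proof:
  – For each $c = s^{e_1} (g^k)^{e_2}$, there are $q$ pairs of $(e_1, e_2)$ because $s$ and $g^k$ both have order $q$
  – $g$ is a generator and $ord(g) = q$
  – $c = g^i$, $r = g^j$, $m = g^v$, $s = g^w$
  – $c \equiv s^{e_1} (g^k)^{e_2} \pmod p$; $r \equiv m^{e_1} g^{e_2} \pmod p$
  – $i \equiv w e_1 + k e_2 \pmod q$; $j \equiv v e_1 + e_2 \pmod q$
  – If $s \not\equiv m^k \bmod p$, then $w \not\equiv kv \bmod q$, then $\begin{vmatrix} w & k \\ v & 1 \end{vmatrix} \ne 0$, and only one pair in the $q$ pairs of $(e_1, e_2)$ is correct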


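Correctness of Disavow Protocol

• Theorem: If $s \not\equiv m^k \bmod p$, and both parties follow the protocol, then $(r g^{-e_2})^{f_1} \equiv (R g^{-f_2})^{e_1} \pmod p$ (Alice can convince Bob)
• Proof:
  – $r = c^{k^{-1}} \pmod p$
  – $c \equiv s^{e_1} (g^k)^{e_2} \pmod p$
  – $(r g^{-e_2})^{f_1} \equiv ((s^{e_1} (g^k)^{e_2})^{k^{-1}} g^{-e_2})^{f_1} \equiv s^{e_1 k^{-1} f_1} \pmod p$
  – $R = C^{k^{-1}} \pmod p$
  – $(R g^{-f_2})^{e_1} \equiv s^{e_1 k^{-1} f_1} \pmod p$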


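Correctness of Disavow Protocol

• Theorem: If $s \equiv m^k \bmod p$, and Bob follows the protocol, then Alice can convince Bob ($(r g^{-e_2})^{f_1} \equiv (R g^{-f_2})^{e_1} \pmod p$) with prob. $1/q$
• Proof:
  – $s = m^k$; $(r g^{-e_2})^{f_1} \equiv (R g^{-f_2})^{e_1} \pmod p$
  – $r \not\equiv m^{e_1} g^{e_2}$; $R \not\equiv m^{f_1} g^{f_2}$
  – $(r g^{-e_2})^{f_1} \equiv (R g^{-f_2})^{e_1} \pmod p$ iff $R = (r^{1/e_1} g^{-e_2/e_1})^{f_1} g^{f_2}$
  – Let $r_0 = r^{1/e_1} g^{-e_2/e_1}$, which can be computed after stage one
  – Let stage two be the verification protocol
  – Suppose $s$ is the signature of $r_0$ ($s = r_0^k \bmod p$) with prob. $1 - 1/q$
  – $s \equiv m^k \bmod p$ and $s = r_0^k \bmod p$ $\Rightarrow$ $m = r_0$
  – $r \not\equiv m^{e_1} g^{e_2}$ $\Rightarrow$ $m \not\equiv r^{1/e_1} g^{-e_2/e_1}$ $\Rightarrow$ $m \not\equiv r_0$
  – Contradiction $\Rightarrow$ $(r g^{-e_2})^{f_1} \equiv (R g^{-f_2})^{e_1} \pmod p$ with prob. $1/q$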


Fail-Stop Signatures

• Situation: For the Attacker with Unlimited Computing Power
• Scene:

[Figure: Alice, Bob, the TTP and Oscar. Establish Parameters, ② Public Keys, ③ Signatures, Forged Signatures, ⑤ Build PROOF, ⑥ Proof, ⑦ Fail-stop]


Van Heyst & Pedersen Signature

• Initialization:
  • TTP: two primes $p$ and $q$, and $p = 2q+1$
    – $g \in Z_p^*$ and $ord(g) = q$
    – a random $r \in Z_q^*$ ($0 < r < q$), $r$ is known only by TTP and $R = g^r$
    – $(p, q, g, R)$ is public and $r$ is kept secret
  • Signer (Alice): Select $a_1, a_2, b_1, b_2 \in Z_q^*$ as secret key, compute ($()_1 \equiv g^{a_1} R^{b_1} \bmod p$, $()_2 \equiv g^{a_2} R^{b_2} \bmod p$) as public key


Van Heyst & Pedersen Signature

• Signing:
  • Alice: $Sig_K(m) = (s_1, s_2)$
    – $s_1 = a_1 + m b_1 \bmod q$
    – $s_2 = a_2 + m b_2 \bmod q$
• Verification:
  • Bob: $Ver_K(m, s)$ is $()_1 ()_2^m \stackrel{?}{\equiv} g^{s_1} R^{s_2} \bmod p$


Van Heyst & Pedersen Signature

• Build PROOF:
  • Alice:
    – Detect a forged signature $(s_1', s_2')$ for $m$
    – Compute the original signature $(s_1, s_2)$ for $m$
    – Compute $PROOF(s') = r \equiv (s_1 - s_1')(s_2' - s_2)^{-1} \pmod q$
    – $r$ is the proof


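Van Heyst & Pedersen: Remark

• Lemma 1: Let Oscar have unlimited power; he can solve $(a_1, a_2, b_1, b_2)$ with $q$ possible solutions from the public information and a signature $s = (s_1, s_2)$ for $m$
• Proof: Denote $()_1 = g^{e_1}$ and $()_2 = g^{e_2}$, so
  – $g^{e_1} \equiv g^{a_1} g^{r b_1} \bmod p$; $g^{e_2} \equiv g^{a_2} g^{r b_2} \bmod p$
  – $e_1 = a_1 + r b_1 \bmod q$; $e_2 = a_2 + r b_2 \bmod q$
  – $s_1 = a_1 + m b_1 \bmod q$; $s_2 = a_2 + m b_2 \bmod q$
  – Find by unlimited power

$$\begin{pmatrix} 1 & r & 0 & 0 \\ 0 & 0 & 1 & r \\ 1 & 0 & m & 0 \\ 0 & 1 & 0 & m \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ b_1 \\ b_2 \end{pmatrix} = \begin{pmatrix} e_1 \\ e_2 \\ s_1 \\ s_2 \end{pmatrix}$$

  – Rank is 3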


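Van Heyst & Pedersen: Remark

• Lemma 2: Given a signature $s = (s_1, s_2)$ for $m$ and a signature $s' = (s_1', s_2')$ for $m'$, there is a single solution for $(a_1, a_2, b_1, b_2)$
• Proof:

$$\begin{pmatrix} 1 & r & 0 & 0 \\ 0 & 0 & 1 & r \\ 1 & 0 & m & 0 \\ 0 & 1 & 0 & m \\ 1 & 0 & m' & 0 \\ 0 & 1 & 0 & m' \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ b_1 \\ b_2 \end{pmatrix} = \begin{pmatrix} e_1 \\ e_2 \\ s_1 \\ s_2 \\ s_1' \\ s_2' \end{pmatrix}$$

  – Rank is 4
• Notes:
  – One-time signature
  – Oscar can compute $s' = sig_K(m')$ with prob. $1/q$ knowing $s = sig_K(m)$
  – BUT Oscar can give a verifiable signature $s''$ for $m'$ and $s'' \ne s'$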


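Van Heyst & Pedersen: Remark

• Lemma 3: If the Signer gets a forged signature $s' = (s_1', s_2')$ for $m$ and $s' \ne s$, he can compute $r = \log_g R$
• Proof:
  – The forged signature $s'$ can pass the test: $()_1 ()_2^m \equiv g^{s_1'} R^{s_2'} \bmod p$
  – For the original signature: $()_1 ()_2^m \equiv g^{s_1} R^{s_2} \bmod p$
  – $g^{s_1'} R^{s_2'} \equiv g^{s_1} R^{s_2} \bmod p$ $\Rightarrow$ $r = \log_g R \equiv (s_1 - s_1')(s_2' - s_2)^{-1} \pmod q$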
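Signing, verification and the proof of forgery from Lemma 3, as an added example that is not part of the original slides. The group (p=467, q=233, g=4), the secret values and the function names are constructed assumptions, and the code assumes the public key pairs the exponents as g^a1·R^a2 and g^b1·R^b2, the pairing under which the verification equation holds for s1 = a1 + m·b1, s2 = a2 + m·b2; the unbounded forger is simulated by handing it the TTP's r.

```python
# Constructed toy group: P = 2Q + 1, G has order Q. Not a secure size.
P, Q, G = 467, 233, 4


def ttp_setup(r):
    """TTP publishes R = g^r and keeps r secret."""
    return pow(G, r, P)


def keygen(R, a1, a2, b1, b2):
    """Secret key (a1, a2, b1, b2); public key as assumed in the lead-in."""
    pub1 = pow(G, a1, P) * pow(R, a2, P) % P
    pub2 = pow(G, b1, P) * pow(R, b2, P) % P
    return (a1, a2, b1, b2), (pub1, pub2)


def sign(secret, m):
    a1, a2, b1, b2 = secret
    return (a1 + m * b1) % Q, (a2 + m * b2) % Q


def verify(R, public, m, sig):
    """pub1 * pub2^m ?= g^s1 * R^s2 (mod p)."""
    pub1, pub2 = public
    s1, s2 = sig
    return pub1 * pow(pub2, m, P) % P == pow(G, s1, P) * pow(R, s2, P) % P


def simulate_unbounded_forger(r, sig, t=1):
    """A different pair that still verifies; needs r = log_g R to construct."""
    s1, s2 = sig
    return (s1 - r * t) % Q, (s2 + t) % Q


def proof_of_forgery(R, public, secret, m, forged):
    """Signer's proof: r = (s1 - s1')(s2' - s2)^-1 mod q, or None."""
    own = sign(secret, m)
    if forged == own or not verify(R, public, m, forged):
        return None                    # nothing to prove
    (s1, s2), (f1, f2) = own, forged
    return (s1 - f1) * pow(f2 - s2, -1, Q) % Q


def proof_is_valid(R, proof):
    """Anyone can check the proof against the public R."""
    return proof is not None and pow(G, proof, P) == R


if __name__ == "__main__":
    R = ttp_setup(57)                                  # constructed TTP secret
    secret, public = keygen(R, 10, 20, 30, 40)         # constructed key
    sig = sign(secret, 99)
    forged = simulate_unbounded_forger(57, sig, t=5)
    print(sig, forged, verify(R, public, 99, forged))
    print(proof_of_forgery(R, public, secret, 99, forged))
```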


Summary

• Nonrepudiation
  – Digital Signature
  – Public Key Infrastructure
• RSA Signature
• ElGamal Signature
• Digital Signature Algorithm
• Signatures with other Properties