Sheng Zhong
Correctness Requirement
We require that the signature generated by a private key can definitely be verified by the corresponding public key.
For all outputs (pk, sk) of the key generation algorithm and for all messages m, Verify(pk, m, Sign(sk, m)) = accept.
Unforgeability Requirement
We require that any adversary should not be able to forge a signature on any message.
For all efficient algorithms A and for all messages m, with the public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m)) = accept] is negligible.
Unforgeability
Recall RSA is a trapdoor one-way function.
Without knowing the trapdoor d, it should be infeasible to find s such that s^e = m (mod N). This is equivalent to saying it is hard to find s = m^d (mod N). So the RSA signature is unforgeable in the very weak sense described above.
But this does not ensure that the adversary can't generate a valid signature on a random message.
A bad guy might be able to show that you have done something (which you did not really do).
Attack on RSA
The adversary picks a random element s of the signature space and computes m = s^e (mod N). Clearly, s is a valid signature on the message m. The adversary can claim that the signer has signed random things!
Rabin Signature
Another signature scheme, very similar to the RSA signature. Key generation: choose an RSA modulus N = pq; N is the public key and (p, q) is the private key. Signing: s = m^{1/2} (mod N). Verification: return accept if and only if m = s^2 (mod N).
Why verification succeeds, with r = g^l (mod p), s = l^{-1}(m - xr) (mod p-1) and public key y = g^x:

$$r^{s} \equiv (g^{l})^{\,l^{-1}(m - xr)} \equiv g^{m - xr} \equiv g^{m} / y^{r} \pmod{p}$$
Looks Secure
The signature does not appear to reveal anything about x.
In s = l^{-1}(m - xr), x is protected by the unknown factor l^{-1}; and in r = g^l, l is protected by the hardness of the discrete logarithm.
Suppose the same l is used twice: r = g^l (mod p), s = l^{-1}(m - xr) (mod p-1) and s' = l^{-1}(m' - xr) (mod p-1). Then s - s' = l^{-1}(m - m') (mod p-1).
The adversary can figure out l from m, m', s, s'. Next, the adversary computes x from l, m, r, s.
Given a valid signature (r, s) on m, the adversary picks u and sets m' = mu (mod p-1), s' = su (mod p-1), and r' such that r' = r (mod p) and r' = ru (mod p-1). Then

$$(r')^{s'} \equiv r^{su} \equiv (g^{m} / y^{r})^{u} \equiv g^{mu} / y^{ru} \equiv g^{m'} / y^{r'} \pmod{p}$$

so (r', s') is a valid signature on message m'.
Countermeasures
Do NOT reuse l. Make sure 0 < r < p.
The range check prevents the example attack because r' = ru (mod p-1) and r' = r (mod p) can't both be satisfied by any r' between 0 and p.
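Both attacks and both countermeasures above, in one added example that is not part of the slides: a toy ElGamal signature over the constructed group p = 467, g = 2 (2 is a primitive root mod 467) with a constructed private key x = 127, the key recovery when l is reused, and the r' forgery that the 0 < r < p check rejects. The helper `solve_linear` is my own (it enumerates all solutions of a linear congruence, since s - s' need not be invertible mod p-1).

```python
from math import gcd

P = 467            # constructed toy prime; 2 is a primitive root mod 467
G = 2
X = 127            # constructed private key
Y = pow(G, X, P)   # public key y = g^x (132)


def sign(m: int, x: int, l: int):
    """r = g^l mod p, s = l^-1 (m - x r) mod (p-1). l must be invertible mod p-1
    and must be fresh for every signature."""
    assert gcd(l, P - 1) == 1
    r = pow(G, l, P)
    s = (pow(l, -1, P - 1) * (m - x * r)) % (P - 1)
    return r, s


def verify(m: int, sig, y: int, check_range: bool = True) -> bool:
    """Accept iff y^r r^s == g^m (mod p). The range check is the slide's countermeasure."""
    r, s = sig
    if check_range and not (0 < r < P):
        return False
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, m, P)


def solve_linear(a: int, b: int, n: int):
    """All t in [0, n) with a*t == b (mod n); empty if gcd(a, n) does not divide b."""
    d = gcd(a, n)
    if b % d:
        return []
    a, b, n = a // d, b // d, n // d
    t0 = (pow(a, -1, n) * b) % n
    return [t0 + k * n for k in range(d)]


def recover_key(m1: int, sig1, m2: int, sig2, y: int):
    """Two signatures sharing r (hence l): s1 - s2 = l^-1 (m1 - m2), so solve for l,
    then x r = m1 - s1 l for x. Candidates are filtered against g^l == r and g^x == y."""
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2, "different r means different l; this recovery does not apply"
    ls = [l for l in solve_linear((s1 - s2) % (P - 1), (m1 - m2) % (P - 1), P - 1)
          if pow(G, l, P) == r]
    for l in ls:
        for x in solve_linear(r % (P - 1), (m1 - s1 * l) % (P - 1), P - 1):
            if pow(G, x, P) == y:
                return l, x
    return None


def forge_without_range_check(m: int, sig, u: int):
    """From a valid (r, s) on m build (r', s') on m' = m*u with r' = r (mod p) and
    r' = r*u (mod p-1). Because p = 1 (mod p-1), r' = r + p*(r*u - r mod p-1) works,
    and r' >= p whenever r*u != r (mod p-1)."""
    r, s = sig
    t = (r * u - r) % (P - 1)
    r_prime = r + P * t
    return (m * u) % (P - 1), (r_prime, (s * u) % (P - 1))
```

Usage: `sign(100, X, 213)` gives (29, 51) and `sign(200, X, 213)` gives (29, 279); feeding both to `recover_key` returns (213, 127), the reused l and the private key. `forge_without_range_check(100, (29, 51), 3)` yields r' = 27115, which `verify(..., check_range=False)` accepts and the default `verify` rejects.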
A second forgery needs no existing signature. The adversary picks u and v with gcd(v, p-1) = 1 and sets r = g^u y^v (mod p), s = -r v^{-1} (mod p-1) and m = -r u v^{-1} (mod p-1). Then

$$r^{s} \equiv (g^{u} y^{v})^{-r v^{-1}} \equiv g^{-ruv^{-1}} / y^{r} \equiv g^{m} / y^{r} \pmod{p}$$

so (r, s) verifies on the message m, although m is dictated by u and v rather than chosen.
Countermeasure: Use hash function.
All signature schemes using the above idea belong to the ElGamal signature family.
Schnorr Signature
Another member of ElGamal signature family:
Sign a function of x and m: H(m, r)·x. Protect it with a random factor: s = H(m, r)·x + l. Protect the random factor with the discrete logarithm: r = g^l.
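The Schnorr construction above as an added example (not code from the slides), reusing the constructed toy group p = 467, g = 2 and private key x = 127 from earlier; the hash H(m, r) is SHA-256 over the message and r, reduced into the exponent range, which is my choice. Verification checks g^s = r · y^{H(m, r)} (mod p), which follows directly from s = H(m, r)·x + l and y = g^x.

```python
import hashlib

P, G = 467, 2      # constructed toy group (2 is a primitive root mod 467)
X = 127            # constructed private key
Y = pow(G, X, P)   # public key y = g^x


def H(m: bytes, r: int) -> int:
    """H(m, r) reduced mod p-1. Binding r into the hash is what prevents an
    adversary from choosing r after the fact, as in the message-free ElGamal forgery."""
    digest = hashlib.sha256(m + b"|" + str(r).encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def sign(m: bytes, x: int, l: int):
    r = pow(G, l, P)                   # l is protected by the discrete log
    s = (H(m, r) * x + l) % (P - 1)    # H(m, r)*x is protected by the random l
    return r, s


def verify(m: bytes, sig, y: int) -> bool:
    r, s = sig
    if not (0 < r < P):
        return False
    # g^s = g^{H x + l} = y^H * r  (mod p)
    return pow(G, s, P) == (pow(y, H(m, r), P) * r) % P
```

As with ElGamal, l must be fresh per signature: two signatures with the same r give s - s' = (H(m, r) - H(m', r))·x, from which x follows whenever that hash difference is invertible mod p-1.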
But note that the ElGamal signature family is a general method for designing signature schemes, NOT a method of security proof. So the security of each member has to be analyzed case by case.
Oracle Machine
An oracle machine is associated with a functionality.
It maps an input sequence (the queries) to a probability distribution over output sequences (the answers). A query or answer can depend on earlier queries and answers, but it can't depend on later ones. Note that the functionality does NOT need to be (efficiently) computable.
We start by giving a secure signature scheme for a single bit; then we extend this signature scheme to longer messages.
Verification:
If the message is 0, check f_i(signature) = f_i(a); if the message is 1, check f_i(signature) = f_i(b).
Security Analysis
Even if the adversary sees the signature of 0, he can't find out the signature of 1, because {f_i} is a trapdoor one-way family and so, without the trapdoor, the adversary can't compute b from f_i(b). Similarly, even if the adversary sees the signature of 1, he can't find out the signature of 0.
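The one-bit scheme and its extension to longer messages, as an added example that is not the slides' code. The trapdoor one-way permutation f_i is instantiated with the constructed toy RSA function x -> x^e mod N (p = 61, q = 53, e = 17; note that verification needs only f, never the trapdoor d). The extension to n-bit messages used here, one independent (a_i, b_i) pair per bit, is a standard choice and my assumption about how the slides continue. Each key pair signs exactly one message: revealing both a_i and b_i for some position would let an observer reassemble signatures on other messages.

```python
import secrets

P_, Q_ = 61, 53      # constructed toy primes; N is far too small for real use
N = P_ * Q_
E = 17


def f(x: int) -> int:
    """Trapdoor one-way permutation f_i of the slides, instantiated as RSA x^e mod N.
    It is a bijection on Z_N, so distinct preimages have distinct images."""
    return pow(x, E, N)


def keygen(nbits: int, rng=lambda: secrets.randbelow(N - 3) + 2):
    """Private key: nbits pairs (a_i, b_i); public key: their images (f(a_i), f(b_i))."""
    sk = []
    for _ in range(nbits):
        a = rng()
        b = rng()
        while b == a:          # keep the two preimages distinct
            b = rng()
        sk.append((a, b))
    pk = [(f(a), f(b)) for a, b in sk]
    return pk, sk


def bits(msg: bytes, nbits: int):
    """The first nbits bits of msg, most significant bit first."""
    return [(msg[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def sign(sk, msg: bytes):
    """Reveal a_i for bit 0 and b_i for bit 1 at each position. One-time use only."""
    return [pair[bit] for pair, bit in zip(sk, bits(msg, len(sk)))]


def verify(pk, msg: bytes, sig) -> bool:
    """Apply the public f to each revealed value and compare with the published image."""
    if len(sig) != len(pk):
        return False
    return all(f(s) == pair[bit] for pair, bit, s in zip(pk, bits(msg, len(pk)), sig))
```

With `nbits = 16`, `keygen` returns 16 pairs and a two-byte message is signed by revealing 16 preimages; flipping any message bit makes the corresponding check f(s_i) = f(a_i) or f(b_i) fail.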
To guarantee the message is fresh, when we use MAC or digital signature, we should
include a timestamp as part of the message, or include a fresh nonce chosen by the receiver as part of the message.
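Both freshness mechanisms from the slide, checked on the receiving side, as an added example that is not part of the slides. It uses HMAC-SHA256 from the Python standard library with a constructed shared key; the nonce bookkeeping, the acceptance window and the length framing of the MAC input are my design choices.

```python
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-shared-key-for-demo"   # constructed; a real key is random and secret


def mac(key: bytes, nonce: bytes, timestamp: int, msg: bytes) -> bytes:
    """HMAC over nonce || timestamp || message. Length framing keeps the freshness
    fields from being confused with message bytes."""
    framed = len(nonce).to_bytes(2, "big") + nonce + timestamp.to_bytes(8, "big") + msg
    return hmac.new(key, framed, hashlib.sha256).digest()


class Receiver:
    """Accepts a message only if it carries a nonce this receiver issued (used at most
    once) and a timestamp inside the acceptance window, and the MAC verifies."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.outstanding = set()       # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, timestamp: int, msg: bytes, tag: bytes, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if nonce not in self.outstanding:          # unknown nonce, or a replay
            return False
        if abs(now - timestamp) > self.window:     # stale message (or bad clock)
            return False
        if not hmac.compare_digest(mac(self.key, nonce, timestamp, msg), tag):
            return False                           # tampered or wrong key
        self.outstanding.discard(nonce)            # each nonce is single-use
        return True
```

The sender obtains a nonce via `challenge()`, MACs `(nonce, timestamp, msg)` and sends all four; replaying the same message later fails because the nonce has already been consumed, and a captured message with a fresh nonce fails the timestamp window.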