Digital Signature

Sheng Zhong

Digital Signature (1)

Public-key-based technique for data integrity. A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify).
PK: Public key space (the set of all possible keys). SK: Private key space. M: Message space. S: Signature space.
2

Digital Signature (2)

KG: {Positive Integer} PK SK. An efficient algorithm for key generation. Sign: SK M S. An efficient algorithm for signing. Verify: PK M S {accept, reject}. An efficient algorithm for verifying signature on message.

Correctness Requirement
We require that the signature generated by a private key can definitely be verified by the corresponding public key.
For all output (pk, sk) of the key generation algorithm, for all message m, Verify(pk, m, Sign(sk, m))=accept.

Unforgeability Requirement
We require that any adversary should not be able to forge a signature on any message.
For all efficient algorithm A, for all message m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible

RSA Signature (1)

Key generation: Same as in the RSA cryptosystem.
N=pq is an RSA modulus. ed=1 (mod (N)). Public key: (N, e). Private key: (N, d).

Signing: s=md mod N.

Note this looks like decryption in RSA cryptosystem.
6

RSA Signature (2)

Verification: return accept if and only if m=se mod N.
This looks like encryption in RSA cryptosystem, right?

Why is the scheme correct?

Because se = (md)e = mde=m (mod N).

Unforgeability
Recall RSA is a trapdoor one-way function.
Without knowing trapdoor d, it should be infeasible to find s such that se=m (mod N). The above is equivalent to that it is hard to find s=md (mod N). So the RSA signature is unforgeable in the very weak sense as we described.

Inadequacy of Simple Unforgeability

The above unforgeability property only ensures that adversary cant generate valid signature on any given message.
Bad guy cant show to people that you have borrowed $1 million from him.

But it does not ensure that adversary cant generate valid signature on random message.
Bad guy might be able to show that you have done something (which you did not really do).
9

Attack on RSA
Adversary picks a random element s of the signature space. Adversary computes m=se (mod N). Clearly, s is a valid signature on message m. Adversary can claim signer has done random things!
10

Countermeasure to the Attack

We can modify the signing procedure by adding a hash:
Signing: s=(H(m))d mod N. Verification: Return accept if and only if se=H(m) (mod N). Clearly, the scheme remains correct.

11

Random attack is no longer feasible.

Suppose the hash function is one-way.
Then the adversary can compute se; but cant compute m=H-1(se). So the attack is no longer feasible.

This is called existent unforgeability.

For all efficient algorithm A, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, A(pk))=accept]=negligible
12

Rabin Signature
Another signature scheme; very similar to RSA signature. Key generation: Choose RSA modulus N=pq; N is public key; (p, q) is the private key. Signing: s= m1/2 (mod N). Verification: return accept if and only if m=s2 (mod N).
13

Rabin Signature vs. RSA Signature

Difference:
Rabin signature uses 2 as verification exponent. RSA signature uses e as verification exponent, where e is in Z* (N)

Advantage of Rabin signature:

Faster in verification.

14

Unforgeability of Rabin Signature

Rabin signature is unforgeable (in the nave sense) if factorization is hard.
Suppose adversary can forge signature s on given message m. Then we choose s randomly, computes m=(s)2, and ask adversary to forge s=m1/2. Note that s and s are two square roots of m. With probability of , we are able to factor N.
15

Attack and Countermeasure

Just like RSA signature scheme, Rabin signature scheme is existentally forgeable.
Pick s and compute m=s2 mod N. s is a valid signature on m.

To prevent such attack, we can also use hash function.

16

ElGamal Signature (1)

Yet another popular signature scheme. Key generation: like in ElGamal cryptosystem.
Pick a large prime p; pick generator g in Z*p; y=gx mod p. Public key: (p, g, y) Private key: (p, g, x)

17

ElGamal Signature (2)

Signing: r=gl mod p; s=l-1(m-xr) mod (p-1). (r,s) is signature on message m. Verification: return accept if and only if rs=gm/yr (mod p)

18

Valid signature can be verified

r ! (g ) !g
m

l l 1 ( m  xr )

(mod p )

m  xr

(mod p )
r

! g / y (mod p )

19

Verified signature should be valid

Intuitively (not rigorously): Can compute valid s=l-1(m-xr) Can compute valid m-xr Knows x

20

Looks Secure
The signature looks not giving knowledge about x.
Since in s=l-1(m-xr), x-mr is protected by l-1. And in r=xl, l is protected by hardness of discrete logarithm.

21

Attack on ElGamal Signature (1)

Can the signer reuse l in signing?
This leads to breaking of the signature scheme.

Suppose r=gl mod p; s=l-1(m-xr) mod (p-1); s=l-1(m-xr) mod (p-1). Then s-s=l-1(m-m) (mod (p-1))
Adversary can figure out l from m, m, s, s. Next, adversary computes x from l, m, r, s.
22

Attack on ElGamal Signature (2)

Even if signer does not reuse l, adversary can forge a signature.
Attacks discovered by Bleichenbacher in 1996.

One example: suppose (r,s) is a signature on message m.

u=m/m (mod p-1); s=su (mod p-1). Compute r s.t. r=ru (mod p-1) and r=r (mod p).
23

Attack on ElGamal Signature (3)

(r' ) ! r

s'

su r u

! (g / y ) !g
u '

/y

ru

! g / y (mod p )
(r,s) is a valid signature on message m.
24

r'

Attack on ElGamal Signature (4)

If g is chosen by adversary, Bleichenbacher showed a way to forge signatures.
Details in textbook. Read if you are interested.

25

Countermeasures
Do NOT reuse l. Make sure 0<r<p.
This prevents the example attack because r=ru (mod p-1) and r=r (mod p) cant be satisfied by any r between 0 and p.

Make sure g is generated randomly.

26

Existent Forgery (1)

Choose u,v in Z*p-1. r=guyv mod p. s=-rv-1 mod (p-1). m=-ruv-1 mod (p-1). Claim: (r,s) is a valid signature on message m.

27

Existent Forgery (2)

Why does the attack work?

r ! (g y ) !g
 ruv 1
m r

v  rv 1

r

! g / y (mod p)
Countermeasure: Use hash function.
28

ElGamal Signature Family (1)

There are a number of ElGamal-like signature schemes. They are different in details, but have the same basic idea:
Signature is to prove sender of message m has knowledge of private x. So it is enough to prove sender knows a function of x and m. Note the above function of x and m binds the signature to message m.
29

ElGamal Signature Family (2)

However, function of x and m cannot be the signature because adversary may compute x from it. So, the signer protect function of x and m using a random factor, to get a part of the signature. gThe random factor is the other part of the signature; the random factor is now protected by hardness of discrete logarithm.

All signature schemes using the above idea belong to the ElGamal signature family.

30

ElGamal signature belongs to the ElGamal signature family

Look at the ElGamal signature:
function of x and m : m-xr. Protect the above using a random factor: s=l-1(m-xr) Protect the random factor using discrete logarithm: r=gl
31

Schnorr Signature
Another member of ElGamal signature family:
function of x and m : H(m,r)x. Protect the above using a random factor: s=H(m,r)x+l Protect the random factor using discrete logarithm: r=gl
32

Digital Signature Standard (DSS)

Yet another member of ElGamal signature family:
function of x and m : H(m)+xr. Protect the above using a random factor: s=l-1(H(m)+xr) Protect the random factor using discrete logarithm: r=gl
33

Security of ElGamal Signature Family

There are many other members of ElGamal signature family.
Each has a lot of details that require attention.

But note that ElGamal signature family is a general method of designing signature schemes.
NOT a method for security proof. So the security of each member has to be analyzed case by case.
34

Optional Topic: Unforgeability and Chosen Message Attack

Chosen Message Attack: a strong adversary model for digital signature
Analogous to CCA2 for encryption Assumes adversary can obtain signatures from an oracle for any messages he chooses Then ask whether adversary is able to figure out a new pair of (message, signature).

35

Oracle Machine
An oracle machine is associated with a functionality.
It maps an input sequence (called queries) to a probability distribution of output sequence (called answers) . A query/answer can depend on earlier queries/answers. But it cant depend on later queries/answers. Note that the functionality does NOT need to be (efficiently) computable.
36

Use of Oracle Machine

We can let an algorithm A have access to an oracle machine M.
Whenever needed, A can send queries of his choices to M and get answers. This can help A to complete a lot of computational tasks. A cant look inside M. In other words, A does not know whats happening in M.

37

Unforgeability against Chosen Message Attack (CMA)

Suppose M is an oracle machine that returns signatures for any query messages. A digital signature is (existentally) unforgeable against Chosen Message Attack if for all efficient algorithm A that has access to M, for signing key ks and verification key kv distributed as specified in the scheme, for all polynomial p(), for all sufficiently large k, Pr[Verify(kv, AM(kv))=accept and the message in AM(kv) is not a query of A to M]<1/p(k)
38

Unforgeable Signature against CMA

Suppose {fi} is a family of trapdoor one-way permutations. Then we can construct a signature scheme that is unforgeable against CMA.
Recall {fi} should have efficient algorithms I, D, F for initialization, domain sampling, function evaluation, respectively.

We start by giving a secure signature scheme for a single bit; then we extend this signature scheme to longer messages.
39

Secure Signature for a Single Bit (1)

For key generation, we first run I to get index i and trapdoor d.
We then use D to sample two points a, b from the domain of fi, uniformly and independently. We next use F to compute fi(a) and fi(b). The public key is (i, fi(a) , fi(b) ). The private key is (a, b).

40

Secure Signature for a Single Bit (2)

Signing:
The signature of 0 is a; The signature of 1 is b.

Verification:
If the message is 0, check fi(signature)= fi(a); If the message is 1, check fi(signature)= fi(b).

41

Security Analysis
Even if adversary sees signature of 0, he cant find out signature of 1.
Because {fi} is trapdoor one-way and thus without knowing the trapdoor the adversary cant compute b from fi(b). Similarly, even if adversary sees signature of 1, he cant find out signature of 0.

Random message attack is not feasible.

Because the domain of fi is large and thus it is infeasible to find a random signature.
42

Extension to Longer Messages

A longer message consists of multiple bits.
So we only need to use the signature scheme for single bit for multiple times. For each bit of the message we have a different instance of the signature scheme for single bit. The signatures of all bits constitute the signature of the entire message.

43

Problem with Extension

The above simple extension works for a single message of multiple bits.
But it is subject to attack when there are multiple messages. Consider for example m1=1011, m2=0100, m3=1111. When you have signatures of m1 and m2, you can actually derive the signature of m3. The signatures of 1st, 3rd, and 4th bits of m3 come from the signature of m1. The signatures of 2nd bit of m3 comes from the signature of m2.
44

Fixing the Problem

To fix the problem, we need to make sure that the signatures of different messages use different instances of the signature scheme for single bit.
This can be done by having the signer re-choose the instances after signing each message. To notify verifier of the new instances, the signer must sign them and include them in the signature. In fact, a complete history of message signing and instance changing must be included in the signature. Fixed as above, the scheme can be proved to be existentally unforgeable against CMA.
45

Authentication of Fresh Message

In the above, we introduced MAC and digital signature for message authentication.
They guarantee a message was indeed sent by a specific entity. However, the message might actually be a replay of a very old message.

To guarantee the message is fresh, when we use MAC or digital signature, we should
Include time stamp as part of message, or Include a fresh nonce chosen by the receiver as part of message
46