
Sheng Zhong

Digital Signature (1)

• Public-key-based technique for data integrity.
• A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify).
– PK: Public key space (the set of all possible keys).
– SK: Private key space.
– M: Message space.
– S: Signature space.

Digital Signature (2)

• KG: {Positive Integer} → PK × SK. An efficient algorithm for key generation.
• Sign: SK × M → S. An efficient algorithm for signing.
• Verify: PK × M × S → {accept, reject}. An efficient algorithm for verifying a signature on a message.

Correctness Requirement

• We require that a signature generated by a private key can definitely be verified by the corresponding public key.
– For all outputs (pk, sk) of the key generation algorithm, for all messages m, Verify(pk, m, Sign(sk, m))=accept.

Unforgeability Requirement

• We require that any adversary should not be able to forge a signature on any message.
– For all efficient algorithms A, for all messages m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible.

RSA Signature (1)

• Key generation: Same as in the RSA cryptosystem.
– N=pq is an RSA modulus.
– ed=1 (mod Φ(N)).
– Public key: (N, e).
– Private key: (N, d).
• Signing: s=m^d mod N.
– Note this looks like decryption in the RSA cryptosystem.

RSA Signature (2)

• Verification: return accept if and only if m=s^e mod N.
– This looks like encryption in the RSA cryptosystem.
• Why is the scheme correct?
– Because s^e = (m^d)^e = m^{de} = m (mod N), right?

Unforgeability

• Recall RSA is a trapdoor one-way function.
– Without knowing the trapdoor d, it should be infeasible to find s such that s^e=m (mod N).
– The above is equivalent to saying that it is hard to find s=m^d (mod N).
– So the RSA signature is unforgeable in the very weak sense we described.

Inadequacy of Simple Unforgeability

• The above unforgeability property only ensures that the adversary can't generate a valid signature on any given message.
– The bad guy can't show people that you "have borrowed $1 million from him".
• But it does not ensure that the adversary can't generate a valid signature on a random message.
– The bad guy might be able to show that you "have done something" (which you did not really do).

Attack on RSA

• The adversary picks a random element s of the signature space.
• The adversary computes m=s^e (mod N).
• Clearly, s is a valid signature on message m.
• The adversary can claim the signer has done random things!

Countermeasure to the Attack

• We can modify the signing procedure by adding a hash:
– Signing: s=(H(m))^d mod N.
– Verification: Return accept if and only if s^e=H(m) (mod N).
– Clearly, the scheme remains correct.

Random attack is no longer feasible

• Suppose the hash function is one-way.
– Then the adversary can compute s^e, but can't compute m=H^{-1}(s^e).
– So the attack is no longer feasible.
• This is called existential unforgeability:
– For all efficient algorithms A, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, A(pk))=accept]=negligible, where A(pk) outputs a (message, signature) pair of the adversary's own choosing.
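The following is an added example that is not part of the slides: it implements the textbook RSA signature, the random-s forgery from the "Attack on RSA" slide, and the hashed countermeasure, so the reader can see the forgery accepted by the unhashed verifier and rejected once the hash is in place. The key uses two Mersenne primes as a constructed toy modulus, and H is assumed to be SHA-256 reduced modulo N; none of these parameters come from the slides.

```python
import hashlib
import random

# Constructed toy RSA key for the example: the Mersenne primes 2^61-1 and 2^31-1.
# Far too small for real use, but large enough that a 256-bit hash reduced mod N
# will not coincide with an adversary-chosen value by accident.
P = 2305843009213693951  # 2^61 - 1
Q = 2147483647           # 2^31 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)      # e*d = 1 (mod Phi(N))


def sign_textbook(m: int) -> int:
    """Slide scheme: s = m^d mod N (looks like RSA decryption)."""
    return pow(m, D, N)


def verify_textbook(m: int, s: int) -> bool:
    """Slide scheme: accept iff m = s^e mod N (looks like RSA encryption)."""
    return pow(s, E, N) == m % N


def forge_textbook(seed: int):
    """The slide's attack: pick a random s first; then m = s^e mod N is 'signed' by s."""
    s = random.Random(seed).randrange(2, N)
    return pow(s, E, N), s


def H(m: int) -> int:
    """Hash into Z_N (assumption: SHA-256 of the big-endian encoding, reduced mod N)."""
    digest = hashlib.sha256(m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")).digest()
    return int.from_bytes(digest, "big") % N


def sign_hashed(m: int) -> int:
    """Countermeasure: s = H(m)^d mod N."""
    return pow(H(m), D, N)


def verify_hashed(m: int, s: int) -> bool:
    """Countermeasure: accept iff s^e = H(m) mod N."""
    return pow(s, E, N) == H(m)


def demo() -> dict:
    # The forger obtains a pair (m, s) that passes the unhashed check. Against the hashed
    # verifier the same pair fails, because s^e is now compared with H(m), and the forger
    # would have to find a preimage of s^e under H to make it pass.
    m_forged, s_forged = forge_textbook(2024)
    return {
        "textbook_accepts_forgery": verify_textbook(m_forged, s_forged),
        "hashed_rejects_forgery": not verify_hashed(m_forged, s_forged),
        "hashed_roundtrip": verify_hashed(12345, sign_hashed(12345)),
    }


if __name__ == "__main__":
    print(demo())
```

The hashed variant keeps correctness (a genuine signature still round-trips) while the forger's pair, valid by construction for the raw equation, is rejected.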

Rabin Signature

• Another signature scheme, very similar to the RSA signature.
• Key generation: Choose RSA modulus N=pq. N is the public key; (p, q) is the private key.
• Signing: s=m^{1/2} (mod N).
• Verification: return accept if and only if m=s^2 (mod N).

Rabin Signature vs. RSA Signature

• Difference:
– Rabin signature uses 2 as the verification exponent.
– RSA signature uses e as the verification exponent, where e is in Z*_{Φ(N)}.
• Advantage of Rabin signature:
– Faster verification.

Unforgeability of Rabin Signature

• Rabin signature is unforgeable (in the naïve sense) if factorization is hard.
– Suppose an adversary can forge a signature s on a given message m.
– Then we choose s' randomly, compute m=(s')^2, and ask the adversary to forge s=m^{1/2}.
– Note that s and s' are two square roots of m.
– With probability ½, we are able to factor N.

Attack and Countermeasure

• Just like the RSA signature scheme, the Rabin signature scheme is existentially forgeable.
– Pick s and compute m=s^2 mod N.
– s is a valid signature on m.
• To prevent such an attack, we can also use a hash function.
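An added example, not from the slides, covering the two preceding slides: it implements Rabin signing and verification with a constructed toy modulus whose primes are both 3 mod 4 (an assumption the slides do not state, made so that square roots are easy to compute with the trapdoor), then shows the factoring reduction, namely that when the forger returns a square root different from ±s', gcd(s - s', N) splits N, which happens for exactly two of the four roots. The key-only forgery (pick s, publish m = s^2) is included as well.

```python
import math
import random

# Constructed toy modulus (assumption): both primes are 3 mod 4, so a square root of a
# quadratic residue m mod p is m^((p+1)/4). Sizes are far below anything usable.
P = 2305843009213693951  # 2^61 - 1
Q = 2147483647           # 2^31 - 1
N = P * Q


def crt(rp: int, rq: int) -> int:
    """Combine x = rp (mod P), x = rq (mod Q) into x mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def square_roots(m: int) -> list:
    """All four square roots of a quadratic residue m modulo N = P*Q (needs the trapdoor)."""
    rp = pow(m, (P + 1) // 4, P)
    rq = pow(m, (Q + 1) // 4, Q)
    if (rp * rp - m) % P or (rq * rq - m) % Q:
        raise ValueError("m is not a quadratic residue mod N")
    return [crt(a, b) for a in (rp, P - rp) for b in (rq, Q - rq)]


def sign(m: int, choice: int = 0) -> int:
    """Rabin signing from the slides: s = m^(1/2) mod N (any one of the four roots)."""
    return square_roots(m)[choice]


def verify(m: int, s: int) -> bool:
    """Rabin verification: accept iff m = s^2 mod N."""
    return pow(s, 2, N) == m % N


def existential_forgery(seed: int):
    """Key-only forgery from the slides: choose s first, then m = s^2 mod N is signed by s."""
    s = random.Random(seed).randrange(2, N)
    return pow(s, 2, N), s


def reduction_step(s_prime: int, s: int):
    """Given two square roots s, s' of the same m, return a factor of N if s != +-s'.
    (s - s')(s + s') = 0 (mod N) with neither factor 0 mod N forces gcd(s - s', N) in {P, Q}."""
    if s in (s_prime, N - s_prime):
        return None
    f = math.gcd((s - s_prime) % N, N)
    return f if 1 < f < N else None


def factoring_success_count(s_prime: int) -> int:
    """Out of the forger's four possible answers for m = s'^2, how many let us factor N."""
    m = pow(s_prime, 2, N)
    return sum(1 for s in square_roots(m) if reduction_step(s_prime, s) in (P, Q))


if __name__ == "__main__":
    print(factoring_success_count(123456789))   # two of four roots factor N
```

Because the forger cannot tell which of the four roots the reduction started from, it answers with a useful root half of the time, which is the probability ½ quoted on the slide.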

ElGamal Signature (1)

• Yet another popular signature scheme.
• Key generation: like in the ElGamal cryptosystem.
– Pick a large prime p, pick a generator g in Z*_p, y=g^x mod p.
– Public key: (p, g, y)
– Private key: (p, g, x)

ElGamal Signature (2)

• Signing: r=g^l mod p, s=l^{-1}(m-xr) mod (p-1). (r, s) is the signature on message m.
• Verification: return accept if and only if r^s=g^m/y^r (mod p).

Valid signature can be verified

$$r^s \equiv (g^l)^{\,l^{-1}(m-xr)} \equiv g^{m-xr} \equiv g^m / y^r \pmod p$$

Verified signature should be valid

• Intuitively (not rigorously): Can compute valid s=l^{-1}(m-xr) → Can compute valid m-xr → Knows x.

"Looks" Secure

• The signature does not seem to give away knowledge about x.
– Since in s=l^{-1}(m-xr), m-xr is protected by l^{-1}.
– And in r=g^l, l is protected by the hardness of discrete logarithm.

Attack on ElGamal Signature (1)

• Can the signer reuse l in signing?
– This leads to a break of the signature scheme.
• Suppose r=g^l mod p, s=l^{-1}(m-xr) mod (p-1), s'=l^{-1}(m'-xr) mod (p-1).
• Then s-s'=l^{-1}(m-m') (mod (p-1)).
– The adversary can figure out l from m, m', s, s'.
– Next, the adversary computes x from l, r, s, m.
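An added example that is not part of the slides: ElGamal signing and verification exactly as on the previous two slides, followed by the nonce-reuse recovery. The group (p = 2879, a safe prime, with generator 7), the private key and the reused l are constructed toy values. The recovery solves s - s' = l^{-1}(m - m') and then s = l^{-1}(m - xr) as linear congruences mod p-1, and goes slightly beyond the slide by handling the case where the coefficient is not invertible mod p-1 (it enumerates the few candidates and keeps the one consistent with r = g^l and y = g^x).

```python
import math

# Constructed toy parameters (assumption): p = 2879 is a safe prime (p = 2q + 1 with
# q = 1439) and 7 is a generator of Z*_p. Real deployments use far larger p.
P, G = 2879, 7


def keygen(x: int) -> int:
    """Public key y = g^x mod p for private key x."""
    return pow(G, x, P)


def sign(x: int, m: int, l: int):
    """ElGamal signing from the slides; l is passed in so its reuse can be demonstrated.
    Requires gcd(l, p-1) = 1 so that l^{-1} mod (p-1) exists."""
    r = pow(G, l, P)
    s = (pow(l, -1, P - 1) * (m - x * r)) % (P - 1)
    return r, s


def verify(y: int, m: int, sig) -> bool:
    """Accept iff r^s = g^m / y^r (mod p), checked as r^s * y^r = g^m to avoid an inverse."""
    r, s = sig
    return (pow(r, s, P) * pow(y, r, P)) % P == pow(G, m, P)


def solve_linear(a: int, b: int, n: int) -> list:
    """All x in [0, n) with a*x = b (mod n), including the case gcd(a, n) > 1."""
    d = math.gcd(a % n, n)
    if b % d:
        return []
    a2, b2, n2 = (a % n) // d, (b % n) // d, n // d
    x0 = (b2 * pow(a2, -1, n2)) % n2
    return [x0 + k * n2 for k in range(d)]


def recover_from_reused_l(y: int, m1: int, sig1, m2: int, sig2):
    """The slide's attack: two signatures with the same r (hence the same l) give
    l * (s - s') = m - m' (mod p-1), after which x * r = m - s*l (mod p-1)."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError("different r values: l was not reused")
    n = P - 1
    l = next(c for c in solve_linear(s1 - s2, m1 - m2, n) if pow(G, c, P) == r)
    x = next(c for c in solve_linear(r, m1 - s1 * l, n) if pow(G, c, P) == y)
    return l, x


def demo():
    x, l = 1234, 77              # constructed private key and the nonce reused twice
    y = keygen(x)
    sig1 = sign(x, 100, l)
    sig2 = sign(x, 200, l)       # same l: both signatures share r
    return y, sig1, sig2, recover_from_reused_l(y, 100, sig1, 200, sig2)


if __name__ == "__main__":
    print(demo())
```

The shared r is the tell-tale sign a monitor can look for: two signatures under one key with equal r mean the private key is recoverable by anyone holding both.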

Attack on ElGamal Signature (2)

• Even if the signer does not reuse l, the adversary can forge a signature.
– Attacks discovered by Bleichenbacher in 1996.
• One example: suppose (r, s) is a signature on message m.
– u=m'/m (mod p-1).
– Compute r', s' s.t. r'=ru (mod p-1) and r'=r (mod p), s'=su (mod p-1).

Attack on ElGamal Signature (3)

$$(r')^{s'} \equiv r^{su} \equiv (g^m / y^r)^u \equiv g^{mu} / y^{ru} \equiv g^{m'} / y^{r'} \pmod p$$

• (r', s') is a valid signature on message m'.

Attack on ElGamal Signature (4)

• If g is chosen by the adversary, Bleichenbacher showed a way to forge signatures.
– Details in the textbook. Read if you are interested.

Countermeasures

• Do NOT reuse l.
• Make sure 0<r<p.
– This prevents the example attack because r'=ru (mod p-1) and r'=r (mod p) can't be satisfied by any r' between 0 and p.
• Make sure g is generated randomly.

Existential Forgery (1)

• Choose u, v in Z*_{p-1}.
• r=g^u y^v mod p.
• s=-rv^{-1} mod (p-1).
• m=-ruv^{-1} mod (p-1).
• Claim: (r, s) is a valid signature on message m.

Existential Forgery (2)

• Why does the attack work?

$$r^s \equiv (g^u y^v)^{-rv^{-1}} \equiv g^{-ruv^{-1}} y^{-r} \equiv g^m / y^r \pmod p$$

• Countermeasure: Use a hash function.
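An added example, not from the slides, serving the "Attack on ElGamal Signature (2)/(3)", "Countermeasures" and "Existential Forgery" slides together. It uses the constructed toy group p = 23, g = 5 so that every intermediate value can be checked by hand. The Bleichenbacher-style forgery builds r' by CRT (since p = 1 mod p-1, r' = r + p·((ru - r) mod (p-1)) satisfies both congruences), and the strict verifier with the 0 < r < p check rejects it; the key-only existential forgery passes even the strict check, which is why the slide's countermeasure for it is a hash.

```python
# Constructed toy group (assumption): p = 23 is prime and 5 generates Z*_23.
P, G = 23, 5


def sign(x: int, m: int, l: int):
    """ElGamal signing from the slides with an explicit nonce l (gcd(l, p-1) = 1)."""
    r = pow(G, l, P)
    return r, (pow(l, -1, P - 1) * (m - x * r)) % (P - 1)


def verify(y: int, m: int, sig) -> bool:
    """The slide's check r^s = g^m / y^r (mod p), with no range check on r."""
    r, s = sig
    return (pow(r, s, P) * pow(y, r, P)) % P == pow(G, m, P)


def verify_strict(y: int, m: int, sig) -> bool:
    """Countermeasure from the slides: additionally require 0 < r < p."""
    r, _ = sig
    return 0 < r < P and verify(y, m, sig)


def bleichenbacher_forge(m: int, sig, m_new: int):
    """Turn (r, s) on m into (r', s') on m_new: u = m_new/m (mod p-1), s' = s*u (mod p-1),
    r' = r (mod p) and r' = r*u (mod p-1) solved by CRT. Requires gcd(m, p-1) = 1."""
    r, s = sig
    u = (m_new * pow(m, -1, P - 1)) % (P - 1)
    s_new = (s * u) % (P - 1)
    # CRT: p = 1 (mod p-1), so r + p*k = r*u (mod p-1) holds with k = (r*u - r) mod (p-1).
    r_new = r + P * ((r * u - r) % (P - 1))
    return r_new, s_new


def existential_forge(y: int, u: int, v: int):
    """Key-only forgery from the slides: r = g^u y^v, s = -r v^-1, m = -r u v^-1 (mod p-1)."""
    r = (pow(G, u, P) * pow(y, v, P)) % P
    v_inv = pow(v, -1, P - 1)
    s = (-r * v_inv) % (P - 1)
    m = (-r * u * v_inv) % (P - 1)
    return m, (r, s)


def demo() -> dict:
    x = 7
    y = pow(G, x, P)                              # y = 17
    sig = sign(x, 3, 5)                           # (r, s) = (20, 21) on m = 3
    forged = bleichenbacher_forge(3, sig, 9)      # (r', s') = (434, 19) on m' = 9
    m_f, sig_f = existential_forge(y, 3, 5)       # m = 7 with (r, s) = (3, 17)
    return {
        "y": y, "sig": sig, "forged": forged, "existential": (m_f, sig_f),
        "loose_accepts_forged": verify(y, 9, forged),
        "strict_rejects_forged": not verify_strict(y, 9, forged),
        "existential_valid": verify(y, m_f, sig_f),
        "existential_passes_strict": verify_strict(y, m_f, sig_f),
    }


if __name__ == "__main__":
    print(demo())
```

Note that r' = 434 is congruent to r = 20 mod 23 but lies far outside [1, p-1]; a verifier that reduces r mod p before exponentiating, instead of rejecting it, silently accepts the forgery.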

ElGamal Signature Family (1)

• There are a number of ElGamal-like signature schemes. They are different in details, but have the same basic idea:
– A signature is to "prove" that the sender of message m has knowledge of the private key x.
– So it is enough to "prove" that the sender knows a function of x and m.
– Note the above function of x and m binds the signature to message m.

ElGamal Signature Family (2)

– However, the function of x and m cannot be the signature itself, because the adversary may compute x from it.
– So, the signer protects the function of x and m using a random factor, to get one part of the signature.
– The random factor is the other part of the signature.
– So the random factor is now protected by the hardness of discrete logarithm.
• All signature schemes using the above idea belong to the ElGamal signature family.

ElGamal signature belongs to the ElGamal signature family

• Look at the ElGamal signature:
– function of x and m: m-xr.
– Protect the above using a random factor: s=l^{-1}(m-xr).
– Protect the random factor using discrete logarithm: r=g^l.

Schnorr Signature

• Another member of the ElGamal signature family:
– function of x and m: H(m,r)x.
– Protect the above using a random factor: s=H(m,r)x+l.
– Protect the random factor using discrete logarithm: r=g^l.

Digital Signature Standard (DSS)

• Yet another member of the ElGamal signature family:
– function of x and m: H(m)+xr.
– Protect the above using a random factor: s=l^{-1}(H(m)+xr).
– Protect the random factor using discrete logarithm: r=g^l.
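An added example that is not part of the slides, built from the Schnorr recipe on the slide before last: the "function of x and m" is H(m,r)·x, the random factor l hides it in s = H(m,r)x + l, and r = g^l hides l. The verification equation g^s = r·y^{H(m,r)} (mod p) is not written on the slide; it follows directly from the recipe, since g^s = g^{H·x + l} = y^H·r. The group (p = 2879, g = 7) is a constructed toy group and H is assumed to be SHA-256 reduced mod p-1.

```python
import hashlib

# Constructed toy group (assumption): p = 2879 is a safe prime and 7 generates Z*_p.
P, G = 2879, 7


def H(m: bytes, r: int) -> int:
    """Challenge H(m, r) reduced into the exponent range Z_(p-1) (assumption: SHA-256)."""
    digest = hashlib.sha256(m + r.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def keygen(x: int) -> int:
    """Public key y = g^x mod p."""
    return pow(G, x, P)


def sign(x: int, m: bytes, l: int):
    """Schnorr recipe from the slides: r = g^l, then s = H(m, r)*x + l (mod p-1)."""
    r = pow(G, l, P)                    # random factor, protected by discrete log
    s = (H(m, r) * x + l) % (P - 1)     # function of x and m, protected by l
    return r, s


def verify(y: int, m: bytes, sig) -> bool:
    """g^s = g^(H*x + l) = y^H * r (mod p). The verifier never learns H(m,r)*x itself,
    because l is added to it; binding to m comes from recomputing H(m, r)."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y, H(m, r), P)) % P


def demo() -> dict:
    x = 1235                            # constructed private key
    y = keygen(x)
    sig = sign(x, b"transfer 10", 77)   # constructed message and nonce
    return {
        "valid": verify(y, b"transfer 10", sig),
        "tampered_rejected": not verify(y, b"transfer 99", sig),
        "wrong_key_rejected": not verify(keygen(4321), b"transfer 10", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The same skeleton with H(m)+xr in place of H(m,r)·x and l^{-1} applied gives the DSS-style member on the slide above; what changes between family members is only which function of x and m is hidden and how.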

Security of ElGamal Signature Family

• There are many other members of the ElGamal signature family.
• But note that the ElGamal signature family is a general method of designing signature schemes.
– NOT a method for security proof.
– So the security of each member has to be analyzed case by case.
– Each has a lot of details that require attention.

Optional Topic: Unforgeability and Chosen Message Attack

• Chosen Message Attack: a strong adversary model for digital signatures.
– Analogous to CCA2 for encryption.
– Assumes the adversary can obtain signatures from an oracle for any messages he chooses.
– Then ask whether the adversary is able to figure out a new (message, signature) pair.

Oracle Machine

• An oracle machine is associated with a functionality.
– It maps an input sequence (called queries) to a probability distribution of output sequences (called answers).
– A query/answer can depend on earlier queries/answers.
– But it can't depend on later queries/answers.
– Note that the functionality does NOT need to be (efficiently) computable.

Use of Oracle Machine

• We can let an algorithm A have access to an oracle machine M.
– Whenever needed, A can send queries of his choice to M and get answers.
– This can help A complete a lot of computational tasks.
– A can't look inside M. In other words, A does not know what's happening in M.

Unforgeability against Chosen Message Attack (CMA)

Suppose M is an oracle machine that returns signatures for any query messages. A digital signature is (existentially) unforgeable against Chosen Message Attack if for all efficient algorithms A that have access to M, for all polynomials p(), for all sufficiently large k, for signing key ks and verification key kv distributed as specified in the scheme, Pr[Verify(kv, A^M(kv))=accept and the message in A^M(kv) is not a query of A to M]<1/p(k).

Unforgeable Signature against CMA

• Suppose {f_i} is a family of trapdoor one-way permutations. Then we can construct a signature scheme that is unforgeable against CMA.
– Recall {f_i} should have efficient algorithms I, D, F for initialization, domain sampling, and function evaluation, respectively.
• We start by giving a secure signature scheme for a single bit, then we extend this signature scheme to longer messages.

Secure Signature for a Single Bit (1)

• For key generation, we first run I to get index i and trapdoor d.
– We then use D to sample two points a, b from the domain of f_i, uniformly and independently.
– We next use F to compute f_i(a) and f_i(b).
– The public key is (i, f_i(a), f_i(b)).
– The private key is (a, b).

Secure Signature for a Single Bit (2)

• Signing:
– The signature of 0 is a.
– The signature of 1 is b.
• Verification:
– If the message is 0, check f_i(signature)=f_i(a).
– If the message is 1, check f_i(signature)=f_i(b).

Security Analysis

• Even if the adversary sees the signature of 0, he can't find out the signature of 1.
– Because {f_i} is trapdoor one-way and thus, without knowing the trapdoor, the adversary can't compute b from f_i(b).
– Similarly, even if the adversary sees the signature of 1, he can't find out the signature of 0.
• Random message attack is not feasible.
– Because the domain of f_i is large and thus it is infeasible to find a random signature.

Extension to Longer Messages

• A longer message consists of multiple bits.
– For each bit of the message we have a different instance of the signature scheme for a single bit.
– So we only need to use the signature scheme for a single bit multiple times.
– The signatures of all bits constitute the signature of the entire message.

Problem with Extension

• The above simple extension works for a single message of multiple bits.
– But it is subject to attack when there are multiple messages.
– When you have signatures of m1 and m2, you can actually derive the signature of m3.
– Consider for example m1=1011, m2=0100, m3=1111.
– The signatures of the 1st, 3rd, and 4th bits of m3 come from the signature of m1.
– The signature of the 2nd bit of m3 comes from the signature of m2.
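An added example, not from the slides, for the single-bit scheme, its naive multi-bit extension and the mix-and-match problem on the slides above. The trapdoor permutation family is instantiated, by assumption, as RSA exponentiation f(a) = a^e mod N on a constructed toy modulus (the domain sampler D becomes a seeded random choice in Z_N; the trapdoor is never needed because the signer reveals the preimages a, b it sampled itself). The attack function is written for any two signed messages and any target, and returns None when some target bit was never revealed.

```python
import random

# Constructed trapdoor permutation (assumption): RSA f_i(a) = a^e mod N with a toy modulus
# N = (2^61-1)(2^31-1); the index i is (N, e). Not a size fit for real use.
P = 2305843009213693951
Q = 2147483647
N = P * Q
E = 65537


def f(a: int) -> int:
    """Evaluation algorithm F for the fixed index."""
    return pow(a, E, N)


def keygen(bits: int, seed: int):
    """One single-bit instance per position: private (a, b), public (f(a), f(b))."""
    rng = random.Random(seed)           # stands in for the domain sampler D
    sk = [(rng.randrange(2, N), rng.randrange(2, N)) for _ in range(bits)]
    pk = [(f(a), f(b)) for a, b in sk]
    return pk, sk


def sign(sk, m: str) -> list:
    """Naive extension: for position j reveal a_j for bit 0 or b_j for bit 1."""
    return [sk[j][int(bit)] for j, bit in enumerate(m)]


def verify(pk, m: str, sig) -> bool:
    """Check f(s_j) against the published image for the claimed bit at every position."""
    return len(sig) == len(m) == len(pk) and all(
        f(s) == pk[j][int(bit)] for j, (bit, s) in enumerate(zip(m, sig))
    )


def mix_and_match(m1: str, sig1, m2: str, sig2, target: str):
    """Attack from the slides: at each position reuse the preimage revealed by whichever
    signed message already carries the target bit there."""
    forged = []
    for j, bit in enumerate(target):
        if m1[j] == bit:
            forged.append(sig1[j])
        elif m2[j] == bit:
            forged.append(sig2[j])
        else:
            return None                 # this bit's preimage was never revealed
    return forged


def demo() -> bool:
    pk, sk = keygen(4, seed=1)
    m1, m2, m3 = "1011", "0100", "1111"          # the slide's example
    forged = mix_and_match(m1, sign(sk, m1), m2, sign(sk, m2), m3)
    return forged is not None and verify(pk, m3, forged)


if __name__ == "__main__":
    print(demo())
```

Each signature leaks one of the two preimages at every position, so once both have been released for a position the verifier can no longer tell who assembled the bit string; that is exactly why the fix on the next slide swaps in fresh instances after every message.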

Fixing the Problem

• To fix the problem, we need to make sure that the signatures of different messages use different instances of the signature scheme for a single bit.
– This can be done by having the signer re-choose the instances after signing each message.
– To notify the verifier of the new instances, the signer must sign them and include them in the signature.
– In fact, a complete history of message signing and instance changing must be included in the signature.
– Fixed as above, the scheme can be proved to be existentially unforgeable against CMA.

Authentication of Fresh Message

• In the above, we introduced MAC and digital signature for message authentication.
– They guarantee a message was indeed sent by a specific entity.
– However, when we use MAC or digital signature, the message might actually be a replay of a very old message.
• To guarantee the message is fresh, we should
– Include a time stamp as part of the message, or
– Include a fresh nonce chosen by the receiver as part of the message.
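An added example that is not part of the slides, showing both freshness mechanisms from the slide on a MAC-authenticated message: the time stamp and the receiver-chosen nonce are placed inside the authenticated data, the receiver rejects a time stamp outside a tolerance window, and it accepts each nonce it issued exactly once, so a captured message cannot be replayed. HMAC-SHA256 with a constructed key is assumed as the MAC.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the example (assumption); the MAC is HMAC-SHA256.
KEY = b"constructed-demo-key"


def mac(payload: bytes, timestamp: int, nonce: bytes) -> bytes:
    """Freshness fields are part of what is authenticated, so they cannot be swapped."""
    data = timestamp.to_bytes(8, "big") + nonce + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()


def send(payload: bytes, timestamp: int, nonce: bytes) -> dict:
    """Sender side: include the time stamp and the receiver's nonce in the message."""
    return {"payload": payload, "ts": timestamp, "nonce": nonce,
            "tag": mac(payload, timestamp, nonce)}


class Receiver:
    """Accepts a message only if the MAC is valid, the time stamp is within max_skew
    seconds of the receiver's clock, and the nonce was issued here and not yet used."""

    def __init__(self, max_skew: int = 30):
        self.max_skew = max_skew
        self.outstanding = set()

    def issue_nonce(self) -> bytes:
        n = secrets.token_bytes(16)
        self.outstanding.add(n)
        return n

    def accept(self, msg: dict, now: int) -> str:
        expected = mac(msg["payload"], msg["ts"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale timestamp"
        if msg["nonce"] not in self.outstanding:
            return "unknown or replayed nonce"
        self.outstanding.discard(msg["nonce"])   # a nonce is good for exactly one message
        return "ok"


def demo():
    rx = Receiver()
    n = rx.issue_nonce()
    msg = send(b"pay 100", 1_000_000, n)
    first = rx.accept(msg, 1_000_010)                    # fresh: accepted
    replay = rx.accept(msg, 1_000_020)                   # same message again: nonce consumed
    n2 = rx.issue_nonce()
    old = rx.accept(send(b"pay 100", 900_000, n2), 1_000_030)   # valid nonce, old time stamp
    return first, replay, old


if __name__ == "__main__":
    print(demo())
```

The MAC check comes first so that an attacker cannot use the freshness checks' verdicts to probe which nonces are outstanding; the time stamp check bounds how long a message stays replayable even if nonce state were lost.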
