You are on page 1of 43

Digital Signatures

Applied Handbook of Cryptography:


Chapt 11

slides courtesy of Xuhua Ding


Outline
 Framework
 RSA related signature schemes
 DSA related signature schemes
 One-time digital signatures
 Arbitrated signature schemes
 Signatures with added functionality
Framework
Digital Signatures can provide
 Authentication

 Data Integrity

 Non-Repudiation

One Application
 Certification of public keys in large networks
Framework (cont)
 Definitions
 Digital Signature - a data string which associates
a message with some originating entity
 Digital Signature Generation Algorithm – a
method for producing a digital signature
 Digital Signature Scheme - consists of a signature
generation algorithm and an associated
verification algorithm
Framework (cont)
 Notation
M message space
MS signing space
S signature space
R a one-one mapping from M to MS called the
redundancy function
MR the image of R
R-1 the inverse of R
h a one-way function with domain M
Mh hash value space, the image of h (h: M→ Mh)
Framework (cont)
 Taxonomy of digital signatures

randomized
message recovery
deterministic

signature schemes
randomized

appendix

deterministic
Framework (cont)
 Schemes with appendix
 Requires the message as input to verification
algorithm
 Rely on cryptographic hash functions rather than
customized redundancy functions
 DSA, ElGamal, Schnorr etc.
Framework (cont)
 Digital Signature with Appendix

M
Mh S
h SA,k
m m s*
h
s* = SA,k(mh)
u = VA(mh,
Mh x S VA s*)
u ∈ {True,
False}
Framework (cont)
 Desirable Properties
 For each k ∈ R, SA,k should be efficient to compute
 VA should be efficient to compute
 It should be computationally infeasible for an
entity other than the signer to find an m ∈ M and
an s ∈ S such that VA(m’, s*) = true, where m’ =
h(m)
Framework (cont)
 Digital Signature with Message Recovery

M MR S
m R SA,k
m s*
Mr S

S MR M
VA R-1
s* m m
r
Framework (cont)
 Desirable properties
 For each k ∈ R, SA,k should be efficient to compute
 VA should be efficient to compute
 It should be computationally infeasible for an
entity other than A to find any s* ∈ S such that VA(s*)
∈ MR
Framework (cont)

M Mh MR S
m h R SA,k
m m s*
h
Mr S
Framework (cont)
 Breaking a signature scheme
 Total Break: private key is comprimised
 Selective forgery: adversary can create a valid
signature on a preselected message
 Existential forgery: adversary can create a valid
signature with no control over the message
Framework (cont)
 Types of attacks
 Key-only: adversary knows only the public key
 Message attacks

Known-message attack: adversary has signatures for a
set of messages which are known to the adversary but
not chosen by him

Chosen-message attack: adversary obtains valid
signatures from a chosen list of his choice (non adaptive)

Adaptive chosen-message attack: adversary can use the
signer as an oracle
RSA
 Key generation n, p, q, e, d
 Sign
 Compute mr = R(m)
 Compute s = mrd mod n
 The signature for m is s
 Verify
 Obtain authentic public key (n, e)
 Compute mr = se mod n
 Verify that mr ∈ Mr
 Recover m = R-1(mr)
RSA (cont)
 Attacks
 Integer factorization
 Homomorphic property
 Reblocking problem
 If signatures are encrypted different modulus
sizes can render the message unrecoverable
 Importance of the redundancy function
 ISO/IEC 9796
RSA (cont)
 Performance (p, q are k-bit primes)
 Signature O(k3)
 Verification O(k2)
 Bandwidth
 Bandwidth is determined by R. For example,
ISO/IEC 9796 maps k-bit messages to 2k-bit
elements in MS for a 2k-bit signature (efficiency of
½)
DSA
 DSA Algorithm : key generation
 select a prime q of 160 bits
 Choose 0≤t≤8, select 2511+64t <p< 2512+64t with q|
p-1
 Select g in Zp*, and α = g(p-1)/q mod p, α≠1
 Select 1 ≤ a ≤q-1, compute y= αa mod p
 public key (p,q, α,y), private key a
DSA (cont)
 DSA signature generation
 Select a random integer k, 0 < k < q
 Compute r=(αk mod p) mod q
 compute k-1 mod q
 Compute s=k-1 ∗(h(m) + ar) mod q
 signature = (r, s)
DSA (cont)
 DSA signature verification
 Verify 0<r<q and 0<s<q, if not, invalid
 Compute w= s-1mod q and h(m)
 Compute u1=w∗h(m)mod q,u2=r∗w mod q
 Compute v = (αu1yu2 mod p) mod q
 Valid iff v=r

h(m) ≡ −ar + ks (mod q )


wh(m) + arw ≡ k (mod q )
u1 + au 2 ≡ k (mod q )
α u1 y u 2 mod p (mod q ) = α k mod p (mod q )
DSA (cont)
 Security of DSA
 two distinct DL problems: ZP*, cyclic subgroup
order q
 Parameters:
 q~160bits, p 768~1Kb, p,q, α can be system
wide
 Probability of failure
 Pr[s=0]= (1/2)160
DSA (cont)
 Performance
 Signature Generation

One modular exponentiation

Several 160-bit operations (if p is 768 bits)

The exponentiation can be precomputed
 Verification

Two modular exponentiations
ElGamal
 Key generation: p, q, α, a, y=αa mod p
 Signature Generation
 Select random k, 1 ≤ k ≤ p-1, gcd(k, p-1)=1
 Compute r = αk mod p
 Compute k-1 mod (p-1)
 Compute s = k-1 ∗ (h(m) - ar) mod (p-1)
 signature is (r,s)
ElGamal (cont)
 Signature Verification
 Verify 1 ≤ r ≤ p-1
 Compute v1 = yrrs mod p
 Compute h(m) and v2= αh(m) mod p
 Accept iff v1=v2

−1
s ≡ k {h(m) − ar} (mod p − 1)
ks ≡ h(m) − ar (mod p − 1)
h(m) ar + ks a r s
α ≡α ≡ (α ) r (mod p )
ElGamal (cont)
 Security (based on DL problem)
 Index-calculus attack: p should be large
 Pohlig-Hellman attack: p-1 should not be smooth
 Weak generators: If p ≡ 1 mod 4, α|p-1, DL can
be broken for subgroup S of order α. Forgeries
are then possible
ElGamal (cont)
 In addition…
 k must be unique for each message signed
 (s1-s2)k=(h(m1)-h(m2))mod (p-1)
 An existential forgery attack can be mounted if a
hash function is not used
ElGamal (cont)
 Performance
 Signature Generation

One modular exponentiation

One Euclidean Algorithm

Both can be done offline
 Verification

Three modular exponentiations

 Generalized ElGamal Signatures


One-Time Signatures
 Definition: digital schemes used to sign, at
most one message; otherwise signature can
be forged. A new public key is required for
each signed message.
 Most one-time signature schemes have the
property that signature generation and
verification are both very efficient
Rabin One-Time Signatures
 Key generation
 Select a symmetric key encryption scheme E (e.g.
DES)
 Generate 2n random secret strings k1,k2...k2n∈K,
each of bit length l
 Compute yi=Eki(M0(i)), i ∈[1,2n].
 Public key is (y1,y2,...y2n),
 private key is (k1,k2,...k2n).
Rabin One-Time Signatures
 Signature Generation:
 compute si=Eki(h(m)), i ∈[1,2n]
 signature is (s1,s2,...s2n)
 Verification:
 Compute h(m)
 Select n distinct random number rj, rj∈[1,2n]
 Request from signer, the keys krj, ∀ j: 1 ≤ j ≤ n
 Verify received n keys ie. does yrj= Ekr (M0(rj))?
j

 Verify all srj = Ekr (h(m)),


j
Rabin One-Time Signatures
 Resolution of disputes: signer A, verifier B
and TTP
 B provides m and the signature to TTP
 TTP gets private key k1,...k2n from A
 TTP verifies authenticity of the private key
 TTP computes ui=Eki(h(m)), 1 ≤ i ≤ n. If ui = si for at
most n values of i, it is forgery. If n+1 or more
values match, it is valid signature

1
 Rationale for dispute resolution
2n  protocol
 A can disavow with Pr 
=n 
 
Arbitrated Digital Signatures
 Requires an unconditionally TTP as part of
the signature generation and signature
verification.
 Each entity shares a symmetric key with the
TTP
 Symmetric key cryptography results in a
very fast algorithm
 However, this speedup is overshadowed by
the TTP as well as communication overhead
Arbitrated Digital Signatures
 Signature Generation (by A)

A IAs, =
uE=k (h(m)||I
T Ek (h(m))
A A) TTP
Arbitrated Digital Signatures
 Signature Verification (by B)

B IBE,kv(h(m)||I
B = Ek (s)
B A) TTP
ESIGN
 Key generation
 Compute n=p2q, select k>3

 Public key(n,k), private (p,q)

 Sign message m
 compute v=h(m), random x, 0 ≤ x < pq

 w = ((v-xk) mod n/ (pq), y = w(kxk-1)-1 mod p

 Compute s=x+ypq mod n

 Verify:
 compute u = sk mod n, z = h(m)

 if z ≤ u ≤ z + 22 lg(n)/3 , accept the signature


ESIGN (cont)
 Why does this work? I refer you to the text p 473 

 Security of ESIGN
 Based on factoring of large integers.
 Not known whether n=p2q is easier than factoring RSA
modulus
 Given m and s, inkorder to forge a signature
 2 lg n 3 for m’, we must
h(m' ) ≤ s mod n ≤ h(m' ) + 2
have that

Assuming h behaves like a random function, we would


expect to try 2lg(n)/3 different values of m’
ESIGN (cont)
 Efficiency of ESIGN
 The only modular exponentiation is with

parameter k which may be taken to be quite


small (e.g. k=4)
 For a 768-bit modulus n, ESIGN signature

generation may be between one and two orders


of magnitude (10 to 100 times) faster than RSA
signature generation.
Blind signature scheme
 Definition: A sends a piece of information to
B. B signs and returns the signature to A.
From this signature, A can compute B’s
signature on a priori message m of A’s
choice. At the completion of the protocol, B
knows neither m, nor the signature
associated with it.
 Application: e-cash
Blind signature scheme
(cont)
 Chaum
 Sender A; Signer B
 B’s RSA public and private key are as usual. k is a
random secret integer chosen by A, satisfying 0 ≤
k<n
 Protocol actions
 (blinding) A: comp m* = mke mod n, to B
Note: (mke)d = mdk

(signing) B comp s* = (m*)d mod n, to A

(unblinding) A: computes s = k-1s* mod n
Undeniable Signature
Schemes

 Definition: signature verification


requires the cooperation of signer

 Chaum-van Antwerpen
 Key generation

Select random prime p=2q+1, q is prime
 Select a generator α for the subgroup of order q in Zp*

Select random a∈{1,2,...q-1}, y= αamod p

public (p, α, y), private a
Chaum-van Antwerpen
 Signature Generation
 compute s = ma mod p
 Verification
 B selects a random secret integers x1, x2 ∈
{1,2,...q-1}
 B computes z = sx1yx2 mod p, and sends z to A
 A computes w = za-1mod p, and sends w to B
 B computes w′ = mx1αx2 mod p. Valid iff w= w′
a -1 x1 x2 a −1 ax1 ax2 a −1 x1 x2
w≡z ≡ (s y ) ≡ (m α ) ≡m α ≡ w' mod p
Chaum-van Antwerpen
 If s is a forgery, B accept it with pr=1/q and
independent of adversary’s computation
resources

 A could attempt to disavow a signature


 refuse to participate in verification
 perform the verification incorrectly
 claim a signature forgery even though the
verification protocol is successful.
Chaum-van Antwerpen
 Disavowal protocol
 Select two pair (x1, x2) and (x’1, x’2) and verify
twice
 Compute c = (wα-x2)x’1 mod p and c′ = (w′α-x’2)x1
mod p, if c = c′, s is a forgery, otherwise s is valid
and A is attempting to disavow the signature
 Let m be message, s a signature on m
 If s ≠ ma mod p and the disavowal protocol runs
correctly, then c=c′
 If s = ma mod p. B follows protocol, but A does
not. The Pr[c=c′] is 1/q