Scribd Logo
Upload

Welcome to Scribd!

  • Cryptography CS 555: Topic 21: Digital Schemes

    Uploaded by

    privy manmar
    13 views12 pages
    This document provides an overview of digital signatures including: - Digital signatures allow one party to generate a signature and many parties to verify it, providing authentication, data integrity, and non-repudiation. - RSA signatures are insecure if used directly on messages, but are secure if a hash of the message is signed instead. - The hash and sign paradigm makes signing arbitrary long messages possible by hashing the message first before signing. - Non-repudiation ensures a party cannot deny something like their signature or sending of a message. Digital signatures can provide non-repudiation while email alone does not.

    Original Description:

    Original Title

    555_Spring12_topic21

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides an overview of digital signatures including: - Digital signatures allow one party to generate a signature and many parties to verify it, providing authentication, data integrity, and non-repudiation. - RSA signatures are insecure if used directly on messages, but are secure if a hash of the message is signed instead. - The hash and sign paradigm makes signing arbitrary long messages possible by hashing the message first before signing. - Non-repudiation ensures a party cannot deny something like their signature or sending of a message. Digital signatures can provide non-repudiation while email alone does not.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    13 views12 pages

    Cryptography CS 555: Topic 21: Digital Schemes

    Uploaded by

    privy manmar
    This document provides an overview of digital signatures including: - Digital signatures allow one party to generate a signature and many parties to verify it, providing authentication, data integrity, and non-repudiation. - RSA signatures are insecure if used directly on messages, but are secure if a hash of the message is signed instead. - The hash and sign paradigm makes signing arbitrary long messages possible by hashing the message first before signing. - Non-repudiation ensures a party cannot deny something like their signature or sending of a message. Digital signatures can provide non-repudiation while email alone does not.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 12

    Cryptography

    CS 555

    Topic 21: Digital Schemes (1)

    CS555 Topic 21 1
    Outline and Readings

    • Outline
    • Digital signature
    • RSA signatures
    • Hash and sign

    • Readings:
    • Katz and Lindell: Chapter 12.1-
    12.4

    CS555 Topic 21 2
    Digital Signatures: The Problem

    • Consider the real-life example where a person pays by


    credit card and signs a bill; the seller verifies that the
    signature on the bill is the same with the signature on the
    card
    • Contracts are valid if they are signed.
    • Signatures provide non-repudiation.
    – ensuring that a party in a dispute cannot repudiate, or refute the
    validity of a statement or contract.
    • Can we have a similar service in the electronic world?
    – Does Message Authentication Code provide non-repudiation? Why?

    CS555 Topic 21 3
    Digital Signatures
    • MAC: One party generates MAC, one party verifies integrity.
    • Digital signatures: One party generates signature, many
    parties can verify.
    • Digital Signature: a data string which associates a message
    with some originating entity.
    • Digital Signature Scheme:
    – a signing algorithm: takes a message and a (private) signing key,
    outputs a signature
    – a verification algorithm: takes a (public) verification key, a message,
    and a signature
    • Provides:
    – Authentication, Data integrity, Non-Repudiation

    CS555 Topic 21 4
    Digital Signature
    • A signature scheme consists of the following three PPT
    algorithms
    – (pk,sk)  Gen(1n) key generation
       Signsk(m) signing
    – b := Vrfypk(m,t) verification algorithm b=1 meaning
    valid, b=0 meaning invalid
    Must satisfy  (pk,sk) m Vrfypk(m, Signsk(m)) = 1

    Assume that receiver has an authentic copy of the sender’s public


    key, then receiver can verify that a document is indeed sent by the
    sender.

    CS555 Topic 21 5
    Security of Signature Schemes

    • The experiment Sig-forgeA,


    – (pk,sk) Gen(1n)
    – Adversary A is given pk and oracle access to Signsk()
    – Adversary outputs (m, ). Let Q denote the set of all queries that
    A asked to the oracle.
    – Adversary wins if Vrfypk(m, t) = 1 and m  Q

    • A signature  is existential unforgeable under an adaptive


    chosen-message attack (or just secure) if for all PPT A,
    there exists a negligible function negl such that
    Pr[Mac-forgeA,=1]  negl(n)

    CS555 Topic 21 6
    “Textbook RSA” Signatures
    Key generation (as in RSA encryption):

    Public key: (e, n) used for verification


    Private key: d, used for generation

    Signing message m with private key


    • Compute  = md mod n
    Verifying signature  using public key (e, n)
    • Check whether e mod n = m

    CS555 Topic 21 7
    Insecurity of “Textbook RSA”
    • A no-message attack
    – Choose arbitrary , compute m= e mod n
    – (m,) is a valid pair
    – One cannot control what is m
    • Forging signature on arbitrary message
    – To forge signature on message m, query signing oracle
    for m1 (obtaining 1) and m2=m/m1 (mod n) (obtaining
    2)
    – (m, 1 2) is a valid pair

    CS555 Topic 21 8
    RSA Signatures with Hash
    Use a hash function H: {0,1}* Zn*

    Signing message m with private key (n,d)


    • Compute  = H(m)d mod n
    Verifying signature  using public key (e, n)
    • Check whether e mod n = H(m)

    Can be proven secure assuming that H is random


    oracle. (This is not considered a valid proof of
    security, but means that no known attack exists.)

    CS555 Topic 21 9
    Hash and Sign Paradigm
    • Enabling the signing of arbitrary long message.

    • Given a secure signing scheme (for a fixed


    message space), and a collision-resistant hash
    function, first hash and then sign is also secure.
    – “Textbook RSA” is insecure, so this result does not
    apply to hash and sign with RSA
    – Any attack either finds a collision or breaks the security
    of the signing scheme.

    CS555 Topic 21 10
    Non-repudiation
    • Nonrepudiation is the assurance that someone cannot
    deny something. Typically, nonrepudiation refers to the
    ability to ensure that a party to a contract or a
    communication cannot deny the authenticity of their
    signature on a document or the sending of a message
    that they originated.

    • Can one deny a signature one has made?

    • Does email provide non-repudiation?

    CS555 Topic 21 11
    Coming Attractions …
    • Other Signature Schemes

    • Reading: Katz & Lindell: Chapter


    12.5,12.7
    • ignat

    CS555 Topic 21 12

    You might also like