Molecular Clock I. Evolutionary rate Xuhua Xia [email protected] .
Digital Signatures Applied Handbook of Cryptography: Chapt 11 slides courtesy of Xuhua Ding.
-
Upload
byron-magnus-west -
Category
Documents
-
view
218 -
download
0
Transcript of Digital Signatures Applied Handbook of Cryptography: Chapt 11 slides courtesy of Xuhua Ding.
Outline
Framework RSA related signature schemes DSA related signature schemes One-time digital signatures Arbitrated signature schemes Signatures with added functionality
Framework
Digital Signatures can provide Authentication Data Integrity Non-Repudiation
One Application Certification of public keys in large networks
Framework (cont)
Definitions Digital Signature - a data string which associates
a message with some originating entity Digital Signature Generation Algorithm – a
method for producing a digital signature Digital Signature Scheme - consists of a signature
generation algorithm and an associated verification algorithm
Framework (cont)
NotationM message space
MS signing space
S signature space
R a one-one mapping from M to MS called the redundancy function
MR the image of R
R-1 the inverse of Rh a one-way function with domain M Mh hash value space, the image of h (h: M Mh)
Framework (cont)
Taxonomy of digital signatures
signature schemes
message recovery
appendix
deterministic
randomized
randomized
deterministic
Framework (cont)
Schemes with appendix Requires the message as input to verification
algorithm Rely on cryptographic hash functions rather than
customized redundancy functions DSA, ElGamal, Schnorr etc.
Framework (cont)
Digital Signature with Appendix
M
m mh
Mh
h s*
SSA,k
Mh x Su {True, False}
VA
s* = SA,k(mh)u = VA(mh, s*)
Framework (cont)
Desirable Properties For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an
entity other than the signer to find an m M and an s S such that VA(m’, s*) = true, where m’ = h(m)
Framework (cont)
Desirable properties For each k R, SA,k should be efficient to compute VA should be efficient to compute It should be computationally infeasible for an
entity other than A to find any s* S such that VA(s*) MR
Framework (cont)
Breaking a signature scheme Total Break: private key is comprimised Selective forgery: adversary can create a valid
signature on a preselected message Existential forgery: adversary can create a valid
signature with no control over the message
Framework (cont)
Types of attacks Key-only: adversary knows only the public key Message attacks
Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him
Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive)
Adaptive chosen-message attack: adversary can use the signer as an oracle
RSA
Key generation n, p, q, e, d Sign
Compute mr = R(m) Compute s = mr
d mod n The signature for m is s
Verify Obtain authentic public key (n, e) Compute mr = se mod n Verify that mr Mr
Recover m = R-1(mr)
RSA (cont)
Attacks Integer factorization Homomorphic property
Reblocking problem If signatures are encrypted different modulus
sizes can render the message unrecoverable Importance of the redundancy function
ISO/IEC 9796
RSA (cont)
Performance (p, q are k-bit primes) Signature O(k3) Verification O(k2)
Bandwidth Bandwidth is determined by R. For example,
ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of ½)
DSA
DSA Algorithm : key generation1. select a prime q of 160 bits2. Choose 0t8, select 2511+64t <p< 2512+64t with q|
p-13. Select g in Zp
*, and = g(p-1)/q mod p, 1
4. Select 1 a q-1, compute y= a mod p5. public key (p,q, ,y), private key a
DSA (cont)
DSA signature generation Select a random integer k, 0 < k < q Compute r=(k mod p) mod q compute k-1 mod q Compute s=k-1 (h(m) + ar) mod q signature = (r, s)
DSA (cont)
DSA signature verification Verify 0<r<q and 0<s<q, if not, invalid Compute w= s-1mod q and h(m) Compute u1=wh(m)mod q,u2=rw mod q Compute v = (u1yu2 mod p) mod q Valid iff v=r
)(modmod)(modmod
)(mod
)(mod )(
)(mod )(
21
21
qpqpy
qkauu
qkarwmwh
qksarmh
kuu
DSA (cont)
Security of DSA two distinct DL problems: ZP
*, cyclic subgroup order q
Parameters: q~160bits, p 768~1Kb, p,q, can be system
wide Probability of failure
Pr[s=0]= (1/2)160
DSA (cont)
Performance Signature Generation
One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be precomputed
Verification Two modular exponentiations
ElGamal
Key generation: p, q, , a, y=a mod p Signature Generation
Select random k, 1 k p-1, gcd(k, p-1)=1 Compute r = k mod p Compute k-1 mod (p-1) Compute s = k-1 (h(m) - ar) mod (p-1) signature is (r,s)
ElGamal (cont)
Signature Verification Verify 1 r p-1 Compute v1 = yrrs mod p Compute h(m) and v2= h(m) mod p Accept iff v1=v2
)(mod r)(
)1(mod )(
)1(mod })({
sr)(
1
p
parmhks
parmhks
aksarmh
ElGamal (cont)
Security (based on DL problem) Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p 1 mod 4, |p-1, DL can
be broken for subgroup S of order . Forgeries are then possible
ElGamal (cont)
In addition… k must be unique for each message signed
(s1-s2)k=(h(m1)-h(m2))mod (p-1)
An existential forgery attack can be mounted if a hash function is not used
ElGamal (cont)
Performance Signature Generation
One modular exponentiation One Euclidean Algorithm Both can be done offline
Verification Three modular exponentiations
Generalized ElGamal Signatures
One-Time Signatures
Definition: digital schemes used to sign, at most one message; otherwise signature can be forged. A new public key is required for each signed message.
Most one-time signature schemes have the property that signature generation and verification are both very efficient
Rabin One-Time Signatures
Key generation Select a symmetric key encryption scheme E (e.g.
DES) Generate 2n random secret strings k1,k2...k2nK,
each of bit length l Compute yi=Eki
(M0(i)), i [1,2n].
Public key is (y1,y2,...y2n), private key is (k1,k2,...k2n).
Rabin One-Time Signatures
Signature Generation: compute si=Eki
(h(m)), i [1,2n]
signature is (s1,s2,...s2n)
Verification: Compute h(m) Select n distinct random number rj, rj[1,2n]
Request from signer, the keys krj, j: 1 j n
Verify received n keys ie. does yrj= Ekrj
(M0(rj))?
Verify all srj = Ekrj
(h(m)),
Rabin One-Time Signatures
Resolution of disputes: signer A, verifier B and TTP B provides m and the signature to TTP TTP gets private key k1,...k2n from A TTP verifies authenticity of the private key TTP computes ui=Eki
(h(m)), 1 i n. If ui = si for
at most n values of i, it is forgery. If n+1 or more values match, it is valid signature
Rationale for dispute resolution protocol A can disavow with Pr =
n
n2
1
Arbitrated Digital Signatures
Requires an unconditionally TTP as part of the signature generation and signature verification.
Each entity shares a symmetric key with the TTP
Symmetric key cryptography results in a very fast algorithm
However, this speedup is overshadowed by the TTP as well as communication overhead
ESIGN Key generation
Compute n=p2q, select k>3 Public key(n,k), private (p,q)
Sign message m compute v=h(m), random x, 0 x < pq w = ((v-xk) mod n/ (pq), y = w(kxk-1)-1 mod p Compute s=x+ypq mod n
Verify: compute u = sk mod n, z = h(m) if z u z + 22 lg(n)/3 , accept the signature
ESIGN (cont) Why does this work? I refer you to the text p 473
Security of ESIGN Based on factoring of large integers. Not known whether n=p2q is easier than factoring RSA
modulus Given m and s, in order to forge a signature for m’, we must
have that
Assuming h behaves like a random function, we would expect to try 2lg(n)/3 different values of m’
3lg22)'(mod )'( nk mhnsmh
ESIGN (cont) Efficiency of ESIGN
The only modular exponentiation is with parameter k which may be taken to be quite small (e.g. k=4)
For a 768-bit modulus n, ESIGN signature generation may be between one and two orders of magnitude (10 to 100 times) faster than RSA signature generation.
Blind signature scheme
Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B’s signature on a priori message m of A’s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it.
Application: e-cash
Blind signature scheme (cont)
Chaum Sender A; Signer B B’s RSA public and private key are as usual. k is a
random secret integer chosen by A, satisfying 0 k < n
Protocol actions (blinding) A: comp m* = mke mod n, to B
Note: (mke)d = mdk (signing) B comp s* = (m*)d mod n, to A (unblinding) A: computes s = k-1s* mod n
Undeniable Signature Schemes
Definition: signature verification requires the cooperation of signer
Chaum-van Antwerpen Key generation
Select random prime p=2q+1, q is prime Select a generator for the subgroup of order q in Zp
*
Select random a{1,2,...q-1}, y= amod p public (p, , y), private a
Chaum-van Antwerpen
Signature Generation compute s = ma mod p
Verification B selects a random secret integers x1, x2
{1,2,...q-1} B computes z = sx1yx2 mod p, and sends z to A A computes w = za-1mod p, and sends w to B B computes w = mx1x2 mod p. Valid iff w= w
pwmmysw xxaaxaxaxx mod ')()(z 211
211
21-1a
Chaum-van Antwerpen
If s is a forgery, B accept it with pr=1/q and independent of adversary’s computation resources
A could attempt to disavow a signature refuse to participate in verification perform the verification incorrectly claim a signature forgery even though the
verification protocol is successful.
Chaum-van Antwerpen
Disavowal protocol Select two pair (x1, x2) and (x’1, x’2) and verify
twice Compute c = (w-x2)x’1 mod p and c = (w-x’2)x1
mod p, if c = c, s is a forgery, otherwise s is valid and A is attempting to disavow the signature
Let m be message, s a signature on m If s ma mod p and the disavowal protocol runs
correctly, then c=c If s = ma mod p. B follows protocol, but A does
not. The Pr[c=c] is 1/q