Digital Signatures. Presented by Olga Shishenina.
2 Outline
- Cryptographic goals
- Message Authentication Codes (MACs)
- Digital signatures: RSA digital signature; elliptic curve digital signature
- Comparison of ECDSA and RSA signature
3 Cryptographic Goals
Cryptographic goals: Confidentiality, Data integrity, Authentication, Non-repudiation
- Confidentiality: symmetric-key ciphers (block ciphers, stream ciphers); public-key ciphers
- Data integrity: arbitrary-length hash functions; Message Authentication Codes (MACs); digital signatures
- Authentication: message authentication (MACs, digital signatures); entity authentication
- Non-repudiation: digital signatures
Authentication primitives: MACs and digital signatures
4 Non-repudiation
Alice sends (m, s) to Bob: m is a signed message, s is a valid signature for m.
Alice can deny her signature if she finds m' ≠ m such that s is a valid signature for m'.
5 Message Authentication Codes
MAC f(x, key): {0,1}* → {0,1}^n
- knowing x and key, f is easy to compute
- it is infeasible to calculate f(x, key) without the key
MACs are often block-cipher based: message m, secret key k, specification of block cipher E
MAC(m) = E(m, key) or MAC(m) = E(hash(m), key)
6 CBC-based MAC algorithm
Algorithm CBC-MAC
INPUT: data x; specification of block cipher E; secret MAC key for E
OUTPUT: n-bit MAC on x
Split x into n-bit blocks x1, x2, ..., xt. With IV = 0:
h1 = E_key(x1)
h_i = E_key(h_{i-1} ⊕ x_i), 2 ≤ i ≤ t
H = h_t = MAC (after an optional output transformation)
[Figure: chain of E_key blocks; block i takes x_i (n bits) XORed with the previous n-bit output h_{i-1}; the last output H is the MAC]
7 Use of a MAC
[Figure: the signer runs the MAC algorithm on the message with the secret key and sends (message, MAC) over an unsecured channel; the verifier runs the MAC verification algorithm with the same secret key and outputs Ok / not Ok]
Used to provide: data integrity, message authentication
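As an added example (not part of the original slides), the CBC-MAC chaining of slide 6 and the signer/verifier roles of slide 7 in Python. The block cipher E_key is replaced by a stand-in keyed pseudorandom function built from SHA-256 (an assumption of this example, chosen so it runs without a crypto library); the chaining logic is exactly h1 = E_key(x1), h_i = E_key(h_{i-1} ⊕ x_i), with IV = 0, and the verifier recomputes the tag with the shared key and compares in constant time.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128-bit blocks, as with AES (assumption for this example)


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_key(.): a keyed pseudorandom function derived from SHA-256.
    It is NOT a real block cipher (not invertible); CBC-MAC only needs the keyed
    map to be pseudorandom, so the chaining below is unchanged. Use AES in practice."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def split_blocks(x: bytes) -> list:
    """Zero-pad x to a multiple of n bits and cut it into blocks x1 .. xt."""
    if len(x) % BLOCK:
        x += b"\x00" * (BLOCK - len(x) % BLOCK)
    if not x:
        x = b"\x00" * BLOCK  # an empty input still produces one block
    return [x[i:i + BLOCK] for i in range(0, len(x), BLOCK)]


def cbc_mac(key: bytes, x: bytes) -> bytes:
    """Slide 6: h1 = E_key(x1); h_i = E_key(h_{i-1} XOR x_i); MAC = h_t, IV = 0."""
    h = bytes(BLOCK)  # IV of all zeros
    for xi in split_blocks(x):
        chained = bytes(a ^ b for a, b in zip(h, xi))  # h_{i-1} XOR x_i
        h = toy_block_cipher(key, chained)
    return h


def verify_mac(key: bytes, x: bytes, tag: bytes) -> bool:
    """Slide 7 verifier: recompute with the shared key; constant-time comparison."""
    return hmac.compare_digest(cbc_mac(key, x), tag)


if __name__ == "__main__":
    k = b"\x2b" * BLOCK               # constructed sample key
    msg = b"transfer 100 to account 42"  # constructed sample message
    tag = cbc_mac(k, msg)
    print(tag.hex(), verify_mac(k, msg, tag), verify_mac(k, msg + b"0", tag))
```

Note that the plain zero padding used here means a message and the same message with trailing zero bytes produce one tag; the standardised variants (CMAC, ISO/IEC 9797-1 padding) exist precisely to encode the length, which is why the slide mentions an optional output transformation.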
8 Digital Signatures Scheme
Used to provide: data integrity, message authentication, non-repudiation
[Figure: the signer runs the signing algorithm on the message with the signer's private key and sends (message, signature) over an unsecured channel; the verifier runs the signature verification algorithm with the signer's public key and outputs Ok / not Ok]
9 Difference between MAC and digital signature
- To prove the validity of a MAC to a third party, you need to reveal the key
- If you can verify a MAC, you can also create it
- A MAC does not allow a distinction to be made between the parties sharing the key
- Computing a MAC is (usually) much faster than computing a digital signature; important for devices with low computing power
11 RSA
- Developed in 1978 by Rivest, Shamir and Adleman (RSA)
- Most popular public key cryptosystem
- Based on the hard problem of "integer factorization"
12 Key-Generation for RSA (1)
1. Generate two large random distinct primes p and q, each roughly the same size
2. Compute n = pq and φ(n) = (p - 1)(q - 1)
3. Select a random integer e, 1 < e < φ(n), such that gcd(e, φ(n)) = 1
4. Compute the unique integer d, 1 < d < φ(n), such that ed ≡ 1 (mod φ(n))
5. Public key is (n, e); private key is d
13 Key-Generation for RSA (2)
- Usually numbers with the right bit length are chosen randomly and tested for primality
- Statistical tests are used to determine the probability that these numbers are prime, e.g. the Solovay–Strassen test and the Miller–Rabin test
- There is always an insignificantly low chance that the number is not prime
14 Used notation
- M is a set of elements, called the message space: M = Z_n
- MS is a set of elements, called the signing space: MS = Z_n
- R is a 1-to-1 mapping from M to MS, called the redundancy function
- MR is the image of R: MR = {y | y = R(x), x ∈ M}
- R^{-1} is the inverse of R: MR → M
15 RSA signature generation and verification
To sign a message m, A should:
1. Compute m̃ = R(m), an integer in the range [0, n-1], where R is a redundancy function
2. Compute s = m̃^d mod n. A's signature for m is s.
To verify A's signature and recover m, B should:
1. Obtain A's authentic public key (n, e)
2. Compute m̃ = s^e mod n
3. Verify that m̃ ∈ MR; if not, reject the signature
4. Recover m = R^{-1}(m̃)
16 Proof that signature verification works
Euler's theorem: a^{φ(n)} ≡ 1 (mod n) for gcd(a, n) = 1, where φ(n) is Euler's function of n.
If s is a signature for m, then s ≡ m̃^d (mod n), m̃ = R(m).
Since n = pq and ed ≡ 1 (mod φ(n)), i.e. ed = 1 + kφ(n) for some integer k, then:
s^e ≡ m̃^{ed} ≡ m̃^{1 + kφ(n)} ≡ m̃ · (m̃^{φ(n)})^k ≡ m̃ · 1 ≡ m̃ (mod n)
Finally: R^{-1}(m̃) = R^{-1}(R(m)) = m.
17 RSA signature example
Alice: p = 5, q = 7, n = 35, φ(n) = 4·6 = 24, e = 5; d: ed = 5d ≡ 1 (mod 24) ⇒ d = 5
Public key: (n = 35, e = 5). Private key: d = 5
M = [0, n-1], R(m) = m for all m ∈ M. m = 26; m̃ = R(m) = 26; s = 26^5 mod 35 = 31
Bob: m̃ = 31^5 mod 35 = 26 ∈ [0, n-1]; m = R^{-1}(m̃) = 26
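As an added example (not from the slides), slides 12, 13, 15 and 17 in Python: Miller–Rabin primality testing for key generation, the sign/verify operations s = m̃^d mod n and m̃ = s^e mod n, and the slide 17 numbers (p = 5, q = 7, e = 5) as a check. The hashed variant at the end signs a SHA-256 digest as the redundancy value m̃ (the "sign a hash of m" option of slide 20); SHA-256 and the 512-bit toy key size are assumptions of this example, not values from the slides.

```python
import hashlib
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test (slide 13): a composite survives one round with
    probability at most 1/4, so 40 rounds leave an insignificantly low error."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:  # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate of exactly `bits` bits, retried until it passes the test."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def rsa_keygen_from_primes(p: int, q: int, e: int):
    """Steps 2-5 of slide 12. Slide 17: p=5, q=7, e=5 gives n=35, d=5."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # the unique d with e*d = 1 mod phi(n)
    return (n, e), d


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Step 1 of slide 12 plus the rest: two distinct primes of half the size."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1 and (p * q).bit_length() == bits:
            return rsa_keygen_from_primes(p, q, e)


def rsa_sign(m_tilde: int, d: int, n: int) -> int:
    """s = m~^d mod n (slide 15, signer)."""
    return pow(m_tilde, d, n)


def rsa_verify(s: int, e: int, n: int) -> int:
    """m~ = s^e mod n (slide 15, verifier); caller checks m~ is in MR."""
    return pow(s, e, n)


def sign_hashed(msg: bytes, d: int, n: int) -> int:
    """Redundancy function R(m) = SHA-256(m) as an integer in [0, n-1] (assumption)."""
    m_tilde = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return rsa_sign(m_tilde, d, n)


def verify_hashed(msg: bytes, s: int, e: int, n: int) -> bool:
    """Accept only if s^e mod n equals R(m) recomputed from the message."""
    expected = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return rsa_verify(s, e, n) == expected


if __name__ == "__main__":
    (n, e), d = rsa_keygen_from_primes(5, 7, 5)
    print(rsa_sign(26, d, n), rsa_verify(31, e, n))  # slide 17: 31 and 26
```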
18 Possible Attacks on RSA signature
Integer factorization: if an adversary is able to factor n = pq, then they can compute φ(n) = (p - 1)(q - 1) and find d with ed ≡ 1 (mod φ(n)).
Multiplicative property of RSA: if s1 = m̃1^d mod n and s2 = m̃2^d mod n, then s = s1·s2 mod n = (m̃1·m̃2)^d mod n. If m̃ = m̃1·m̃2 mod n ∈ MR, then s is a valid signature for m = R^{-1}(m̃). Hence, to avoid this attack, R must not be multiplicative, i.e. for a, b ∈ M: R(a·b) ≠ R(a)·R(b).
19 Performance characteristics
- n = pq, where n is 2k bits and p, q are k-bit primes
- Signing s = m̃^d mod n takes O(k^3) bit operations
- Verification is significantly faster than signing if e is chosen to be a small number, e.g. e = 3 or e = 2^16 + 1; e must be chosen so that gcd(e, (p - 1)(q - 1)) = 1
- It is not recommended to restrict the size of d
20 Short vs. long messages
n = pq, where n is 2k bits and p, q are k-bit primes. ISO/IEC 9796 redundancy function R: maps a k-bit message m to a 2k-bit m̃.
To sign a kt-bit message m, either:
- Divide m = m1 || m2 || m3 || ... || mt and sign each block individually: one transmits 2kt bits.
- Sign an l-bit hash(m), l ≤ k. Then one transmits kt + 2k bits (kt to transmit the message).
If t > 2, then kt + 2k < 2kt.
22 Elliptic curves (EC) over the reals
A non-singular EC is the set E of solutions (x, y) ∈ R × R to the equation
y^2 = x^3 + ax + b, a, b ∈ R, 4a^3 + 27b^2 ≠ 0
together with a special point O, where x^3 + ax + b = 0 has three distinct roots (equivalently 4a^3 + 27b^2 ≠ 0).
24 Addition – Geometric Approach
Chord-and-tangent rule: P + Q = R, P ≠ Q
Point doubling: P + P = 2P = R
[Figure: left, the line through P = (x1, y1) and Q = (x2, y2) meets the curve a third time at -R = (x3, -y3), reflected to R = (x3, y3); right, the tangent at P = (x1, y1) meets the curve at -R = (x3, -y3), reflected to R = (x3, y3)]
25 Addition – Algebraic Approach
E is an elliptic curve over the reals.
1. O is the identity element: P + O = O + P = P for all P ∈ E
2. If P = (x, y) ∈ E then -P = (x, -y), and P + (-P) = O
3. Let P = (x1, y1) ∈ E, Q = (x2, y2) ∈ E, P ≠ ±Q. Then P + Q = (x3, y3), where
λ = (y2 - y1) / (x2 - x1), x3 = λ^2 - x1 - x2, y3 = λ(x1 - x3) - y1
4. Let P = (x1, y1) ∈ E, P ≠ -P. Then 2P = (x3, y3), where
λ = (3x1^2 + a) / (2y1), x3 = λ^2 - 2x1, y3 = λ(x1 - x3) - y1
26 Galois Fields (Finite Fields) GF(q)
A set of elements (G, +, *) that satisfy certain arithmetic properties.
A finite field exists iff q is a prime power.
If q = p, p prime: {0, 1, ..., p - 1} are the field elements.
ADDITION: a, b ∈ GF(p): a + b = r, r = (a + b) mod p
MULTIPLICATION: a, b ∈ GF(p): a * b = r, r = (a · b) mod p
INVERSION: a ≠ 0: a^{-1} is the element with a · a^{-1} ≡ 1 (mod p)
27 Elliptic Curves Over Finite Fields
Over GF(p), p prime, p > 3. Elliptic curve E equation:
y^2 = x^3 + ax + b, where a, b ∈ GF(p) and 4a^3 + 27b^2 ≠ 0 (mod p)
E consists of all pairs (x, y), x ∈ GF(p), y ∈ GF(p), satisfying the curve equation, together with the special point O, the point at infinity.
28 Example 1: elliptic curve over GF(23)
p = 23. E: y^2 = x^3 + x + 4 (mod 23), a = 1, b = 4; 4a^3 + 27b^2 = 4 + 432 = 436 ≡ 22 ≠ 0 (mod 23).
The points in E are O and the following: (0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16)
(7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) …
28 points + O = 29 points
Let's consider (4, 7): 64 + 4 + 4 = 72 ≡ 3 (mod 23) and 7^2 = 49 ≡ 3 (mod 23)
29 Basic Facts
Let E(GF(q)) be an EC over GF(q). The points of E(GF(q)) form a group under addition.
Hasse's theorem: the number of points on E (group order) is #E(GF(q)) = q + 1 - t, |t| ≤ 2√q.
If #E is prime then the group is cyclic and for any P ∈ E(GF(q)), P ≠ O: E(GF(q)) = {kP : 0 ≤ k ≤ #E - 1}.
If #E has a prime factor, then there exists a cyclic subgroup of that order.
30 Example 2: elliptic curve over GF(23)
p = 23, E: y^2 = x^3 + x + 4. #E = 29 is prime, so the group is cyclic.
The points in E are O and the following: P = (0, 2) 2P = (13, 12) 3P = (11, 9) 4P = (1, 12)
5P = (7, 20) 6P = (9, 11) 7P = (15, 9) 8P = (14, 5)
9P = (4, 7) 10P = (22, 5) 11P = (10, 5) 12P = (17, 9)
13P = (8, 15) 14P = (18, 9) 15P = (18, 14) 16P = (8, 8)
17P = (17, 14) 18P = (10, 18) 19P = (22, 18) 20P = (4, 16)
21P = (14, 18) 22P = (15, 17) 23P = (9, 12) 24P = (7, 3)
25P = (1, 11) 26P = (11, 14) 27P = (13, 11) 28P = (0, 21)
29P = O 30P = P
29 points
31 ECDSA parameters setup
Create (random) public abstract groups:
- Domain Parameter Generate: complex & public. DP often taken from a published list.
- Domain Parameter Validate: easy & public.
- Key Pair Generate: easy & private.
- Key Pair Validate: easy & public.
32 ECDSA Domain Parameters
Domain parameters D = (q, a, b, G, n, h)
- Field size q, q = p or q = 2^m
- Coefficients a, b ∈ GF(q) of E = E_{a,b}(GF(q)): 4a^3 + 27b^2 ≠ 0
- Seed s of length ≥ 160 bits (optional)
- Base point G = (xG, yG) on curve E, i.e. xG, yG ∈ GF(q)
- Order n of G: n is prime, n > 2^160 and n > 4√q
- Cofactor h: #E(GF(q)) = hn
33 Curve parameters generation (1)
Input: GF(p), p prime. Output: seed, curve coefficients a & b.
Used notations: t = ⌈log2 p⌉, s = ⌊(t - 1)/160⌋, v = t - 160·s
[Figure: an arbitrary SEED of g > 160 bits is hashed; W0 = the rightmost v - 1 bits of hash(z), z = (int) SEED; the bit string W = W0 || hash(z + 1) || hash(z + 2) || … || hash(z + s) has (v - 1) + s·160 < log2 p bits]
34 Curve parameters generation (2)
1. r = (int) W
2. If r = 0 or 4r + 27 ≡ 0 (mod p), abort and start again
3. Choose a, b ∈ GF(p), a ≠ 0, b ≠ 0, such that b^2 r ≡ a^3 (mod p)
4. Result: y^2 = x^3 + ax + b
Exclude singular curves: an EC is singular if 4a^3 + 27b^2 ≡ 0 (mod p). With r ≡ a^3 / b^2 we have 4a^3 + 27b^2 = b^2(4r + 27), so 4r + 27 ≢ 0 (mod p) together with b ≠ 0 guarantees 4a^3 + 27b^2 ≢ 0 (mod p).
35 Isomorphism classes of ECs (1)
E1: y^2 = x^3 + a1 x + b1 and E2: y^2 = x^3 + a2 x + b2 over GF(p) are isomorphic iff there exists u ∈ GF(p), u ≠ 0, with a2 = u^4 a1 and b2 = u^6 b1 (mod p), i.e. a1^3 / b1^2 ≡ a2^3 / b2^2 (mod p).
Step 3: choose a, b ∈ GF(p), a ≠ 0, b ≠ 0, with b^2 r ≡ a^3 (mod p).
There are only 2 variants (isomorphism classes) for a and b on step 3.
36 Isomorphism classes of ECs (2)
Let's prove that there are precisely 2 choices for (a, b) on step 3.
Let (a1, b1) and (a2, b2) both satisfy b^2 r ≡ a^3 (mod p), and put k = a2 · a1^{-1} mod p, l = b2 · b1^{-1} mod p. Then k^3 ≡ l^2 (mod p), so u = l · k^{-1} mod p satisfies u^2 ≡ k and u^3 ≡ l, i.e. a2 ≡ u^2 a1 and b2 ≡ u^3 b1 (mod p).
If u is a square mod p, u ≡ w^2, then a2 ≡ w^4 a1 and b2 ≡ w^6 b1 (mod p): E2 is isomorphic to E1.
Else (u is a non-residue mod p) E2 is not isomorphic to E1; this gives the second class.
We can not find a3, b3 such that E3 is not isomorphic to E1 or E2: the factor u3 relating E3 to E1 and the factor u3/u relating E3 to E2 differ by the non-residue u, and the product of two non-residues is a square, so E3 is isomorphic to E1 (u3 a square) or to E2 (u3 a non-residue).
37 Domain Parameter Generation
Domain parameters D = (q, a, b, G, n, h)
1. Generate EC coefficients a & b: E(GF(q)): y^2 = x^3 + ax + b
2. Compute N = #E(GF(q)) (e.g. Schoof's algorithm)
3. Verify that N = hn, n is prime, n > 2^160 and n > 4√q
4. If not, go to step 1
5. Verify that n ∤ q^k - 1 for all 1 ≤ k ≤ 20; if not, go to step 1
6. Verify that n ≠ q; if not, go to step 1
7. Select an arbitrary point G' ∈ E(GF(q)). Set G = (N/n)·G'. Repeat until G ≠ O.
38
Alice (signer), D = (q, a, b, G, n, h). Key generation:
1. Select random d: 1 ≤ d ≤ n-1
2. Q = d·G
Q = (xQ, yQ) is public, d is private.
Bob (verifier) receives (D, Q): is Q valid or not? Key validation, check that:
1. Q ≠ O
2. xQ, yQ ∈ GF(q)
3. yQ^2 = xQ^3 + a·xQ + b
4. nQ = O
5. If any check fails -> Q is invalid, else -> Q is valid
39 ECDSA generation & verification
Alice: parameters D = (q, a, b, G, n, h), associated keys (d, Q). To sign message m:
1. k randomly chosen, 0 < k < n-1
2. k·G = (x1, y1), r = x1 mod n
3. If r = 0, abort and start again
4. e = SHA-1(m)
5. s = k^{-1}·(e + d·r) mod n
6. If s = 0, abort and start again
Output: (r, s)
Bob: parameters D = (q, a, b, G, n, h), Alice's public key Q, Alice's signature (r, s) on m, i.e. Bob holds D, Q, m, r, s. To verify signature (r, s):
1. Check 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1
2. e = SHA-1(m)
3. w = s^{-1} mod n
4. u1 = e·w mod n, u2 = r·w mod n
5. X = u1·G + u2·Q; if X = O, reject
6. X = (x1, y1), v = x1 mod n
7. Accept iff v = r
Proof that signature verification works: from s ≡ k^{-1}(e + d·r) we get k ≡ s^{-1}(e + d·r) ≡ w·e + w·d·r ≡ u1 + u2·d (mod n), hence
X = u1·G + u2·Q = u1·G + u2·d·G = (u1 + u2·d)·G = k·G, so v = x1 mod n = r.
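As an added example (not from the slides), the group law of slide 25 carried over GF(p) as on slide 27, the ECDSA key validation of slide 38 and the sign/verify procedure of slide 39, in Python over the toy curve of slides 28 and 30 (y^2 = x^3 + x + 4 over GF(23), G = (0, 2), n = 29, h = 1). Running it reproduces the slide 30 table, with one correction: 7P comes out as (15, 6), and (15, 9) is not on the curve (15^3 + 15 + 4 ≡ 13 while 9^2 ≡ 12 mod 23), so the table's (15, 9) is a slide typo. SHA-1 is used because the slides use it; a current deployment would use SHA-256 or stronger. The hash is reduced mod n to fit the toy group (an assumption of this example), and the range check in the verifier is the one slide 61 motivates.

```python
import hashlib

# Toy curve from slides 28/30 (assumption: used here only because it is small)
P_MOD, A, B = 23, 1, 4   # y^2 = x^3 + x + 4 over GF(23)
G = (0, 2)               # base point of order n = 29 (the whole group, h = 1)
N = 29
O = None                 # point at infinity


def on_curve(P):
    """Slide 27: coordinates in GF(p) and y^2 = x^3 + ax + b (mod p); O is on E."""
    if P is O:
        return True
    x, y = P
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(P, Q):
    """Slide 25 rules 1-4 with every division done as a modular inverse."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                    # Q = -P (rule 2)
    if P == Q:                                      # doubling (rule 4)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                           # chord (rule 3)
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, P):
    """Scalar multiplication k*P by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def sha1_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")  # e = SHA-1(m), as on slide 39


def validate_public_key(Q) -> bool:
    """Slide 38: Q != O, coordinates in GF(q), Q on the curve, nQ = O."""
    return Q is not O and on_curve(Q) and ec_mul(N, Q) is O


def ecdsa_sign(msg: bytes, d: int, k: int, hash_to_int=sha1_int):
    """Slide 39 signing with the per-message secret k supplied by the caller.
    Returns (r, s), or None when this k must be rejected (r = 0 or s = 0)."""
    if not 1 <= k <= N - 1:
        raise ValueError("k must satisfy 1 <= k <= n-1")
    x1, _ = ec_mul(k, G)
    r = x1 % N
    if r == 0:
        return None
    e = hash_to_int(msg) % N                        # reduced mod n for the toy group
    s = pow(k, -1, N) * (e + d * r) % N
    if s == 0:
        return None
    return (r, s)


def ecdsa_verify(msg: bytes, Q, sig, hash_to_int=sha1_int) -> bool:
    """Slide 39 verification, including the range check on r and s and key validation."""
    r, s = sig
    if not (1 <= r <= N - 1 and 1 <= s <= N - 1):
        return False
    if not validate_public_key(Q):
        return False
    e = hash_to_int(msg) % N
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    X = ec_add(ec_mul(u1, G), ec_mul(u2, Q))
    if X is O:
        return False
    return X[0] % N == r


if __name__ == "__main__":
    for k in range(1, 31):                          # reproduces the slide 30 table
        print(f"{k}P = {ec_mul(k, G)}")
    d = 7                                           # constructed private key
    Q = ec_mul(d, G)
    print(ecdsa_sign(b"hello", d, 3), ecdsa_verify(b"hello", Q, ecdsa_sign(b"hello", d, 3)))
```

With k = 3, d = 7 and a hash value e = 5 the signature is (11, 8), and the verifier's X = 26·G + 5·Q = 61·G = 3·G = (11, 9) gives v = 11 = r, which is the slide 39 proof worked on concrete numbers.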
40 Ordinary DLP
Definition: Given a prime p, a generator g of the multiplicative group of GF(p) and a non-zero element y ∈ GF(p), find the unique integer k, 0 ≤ k ≤ p - 2, with y ≡ g^k (mod p).
k is called the discrete logarithm of y to the base g.
Known attacks. The most efficient: Index Calculus Method, O(e^{(1 + o(1))·√(ln p · ln ln p)}).
41 Elliptic Curve DLP
Identified in 1985: Koblitz and Miller suggested using it in place of the DLP.
Definition: Given an EC E defined over GF(q), a point P ∈ E(GF(q)) of order n and a point Q ∈ E(GF(q)), determine the integer l, 0 ≤ l ≤ n - 1, with Q = lP.
- Arises in groups defined on EC
- Hard problem
- Only exponential algorithms known
42 Known Attacks on ECDLP
- Pollard's Rho algorithm: O(√n). Precaution: n > 2^160
- Parallelized Pollard's Rho: O(√n / r), r is the number of processors used
- Pohlig–Hellman algorithm: O(√(largest prime factor of n)). Precaution: n is prime
- Menezes–Okamoto–Vanstone (MOV) reduction to the DLP in GF(q^k), cost governed by k·log q. Precaution: n ∤ q^k - 1 for all 1 ≤ k ≤ 20
- No index calculus method found
43 Pollard's Rho Algorithm (1)
To find k where Q = kP, and n is the group order:
- Use a pseudo-random walk through the group
- Start at a known point
- When a collision occurs, we can find k
- Because there is not enough room to store all visited points, we only store distinguished points (points with some distinguishing property, such as the first i lower-order bits equal to zero).
44 Pollard's Rho Algorithm (2)
The random walk is defined as:
R_{i+1} = R_i + r1·P + r2·Q, for R_i ∈ S1
R_{i+1} = R_i + r3·P + r4·Q, for R_i ∈ S2
R_{i+1} = R_i + r5·P + r6·Q, for R_i ∈ S3
where the S_i are three sets of points (e.g. S_i may be the points such that x mod 3 = i), and the r_i are randomly chosen.
45 Pollard's Rho Algorithm (3)
R0 is chosen to be a known multiple of P and Q: R0 = aP + bQ.
For each iteration, R_{i+1} is found, and also what multiple of P and Q it is.
When a collision R_i = R_j occurs, we have aP + bQ = cP + dQ, hence (a - c)P = (d - b)Q = (d - b)kP and k ≡ (a - c)(d - b)^{-1} (mod n).
46 Pollard's Rho Algorithm (4)
The number of iterations is O(√n).
With this approach, the path of the pseudo-random walk depends on Q.
There is no precomputation.
Calculations from previous ECDLPs are of limited usefulness in subsequent ECDLPs, because collisions are only detected for distinguished points.
47 Duplicate-Signature Key Selection
Alice → Bob: D, Q, m, r, s, with D = (q, FR, a, b, G, n, h) and Alice's signature (r, s) on m.
Adversary E → Bob: D_E, Q_E, m, r, s, with the same (r, s).
An adversary E:
- Selects arbitrary c ≠ 0
- Computes t = (s^{-1}·e + s^{-1}·r·c)^{-1} mod n, where e = SHA-1(m)
- Computes X = s^{-1}·e·G + s^{-1}·r·Q (the point the verifier computes for Alice's signature)
- Forms G_E = t·X and Q_E = c·G_E
- Forms D_E = (q, FR, a, b, G_E, n, h) and presents (D_E, Q_E) as his own parameters and public key
Proof of work: verifying (r, s) under (D_E, Q_E) with w = s^{-1}, u1 = e·w, u2 = r·w gives
X_E = u1·G_E + u2·Q_E = (u1 + u2·c)·G_E = w·(e + r·c)·t·X = X = k·G,
so v = x1 mod n = r and Bob accepts (r, s) as E's signature on m as well.
48 Key Size Comparisons (bits)
Sym. key: 80, 112, 128, 192, 256
ECC n: 161, 224, 256, 384, 512
RSA n: 1024, 2048, 3072, 7680, 15360
49 ECDSA Advantages
- Elliptic curves offer a much shorter key length than RSA.
- There are some environments where 1024-bit RSA cannot be implemented, while 163-bit ECC can.
- No subexponential-time algorithm is known for the EC discrete logarithm problem.
51 Exercises (1)
- Does the equation y^2 = x^3 + 10x + 5 define an EC over GF(17)?
- Do the points P(2,0) and Q(6,3) lie on the elliptic curve y^2 = x^3 + x + 7 over GF(17)?
- What are the negatives of the following elliptic curve points over GF(17)? P(5,8), Q(3,0), R(0,6)
- In the elliptic curve group defined by y^2 = x^3 + x + 7 over GF(17), what is P + Q if P = (2,0) and Q = (1,3)?
52 Exercises (2)
Suppose that p > 3 is an odd prime and a, b ∈ GF(p). Further suppose that x^3 + ax + b ≡ 0 (mod p) has 3 distinct roots in GF(p). Prove that the corresponding elliptic curve E is not cyclic.
53 References
Don Johnson, Alfred Menezes, The Elliptic Curve Digital Signature, February 2000, http://www.cacr.math.uwaterloo.ca
A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, http://www.cacr.math.uwaterloo.ca/hac
Douglas R. Stinson, Cryptography: Theory and Practice, CRC Press
54 Elliptic Curves Over Finite Fields
Over GF(2^m). Elliptic curve E equation:
y^2 + xy = x^3 + ax^2 + b, where a, b ∈ GF(2^m) and b ≠ 0
E consists of all pairs (x, y), x ∈ GF(2^m), y ∈ GF(2^m), satisfying the curve equation, together with the special point O, the point at infinity.
55 Example 2: elliptic curve over GF(2^4)
Generator polynomial f(x) = x^4 + x + 1; g denotes a generator of GF(2^4)*, so g^4 = g + 1.
E: y^2 + xy = x^3 + a·x^2 + b with a = g^4, b = 1.
The points in E are O and the following:
(1, g^6) (1, g^13) (g^3, g^8) (g^3, g^13)
(g^5, g^3) (g^5, g^11) (g^6, g^8) (g^6, g^14)
(g^9, g^10) (g^9, g^13) (g^10, g) (g^10, g^8)
(g^12, 0) (g^12, g^12) (0, 1)
15 points + O = 16 points
56 Addition – Algebraic Approach
E is an elliptic curve over GF(2^m).
1. O is the identity element: P + O = O + P = P for all P ∈ E
2. If P = (x, y) ∈ E then -P = (x, x + y), and P + (-P) = O
3. Let P = (x1, y1) ∈ E, Q = (x2, y2) ∈ E, P ≠ ±Q. Then P + Q = (x3, y3), where
λ = (y1 + y2) / (x1 + x2), x3 = λ^2 + λ + x1 + x2 + a, y3 = λ(x1 + x3) + x3 + y1
4. Let P = (x1, y1) ∈ E, P ≠ -P. Then 2P = (x3, y3), where
λ = x1 + y1 / x1, x3 = λ^2 + λ + a = x1^2 + b / x1^2, y3 = x1^2 + (λ + 1)·x3
57 Curve parameters generation
Input: prime p. Output: seed, curve coefficients a & b.
Used notations: t = ⌈log2 p⌉, s = ⌊(t - 1)/160⌋, v = t - 160·s
Algorithm:
1. Choose a bit string seedE of length g = |seedE| ≥ 160 bits
2. H = SHA-1(seedE)
3. z = (int) seedE
4. For i from 1 to s do: si = (z + i) mod 2^g; Wi = SHA-1(si)
5. W0 = the rightmost v - 1 bits of H; W = W0 || W1 || … || Ws
6. r = (int) W; if r = 0 or 4r + 27 ≡ 0 (mod p), go to step 1
7. Choose a, b ∈ GF(p), a ≠ 0, b ≠ 0, such that b^2 r ≡ a^3 (mod p)
8. The elliptic curve is y^2 = x^3 + ax + b
9. Output (seedE, a, b)
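As an added example (not from the slides), the seeded curve generation of slides 33, 34 and 57 in Python: W is assembled from SHA-1 outputs exactly as in steps 1-6, r = (int) W is checked against r = 0 and 4r + 27 ≡ 0 (mod p), and a rejected seed is replaced by the next seed value. For step 7 the choice a = b = r (mod p) is used, which satisfies b^2·r ≡ a^3 (mod p) and picks one of the two isomorphism classes of slide 35; that choice, the retry-by-incrementing-the-seed policy and the sample primes used below are assumptions of this example.

```python
import hashlib


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")  # slides use SHA-1


def curve_from_seed(p: int, seed: bytes):
    """Steps 1-8 of slide 57 for one seed. Returns (a, b, r) or None when the
    seed must be rejected (step 6: r = 0 or 4r + 27 = 0 mod p)."""
    g = 8 * len(seed)                       # g = |seedE|, must be >= 160 bits
    if g < 160:
        raise ValueError("seed must be at least 160 bits")
    t = p.bit_length()                      # = ceil(log2 p) for any prime p > 2
    s = (t - 1) // 160
    v = t - 160 * s
    H = sha1_int(seed)                      # step 2
    z = int.from_bytes(seed, "big")         # step 3
    W = H & ((1 << (v - 1)) - 1)            # W0 = rightmost v-1 bits of H
    for i in range(1, s + 1):               # step 4: W_i = SHA-1((z + i) mod 2^g)
        si = (z + i) % (1 << g)
        W = (W << 160) | sha1_int(si.to_bytes(g // 8, "big"))
    r = W                                   # step 6: (v-1) + 160 s < t bits, so r < p
    if r == 0 or (4 * r + 27) % p == 0:
        return None
    a = b = r % p                           # step 7 (assumption): b^2 r = r^3 = a^3 mod p
    return (a, b, r)


def is_singular(a: int, b: int, p: int) -> bool:
    """Slide 34: the curve is singular iff 4a^3 + 27b^2 = 0 mod p."""
    return (4 * a ** 3 + 27 * b * b) % p == 0


def generate_curve(p: int, seed: bytes):
    """Repeat with the next seed value until step 6 accepts. Returns (seed, a, b, r)."""
    g_bytes = len(seed)
    while True:
        result = curve_from_seed(p, seed)
        if result is not None:
            a, b, r = result
            return (seed, a, b, r)
        nxt = (int.from_bytes(seed, "big") + 1) % (1 << (8 * g_bytes))
        seed = nxt.to_bytes(g_bytes, "big")  # "go to step 1" with a fresh seed


if __name__ == "__main__":
    seed0 = bytes(19) + b"\x01"                     # constructed 160-bit seed
    seed, a, b, r = generate_curve(2 ** 255 - 19, seed0)  # sample prime (assumption)
    print(seed.hex(), a == b == r, is_singular(a, b, 2 ** 255 - 19))
```

Anyone holding (seedE, a, b) can rerun the same steps and confirm that b^2·r ≡ a^3 (mod p) for the r derived from the seed, which is the point of publishing the seed on slide 32.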
58 Domain Parameters Validation
Alice's domain: D = (q, FR, a, b, G, n, h). Bob's domain: D. Is D valid or not?
D validation, check that:
1. q = p (p prime) or q = 2^m
2. a, b, xG, yG ∈ GF(q)
3. 4a^3 + 27b^2 ≠ 0 (mod p)
4. G ∈ E: yG^2 = xG^3 + a·xG + b
5. n is prime AND n > 2^160
6. #E ≠ q
7. nG = O
8. h' = ⌊(√q + 1)^2 / n⌋ and h = h'
9. n ∤ q^k - 1 for all 1 ≤ k ≤ 20 (and n > 4√q)
10. If any check fails -> D is invalid, else -> D is valid
59 Verifying the order of an EC
Hasse's theorem: #E = q + 1 - t, |t| ≤ 2√q, hence (√q - 1)^2 ≤ #E ≤ (√q + 1)^2.
Hence the check n > 4√q (i.e. n^2 > 16q) implies that the interval [(√q - 1)^2, (√q + 1)^2], whose length is (√q + 1)^2 - (√q - 1)^2 = 4√q, contains at most one multiple of n.
Also, since nG = O, n divides #E, so #E is that unique multiple: ∃! h with (√q - 1)^2 ≤ hn ≤ (√q + 1)^2, namely h = ⌊(√q + 1)^2 / n⌋.
Hence if nG = O and h = ⌊(√q + 1)^2 / n⌋, then #E is indeed equal to hn.
60Potential CA Services
POP - Proof of possession of private key.
Can use zero-knowledge proof.
PKV - Public Key Validation shows public key makes arithmetic sense.
POP and PKV can be considered duals of each other. Doing both provides strong assurance.
61 Security Considerations
Per-message secret k. Repeated usage of k: if the same k is used for two messages m1, m2 with signatures (r, s1), (r, s2) (the same r, since r = x(kG) mod n), then
s1 ≡ k^{-1}(e1 + d·r), s2 ≡ k^{-1}(e2 + d·r) (mod n)
k·s1 ≡ e1 + d·r, k·s2 ≡ e2 + d·r (mod n)
k·(s1 - s2) ≡ e1 - e2 (mod n), i.e. k ≡ (e1 - e2)·(s1 - s2)^{-1} (mod n)
and then d ≡ r^{-1}·(k·s1 - e1) (mod n): the private key follows from the two signatures.
Check 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1: if G = (0, b) and this check were omitted, the pair (r, s) = (0, SHA-1(m)) would verify for any m: e = SHA-1(m), w = s^{-1} = e^{-1}, u1 = e·w = 1, u2 = r·w = 0, X = 1·G + 0·Q = G = (0, b), v = 0 = r.
To verify signature (r, s):
1. Check 1 ≤ r ≤ n-1, 1 ≤ s ≤ n-1
2. e = SHA-1(m)
3. w = s^{-1} mod n
4. u1 = e·w mod n, u2 = r·w mod n
5. X = u1·G + u2·Q; if X = O, reject
6. X = (x1, y1), v = x1 mod n
7. Accept iff v = r
62 Attacks on Hash function
SHA-1. Preimage resistance: hard to find x with H(x) = y. Collision resistance: hard to find x1 ≠ x2 with H(x1) = H(x2).
If not preimage resistant, one can forge a signature: calculate parameters r, s, e, m with e = SHA-1(m), where (r, s) is a valid signature for m.
If not collision resistant, one can repudiate messages: generate m' with SHA-1(m) = SHA-1(m').
63 Signature Forgery
A forgery is a signature computed without the signer's private key.
- Selective forgery: an adversary is able to create a valid signature for a particular message chosen a priori
- Existential forgery: an adversary is able to forge a signature for at least one message