View
226
Download
2
Category
Tags:
Preview:
Citation preview
Applied Cryptography
Spring 2015
Digital signatures
Digital signature
• (assuming that Alice’s key have not be compromised)only Alice should be able to sign the message on her name
• any should be able to verify that the message is signed byAlice
Undeniable digital signatures
• sometimes it could be useful to additionally require that signature could be verified only in cooperation withAlice (however, when cooperating she shouldn’t be ableto deny her signature)
Digital signature - Requirements
M – message, – its digital signature
Depending from signature scheme it could be sufficient to send just , or it might be necessary to send pair (,M)
h - a one-way hash function (easy to compute, but for a given M it is hard to find M’ with h(M) = h(M’))
Digital signature:
• Send message M
• Sign h(M) and send its digital signature together with M
Digital signature – Practicalities
Signatures are often computed by small chips. Therefore itis preferable that signing of message could be performed faster than verification of signature.
Digital signature – Practicalities
Digital signature - RSA
p,q - two large primes (100 digits or more)n = pqe - small odd integer that is relatively prime to
(p – 1)(q – 1)d - integer such that de 1 (mod (p – 1)(q – 1))
(it can be shown that it always exists)
P = (e,n) - public keyS = (d,n) - secret key
Signing: S = Md (mod n)Verifying: V(S) = Se (mod n)
H – hashes {0,1}*{0,1}k
G – hashes {0,1}k{0,1}nk1 (G1 and G2 are two parts of thisvalue)
Can be shown to be as secure as RSA
RSA – probabilistic signature scheme (PPS)
Digital signature - ElGamal Taher ElGamal, 1984
Digital signature - ElGamal
Digital signature - ElGamal
Digital signature - ElGamal
Digital signature - ElGamal
Warnings:
•Never reuse k – this will instantly allow to recover secret keyx.
•It is not difficult to generate “bad” values of g – either the implementation should be completely trusted, or use aa one way hash function to generate pseudorandom g, whoserandomness can then be verified.
•When verifying signature, check that a < p
ElGamal signatures – a closer look
ElGamal - subliminal channel
ElGamal: p,g,y=gx mod p - public; x - private
h - "signed" message, m - "secret" messagegcd(m,p–1) should be 1
Alice:
a=gm mod pand finds b: h=xa+mb mod(p–1)
Signature: a,b
ElGamal - subliminal channel
Alice:
a=gm mod pand finds b: h=xa+mb mod(p–1)
Signature: a,b
Bob:
Verification: yaab=gh mod p ?Extraction: m=(b–1(h–xa)) mod(p–1)
Implementations of digital signatures should be trusted -this can be used to "broadcast" secret keys!
Digital signature - Schnorr
p - primeq - prime factor of p–1 [can be “small” – e.g. 160 bits]a - aq=1 mod p (and a≠1) [try several a = x(p-1)/q mod p]All these are public
s < q - a random number and secret keyv = a–s mod p - public key
Signing:Pick random k<q and compute x = ak mod pCompute e = H(M,x) and y = (k+se) mod qSignature - pair (e,y)
Verification:Compute x’ = ayve mod p and check that e = H(M,x’)
Claus Peter Schnorr, 1989
Digital signature - DSA
Proposed by the National Institute of Standards and Technology(NIST) in 1991 for use in their Digital Signature Standard (DSS)adopted in 1993. Expanded further in 2000.
Design criteria secret but was given for assessment to public.
Could be considered as variation of ElGamal scheme.Intended to be free for use for everybody.
Received strong criticism from RSA Data Security:) and companies that have invested in RSA
Digital signature - DSA
Points of criticism:
1)Can’t be used for encryption and key distribution2)Developed by NSA and may contain a trapdoor3)DSA is slower than RSA4)RSA is de facto standard5)Selection process was not public, sufficient time for analysis was not provided.6)DSA may infringe on other patents.7)The key size is too small.
Digital signature - DSA
Digital signature - DSA
Digital signature - DSA
Digital signature - DSA
Digital signature - DSA
Digital signature - DSA
Discrete logarithm signature schemes
Discrete logarithm signature schemes
Undeniable digital signatures
Signature should be such that:
• Bob should be able to verify signature in cooperation with Alice• Alice should be unable to deny the signature• Signature can't be verified from message and signature pairalone
Undeniable digital signatures
p,g,y=gx mod p - public; x - private
Signing (Alice):
s=mx mod p
Verification (Bob and Alice):
1) (Bob): chooses random a,b<p, sends Alice c=sayb mod p2) (Alice): computes t=x–1 mod (p–1), sends Bob d=ct mod p3) (Bob): confirms that d=magb mod p
Undeniable digital signatures
p,g,y=gx mod p - public; x - private; signature s=mx mod p
Verification (Bob and Alice):
1) (Bob): chooses random a,b<p, sends Alice c=sayb mod p2) (Alice): computes t=x–1 mod (p–1), sends Bob d=ct mod p3) (Bob): confirms that d=magb mod p
Fake transcript:
1) generate fake pair m,s2) choose random a,b<p, and compute d=magb mod pand sayb mod p
Undeniable digital signatures (a second look)
Undeniable digital signatures (a second look)
Undeniable digital signatures (a second look)
Undeniable digital signatures (a second look)
Identification schemes
Victor wants to communicate with Peggy and be sure thatshe is the right person.
How to achieve this?
Peggy and Victor both know a secret key k. Victor sends a random message r and Peggy returns Ek(r).
Peggy has a public key d and a secret key s. Victor sends a random message r and Peggy returns Es(r).
However, it is not a particularly good idea to sign randomnumbers :)
Identification schemes
Assume RSA is used. d - public, s - secret.
Eve wants to get Alice sign m.
1) find m1 and m2 such that m = m1m2 mod n2) get Alice to sign "random" m1 and m2
3) calculate md mod n = (m1d mod n)(m2
d mod n)
However, it is not a particularly good idea to sign randomnumbers :)
Quadratic Residues
If p is prime, and a is greater than 0 and less than p, then a is a quadratic residue mod p if x2 = a (mod p) for some x
For example, if p =7, the quadratic residues are 1, 2, and 4.
1*1=1=1(mod7) 2*2=4=4(mod7) 3*3=9=2(mod7) 4*4=16=2(mod7) 5*5=25=4(mod7) 6*6=36=1(mod7)
Quadratic Residues
When p is odd, there are exactly (p - 1)/2 quadratic residues mod p
If a is a quadratic residue mod p, then a has exactly two square roots, one of them between 0 and (p - 1)/2, and the other between (p - 1)/2 and (p - 1).
One of these square roots is also a quadratic residue mod p; this is called the principal square root.
Quadratic Residues
Computation of quadratic residues mod p:
- easy if n is prime and n = 4k+3
- a probabilistic algorithm if n is prime and n = 4k+1
- if n = pq, where p,q are primes, the problem of
computing square roots mod n is as hard as is the factorization of n
Feige-Fiat-Shamir identification scheme
On July 9, 1986 the three authors submitted a U.S. patent application. Because of its potential military applications, the application was reviewed by the military. Occasionally the Patent Office responds not with a patent, but with something called a secrecy order. On January 6, 1987, three days before the end of their six-month period, the Patent Office imposed that order at the request of the Army. They stated that “...the disclosure or publication of the subject matter...would be detrimental to the national security....” The authors were ordered to notify all Americans to whom the research had been disclosed that unauthorized disclosure could lead to two years’ imprisonment, a $10,000 fine, or both. Furthermore, the authors had to inform the Commissioner of Patents and Trademarks of all foreign citizens to whom the information had been disclosed.
Feige-Fiat-Shamir identification scheme
n = pq, where p,q are primes such that p,q=3 mod 4.v - quadratic residue mod n, i.e. z2 = v mod n and v–1 mod n existss = sqrt(v–1) mod nv - public; s - private
Identification protocol:
1) (Peggy): chooses random r<n, sends Victor x=r2 mod n2) (Victor): sends random b{0,1}3) (Peggy): if b=0 sends r; if b=1 sends y=r s mod n4) (Victor): if b=0, verifies x=r2 mod n (Peggy knows r)
if b=1, verifies x = y2v mod n (Peggy knows s)
Without s Peggy can pick r such that either x=r2 mod n orx = y2v mod n, but not both. Repeat k times for probability 1–2k
Feige-Fiat-Shamir identification scheme
n = pq, where p,q are primes such that p,q=3 mod 4.v - quadratic residue mod n, i.e. z2 = v mod n and v–1 mod n existss = sqrt(v–1) mod nv - public; s - private
Identification protocol:
1) (Peggy): chooses random r<n, sends Victor x=r2 mod n2) (Victor): sends random b{0,1}3) (Peggy): if b=0 sends r; if b=1 sends y=r s mod n4) (Victor): if b=0, verifies x=r2 mod n (Peggy knows r)
if b=1, verifies x = y2v mod n (Peggy knows s)
Replacing Victor by one-way hash function we obtain digital signature scheme!
Recommended