Chapter 8 Digital Signature
Cryptography-Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li, http://cst.hit.edu.cn/~lizhijun


Zhijun Li S1034040/Autumn08/HIT 2

Outline

• Nonrepudiation & Digital Signature
• RSA Signature
• ElGamal Signature
• Digital Signature Algorithm
• Digital Signature with other Properties
– Security Provable Signature
– Blind Signature
– Undeniable Signature
– Fail-Stop Signature


Security Goals

• Confidentiality/secrecy/privacy
– Encryption
• Integrity
– MAC
• Nonrepudiation
– Identity (source or destination) cannot deny transmitting the message
– Use ?


Nonrepudiation

• Nonrepudiation: Identity (source or destination) cannot deny transmitting the message
– Authentication protects two parties from third parties
– Nonrepudiation protects two parties against each other
• Example: Alice sends IOU message to Bob
– Alice can deny sending the message
– Bob may forge a different message and claim that it came from Alice


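IOU Protocol Review

[Figure: Alice holds {KU_A, KR_A} and sends M, E_KR_A[H(M)] to Bob; E_KR_A[H(M)] is labelled "Digital Signature". M, E_KR_A[H(M)] is also presented to the Judge. Bob and the Judge are each labelled "knows KU_A".]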


Digital Signature

• Digital Signature: a data string which associates a message with some originating entity

• Digital Signature Scheme: for each key, there is a SECRET signature generation algorithm and a PUBLIC verification algorithm

• Digital Signature & PKI
– Digital signature is difficult to implement in other ways


Digital Signature Scheme

[Figure: Signature generation (Signer): Private key and Document produce the Signature. Signature verification (Verifier): Public key, Document and Signature give OK / not OK.]

SIG: K × M → S, k ∈ K is the secret key
VER: K' × M × S → {OK, FAIL}, OK iff s is a valid signature, e is the public key


Adversary of Digital Signature

• Adversarial goals:
– Total break: adversary can forge signature on any message
– Selective forgery: adversary is able to create valid signatures on a chosen message with a significant probability
– Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid
• Note:
– A signature scheme cannot be perfectly secure
• Adversary can always forge signature given enough time
– Signature scheme can only be computationally secure


Attack Model to Digital Signature

• Key-only attack: Adversary knows only the verification function (it is supposed to be public)

• Known message attack: Adversary knows a list of messages previously signed by Alice

• Chosen message attack: Adversary can choose which messages he wants Alice to sign, and knows the messages and the corresponding signatures


RSA Signature

• Given RSA {(e, n), (d, p, q)}
• SIG(d, m): s = m^d (mod n)
• VER(e, m, s): m =? s^e (mod n)
• s^e = m^{ed} (mod n) = m (mod n)


Existential Forgery

• Oscar can generate a valid signature by:
1. Choose signature s ∈ Z_n
2. Encrypt: m = e_kpub(s) = s^e mod n
3. Send (m, s) to Bob
4. Bob verifies: ver_kpub(m, s): s^e ≡ m (mod n) → true
• Note:
– m can't be controlled, so existential forgery


Remark for This Forgery

• It is a key-only attack

• Countermeasures:
– Use some redundancy in message to detect
– Example:
• Sig(m) = (Hash(m))^d = s
• s^e = Hash(m): Need find m with Hash(m) = s^e
• Hash is preimage resistant
• Know Hash(m), but NOT known m


Another Existential Forgery

• (m1, s1) and (m2, s2) are valid signatures
• (m = m1·m2, s = s1·s2) are valid
• (m, s) is valid signature
• (m^-1, s^-1) is valid
• Remark:
– An existential forgery
– Sig(m) = (Hash(m))^d is also useful
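The two existential forgeries and the hash countermeasure from the RSA slides, as an added Python example that is not part of the original slides. Assumptions: the toy modulus built from two small Mersenne primes, e = 65537, SHA-256 as "Hash", and all function names.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d


def sig_raw(m):
    """Slide's SIG(d, m): s = m^d mod n, no hashing."""
    return pow(m, D, N)


def ver_raw(m, s):
    """Slide's VER(e, m, s): m =? s^e mod n."""
    return 0 <= m < N and pow(s, E, N) == m


def h(msg):
    """Hash a byte string to an integer below n (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sig_hashed(msg):
    """Countermeasure: Sig(m) = Hash(m)^d mod n."""
    return pow(h(msg), D, N)


def ver_hashed(msg, s):
    return pow(s, E, N) == h(msg)


def key_only_forgery(s):
    """Choose s first, then derive the message it 'signs': m = s^e mod n."""
    return pow(s, E, N), s


def product_forgery(pair1, pair2):
    """From valid (m1, s1), (m2, s2) build (m1*m2, s1*s2)."""
    (m1, s1), (m2, s2) = pair1, pair2
    return (m1 * m2) % N, (s1 * s2) % N


def to_bytes(m):
    return m.to_bytes((N.bit_length() + 7) // 8, "big")


def demo():
    out = {}
    # Key-only forgery: verifies under raw RSA, but m is not chosen by the forger.
    m, s = key_only_forgery(123456789)
    out["raw accepts key-only forgery"] = ver_raw(m, s)
    # With hashing the forger would need a message whose hash equals s^e.
    out["hashed rejects key-only forgery"] = not ver_hashed(to_bytes(m), s)
    # Multiplicative forgery from two genuine raw signatures.
    pm, ps = product_forgery((1000, sig_raw(1000)), (37, sig_raw(37)))
    out["raw accepts product forgery"] = ver_raw(pm, ps) and pm == 37000
    # The product of two hashed signatures signs Hash(m1)*Hash(m2), not Hash(m).
    sa, sb = sig_hashed(b"pay 1000"), sig_hashed(b"pay 37")
    out["hashed rejects product forgery"] = not ver_hashed(b"pay 37000", sa * sb % N)
    out["hashed accepts genuine signature"] = ver_hashed(b"pay 1000", sa)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```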


ElGamal Signature

• Key generation:
– Chooses a prime p, and chooses a generator g ∈ Z_p^*
– Selects a random integer k as the private key
– Computes the public key = g^k mod p
– Public key is ( , g, p)
– Private key is (k)


ElGamal Signature

• Signing a message m:
– Select random r, 1 ≤ r ≤ p-1, r ∈ Z_{p-1}^* (gcd(r, p-1) = 1)
– Compute x ≡ g^r (mod p)
– Solves y in following congruence equation: m ≡ k·x + r·y (mod p-1)
– SIG_{k,r}(m) = (x, y)


ElGamal Signature

• Verification:
– Receive the m and s = (x, y)
– Computes g^m
– Computes ( )^x · x^y
– VER(m, s): g^m ≡? ( )^x · x^y (mod p)


Why This Schema Can Work?

• If m=m, x=x, y=y

• ( )^x · x^y (mod p) = g^{kx} · g^{ry} (mod p)
• ry = m - kx (mod p-1)
• kx + ry = m (mod p-1)
• ( )^x · x^y = g^{kx + ry} = g^m (mod p)

• Why?


ElGamal Signature Example

1. Choose p=11, g=2 and k=8
2. c = 2^8 mod 11 = 3. So: Public key (3, 2, 11)
3. Signing m=5
3.1 select a random integer r=9, gcd(10, 9)=1
3.2 computes x = g^r mod p = 2^9 mod 11 = 6
3.3 solves 5 = 8·6 + 9·y mod 10; because 9^-1 = 9 mod 10, so y = 9^-1 · (5 - 8·6) = 3 mod 10
3.4 signature s = (6, 3)
4. Verification: 3^6 · 6^3 = 21 = 10 = 2^5 = 10 mod 11


Security of ElGamal Signature

• Based on DLP BUT weaker than DLP
– Existential Forgery
• Find (m, x, y) s.t. ( )^x · x^y = g^m
– Suppose x=gij (mod p) gmx(gij)y (mod p)
– gm-iyx+jy mod p
– Let m - iy ≡ 0 mod p-1, x + jy ≡ 0 mod p-1
– If gcd(j, p-1) = 1
– y = -x·j^-1 (mod p-1)
– m = -x·i·j^-1 (mod p-1) (if hash?)
– x=gij(mod p)


Security of ElGamal Signature

• The random r must be kept secret
– k = (m - ry)·x^-1 (mod p-1)
• The random r must be unique for each message
– ( )^x · x^{y1} = g^{m1} (mod p); ( )^x · x^{y2} = g^{m2} (mod p)
– gm1-m2 y1-y2 gk(y1-y2) (mod p)
– m1 - m2 ≡ k(y1 - y2) mod p-1
– d = gcd(y1 - y2, p-1); d | (m1 - m2)
– m' = (m1 - m2)/d; y' = (y1 - y2)/d; p' = (p-1)/d
– m' = k·y' mod p' and gcd(y', p') = 1
– k = m'·y'^-1 + i·p' mod p-1, i < d, and test them by =gk mod p


Lesson of ElGamal Signature

• Hash function h must be used
– Otherwise easy for an existential forgery attack
• Signature length is 2 times of the length p
– p=1024 bits
– For some storage limited device (smart card)
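The ElGamal signing and verification steps, and why r must be unique per message, as an added Python example that is not part of the original slides. Assumptions: the name beta for the public value g^k mod p, the range check on x, the function names, and the second toy group p = 467, g = 2 with constructed keys; messages are unhashed integers as in the slide example.

```python
import math


def sign(p, g, k, m, r):
    """x = g^r mod p, then solve m = k*x + r*y (mod p-1) for y."""
    if math.gcd(r, p - 1) != 1:
        raise ValueError("r must be invertible mod p-1")
    x = pow(g, r, p)
    y = (m - k * x) * pow(r, -1, p - 1) % (p - 1)
    return x, y


def verify(p, g, beta, m, sig):
    """Accept iff g^m == beta^x * x^y (mod p), with beta = g^k mod p."""
    x, y = sig
    if not 0 < x < p:              # range check added here; it is not on the slides
        return False
    return pow(g, m, p) == pow(beta, x, p) * pow(x, y, p) % p


def solve_linear(a, b, n):
    """All t in [0, n) with a*t = b (mod n): gcd(a, n) solutions, or none."""
    a, b = a % n, b % n
    d = math.gcd(a, n)
    if b % d:
        return []
    a, b, step = a // d, b // d, n // d
    t0 = b * pow(a, -1, step) % step if step > 1 else 0
    return [t0 + i * step for i in range(d)]


def shares_r(sig1, sig2):
    """Audit check: equal x means the two signatures were made with the same r."""
    return sig1[0] == sig2[0]


def recover_private_key(p, g, beta, m1, sig1, m2, sig2):
    """Private key from two signatures that share r; None if they do not.

    m1 - m2 = r*(y1 - y2) (mod p-1) gives candidates for r, each tested against
    x = g^r; then k*x = m1 - r*y1 (mod p-1) gives candidates for k, each tested
    against beta = g^k.
    """
    if not shares_r(sig1, sig2):
        return None
    (x, y1), (_, y2) = sig1, sig2
    n = p - 1
    for r in solve_linear(y1 - y2, m1 - m2, n):
        if pow(g, r, p) != x:
            continue
        for k in solve_linear(x, m1 - r * y1, n):
            if pow(g, k, p) == beta:
                return k
    return None


if __name__ == "__main__":
    # The slide's worked example: p=11, g=2, k=8, m=5, r=9.
    print(sign(11, 2, 8, 5, 9), verify(11, 2, pow(2, 8, 11), 5, (6, 3)))
    # Constructed larger toy group; the same r = 213 is used for two messages.
    p, g, k = 467, 2, 127
    beta = pow(g, k, p)
    s1, s2 = sign(p, g, k, 100, 213), sign(p, g, k, 31, 213)
    print(shares_r(s1, s2), recover_private_key(p, g, beta, 100, s1, 31, s2))
```

A signing service can run the shares_r comparison over its own signature log as a cheap check for a broken random number source.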


DSA Overview

• Published by NIST in 1992 (FIPS PUB 186)
• Remark:
– DSA is a variant for ElGamal signature
– Using SHA hash algorithms and the digest is 320 bits
– Sometimes called DSS (Digital Signature Standard)


From ElGamal Signature

• Use a subgroup {,2,…,q} in Z_p^*, the order of is q
– q is a 160-bits prime
– p is a 1024-bits prime
• Introduce the hashing function
– SHA1(m) is also 160-bits


From ElGamal Signature

• y = r^-1 (m + k·x) (mod p-1)
– Verify mx=xy mod p
– ord() = q, so all exponents need mod q
– x = (r mod p) mod q
– y = (m - k·x)·r^-1 (mod q) (x can be replaced by x)
mx=xy mod p
my-1xy-1=x mod p
(my-1xy-1mod p) mod q = x


DSA: Key Generation

• Select a prime q of 160-bits
• Choose 0 ≤ t ≤ 8 and 2^{511+64t} < p < 2^{512+64t} with q | p-1
• Let g be a generator of Z_p^*, and = g^{(p-1)/q} mod p
• Select 1 ≤ k ≤ q-1
• Compute = k mod p
• Public key: (p, q, , )
• Private key: k


DSA: Signature

• Signing message m:
1. Compute one-way hash h = SHA-1(m)
2. Select a random signing key r, 0 < r < q
3. Compute
– x = (r mod p) mod q
– y = (SHA-1(m) + x·k)·r^-1 mod q
– SIG(m) = (x, y)


DSA: Verification

• Verifying m, (x, y):
1. Verify 0 < x < q and 0 < y < q, if not, invalid
2. Verifier computes
– w = y^-1 mod q
– u1 = SHA-1(m)·w mod q
– u2 = x·w mod q
– v = (u1.u2 mod p) mod q
3. Verifier accepts the signature iff
– v = x
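DSA key generation, signing and verification end to end, as an added Python example that is not part of the original slides. Assumptions: alpha names the order-q element g^((p-1)/q) mod p and beta the public key alpha^k mod p, the parameters are constructed toy sizes (q just above 10^6 instead of 160 bits), SHA-1(m) is reduced mod q, and all function names are chosen here.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_params(q_start=10**6):
    """Find a prime q, a prime p with q | p-1, and an element alpha of order q."""
    q = q_start
    while not is_prime(q):
        q += 1
    j = 2
    while not is_prime(j * q + 1):
        j += 2
    p = j * q + 1
    g = 2
    while pow(g, (p - 1) // q, p) == 1:
        g += 1
    return p, q, pow(g, (p - 1) // q, p)


def digest(m, q):
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q


def sign(params, k, m, r=None):
    """x = (alpha^r mod p) mod q, y = (SHA-1(m) + x*k) * r^-1 mod q."""
    p, q, alpha = params
    while True:
        rr = r if r is not None else 1 + secrets.randbelow(q - 1)
        x = pow(alpha, rr, p) % q
        y = (digest(m, q) + x * k) * pow(rr, -1, q) % q
        if x and y:
            return x, y
        if r is not None:
            raise ValueError("this r gives x = 0 or y = 0; pick another")


def verify(params, beta, m, sig):
    p, q, alpha = params
    x, y = sig
    # Step 1 of the slide: out-of-range values are rejected before any arithmetic.
    # Without it, y = 0 has no inverse mod q and the computation below would fail.
    if not (0 < x < q and 0 < y < q):
        return False
    w = pow(y, -1, q)
    u1 = digest(m, q) * w % q
    u2 = x * w % q
    v = pow(alpha, u1, p) * pow(beta, u2, p) % p % q
    return v == x


if __name__ == "__main__":
    params = toy_params()
    p, q, alpha = params
    k = 123457                          # constructed private key, 1 <= k <= q-1
    beta = pow(alpha, k, p)
    sig = sign(params, k, b"transfer 10 to Bob")
    print(params, sig, verify(params, beta, b"transfer 10 to Bob", sig))
```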


DSA Remark

• Advantages:
– Suitable to storage limited device
– Hashing function is used
– Based on discrete logarithm problem
• Disadvantages:
– Unpublicized selection


Security Provable Signature

• Idea:
– Can reduce the forgery into the inverse of one-way
• Lamport One-time Signature:
– P = {0,1}^k, f is one-way function f: Y → Z
– Choose secret keys y_{i,j} ∈ Y, 1 ≤ i ≤ k, j = 0,1
– Let z_{i,j} ∈ Z, 1 ≤ i ≤ k, j = 0,1 are public keys
– Sig(m1, m2, …, mk) = (y_{1,m1}, y_{2,m2}, …, y_{k,mk})
– Ver((m1, m2, …, mk), (a1, a2, …, ak)) = true ⇔ f(a_i) = z_{i,mi}


Lamport Signature Example

• p = 7879 and 3 is a generator
• f(x) = 3^x mod 7879
• y_{1,0}=5831; y_{1,1}=735; y_{2,0}=803; y_{2,1}=2467; y_{3,0}=4285; y_{3,1}=6449
• z_{1,0}=2009; z_{1,1}=3810; z_{2,0}=4672; z_{2,1}=4721; z_{3,0}=268; z_{3,1}=5731
• m = (1,1,0):
• Sig(m) = (735, 2467, 4285)
• Verification: 3^735 mod 7879 = 3810; 3^2467 mod 7879 = 4721; 3^4285 mod 7879 = 268


One-Time Digital Signature

• One-time digital signatures:
– Used for signing at most one message
– Otherwise signature can be forged
– In Lamport: (1, 0, 1) + (0, 1, 0) = all 2^3
– A new public key is required for each signed message
• Advantage:
– Signature and verification can be very efficient
– Can be very secure
– Is useful for cards with low resources
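The Lamport scheme with the slide's f and secret values, including a signer that enforces one-time use and a count of what key reuse gives away, as an added Python example that is not part of the original slides. The class and function names are chosen here, and the public values are computed from the secret values by the code.

```python
from itertools import product

P = 7879


def f(x):
    """The slide's one-way function f(x) = 3^x mod 7879 (toy size)."""
    return pow(3, x, P)


# Secret values y_{i,j} from the slide, keyed by (i, j).
SECRET = {(1, 0): 5831, (1, 1): 735, (2, 0): 803,
          (2, 1): 2467, (3, 0): 4285, (3, 1): 6449}
# Public values z_{i,j} = f(y_{i,j}), computed here.
PUBLIC = {ij: f(y) for ij, y in SECRET.items()}


class OneTimeSigner:
    """Releases y_{i,m_i} for each message bit and refuses a second message."""

    def __init__(self, secret):
        self._secret = dict(secret)
        self._used = False

    def sign(self, bits):
        if self._used:
            raise RuntimeError("one-time key already used; generate a new key pair")
        if 2 * len(bits) != len(self._secret):
            raise ValueError("message length does not match the key")
        self._used = True
        return tuple(self._secret[(i, b)] for i, b in enumerate(bits, start=1))


def verify(public, bits, sig):
    """true iff f(a_i) = z_{i,m_i} for every position i."""
    if not (len(bits) == len(sig) == len(public) // 2):
        return False
    return all(f(a) == public[(i, b)]
               for i, (b, a) in enumerate(zip(bits, sig), start=1))


def revealed_values(signed):
    """Secret values disclosed by a collection of (bits, signature) pairs."""
    revealed = {}
    for bits, sig in signed:
        for i, (b, a) in enumerate(zip(bits, sig), start=1):
            revealed[(i, b)] = a
    return revealed


def signable_messages(revealed, k):
    """Every k-bit message for which all needed secret values are disclosed."""
    return [bits for bits in product((0, 1), repeat=k)
            if all((i, b) in revealed for i, b in enumerate(bits, start=1))]


def reuse_exposure(messages):
    """How many messages become signable if one key signs all of `messages`."""
    signed = [(m, OneTimeSigner(SECRET).sign(m)) for m in messages]
    return len(signable_messages(revealed_values(signed), 3))


if __name__ == "__main__":
    sig = OneTimeSigner(SECRET).sign((1, 1, 0))
    print(sig, verify(PUBLIC, (1, 1, 0), sig))
    print(reuse_exposure([(1, 0, 1)]), reuse_exposure([(1, 0, 1), (0, 1, 0)]))
```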


Lamport-Preimage(z)

• If we have Lamport-Forge:
• Lamport-Preimage(z)
    Select i0 ∈ {1,…,k} and j0 ∈ {0,1} randomly
    Build public key Z = (z_{i,j}: 1 ≤ i ≤ k, j = 0,1) s.t. z = z_{i0,j0}
    ((m1,…,mk), (a1,…,ak)) = Lamport-Forge(z)
    if m_{i0} = j0
        then return (a_{i0})
        else return (fail)


Success of Lamport-Preimage

• Theorem: with Lamport-Forge, the success rate of Lamport-Preimage(z) 1/2

• Proof:
– Let S be the set of all public keys, s = |S|
– Let S_z be the set of public keys that contain z, s_z = |S_z|
– Let T_z be all Z ∈ S with Lamport-Preimage success, t_z = |T_z|
– Σ_{z∈Z} t_z = ks; 2ks = s_z·|Z|
– Pr(success) = (1/|Z|) Σ_{z∈Z} p_z = (1/|Z|) Σ_{z∈Z} t_z/s_z = Σ_{z∈Z} t_z/(s_z·|Z|) = (1/(2ks)) Σ_{z∈Z} t_z = ks/(2ks) = 1/2


Blind Signature

• Situation: Signing without knowing the content
• Example: Anonymous electronic cash
• Scene

[Figure: Alice, Bob and Authority. ① Blinding; ② Blinded Message; ③ Sign; ④ Signature; ⑤ Unblinding; ⑥ Signature; ⑦ Verification.]


RSA Blind Signature

• Initialization:
• Authority: p, q are primes, N = pq, public key e and ed ≡ 1 mod (p-1)(q-1)
• Blinding:
• Alice: Get N and e, choose a random r ∈ Z_N^*, compute blinded message b ≡ m·r^e (mod N)


RSA Blind Signature

• Signing:
• Authority: sign the blinded message b: s = b^d
• Unblinding:
• Alice: Remove the r from s: s = s·r^-1 ≡ m^d (mod N)
• Verify:
• Bob: Receive (m1, s1), check s1^e ≡? m1 (mod N)
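The blinding, signing, unblinding and verification messages of the RSA blind signature, as an added Python example that is not part of the original slides. Assumptions: the toy modulus built from two small Mersenne primes, e = 65537, integer messages without hashing or padding as on the slides, and all function names.

```python
import math
import secrets

# Authority's constructed toy key; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def random_blinding_factor():
    """Alice: random r in Z_N^* (must be invertible mod N)."""
    while True:
        r = 2 + secrets.randbelow(N - 2)
        if math.gcd(r, N) == 1:
            return r


def blind(m, r):
    """Alice: b = m * r^e mod N."""
    return m * pow(r, E, N) % N


def authority_sign(b):
    """Authority: signs what it is given, b^d mod N, without seeing m."""
    return pow(b, D, N)


def unblind(blinded_sig, r):
    """Alice: (b^d) * r^-1 = m^d * r * r^-1 = m^d mod N."""
    return blinded_sig * pow(r, -1, N) % N


def verify(m, s):
    """Bob: s^e =? m mod N."""
    return pow(s, E, N) == m % N


def run_protocol(m, r=None):
    """One protocol run; returns what each party sees."""
    r = r if r is not None else random_blinding_factor()
    b = blind(m, r)                      # Alice -> Authority
    blinded_sig = authority_sign(b)      # Authority -> Alice
    s = unblind(blinded_sig, r)          # Alice -> Bob, with m
    return {
        "authority_saw": (b, blinded_sig),
        "bob_received": (m, s),
        "valid": verify(m, s),
        "equals_direct_signature": s == pow(m, D, N),
    }


if __name__ == "__main__":
    first, second = run_protocol(42), run_protocol(42)
    print(first["valid"], first["equals_direct_signature"])
    # Same m, fresh r: the Authority's view differs, Bob's signature does not.
    print(first["authority_saw"] != second["authority_saw"],
          first["bob_received"] == second["bob_received"])
```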


Undeniable Signature

• Signature with following features:
– Signature verification must involve the participation of the signer
– Signer can prove that a signature is not valid
– Signer can't deny a valid signature
– So Undeniable
• Example:
– Software distribution


Why Undeniable?

• The signer needs to be online when verifying
– The precondition for undeniability
– Challenge-Response interaction
• The signer can prove a signature is forged
– If he refuses to prove
– Then the signature is valid


How to Prove?

• In Challenge-Response interaction
– If the verification fails
• The signature is a fraud
• Signer cheats by giving "incorrect" response
– So some protocol needs to be run after a failure
• Summary: Signing & Verification & Disavowal Protocol


Chaum-van Antwerpen Signature

• Initialization:
• The Signer chooses:
– two primes p and q, and p = 2q+1
– g ∈ Z_p^* and ord(g) = q
– G generated by g, so G is a subgroup of Z_p^*
– A random k (0 < k < q), k is secret and g^k is public


Chaum-van Antwerpen Signature

• Signing: For a message m ∈ G: s = m^k (mod p)
• Verification: Bob and Signer interact:
– Challenge: Bob selects two random a, b ∈ Z_q^* and sends the challenge c = s^a (g^k)^b (mod p)
– Response: r = c^{k^-1} ≡ m^a g^b (mod p)
– Test: Bob checks VER(m, r) = (r ≡? m^a g^b (mod p))


Chaum-van Antwerpen Signature

• Disavowal Protocol: (when verification fails)
– Bob → Signer: select a1, b1 ∈ Z_q^* and sends c1 = s^{a1} (g^k)^{b1} (mod p)
– Signer → Bob: r1 = c1^{k^-1}
– Test: if r1 ≢ m^{a1} g^{b1} (mod p), then follow
– Bob → Signer: select a2, b2 ∈ Z_q^* and sends c2 = s^{a2} (g^k)^{b2} (mod p)
– Signer → Bob: r2 = c2^{k^-1}
– Test: r2 ≢ m^{a2} g^{b2} (mod p)
If (r1·g^{-b1})^{a2} ≡ (r2·g^{-b2})^{a1} (mod p)
then forged
else signer cheat
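The verification and disavowal exchanges of the Chaum-van Antwerpen scheme, run against an honest signer and against a signer that answers inconsistently, as an added Python example that is not part of the original slides. Assumptions: the constructed toy group p = 467, q = 233, g = 4, the secret k = 101, and all function names; exponents k^-1 are taken mod q.

```python
import secrets

# Constructed toy group: P = 2*Q + 1 and G = 4 has order Q in Z_P^*.
P, Q, G = 467, 233, 4
K = 101                       # signer's secret k (constructed)
PUB = pow(G, K, P)            # public g^k


def sign(m):
    """s = m^k mod p, for m in the subgroup generated by G."""
    return pow(m, K, P)


def rand_pair():
    """Bob's random a, b in Z_q^*."""
    return 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)


def challenge(s, a, b):
    """Bob -> Signer: c = s^a (g^k)^b mod p."""
    return pow(s, a, P) * pow(PUB, b, P) % P


def honest_response(c):
    """Signer -> Bob: r = c^(k^-1 mod q) mod p."""
    return pow(c, pow(K, -1, Q), P)


def expected(m, a, b):
    """What Bob compares the response with: m^a g^b mod p."""
    return pow(m, a, P) * pow(G, b, P) % P


def verify(m, s, respond=honest_response, ab=None):
    a, b = ab or rand_pair()
    return respond(challenge(s, a, b)) == expected(m, a, b)


def disavow(m, s, respond=honest_response, ab1=None, ab2=None):
    """Two failed verification rounds followed by Bob's consistency test."""
    (a1, b1), (a2, b2) = ab1 or rand_pair(), ab2 or rand_pair()
    r1 = respond(challenge(s, a1, b1))
    r2 = respond(challenge(s, a2, b2))
    if r1 == expected(m, a1, b1) or r2 == expected(m, a2, b2):
        return "verification passed"
    lhs = pow(r1 * pow(G, -b1, P) % P, a2, P)
    rhs = pow(r2 * pow(G, -b2, P) % P, a1, P)
    return "forged" if lhs == rhs else "signer cheat"


def wrong_exponent_response(c):
    """A signer trying to disown a valid signature by not using k^-1."""
    return pow(c, 7, P)


if __name__ == "__main__":
    m = pow(G, 5, P)
    s = sign(m)
    not_a_signature = s * G % P           # in the subgroup, but not m^k
    print(verify(m, s))                                        # True
    print(verify(m, not_a_signature))                          # False
    print(disavow(m, not_a_signature))                         # forged
    print(disavow(m, s, respond=wrong_exponent_response,
                  ab1=(2, 3), ab2=(5, 7)))                     # signer cheat
```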


Correctness of Verification

• Theorem: if s ≢ m^k mod p, then Bob accepts s as correct signature with prob. at most 1/q
• Proof:
– For each c = s^{e1} (g^k)^{e2}, there are q pairs of (e1, e2) because the order of s and g^k is all q
– g is a generator and ord(g) = q
– c = g^i, r = g^j, m = g^v, s = g^w
– c ≡ s^{e1} (g^k)^{e2} (mod p); r ≡ m^{e1} g^{e2} (mod p)
– i ≡ w·e1 + k·e2 (mod q); j ≡ v·e1 + e2 (mod q)
– If s ≢ m^k mod p, then w ≢ kv mod q, then det [w k; v 1] ≠ 0, and only a pair in q pairs of (e1, e2) is correct


Correctness of Disavow Protocol

• Theorem: If s ≢ m^k mod p, and both parties follow the protocol, then (r·g^{-e2})^{f1} ≡ (R·g^{-f2})^{e1} (mod p) (Alice can convince Bob)
• Proof:
– r = c^{k^-1} (mod p)
– c ≡ s^{e1} (g^k)^{e2} (mod p)
– (r·g^{-e2})^{f1} ≡ ((s^{e1} (g^k)^{e2})^{k^-1} g^{-e2})^{f1} (mod p) ≡ s^{e1·k^-1·f1} (mod p)
– R = C^{k^-1} (mod p)
– (R·g^{-f2})^{e1} ≡ s^{e1·k^-1·f1} (mod p)


Correctness of Disavow Protocol

• Theorem: If s ≡ m^k mod p, and Bob follows the protocol, then Alice can convince Bob ((r·g^{-e2})^{f1} ≡ (R·g^{-f2})^{e1} (mod p)) with prob. 1/q
• Proof:
– s = m^k; (r·g^{-e2})^{f1} ≡ (R·g^{-f2})^{e1} (mod p)
– r ≢ m^{e1} g^{e2}; R ≢ m^{f1} g^{f2}
– (r·g^{-e2})^{f1} ≡ (R·g^{-f2})^{e1} (mod p) iff. R = (r^{1/e1} g^{-e2/e1})^{f1} g^{f2}
– Let r0 = r^{1/e1} g^{-e2/e1}, which can be computed after stage one
– Let stage two is the verification protocol
– Suppose s is the r0's signature (s = r0^k mod p) with prob. 1-1/q
– s ≡ m^k mod p and s = r0^k mod p ⇒ m = r0
– r ≢ m^{e1} g^{e2} ⇒ m ≢ r^{1/e1} g^{-e2/e1} ⇒ m ≠ r0
– Contradiction ⇒ (r·g^{-e2})^{f1} ≡ (R·g^{-f2})^{e1} (mod p) with prob. 1/q


Fail-Stop Signatures

• Situation: For the Attacker with Unlimited Computing Power
• Scene

[Figure: Alice, Bob, TTP and Oscar. Establish Parameters; ② Public Keys; ③ Signatures; Forged Signatures; ⑤ Build PROOF; ⑥ Proof; ⑦ Fail-stop.]


Van Heyst & Pedersen Signature

• Initialization:
• TTP: two primes p and q, and p = 2q+1
– g ∈ Z_p^* and ord(g) = q
– a random r ∈ Z_q^* (0 < r < q), r is known only by TTP and R = g^r
– (p, q, g, R) is public and r is kept secret
• Signer (Alice): Select a1, a2, b1, b2 ∈ Z_q^* as secret key, compute (1ga1Rb1 mod p 2ga2Rb2 mod p) as public key


Van Heyst & Pedersen Signature

• Signing:
• Alice: Sig_K(m) = (s1, s2)
s1 = a1 + m·b1 mod q
s2 = a2 + m·b2 mod q
• Verification:
• Bob: Ver_K(m, s) is 12m?gs1Rs2 mod p


Van Heyst & Pedersen Signature

• Build PROOF:
• Alice:
– Detect a forged signature (s1', s2') for m
– Compute the original signature (s1, s2) for m
– Compute PROOF(s') = r ≡ (s1 - s1')(s2' - s2)^-1 (mod q)
r is the proof


Van Heyst & Pedersen: Remark

• Lemma 1: Let Oscar with unlimited power, he can solve (a1,a2,b1,b2) with q possible solutions from the public information and a signature s=(s1,s2) for m
• Proof: Denote 1=ge1 and 2=ge2 , so
g^{e1} ≡ g^{a1} g^{r·b1} mod p; g^{e2} ≡ g^{a2} g^{r·b2} mod p
e1 = a1 + r·b1 mod q; e2 = a2 + r·b2 mod q
s1 = a1 + m·b1 mod q; s2 = a2 + m·b2 mod q

[Matrix form of these four equations in the unknowns (a1, a2, b1, b2): coefficient matrix with entries 0, 1, r and m, right-hand side (e1, e2, s1, s2)]

Rank is 3

Find by unlimited power


Van Heyst & Pedersen: Remark

• Lemma 2: Let a signature s=(s1,s2) for m and a signature s'=(s1',s2') for m', then a single solution for (a1,a2,b1,b2)
• Proof:

[Matrix form: the system of Lemma 1 in the unknowns (a1, a2, b1, b2), extended with two rows for m' and the right-hand side entries s1', s2']

Rank is 4

• Notes:
– One-time signature
– Oscar can compute s' = sig_K(m') with prob. 1/q known s = sig_K(m)
– BUT Oscar can give a verifiable signature s'' for m' and s'' ≠ s'


Van Heyst & Pedersen: Remark

• Lemma 3: If Signer get a forged signature s'=(s1',s2') for m and s' ≠ s, he can compute the r = log_g R
• Proof:
– The forged signature s' can pass the test 12 mgs’1Rs’2 mod p
– For original signature 12 mgs1Rs2 mod p
– g^{s1'} R^{s2'} ≡ g^{s1} R^{s2} mod p ⇒ r = log_g R ≡ (s1 - s1')(s2' - s2)^-1 (mod q)
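The Build PROOF step and Lemma 3 worked through in code, as an added Python example that is not part of the original slides: Alice turns a second verifying signature on m into r = log_g R, which the TTP can check. Assumptions: the toy group p = 467, q = 233, g = 4, all key values, the names GAMMA1 and GAMMA2 for the public key, and the pairing s1 = a1 + m·a2, s2 = b1 + m·b2, under which the verification equation holds for a public key of the form g^a1 R^b1, g^a2 R^b2. Oscar's unlimited computing power is simulated by letting the helper use r directly.

```python
# Constructed toy group: P = 2*Q + 1 and G = 4 has order Q in Z_P^*.
P, Q, G = 467, 233, 4
TTP_R = 77                            # r, known only to the TTP (constructed)
R = pow(G, TTP_R, P)                  # public R = g^r

# Alice's secret key (constructed) and her public key.
A1, A2, B1, B2 = 15, 88, 201, 42
GAMMA1 = pow(G, A1, P) * pow(R, B1, P) % P
GAMMA2 = pow(G, A2, P) * pow(R, B2, P) % P


def sign(m):
    """Alice's signature (s1, s2) on m in Z_q (pairing assumed as stated above)."""
    return (A1 + m * A2) % Q, (B1 + m * B2) % Q


def verify(m, sig):
    """Bob's test: GAMMA1 * GAMMA2^m =? g^s1 * R^s2 (mod p)."""
    s1, s2 = sig
    return GAMMA1 * pow(GAMMA2, m, P) % P == pow(G, s1, P) * pow(R, s2, P) % P


def other_verifying_signature(m, delta):
    """Stand-in for Oscar: a different pair that passes verify().

    Shifting (s1, s2) by (r*delta, -delta) leaves g^s1 * R^s2 unchanged. Using
    TTP_R here replaces the discrete-log computation the slides grant Oscar.
    """
    s1, s2 = sign(m)
    return (s1 + TTP_R * delta) % Q, (s2 - delta) % Q


def proof_of_forgery(m, claimed):
    """Alice: r = (s1 - s1') * (s2' - s2)^-1 mod q for a verifying s' != s."""
    s1, s2 = sign(m)
    f1, f2 = claimed
    if (f1, f2) == (s1, s2) or not verify(m, claimed):
        return None                   # her own signature, or one that fails anyway
    return (s1 - f1) * pow((f2 - s2) % Q, -1, Q) % Q


def ttp_accepts(proof):
    """TTP or any verifier: the proof is valid iff g^proof = R."""
    return proof is not None and pow(G, proof, P) == R


if __name__ == "__main__":
    m = 9
    genuine = sign(m)
    forged = other_verifying_signature(m, 5)
    print(verify(m, genuine), verify(m, forged), forged != genuine)
    proof = proof_of_forgery(m, forged)
    print(proof, ttp_accepts(proof))
    print(proof_of_forgery(m, genuine))       # None: nothing to prove
```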


Summary

• Nonrepudiation
– Digital Signature
– Public Key Infrastructure
• RSA Signature
• ElGamal Signature
• Digital Signature Algorithm
• Signatures with other Properties