
Digital Signatures

Cryptographic goals

Confidentiality:
    Symmetric-key ciphers: block ciphers, stream ciphers
    Public-key ciphers
Data integrity:
    Arbitrary-length hash functions
    Message authentication codes (MACs)
    Digital signatures
Authentication:
    Entity authentication: authentication primitives
    Message authentication: MACs, digital signatures
Non-repudiation:
    Digital signatures
Non-repudiation
m is a signed message
s is a valid signature for m

    Alice --(m, s)--> Bob

Alice can deny her signature if she finds:

    m' ≠ m such that s is a valid signature for m'
Message Authentication Codes

MAC f(x, key): {0,1}* → {0,1}^n

    knowing x and key, f is easy to compute
    it is infeasible to calculate f(x, key) without the key

MACs are often block-cipher based

    message m, secret key k
    specification of a block cipher E
    MAC(m) = E(m, k)
    MAC(m) = E(hash(m), k)
Use of a MAC
Used to provide
    Data integrity
    Message authentication

[Figure: the signer feeds the message and the secret key into the MAC algorithm and sends message + MAC over an unsecured channel; the verifier feeds the received message, the received MAC and the same secret key into the MAC verification algorithm, which outputs Ok / not Ok.]
Digital Signature Scheme
Used to provide
    Data integrity
    Message authentication
    Non-repudiation

[Figure: the signer feeds the message and the signer's private key into the signing algorithm and sends message + signature over an unsecured channel; the verifier feeds the received message, the signature and the signer's public key into the verification algorithm, which outputs Ok / not Ok.]
Difference between a MAC and a digital signature
To prove the validity of a MAC to a third party, you need to reveal the key

If you can verify a MAC, you can also create it

A MAC does not allow a distinction to be made between the parties sharing the key

Computing a MAC is (usually) much faster than computing a digital signature
    Important for devices with low computing power
Framework
Digital Signatures can provide
Authentication
Data Integrity
Non-Repudiation
Framework
Definitions
Digital Signature - a data string which associates a message with some originating entity
Digital Signature Generation Algorithm - a method for producing a digital signature
Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm
Framework (cont.)
Notation
    M - message space
    MS - signing space
    S - signature space
    R - a one-to-one mapping from M to MS, called the redundancy function
    MR - the image of R
    R^-1 - the inverse of R
    h - a one-way function with domain M
    Mh - hash value space, the image of h (h: M → Mh)
Types of attacks
Key-only attack: the adversary knows only the public key
Message attacks
    Known-message attack: the adversary has signatures for a set of messages which are known to the adversary but not chosen by him
    Chosen-message attack: the adversary obtains valid signatures for a list of messages of his choice, fixed in advance (non-adaptive)
    Adaptive chosen-message attack: the adversary can use the signer as an oracle, choosing each message after seeing earlier signatures
RSA signature algorithm

Key generation

1. Generate two large random distinct primes p and q, each roughly the same size
2. Compute n = pq and φ(n) = (p − 1)(q − 1)
3. Select a random integer e: 1 < e < φ, such that gcd(e, φ) = 1
4. Compute the unique integer d: 1 < d < φ, such that ed ≡ 1 (mod φ)
5. Public key is (n, e); private key is d
Notation

M is a set of elements, called the message space = Z_n
MS is a set of elements, called the signing space = Z_n
R is a 1-to-1 mapping from M to MS, called the redundancy function
MR is the image of R: {y | y = R(x), x ∈ M}
R^-1 is the inverse of R: MR → M
RSA signature generation and verification

To sign a message m ∈ M, A should:

    Compute m̃ = R(m), an integer in the range [0, n − 1], where R is the redundancy function
    Compute s = m̃^d mod n
    A's signature for m is s

To verify A's signature and recover m, B should:

    Obtain A's authentic public key (n, e)
    Compute m̃ = s^e mod n
    Verify that m̃ ∈ MR; if not, reject the signature
    Recover m = R^-1(m̃)
Proof that signature verification works

Euler's theorem: a^φ(n) ≡ 1 (mod n) whenever gcd(a, n) = 1, where φ(n) is Euler's function of n

If s is a signature for m, then:

    s ≡ m̃^d (mod n), with m̃ = R(m)

Since n = pq and ed ≡ 1 (mod φ(n)), i.e. ed = 1 + t·φ(n) for some integer t, then:

    s^e ≡ m̃^(ed) ≡ m̃^(1 + t·φ(n)) ≡ m̃ · (m̃^φ(n))^t ≡ m̃ (mod n)

Finally:

    R^-1(m̃) = R^-1(R(m)) = m

(Euler's theorem as stated needs gcd(m̃, n) = 1; the identity s^e ≡ m̃ (mod n) in fact holds for every m̃ ∈ Z_n, which follows by checking it modulo p and modulo q separately.)
RSA signature example

Alice:
    p = 5, q = 7, n = 35, φ(n) = 4 · 6 = 24
    e = 5; d: ed = 5d ≡ 1 (mod 24) => d = 5
    Public key: (n = 35, e = 5); private key: d = 5

    M = [0, n − 1]
    For all m ∈ M, R(m) = m
    m = 26; m̃ = R(m) = 26; s = 26^5 mod 35 = 31

Bob:
    m̃ = s^e mod n = 31^5 mod 35 = 26 ∈ [0, n − 1]
    m = R^-1(m̃) = 26
Possible attacks on RSA signatures

Integer factorization
    If an adversary is able to factor n, then from n = pq he obtains φ(n) = (p − 1)(q − 1) and can find d: ed ≡ 1 (mod φ(n))

Multiplicative property of RSA

    s1 ≡ m̃1^d (mod n)
    s2 ≡ m̃2^d (mod n)
    if m̃ = m̃1 · m̃2 then s ≡ m̃^d ≡ (m̃1 · m̃2)^d ≡ s1 · s2 (mod n)

    If m̃ ∈ MR, then s is a valid signature for m = R^-1(m̃)

Hence, to avoid this attack R must not be multiplicative, i.e.

    ∀ a, b ∈ M: R(a · b) ≠ R(a) · R(b)
RSA (cont.)
Performance (p, q are k-bit primes)
    Signature: O(k^3)
    Verification: O(k^2)
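The following is an added example, not code from the slides: it runs the slides' toy RSA parameters (p = 5, q = 7, e = 5, m = 26) through a generic sign/verify pair with a pluggable redundancy function R, and then reproduces the multiplicative property on the textbook key p = 61, q = 53, e = 17 to show why a non-multiplicative R makes the product s1·s2 fail verification. `R_pattern` (append the nibble 0xF) is an illustrative choice of R assumed here, not one the slides define.

```python
# Added example, not from the slides: textbook RSA signing with a
# redundancy function R, run on the slides' toy key (p=5, q=7, e=5,
# m=26) and then on the textbook key p=61, q=53, e=17 to show the
# multiplicative forgery. R_pattern is an illustrative choice of R.
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Steps 2-5 of the slides' key generation for given p, q and e."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                  # unique d with ed == 1 (mod phi)
    return (n, e), d

# R(m) = m: every element of Z_n lies in M_R, so nothing is ever rejected.
def R_identity(m: int) -> int:
    return m

def R_identity_inv(mt: int):
    return mt

# Non-multiplicative R (illustrative): append the nibble 0xF to m.
# R^-1 returns None when the nibble is missing, i.e. mt is not in M_R.
def R_pattern(m: int) -> int:
    return (m << 4) | 0xF

def R_pattern_inv(mt: int):
    return mt >> 4 if (mt & 0xF) == 0xF else None

def sign(d: int, n: int, m: int, R) -> int:
    """s = R(m)^d mod n."""
    return pow(R(m), d, n)

def verify(pub, s: int, R_inv):
    """Return the recovered m, or None if m~ = s^e mod n is not in M_R."""
    n, e = pub
    return R_inv(pow(s, e, n))

def slide_example():
    """The slides' numbers: n = 35, d = 5, s = 26^5 mod 35 = 31."""
    pub, d = rsa_keygen(5, 7, 5)
    s = sign(d, pub[0], 26, R_identity)
    return pub, d, s, verify(pub, s, R_identity_inv)

def multiplicative_forgery(R, R_inv, m1: int = 5, m2: int = 7):
    """s1*s2 is the signature of R(m1)*R(m2) mod n. It is accepted only
    when that product happens to lie in M_R, which is always the case
    for the identity R and (almost) never for a structured R."""
    pub, d = rsa_keygen(61, 53, 17)      # n = 3233, d = 2753
    n = pub[0]
    s1, s2 = sign(d, n, m1, R), sign(d, n, m2, R)
    return verify(pub, (s1 * s2) % n, R_inv)
```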
Schnorr Signature.
Schnorr Signature - Salient Features

- Derived from the Schnorr identification scheme through the Fiat-Shamir transformation
- Based on the DLP
- Security argued using oracle replay attacks
- Uses the random oracle heuristic
Proof through Contradiction

- Consider a protocol P based on a hard problem
- Aim: the underlying problem is hard ⇒ P is not breakable
  Equivalently: P is breakable ⇒ the underlying problem is not hard

  [Figure: a reduction B runs the adversary A against P inside the challenger C's game and turns A's success into a solution of the hard problem]

- Since the problem is assumed to be hard, this leads to a contradiction.
Security Model

- Lays down the schema to be followed for giving security proofs
- Described using a game between a challenger C and an adversary A
- C simulates the protocol environment for A
- A wins the game if it solves the challenge given by C
Random Oracles

- Heuristic aimed at simplifying security proofs of protocols involving hash functions.
- In proofs, the hash function H is modelled as a truly random function under the control of the challenger C.
- A is given oracle access to this function.
- Proofs without random oracles are preferred.
Schnorr Signature.
Preliminaries
PKS and its Security Models

Definition: Public-Key Signature

A PKS scheme consists of three PPT algorithms {K, S, V}:

- Key Generation:
  - Used by the user to generate the public-private key pair (pk, sk)
  - pk is published and sk is kept secret
  - Run on a security parameter: (pk, sk) ←$ K()
- Signing:
  - Used by the user to generate a signature σ on some message m
  - The secret key sk is used for signing: σ ←$ S(sk, m)
- Verification:
  - Outputs 1 if σ is a valid signature on m; else, outputs 0
  - result ← V(σ, m, pk)
Schnorr Signature.
Preliminaries
Hardness Assumption

Hardness Assumption: Discrete-log Assumption

Discrete-log problem for a group G = ⟨g⟩ with |G| = p:

    the challenger C hands the adversary A the tuple (G, g, p, g^x) for a random exponent x; A solves the DLP if it returns x
ElGamal Digital Signature
Signature Generation
Verification
One-Time Signatures
Definition: digital signature schemes used to sign at most one message; otherwise the signature can be forged. A new public key is required for each signed message.
Most one-time signature schemes have the property that signature generation and verification are both very efficient.
Rabin One-Time Signatures
Key generation
    Select a symmetric-key encryption scheme E (e.g. DES)
    Generate 2n random secret strings k1, k2, ..., k2n ∈ K, each of bit length l
    Compute yi = E_ki(M0(i)), i ∈ [1, 2n]
    Public key is (y1, y2, ..., y2n), private key is (k1, k2, ..., k2n)

Rabin One-Time Signatures
Signature generation:
    compute si = E_ki(h(m)), i ∈ [1, 2n]
    signature is (s1, s2, ..., s2n)
Verification:
    Compute h(m)
    Select n distinct random numbers rj, rj ∈ [1, 2n]
    Request from the signer the keys k_rj, 1 ≤ j ≤ n
    Verify the n received keys, i.e. does y_rj = E_krj(M0(rj))?
    Verify all s_rj = E_krj(h(m))

Rabin One-Time Signatures
Resolution of disputes: signer A, verifier B and a TTP
    B provides m and the signature to the TTP
    The TTP gets the private key k1, ..., k2n from A
    The TTP verifies the authenticity of the private key against the public key
    The TTP computes ui = E_ki(h(m)), 1 ≤ i ≤ 2n. If ui = si for at most n values of i, it is a forgery. If n+1 or more values match, it is a valid signature

Rationale for dispute resolution
    A can disavow with Pr = 1 / C(2n, n) (the chance that B's n requested indices are exactly the n keys A prepared honestly)

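The three Rabin one-time signature slides above (key generation, signing/verification and dispute resolution), as an added example that is not code from the slides. It assumes HMAC-SHA256 as the keyed function E in place of the block cipher the slides name, and takes M0(i) to be the fixed-length 4-byte encoding of the index i.

```python
# Added example, not from the slides: Rabin one-time signature with
# HMAC-SHA256 standing in for the keyed block cipher E (an assumption;
# the slides name DES) and M0(i) taken to be the 4-byte encoding of i.
import hashlib, hmac, os, random

def E(k: bytes, x: bytes) -> bytes:          # keyed one-way function E_k(x)
    return hmac.new(k, x, hashlib.sha256).digest()

def M0(i: int) -> bytes:                      # fixed-length encoding of index i
    return i.to_bytes(4, "big")

def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()

def keygen(n: int, l: int = 16):
    """2n secret l-byte keys k_i; public key y_i = E_{k_i}(M0(i))."""
    ks = [os.urandom(l) for _ in range(2 * n)]
    ys = [E(ks[i], M0(i + 1)) for i in range(2 * n)]
    return ys, ks

def sign(ks, m: bytes):
    return [E(k, h(m)) for k in ks]           # s_i = E_{k_i}(h(m))

def verify(ys, sig, m: bytes, reveal, n: int) -> bool:
    """B picks n distinct indices r_j, obtains k_{r_j} from A through
    `reveal`, and checks both y_{r_j} and s_{r_j} under that key."""
    for r in random.SystemRandom().sample(range(1, 2 * n + 1), n):
        k = reveal(r)
        if E(k, M0(r)) != ys[r - 1] or E(k, h(m)) != sig[r - 1]:
            return False
    return True

def resolve_dispute(ys, ks, sig, m: bytes, n: int) -> str:
    """TTP: authenticate all 2n keys against the public key, then count
    u_i = E_{k_i}(h(m)) == s_i; at most n matches is a forgery."""
    if any(E(ks[i], M0(i + 1)) != ys[i] for i in range(2 * n)):
        return "bad private key"
    matches = sum(E(ks[i], h(m)) == sig[i] for i in range(2 * n))
    return "valid" if matches >= n + 1 else "forgery"

def demo(n: int = 4):
    ys, ks = keygen(n)
    m = b"pay 10 coins to Bob"                 # constructed sample message
    sig = sign(ks, m)
    ok = verify(ys, sig, m, lambda r: ks[r - 1], n)
    # Someone who learned only the n keys revealed in a verification can
    # get at most n of the 2n entries right: the TTP rules it a forgery.
    forged = sig[:n] + [bytes(32)] * n
    return (ok, resolve_dispute(ys, ks, sig, m, n),
            resolve_dispute(ys, ks, forged, m, n))
```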
Blind signature scheme
Definition: A sends a piece of information to B. B signs it and returns the signature to A. From this signature, A can compute B's signature on an a priori message m of A's choice. At the completion of the protocol, B knows neither m nor the signature associated with it.
Application: e-cash

Blind signature scheme (Chaum)
Sender A; signer B
B's RSA public and private keys (n, e) and d are as usual. k is a random secret integer chosen by A, satisfying 0 ≤ k < n and gcd(k, n) = 1 (so that k^-1 mod n exists).
Protocol actions
    (blinding) A computes m* = m · k^e mod n and sends it to B
    Note: (m · k^e)^d = m^d · k (mod n)
    (signing) B computes s* = (m*)^d mod n and sends it to A
    (unblinding) A computes s = k^-1 · s* mod n

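Chaum's protocol above as an added example, not code from the slides. It assumes the textbook RSA key p = 61, q = 53, e = 17 for B (the slides leave B's key unspecified) and checks that the unblinded s equals B's ordinary RSA signature m^d mod n although B only ever saw m*.

```python
# Added example, not from the slides: Chaum's RSA blind signature on
# the textbook key p = 61, q = 53, e = 17 (an assumption). k is A's
# random blinding factor.
from math import gcd
import secrets

def rsa_keygen(p: int, q: int, e: int):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def blind(m: int, pub, k=None):
    """A: m* = m * k^e mod n. k must be invertible mod n for unblinding,
    so it is drawn until gcd(k, n) == 1 (0 <= k < n alone would admit
    k = 0 or a multiple of p or q)."""
    n, e = pub
    while k is None or gcd(k, n) != 1:
        k = secrets.randbelow(n)
    return (m * pow(k, e, n)) % n, k

def sign_blinded(m_star: int, pub, d: int) -> int:
    """B: s* = (m*)^d mod n; B sees only m*, never m."""
    return pow(m_star, d, pub[0])

def unblind(s_star: int, k: int, pub) -> int:
    """A: s = k^-1 * s* mod n, since (m k^e)^d = m^d k (mod n)."""
    n, _ = pub
    return (pow(k, -1, n) * s_star) % n

def verify(m: int, s: int, pub) -> bool:
    """Anyone: s is B's RSA signature on m iff s^e == m (mod n)."""
    n, e = pub
    return pow(s, e, n) == m % n

def demo(m: int = 1234, k: int = 7):
    """Returns (signature verifies, equals B's plain RSA signature,
    B's view m* differed from m). k = 7 is a fixed constructed choice."""
    pub, d = rsa_keygen(61, 53, 17)          # n = 3233, d = 2753
    m_star, k = blind(m, pub, k)
    s = unblind(sign_blinded(m_star, pub, d), k, pub)
    return verify(m, s, pub), s == pow(m, d, pub[0]), m_star != m
```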