Advanced digital signatures. October 31, 2004 Jussipekka Leiwo

Transcription

1 dvanced digital signatures October Jussiekka Leiwo 004

2 General roerties of signatures Signature is authentic Convinces reciient that the signer deliberately signed the docuent Signature is unforgeable The signer nobody else deliberately signed the docuent 3 Signature is not reusable Signature is art of the docuent it can not be oved to a different docuent 4 Signed docuent is unalterable fter signing the signature can not be altered 5 Signature can not be reudiated The signer can not later clai not having signed the docuent October Jussiekka Leiwo 004

3 Signatures with syetric cryto Requires a trusted arbitrator T T E K T T E K T "received fro " 3 roof D K T "received fro " October Jussiekka Leiwo 004 3

4 Observations Universally trusted arbitrators not always ractical in the real world syetric crytograhy reoves the need for an arbitrator Usually a hash eg 60-bit value of the docuent signed instead of the full docuent Tiestas used to revent reciient fro cheating Non-reudiation only achieved through asyetric crytograhy October Jussiekka Leiwo 004 4

5 October Jussiekka Leiwo Signatures with asyetric cryto signs essage verifies the signature? V H h H H S h H 5 4 3

6 dvanced signature schees Grou signatures lind signatures Undeniable signatures Proy signatures etc October Jussiekka Leiwo 004 6

7 Grou signatures Only ebers of a grou can sign essages Reciient can verify that the received signature is a valid signature fro the grou Reciient can not deterine which eber of the grou is the actual signer In case of a disute the identity of the original signer can be revealed October Jussiekka Leiwo 004 7

8 October Jussiekka Leiwo grou signature rotocol n grou ebers have key airs one of which is used for signing sg In disute T knows the identity of the signer Note different fro ultisignature schees! sg e sg i R i i i i i i i i i i n n K d V sg h S K e G d d d K T G e e e K G T d e d e d e d e K T verify Seek corresonding select To sign } { keysbut not identities Publish ublic eber for each grou } { } { 5 4 3

9 lind signatures sends soe inforation disguised for to sign signs it returns the signature to Fro s signature can coute s signature for any arbitrary essage e will not learn or the fact that lice requested a signature for can not observe the essage signed and later associate it to lications in anonyous ecash ental oker etc October Jussiekka Leiwo 004 9

10 Requireents for blind signatures ust have access to a digital signing echanis ie signing function for any S Must eist blinding function f and unblinding function g f is called blinded essage g S f S October Jussiekka Leiwo 004 0

11 linded RS Let k be an integer in RS schee such that gcd k n Let f be the blinding function f k e od n Corresonding unblinding function is then g k od n October Jussiekka Leiwo 004

12 linding a essage in blinded RS Let ed be s RS key air e d od n Select k ass to the blinded essage f k e od n Coute s signature on f d e d f k od n f d ed k od n k od n Unblind s signature on f d g f k k od n d d od n October Jussiekka Leiwo 004

13 October Jussiekka Leiwo Chau s blind signature rotocol den is the RS key air of receives fro the signature of a blinded essage gains no knowledge of or the signature n k n n k n k n k RND k d e od od * * od * gcd 4 3

14 Eale evoting Each voter generates 0 sets of essages of valid vote for each ossible outcoe rando integer Voter blinds essages sends to CTF with blinding factors 3 CTF checks voter has not subitted blinded votes reviously oens 9 sets of votes signs each essage in the set returns to voter stores nae of voter in database 4 Voter unblinds essages results in votes signed by CTF 5 Voter chooses one of the essages encryts with CTF s ublic key sends the vote in 6 CTF decryts votes checks signatures checks database saves serial nubers tabulates votes October Jussiekka Leiwo 004 4

15 Undeniable signatures Signature schees where co-oeration of the signer is required in the verification For eale the signer requires that the verifier can not roof signer s actions without signer s concent Chau-van ntweren undeniable signature schee October Jussiekka Leiwo 004 5

16 Chau-van ntweren key gen To selet a key air does the following Selects a rando rie q is a rie q Select a generator for the subgrou of order Z* a Select a rando eleent * / q Z od n q c if = goto a Select rando integer a{q-} coute y a od 4 s ublic key is y rivate key is a October Jussiekka Leiwo 004 6

17 October Jussiekka Leiwo Chau-van ntweren signing signs essage so that can verify the signature with co-oeration of a od Verification ccet iff od od od od } { w w w a a z w y z q a R 5 4 3

18 Disavowal can disavow a valid signature by Refusing to articiate in the verification rotocol Deliberately erforing the verification rotocol incorrectly or 3 Claiing that the signature is fake even if it verifies correctly disavowal rotocol can be established to guard against and 3 dis a vow trv dis a vowed dis a vow ing dis a vows To disclai knowledge of resonsibility for or association with dictionaryco October Jussiekka Leiwo 004 8

19 October Jussiekka Leiwo Chau-van ntweren disavowal a R a R w c w c a w z w y z q a w z w y z q y od 9 ccet Halt od od od } { select ccet Halt od od od } { select Obtain If c=c concludes signature is a forgery otherwise signature is valid and attets to disavow it

20 Proy signatures To allow a designated erson roy signer to sign on behalf of an original signer Only original signer s ublic key is needed for verification Various degrees of delegation of the signing caabilities fro the original signer to the roy signer are ossible 3 Effective revokation of rights deelgated to dishonest roy signers 4 More efficient in signing/verification coleity and signature size than consquetive signing October Jussiekka Leiwo 004 0

21 Tyes of delegation Full delegation Proy signer has an identical secret than that used by the original signer for signature coutation Partial delegation new secret is constructed fro the original signer s secret for roy signer Proy signature is verified by a odified verification equation 3 Delegation by warrant Original signer issues a warrant of trustowrthiness to the roy signer and the signature constructed by the roy together with the warrant is attached to the signed docuent October Jussiekka Leiwo 004

22 Requireents for roy signatures Unforgeability Only a designated roy signer can construct a roy signature Proy signer s deviation Each roy signature can be associated to a secific roy signer 3 Secret keys deendence Proy secret is couted fro the original signer s secret 4 Verifiability Proy signature conveys original signer s intention to sign the articular essage 5 Distinguishability Valid roy signatures are can not be distinguished fro self-signing signatures in olynoial tie 6 Identifiability Oridinal signer can deterine the identity of the roy signer for any roy signature 7 Indeniability Valid roy signatures can not be disavowed by the roy signer October Jussiekka Leiwo 004

23 asic rotocol -- reliinaries Verification equation with ublic value v is odified so signatures generated with new secret satisfy it Follow the notation v is the ublic value of an original signer ssue a discrete logarith schee where s is the secret of the original signer 3 g is generator for Z* s * v g od s Z \{ 0} R Denote original signer as roy signer as October Jussiekka Leiwo 004 3

24 basic rotocol -- rotocol stes Proy generation icks rando k coutes K and k K g od s k K od Proy delivery through secure channel K 3 Proy verification g? vk K od 4 Signing of by the roy signer Pr oy S K 5 Verification of the roy signature Regular signature verification using v as ublic value v v K K od October Jussiekka Leiwo 004 4

25 Proy ElGaal -- reliinaries Let v be the ublic key of original signer such that v=g s od Let s be a secret of the roy signer and v be the roy signer s ublic key such that v g s od 3 Proy K should satisfy the congruence where s k K od K g K od and k R Z \{ 0} October Jussiekka Leiwo 004 5

26 Proy ElGaal -- signing verification Signing Proy signer icks rando r coutes =gr od To sign essage roy signer coutes y sends y K to the verifier r y od Verification Verifier checks y K by congruence K v g v K od 3 If the check succeeds y K is a valid signature October Jussiekka Leiwo 004 6

27 Proy revokation strategies Publicly available revokation list Hard to ileent in ractice counication overhead Change of original signer s key udate roies of honest roy signers Still needs a revokation list lot of adinistrative overhead 3 Constrcuct an on-line roy udating rotocol Proosed in the original aer on roy signatures Mabo et al CM CCS 996 October Jussiekka Leiwo 004 7

28 dvanced roy signature schees Proy schees based on other schees Multi-roy signatures Proy ulti-signatures Multi-roy ulti-signatures ID-based ulti-roy signatures Designated-receiver roy signatures Proy blind signatures Proy ring signature schees nd so forth October Jussiekka Leiwo 004 8

29 Questions? October Jussiekka Leiwo 004 9