Digital Signatures. p1.

Transcription

1 Digital Signatures p1.

2 Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message m Sign sk (m) p2.

3 Digital signature: 1. Bob has a key pair ( sk, pk). 2. Bob sends m Sign sk ( m) to Alice. 3. Alice verifies the received m s by checking if Vrfy ( m, s ) = 1? Sign ( m) is called a signature for sk pk m. Security reuirement: infeasible to produce a valid pair m, Sign ( m) without knowing sk. sk p3.

4 Encryption (using RSA): Alice PK Bob SK Bob Bob m E c D m Signing (using RSA -1 ): Alice E(s) =m? PK Bob E s SK Bob D Bob m Verify the signature Sign p4.

5 Basic RSA Signature Keys are generated as for RSA encryption: Public key: pk = ( N, e). Secret key: sk = ( N, d). Signing Verifying a message m N : d σ = Sign ( m) = m mod N. That sk is, σ = RSA ( m). a signature ( m, σ ) : e Vrfy ( m, σ) = 1 if and only if m= σ mod N pk or m = RSA( σ ). p5.

6 Correctness: ( ) RSA pk RSA sk ( m) = m. A message m signed with sk will be verified and accepted with the correspondin g pk. p6.

7 Remarks: Basic RSA signature is the reverse of basic RSA encryption. Because of this, digital signatures are often mistakenly viewed as the reverse of public-key encryption. As will be seen, secure RSA signature is not the reverse of secure RSA encryption. Neither is ElGamal signature. p7.

8 Existentially forgeable: 1. Every message m is a valid signature of its ciphertext c, since RSA ( c) = m. 2. If Bob signed m and m, then the signature for mm can be easily forged: σ( mm ) = σ( m) σ( m ). Remedy: hash then sign: Sign sk ( Hm ( )) RSA sk ( Hm ( )), using some σ = = hash function H. p8.

9 Question: Does hash-then-sign make RSA signature secure against chosen-message attacks? Answer: Yes, if H is a full-domain random oracle, i.e., H is Theorem: a random oracle mapping {0,1} ( N is the full domain of RSA ) Full-domain hash RSA signature is secure against any chosen-message attack under the random oracle model. N p9.

10 Problem with full-domain hash: In practice, H is not full-domain. 160 For instance, the range of SHA-1 is {0,1}, { } 1024 while N 0,1,..., N 1 {0,1}, i = f N = Desired : a secure signatue r reuire a full-domain hash. scheme that does not p10.

11 Probabilistic signature scheme l Hash function H :{0,1} {0,1} N (not full domain). l n= N. (E.g., SHA-1, l = 160; RSA, n= 1024.) Idea: pad m m r {0,1} x Hm ( r) {0,1} hash = y= x ( r 0 ) Gx ( ) {0,1} expand n l k n l σ = RSA ( y) sign N where r k {0,1} for some k G l n 1 l :{0,1} {0,1} (pseudorandom generator) p11.

12 Signing a message {0,1} : m k 1. choose a random r {0,1} ; compute x= Hm ( r); 2. compute y = xr G ( x) G ( x) ; // G = G G // 3. The signature is RSA ( ). σ = Verifying a signature ( m, σ ) : compute RSA( σ ) = x t u; y ( m t G x ) check if u = G ( x) and x= H ( ). 2 1 p12.

13 Remarks PSS is secure against chosen-message attacks in the random oracle model (i.e., if H and G are random oracles). PSS is adopted in PKCS #1 v.2.1. Hash functions such as SHA-1 are used for H and G. For instance, let n= 1024, and l = k = 160 let H = SHA-1 G( x) = H( x0) H( x1) H( x2),... p13.

14 DLP-based Digital Signatures p14.

15 Ideas behind DLP-based signature { x g } G = g, g, g,,,, g, a cyclic group of order. { 0, 1, 2,, x,, 1 }. ( ) ( ) = x sk = G, g,, x, pk = G, g,, h where h= g. To sign a message m, Alice needs to show that she knows the secret key x. Besides, non-deterministic signature is desired. So, the signature should be a function of ( mxk,, ), where k is random. We have x, suggesting that m, k. So, let the signature s be a function of ( mxk,, ) whose m x k validity can be verified using g, g, g. k The signer needs to send r: = g along with s. p15.

16 The signature s is a function of ( mxk,, ). s = km + k x mod where k, k k s = km + F( r) x mod where r = g, F : G ( ) s= m Fr ( ) k mod // m= ks + F( r) x mod // ElGamal signature: ( rs, ) G, s= m Frx ( ) k mod To verify a signature ( rs, ), ( ) u ( ) m s F( r) the verifier checks if without knowing and : s= m Frxk ( ) mod m = ks + F( r) x mod m = g g ks g = rh g F ( r) x m s F( r) g = rh x k // in G // p16.

17 ( ) k ( m Fr () ) ( Fr s) = ( + ) Shnorr signature: ( ), s m Fr k ( Fr s) To verify a signature ( ),, ( ) mod (( ) ) m F( r) t the verifier checks if Fr ( ) = F gh : s= m+ Frxk ( ) mod = + ( ( ) ) ( m F( r) ) (( ) ) m F( r) t t mod // mod // k m F r x g = g g // in G // t x t t = s r = g h // in G // F( r) = F g h // in // p17.

18 ElGamal signature in p 1. Key generation: same as in ElGamal encryption. a large prime p and a generator g p. x a randomly chosen number x and h= g mod p; sk = ( p, g, x) and pk = ( p, g, h). 2. To sign a message m, p randomly choose k p; p k compute r g mod p and s ( m rx) k mod ( p 1) ; = = the signature is Sign sk( m) ( r, s) p p. = 3. Verification: Vrfy ( m, r, s) = true if and only if pk m s r ( m, r, s) and g r h mod p. p p p p18.

19 Security of ElGamal signature Based on the assumed intractability of discrete logarithm. Shoud use a new k for each si gning, or the adversary can compute k from two signatures s = ( m rx) k and s = ( m rx) k s s m m k p ( ) mod( 1) k = m m s s p ( )( ) mod( 1) Knowing k, the adversary can compute x s = ( m rxk ) mod ( p) x= m sk r p r p with high probability: ( ) mod( 1), if mod( 1) exists. p19.

20 Security of ElGamal signature (cont'd) Existential forgery. Construct a message m and a valid signature ( rs, ) as follows. a) choose k, c p. k c b) set = mod, = mod( ), and r g h p s rc p m = rkc 1 mod( p ). Countermeasure: hash then sign. p20.

21 Digital Signature Algorithm (DSA) - an NIST standard 0. Shnorr's idea: working in a subgroup of p of prime order p will shorten the signature, desired for Smart Card applications. ElGamal signature scheme uses: p { p 2 α α α α } p { 012 p 2} =,,,,. =,,,,. A signature is (, ) p p p p. DSA uses: { 0 1 } rs Z Z Z Z b,,, p, where g = α, p 1. g = g g g b = A signature is ( rs ˆ, ) Z Z p21.

22 1. Key generation choose two primes p and such that ( p ). ( p, e.g., = 160, p = 1024.) g let p be an element of order. x randomly choose 0 x and compute h= g mod p; ss ytem parameters: ( p,, g) sk = ( x) and pk = ( h). ( R emark: The DLP will be working in g.) p22.

23 2. Signing: to sign a message m, k Z rˆ = g p k randomly choose ; compute ( mod ) mod. s = H m + rx ˆ k compute ( ( ) ) mod. // choose a different k if rˆ = 0 or s = 0 // r ( mrs, ˆ, ) is the signed message. Verification: 3. accept (,, ) iff, and ( H m rˆ t ) mrs ˆ rs ˆ Z ( ) ˆ ( ) mod mod, where 1 mod. r = g h p t = s p23.

24 DSA Correctness: if the message is signed correctly, the signature will be verified/accepted. s = H m + rx ˆ k ( ( ) ) mod k Hm+ rx ˆ t t = s ( ( ) ) mod ( mod ) ( ( ) ˆ ) g g g k H m rx t mod p k ( H( m) rˆ g g h ) t mod p ( ( ) ˆ ) g mod p= g h k H m r t mod p rˆ ( ( ) ˆ h mod p) k H m r t ( g mod p) mod = ( g ) mod p24.

25 Remarks on DSA SHA-1 is suggested for use as the hash function. = 160 bits, p = t, 0 t 8. Because a hash is used, there is no restriction on m. Why use g instead of p? g is a subgroup of of order. Shorter message length: ( rˆ, s) = 2 bits, rather than 2 p. Reason: The Index Calculus method works for p Why not work in? The message length would be 2, too. but not for g. p25.