II. Digital signatures

Size: px

Start display at page:

Download "II. Digital signatures"

Susanna Kelly
6 years ago
Views:

1 II. Digital signatures Alice m Bob Eve 1. Did Bob send message m, or was it Eve? 2. Did Eve modify the message m, that was sent by Bob? 1

2 Digital signatures Digital signature - are equivalent of handwritten signatures - guarantee authenticity and integrity of documents - are publicly verifiable (unlike MACs) - are transferable (unlike MACs). 2

3 Digital signatures Definition 2.1 A digital signatur scheme Π is a triple of ppts ( Gen,Sign, Vrfy), where 1. Gen( 1 n ) outputs a key pair ( pk,sk) with pk = sk = n. 2. Sign takes as input a secret key sk and a message m { 0,1} and outputs a signature σ, σ Sign ( sk m). 3. Vrfy takes as input a public key pk, a message m { 0,1}, and a signature σ. It ouputs b { 0,1}, 1 valid, 0 invalid. Vrfy determinitic, b: = Vrfy ( pk m,σ). For every key pair ( pk,sk)and message m: Vrfy ( pk m,sign ( sk m) ) = 1. 3

4 Digital signatures pk pk Alice ( m,σ) pk ( pk,sk) Gen( 1 n ) Bob Vrfy pk? ( m,σ) = 1 Eve σ Sign sk ( m) 4

5 The forging game Signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and oracle access to Sign ( sk ). It outputs pair ( m, σ). Q: = set of queries made by A to Sign ( sk ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1, and (2) m Q. Definition 2.2 Π is called existentially unforgeable under an adaptive chosen-message attack, or secure, if for every ppt adversary A there is a negligible function µ : N R + such that Pr Sig-forge A,Π ( n) = 1 µ ( n ). 5

6 Oracle access Algorithm D has oracle access to function f : U R, if 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) to denote that algorithm D has oracle access to f ( ). 6

7 Existence of secure sigatures Theorem 2.3 Secure digital signature schemes exist if and only if one-way functions exist. 7

8 RSA signatures - prerequisits Z N := ring of integers modulo N Z N := { a Z N : gcd( a,n) = 1} φ ( N) := Z N gcd( a,m) = 1 u,v Z u a + v m = 1 (EEA) u a = 1mod m u = a 1 mod m N = K e p i i φ N i=1 K i=1 ( ) = N ( ) = p i e i p i e i 1 K i=1 ( 1 1 p ) i 8

9 RSA signatures Gen 1 n Sign sk Vrfy pk ( ) : choose 2 random primes p,q 2 n 1,2 n 1 N:= p q,e Z φ N ( ) pk := ( N,e),sk := ( N,d).,d:= e 1 mod φ ( N), ( m) m { 0,1} 2n 3 interpreted as element in Z N, σ := m d mod N. ( m,σ) output 1, if and only if σ e = m mod N., 9

10 RSA signatures - correctness For special case m Z N based on Lemma 2.4 Let N N and m Z N, then m φ ( N ) = 1mod N. 10

11 RSA signatures - efficiency Prime generation 1. choose p 2 n 1,2 n Test whether p is prime, if so output p, otherwise go back to 1. Efficiency based on 1. In 2 n 1,2 n 1 many primes exist (prime number theorem). 2. Efficient primality test exist (Miller-Rabin, AKS) 11

12 RSA signatures - efficiency Exponent generation 1. choose e Z φ ( N ). 2. Test whether gcd( e,φ ( N) ) = 1, if so compute d with e d = 1mod φ ( N), otherwise go back to 1. Efficiency based on 1. In Z M many elements relatively prime to M exist. 2. Can check efficiently whether a,b Z are relatively prime using Eucledean algorithm. 12

13 RSA signatures - efficiency Efficiency of Sign and Vrfy based on 1. arithmetic in Z N can be done efficiently. 2. Exponentiation requires few arithmetic operations using Square-and-Multiply. 13

14 RSA signatures - forgeries existential forgeries Sign ( sk 0) = 0 Sign ( sk 1) = 1 Sign ( sk 1) = 1 selective forgery of Sign sk ( m) query signature oracle with input ˆm := 2 e m mod N and obtain ˆσ. compute σ = 2 1 ˆσ mod N. 14

15 General problem of public-key cryptography Secret key sk must not be efficiently computable from public key pk! General problem for RSA Given e,n ( ) element d Z φ N be efficiently computable. ( ) with e d = 1mod φ ( N) must not Theorem 2.5 Given e,d,n, N = p q for primes p,q, and with e d = 1mod ϕ ( N), then the primes p,q can be computed in time polynomial in log( N). 15

16 Status of factoring problem Two factoring algorithms Number fielde sieve running time ( ( ) 1 3 loglog( N) 2 3 ) exp log N Elliptic curve method running time exp ( log( p) 1 2 loglog( p) 1 2 ), where p smallest prime factor 16

17 Hash-and-Sign ( ) signature scheme with message Π = Ge n,sig n,vrf y length n, Π H = ( Gen H,H) hash function with hash length n. Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s), sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ 17

18 Hash-and-Sign Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s),sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ Theorem 2.7 If Π is secure and Π H is collision-resistant, then Π is secure. 18

19 Hash-and-Sign Construction 2.6 Signature scheme Π = ( Gen,sign, Vrfy) defined as: Gen 1 n Sign sk ( ) : p ( k,s k ) Ge n pk := ( p k,s),sk := s k,s ( m) : σ := Sig n s ( k H s ( m) ). ( 1 n ),s Gen ( H 1 n ), ( ) Vrfy pk ( ) = 1. ( m,σ) : output = 1 Vrf y p k H s ( m),σ Theorem 2.7 If Π is secure and Π H is collision-resistant, then Π is secure. 19

20 RSA signatures ( ) n n 1 n Gen 1 : choose 2 random primes p,q 2,2 1, sk ( ) { } ( σ) N: = p q, pk : = N, 1 e Z φ( N),d: = e mo φ( N) ( e ),sk: = ( N,d). 2n 3 Sign m m 0,1 interpreted as element in Z, σ d : = m mod N. d, e Vrfyp k m, output 1, if and only if σ = m mod N. N 20

21 Random oracle model (ROM) Goal Construct H: { 0,1} R, R <,"random" function. H( x)? Q = ( x 1,H( x 1 )),( x 2,H( x 2 )), { } x Q? H( x) = y If x = x i for x i Q, return H( x i ). If x x i for all x i Q, a) y R b) return H x ( ) = y ( ) c) add pair x,h x ( ) to Q 21

22 Random oracle model (ROM) Q = {( x 1,H( x 1 )),( x 2,H( x 2 )), } H( x)? H x x Q? ( ) = y Random oracel model idealization of - one-way functions - random functions - collision-resistant hash functions. 22

23 RSA-Full-Domain-Hash (RSA-FDH) n By Gen denote an algorithm that on input 1 computes n 1 n 2 random primes p,q 2,2 1,p q, sets N= p q, choos, sets d : e mod N, and outputs 1 es e Z φ( N) = φ( ) ( N,e), sk: ( N, d). pk : = = Construction 2.11 (RSA-FDH) Run Gen 1 n ( ) to obtain pk := N,e ( ) and sk := N,d ( ). Let H: { 0,1} Z N be modeled as a random oracle. Sign on input m { 0,1} and ( N,d) outputs σ := ( H( m) ) d mod N. Vrfy on input m,σ, N,e ( ) outputs 1 σ e = H m ( ) mod N. 23

24 RSA assumption RSA inverting game RSA-inv A,Gen 1. Run Gen to obtain ( N,e). 2. y Z N. ( n) 3. A is given ( N,e) and y. A outputs x Z N. 4. Output of experiment is 1, if and only if x e = y mod N. Write RSA-inv A,Gen ( n) = 1, if output is 1. Definition 2.12 The RSA problem is hard relative to the generation algorithm Gen if for every ppt adversary A there is a negligible function µ : N R + such that Pr RSA-inv A,Gen ( n) = 1 µ ( n ). 24

25 RSA assumption Construction 2.11 (RSA-FDH) Run Gen 1 n ( ) to obtain pk := N,e ( ) and sk := N,d ( ). Let H: { 0,1} Z N be modeled as a random oracle. Sign on input m { 0,1} and ( N,d) outputs σ := ( H( m) ) d mod N. on input m,σ, ( N,e) output 1 σ e = H( m) mod N. Theorem 2.13 If the RSA problem is hard relative to the generation algorithm Gen, then RSA-FDH (Construction 2.11) is existentially unforgeable under an adaptive chosen-message attack. 25

26 From forger to inverter Signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and oracle access to Sign ( sk ). It outputs pair ( m, σ). Q: = set of queries made by A to Sign ( sk ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1, and (2) m Q. ( ) Let q = q n denote number of queries made A, q bounded by polynomial in n. 26

27 From forger to inverter ( ) I on input N,e,y 1. Choose j { 1,,q}. 2. Simulate A with public key ( N,e). Table T stores triples ( m i,σ i,y i ) with meaning that I has set H( m i ) = y i and σ e i = y i mod N. 3. When A makes i-th random oracle query H( m i ), do if i = j, return y otherwise, σ i Z N,y i := σ e i mod N, return y, i add ( m i,σ i,y i ) to T. When A makes signature query m = m i, do if i j, then T contains triple ( m i,σ i,y i ), return σ i. if i = j, then abort experiment. ( ) be A's output. If m = m j and σ e = y mod N, then output σ Let m, σ

28 Existence of secure sigatures Theorem 2.3 Secure digital signature schemes exist if and only if one-way functions exist. 28

29 One-time signatures one One-time signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and may ask single query m to Sign sk It outputs pair ( m,σ),where m m. ( ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1. Definition 2.8 Π is called existentially unforgeable under a single message attack, if for every ppt adversary A there is a negligible function µ : N R + such that one Pr Sig-forge A,Π ( n) = 1 µ ( n ). 29

30 Lamport s one-time signature Construction 2.9 f: { 0,1} { 0,1}, signature scheme Π f = ( Gen,Sign,Vrfy) for messages of length l( n) defined as: Gen( 1 n ) : x i,b { 0,1} n,y i,b = f ( x i,b ),i = 1,,l ( n), b { 0,1}. pk := sk := y 1,0 y 2,0 y l ( n ),0 y 1,1 y 2,1 y l ( n ),1 x 1,0 x 2,0 x l ( n ),0 x 1,1 x 2,1 x l ( n ),1,, Sign sk ( m) : output σ := x 1,m1,,x l n ( ),m = m 1 m l n ( ),m l ( n ) ( ). Vrfy pk ( m,σ) : output = 1 y i,mi = f ( x ) i,mi for i = 1,,l ( n). 30

31 Lamport s one-time signature Construction 2.9 f: 0,1 { } { 0,1} function. Signature scheme Π f = ( Gen,Sign,Vrfy) for messages of length l( n) defined as: Gen( 1 n ) : x i,b { 0,1} n,y i,b = f ( x i,b ),i = 1,,l ( n), b { 0,1}. pk := sk := y 1,0 y 2,0 y l ( n ),0 y 1,1 y 2,1 y l ( n ),1 x 1,0 x 2,0 x l ( n ),0 x 1,1 x 2,1 x l ( n ),1 Sign sk ( m) : output σ := x 1,m1,,x l n Vrfy pk ( ),m l ( n ) ( m,σ) : output = 1 y i,mi = f x i,mi,, ( ),m = m 1 m l n ( ) for i = 1,,l n ( ). ( ). Theorem 2.10 If f is a one-way function, then Π f from Construction 2.9 is existentially unforgeable under a single message attack. 31

32 One-time signatures one One-time signature forging game Sig-forge A,Π 1. ( pk,sk) Gen( 1 n ). ( n) 2. A is given 1 n,pk and may ask single query m to Sign sk It outputs pair ( m,σ),where m m. ( ). 3. Output of experiment is 1, if and only if (1) Vrfy ( pk m,σ) = 1. Definition 2.8 Π is called existentially unforgeable under a single message attack, if for every ppt adversary A there is a negligible function µ : N R + such that one Pr Sig-forge A,Π ( n) = 1 µ ( n ). 32

33 Lamport s one-time signature Theorem 2.10 If f is a one-way function, then Π f from Construction 2.9 is existentially unforgeable under a single message attack. m := message whose signature is requested by A ( m,σ) := A's final output Adverary A outputs forgery at ( i,b),if Vrfy ( pk m,σ) = 1 m i = b and m i m i 33

34 From forger to inverter I on input y * 1. Choose i * { 1,,l},b { 0,1}. 2. For all i { 1,,l},b 0,1 choose x i,b 0,1 { } with ( i,b) i *,b * { } n, set y i,b := f x i,b ( ) do ( ),y i *,b * := y * 3. y 1,0 y 2,0 y l ( n ),0 Simulate A on input pk: = y 1,1 y 2,1 y l ( n ),1 4. When A requests a signature on message m : if m i * = b *, stop otherwise return the correct signature σ = x 1, m1,,x l, ml ( ) with σ = ( x 1,,x l ) 5. When A outputs m, σ if A outputs a forgery at ( i *,b * ), output x i *. ( ) 34

35 Certificates and trusted authorities How can we guarantee that pk A belongs to A? - certificates from trusted authorities (TA) - certificates are signatures - leads to hierarchie of certificates/signatures - must stop at (really) trusted authority 35

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key