Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Transcription

1 Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from

2 Setting the Stage We will cover in more depth some issues for digital signatures we touched on last time.

3 Setting the Stage We will cover in more depth some issues for digital signatures we touched on last time. Lack of tightness in security proof for RSA- FDH, implications & alternatives.

4 Setting the Stage We will cover in more depth some issues for digital signatures we touched on last time. Lack of tightness in security proof for RSA- FDH, implications & alternatives. Discrete-log sigs: DSA vs Schnorr.

5 Setting the Stage We will cover in more depth some issues for digital signatures we touched on last time. Lack of tightness in security proof for RSA- FDH, implications & alternatives. Discrete-log sigs: DSA vs Schnorr. Then we will have a taste of some more exotic variants of digital signatures.

6 Recall: FDH Signatures Signer pk =(N, e) andsk =(N, d) algorithm S H N,d (M) return H(M) d mod N algorithm VN,e H (M, x) if x e H(M) (modn) then return 1 else return 0 Here H: {0, 1} Z N is a random oracle. A good choice of H might be something like H(M) = first n bytes of SHA1(1 M) SHA1(2 M) SHA1(11 M)

7 Recall: FDH Signatures Signer pk =(N, e) andsk =(N, d) algorithm S H N,d (M) return H(M) d mod N algorithm VN,e H (M, x) if x e H(M) (modn) then return 1 else return 0 Here H: {0, 1} Z N is a random oracle. Modulus length A good choiceofh might be something like H(M) = first n bytes of SHA1(1 M) SHA1(2 M) SHA1(11 M)

8 Security Theorem Theorem: [BR96] Let K rsa be a RSA generator and DS =(K, S, V) the associated FDH RO-model signature scheme. Let A be a uf-cma adversary making q s signing queries and q H queries to the RO H and having running time at most t. Then there is an inverter I such that Adv uf-cma DS (A) (q s + q H +1) Adv owf K rsa (I ). Furthermore the running time of I is that of A plus the time for O(q s + q H +1)computationsoftheRSAfunction.

9 Choosing a Modulus Size Say we want 80-bits of security, meaning a time t attacker should have advantage at most t 2 80 : For inverting RSA, this is provided by a 1024 bit modulus assuming NFS is the best attack. But according to the BR96-reduction, FDH could be less secure than RSA by a factor of q s + q H +1, sothatabigger modulus would be needed for 80-bit security.

10 Choosing a Modulus Size Say we want 80-bits of security, meaning a time t attacker should have advantage at most t 2 80.Thefollowingshowsmodulussizek and cost c of one exponentiation, with q H =2 60 and q s =2 45 in the FDH case: Task k c Inverting RSA Breaking FDH as per [BR96] reduction This (for simplicity) neglects the running time difference between A, I. This motivates getting tighter reductions for FDH, or alternative schemes with tighter reductions.

11 PSS Signatures Signer pk =(N, e) andsk =(N, d) algorithm S h,g 1,g 2 (M) N,d $ r {0, 1} 160 w h(m r) r g 1 (w) r y 0 w r g 2 (w) return y d mod N algorithm V h,g 1,g 2 N,e (M, x) y x e mod N b w r P y r r g 1 (w) if (g 2 (w) P) then return 0 if (b =1)then return 0 if (h(m r) w) then return 0 return 1 Here h, g 1 : {0, 1} {0, 1} 160 and g 2 : {0, 1} {0, 1} k 321 are random oracles where k = N.

12 PSS Benefits & Drawbacks Tight security reduction: [BR 96] show that in the random oracle model, forging against PSS is just as hard as inverting RSA.

13 PSS Benefits & Drawbacks Tight security reduction: [BR 96] show that in the random oracle model, forging against PSS is just as hard as inverting RSA. But now fresh randomness is needed per signature, which is expensive.

14 PSS Benefits & Drawbacks Tight security reduction: [BR 96] show that in the random oracle model, forging against PSS is just as hard as inverting RSA. But now fresh randomness is needed per signature, which is expensive. PSS is widely standardized (e.g. in RSA PKCS #1 v2.1), although has not seen widespread use perhaps for this reason.

15 Recall DSA Fix primes p, q such that q divides p 1 Let G = Z p = h and g = h (p 1)/q so that g G has order q H: {0, 1} Z q ahashfunction Signer keys: pk = X = g x Z p and sk = x $ Z q Algorithm S x (M) m H(M) k $ Z q r (g k mod p) modq s (m + xr) k 1 mod q return (r, s) Algorithm V X (M, (r, s)) m H(M) w s 1 mod q u 1 mw mod q u 2 rw mod q v (g u 1 X u 2 mod p) modq if (v = r) then return 1 else return 0

16 Discussion ECDSA is the version where G is replaced with an appropriate elliptic curve group.

17 Discussion ECDSA is the version where G is replaced with an appropriate elliptic curve group. Proof of security is known for a similar scheme due to Schnorr we will see next, although the reduction is quite loose.

18 Discussion ECDSA is the version where G is replaced with an appropriate elliptic curve group. Proof of security is known for a similar scheme due to Schnorr we will see next, although the reduction is quite loose. Both schemes have similar performance and support elliptic curves patent issues may have prevented adoption of Schnorr.

19 Schnorr Signatures Let G = g be a cyclic group of prime order p H: {0, 1} Z p ahashfunction Signer keys: pk = X = g x G and sk = x $ Z p Algorithm S x (M) $ r Z p R g r c H(R M) a xc + r mod p return (R, a) Algorithm V X (M, (R, a)) if R G then return 0 c H(R M) if g a = RX c then return 1 else return 0

20 Design Rationale Obtained via a general paradigm of converting a proof of knowledge to signature scheme using a hash function (called Fiat-Shamir).

21 Design Rationale Obtained via a general paradigm of converting a proof of knowledge to signature scheme using a hash function (called Fiat-Shamir). Schnorr starts with a challenge-response protocol where the prover proves knowledge of x; the challenge is a random c.

22 Design Rationale Obtained via a general paradigm of converting a proof of knowledge to signature scheme using a hash function (called Fiat-Shamir). Schnorr starts with a challenge-response protocol where the prover proves knowledge of x; the challenge is a random c. For the signature, the signer generates the challenge itself by hashing the message.

23 Multisignatures Allows signatures from different signers, all on the same message, to be combined (without the signing keys) into one multisignature".

24 Multisignatures Allows signatures from different signers, all on the same message, to be combined (without the signing keys) into one multisignature". Main benefit is bandwidth savings but security can benefit too since it can be hard to recover individual signatures from a multisignature.

25 Multisignatures Allows signatures from different signers, all on the same message, to be combined (without the signing keys) into one multisignature". Main benefit is bandwidth savings but security can benefit too since it can be hard to recover individual signatures from a multisignature. First efficient realization in [Boldyreva 02] based on bilinear maps (special elliptic curves).

26 Threshold Signatures A t-out-of-n threshold signature scheme allows any of n players to issue partial signatures on messages of their choosing.

27 Threshold Signatures A t-out-of-n threshold signature scheme allows any of n players to issue partial signatures on messages of their choosing. Given partial signatures on m by at least t of the players, anyone can produce a valid signature on m.

28 Threshold Signatures A t-out-of-n threshold signature scheme allows any of n players to issue partial signatures on messages of their choosing. Given partial signatures on m by at least t of the players, anyone can produce a valid signature on m. But less than t partial signatures on m gives no information

29 Threshold Signatures A t-out-of-n threshold signature scheme allows any of n players to issue partial signatures on messages of their choosing. Given partial signatures on m by at least t of the players, anyone can produce a valid signature on m. But less than t partial signatures on m gives no information Again, see [Boldyreva 02] for an efficient realization based on bilinear maps.