Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Transcription

1 Chapter 7: Signature Schemes COMP Lih-Yuan Deng

2 Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme DSA: Digital Signature Algorithm Provably secure signature schemes Undeniable signatures Fail-stop signatures

3 Introduction digital signature is an electronic analogue of a conventional written signature. Applications: as a proof to the recipient that the message was signed by the originator. for stored data and programs so that the integrity may be verified.

4 conventional (cs) vs. digital signatures (ds) signing method: cs is a part of signed physical document. ds is not attached physically to the document. We need to bind ds to the message. (why?) verification method: cs compares it with authentic signature (e.g. credit card signature on the back). Not very secure. (why not?) ds can be verified using public verification program. (secure ds can prevent forgery).

5 difference between cs and ds identical copy of ds can be easily made we need to prevent re-use of ds. e.g. A authorized (by signing a digital signature) B to withdraw $100 from her bank account. Obviously, this ds is meant to be used only once. identical copy of cs is hard to make. e.g. A can send B a signed check. Copy of check is not useful to withdraw from bank.

6 Signature Scheme Definition Five tuples: (P,A,K,S,V) P: set of possible messages A: set of possible signatures K: set of possible keys S: set of signing algorithms, sig K : P A. y= sig k (x), for a private k ε K. V: set of verification algorithms, ver K : P x A {true, false}. ver k (x,y)=0/1 (w/o k).

7 RSA Encryption Rivest-Shamir-Adelman (RSA) Encryption (1977) Choose n=p q, where p and q are large primes Choose e with gcd(e,(p-1)(q-1))=1. Find d = e -1 mod (p-1)(q-1). i.e., d x e = 1 mod (p-1)(q-1) To encrypt: C = P e mod n To decrypt: P = C d mod n

8 RSA Signature Scheme Cryptosystem 7.1 (page 283) Same setup as RSA encryption n=pq, p and q are large primes, d: private decryption key, e: public encrytion key. x=message. y=sig K (x) = x d mod n. ver K (x,y) = true, if and only if x=y e mod n.

9 Attack on RSA Signature In general, (x,y) is called a signed message, if ver K (x,y)=true. If ver K (x,y)=true and x was not previously signed by its owner, then y is called a forgery. Q: can one forge RSA signature? A: choose any y first, then compute x=e K (y). Then (x,y) is a forgery. (why?)

10 Attack on Digital Signature Choose any y first, then compute x=e K (y). Then (x,y) is a forgery. not unique problem to RSA signature. message x may not be meaningful. possible prevention: message x contains sufficient redundancy that is hard to forge. use of hash function in conjunction with signature scheme (more later).

11 Combining signing and public-key encryption So far, we assume that the message to be signed and sent without encryption. Q: How to send a signed and encrypted message from A (Alice) to B (Bob)? A: Two possibilities: 1. y=sig A (x), send z= e B (x,y). 2. z= e B (x), y=sig A (z). send (z,y) Which one is better? (1) (why?)

12 Security requirements for signature schemes Like a cryptosystem, there are similar attack models for a signature scheme: 1. key-only attack. Attack based only on public key. 2. known message attack. Attack based previous signed messages. 3. chosen message attack. Attack based chosen messages signed by A.

13 Goals of adversaries Possible goals of adversaries: 1. total break. Alice s private key is determined. 2. selective forgery. Pr (ability to find a valid signature y for some unseen x) > ε. 3. existential forgery. ability to find a valid signature y for at least one unseen x.

14 Attacks on RSA Signature Choose y first, then compute x=e K (y). existential forgery using key-only. Suppose y 1 =sig K (x 1 ), and y 2 =sig K (x 2 ) were signed by Alice, then y 1 y 2 mod n is a valid signature for x=x 1 x 2 mod n existential forgery using a known message. Suppose x=x 1 x 2 mod n, and we ask Alice for y 1 =sig K (x 1 ) and y 2 =sig K (x 2 ), then y 1 y 2 mod n is a valid signature. selective forgery using a chosen message.

15 Signatures and Hash Functions Signature schemes are almost always used with a fast public cryptographic hash function (e.g. SHA). (how? why?) x=message, z=h(x), a hash function. y=sig K (z). Send (x,y) (plaintext or encrypted) over a communication channel. Even when x=x 1 x 2, h(x) h(x 1 ) h(x 2 ).

16 Digital signature generation and verification standard Source: FIPS-186-2

17 ElGamal Cryptosystems key space K={(p, α, a, β):β= α a mod p} secret key: a α is a generator (primitive element) in Z p * choose random number k ε Z p * e K (x,k) = (y 1, y 2 ) where y 1 = α k mod p, y 2 = x β k mod p. d K (y 1, y 2 ) = y 2 (y 1a ) -1 mod p. Q: Can we design a signature scheme?

18 ElGamal signature scheme (Motivation) K={(p, α, a, β):β= α a mod p}, k=random from Z p * sig K (x,k) = (r, δ) r = α k mod p, find δ such that β r r δ = α x mod p. How to find δ? β r r δ = α x mod p α ar α kδ = α x mod p ar+kδ = x mod (p-1) why (p-1)? Hence, δ = (x-ar)k -1 mod (p-1)

19 Cryptosystem 7.2 (page 288) ElGamal Signature Scheme P=Z p *, A = Z p * x Z p-1 key space K={(p, α, a, β):β= α a mod p} public keys: p, α, β, secret key: a randomly select k from Z p-1 * [gcd(k,p-1)=1.] sig K (x,k) = (r, δ), where r = α k mod p, δ = (x-ar)k -1 mod (p-1) ver K (x,(r, δ)) = true, if β r r δ = α x mod p.

20 Example 7.1 (page 288) Signature Generation K={(p, α, a, β):β= α a mod p} public keys: p, α, β, secret key: a randomly select k from Z p-1 * [gcd(k,p-1)=1.] sig K (x,k) = (r, δ), where r = α k mod p, δ = (x-ar)k -1 mod (p-1) ver K (x,(r, δ)) = true, if β r r δ = α x mod p. p=467, (p-1)/2=233 both are prime numbers α=2 is a primitive element in Z p *. (why?) = -1 mod = 4 mod 467 private key a=127. β= mod 467=132. Let x=100 and k=213. r=2 213 mod 467=29. δ=( *29)*213-1 mod 466=51.

21 Example 7.1 (page 288) Signature Verification K={(p, α, a, β):β= α a mod p} public keys: p, α, β. sig K (x,k) = (r, δ), where r = α k mod p, δ = (x-ar)k -1 mod (p-1) ver K (x,(r, δ)) = true, if β r r δ = α x mod p. p=467, α=2, β=132. message x=100 signature (r,δ)=(29,51). verification? = mod 467? 216*176 = 189 mod 467. (true)

22 Security of the ElGamal Signature Scheme Suppose your opponent, Oscar, tries to forge a signature (r, δ) for a message x. Suppose Oscar guess a correct r, he then has to solve δ in β r r δ = α x mod p. δ = log α (α x β r ) is a hard DL problem. Suppose Oscar guess a correct δ, it appears to be hard to solve for r.

23 Security of the ElGamal Signature Scheme Suppose Oscar tries to find x so that (r, δ) is a signature. He then has to solve x in β r r δ = α x mod p. again, it is a hard DL problem. How about finding any (x, (r, δ)) random message with random valid signature? existential forgery under key-only attack is possible if hash function is not used.

24 Attack on ElGamal Signature Scheme Choose i, j from Z p. gcd(i,p-1)=gcd(j,p-1)=1. Let r= α i β j mod p. Plug it in β r r δ = α x mod p, we have β r (α i β j ) δ = α x mod p. Rearranging the above equation, α x-iδ = β r+jδ mod p. Q: Conditions for this equation? if (why?) x-iδ=0 mod (p-1) r+jδ=0 mod (p-1) With two unknowns (x,δ), we can solve the above equations. δ= -r j -1 mod (p-1) x= -r i j -1 mod (p-1) r= α i β j mod p. (r, δ) is a valid signature for x.

25 Example 7.2 (page 290) r= α i β j mod p. δ= -r j -1 mod (p-1) x= -r i j -1 mod (p-1) (r, δ) is a valid signature for x. ver K (x,(r, δ)) = true, if β r r δ = α x mod p * = mod 467 = 303. (true) See example 7.1 p=467, α=2, β=132. choose i=99, j=179. j -1 mod 466= 151. r= mod 467 r=117. δ=-117(151)mod 466 =41. x=-117*99*(151)mod 466 =331.

26 Second Type of Attack on ElGamal Signature Scheme Assume (x,(r,δ)) is signed previously. Choose h, i, j ε Z p. gcd(hr-jδ,p-1)=1. r = r h α i β j mod p. Plug it in β r r δ = α x mod p, we can find. δ = δ r (hr-jδ) -1 mod (p-1) x = r (hx+iδ)(hr-jδ) -1 mod (p-1) r = r h α i β j mod p. (r, δ ) is a valid signature for x. both attacks are existential forgeries, can be avoided with a hash function

27 Security on the choice of k If k is known and gcd(r,p-1)=1, then a can be easily solved with one (x,(r,δ)) signed message. (why?) δ = (x-ar)k -1 mod (p-1) a = (x-k δ) r -1 mod (p-1). Q: What if k is used more than once? A: It will make the problem of finding a much easier. See page 291. (skip)

28 Summary Digital signature and its applications RSA signature scheme Attacks on RSA signature scheme Security requirements for signature schemes ElGamal signature scheme Attacks on ElGamal signature scheme.