Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Similar documents
Introduction to Elliptic Curve Cryptography. Anupam Datta

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Katz, Lindell Introduction to Modern Cryptrography

Public Key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Notes for Lecture 17

MATH 158 FINAL EXAM 20 DECEMBER 2016

Introduction to Elliptic Curve Cryptography

Cryptography and Security Final Exam

CPSC 467b: Cryptography and Computer Security

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

1 Number Theory Basics

Sharing a Secret in Plain Sight. Gregory Quenell

Asymmetric Encryption

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Lecture 1: Introduction to Public key cryptography

CPSC 467: Cryptography and Computer Security

Elliptic Curve Cryptography

Elliptic Curve Cryptography

8 Elliptic Curve Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Introduction to Cryptography. Lecture 8

Lecture V : Public Key Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Question: Total Points: Score:

Overview. Public Key Algorithms II

Lecture 7: ElGamal and Discrete Logarithms

Discrete Logarithm Problem

The Elliptic Curve in https

Digital Signature Algorithm

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Week : Public Key Cryptosystem and Digital Signatures

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Discrete logarithm and related schemes

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Algorithmic Number Theory and Public-key Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Digital Signatures. p1.

Other Public-Key Cryptosystems

Digital Signatures. Adam O Neill based on

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

New Variant of ElGamal Signature Scheme

Lecture 28: Public-key Cryptography. Public-key Cryptography

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Winter 2011 Josh Benaloh Brian LaMacchia

Public-key Cryptography and elliptic curves

Montgomery-Suitable Cryptosystems

CPSC 467b: Cryptography and Computer Security

Other Public-Key Cryptosystems

Cryptography IV: Asymmetric Ciphers

Public-key Cryptography and elliptic curves

Lecture 11: Key Agreement

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Points of High Order on Elliptic Curves ECDSA

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

On the Big Gap Between p and q in DSA

Advanced Topics in Cryptography

CPSC 467: Cryptography and Computer Security

CRYPTOGRAPHY AND NUMBER THEORY

Public Key Algorithms

Public Key Cryptography

CS 355: Topics in Cryptography Spring Problem Set 5.

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Public-Key Cryptosystems CHAPTER 4

Practice Assignment 2 Discussion 24/02/ /02/2018

An Introduction to Elliptic Curve Cryptography

Discrete Mathematics GCD, LCM, RSA Algorithm

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Mathematics of Cryptography

Arithmétique et Cryptographie Asymétrique

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture Notes, Week 6

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

CPSC 467b: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 22: RSA Encryption. RSA Encryption

CIS 551 / TCOM 401 Computer and Network Security

Carmen s Core Concepts (Math 135)

Polynomial Interpolation in the Elliptic Curve Cryptosystem

CSC 5930/9010 Modern Cryptography: Number Theory

Introduction to Cybersecurity Cryptography (Part 4)

Chapter 10 Elliptic Curves in Cryptography

Lattice-Based Cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Short Exponent Diffie-Hellman Problems

Pairing-Based Identification Schemes

ASYMMETRIC ENCRYPTION

Ti Secured communications

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Transcription:

Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29

Group Theory Recap

Groups Definition A set G with a binary operation defined on it is called a group if the operation is associative, there exists an identity element e G such that for any a G a e = e a = a, for every a G, there exists an element b G such that a b = b a = e. Example Modulo n addition on Z n = {0, 1, 2,..., n 1} 3 / 29

Cyclic Groups Definition A finite group is a group with a finite number of elements. The order of a finite group G is its cardinality. Definition A cyclic group is a finite group G such that each element in G appears in the sequence {g, g g, g g g,...} for some particular element g G, which is called a generator of G. Example Z 6 = {0, 1, 2, 3, 4, 5} is a cyclic group with a generator 1 4 / 29

Z n and Z n For an integer n 1, Z n = {0, 1, 2,..., n 1} Operation is addition modulo n Z n is cyclic with generator 1 For an integer n 2, Z n = {i Z n \ {0} gcd(i, n) = 1} Operation is multiplication modulo n Z n = n 1 if n is a prime Z n is cyclic if n is a prime Definition: If G is a cyclic group of order q with generator g, then for h G the unique x Z q which satisfies g x = h is called the discrete logarithm of h with respect to g. Finding DLs is easy in Z n Finding DLs is hard in Z n 5 / 29

Cryptography based on the Discrete Logarithm Problem

Diffie-Hellman Protocol Alice and Bob wish to generate a shared secret key using a public channel 1. Alice runs a group generation algorithm to get (G, q, g) where G is a cyclic group of order q with generator g. 2. Alice chooses a uniform x Z q and computes h A = g x. 3. Alice sends (G, q, g, h A ) to Bob. 4. Bob chooses a uniform y Z q and computes h B = g y. He sends h B to Alice. He also computes k B = h y A. 5. Alice computes k A = h x B. By construction, k A = k B. An adversary capable of finding DLs in G can learn the key 7 / 29

El Gamal Encryption Suppose Bob wants to send Alice an encrypted message Alice publishes her public key G, q, g, h G is a cyclic group of order q with generator g h = g x where x Z q is Alice s secret key Encryption: For message m G, Bob chooses a uniform y Z q and outputs ciphertext g y, h y m. Decryption: From ciphertext c 1, c 2, Alice recovers ˆm := c 2 c x 1 8 / 29

Schnorr Identification Scheme Let G be a cyclic group of order q with generator g Identity corresponds to knowledge of private key x where h = g x A prover wants to prove that she knows x to a verifier without revealing it 1. Prover picks k Z q and sends initial message I = g k 2. Verifier sends a challenge r Z q 3. Prover sends s = rx + k mod q 4. Verifier checks g s h r? = I Passive eavesdropping does not reveal x (I, r) is uniform on G Z q and s = log g (I y r ) Transcripts with same distribution can be simulated without knowing x Choose r, s uniformly from Z q and set I = g s h r If a cheating prover can generate two responses, he can implicity compute discrete logarithm Section 19.1 of Boneh-Shoup 9 / 29

Digital Signatures

Digital Signatures Digital signatures prove that the signer knows private key Interactive protocols are not feasible in practice Message Signer (Message, Signature) Verifier Decision on Signature Validity Signer s Private Key Signer s Public Key 11 / 29

Schnorr Signature Algorithm Based on the Schnorr identification scheme Let G be a cyclic group of order q with generator g Let H : {0, 1} Z q be a cryptographic hash function Signer knows x Z q such that public key h = g x Signer: 1. On input m {0, 1}, chooses k Z q 2. Sets I := g k 3. Computes r := H(I, m) 4. Computes s = rx + k mod q 5. Outputs (r, s) as signature for m Verifier 1. On input m and (r, s) 2. Compute I := g s h r 3. Signature valid if H(I, m)? = r Example of Fiat-Shamir transform Patented by Claus Schnorr in 1988 12 / 29

Digital Signature Algorithm Part of the Digital Signature Standard issued by NIST in 1994 Based on the following identification protocol 1. Suppose prover knows x Z q such that public key h = g x 2. Prover chooses k Z q and sends I := g k 3. Verifier chooses uniform α, r Z q and sends them 4. Prover sends s := [ k 1 (α + xr) mod q ] as response 5. Verifier accepts if s 0 and g αs 1 h rs 1 Digital Signature Algorithm 1. Let H : {0, 1} Z q be a cryptographic hash function 2. Let F : G Z q be a function, not necessarily CHF 3. Signer: 3.1 On input m {0, 1}, chooses k Z q and sets r := F (gk ) 3.2 Computes s := [ k 1 (H(m) + xr) ] mod q 3.3 If r = 0 or s = 0, choose k again 3.4 Outputs (r, s) as signature for m 4. Verifier 4.1 On input m and (r, s) with r 0, s 0 checks ( F g H(m)s 1 h rs 1)? = r? = I 13 / 29

Elliptic Curves Over Real Numbers

Elliptic Curves over Reals The set E of real solutions (x, y) of y 2 = x 3 + ax + b along with a point of infinity O. Here 4a 3 + 27b 2 0. 4 4 2 2 2 2 2 2 2 2 4 y 2 = x 3 x + 2 4 y 2 = x 3 2x 15 / 29

Point Addition (1/3) P = (x 1, y 1 ), Q = (x 2, y 2 ) x 1 x 2 P + Q = R P Q R R R = (x 3, y 3 ) ( ) 2 y2 y 1 x 3 = x 1 x 2 x 2 x 1 ( ) y2 y 1 y 3 = (x 1 x 3 ) y 1 x 2 x 1 16 / 29

Point Addition (2/3) O P = (x 1, y 1 ), Q = (x 2, y 2 ) x 1 = x 2, y 1 = y 2 P + Q = O P Q 17 / 29

Point Addition (3/3) R P = (x 1, y 1 ), Q = (x 2, y 2 ) x 1 = x 2, y 1 = y 2 0 P + Q = R P R R = (x 3, y 3 ) ( ) 3x 2 2 x 3 = 1 + a 2x 1 2y 1 ( ) 3x 2 y 3 = 1 + a (x 1 x 3 ) y 1 2y 1 18 / 29

Elliptic Curves Over Finite Fields

Fields Definition A set F together with two binary operations + and is a field if F is an abelian group under + whose identity is called 0 F = F \ {0} is an abelian group under whose identity is called 1 For any a, b, c F a (b + c) = a b + a c Definition A finite field is a field with a finite cardinality. 20 / 29

Prime Fields F p = {0, 1, 2,..., p 1} where p is prime + and defined on F p as x + y = x + y mod p, x y = xy mod p. + 0 1 2 3 4 0 0 1 2 3 4 1 1 2 3 4 0 2 2 3 4 0 1 3 3 4 0 1 2 4 4 0 1 2 3 0 1 2 3 4 0 0 0 0 0 0 1 0 1 2 3 4 2 0 2 4 1 3 3 0 3 1 4 2 4 0 4 3 2 1 In fields, division is multiplication by multiplicative inverse x y = x y 1 21 / 29

Characteristic of a Field Definition Let F be a field with multiplicative identity 1. The characteristic of F is the smallest integer p such that 1 + 1 + + 1 + 1 = 0 }{{} p times Examples F 2 has characteristic 2 F 5 has characteristic 5 R has characteristic 0 Theorem The characteristic of a finite field is prime 22 / 29

Elliptic Curves over Finite Fields For char(f ) 2, 3, the set E of solutions (x, y) in F 2 of y 2 = x 3 + ax + b along with a point of infinity O. Here 4a 3 + 27b 2 0. y 10 8 6 4 2 0 y 10 8 6 4 2 0 0 2 4 6 8 10 x y 2 = x 3 + 10x + 2 over F 11 0 2 4 6 8 10 x y 2 = x 3 + 9x over F 11 23 / 29

Point Addition for Finite Field Curves Point addition formulas derived for reals are used Example: y 2 = x 3 + 10x + 2 over F 11 + O (3, 2) (3, 9) (5, 1) (5, 10) (6, 5) (6, 6) (8, 0) O O (3, 2) (3, 9) (5, 1) (5, 10) (6, 5) (6, 6) (8, 0) (3, 2) (3, 2) (6, 6) O (6, 5) (8, 0) (3, 9) (5, 10) (5, 1) (3, 9) (3, 9) O (6, 5) (8, 0) (6, 6) (5, 1) (3, 2) (5, 10) (5, 1) (5, 1) (6, 5) (8, 0) (6, 6) O (5, 10) (3, 9) (3, 2) (5, 10) (5, 10) (8, 0) (6, 6) O (6, 5) (3, 2) (5, 1) (3, 9) (6, 5) (6, 5) (3, 9) (5, 1) (5, 10) (3, 2) (8, 0) O (6, 6) (6, 6) (6, 6) (5, 10) (3, 2) (3, 9) (5, 1) O (8, 0) (6, 5) (8, 0) (8, 0) (5, 1) (5, 10) (3, 2) (3, 9) (6, 6) (6, 5) O The set E O is closed under addition In fact, its a group 24 / 29

Bitcoin s Elliptic Curve: secp256k1 y 2 = x 3 + 7 over F p where p = FFFFFFFF FFFFFFFF }{{} 48 hexadecimal digits = 2 256 2 32 2 9 2 8 2 7 2 6 2 4 1 E O has cardinality n where FFFFFFFE FFFFFC2F n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 Private key is k {1, 2,..., n 1} Public key is kp where P = (x, y) x =79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798, y =483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8. 25 / 29

Point Multiplication using Double-and-Add Point multiplication: kp calculation from k and P Let k = k 0 + 2k 1 + 2 2 k 2 + + 2 m k m where k i {0, 1} Double-and-Add algorithm Set N = P and Q = O for i = 0, 1,..., m if k i = 1, set Q Q + N Set N 2N Return Q 26 / 29

Why ECC? For elliptic curves E(F q ), best DL algorithms are exponential in n = log 2 q C EC (n) = 2 n/2 In F p, best DL algorithms are sub-exponential in N = log 2 p ) L p(v, c) = exp (c(log p) v (log log p) (1 v) with 0 < v < 1 Using GNFS method, DLs can be found in L p (1/3, c 0 ) in F p C CONV (N) = exp (c 0 N 1/3 (log (N log 2)) 2/3) Best algorithms for factorization have same asymptotic complexity For similar security levels n = βn 1/3 (log (N log 2)) 2/3 Key size in ECC grows slightly faster than cube root of conventional key size 173 bits instead of 1024 bits, 373 bits instead of 4096 bits 27 / 29

ECDSA in Bitcoin Signer: Has private key k and message m 1. Compute e = SHA-256(SHA-256(m)) 2. Choose a random integer j from Z n 3. Compute jp = (x, y) 4. Calculate r = x mod n. If r = 0, go to step 2. 5. Calculate s = j 1 (e + kr) mod n. If s = 0, go to step 2. 6. Output (r, s) as signature for m Verifier: Has public key kp, message m, and signature (r, s) 1. Calculate e = SHA-256(SHA-256(m)) 2. Calculate j 1 = es 1 mod n and j 2 = rs 1 mod n 3. Calculate the point Q = j 1 P + j 2 (kp) 4. If Q = O, then the signature is invalid. 5. If Q O, then let Q = (x, y) F 2 p. Calculate t = x mod n. If t = r, the signature is valid. As n is a 256-bit integer, signatures are 512 bits long As j is randomly chosen, ECDSA output is random for same m 28 / 29

References Sections 10.3, 11.4, 12.5 of Introduction to Modern Cryptography, J. Katz, Y. Lindell, 2nd edition Section 19.1 of A Graduate Course in Applied Cryptography, D. Boneh, V. Shoup, www.cryptobook.us Chapter 2 of An Introduction to Bitcoin, S. Vijayakumaran, www.ee.iitb.ac.in/~sarva/bitcoin.html 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback