Digital Signature

Document Sample
Digital Signature Powered By Docstoc
					Digital Signature

   Sheng Zhong
         Digital Signature (1)
• Public-key-based technique for data
  integrity.
• A digital signature scheme is a tuple (PK,
  SK, M, S, KG, Sign, Verify).
  – PK: Public key space (the set of all possible
    keys).
  – SK: Private key space.
  – M: Message space.
  – S: Signature space.

                                                    2
         Digital Signature (2)
• KG: {Positive Integer} → PK × SK. An
  efficient algorithm for key generation.
• Sign: SK × M → S. An efficient algorithm
  for signing.
• Verify: PK × M × S → {accept, reject}. An
  efficient algorithm for verifying signature
  on message.


                                                3
    Correctness Requirement
• We require that the signature generated
  by a private key can definitely be verified
  by the corresponding public key.
  – For all output (pk, sk) of the key generation
    algorithm, for all message m,
          Verify(pk, m, Sign(sk, m))=accept.




                                                    4
   Unforgeability Requirement
• We require that any adversary should not
  be able to forge a signature on any
  message.
  – For all efficient algorithm A, for all message
    m, for public key pk distributed as in the
    output of the key generation algorithm,
    Pr[Verify(pk, m, A(pk, m))=accept]=negligible



                                                     5
          RSA Signature (1)
• Key generation: Same as in the RSA
  cryptosystem.
  – N=pq is an RSA modulus.
  – ed=1 (mod Φ(N)).
  – Public key: (N, e).
  – Private key: (N, d).
• Signing: s=md mod N.
  – Note this looks like decryption in RSA
    cryptosystem.

                                             6
          RSA Signature (2)
• Verification: return accept if and only if
  m=se mod N.
  – This looks like encryption in RSA
    cryptosystem, right?
• Why is the scheme correct?
  – Because se = (md)e = mde=m (mod N).




                                               7
              Unforgeability
• Recall RSA is a trapdoor one-way
  function.
  – Without knowing trapdoor d, it should be
    infeasible to find s such that se=m (mod N).
  – The above is equivalent to that it is hard to
    find s=md (mod N).
  – So the RSA signature is unforgeable in the
    very weak sense as we described.


                                                    8
         Inadequacy of Simple
             Unforgeability
• The above unforgeability property only
  ensures that adversary can’t generate
  valid signature on any given message.
  – Bad guy can’t show to people that you “have
    borrowed $1 million from him”.
• But it does not ensure that adversary can’t
  generate valid signature on random
  message.
  – Bad guy might be able to show that you “have
    done something” (which you did not really do).
                                                  9
            Attack on RSA
• Adversary picks a random element s of the
  signature space.
• Adversary computes m=se (mod N).
• Clearly, s is a valid signature on message
  m.
• Adversary can claim signer has done
  random things!

                                           10
 Countermeasure to the Attack
• We can modify the signing procedure by
  adding a hash:
  – Signing: s=(H(m))d mod N.
  – Verification: Return accept if and only if
    se=H(m) (mod N).
  – Clearly, the scheme remains correct.




                                                 11
     Random attack is no longer
            feasible.
• Suppose the hash function is one-way.
  – Then the adversary can compute se; but can’t
    compute m=H-1(se).
  – So the attack is no longer feasible.
• This is called existent unforgeability.
  – For all efficient algorithm A, for public key pk
    distributed as in the output of the key
    generation algorithm,
        Pr[Verify(pk, A(pk))=accept]=negligible
                                                       12
           Rabin Signature
• Another signature scheme; very similar to
  RSA signature.
• Key generation: Choose RSA modulus
  N=pq; N is public key; (p, q) is the private
  key.
• Signing: s= m1/2 (mod N).
• Verification: return accept if and only if
  m=s2 (mod N).
                                                 13
Rabin Signature vs. RSA Signature
• Difference:
  – Rabin signature uses 2 as verification
    exponent.
  – RSA signature uses e as verification
    exponent, where e is in Z*Φ(N)
• Advantage of Rabin signature:
  – Faster in verification.



                                             14
 Unforgeability of Rabin Signature
• Rabin signature is unforgeable (in the
  naïve sense) if factorization is hard.
  – Suppose adversary can forge signature s on
    given message m.
  – Then we choose s’ randomly, computes
    m=(s’)2, and ask adversary to forge s=m 1/2.
  – Note that s and s’ are two square roots of m.
  – With probability of ½, we are able to factor N.

                                                      15
  Attack and Countermeasure
• Just like RSA signature scheme, Rabin
  signature scheme is existentally forgeable.
  – Pick s and compute m=s2 mod N.
  – s is a valid signature on m.
• To prevent such attack, we can also use
  hash function.



                                            16
       ElGamal Signature (1)
• Yet another popular signature scheme.
• Key generation: like in ElGamal
  cryptosystem.
  – Pick a large prime p; pick generator g in Z*p;
    y=gx mod p.
  – Public key: (p, g, y)
  – Private key: (p, g, x)


                                                     17
       ElGamal Signature (2)
• Signing:
                    r=gl mod p;
              s=l-1(m-xr) mod (p-1).
(r,s) is signature on message m.
• Verification: return accept if and only if
                rs=gm/yr (mod p)


                                               18
Valid signature can be verified

             l l 1 ( m  xr )
  r  (g )
   s
                                 (mod p)
            m  xr
       g            (mod p)
        g / y (mod p)
            m        r




                                           19
 Verified signature should be valid
• Intuitively (not rigorously):
   Can compute valid s=l-1(m-xr)
→ Can compute valid m-xr
→ Knows x




                                      20
             “Looks” Secure
• The signature looks not giving knowledge
  about x.
  – Since in s=l-1(m-xr), x-mr is protected by l-1.
  – And in r=xl, l is protected by hardness of
    discrete logarithm.




                                                      21
Attack on ElGamal Signature (1)
• Can the signer reuse l in signing?
   – This leads to breaking of the signature scheme.
• Suppose
                      r=gl mod p;
                s=l-1(m-xr) mod (p-1);
               s’=l-1(m’-xr) mod (p-1).
• Then s-s’=l-1(m-m’) (mod (p-1))
   – Adversary can figure out l from m, m’, s, s’.
   – Next, adversary computes x from l, m, r, s.
                                                       22
Attack on ElGamal Signature (2)
• Even if signer does not reuse l, adversary
  can forge a signature.
  – Attacks discovered by Bleichenbacher in
    1996.
• One example: suppose (r,s) is a signature
  on message m.
  – u=m’/m (mod p-1); s’=su (mod p-1).
  – Compute r’ s.t. r’=ru (mod p-1) and r’=r (mod
    p).

                                                    23
Attack on ElGamal Signature (3)
      (r' )  r
           s'      su


                 (g / y )
                        m        r u


                g   mu
                            /y   ru


                 g / y (mod p )
                     m'      r'


• (r’,s’) is a valid signature on message
m’.
                                            24
Attack on ElGamal Signature (4)
• If g is chosen by adversary,
  Bleichenbacher showed a way to forge
  signatures.
  – Details in textbook. Read if you are interested.




                                                   25
          Countermeasures
• Do NOT reuse l.
• Make sure 0<r<p.
  – This prevents the example attack because
    r’=ru (mod p-1) and r’=r (mod p) can’t be
    satisfied by any r between 0 and p.
• Make sure g is generated randomly.



                                                26
           Existent Forgery (1)
•   Choose u,v in Z*p-1.
•   r=guyv mod p.
•   s=-rv -1 mod (p-1).
•   m=-ruv -1 mod (p-1).
•   Claim: (r,s) is a valid signature on
    message m.


                                           27
         Existent Forgery (2)
• Why does the attack work?
                          v  rv 1
         r  (g y )
           s         u


                     ruv 1       r
               g              y
                g / y (mod p)
                    m          r



• Countermeasure: Use hash function.

                                        28
 ElGamal Signature Family (1)
• There are a number of ElGamal-like
  signature schemes. They are different in
  details, but have the same basic idea:
  – Signature is to “prove” sender of message m
    has knowledge of private x.
  – So it is enough to “prove” sender knows a
    function of x and m.
  – Note the above function of x and m binds
    the signature to message m.
                                                  29
  ElGamal Signature Family (2)
  – However, function of x and m cannot be the
    signature because adversary may compute x from it.
  – So, the signer protect function of x and m using a
    random factor, to get a part of the signature.
  – gThe random factor is the other part of the signature; the
    random factor is now protected by hardness of
    discrete logarithm.
• All signature schemes using the above idea
  belong to the ElGamal signature family.


                                                                 30
 ElGamal signature belongs to the
    ElGamal signature family
• Look at the ElGamal signature:
  – function of x and m :
                        m-xr.
  – Protect the above using a random factor:
                      s=l-1(m-xr)
  – Protect the random factor using discrete
    logarithm:
                          r=gl

                                               31
          Schnorr Signature
• Another member of ElGamal signature
  family:
  – function of x and m :
                       H(m,r)x.
  – Protect the above using a random factor:
                     s=H(m,r)x+l
  – Protect the random factor using discrete
    logarithm:
                          r=gl

                                               32
 Digital Signature Standard (DSS)
• Yet another member of ElGamal signature
  family:
  – function of x and m :
                      H(m)+xr.
  – Protect the above using a random factor:
                    s=l-1(H(m)+xr)
  – Protect the random factor using discrete
    logarithm:
                          r=gl

                                               33
   Security of ElGamal Signature
               Family
• There are many other members of
  ElGamal signature family.
  – Each has a lot of details that require attention.
• But note that ElGamal signature family is a
  general method of designing signature
  schemes.
  – NOT a method for security proof.
  – So the security of each member has to be
    analyzed case by case.

                                                    34
 Optional Topic: Unforgeability and
      Chosen Message Attack
• Chosen Message Attack: a strong
  adversary model for digital signature
  – Analogous to CCA2 for encryption
  – Assumes adversary can obtain signatures
    from an oracle for any messages he chooses
  – Then ask whether adversary is able to figure
    out a new pair of (message, signature).



                                               35
            Oracle Machine
• An oracle machine is associated with a
  functionality.
  – It maps an input sequence (called queries) to
    a probability distribution of output sequence
    (called answers) .
  – A query/answer can depend on earlier
    queries/answers.
  – But it can’t depend on later queries/answers.
  – Note that the functionality does NOT need to
    be (efficiently) computable.
                                                36
      Use of Oracle Machine
• We can let an algorithm A have access to
  an oracle machine M.
  – Whenever needed, A can send queries of his
    choices to M and get answers.
  – This can help A to complete a lot of
    computational tasks.
  – A can’t look inside M. In other words, A does
    not know what’s happening in M.


                                                    37
    Unforgeability against Chosen
       Message Attack (CMA)
Suppose M is an oracle machine that returns
  signatures for any query messages. A digital
  signature is (existentally) unforgeable against
  Chosen Message Attack if for all efficient
  algorithm A that has access to M, for signing key
  ks and verification key kv distributed as specified
  in the scheme, for all polynomial p(), for all
  sufficiently large k,
Pr[Verify(kv, AM(kv))=accept and the message in
  AM(kv) is not a query of A to M]<1/p(k)
                                                    38
   Unforgeable Signature against
               CMA
• Suppose {fi} is a family of trapdoor one-way
  permutations. Then we can construct a
  signature scheme that is unforgeable
  against CMA.
  – Recall {fi} should have efficient algorithms I, D,
    F for initialization, domain sampling, function
    evaluation, respectively.
• We start by giving a secure signature
  scheme for a single bit; then we extend this
  signature scheme to longer messages.
                                                    39
  Secure Signature for a Single Bit
                (1)
• For key generation, we first run I to get
  index i and trapdoor d.
  – We then use D to sample two points a, b from
    the domain of fi, uniformly and independently.
  – We next use F to compute fi(a) and fi(b).
  – The public key is (i, fi(a) , fi(b) ).
  – The private key is (a, b).



                                                 40
  Secure Signature for a Single Bit
                (2)
• Signing:
  – The signature of 0 is a;
  – The signature of 1 is b.
• Verification:
  – If the message is 0, check fi(signature)= fi(a);
  – If the message is 1, check fi(signature)= fi(b).




                                                       41
           Security Analysis
• Even if adversary sees signature of 0, he
  can’t find out signature of 1.
  – Because {fi} is trapdoor one-way and thus
    without knowing the trapdoor the adversary
    can’t compute b from fi(b).
  – Similarly, even if adversary sees signature of
    1, he can’t find out signature of 0.
• Random message attack is not feasible.
  – Because the domain of fi is large and thus it is
    infeasible to find a random signature.
                                                     42
Extension to Longer Messages
• A longer message consists of multiple bits.
  – So we only need to use the signature scheme
    for single bit for multiple times.
  – For each bit of the message we have a
    different instance of the signature scheme for
    single bit.
  – The signatures of all bits constitute the
    signature of the entire message.


                                                 43
      Problem with Extension
• The above simple extension works for a single
  message of multiple bits.
  – But it is subject to attack when there are multiple
    messages.
  – Consider for example m1=1011, m2=0100, m3=1111.
  – When you have signatures of m1 and m2, you can
    actually derive the signature of m3.
  – The signatures of 1st, 3rd, and 4th bits of m3 come
    from the signature of m1.
  – The signatures of 2nd bit of m3 comes from the
    signature of m2.

                                                     44
           Fixing the Problem
• To fix the problem, we need to make sure that the
  signatures of different messages use different
  instances of the signature scheme for single bit.
  – This can be done by having the signer re-choose the
    instances after signing each message.
  – To notify verifier of the new instances, the signer must
    sign them and include them in the signature.
  – In fact, a complete history of message signing and
    instance changing must be included in the signature.
  – Fixed as above, the scheme can be proved to be
    existentally unforgeable against CMA.
                                                          45
  Authentication of Fresh Message
• In the above, we introduced MAC and digital
  signature for message authentication.
  – They guarantee a message was indeed sent by a
    specific entity.
  – However, the message might actually be a replay of a
    very old message.
• To guarantee the message is fresh, when we
  use MAC or digital signature, we should
  – Include time stamp as part of message, or
  – Include a fresh nonce chosen by the receiver as part
    of message

                                                           46

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:8
posted:9/23/2011
language:English
pages:46
Lingjuan Ma Lingjuan Ma
About