VIEWS: 8 PAGES: 46 POSTED ON: 9/23/2011
Digital Signature Sheng Zhong Digital Signature (1) • Public-key-based technique for data integrity. • A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify). – PK: Public key space (the set of all possible keys). – SK: Private key space. – M: Message space. – S: Signature space. 2 Digital Signature (2) • KG: {Positive Integer} → PK × SK. An efficient algorithm for key generation. • Sign: SK × M → S. An efficient algorithm for signing. • Verify: PK × M × S → {accept, reject}. An efficient algorithm for verifying signature on message. 3 Correctness Requirement • We require that the signature generated by a private key can definitely be verified by the corresponding public key. – For all output (pk, sk) of the key generation algorithm, for all message m, Verify(pk, m, Sign(sk, m))=accept. 4 Unforgeability Requirement • We require that any adversary should not be able to forge a signature on any message. – For all efficient algorithm A, for all message m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible 5 RSA Signature (1) • Key generation: Same as in the RSA cryptosystem. – N=pq is an RSA modulus. – ed=1 (mod Φ(N)). – Public key: (N, e). – Private key: (N, d). • Signing: s=md mod N. – Note this looks like decryption in RSA cryptosystem. 6 RSA Signature (2) • Verification: return accept if and only if m=se mod N. – This looks like encryption in RSA cryptosystem, right? • Why is the scheme correct? – Because se = (md)e = mde=m (mod N). 7 Unforgeability • Recall RSA is a trapdoor one-way function. – Without knowing trapdoor d, it should be infeasible to find s such that se=m (mod N). – The above is equivalent to that it is hard to find s=md (mod N). – So the RSA signature is unforgeable in the very weak sense as we described. 8 Inadequacy of Simple Unforgeability • The above unforgeability property only ensures that adversary can’t generate valid signature on any given message. – Bad guy can’t show to people that you “have borrowed $1 million from him”. • But it does not ensure that adversary can’t generate valid signature on random message. – Bad guy might be able to show that you “have done something” (which you did not really do). 9 Attack on RSA • Adversary picks a random element s of the signature space. • Adversary computes m=se (mod N). • Clearly, s is a valid signature on message m. • Adversary can claim signer has done random things! 10 Countermeasure to the Attack • We can modify the signing procedure by adding a hash: – Signing: s=(H(m))d mod N. – Verification: Return accept if and only if se=H(m) (mod N). – Clearly, the scheme remains correct. 11 Random attack is no longer feasible. • Suppose the hash function is one-way. – Then the adversary can compute se; but can’t compute m=H-1(se). – So the attack is no longer feasible. • This is called existent unforgeability. – For all efficient algorithm A, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, A(pk))=accept]=negligible 12 Rabin Signature • Another signature scheme; very similar to RSA signature. • Key generation: Choose RSA modulus N=pq; N is public key; (p, q) is the private key. • Signing: s= m1/2 (mod N). • Verification: return accept if and only if m=s2 (mod N). 13 Rabin Signature vs. RSA Signature • Difference: – Rabin signature uses 2 as verification exponent. – RSA signature uses e as verification exponent, where e is in Z*Φ(N) • Advantage of Rabin signature: – Faster in verification. 14 Unforgeability of Rabin Signature • Rabin signature is unforgeable (in the naïve sense) if factorization is hard. – Suppose adversary can forge signature s on given message m. – Then we choose s’ randomly, computes m=(s’)2, and ask adversary to forge s=m 1/2. – Note that s and s’ are two square roots of m. – With probability of ½, we are able to factor N. 15 Attack and Countermeasure • Just like RSA signature scheme, Rabin signature scheme is existentally forgeable. – Pick s and compute m=s2 mod N. – s is a valid signature on m. • To prevent such attack, we can also use hash function. 16 ElGamal Signature (1) • Yet another popular signature scheme. • Key generation: like in ElGamal cryptosystem. – Pick a large prime p; pick generator g in Z*p; y=gx mod p. – Public key: (p, g, y) – Private key: (p, g, x) 17 ElGamal Signature (2) • Signing: r=gl mod p; s=l-1(m-xr) mod (p-1). (r,s) is signature on message m. • Verification: return accept if and only if rs=gm/yr (mod p) 18 Valid signature can be verified l l 1 ( m xr ) r (g ) s (mod p) m xr g (mod p) g / y (mod p) m r 19 Verified signature should be valid • Intuitively (not rigorously): Can compute valid s=l-1(m-xr) → Can compute valid m-xr → Knows x 20 “Looks” Secure • The signature looks not giving knowledge about x. – Since in s=l-1(m-xr), x-mr is protected by l-1. – And in r=xl, l is protected by hardness of discrete logarithm. 21 Attack on ElGamal Signature (1) • Can the signer reuse l in signing? – This leads to breaking of the signature scheme. • Suppose r=gl mod p; s=l-1(m-xr) mod (p-1); s’=l-1(m’-xr) mod (p-1). • Then s-s’=l-1(m-m’) (mod (p-1)) – Adversary can figure out l from m, m’, s, s’. – Next, adversary computes x from l, m, r, s. 22 Attack on ElGamal Signature (2) • Even if signer does not reuse l, adversary can forge a signature. – Attacks discovered by Bleichenbacher in 1996. • One example: suppose (r,s) is a signature on message m. – u=m’/m (mod p-1); s’=su (mod p-1). – Compute r’ s.t. r’=ru (mod p-1) and r’=r (mod p). 23 Attack on ElGamal Signature (3) (r' ) r s' su (g / y ) m r u g mu /y ru g / y (mod p ) m' r' • (r’,s’) is a valid signature on message m’. 24 Attack on ElGamal Signature (4) • If g is chosen by adversary, Bleichenbacher showed a way to forge signatures. – Details in textbook. Read if you are interested. 25 Countermeasures • Do NOT reuse l. • Make sure 0<r<p. – This prevents the example attack because r’=ru (mod p-1) and r’=r (mod p) can’t be satisfied by any r between 0 and p. • Make sure g is generated randomly. 26 Existent Forgery (1) • Choose u,v in Z*p-1. • r=guyv mod p. • s=-rv -1 mod (p-1). • m=-ruv -1 mod (p-1). • Claim: (r,s) is a valid signature on message m. 27 Existent Forgery (2) • Why does the attack work? v rv 1 r (g y ) s u ruv 1 r g y g / y (mod p) m r • Countermeasure: Use hash function. 28 ElGamal Signature Family (1) • There are a number of ElGamal-like signature schemes. They are different in details, but have the same basic idea: – Signature is to “prove” sender of message m has knowledge of private x. – So it is enough to “prove” sender knows a function of x and m. – Note the above function of x and m binds the signature to message m. 29 ElGamal Signature Family (2) – However, function of x and m cannot be the signature because adversary may compute x from it. – So, the signer protect function of x and m using a random factor, to get a part of the signature. – gThe random factor is the other part of the signature; the random factor is now protected by hardness of discrete logarithm. • All signature schemes using the above idea belong to the ElGamal signature family. 30 ElGamal signature belongs to the ElGamal signature family • Look at the ElGamal signature: – function of x and m : m-xr. – Protect the above using a random factor: s=l-1(m-xr) – Protect the random factor using discrete logarithm: r=gl 31 Schnorr Signature • Another member of ElGamal signature family: – function of x and m : H(m,r)x. – Protect the above using a random factor: s=H(m,r)x+l – Protect the random factor using discrete logarithm: r=gl 32 Digital Signature Standard (DSS) • Yet another member of ElGamal signature family: – function of x and m : H(m)+xr. – Protect the above using a random factor: s=l-1(H(m)+xr) – Protect the random factor using discrete logarithm: r=gl 33 Security of ElGamal Signature Family • There are many other members of ElGamal signature family. – Each has a lot of details that require attention. • But note that ElGamal signature family is a general method of designing signature schemes. – NOT a method for security proof. – So the security of each member has to be analyzed case by case. 34 Optional Topic: Unforgeability and Chosen Message Attack • Chosen Message Attack: a strong adversary model for digital signature – Analogous to CCA2 for encryption – Assumes adversary can obtain signatures from an oracle for any messages he chooses – Then ask whether adversary is able to figure out a new pair of (message, signature). 35 Oracle Machine • An oracle machine is associated with a functionality. – It maps an input sequence (called queries) to a probability distribution of output sequence (called answers) . – A query/answer can depend on earlier queries/answers. – But it can’t depend on later queries/answers. – Note that the functionality does NOT need to be (efficiently) computable. 36 Use of Oracle Machine • We can let an algorithm A have access to an oracle machine M. – Whenever needed, A can send queries of his choices to M and get answers. – This can help A to complete a lot of computational tasks. – A can’t look inside M. In other words, A does not know what’s happening in M. 37 Unforgeability against Chosen Message Attack (CMA) Suppose M is an oracle machine that returns signatures for any query messages. A digital signature is (existentally) unforgeable against Chosen Message Attack if for all efficient algorithm A that has access to M, for signing key ks and verification key kv distributed as specified in the scheme, for all polynomial p(), for all sufficiently large k, Pr[Verify(kv, AM(kv))=accept and the message in AM(kv) is not a query of A to M]<1/p(k) 38 Unforgeable Signature against CMA • Suppose {fi} is a family of trapdoor one-way permutations. Then we can construct a signature scheme that is unforgeable against CMA. – Recall {fi} should have efficient algorithms I, D, F for initialization, domain sampling, function evaluation, respectively. • We start by giving a secure signature scheme for a single bit; then we extend this signature scheme to longer messages. 39 Secure Signature for a Single Bit (1) • For key generation, we first run I to get index i and trapdoor d. – We then use D to sample two points a, b from the domain of fi, uniformly and independently. – We next use F to compute fi(a) and fi(b). – The public key is (i, fi(a) , fi(b) ). – The private key is (a, b). 40 Secure Signature for a Single Bit (2) • Signing: – The signature of 0 is a; – The signature of 1 is b. • Verification: – If the message is 0, check fi(signature)= fi(a); – If the message is 1, check fi(signature)= fi(b). 41 Security Analysis • Even if adversary sees signature of 0, he can’t find out signature of 1. – Because {fi} is trapdoor one-way and thus without knowing the trapdoor the adversary can’t compute b from fi(b). – Similarly, even if adversary sees signature of 1, he can’t find out signature of 0. • Random message attack is not feasible. – Because the domain of fi is large and thus it is infeasible to find a random signature. 42 Extension to Longer Messages • A longer message consists of multiple bits. – So we only need to use the signature scheme for single bit for multiple times. – For each bit of the message we have a different instance of the signature scheme for single bit. – The signatures of all bits constitute the signature of the entire message. 43 Problem with Extension • The above simple extension works for a single message of multiple bits. – But it is subject to attack when there are multiple messages. – Consider for example m1=1011, m2=0100, m3=1111. – When you have signatures of m1 and m2, you can actually derive the signature of m3. – The signatures of 1st, 3rd, and 4th bits of m3 come from the signature of m1. – The signatures of 2nd bit of m3 comes from the signature of m2. 44 Fixing the Problem • To fix the problem, we need to make sure that the signatures of different messages use different instances of the signature scheme for single bit. – This can be done by having the signer re-choose the instances after signing each message. – To notify verifier of the new instances, the signer must sign them and include them in the signature. – In fact, a complete history of message signing and instance changing must be included in the signature. – Fixed as above, the scheme can be proved to be existentally unforgeable against CMA. 45 Authentication of Fresh Message • In the above, we introduced MAC and digital signature for message authentication. – They guarantee a message was indeed sent by a specific entity. – However, the message might actually be a replay of a very old message. • To guarantee the message is fresh, when we use MAC or digital signature, we should – Include time stamp as part of message, or – Include a fresh nonce chosen by the receiver as part of message 46