# Digital Signature by pptfiles

VIEWS: 8 PAGES: 46

• pg 1
```									Digital Signature

Sheng Zhong
Digital Signature (1)
• Public-key-based technique for data
integrity.
• A digital signature scheme is a tuple (PK,
SK, M, S, KG, Sign, Verify).
– PK: Public key space (the set of all possible
keys).
– SK: Private key space.
– M: Message space.
– S: Signature space.

2
Digital Signature (2)
• KG: {Positive Integer} → PK × SK. An
efficient algorithm for key generation.
• Sign: SK × M → S. An efficient algorithm
for signing.
• Verify: PK × M × S → {accept, reject}. An
efficient algorithm for verifying signature
on message.

3
Correctness Requirement
• We require that the signature generated
by a private key can definitely be verified
by the corresponding public key.
– For all output (pk, sk) of the key generation
algorithm, for all message m,
Verify(pk, m, Sign(sk, m))=accept.

4
Unforgeability Requirement
• We require that any adversary should not
be able to forge a signature on any
message.
– For all efficient algorithm A, for all message
m, for public key pk distributed as in the
output of the key generation algorithm,
Pr[Verify(pk, m, A(pk, m))=accept]=negligible

5
RSA Signature (1)
• Key generation: Same as in the RSA
cryptosystem.
– N=pq is an RSA modulus.
– ed=1 (mod Φ(N)).
– Public key: (N, e).
– Private key: (N, d).
• Signing: s=md mod N.
– Note this looks like decryption in RSA
cryptosystem.

6
RSA Signature (2)
• Verification: return accept if and only if
m=se mod N.
– This looks like encryption in RSA
cryptosystem, right?
• Why is the scheme correct?
– Because se = (md)e = mde=m (mod N).

7
Unforgeability
• Recall RSA is a trapdoor one-way
function.
– Without knowing trapdoor d, it should be
infeasible to find s such that se=m (mod N).
– The above is equivalent to that it is hard to
find s=md (mod N).
– So the RSA signature is unforgeable in the
very weak sense as we described.

8
Unforgeability
• The above unforgeability property only
valid signature on any given message.
– Bad guy can’t show to people that you “have
borrowed \$1 million from him”.
• But it does not ensure that adversary can’t
generate valid signature on random
message.
– Bad guy might be able to show that you “have
done something” (which you did not really do).
9
Attack on RSA
• Adversary picks a random element s of the
signature space.
• Adversary computes m=se (mod N).
• Clearly, s is a valid signature on message
m.
• Adversary can claim signer has done
random things!

10
Countermeasure to the Attack
• We can modify the signing procedure by
– Signing: s=(H(m))d mod N.
– Verification: Return accept if and only if
se=H(m) (mod N).
– Clearly, the scheme remains correct.

11
Random attack is no longer
feasible.
• Suppose the hash function is one-way.
– Then the adversary can compute se; but can’t
compute m=H-1(se).
– So the attack is no longer feasible.
• This is called existent unforgeability.
– For all efficient algorithm A, for public key pk
distributed as in the output of the key
generation algorithm,
Pr[Verify(pk, A(pk))=accept]=negligible
12
Rabin Signature
• Another signature scheme; very similar to
RSA signature.
• Key generation: Choose RSA modulus
N=pq; N is public key; (p, q) is the private
key.
• Signing: s= m1/2 (mod N).
• Verification: return accept if and only if
m=s2 (mod N).
13
Rabin Signature vs. RSA Signature
• Difference:
– Rabin signature uses 2 as verification
exponent.
– RSA signature uses e as verification
exponent, where e is in Z*Φ(N)
– Faster in verification.

14
Unforgeability of Rabin Signature
• Rabin signature is unforgeable (in the
naïve sense) if factorization is hard.
– Suppose adversary can forge signature s on
given message m.
– Then we choose s’ randomly, computes
– Note that s and s’ are two square roots of m.
– With probability of ½, we are able to factor N.

15
Attack and Countermeasure
• Just like RSA signature scheme, Rabin
signature scheme is existentally forgeable.
– Pick s and compute m=s2 mod N.
– s is a valid signature on m.
• To prevent such attack, we can also use
hash function.

16
ElGamal Signature (1)
• Yet another popular signature scheme.
• Key generation: like in ElGamal
cryptosystem.
– Pick a large prime p; pick generator g in Z*p;
y=gx mod p.
– Public key: (p, g, y)
– Private key: (p, g, x)

17
ElGamal Signature (2)
• Signing:
r=gl mod p;
s=l-1(m-xr) mod (p-1).
(r,s) is signature on message m.
• Verification: return accept if and only if
rs=gm/yr (mod p)

18
Valid signature can be verified

l l 1 ( m  xr )
r  (g )
s
(mod p)
m  xr
g            (mod p)
 g / y (mod p)
m        r

19
Verified signature should be valid
• Intuitively (not rigorously):
Can compute valid s=l-1(m-xr)
→ Can compute valid m-xr
→ Knows x

20
“Looks” Secure
• The signature looks not giving knowledge
– Since in s=l-1(m-xr), x-mr is protected by l-1.
– And in r=xl, l is protected by hardness of
discrete logarithm.

21
Attack on ElGamal Signature (1)
• Can the signer reuse l in signing?
– This leads to breaking of the signature scheme.
• Suppose
r=gl mod p;
s=l-1(m-xr) mod (p-1);
s’=l-1(m’-xr) mod (p-1).
• Then s-s’=l-1(m-m’) (mod (p-1))
– Adversary can figure out l from m, m’, s, s’.
– Next, adversary computes x from l, m, r, s.
22
Attack on ElGamal Signature (2)
• Even if signer does not reuse l, adversary
can forge a signature.
– Attacks discovered by Bleichenbacher in
1996.
• One example: suppose (r,s) is a signature
on message m.
– u=m’/m (mod p-1); s’=su (mod p-1).
– Compute r’ s.t. r’=ru (mod p-1) and r’=r (mod
p).

23
Attack on ElGamal Signature (3)
(r' )  r
s'      su

 (g / y )
m        r u

g   mu
/y   ru

 g / y (mod p )
m'      r'

• (r’,s’) is a valid signature on message
m’.
24
Attack on ElGamal Signature (4)
• If g is chosen by adversary,
Bleichenbacher showed a way to forge
signatures.
– Details in textbook. Read if you are interested.

25
Countermeasures
• Do NOT reuse l.
• Make sure 0<r<p.
– This prevents the example attack because
r’=ru (mod p-1) and r’=r (mod p) can’t be
satisfied by any r between 0 and p.
• Make sure g is generated randomly.

26
Existent Forgery (1)
•   Choose u,v in Z*p-1.
•   r=guyv mod p.
•   s=-rv -1 mod (p-1).
•   m=-ruv -1 mod (p-1).
•   Claim: (r,s) is a valid signature on
message m.

27
Existent Forgery (2)
• Why does the attack work?
v  rv 1
r  (g y )
s         u

 ruv 1       r
g              y
 g / y (mod p)
m          r

• Countermeasure: Use hash function.

28
ElGamal Signature Family (1)
• There are a number of ElGamal-like
signature schemes. They are different in
details, but have the same basic idea:
– Signature is to “prove” sender of message m
has knowledge of private x.
– So it is enough to “prove” sender knows a
function of x and m.
– Note the above function of x and m binds
the signature to message m.
29
ElGamal Signature Family (2)
– However, function of x and m cannot be the
signature because adversary may compute x from it.
– So, the signer protect function of x and m using a
random factor, to get a part of the signature.
– gThe random factor is the other part of the signature; the
random factor is now protected by hardness of
discrete logarithm.
• All signature schemes using the above idea
belong to the ElGamal signature family.

30
ElGamal signature belongs to the
ElGamal signature family
• Look at the ElGamal signature:
– function of x and m :
m-xr.
– Protect the above using a random factor:
s=l-1(m-xr)
– Protect the random factor using discrete
logarithm:
r=gl

31
Schnorr Signature
• Another member of ElGamal signature
family:
– function of x and m :
H(m,r)x.
– Protect the above using a random factor:
s=H(m,r)x+l
– Protect the random factor using discrete
logarithm:
r=gl

32
Digital Signature Standard (DSS)
• Yet another member of ElGamal signature
family:
– function of x and m :
H(m)+xr.
– Protect the above using a random factor:
s=l-1(H(m)+xr)
– Protect the random factor using discrete
logarithm:
r=gl

33
Security of ElGamal Signature
Family
• There are many other members of
ElGamal signature family.
– Each has a lot of details that require attention.
• But note that ElGamal signature family is a
general method of designing signature
schemes.
– NOT a method for security proof.
– So the security of each member has to be
analyzed case by case.

34
Optional Topic: Unforgeability and
Chosen Message Attack
• Chosen Message Attack: a strong
– Analogous to CCA2 for encryption
– Assumes adversary can obtain signatures
from an oracle for any messages he chooses
out a new pair of (message, signature).

35
Oracle Machine
• An oracle machine is associated with a
functionality.
– It maps an input sequence (called queries) to
a probability distribution of output sequence
– A query/answer can depend on earlier
– But it can’t depend on later queries/answers.
– Note that the functionality does NOT need to
be (efficiently) computable.
36
Use of Oracle Machine
an oracle machine M.
– Whenever needed, A can send queries of his
choices to M and get answers.
– This can help A to complete a lot of
– A can’t look inside M. In other words, A does
not know what’s happening in M.

37
Unforgeability against Chosen
Message Attack (CMA)
Suppose M is an oracle machine that returns
signatures for any query messages. A digital
signature is (existentally) unforgeable against
Chosen Message Attack if for all efficient
ks and verification key kv distributed as specified
in the scheme, for all polynomial p(), for all
sufficiently large k,
Pr[Verify(kv, AM(kv))=accept and the message in
AM(kv) is not a query of A to M]<1/p(k)
38
Unforgeable Signature against
CMA
• Suppose {fi} is a family of trapdoor one-way
permutations. Then we can construct a
signature scheme that is unforgeable
against CMA.
– Recall {fi} should have efficient algorithms I, D,
F for initialization, domain sampling, function
evaluation, respectively.
• We start by giving a secure signature
scheme for a single bit; then we extend this
signature scheme to longer messages.
39
Secure Signature for a Single Bit
(1)
• For key generation, we first run I to get
index i and trapdoor d.
– We then use D to sample two points a, b from
the domain of fi, uniformly and independently.
– We next use F to compute fi(a) and fi(b).
– The public key is (i, fi(a) , fi(b) ).
– The private key is (a, b).

40
Secure Signature for a Single Bit
(2)
• Signing:
– The signature of 0 is a;
– The signature of 1 is b.
• Verification:
– If the message is 0, check fi(signature)= fi(a);
– If the message is 1, check fi(signature)= fi(b).

41
Security Analysis
• Even if adversary sees signature of 0, he
can’t find out signature of 1.
– Because {fi} is trapdoor one-way and thus
without knowing the trapdoor the adversary
can’t compute b from fi(b).
– Similarly, even if adversary sees signature of
1, he can’t find out signature of 0.
• Random message attack is not feasible.
– Because the domain of fi is large and thus it is
infeasible to find a random signature.
42
Extension to Longer Messages
• A longer message consists of multiple bits.
– So we only need to use the signature scheme
for single bit for multiple times.
– For each bit of the message we have a
different instance of the signature scheme for
single bit.
– The signatures of all bits constitute the
signature of the entire message.

43
Problem with Extension
• The above simple extension works for a single
message of multiple bits.
– But it is subject to attack when there are multiple
messages.
– Consider for example m1=1011, m2=0100, m3=1111.
– When you have signatures of m1 and m2, you can
actually derive the signature of m3.
– The signatures of 1st, 3rd, and 4th bits of m3 come
from the signature of m1.
– The signatures of 2nd bit of m3 comes from the
signature of m2.

44
Fixing the Problem
• To fix the problem, we need to make sure that the
signatures of different messages use different
instances of the signature scheme for single bit.
– This can be done by having the signer re-choose the
instances after signing each message.
– To notify verifier of the new instances, the signer must
sign them and include them in the signature.
– In fact, a complete history of message signing and
instance changing must be included in the signature.
– Fixed as above, the scheme can be proved to be
existentally unforgeable against CMA.
45
Authentication of Fresh Message
• In the above, we introduced MAC and digital
signature for message authentication.
– They guarantee a message was indeed sent by a
specific entity.
– However, the message might actually be a replay of a
very old message.
• To guarantee the message is fresh, when we
use MAC or digital signature, we should
– Include time stamp as part of message, or
– Include a fresh nonce chosen by the receiver as part
of message

46

```
To top