Digital Signature

Document Sample
Digital Signature Powered By Docstoc
					Digital Signature

   Sheng Zhong
         Digital Signature (1)
• Public-key-based technique for data
• A digital signature scheme is a tuple (PK,
  SK, M, S, KG, Sign, Verify).
  – PK: Public key space (the set of all possible
  – SK: Private key space.
  – M: Message space.
  – S: Signature space.

         Digital Signature (2)
• KG: {Positive Integer} → PK × SK. An
  efficient algorithm for key generation.
• Sign: SK × M → S. An efficient algorithm
  for signing.
• Verify: PK × M × S → {accept, reject}. An
  efficient algorithm for verifying signature
  on message.

    Correctness Requirement
• We require that the signature generated
  by a private key can definitely be verified
  by the corresponding public key.
  – For all output (pk, sk) of the key generation
    algorithm, for all message m,
          Verify(pk, m, Sign(sk, m))=accept.

   Unforgeability Requirement
• We require that any adversary should not
  be able to forge a signature on any
  – For all efficient algorithm A, for all message
    m, for public key pk distributed as in the
    output of the key generation algorithm,
    Pr[Verify(pk, m, A(pk, m))=accept]=negligible

          RSA Signature (1)
• Key generation: Same as in the RSA
  – N=pq is an RSA modulus.
  – ed=1 (mod Φ(N)).
  – Public key: (N, e).
  – Private key: (N, d).
• Signing: s=md mod N.
  – Note this looks like decryption in RSA

          RSA Signature (2)
• Verification: return accept if and only if
  m=se mod N.
  – This looks like encryption in RSA
    cryptosystem, right?
• Why is the scheme correct?
  – Because se = (md)e = mde=m (mod N).

• Recall RSA is a trapdoor one-way
  – Without knowing trapdoor d, it should be
    infeasible to find s such that se=m (mod N).
  – The above is equivalent to that it is hard to
    find s=md (mod N).
  – So the RSA signature is unforgeable in the
    very weak sense as we described.

         Inadequacy of Simple
• The above unforgeability property only
  ensures that adversary can’t generate
  valid signature on any given message.
  – Bad guy can’t show to people that you “have
    borrowed $1 million from him”.
• But it does not ensure that adversary can’t
  generate valid signature on random
  – Bad guy might be able to show that you “have
    done something” (which you did not really do).
            Attack on RSA
• Adversary picks a random element s of the
  signature space.
• Adversary computes m=se (mod N).
• Clearly, s is a valid signature on message
• Adversary can claim signer has done
  random things!

 Countermeasure to the Attack
• We can modify the signing procedure by
  adding a hash:
  – Signing: s=(H(m))d mod N.
  – Verification: Return accept if and only if
    se=H(m) (mod N).
  – Clearly, the scheme remains correct.

     Random attack is no longer
• Suppose the hash function is one-way.
  – Then the adversary can compute se; but can’t
    compute m=H-1(se).
  – So the attack is no longer feasible.
• This is called existent unforgeability.
  – For all efficient algorithm A, for public key pk
    distributed as in the output of the key
    generation algorithm,
        Pr[Verify(pk, A(pk))=accept]=negligible
           Rabin Signature
• Another signature scheme; very similar to
  RSA signature.
• Key generation: Choose RSA modulus
  N=pq; N is public key; (p, q) is the private
• Signing: s= m1/2 (mod N).
• Verification: return accept if and only if
  m=s2 (mod N).
Rabin Signature vs. RSA Signature
• Difference:
  – Rabin signature uses 2 as verification
  – RSA signature uses e as verification
    exponent, where e is in Z*Φ(N)
• Advantage of Rabin signature:
  – Faster in verification.

 Unforgeability of Rabin Signature
• Rabin signature is unforgeable (in the
  naïve sense) if factorization is hard.
  – Suppose adversary can forge signature s on
    given message m.
  – Then we choose s’ randomly, computes
    m=(s’)2, and ask adversary to forge s=m 1/2.
  – Note that s and s’ are two square roots of m.
  – With probability of ½, we are able to factor N.

  Attack and Countermeasure
• Just like RSA signature scheme, Rabin
  signature scheme is existentally forgeable.
  – Pick s and compute m=s2 mod N.
  – s is a valid signature on m.
• To prevent such attack, we can also use
  hash function.

       ElGamal Signature (1)
• Yet another popular signature scheme.
• Key generation: like in ElGamal
  – Pick a large prime p; pick generator g in Z*p;
    y=gx mod p.
  – Public key: (p, g, y)
  – Private key: (p, g, x)

       ElGamal Signature (2)
• Signing:
                    r=gl mod p;
              s=l-1(m-xr) mod (p-1).
(r,s) is signature on message m.
• Verification: return accept if and only if
                rs=gm/yr (mod p)

Valid signature can be verified

             l l 1 ( m  xr )
  r  (g )
                                 (mod p)
            m  xr
       g            (mod p)
        g / y (mod p)
            m        r

 Verified signature should be valid
• Intuitively (not rigorously):
   Can compute valid s=l-1(m-xr)
→ Can compute valid m-xr
→ Knows x

             “Looks” Secure
• The signature looks not giving knowledge
  about x.
  – Since in s=l-1(m-xr), x-mr is protected by l-1.
  – And in r=xl, l is protected by hardness of
    discrete logarithm.

Attack on ElGamal Signature (1)
• Can the signer reuse l in signing?
   – This leads to breaking of the signature scheme.
• Suppose
                      r=gl mod p;
                s=l-1(m-xr) mod (p-1);
               s’=l-1(m’-xr) mod (p-1).
• Then s-s’=l-1(m-m’) (mod (p-1))
   – Adversary can figure out l from m, m’, s, s’.
   – Next, adversary computes x from l, m, r, s.
Attack on ElGamal Signature (2)
• Even if signer does not reuse l, adversary
  can forge a signature.
  – Attacks discovered by Bleichenbacher in
• One example: suppose (r,s) is a signature
  on message m.
  – u=m’/m (mod p-1); s’=su (mod p-1).
  – Compute r’ s.t. r’=ru (mod p-1) and r’=r (mod

Attack on ElGamal Signature (3)
      (r' )  r
           s'      su

                 (g / y )
                        m        r u

                g   mu
                            /y   ru

                 g / y (mod p )
                     m'      r'

• (r’,s’) is a valid signature on message
Attack on ElGamal Signature (4)
• If g is chosen by adversary,
  Bleichenbacher showed a way to forge
  – Details in textbook. Read if you are interested.

• Do NOT reuse l.
• Make sure 0<r<p.
  – This prevents the example attack because
    r’=ru (mod p-1) and r’=r (mod p) can’t be
    satisfied by any r between 0 and p.
• Make sure g is generated randomly.

           Existent Forgery (1)
•   Choose u,v in Z*p-1.
•   r=guyv mod p.
•   s=-rv -1 mod (p-1).
•   m=-ruv -1 mod (p-1).
•   Claim: (r,s) is a valid signature on
    message m.

         Existent Forgery (2)
• Why does the attack work?
                          v  rv 1
         r  (g y )
           s         u

                     ruv 1       r
               g              y
                g / y (mod p)
                    m          r

• Countermeasure: Use hash function.

 ElGamal Signature Family (1)
• There are a number of ElGamal-like
  signature schemes. They are different in
  details, but have the same basic idea:
  – Signature is to “prove” sender of message m
    has knowledge of private x.
  – So it is enough to “prove” sender knows a
    function of x and m.
  – Note the above function of x and m binds
    the signature to message m.
  ElGamal Signature Family (2)
  – However, function of x and m cannot be the
    signature because adversary may compute x from it.
  – So, the signer protect function of x and m using a
    random factor, to get a part of the signature.
  – gThe random factor is the other part of the signature; the
    random factor is now protected by hardness of
    discrete logarithm.
• All signature schemes using the above idea
  belong to the ElGamal signature family.

 ElGamal signature belongs to the
    ElGamal signature family
• Look at the ElGamal signature:
  – function of x and m :
  – Protect the above using a random factor:
  – Protect the random factor using discrete

          Schnorr Signature
• Another member of ElGamal signature
  – function of x and m :
  – Protect the above using a random factor:
  – Protect the random factor using discrete

 Digital Signature Standard (DSS)
• Yet another member of ElGamal signature
  – function of x and m :
  – Protect the above using a random factor:
  – Protect the random factor using discrete

   Security of ElGamal Signature
• There are many other members of
  ElGamal signature family.
  – Each has a lot of details that require attention.
• But note that ElGamal signature family is a
  general method of designing signature
  – NOT a method for security proof.
  – So the security of each member has to be
    analyzed case by case.

 Optional Topic: Unforgeability and
      Chosen Message Attack
• Chosen Message Attack: a strong
  adversary model for digital signature
  – Analogous to CCA2 for encryption
  – Assumes adversary can obtain signatures
    from an oracle for any messages he chooses
  – Then ask whether adversary is able to figure
    out a new pair of (message, signature).

            Oracle Machine
• An oracle machine is associated with a
  – It maps an input sequence (called queries) to
    a probability distribution of output sequence
    (called answers) .
  – A query/answer can depend on earlier
  – But it can’t depend on later queries/answers.
  – Note that the functionality does NOT need to
    be (efficiently) computable.
      Use of Oracle Machine
• We can let an algorithm A have access to
  an oracle machine M.
  – Whenever needed, A can send queries of his
    choices to M and get answers.
  – This can help A to complete a lot of
    computational tasks.
  – A can’t look inside M. In other words, A does
    not know what’s happening in M.

    Unforgeability against Chosen
       Message Attack (CMA)
Suppose M is an oracle machine that returns
  signatures for any query messages. A digital
  signature is (existentally) unforgeable against
  Chosen Message Attack if for all efficient
  algorithm A that has access to M, for signing key
  ks and verification key kv distributed as specified
  in the scheme, for all polynomial p(), for all
  sufficiently large k,
Pr[Verify(kv, AM(kv))=accept and the message in
  AM(kv) is not a query of A to M]<1/p(k)
   Unforgeable Signature against
• Suppose {fi} is a family of trapdoor one-way
  permutations. Then we can construct a
  signature scheme that is unforgeable
  against CMA.
  – Recall {fi} should have efficient algorithms I, D,
    F for initialization, domain sampling, function
    evaluation, respectively.
• We start by giving a secure signature
  scheme for a single bit; then we extend this
  signature scheme to longer messages.
  Secure Signature for a Single Bit
• For key generation, we first run I to get
  index i and trapdoor d.
  – We then use D to sample two points a, b from
    the domain of fi, uniformly and independently.
  – We next use F to compute fi(a) and fi(b).
  – The public key is (i, fi(a) , fi(b) ).
  – The private key is (a, b).

  Secure Signature for a Single Bit
• Signing:
  – The signature of 0 is a;
  – The signature of 1 is b.
• Verification:
  – If the message is 0, check fi(signature)= fi(a);
  – If the message is 1, check fi(signature)= fi(b).

           Security Analysis
• Even if adversary sees signature of 0, he
  can’t find out signature of 1.
  – Because {fi} is trapdoor one-way and thus
    without knowing the trapdoor the adversary
    can’t compute b from fi(b).
  – Similarly, even if adversary sees signature of
    1, he can’t find out signature of 0.
• Random message attack is not feasible.
  – Because the domain of fi is large and thus it is
    infeasible to find a random signature.
Extension to Longer Messages
• A longer message consists of multiple bits.
  – So we only need to use the signature scheme
    for single bit for multiple times.
  – For each bit of the message we have a
    different instance of the signature scheme for
    single bit.
  – The signatures of all bits constitute the
    signature of the entire message.

      Problem with Extension
• The above simple extension works for a single
  message of multiple bits.
  – But it is subject to attack when there are multiple
  – Consider for example m1=1011, m2=0100, m3=1111.
  – When you have signatures of m1 and m2, you can
    actually derive the signature of m3.
  – The signatures of 1st, 3rd, and 4th bits of m3 come
    from the signature of m1.
  – The signatures of 2nd bit of m3 comes from the
    signature of m2.

           Fixing the Problem
• To fix the problem, we need to make sure that the
  signatures of different messages use different
  instances of the signature scheme for single bit.
  – This can be done by having the signer re-choose the
    instances after signing each message.
  – To notify verifier of the new instances, the signer must
    sign them and include them in the signature.
  – In fact, a complete history of message signing and
    instance changing must be included in the signature.
  – Fixed as above, the scheme can be proved to be
    existentally unforgeable against CMA.
  Authentication of Fresh Message
• In the above, we introduced MAC and digital
  signature for message authentication.
  – They guarantee a message was indeed sent by a
    specific entity.
  – However, the message might actually be a replay of a
    very old message.
• To guarantee the message is fresh, when we
  use MAC or digital signature, we should
  – Include time stamp as part of message, or
  – Include a fresh nonce chosen by the receiver as part
    of message


Shared By:
Lingjuan Ma Lingjuan Ma