Problem with ElGamal Signature Schemedengl/comp7120-8120/Chap-7-b.pdfProblem with ElGamal Signature...

Problem with ElGamalSignature Scheme

needs signature twice as large as its message. in order to be secure, one needs the prime modulus p of size 1024 bits. (Hence, 2048 bits signature)

maybe too large for certain applicationse.g. smart cards need shorter signature

No hash function is built-in in the signature scheme.

Variants of ElGamal signature scheme

Schnorr Signature Schemeproposed in 1989 by Schnorr. (paper appeared in 1991).use of hash functiongreatly reduce the signature size

Digital Signature Algorithm (DSA)published as adopted as a standard in 1994incorporated the Schnorr Signature Scheme

Schnorr Signature Scheme(Motivation)

Zp* is a cyclic group of order p-1.Let a prime q | (p-1), q is large but it is much smaller than p.Let α ε Zp* and its order is q. (how?)

That is, <α> is a subgrup of Zp* with q elements.α = g(p-1)/q, g is a generator for Zp* .

K={(p, q, α, a, β):β= αa mod p}, only a is private.h(x) ε Zq* is a secure hash function.k=random selection from Zq*,

Schnorr Signature Scheme(Motivation)

sigK(x,k) = (r, δ) r = h( x || (αk mod p)),

δ = k + a r mod qchoose δ so that (β-r αδ = αk) mod p.

note that ((αa)-r αδ = αk) mod p.how about verk(x, (r, δ) ) ?

verK(x, (r, δ))=true, if h( x || (β-r αδ mod p))=r.

Q: why not simply (β-r αδ = αk) mod p ?

Schnorr Signature Scheme(Cryptosystem 7.3)

K={(p, q, α, a, β):β= αa mod p}, only a is private. k=random from Zq*.

sigK(x,k) = (r, δ) r = h( x || (αk mod p)),

δ = k + a r mod q[So that (β-r αδ = αk ) mod p.]

verK(x, (r, δ))=true, if h( x || (β-r αδmod p))=r.

Schnorr Signature SchemeParameters

p ≈ 21024, q ≈ 2 160. (so that SHA-1 can be used as a secure hash function)

q | (p-1). it is easier to fix q and then search for a prime p of the form p=cq+1.

We can find α of order q byα = g(p-1)/q, g is a generator for Zp* .(why?)

Example 7.3K={(p, q, α, a, β):β= αa mod p}, q|p-1. p=cq+1.

α = g(p-1)/q, g is a generator for Zp* .a is private key.

k=random from Zq*.sigK(x,k) = (r, δ)

r = h( x || (αk mod p)),δ = k + a r mod q

verK(x, (r, δ))=true, if h( x || (β-r

αδ mod p))=r.[why ? β-r αδ = αk mod p.]how about collision ?

1. q=101, p= 78*q+1 =7879. a=75.

2. g=3 is a generator of Z7879*. (how to check ?)

3. α = 378 mod p= 170.4. β= αa mod p = 4567.5. choose k=50.6. αk mod p=17050 mod p

=2518.7. r=h(x||2518)=96 (say)8. δ = k + a r mod q = 50+

170*96 mod 101=79.

9. 4567-96 17079 = 2518 mod 7879.

Digital Signature Algorithm (DSA) Cryptosystem 7.4

Same as Schnorr Signature Scheme.sigK(x,k) = (r, δ)

r = (αk mod p) mod q,δ = (SHA-1(x) + a r)k-1 mod q

verK(x, (r, δ))=true, if (αe1βe2 mod p) mod q =r. (why?)

e1 = SHA-1(x) δ-1 mod q, e2 = r δ-1 mod q,

Example 7.4K={(p, q, α, a, β):β= αa mod p}, q|p-1. p=cq+1.

α = g(p-1)/q, g is a generator for Zp* .a is private key.

k=random from Zq*.sigK(x,k) = (r, δ)

r = (αk mod p) mod q,δ = (SHA-1(x) + a r)k-1 mod q

verK(x, (r, δ))=true, if (αe1βe2 mod p) mod q =r. (why?)

e1 = SHA-1(x) δ-1 mod q, e2 = r δ-1 mod q,

1. q=101, p= 78*q+1 =7879. a=75.

2. g=3 is a generator of Z7879*. 3. α = 378 mod p= 170.4. β= αa mod p = 4567.5. choose k=50. k-1mod 101=996. αk mod p=17050 mod p =2518.7. r=(17050 mod p) mod q=948. assume SHA-1(x)=22. 9. δ = 22 + a r mod q = 22+

170*96 mod 101=97.10. e1= 22*97-1 mod 101= 45.11. e2= 94*97-1 mod 101= 27.

12. (αe1βe2 mod p) mod q =(17045 456727 mod 7879) mod 101 = 94.

Elliptic Curve DSA (ECDSA)

ECDSA was approved as in FIPS 186-2 in 2000.DSA: αk mod p vs. ECDSA: kA

multiplicative group vs. additive group.

See Cryptosystem 7.5. (page 298)(skip)

Elliptic Curves (Review)

y2 = x3 + a x + b, where

4 a3 + 27 b2 ≠ 0.

EC Curve over real (Fig 6.1, page 256)Result of P1 + P2 is shown.

Elliptic Curves Over Zp

y2 = x3 + a x + b, where4 a3 + 27 b2 ≠ 0.

EC Curve over Zp or a finite field can be similarly defined. We can show that it is a group in which DL problem is also intractable. (skip)

Provably secure signature schemes

One-Time SignatureCryptosystem 7.6 (page 300)

Full Domain HashCryptosystem 7.7 (page 304)

(skip)

Undeniable signatures

Chaum and Antwerpen (1989).Requires cooperation of the signer (A) to verify the signature.

using challenge-and-respond protocol.most ElGamal-like signature scheme has pair of as signature for x: (x, (r, δ))easy to copy (x, (r, δ)) w/o A approval.

only one part of the signature given.

Chaum and AntwerpenSignature Scheme Parameters

Similar to Schnorr scheme except that p=2q+1.Let α ε Zp* and its order is q. (how?)α = g(p-1)/q = g2, g is a generator for Zp* .

K={(p, q, α, a, β):β= αa mod p}, only ais private.Signature: y=sigK(x) = xa mod p. (similar but not quite as RSA signature)

Chaum and AntwerpenSignature Scheme Features

B (Bob) received y=sigK(x) = xa mod p. supposedly signed/sent from A (Alice).y can be a forgery or a valid signatureB issues a challenge to A for a response to either verify y is valid signature or y is indeed a forgery.Q: what if A wants to disavow her own signature ?

Cryptosystem 7.8: Chaum and Antwerpen Signature Scheme

K={(p, q, α, a, β):β= αa mod p}, only a is private. q=(p-1)/2. α = g2 mod p.Signature: y=sigK(x) = xa mod p.Verification:

1. B chooses e1, e2 randomly from Zq*.2. B computes c=ye1 βe2 mod p, send to A.3. A computes d=cA mod p, A=a-1 mod q.4. B accepts y, whenever d=xe1 αe2 mod p.

Example 7.7 (page 309)K={(p, q, α, a, β):β= αa mod p}, a is private. q=(p-1)/2. α= g2 mod p.Signature: y=sigK(x) = xa

mod p.Verification:

1. B chooses e1, e2 from Zq.2. B computes c=ye1 βe2 mod

p, send to A.3. A computes d=cA mod p,

A=a-1 mod q.4. B accepts y, whenever

d=xe1 αe2 mod p.

1. p=467, q=(p-1)/2=233.2. g=2, α = 22 = 4.3. choose a=101.4. β= αa = 4101 mod 467=449.5. assume x=119.6. y=119101 mod 467= 129.

verification:1. e1=38, e2=397.2. c=12938 449397 mod

467=13.3. A=101-1 mod 233=304. d=1330 mod 467= 9.

Disavow Protocol

What if d≠xe1 αe2 mod p in the Cryptosystem 7.8 ?

1. y may be forgery and indeed not signed by A. A can convince B that it is indeed a forgery. (how? why ?)

2. y may be signed by A but for some reason, A would like to disavow. The chance of “successful denial” is small.

Algorithm 7.3 Disavowal

1. B chooses e1, e2 from Zq.2. B computes c=ye1 βe2

mod p, send to A.3. A sends B with d=cA mod

p, (A=a-1 mod q).4. B verifies d≠xe1 αe2 mod

p.

1. B chooses f1, f2 from Zq.2. B computes C=yf1 βf2

mod p, send to A.3. A sends B with D=CA

mod p, (A=a-1 mod q).4. B verifies D≠xf1 αf2 mod

p.

B concludes y is a forgery if any only if (d α–e2 ) f1 = (D α–f2 ) e1 (mod p)

Consist of two runs of verification and one run consistency check.

Example 7.8 (page 311) 1. B chooses e1, e2 from Zq.2. B computes c=ye1 βe2 mod p, send to

A.3. A sends B with d=cA mod p, (A=a-1

mod q).4. B verifies d≠xe1 αe2 mod p.5. B chooses f1, f2 from Zq.6. B computes C=yf1 βf2 mod p, send to

A.7. A sends B with D=CA mod p, (A=a-1

mod q).8. B verifies D≠xf1 αf2 mod p.

1. p=467, q=(p-1)/2=233.2. g=2, α = 22 = 4.3. choose a=101.4. β= αa = 4101 mod 467=449.5. assume x=286.6. y=286101 mod 467= 129.7. suppose y=83 is sent.

verification:1. e1=45, e2=237.2. c=8345 449237 mod 467=306.3. A=101-1 mod 233=304. d=30530 mod 467= 109.5. 28645 4237 mod 467= 149 ≠ 109.

B concludes y is a forgery if any only if (d α–e2 ) f1 = (D α–f2 ) e1 (mod p)

Show that, f1=125, f2=9. C=270, D=68.

(109* 4-237)125 = (68* 4-9)45 = 188 mod 467.

Theory behind Chaum and Antwerpen Signature Scheme

Theorem 7.3 (page 309): If y ≠ xa mod p, then B will accept y as a valid signature for x with prob. ≤ 1/q.

Theorem 7.4 (page 311): If y ≠ xa mod p, both A and B follow Disavow Protocol, then

(d α–e2 ) f1 = (D α–f2 ) e1 (mod p)

Theory behind Chaum and Antwerpen Signature Scheme

Theorem 7.5 (page 312): If y = xa mod p, (true sig. of A) and B follows Disavow Protocol (A may not follow and send B: d and D), and

1. B verifies d≠xe1 αe2 mod p.2. B verifies D≠xf1 αf2 mod p.Then Pr(not EQ)=1-1/q, Pr(EQ)=1/q.

EQ: (d α–e2 ) f1 = (D α–f2 ) e1 (mod p)

Fail-stop signatures

proposed by van Heyst and Pedersen in 1992.provides enhanced security against the possibility that a very powerful adversary might be able to forge a signature. (skip)

Summary

Variants of ElGamal signature schemeSchnorr signature schemeDSA: Digital Signature Algorithm

Provably secure signature scheme (skip)

Undeniable signaturefeatures and applications

Fail-stop signature (skip)

HW 7

Chapter 7: 7.1, 7.4, 7.7, 7.15.