Embed Size (px)
Citation preview
Plan
1. Definition od secure signature schemes
2. RSA signatures
3. Hash-and-sign paradigm
4. ElGamal signatures
Signature schemes
digital signature schemes≈MACs in the public-key setting
Remember MACs?
Alice Bob
(m, t=Tagk(m))
k k
m є {0,1}*
Gen(1n)
Vrfyk(m,t) є {yes,no}
1n
Signature schemes
Alice Bob
(m, σ=Signsk(m))
sk pk
m є {0,1}*
Gen(1n)
Vrfypk(m,σ) є {yes,no}
1n
Anyone can verify the signatures
P5
P1
P3P2
P4
pk1
pk2
pk3
pk4
pk5
1. Sign(sk 3
,m)
public register:Sign(sk3,m)
Sig
n(s
k 3,m
)
2. reads pk3
sk3
3. computes Vrfy(pk3,m)
Advantages of the signature schemes
Digital signatures are:
1. publicly verifiable
2. transferable
3. provide non-repudiation
(we explain it on the next slides)
Look at the MACs...
Alice Bob
(m, t=Tagk(m))
k k
m є {0,1}*
Carol
Look, I got (m,t) from AliceWhy shall I trust you?
1. You could have created t yourself (because you know k)
2. I don’t know k, so how can I verify the tag?
Signatures are publicly-verifiable!
Alice Bob
(m, σ =Signsk(m))
skA pkA
m є {0,1}*
Carol
I can calculate
Vrfy(pkA,m,σ)
and check.
Look, I got (m,σ) from Alice
So, the signatures are transferable
P2 P3
Alice
P4P1
σ =
Sig
n(s
k 3,m
)
skA
(m,σ) (m,σ) (m,σ)
Alice signed m
pkA pkA pkA pkA
Alice signed m
Alice signed m
I believe it! I believe it! I believe it!
Non-repudiation
Alice Bob
(m, σ =Signsk(m))
skA pkA
m є {0,1}*
Judge
I got (m,σ) from Alice
It’s not true!I never signed m!
Vrfy(pk,m,σ) = yesso you cannot repudiate signing m...
Digital Signature Schemes
A digital signature scheme is a tuple (Gen,Sign,Vrfy) of poly-time algorithms, such that
• the key-generation algorithm Gen takes as input a security parameter 1n and outputs a pair (pk,sk),
• the signing algorithm Sign takes as input a key sk and a message mє{0,1}* and outputs a signature σ,
• the verification algorithm Vrfy takes as input a key pk, a message m and a signature σ, and outputs a bit b є {yes, no}.
If Vrfypk(m,σ) = yes then we say that t is a valid signature on the message m.
Correctness
We require that it always holds that:
Vrfypk(m,Signsk(m)) = yes
What remains is to define security of a MAC.
How to define security?As in the case of MACs, we need to specify:
1. how the messages m1,...,mt are chosen,
2. what is the goal of the adversary.
Good tradition: be as pessimistic as possible!
Therefore we assume that
1. The adversary is allowed to chose m1,...,mt.
2. The goal of the adversary is to produce a valid signature on some m’ such that m’ ≠ m1,...,mt.
security parameter1n
selects (pk,sk) = Gen(1n)
oracle
m1
mt
. . .We say that the adversary breaks the MAC scheme at the
end she outputs (m’, σ’) such that
1. Vrfy(m’, σ’) = yes2. m’ ≠ m1,...,mt
adversary
pk
Signsk(m1)
Signsk(mt)
The security definition
We say that (Gen,Mac,Vrfy) is existentially unforgeable under an adaptive chosen-message attack ifA
polynomial-timeadversary A
P(A breaks it) is negligible (in n)
sometimes we just say: secure
How to design secure signature schemes?
Rember the idea with the ``trapdoor permutations’’?
Trapdoor permutations
X X
easy
• easy: one can compute Epk-1
if one knows a trapdoor sk• hard (otherwise)
Epk
this is denoted
Dsk
A family of permutations indexed by pairs (pk,sk):
{E : X → X}(pk,sk) є keys
such that:
How to encrypt a message m
messages ciphertext
m := Dsk(c)
c := Epk(m)
one can compute it only if one knows sk
encryption
decryption:
Warning: in general it’s not that simple.
How to sign a message m
signatures messages
Dsk(m)
Epk(m)
one can compute it only if one knows sk
signing:
verifying:
Warning: in general it’s not that simple.
In general it’s not that simple
1. Not every trapdoor permutation is OK.
2. There are other ways to create signature schemes.
3. One can even construct a signature scheme from any one-way function.(this is a theoretical construction)
The “handbook” RSA signatures
N = pq, such that p and q are large distinct primese is such that gcd(e, φ(N)) = 1d is such that ed = 1 (mod φ(N))
Signd: ZN* → ZN
* is defined as:Sign(m) = md mod N.
Vrfyeis defined as:
Vrfye(m,σ) = yes if σe = m (mod N) no otherwise
Correctness:
follows from the fact that (md)e = m (mod N)
φ(N)) = (p-1)(q-1).
public key:(N,e)
private key:(N,d)
Problems with the “handbook RSA” (1/2)
A “no-message attack”:
The adversary can forge a signature on a “random” message m.
Given the public key (N,e):
he just selects a random σ and computes m = σe mod N.
Trivially, σ is a valid signature on m.
Problems with the “handbook RSA” (2/2)
How to forge a signature on an arbitrary message m?
oracle
m1adversary
Signsk(m1) = m1d mod N
Signsk(m2) = m2d mod N
(N,e)
chooses:1. random m1
2. m2 := m / m1 mod N m2
computes (mod N):
m1d · m2
d
= (m1 · m2)d
= md
this is a valid signature on m
Is it a problem?
In many applications – probably not.
But we would like to have schemes that are not application-dependent...
SolutionBefore computing the RSA function – apply some function H.
N = pq, such that p and q are large distinct primese is such that gcd(e, φ(N)) = 1d is such that ed = 1 (mod φ(N))
Signd: ZN* → ZN
* is defined as:Sign(m) = H(m)d mod N.
Vrfyeis defined as: Vrfye(m,σ) = yes if σe = H(m) (mod N)
no otherwise
How to choose such H?
A minimal requirement:
it should be collision-resistant.
(because if the adversary can find two messages m,m’ such that
H(m) = H(m’)
then he can forge a signature on m’ by asking the oracle for a signature on m)
A typical choice of H
Usually H is one of the popular hash functions.
Additional advantage:
We can sign very long messages keeping the modulus N small (it’s much more efficient!).
It is called ahash-and-sign paradigm.
Hash-and-Sign (1/3)1. (Gen,Sign,Vrfy) – a signature scheme “for short messages”
short x
signature σ
Signsk
σ
yes / no
Vrfypk
x
m
2. a hash function H
H
H(m)
Hash-and-Sign (2/3)
signature Signsk (H(m))
Signsk
m
H
H(m)
How to sign a message m?
Hash-and-Sign (3/3)How to verify?
σ
yes / no
Vrfypk
m
H
H(m)
Hash-and-Sign
It can be proven that this construction is secure.
For this we need to assume that H is taken from a family of collision-resilient hash functions.
{Hs} s є keys
Then s is a part of the public key and the private key.
What can be proven
Suppose
1. {Hs} s є keys is a family of collision-resistant hash functions,
2. (Gen,Sign,Vrfy) is a secure signature scheme.
Then the signature scheme constructed on the previous slide is secure.
Can anything be proven about the “hashed RSA” scheme?
Not really (it is provably secure only under very strong assumptions).
But at least the attacks described before “look infeasible”.
1. For the first attack: one would need to invert H.
2. The second attack:Looks impossible because the adversary would need to find messages m,m1,m2 such that
H(m) = H(m1) · H(m2)
Other popular signature schemes
Based on discrete log:
• ElGamal signatures
• Digital Signature Standard (DSS)(also based on other groups – elliptic curves)
• ...
ElGamal signatures
but remember that we can use the hash-and-sign paradigm
How to understand it?start with the verification condition
the signature
the message
Security of ElGamal
If the discrete log in Zp* is hard, then the scheme is broken.
To hope for any security one needs to hash the message before signing.
Is there any proof of security of the “hashed” El Gamal?
No...
