Signature Schemes
Chester Rebeiro IIT Madras
CR STINSON : chapter 7 Recall : MACs y = h (x) Alice K Bob K hK = “Attack at Dawn!!” Message Digest h K Message unsecure channel K “Attack at Dawn!!”
MACs allow Bob to be certain that • the message has originated from Alice • the message was not tampered during communication MAC cannot • prevent Bob from creating forgeries (i.e., messages in the name of Alice) • cannot prove Authenticity to someone without sharing the secret key K Digital Signatures solve both these problems
CR 2 Digital Signatures
• A token sent along with the message that achieves – Authentication – Non-repudiation – Integrity • Based on public key cryptography
CR 3 Public key Certificates TA Important application of digital signatures
Bob’s Certificate{ Bob’s public key in plaintext Signature of the certifying authority other information }
To communicate with Bob, Alice gets his public key from a trusted authority (TA) A trusted authority could be a Government agency, Verisign, etc.
A signature from the TA, ensures that the public key is authentic.
CR 4 Digital Signature
Alice y = digital signature Alice’s sig Everyone Else Private Key K TRUE / FALSE (x, y) ver Alice’s unsecure channel K Message Public Key x = “Attack at Dawn!!”
Signing Function Verifying Function
y = sig a(x) ver b(x, y)
Input : Message (x) and Alice’s private key Input : digital signature, message Output: Digital Signature of Message Output : true or false true if signature valid false otherwise CR 5 Digital Signatures (Formally)
CR 6 Forgery
Mallory digital signature Everyone Else Forgery TRUE Algorithm (x, y) ver Alice’s unsecure channel K Public Key
If Mallory can create a valid digital signature such that ver K(x, y) = TRUE for a message not previously signed by Alice, then the pair (x, y) forms a forgery
CR 7 Security Models for Digital Signatures
Assumptions Goals of Attacker
• Total break: Mallory can determine Alice’s private key
(therefore can generate any number of signed messages) DifficultyLevel • Selective forgery: Given a message x, Mallory can determine y, such that (x, y) is a valid signature from Alice
• Existential forgery: Mallory is able to create y for some x, such that (x, y) is a valid signature from Alice
CR 8 Security Models for Digital Signatures
Assumptions Goals of Attacker
Weak • Key-only attack : Mallory only has Alice’s public key (i.e. only has access to the verification function, ver ) • Known -message attack : Mallory only has a list of messages signed by Alice
(x 1, y 1), (x 2, y 2), (x 3, y 3), (x 4, y 4), ….. • Chosen-message attack :
Mallory chooses messages x 1, x 2, x 3, …….. and tricks Alice into providing the corresponding signatures y1, y 2, y 3 (resp.) Strong
CR 9 First Attempt making a digital signature (using RSA)
b,n public a, p,q private n = pq; a ≡ b-1modϕ(n) sig(x){ ver(x, y){ a y ≡ x mod n (x, y) if (x ≡ yb mod n) return TRUE return (x, y) else return FALSE } }
x is the message here and (x, y) the signature
CR 10 A Forgery for the RSA signature (First Forgery)
b,n public a, p,q private n = pq; a ≡ b-1modϕ(n) sig(x){ verK (x, y){ a y ≡ x mod n (x, y) if (x ≡ yb mod n) return TRUE return (x, y) else return FALSE } }
forgery(){ select a random y Key only, existential forgery compute x ≡ yb mod n return (x, y) }
CR 11 Second Forgery
Suppose Alice creates signatures of two messages x 1 and x 2
a y1 = sig(x1) → y1 ≡ x1 mod n (x1, y1) a y2 = sig(x2 ) → y2 ≡ x2 mod n (x2 , y2 )
Mallory can use the multiplicative property of RSA to create a forgery
Known message, existential forgery (x1x2 mod n, y1 y2 mod n) is a forgery y y ≡ xa xa mod n 1 2 1 2
CR 12 RSA Digital Signatures
Incorporate a hash function in the scheme to prevent forgery
b,n public a, p,q private sig(x){ verK (x, y){ z = h(x) z = h(x) a (x, y) y ≡ z mod n if (z ≡ yb mod n) return TRUE return (x, y) else return FALSE } } x is the message here, (x, y) the signature and h is a hash function
CR 13 How does the hash function help?
Preventing the First Forgery forgery(){ select a random y compute z'≡ yb mod n compute I st preimage: x st. z'= h(x) return (x, y) }
Forgery becomes equivalent to the first preimage attack on the hash function
CR 14 How does the hash function help?
Preventing the Second Forgery
(x1x2 mod n, y1 y2 mod n) is difficult a a y1 y2 ≡ h(x1) h(x2 ) mod n a a ≡ x1 x2 mod n
creating such a forgery is unlikely
CR 15 How does the hash function help?
Another Forgery prevented
forgery(x, y){ compute h(x) compute II nd preimage: find x' ts .. h(x) = h(x )' and x ≠ x' return (x ,' y) }
Given a valid signature (x,y) find (x’,y) creating such a forgery is equivalent to solving the 2 nd preimage problem of the hash functionw
CR 16 ElGamal Signature Scheme
• 1985 • Variant adopted by NIST as the DSA (DSA: standard for digital signature algorithm) • Based on the difficult of the discrete log problem
CR 17 ElGamal Signing
Initialization Choose a large prime p * Let α ∈ Z p bea primitive element Choose a 0( < a ≤ p − )1 Compute β ≡ α a mod p
Public Parameters : p, α, β Private key : a
Signing Message x sig(x){ select a secret random k ts .. gcd(k, p − )1 =1 The use of a random secret k for every γ ≡ α k mod p signature makes ElGamal non-deterministic δ ≡ (x − aγ )k −1 mod p −1 y = γ ,( δ ) return x,( y) }
CR 18 ElGamal Verifying
Initialization Choose a large prime p * Let α ∈ Z p bea primitive element Choose a 0( < a ≤ p − )1 Compute β ≡ α a mod p
Public Parameters : p, α, β Private key : a
Verifying Signature (x,y) ver x γ ,(,( δ )){ x compute t1 ≡ α mod p γ δ compute t2 ≡ β γ mod p
if (t1 = t2 ) return TRUE else return FALSE } CR 19 ElGamal Correctness
Initialization Choose a large prime p Signing Message x * Let α ∈ Z p bea primitive element Verifying Signature (x,y) sig(x){ Choose a 0( < a ≤ p − )1 ver x γ ,(,( δ )){ select a secret random k a x Compute β ≡ α mod p compute t1 ≡ α mod p k γ ≡ α mod p γ δ compute t2 ≡ β γ mod p δ ≡ (x − aγ )k −1 mod p −1 Public Parameters : p, α, β if (t1 = t2 ) return TRUE y = (γ ,δ ) Private key : a else return FALSE return x,( y) } }
First note that correctness aγ + kδ ≡ x mod( p − )1 if the signature is valid, t 1 = t 2
γ δ x t2 ≡ β γ mod p t1 ≡ α mod p ≡(α a )γ + (α k )δ mod p ≡ α aγ +kδ mod p ≡ α x mod p
CR 20 Example
p = 467 α = 2 a =127 β ≡ α a mod p = 2127 mod 467 Signature of message x = 100 =132 k = 213 (chosen randomly) k −1 mod p −1 = 431 Verifying γ = α k mod p β γ γ δ mod p =132292951 mod 467 =189 = 2213 mod 467 α x mod p = 2100 mod p =189 = 29 TRUE δ = (x − aγ )k −1 mod p −1 = (100 − 2⋅29)431mod 466 = 51
CR 21 Security of ElGamal Signature Scheme (against Selective forgery)
Given an x, Mallory needs to find(γ ,δ ) such that ver(x (, γ ,δ )) = TRUE
Attempt 1 γ δ x Choose a value for γ , then try to compute δ ts .. β γ ≡ α mod p This is the intractable x −γ δ = logγα β discrete log problem Attempt 2 Choose a value for δ , then try to compute γ ts .. β γ γ δ ≡ α x mod p This is not related to the discrete log problem. There is no known solution for this.
Attempt 3 Choose value for γ andδ simultaneously, ts .. β γ γ δ ≡ α x mod p No way known.
CR 22 Security of ElGamal Signature Scheme (against Existential forgery)
Mallory needs to findan (x, (γ ,δ )) such that ver(x (, γ ,δ )) = TRUE
The one-parameter forgery choose some i 0( ≤ i ≤ p − 2). form γ ≡ α i β mod p δ ≡ −γ mod(p −1) x ≡ iδ mod(p −1). forgery forgery then, ver(x (, γ ,δ )) = TRUE α x ≡ β γ γ δ mod p RHS ≡ β γ (α i β )δ mod p ≡ β γ +δα iδ mod p ≡ α aγ +aδα iδ mod p aγ −aγ +iδ
proof ≡ α mod p ≡ α iδ mod p ≡ α x mod p = LHS
CR 23 Security of ElGamal Signature Scheme (against Existential forgery)
Mallory needs to findan (x, (γ ,δ )) such that ver(x (, γ ,δ )) = TRUE
The two-parameter forgery
choose some i, j (0 ≤ i, j ≤ p − 2; gcd( j, p −1) =1). form γ ≡ α i β j mod p δ ≡ −γj −1 mod( p − )1 −1
forgery x ≡ γij mod( p − ).1 then, ver(x (, γ ,δ )) = TRUE
Prevent Existential Forgeries by hashing the message
CR 24 Improper use of ElGamal’s Signature Scheme
1. What if k is not a secret? sig(x){ if gcd(γ , p − )1 =1 then select a secret random k γ ≡ α k mod p secret a can be computedas follows δ ≡ (x − aγ )k −1 mod p −1 −1 a = (x − kδ )γ mod( p −1). y = γ ,( δ ) return (x, y) } The secret key ‘a’ is retrieved and Mallory can create many forgeries
CR 25 Improper use of ElGamal’s Signature Scheme 2. What if k is reused?
Lets say we have two different messages x1 and x2 signed with the same k The signatures are (γ ,δ ) and (γ ,δ ) then, 1 2 sig(x){ select a secret random k γ ≡ α k mod p δ ≡ (x − aγ )k −1 mod p −1 y = γ ,( δ ) return x,( y) dividing }
Representing in terms of α
=>
CR 26 Improper use of ElGamal’s Signature Scheme
CR 27 ElGamal Signature Length
• Generally p is a prime of length 1024 bits • The signature comprises of ( γ , δ ) which is of length 2048 bits
Schnorr’s Signature Scheme is a modification of the ElGamal signature scheme with signatures of length around 320 bits
CR 28 DSA (Digital Signature Standard)
Initialization Choose a large prime p (1024bit) Choose another prime q (160 bit) ts .. q | p −1 Find α of order q (α creates a subgroup of order q) Choose a 0( < a ≤ q − )1 Compute β ≡ α a mod p choose some α Public Parameters : p, q, α, β And compute Private key : a α(p-1)/q mod p
CR 29 DSA (Signing Function)
Initialization Choose a large prime p (1024bit) Choose another prime q (160 bit) ts .. q | p −1 Find α of order q (α creates a subgroup of order q) Choose a 0( < a ≤ q − )1 Compute β ≡ α a mod p
Public Parameters : p, q, α, β Private key : a Signing Message x sig(x){ select a secret random k ts .. gcd(k,q) =1 The use of a random secret k for every γ ≡ (α k mod p) mod q signature makes ElGamal non-deterministic δ ≡ (SHA(x) + aγ )k −1 mod q y = γ ,( δ ) return x,( y) }
CR 30 DSA (Verifying Function)
Initialization Choose a large prime p (1024bit) Choose another prime q (160 bit) ts .. q | p −1 Find α of order q (α creates a subgroup of order q) Choose a 0( < a ≤ q − )1 Compute β ≡ α a mod p
Public Parameters : p, q, α, β Private key : a Signing Message x Verifying Signature sig(x){ ver x γ ,(,( δ )){ select a secret random k ts .. gcd(k,q) =1 compute w ≡ δ −1 mod q γ ≡ (α k mod p) mod q compute t1 ≡ w⋅ SHA(x) mod q δ ≡ (SHA(x) + aγ )k −1 mod q compute t2 ≡ w⋅γ mod q y = γ ,( δ ) compute v ≡ (α t1 ⋅ β t2 mod p) mod q return x,( y) if (v ≡ γ mod q) return TRUE } else return FALSE }
CR 31 DSA (Correctness) Initialization Public Parameters : p, q, α, β (β ≡ α a mod p) Private key : a Verifying Signature Signing Message x ver x γ ,(,( δ )){ sig(x){ compute w ≡ δ −1 mod q select a secret random k ts .. gcd(k,q) =1 compute t1 ≡ w⋅ SHA(x) mod q γ ≡ (α k mod p) mod q compute t2 ≡ w⋅γ mod q −1 δ ≡ (SHA(x) + aγ )k mod q compute v ≡ (α t1 ⋅ β t2 mod p) mod q y = γ ,( δ ) if (v ≡ γ mod q) return TRUE return x,( y) else return FALSE } }
δ ≡ (SHA(x) + aγ )k −1 mod q α k ≡ α (t1 +at2 )modq mod p k ≡ (SHA(x) + aγ )δ −1 mod q α k ≡ α t1 β t2 mod p =(wSHA(x) + waγ ) mod q Take mod q on both sides
t1 t2 k ≡ (t1 + at2 ) mod q γ ≡ (α β mod p) mod q
CR 32 Security of DSA
• There are two ways to attack the DSA (attempt to recover the secret a)
– Target the large cyclic group Zp
– Target the smaller group Zq
Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits
CR 33 Security of DSA
• There are two ways to attack the DSA (attempt to recover the secret a)
– Target the large cyclic group Zp
– Target the smaller group Zq Could you techniques such as Index Calculus. For a 1024 bit p, this method offers security of 80 bits Cannot apply Index Calculus relies on Pollard rho for solving the discrete log, For 160 bit q, this offers security of 80 bits
Thus the size of p dictates the size of q.
CR 34 Schnorr Signature Scheme (uses a hash function to get smaller signatures) Initialization Choose a large prime p (of size 1024 bits) Choose a smaller prime q (of size 160 bits) and q (| p − )1 * Let α0 ∈ Z p bea primitive element ( p− /)1 q th then α = α0 mod p is the q root of 1mod p Choose a randomly from 0( ≤ a < q) Compute β = α a mod q Private : a Private : α, β, p,q Signing Message x Verifying Signature (x,y) sig(x){ select a secret random k ts 1.. ≤ k ≤ q − .1 ver x γ ,(,( δ )){ k δ −γ γ = h(x ||α mod p) compute t1 ≡ h(x ||α β mod p)
δ = k + aγ mod p if (t1 = γ ) return TRUE y = γ ,( δ ) else return FALSE return x,( y) } }
CR 35