DOCSLIB.ORG

Modern Cryptography: Lecture 13 Digital Signatures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Modern Cryptography: Lecture 13 Digital Signatures Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!. 4/26 Digital Signatures: Definition *8B<1<#<&N 12.1 3 :digital; signature scheme is a triple of ??T algorithms :Gen( 7ig( =rfy; su!h that: 1. #he key9generation algorithm Cen takes as inp$t the se!$rity parameter 1n and o$tputs a pair of keys :pk( sk; :we assume that pk and sk ha>e length n and that n !an 6e inferred from pk or sk;. 2. The signing algorithm 7ig takes as inp$t a pri>ate key sk and a message m from some message space M. It o$tp$ts a signature D( and we write this as D ← 7igsk:m;. 3. The deterministi! >erification algorithm =rfy takes as inp$t a pu6li! key ?k( a message m( and a signat$re D. It o$tp$ts a 6it 6 with 6,1 meaning >alid and 6,0 meaning in>alid. We write this as 6 :, =rfypk:m( D;. <t is reA$ired that( e+!ept possi6ly with negligi6le pro6ability o>er :pk( sk; ← Gen:1n;( we ha>e =rfypk:m( 7igsk:m;; , 1 for any message m ∈ M. 6/26 Some #emar$s on the De!nition ● The signing algorithm – may be deterministic or pro6a6ilistic – may be stateful or stateless (latter is the norm) ● The deterministi! >erifi!ation algorithm may 6e perfe!tly !orre!t :never fails) or may fail with negligi6le pro6ability ● 8>ery instan!e has an asso!iated message spa!e M :whi!h we assume to 6e impli!itly defined when seeing the p$bli! key; – <f there is a f$nction k s$!h that the message spa!e is {2( 1Gk(n; (with n 6eing the se!urity parameter;( then the signat$re scheme s$pports message length k(n; – We will later see how we can generically !onstr$!t signat$res schemes for ar6itrary message spa!es from any scheme that s$pports message length k(n; //26 %ormal Security &otions 'or Digital Signatures ● 3tta!k model :in!reasing strength; – 1o9message attack (NMA): Ad>ersary only sees p$6lic key – Handom message atta!k :HMA): Ad>ersary !an o6tain signatures for random messages (not in the !ontrol of the adversary; – 1on9adaptive chosen message attack (naCM3;: Adversary defines a list of messages for which it wants to o6tain signatures (before it sees the p$6lic key; – Chosen message attack (CMA): Ad>ersary !an adaptively ask for signat$res on messages of its choice 8/26 %ormal Security &otions 'or Digital Signatures ● Coal of an ad>ersary :de!reasing hardness) – 'niversal forgery (UB;: Adversary is given a target message for which it needs to o$tp$t a valid signat$re – 8xistential forgery (EB): Ad>ersary outputs a signat$re for a message of the adversaryIs !hoice ● 7ec$rity notion: atta!k model J goal of the ad>ersary ● Bor s!hemes $sed in practi!e: 3d>ersary !an not even a!hieve the weakest goal in the strongest atta!k model – 8'B9CM3: existential unforgea6ility under !hosen message atta!ks 0/26 ()%*CMA Security 3 signat$re scheme scheme K , :Cen( 7ig( =rfy) is existentially $nforgeabily $nder !hosen message attacks :8'B9CM3; se!$re( if for all ??T ad>ersaries A there is a negligi6le f$n!tion negl s.t. e$f9!ma ≤ ?rL7ig9forgeA,K:n;,1] negl:n; . 12/26 Some #emar$s on the De!nition ● &ne-time >s. many9time signat$res – #he num6er of queries to the ora!le may 6e limited, i.e.( only a single Auery is allowed vs. ar6itrary many are allowed ● Weak >s. strong $nforgea6ility – <n !ase of strong unforgea6ility the ad>ersary wins if it o$tputs a >alid signat$re even for a queried message( 6ut the signature differs from the one o6tained from the oracle ● &racle Q records (mi(Di; and winning !ondition is: :mN(DN; ∉ Q ● Not achie>able for re-randomiOable signature s!hemes – We consider only standard :weak; unforgea6ility 11/26 #S Signatures ● %eyGen: &n inp$t 1n pi!k two random n96it primes p(A( set N , pA( pi!k e s.t. g!d(e( P:1;; , 1, !omp$te d :, eQ1 mod P:1; o$tp$t :sk( pk; :, ::d ( N ;( :e (1;; ● 7ign: &n inp$t m ∈ Z1N and sk , :d, 1;( !omp$te and o$tput D :, md mod N ● =rfy: &n inp$t a p$6li! key pk , :e( 1;( a message m ∈ Z1N and a signature σ ∈ Z1N o$tp$t 1 if and only if m :, De mod 1 12/26 #S Signatures ● #o forge signature of a message m( the adversary( gi>en 1( e 6$t not d( m$st !ompute md mod 1( meaning in>ert the H73 f$n!tion at m. ● @$t H73 is one9way so this task sho$ld 6e hard and the scheme sho$ld 6e se!$re. Corre!t? ● &f !o$rse not… ● No9message attacks 1; &utp$t forgery (mN( DN) :, :1( 1). Valid since 1d = 1 mod 1 e 2) Choose D ∈ Z1* and !ompute m :, D mod N ● 8'B9CM3 atta!k – Ask signat$res D1( D2 for m1(m2 ∈ Z1* and o$tp$t :mN( DN; :, :m1 S m2 mod N( D1 S D2 mod N; 8>en if it wo$ld 6e sec$re( a message spa!e of Z1N is not desirable! 13/26 Extending the Message Space ● @lock9wise signing – Consider m :, :m1(R( mn; with mi ∈ M and !ompute D :, :D1(R( Dn; – 1eed to take !are to a>oid mix9and9match attacks :6lo!k reordering( e+changing blo!ks from different signatures( et!.; – <neffi!ient for large messages :one in>o!ation of the scheme per block; ● Hash9and9sign – Compress arbitrarily long message before signing 6y hashing them to a fi+ed length string $sing a hash f$n!tion – #he range of needs to be !ompatible with the message spa!e of the signat$re scheme 14/26 ,ash*and*Sign Paradigm (Construction 1./3) ● )et K , :Cen( 7ign( =rfy; 6e a signature s!heme for messages of length k:n;( and let Γ , :Cen ( ; 6e a hash f$n!tion with o$tp$t length k:n;. Constru!t signature scheme KI , :GenI ( 7ignI ( =rfy’; as follows: – n n n CenI: on inp$t 1 ( run Gen:1 ; to o6tain :pk( sk; and run Cen :1 ; to obtain s; the pu6li! key is :pk( s; and the pri>ate key is :sk( s;. – 7ignI: on inp$t a pri>ate key :sk( s; and a message m ∈ F2( 1}* ( o$tp$t σ E 7ignsk: :s, m;;. – =rfy’: on input a p$6li! key :pk( s;( a message m ∈ F2( 1}*, and a signat$re D( o$tp$t 1 if and only if =rfypk: :s, m;( D; , 1. # 8&H8M 12.4: If K is a sec$re signature scheme for messages of length k and Γ is !ollision resistant, then KI is a sec$re signat$re s!heme :for arbitrary9length messages). 15/26 ,ash*and*Sign Paradig" ● ?roof Idea – )et m1 (... ( mA be the messages A$eried 6y A and :mN( DN; the >alid forgery ● Case 1: :s( mN; , H:s( mi; for some i ∈ [q] : we ha>e a collision for H ● Case 2: H:s( mN; V :s( mi; for all i ∈ [AM : we ha>e that ( :s( mN;( σN; is a forgery for K ● Hash9and9sign in practi!e – 'sed 6y signature schemes $sed in pra!tice :H73 ?%C7W1 >1.4 signat$res, 7!hnorr( :8C)*73( R; – Hecall that we !onsider to 6e keyed for theoreti!al reasons and in practice would be any XgoodY !ollision9resistant hash fun!tion( e.g.( 7 39- 16/26 #S FD, Signatures ● Can we simply apply the hash9and9sign paradigm to H73? – No, not assuming !ollision resistant hashing :or any other reasona6le standard property of a hash f$nction;( as the underlying te+t6ook H73 signature s!heme does not pro>ide any meaningful se!urity ● @$t, we !an apply the idea of hash9and9sign and model the hash f$nction as a random oracle! – H73 Bull *omain ash :H739B* ; – #he random ora!le is !ollision resistant and destroys other Xdangero$s” alge6rai! properties – <mportant that range of is :!lose to; Z1N – !onstr$!ted >ia repeated application of an underlying !ryptographic hash fun!tion s$!h as 7 39- ● Ne>er say Xsigning , d/en!rypt the hashY when talking about signing :with H73;T – XMisunderstanding” d$e to !ommutativity of H73 private and p$6lic key operation – &ther signature s!hemes do usually not allow any s$!h analogy 17/26 #S FD, Signatures (Construction 1./10 ● %eyCen: On inp$t 1n pick two random n96it primes p(A( set N = pA( pi!k e s.t.
Load more

Recommended publications
  • One-Time and Interactive Aggregate Signatures from Lattices
    One-Time and Interactive Aggregate Signatures from Lattices Dan Boneh Sam Kim Stanford University Stanford University [email protected] [email protected] Abstract An aggregate signature scheme enables one to aggregate multiple signatures generated by different people on different messages into a short aggregate signature. We construct two signature aggregation schemes whose security is based on the standard SIS problem on lattices in the random oracle model. Our first scheme supports public aggregation of signatures, but for a one-time signature scheme. Our second scheme supports aggregation of signatures in a many-time signature scheme, but the aggregation process requires interaction among the signers. In both schemes, the size of the aggregate signature is at most logarithmic in the number of signatures being aggregated. 1 Introduction A signature scheme is a tuple of three algorithms: KeyGen generates a key pair (sk; pk), Sign(sk; m) ! σ signs a message m, and Verify(pk; m; σ) ! 0=1 verifies a signature σ on message m. A one-time signature is a signature scheme that is existentially unforgeable against an adversary that is given the public key and the signature on a single message of its choice. One-time signatures (OTS) have found many applications in cryptography. They are used to transform any existentially unforgeable signature into a strongly unforgeable signature [BS08], in several chosen-ciphertext secure public-key encryption constructions [DDN03, CHK04], in offline/online signatures [EGM96], and for authenticating streaming data [GR01]. The classic OTS scheme of Lamport [Lam79] and its Winternitz variant [BDE+13] shows that one-time signature schemes can be constructed from any one-way function.
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • A Provably-Unforgeable Threshold Eddsa with an Offline Recovery Party
    A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party Michele Battagliola,∗ Riccardo Longo,y Alessio Meneghetti,z and Massimiliano Salax Department of Mathematics, University Of Trento Abstract A(t; n)-threshold signature scheme enables distributed signing among n players such that any subset of size at least t can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized sig- nature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant dur- ing the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adap- tive malicious adversaries. Furthermore we show how our security notion can be strengthen when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible prob- ability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability. Keywords| 94A60 Cryptography, 12E20 Finite fields, 14H52 Elliptic curves, 94A62 Authentication and secret sharing, 68W40 Analysis of algorithms 1 Introduction A(t; n)-threshold signature scheme is a multi-party computation protocol that en- arXiv:2009.01631v1 [cs.CR] 2 Sep 2020 ables a subset of at least t among n authorized players to jointly perform digital signatures. The flexibility and security advantages of threshold protocols have be- come of central importance in the research for new cryptographic primitives [9].
    [Show full text]
  • On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles
    A preliminary version of this paper appears in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles Alexandra Boldyreva∗ Serge Fehr† Adam O’Neill∗ Abstract The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and con- structions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applica- tions. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well. Keywords: Public-key encryption, deterministic encryption, lossy trapdoor functions, leftover hash lemma, standard model. ∗ College of Computing, Georgia Institute of Technology, 266 Ferst Drive, Atlanta, GA 30332, USA.
    [Show full text]
  • Securing Threshold Cryptosystems Against Chosen Ciphertext Attack∗
    Securing Threshold Cryptosystems against Chosen Ciphertext Attack∗ Victor Shoupy Rosario Gennaroz September 18, 2001 Abstract For the most compelling applications of threshold cryptosystems, security against chosen ciphertext attack is a requirement. However, prior to the results presented here, there appeared to be no practical threshold cryptosystems in the literature that were provably chosen-ciphertext secure, even in the idealized random oracle model. The contribution of this paper is to present two very practical threshold cryptosystems, and to prove that they are secure against chosen ciphertext attack in the random oracle model. Not only are these protocols computationally very efficient, but they are also non-interactive, which means they can be easily run over an asynchronous communication network. 1 Introduction In a threshold cryptosystem, the secret key of a public key cryptosystem is shared among a set of decryption servers, so that a quorum of servers can act together to decrypt a given ciphertext. Just as for ordinary, non-threshold cryptosystems, a natural and very useful notion of security is that of security against chosen ciphertext attack. In this paper, we consider the problem of designing threshold cryptosystems that are secure against chosen ciphertext attack. Our goal is to design a practical scheme, and provide strong evidence that it cannot be broken. Even though the most compelling applications of threshold cryptosystems seem to require chosen-ciphertext security, prior to the results presented here, there appeared to be no practi- cal threshold cryptosystems in the literature that were provably secure | even in the random oracle model, where one models a cryptographic hash function as a random oracle.
    [Show full text]
  • Proactive Two-Party Signatures for User Authentication
    Proactive Two-Party Signatures for User Authentication Antonio Nicolosi, Maxwell Krohn, Yevgeniy Dodis, and David Mazieres` NYU Department of Computer Science {nicolosi,max,dodis,dm}@cs.nyu.edu Abstract may have the right to initiate signatures of arbitrary mes- We study proactive two-party signature schemes in the con- sages, while a server’s role is simply to approve and log text of user authentication. A proactive two-party signa- what has been signed. In such settings, an attacker may gain ture scheme (P2SS) allows two parties—the client and the fruitful advantage from the use of even a single key share, server—jointly to produce signatures and periodically to re- unless some separate mechanism is used for mutual authen- fresh their sharing of the secret key. The signature genera- tication of the two parties. Finally, ordinary two-party sig- tion remains secure as long as both parties are not compro- natures offer no way to transfer ownership of a key share mised between successive refreshes. We construct the first from one party to another—as the old owner could neglect such proactive scheme based on the discrete log assump- to erase the share it should no longer be storing. tion by efficiently transforming Schnorr’s popular signature Proactive digital signatures allow private key shares to be scheme into a P2SS. We also extend our technique to the updated or “refreshed” in such a way that old key shares signature scheme of Guillou and Quisquater (GQ), provid- cannot be combined with new shares to sign messages or ing two practical and efficient P2SSs that can be proven recover the private key.
    [Show full text]
  • Integrity, Authentication and Confidentiality in Public-Key Cryptography Houda Ferradi
    Integrity, authentication and confidentiality in public-key cryptography Houda Ferradi To cite this version: Houda Ferradi. Integrity, authentication and confidentiality in public-key cryptography. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2016. English. NNT : 2016PSLEE045. tel- 01745919 HAL Id: tel-01745919 https://tel.archives-ouvertes.fr/tel-01745919 Submitted on 28 Mar 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT de l’Université de recherche Paris Sciences et Lettres PSL Research University Préparée à l’École normale supérieure Integrity, Authentication and Confidentiality in Public-Key Cryptography École doctorale n◦386 Sciences Mathématiques de Paris Centre Spécialité Informatique COMPOSITION DU JURY M. FOUQUE Pierre-Alain Université Rennes 1 Rapporteur M. YUNG Moti Columbia University et Snapchat Rapporteur M. FERREIRA ABDALLA Michel Soutenue par Houda FERRADI CNRS, École normale supérieure le 22 septembre 2016 Membre du jury M. CORON Jean-Sébastien Université du Luxembourg Dirigée par
    [Show full text]
  • An Efficient Blind Signature Scheme Based on Error Correcting Codes
    ACSIJ Advances in Computer Science: an International Journal, Vol. 4, Issue 4, No.16 , July 2015 ISSN : 2322-5157 www.ACSIJ.org an Efficient Blind Signature Scheme based on Error Correcting Codes Junyao Ye1, 2, Fang Ren3 , Dong Zheng3 and Kefei Chen4 1 Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai 200240, China [email protected] 2 School of Information Engineering, Jingdezhen Ceramic Institute, Jingdezhen 333403,China [email protected] 3 National Engineering Laboratory for Wireless Security, Xi’an University of Posts and Telecommunications Xi’an 710121, China [email protected] 4 School of Science, Hangzhou Normal University, Hangzhou 310000, China [email protected] The concept of blind signature was first proposed by Abstract Chaum et al.[2] in CRYPTO'82. In a blind signature Cryptography based on the theory of error correcting codes and mechanism, the user can get a valid signature without lattices has received a wide attention in the last years. Shor’s revealing the message or relevant information to the signer. algorithm showed that in a world where quantum computers are What's more, the signer won't be able to connect the assumed to exist, number theoretic cryptosystems are insecure. signature with the corresponding signature process in the Therefore, it is important to design suitable, provably secure future. In 1992, Okamoto proposed a blind signature post-quantum signature schemes. Code-based public key cryptography has the characteristic of resisting the attack from scheme[3] based on schnorr signature[4]. In 2001, Chien post-quantum computers. We propose a blind signature scheme et al.[5] proposed a partial blind signature scheme based based on Niederreiter PKC, the signature is blind to the signer.
    [Show full text]
  • Subliminal Channels in High-Speed Signatures
    Die approbierte Originalversion dieser Diplom-/ Masterarbeit ist in der Hauptbibliothek der Tech- nischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at institute of telecommunications The approved original version of this diploma or master thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng Subliminal Channels in High-Speed Signatures Master’s Thesis for obtaining the academic degree Diplom-Ingenieur as part of the study Electrical Engineering and Information Technology carried out by Alexander Hartl student number: 01125115 Institute of Telecommunications at TU Wien Supervision: Univ. Prof. Dipl.-Ing. Dr.-Ing. Tanja Zseby Dipl.-Ing. Robert Annessi, B.Sc Acknowledgments I want to express my gratitude for everyone who assisted or encouraged me in various ways during my studies. In particular, I would like to thank Prof. Tanja Zseby and Dipl.-Ing. Robert Annessi for giving me the opportunity to write this thesis, for supporting me actively while I was working on it and for many valuable comments and suggestions. I owe special thanks to my family, especially my parents Edith and Rudolf, for their endless support during all these years. Thank you, Sabrina, for encouraging me and for so many cheerful hours in my life. Abstract One of the fundamental building blocks for achieving security in data networks is the use of digital signatures. A digital signature is a bit string which allows the receiver of a message to ensure that the message indeed originated from the apparent sender and has not been altered along the path.
    [Show full text]
  • Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information
    Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information Ran Canetti IBM T.J.Watson Research Center. Email: canettiOwatson.ibm.com Abstract. The random oracle model is a very convenient setting for designing cryptographic protocols. In this idealized model all parties have access to a common, public random function, called a random or- acle. Protocols in this model are often very simple and efficient; also the analysis is often clearer. However, we do not have a general mech- anism for transforming protocols that are secure in the random oracle model into protocols that are secure in real life. In fact, we do not even know how to meaningfully specify the properties required from such a mechanism. Instead, it is a common practice to simply replace - often without mathematical justification - the random oracle with a ‘crypto- graphic hash function’ (e.g., MD5 or SHA). Consequently, the resulting protocols have no meaningful proofi of security. We propose a research program aimed at rectifying this situation by means of identifying, and subsequently realizing, the useful properties of random oracles. As a first step, we introduce a new primitive that realizes a specific aspect of random oracles. This primitive, cded omcle hashang, is a hash function that, like random oracles, ‘hides all partial information on its input’. A salient property of oracle hashing is that it is probabilistic: different applications to the same input result in Merent hash dues. Still, we maintain the ability to ueejy whether a given hash value was generated from a given input. We describe constructions of oracle hashing, as well as applications where oracle hashing successfully replaces random oracles.
    [Show full text]
  • Modern Cryptography - a Review
    INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 9, ISSUE 04, APRIL 2020 ISSN 2277-8616 Modern Cryptography - A Review Seetha. R, Mythili. N Abstract: Cryptography techniques involve message conveyance either in a secret form or in some hidden form. Cryptography finds it applications in almost all fields for secure data transfer. Looking into the history it is the military field which is very much influenced by secure data transfer and communication. Use of cryptography has spread its wings once digital communication stepped in. The thirst of data security increased when digital communication started using wireless medium for data transmission. It is therefore necessary to understand the basics and importance of cryptographic techniques for better, fast and efficient data transfer without any intrusion. Index Terms: Encryption, Decryption, Plaintext, Cipher text, Cryptanalysis, Data security. ———————————————————— INTRODUCTION concepts like but not limited to number theory concepts like The necessity of communicating and sharing information in a divisibility, factors, primes, integer representation with different selective manner from one end to another end has led to the radix, GCD, LCM, modular arithmetic, rings and prime fields evolution of cryptography. The true security strength of and basic arithmetic operations are widely used in cryptographic algorithms lies on the cryptanalysis which is the cryptosystems and cryptanalysis. Other concepts include ability to break the encrypted (cipher) text. Thus cryptography algebra, permutations and combinations, substitutions, and cryptanalysis always coexist and are collectively known as complexity theory of algorithms (NP-hard and NP-complete cryptology. The major focus of cryptography is to provide problems), Euler‘s function, discrete logarithm, Chinese secure data transmission which include data confidentiality, Remainder Theorem, Factorization, modular square root, integrity, non-repudiation, and authentication.
    [Show full text]