
Digital Signature Schemes Based on LFSR Sequences

Guang Gong
Department of Electrical & Computer Engineering
University of Waterloo, CANADA

Presentation Outline

- Overview of Digital Signature Schemes
- Characteristic Sequences over GF(q) of Degree n and Commutative Law
- Digital Signature Schemes Based on Characteristic Sequences and the Trace-Discrete-Logarithm
- Efficient Digital Signature Schemes Based on the Sequences for n = 3 and n = 5
- Related work: LUC, XTR and Torus-Based Cryptography

@ G. Gong Bergen'04

Overview of Digital Signature Schemes

- Basics of Public-key Cryptography
- RSA Encryption and Digital Signature
- ElGamal Digital Signature and DSS (Digital Signature Standard)
- ECDSA (Elliptic Curve Digital Signature Algorithm)

[Figure: Simplified Model of Public-Key Encryption. Alice encrypts the plaintext with Bob's public key (encryption algorithm); Bob decrypts the ciphertext with his private key (decryption algorithm).]

Requirements of Public-key Cryptography

- One-way function: computing $x \to f(x)$ is easy; the reverse direction is infeasible.
- Trapdoor one-way function: computing $x \to f_k(x)$ is easy; the reverse direction is infeasible if k is not known, and easy if k is known.

Therefore, the security of public-key cryptosystems is based on the difficulty of different computational problems. The most important ones are:

- Factoring large integers
- Finite field discrete logarithms
- Elliptic curve discrete logarithms

Key pairs of the public-key system

In a secure network system, each user x has a pair of keys $(E_x, D_x)$:

- $E_x$ is an encryption key which is put into a public key directory or a file (after being certified), called the public key of the user.
- $D_x$ is a decryption key kept private, called the private key of the user.
- $D_x(E_x) = E_x(D_x)$ = identity map.
- From a known $E_x$, it is computationally infeasible to obtain $D_x$.

Alice sends $C = E_b(m)$ to Bob. Bob: $D_b(C) = D_b E_b(m) = m$.

Requirements of Digital Signatures

- Everyone can verify digital signatures.
- Only the signer can sign; no one can forge the signer's signature (this prevents forgery and denial attacks).
- Once a dispute occurs, a third party can solve it.

RSA Digital Signature Algorithm (RSA-DSA)

Signer:
- Select p and q, both prime; $n = pq$; e with $\gcd(e, \varphi(n)) = 1$, $1 < e < \varphi(n)$. Compute $d = e^{-1} \bmod \varphi(n)$. Public key: {e, n}. Private key: {d, p, q}.
- h(.): a hash function (e.g. SHA-1)

Signer:
- Computes h(m) and $r = h(m)^d \bmod n$.
- r is a digital signature of the message m.

Verifier:
- Computes $r^e \bmod n$.
- Checks whether $r^e = h(m)$ (1).
- If (1) is true, accepts r as a valid signature. Otherwise, rejects it.

Remark: Most frequently used in wireless communications, since e can be chosen as 3, which greatly reduces the cost of the verification process.

ElGamal Digital Signature Algorithm (1985) and Digital Signature Standard (DSS) (NIST, 1994)

- System public keys: p, a prime; Q, a factor of p - 1; g, an element in GF(p) with order Q
- h(.): a hash function
- Signer, private key: $0 < x < Q$ with $\gcd(x, Q) = 1$; public key: $y = g^x$.

Signing:
- Randomly picks k, $0 < k < Q - 1$, coprime with Q (per message).
- Computes $r = g^k$.
- Solves for t in the equation $h(m) \equiv xr + kt \pmod{Q}$.
- (r, t) is a digital signature of the message m.

Verifying:
- Sets $u = h(m)\,t^{-1} \bmod Q$ and $v = -r\,t^{-1} \bmod Q$.
- Computes $w = g^u y^v$.
- Checks whether $w = r$ (1).
- If (1) is true, accept (r, t) as a valid signature. Otherwise, reject it.

In ElGamal, Q = p - 1, and in DSS, Q is a 160-bit number.

In the elliptic curve digital signature algorithm (EC-DSA), g is replaced by a point on an elliptic curve, and the multiplicative group of GF(p) is replaced by an additive group of points on the curve. But the signing equation and all the procedures are preserved.
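The ElGamal/DSS signing and verifying steps above, as an added example that is not part of the original slides. The toy parameters p = 2039, Q = 1019, g = 4 are constructed for illustration, SHA-256 stands in for h, and the function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): p = 2Q + 1, g of order Q.
P, Q, G = 2039, 1019, 4

def h(message: bytes) -> int:
    """Hash to an exponent mod Q (SHA-256 is this example's choice of h)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 0 < x < Q
    return x, pow(G, x, P)                    # public key y = g^x

def sign(message: bytes, x: int):
    while True:
        k = secrets.randbelow(Q - 2) + 1      # fresh secret per message, 0 < k < Q - 1
        r = pow(G, k, P)                      # r = g^k
        # Solve h(m) = x*r + k*t (mod Q) for t.
        t = (h(message) - x * r) * pow(k, -1, Q) % Q
        if t != 0:                            # t must be invertible for verification
            return r, t

def verify(message: bytes, sig, y: int) -> bool:
    r, t = sig
    if not (0 < r < P and 0 < t < Q):         # reject out-of-range values first
        return False
    t_inv = pow(t, -1, Q)
    u = h(message) * t_inv % Q                # u = h(m) t^-1 mod Q
    v = -r * t_inv % Q                        # v = -r t^-1 mod Q
    w = pow(G, u, P) * pow(y, v, P) % P       # w = g^u y^v
    return w == r                             # accept iff w = r
```

Verification succeeds because $g^u y^v = g^{(h(m) - xr)t^{-1}} = g^{k}$, which is exactly the signing equation solved for k.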
[Figure: ElGamal and DSS Signing Process. The message m is hashed and signed with the private key x (public key $y = g^x$) and a secret number k per message ($r = g^k$), giving the signature (r, s).]

[Figure: ElGamal and DSS Verifying Process. Inputs: the hash of the message m, the signature (r, s), and the public key $y = g^x$.]

Security of the ElGamal-like Signature Scheme

Consider

$m \equiv xr + ks \pmod{p - 1}$ (1)

If the attacker can solve $y = g^x$ for x, then he can forge any signature, since in (1) he can pick k to compute r and therefore obtain s. Thus the security of the ElGamal digital signature algorithm is based on the difficulty of solving the discrete log problem in $F_p$.

Remark: The signing equation (1) can be changed to other forms. We will refer to all signature schemes using the ElGamal procedure with a different signing equation, or a different group, or a different order of g, as ElGamal-like signature schemes.

Characteristic Sequences over GF(q) of Degree n and Commutative Law

- Let q be a prime or a power of a prime, and let
  $f(x) = x^n - a_{n-1}x^{n-1} + a_{n-2}x^{n-2} - \cdots + (-1)^{n-1}a_1 x + (-1)^n, \quad a_i \in GF(q),$
  be irreducible over GF(q) with order Q, and let $\alpha$ be a root of f(x) in the extension $GF(q^n)$.
- A sequence $s = \{s_k\}$ is said to be an LFSR sequence generated by f(x) if
  $s_{k+n} = a_{n-1}s_{k+n-1} - a_{n-2}s_{k+n-2} + \cdots + (-1)^{n-2}a_1 s_{k+1} + (-1)^{n-1}s_k, \quad k = 0, 1, \ldots$
- If an initial state of $\{s_k\}$ is given by $s_k = Tr(\alpha^k)$, $k = 0, 1, \ldots, n-1$, then $\{s_k\}$ is called an (nth-order) characteristic sequence. We denote $s_k = s_k(f)$, $k = 0, 1, \ldots$.

Characteristic Sequences of Degree 3

- Let q be a prime or a power of a prime and let $f(x) = x^3 - ax^2 + bx - 1$, $a, b \in GF(q)$, be irreducible over GF(q).
- A sequence $\{s_k\}$ is said to be an LFSR sequence generated by f(x) if
  $s_{k+3} = a s_{k+2} - b s_{k+1} + s_k, \quad k = 0, 1, \ldots$
- If an initial state of $\{s_k\}$ is given by $s_0 = 3$, $s_1 = a$, and $s_2 = a^2 - 2b$, then $\{s_k\}$ is called a (3rd-order) characteristic sequence.

Example 1. Let K = GF(5), r = 3 and $f(x) = x^3 + x - 1$, which is irreducible over K. The characteristic sequence generated by f(x) is

3 0 3 3 2 0 1 2 4 4 3 0 1 3 4 3 4 1 4 3 2 1 1 1 0 0 1 0 4 1 1 ...

which has period $31 = 5^2 + 5 + 1$. The reciprocal polynomial of f(x) is $f^{-1}(x) = x^3 - x^2 - 1$.

[Figure 2. A Pair of the Reciprocal LFSRs in Example 1]

[Figure: One period of the LFSR $f(x) = x^3 + x - 1$ and its reciprocal]

Profiles of nth-order Characteristic Sequences

- Period: a factor of $q^{n-1} + \cdots + q + 1$.
- Trace representation: $s_k = Tr(\alpha^k) = \alpha^k + \alpha^{kq} + \cdots + \alpha^{kq^{n-1}}, \quad k = 0, 1, \ldots$
- For any two positive integers k and e, let $f_k(x)$ be the minimal polynomial of $\alpha^k$ over GF(q). Then
  $s_e(f_k) = s_{ek}(f) = s_k(f_e),$
  which is called the commutative law of the characteristic sequences.
- Let $f_k(x) = x^n - a_{n-1,k}x^{n-1} + \cdots + (-1)^{n-1}a_{1,k}x + (-1)^n$. Then $s_k = a_{n-1,k}$ and $s_{-k} = a_{1,k}$.

State Transition of LFSR Sequences

[Figure: n-stage LFSR with stages $s_{n-1}, \ldots, s_1, s_0$ and feedback $a_{n-1}x_{n-1} + \cdots + (-1)^{n-2}a_1 x_1 + (-1)^{n-1}x_0$]

- Let $\{s_k\}$ be generated by f(x).
- State vector: $\mathbf{s}_j = (s_j, s_{j+1}, \ldots, s_{j+n-1})$
- State transition matrix: Let

  $M(j) = \begin{pmatrix} \mathbf{s}_j \\ \mathbf{s}_{j+1} \\ \vdots \\ \mathbf{s}_{j+n-1} \end{pmatrix}, \qquad A = \begin{pmatrix} 0 & 0 & \cdots & 0 & (-1)^{n-1} \\ 1 & 0 & \cdots & 0 & (-1)^{n-2}a_1 \\ 0 & 1 & \cdots & 0 & (-1)^{n-3}a_2 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & 1 & a_{n-1} \end{pmatrix}$

State transition formulas:

$\mathbf{s}_j = (s_{j-1}, s_j, \ldots, s_{j+n-2})A = \cdots = (s_0, s_1, \ldots, s_{n-1})A^j$

Property 1. $\mathbf{s}_{v+j} = \mathbf{s}_v\,(M(0)^{-1}M(j))$. Therefore, the (v+j)th term, $s_{v+j}$, is the inner product of $\mathbf{s}_v$ and the first column of $M(0)^{-1}M(j)$.

Motivation of the LFSR based public-key cryptography

- Develop a PKC whose security is based on the difficulty of solving the discrete logarithm (DL) in $GF(q^n)$, but where all computations are performed in GF(q).

One important issue needs to be solved: a fast computation algorithm for evaluating $s_k$, the kth term of the sequence.
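The third-order recurrence, Example 1, the commutative law and the state-transition formula above, checked numerically in an added example that is not part of the original slides. The function names are this example's own, and `term` uses plain square-and-multiply on the matrix A, which is one way to evaluate $s_k$ in O(log k) matrix products and not necessarily the algorithm the talk goes on to present.

```python
def char_seq(a, b, q, length):
    """First `length` terms of the 3rd-order characteristic sequence of
    f(x) = x^3 - a x^2 + b x - 1 over GF(q), q prime."""
    s = [3 % q, a % q, (a * a - 2 * b) % q]      # s_0 = 3, s_1 = a, s_2 = a^2 - 2b
    while len(s) < length:
        s.append((a * s[-1] - b * s[-2] + s[-3]) % q)
    return s[:length]

def mat_mul(X, Y, q):
    """3x3 matrix product over GF(q)."""
    return [[sum(X[i][t] * Y[t][j] for t in range(3)) % q for j in range(3)]
            for i in range(3)]

def term(a, b, q, k):
    """s_k via the state transition (s_k, s_{k+1}, s_{k+2}) = (s_0, s_1, s_2) A^k."""
    A = [[0, 0, 1], [1, 0, -b % q], [0, 1, a % q]]   # matrix A for n = 3
    R = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
    while k:                                         # square-and-multiply on A
        if k & 1:
            R = mat_mul(R, A, q)
        A = mat_mul(A, A, q)
        k >>= 1
    s0 = char_seq(a, b, q, 3)
    return sum(s0[i] * R[i][0] for i in range(3)) % q  # first component of s_0 A^k

def commutative_law_holds(a, b, q, period, k, e):
    """Check s_e(f_k) = s_{ek}(f), where f_k(x) = x^3 - s_k x^2 + s_{-k} x - 1."""
    s_k = term(a, b, q, k % period)
    s_neg_k = term(a, b, q, -k % period)
    return term(s_k, s_neg_k, q, e) == term(a, b, q, (e * k) % period)

# Example 1 from the slides: f(x) = x^3 + x - 1 over GF(5), i.e. a = 0, b = 1.
EXAMPLE_1 = char_seq(0, 1, 5, 31)
```

Only $s_k$ and $s_{-k}$ are needed to rebuild $f_k$, so both sides of the commutative law are computed entirely in GF(q), which is the property the motivation slide relies on.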