Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h (x) Alice K Bob K hK = “Attack at Dawn!!” Message Digest h K Message unsecure channel K “Attack at Dawn!!” MACs allow Bob to be certain that • the message has originated from Alice • the message was not tampered during communication MAC cannot • prevent Bob from creating forgeries (i.e., messages in the name of Alice) • cannot prove Authenticity to someone without sharing the secret key K Digital Signatures solve both these problems CR 2 Digital Signatures • A token sent along with the message that achieves – Authentication – Non-repudiation – Integrity • Based on public key cryptography CR 3 Public key Certificates TA Important application of digital signatures Bob’s Certificate{ Bob’s public key in plaintext Signature of the certifying authority other information } To communicate with Bob, Alice gets his public key from a trusted authority (TA) A trusted authority could be a Government agency, Verisign, etc. A signature from the TA, ensures that the public key is authentic. CR 4 Digital Signature Alice y = digital signature Alice’s sig Everyone Else Private Key K TRUE / FALSE (x, y) ver Alice’s unsecure channel K Message Public Key x = “Attack at Dawn!!” Signing Function Verifying Function y = sig a(x) ver b(x, y) Input : Message (x) and Alice’s private key Input : digital signature, message Output: Digital Signature of Message Output : true or false true if signature valid false otherwise CR 5 Digital Signatures (Formally) CR 6 Forgery Mallory digital signature Everyone Else Forgery TRUE Algorithm (x, y) ver Alice’s unsecure channel K Public Key If Mallory can create a valid digital signature such that ver K(x, y) = TRUE for a message not previously signed by Alice, then the pair (x, y) forms a forgery CR 7 Security Models for Digital Signatures Assumptions Goals of Attacker • Total break: Mallory can determine Alice’s private key (therefore can generate any number of signed messages) Level Difficulty • Selective forgery: Given a message x, Mallory can determine y, such that (x, y) is a valid signature from Alice • Existential forgery: Mallory is able to create y for some x, such that (x, y) is a valid signature from Alice CR 8 Security Models for Digital Signatures Assumptions Goals of Attacker Weak • Key-only attack : Mallory only has Alice’s public key (i.e. only has access to the verification function, ver ) • Known -message attack : Mallory only has a list of messages signed by Alice (x 1, y 1), (x 2, y 2), (x 3, y 3), (x 4, y 4), ….. • Chosen-message attack : Mallory chooses messages x 1, x 2, x 3, …….. and tricks Alice into providing the corresponding signatures y1, y 2, y 3 (resp.) Strong CR 9 First Attempt making a digital signature (using RSA) b,n public a, p,q private n = pq; a ≡ b-1modϕ(n) sig(x){ ver(x, y){ a y ≡ x mod n (x, y) if (x ≡ yb mod n) return TRUE return (x, y) else return FALSE } } x is the message here and (x, y) the signature CR 10 A Forgery for the RSA signature (First Forgery) b,n public a, p,q private n = pq; a ≡ b-1modϕ(n) sig(x){ verK (x, y){ a y ≡ x mod n (x, y) if (x ≡ yb mod n) return TRUE return (x, y) else return FALSE } } forgery(){ select a random y Key only, existential forgery compute x ≡ yb mod n return (x, y) } CR 11 Second Forgery Suppose Alice creates signatures of two messages x 1 and x 2 a y1 = sig(x1) → y1 ≡ x1 mod n (x1, y1) a y2 = sig(x2 ) → y2 ≡ x2 mod n (x2 , y2 ) Mallory can use the multiplicative property of RSA to create a forgery Known message, existential forgery (x1x2 mod n, y1 y2 mod n) is a forgery y y ≡ xa xa mod n 1 2 1 2 CR 12 RSA Digital Signatures Incorporate a hash function in the scheme to prevent forgery b,n public a, p,q private sig(x){ verK (x, y){ z = h(x) z = h(x) a (x, y) y ≡ z mod n if (z ≡ yb mod n) return TRUE return (x, y) else return FALSE } } x is the message here, (x, y) the signature and h is a hash function CR 13 How does the hash function help? Preventing the First Forgery forgery(){ select a random y compute z'≡ yb mod n compute I st preimage: x st. z'= h(x) return (x, y) } Forgery becomes equivalent to the first preimage attack on the hash function CR 14 How does the hash function help? Preventing the Second Forgery (x1x2 mod n, y1 y2 mod n) is difficult a a y1 y2 ≡ h(x1) h(x2 ) mod n a a ≡ x1 x2 mod n creating such a forgery is unlikely CR 15 How does the hash function help? Another Forgery prevented forgery(x, y){ compute h(x) compute II nd preimage: find x' ts .. h(x) = h(x )' and x ≠ x' return (x ,' y) } Given a valid signature (x,y) find (x’,y) creating such a forgery is equivalent to solving the 2 nd preimage problem of the hash functionw CR 16 ElGamal Signature Scheme • 1985 • Variant adopted by NIST as the DSA (DSA: standard for digital signature algorithm) • Based on the difficult of the discrete log problem CR 17 ElGamal Signing Initialization Choose a large prime p * Let α ∈ Z p bea primitive element Choose a 0( < a ≤ p − )1 Compute β ≡ α a mod p Public Parameters : p, α, β Private key : a Signing Message x sig(x){ select a secret random k ts .. gcd(k, p − )1 =1 The use of a random secret k for every γ ≡ α k mod p signature makes ElGamal non-deterministic δ ≡ (x − aγ )k −1 mod p −1 y =(,γ δ ) return(,x y) } CR 18 ElGamal Verifying Initialization Choose a large prime p * Let α ∈ Z p bea primitive element Choose a 0( < a ≤ p − )1 Compute β ≡ α a mod p Public Parameters : p, α, β Private key : a Verifying Signature (x,y) ver x γ ,(,( δ )){ x compute t1 ≡ α mod p γ δ compute t2 ≡ β γ mod p if (t1 = t2 ) return TRUE else return FALSE } CR 19 ElGamal Correctness Initialization Choose a large prime p Signing Message x * Let α ∈ Z p bea primitive element Verifying Signature (x,y) sig(x){ Choose a 0( < a ≤ p − )1 ver(,(,x γ δ )){ select a secret random k a x Compute β ≡ α mod p compute t1 ≡ α mod p k γ ≡ α mod p γ δ compute t2 ≡ β γ mod p δ ≡ (x − aγ )k −1 mod p −1 Public Parameters : p, α, β if (t1 = t2 ) return TRUE y = (γ ,δ ) Private key : a else return FALSE return(,x y) } } First note that correctness aγ + kδ ≡ x mod( p − )1 if the signature is valid, t 1 = t 2 γ δ x t2 ≡ β γ mod p t1 ≡ α mod p ≡(α a )γ + (α k )δ mod p ≡ α aγ +kδ mod p ≡ α x mod p CR 20 Example p = 467 α = 2 a =127 β ≡ α a mod p = 2127 mod 467 Signature of message x = 100 =132 k = 213 (chosen randomly) k −1 mod p −1 = 431 Verifying γ = α k mod p β γ γ δ mod p =132292951 mod 467 =189 = 2213 mod 467 α x mod p = 2100 mod p =189 = 29 TRUE δ = (x − aγ )k −1 mod p −1 = (100 − 2⋅29)431mod 466 = 51 CR 21 Security of ElGamal Signature Scheme (against Selective forgery) Given an x, Mallory needs to find(γ ,δ ) such that ver(x (, γ ,δ )) = TRUE Attempt 1 γ δ x Choose a value for γ , then try to compute δ ts .. β γ ≡ α mod p This is the intractable x −γ δ = logγα β discrete log problem Attempt 2 Choose a value for δ , then try to compute γ ts .. β γ γ δ ≡ α x mod p This is not related to the discrete log problem. There is no known solution for this. Attempt 3 Choose value for γ andδ simultaneously, ts .. β γ γ δ ≡ α x mod p No way known. CR 22 Security of ElGamal Signature Scheme (against Existential forgery) Mallory needs to findan (x, (γ ,δ )) such that ver(x (, γ ,δ )) = TRUE The one-parameter forgery choose some i 0( ≤ i ≤ p − 2). form γ ≡ α i β mod p δ ≡ −γ mod(p −1) x ≡ iδ mod(p −1). forgery forgery then, ver(x (, γ ,δ )) = TRUE α x ≡ β γ γ δ mod p RHS ≡ β γ (α i β )δ mod p ≡ β γ +δα iδ mod p ≡ α aγ +aδα iδ mod p aγ −aγ +iδ proof ≡ α mod p ≡ α iδ mod p ≡ α x mod p = LHS CR 23 Security of ElGamal Signature Scheme (against Existential forgery) Mallory needs to findan (x, (γ ,δ )) such that ver(x (, γ ,δ )) = TRUE The two-parameter forgery choose some i, j (0 ≤ i, j ≤ p − 2; gcd( j, p −1) =1). form γ ≡ α i β j mod p δ ≡ −γj −1 mod( p − )1 −1 forgery x ≡ γij mod( p − ).1 then, ver(x (, γ ,δ )) = TRUE Prevent Existential Forgeries by hashing the message CR 24 Improper use of ElGamal’s Signature Scheme 1. What if k is not a secret? sig(x){ if gcd(γ , p − )1 =1 then select a secret random k γ ≡ α k mod p secret a can be computedas follows δ ≡ (x − aγ )k −1 mod p −1 −1 a = (x − kδ )γ mod( p −1).