SIGNATURE SCHEMES IN SINGLE AND MULTI-USER SETTINGS

by Viktória I. Villányi

A Dissertation Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Florida Atlantic University
Boca Raton, Florida
August 2009

This dissertation was prepared under the direction of the candidate's dissertation advisor, Dr. Rainer Steinwandt, Department of Mathematical Sciences, and has been approved by the members of her supervisory committee. It was submitted to the faculty of the Charles E. Schmidt College of Science and was accepted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

SUPERVISORY COMMITTEE:
Rainer Steinwandt, Ph.D., Dissertation Advisor
Stephen C. Locke, Ph.D.
Ronald C. Mullin, Ph.D.
Lee Klingler, Ph.D.
Fred Richman, Ph.D.
...matical Sciences
Dean, The Charles E. Schmidt College of Science
Barry T. Rosson, Ph.D., Dean, Graduate College
Date

Acknowledgements

I would like to say thank you to all those who were on my side and made it possible for me to finish my studies and write my dissertation.

First of all I would like to say thank you to my supervisor, Rainer Steinwandt, who is the most important person in the existence of this thesis. I will spend the rest of my life in deep debt to him. He happily accepted me as his student in 2005 when he joined the department. Since I met him, and he has been supervising me, my research developed very quickly. Thank you for guiding me, helping me and keeping my interest. I hope we will keep in touch and continue to work together in the future; otherwise I would miss you terribly.

I would like to say a special big thank you to Stephen Locke and his wife, Joanne Thomson Locke, who were with me when I had the hardest time in my life. I would like to say a big thank you to Robert Fullér, Ron Mullin and Bart Preneel for supporting my scientific career.
I would like to say thank you to our former Chair, Spyros Magliveras, and our Chair, Lee Klingler, for their help. I have to say thank you also to the Student Government for my son Matthew’s tuition waiver. I could never have financially managed being a single mom and a full time student. It is hard to express how challenging it would have been to manage our lives from my scholarship, alone.

Thank you to all of my friends with whom I shared time and a bit of life. Thank you to Vladimir Božović, Basak Ay, Nicola Pace, Kenneth Mattheis, Nidhi Singhi, Marcella Chiorescu, Mary Hopkins (without Mary’s and Rainer’s help with LaTeX, this dissertation would have never existed), for being my friends and for listening and answering my never ending complaints.

Thank you to my parents, who raised me and emphasized the importance of thinking and solving problems. Thank you to my Dad, József, for teaching me how to play (basic) chess when I was 3 years old, giving me the world famous magic (Rubik) cube, and buying my first computer (ZX81) when I was 8 years old. Thank you to my Mom, Hajnalka, for having the patience to raise me and teach me to read and write. Thank you to my brother, Zoltán, for the hours we spent together when we were children, and thank you for being my best friend now.

Thank you to my son, Máté, for giving me the chance to be his mom, which made me strong and able to pursue my goals. Sorry for the hours that I couldn’t spend with you because I had to work on my Ph.D. Thank you for all the love and support that you give me every single day.

Abstract

Author: Viktória I. Villányi
Title: Signature Schemes in Single and Multi-User Settings
Institution: Florida Atlantic University
Dissertation advisor: Dr. Rainer Steinwandt
Degree: Doctor of Philosophy
Year: 2009

In the first chapters we will give a short introduction to signature schemes in single and multi-user settings.
We give the definition of a signature scheme and explain a group of possible attacks on them.

In Chapter 6 we give a construction which derives a subliminal-free RSA public key. In the construction we use a computationally binding and unconditionally hiding commitment scheme. To establish a subliminal-free RSA modulus n, we have to construct the secret primes p and q. To prove p and q are primes we use Lehmann’s primality test on the commitments. The chapter is based on the paper “RSA signature schemes with subliminal-free public key” (Tatra Mountains Mathematical Publications 41 (2008)).

In Chapter 7 a one-time signature scheme using run-length encoding is presented, which in the random oracle model offers security against chosen-message attacks. For parameters of interest, the proposed scheme enables about 33% faster verification with a comparable signature size than a construction of Merkle and Winternitz. The public key size remains unchanged (1 hash value). The main cost for the faster verification is an increase in the time required for signing messages and for key generation. The chapter is based on the paper “A one-time signature using run-length encoding” (Information Processing Letters Vol. 108, Issue 4, (2008)).

This manuscript is dedicated to my son, Matthew B. Szemes, who has spent all his life with a full-time student mom.

Contents

1 Introduction to digital signature schemes
    1.1 Preliminaries
    1.2 Defining security of a family of hash functions
2 The necessary assumptions
    2.1 The assumptions
3 Signature schemes in a single-user setting
    3.1 Preliminaries
    3.2.1 Attacks on signature schemes in a single-user setting
    3.2.2 Subliminal channels in the signature
4 Signature schemes in a multi-user setting
    4.1 Preliminaries
    4.3 Attacks on signature schemes in a multi-user setting
    4.3.1 Key substitution attacks
5 RSA cryptosystem and signature schemes
    5.2 RSA cryptosystem
    5.4 RSA signature scheme
6 Subliminal channels in the RSA public verification key
    6.1 Preliminaries
    6.2 Set up definitions
    6.5 Commitment scheme
    6.6 The basic setup of a subliminal-free public key construction
    6.7 The details of the construction
    6.8 Proof of subliminal-freeness
    6.8.1 Subliminal-freeness of our RSA-PSS
    6.9 The size of the proof
    6.10 Detailed protocols
    6.11 The estimation with chosen parameters
7 One-time signature schemes
    7.1 Introduction to one-time signature schemes
    7.2 The Lamport signature scheme
    7.2.1 Number of hash function evaluations
    7.2.2 Length of the public key and the signature
    7.3 The Merkle one-time signature scheme
    7.3.1 Number of hash function evaluations
    7.3.2 Length of the public key and the signature
    7.4 One-time signature scheme called HORS
    7.4.1 Number of hash function evaluations
    7.4.2 Length of the public key and the signature
    7.5 The Merkle-Winternitz one-time signature scheme
    7.6 Our scheme with faster verification
    7.6.1 Key generation
    7.6.2 Signature generation
    7.7.1 Signature verification
    7.7.2 Correctness and security
    7.8 Performance for parameters of interest
    7.9 Summary of our one-time signature scheme
    7.10 Combining one-time signatures
    7.10.1 Hash chain
    7.10.2 Merkle hash tree
    7.10.3 Improved Merkle signature scheme
8 Summary

Chapter 1
Introduction to digital signature schemes

1.1 Preliminaries

In [DH76] Diffie and Hellman introduced the concept of a “digital signature”. They formulated the properties that a digital signature scheme has to satisfy in order to be able to substitute for handwritten signatures. No longer is there a need for the parties to meet and sign the contract or establish a secure communication channel to share their keys and delay the communication.
The digital signature scheme must satisfy the following requirements: every user should be able to verify a given signature but it must not be possible for anybody to forge the signature. The proposed cryptosystems, based on trapdoors, are good candidates for digital signature schemes. We present the suggestion of Diffie and Hellman from [DH76].

Example 1. A public key cryptosystem is a pair of families $\{E_K\}_{K \in \mathcal{K}}$ and $\{D_K\}_{K \in \mathcal{K}}$ of algorithms representing invertible transformations, where $\mathcal{K}$ is the key space,

    $E_K : \mathcal{M} \to \mathcal{M}$
    $D_K : \mathcal{M} \to \mathcal{M}$

on a finite message space $\mathcal{M}$, such that

1) for every $K \in \mathcal{K}$, $E_K$ is the inverse of $D_K$,
2) for every $K \in \mathcal{K}$ and $M \in \mathcal{M}$, the algorithms $E_K$ and $D_K$ are easy to compute,
3) for almost every $K \in \mathcal{K}$, each easily computed algorithm equivalent to $D_K$ is computationally infeasible to derive from $E_K$,
4) for every $K \in \mathcal{K}$, it is feasible to compute inverse pairs $E_K$ and $D_K$ from $K$.

The public key cryptosystem can be used to obtain a digital signature scheme. A’s signature on the message $M$ is $D_A(M)$, where $D_A$ is the secret deciphering key of A.
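As an added illustration (not part of the dissertation), the sketch below instantiates Example 1 with textbook RSA on a toy modulus: E_K and D_K are checked to be inverse permutations of the message space {0, ..., n-1}, and A's signature on M is D_A(M), which anyone verifies by applying the public E_A. The primes, exponent and messages are constructed sample values, and all function names are assumptions of this example.

```python
# Added example, not from the dissertation: textbook RSA as one instance of
# the pair (E_K, D_K) from Example 1. All numeric values are constructed toys.
from math import gcd


def keygen(p, q, e):
    """Property 4: compute the inverse pair (E_K, D_K) from K = (p, q, e)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo lcm(p-1, q-1)")
    return (n, e), (n, pow(e, -1, lam))  # public E_K, secret D_K


def E(pub, m):
    """Public transformation E_K : M -> M on M = {0, ..., n-1}."""
    n, e = pub
    return pow(m, e, n)


def D(priv, c):
    """Secret transformation D_K : M -> M; rejects inputs outside M."""
    n, d = priv
    if not 0 <= c < n:
        raise ValueError("input is not in the message space")
    return pow(c, d, n)


def is_inverse_pair(pub, priv):
    """Property 1, checked exhaustively over the (tiny) message space."""
    return all(E(pub, D(priv, m)) == m for m in range(pub[0]))


def sign(priv_a, m):
    """A's signature on M is D_A(M)."""
    return D(priv_a, m)


def verify(pub_a, m, sig):
    """Anyone holding the public E_A accepts iff E_A(sig) == M."""
    return 0 <= sig < pub_a[0] and E(pub_a, sig) == m


PUB_A, PRIV_A = keygen(61, 53, 17)  # constructed toy key for user A

if __name__ == "__main__":
    sig = sign(PRIV_A, 1234)
    print(is_inverse_pair(PUB_A, PRIV_A))  # E_A and D_A are inverse on all of M
    print(verify(PUB_A, 1234, sig))        # genuine signature
    print(verify(PUB_A, 1235, sig))        # same signature, altered message
```

Because E_A is a permutation of the message space, a signature produced for one message cannot verify for any other message under the same key, which is what the last check shows.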