Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!. 4/26 Digital Signatures: Definition *8B<1<#<&N 12.1 3 :digital; signature scheme is a triple of ??T algorithms :Gen( 7ig( =rfy; su!h that: 1. #he key9generation algorithm Cen takes as inp$t the se!$rity parameter 1n and o$tputs a pair of keys :pk( sk; :we assume that pk and sk ha>e length n and that n !an 6e inferred from pk or sk;. 2. The signing algorithm 7ig takes as inp$t a pri>ate key sk and a message m from some message space M. It o$tp$ts a signature D( and we write this as D ← 7igsk:m;. 3. The deterministi! >erification algorithm =rfy takes as inp$t a pu6li! key ?k( a message m( and a signat$re D. It o$tp$ts a 6it 6 with 6,1 meaning >alid and 6,0 meaning in>alid. We write this as 6 :, =rfypk:m( D;. <t is reA$ired that( e+!ept possi6ly with negligi6le pro6ability o>er :pk( sk; ← Gen:1n;( we ha>e =rfypk:m( 7igsk:m;; , 1 for any message m ∈ M. 6/26 Some #emar$s on the De!nition ● The signing algorithm – may be deterministic or pro6a6ilistic – may be stateful or stateless (latter is the norm) ● The deterministi! >erifi!ation algorithm may 6e perfe!tly !orre!t :never fails) or may fail with negligi6le pro6ability ● 8>ery instan!e has an asso!iated message spa!e M :whi!h we assume to 6e impli!itly defined when seeing the p$bli! key; – <f there is a f$nction k s$!h that the message spa!e is {2( 1Gk(n; (with n 6eing the se!urity parameter;( then the signat$re scheme s$pports message length k(n; – We will later see how we can generically !onstr$!t signat$res schemes for ar6itrary message spa!es from any scheme that s$pports message length k(n; //26 %ormal Security &otions 'or Digital Signatures ● 3tta!k model :in!reasing strength; – 1o9message attack (NMA): Ad>ersary only sees p$6lic key – Handom message atta!k :HMA): Ad>ersary !an o6tain signatures for random messages (not in the !ontrol of the adversary; – 1on9adaptive chosen message attack (naCM3;: Adversary defines a list of messages for which it wants to o6tain signatures (before it sees the p$6lic key; – Chosen message attack (CMA): Ad>ersary !an adaptively ask for signat$res on messages of its choice 8/26 %ormal Security &otions 'or Digital Signatures ● Coal of an ad>ersary :de!reasing hardness) – 'niversal forgery (UB;: Adversary is given a target message for which it needs to o$tp$t a valid signat$re – 8xistential forgery (EB): Ad>ersary outputs a signat$re for a message of the adversaryIs !hoice ● 7ec$rity notion: atta!k model J goal of the ad>ersary ● Bor s!hemes $sed in practi!e: 3d>ersary !an not even a!hieve the weakest goal in the strongest atta!k model – 8'B9CM3: existential unforgea6ility under !hosen message atta!ks 0/26 ()%*CMA Security 3 signat$re scheme scheme K , :Cen( 7ig( =rfy) is existentially $nforgeabily $nder !hosen message attacks :8'B9CM3; se!$re( if for all ??T ad>ersaries A there is a negligi6le f$n!tion negl s.t. e$f9!ma ≤ ?rL7ig9forgeA,K:n;,1] negl:n; . 12/26 Some #emar$s on the De!nition ● &ne-time >s. many9time signat$res – #he num6er of queries to the ora!le may 6e limited, i.e.( only a single Auery is allowed vs. ar6itrary many are allowed ● Weak >s. strong $nforgea6ility – <n !ase of strong unforgea6ility the ad>ersary wins if it o$tputs a >alid signat$re even for a queried message( 6ut the signature differs from the one o6tained from the oracle ● &racle Q records (mi(Di; and winning !ondition is: :mN(DN; ∉ Q ● Not achie>able for re-randomiOable signature s!hemes – We consider only standard :weak; unforgea6ility 11/26 #S Signatures ● %eyGen: &n inp$t 1n pi!k two random n96it primes p(A( set N , pA( pi!k e s.t. g!d(e( P:1;; , 1, !omp$te d :, eQ1 mod P:1; o$tp$t :sk( pk; :, ::d ( N ;( :e (1;; ● 7ign: &n inp$t m ∈ Z1N and sk , :d, 1;( !omp$te and o$tput D :, md mod N ● =rfy: &n inp$t a p$6li! key pk , :e( 1;( a message m ∈ Z1N and a signature σ ∈ Z1N o$tp$t 1 if and only if m :, De mod 1 12/26 #S Signatures ● #o forge signature of a message m( the adversary( gi>en 1( e 6$t not d( m$st !ompute md mod 1( meaning in>ert the H73 f$n!tion at m. ● @$t H73 is one9way so this task sho$ld 6e hard and the scheme sho$ld 6e se!$re. Corre!t? ● &f !o$rse not… ● No9message attacks 1; &utp$t forgery (mN( DN) :, :1( 1). Valid since 1d = 1 mod 1 e 2) Choose D ∈ Z1* and !ompute m :, D mod N ● 8'B9CM3 atta!k – Ask signat$res D1( D2 for m1(m2 ∈ Z1* and o$tp$t :mN( DN; :, :m1 S m2 mod N( D1 S D2 mod N; 8>en if it wo$ld 6e sec$re( a message spa!e of Z1N is not desirable! 13/26 Extending the Message Space ● @lock9wise signing – Consider m :, :m1(R( mn; with mi ∈ M and !ompute D :, :D1(R( Dn; – 1eed to take !are to a>oid mix9and9match attacks :6lo!k reordering( e+changing blo!ks from different signatures( et!.; – <neffi!ient for large messages :one in>o!ation of the scheme per block; ● Hash9and9sign – Compress arbitrarily long message before signing 6y hashing them to a fi+ed length string $sing a hash f$n!tion – #he range of needs to be !ompatible with the message spa!e of the signat$re scheme 14/26 ,ash*and*Sign Paradigm (Construction 1./3) ● )et K , :Cen( 7ign( =rfy; 6e a signature s!heme for messages of length k:n;( and let Γ , :Cen ( ; 6e a hash f$n!tion with o$tp$t length k:n;. Constru!t signature scheme KI , :GenI ( 7ignI ( =rfy’; as follows: – n n n CenI: on inp$t 1 ( run Gen:1 ; to o6tain :pk( sk; and run Cen :1 ; to obtain s; the pu6li! key is :pk( s; and the pri>ate key is :sk( s;. – 7ignI: on inp$t a pri>ate key :sk( s; and a message m ∈ F2( 1}* ( o$tp$t σ E 7ignsk: :s, m;;. – =rfy’: on input a p$6li! key :pk( s;( a message m ∈ F2( 1}*, and a signat$re D( o$tp$t 1 if and only if =rfypk: :s, m;( D; , 1. # 8&H8M 12.4: If K is a sec$re signature scheme for messages of length k and Γ is !ollision resistant, then KI is a sec$re signat$re s!heme :for arbitrary9length messages). 15/26 ,ash*and*Sign Paradig" ● ?roof Idea – )et m1 (... ( mA be the messages A$eried 6y A and :mN( DN; the >alid forgery ● Case 1: :s( mN; , H:s( mi; for some i ∈ [q] : we ha>e a collision for H ● Case 2: H:s( mN; V :s( mi; for all i ∈ [AM : we ha>e that ( :s( mN;( σN; is a forgery for K ● Hash9and9sign in practi!e – 'sed 6y signature schemes $sed in pra!tice :H73 ?%C7W1 >1.4 signat$res, 7!hnorr( :8C)*73( R; – Hecall that we !onsider to 6e keyed for theoreti!al reasons and in practice would be any XgoodY !ollision9resistant hash fun!tion( e.g.( 7 39- 16/26 #S FD, Signatures ● Can we simply apply the hash9and9sign paradigm to H73? – No, not assuming !ollision resistant hashing :or any other reasona6le standard property of a hash f$nction;( as the underlying te+t6ook H73 signature s!heme does not pro>ide any meaningful se!urity ● @$t, we !an apply the idea of hash9and9sign and model the hash f$nction as a random oracle! – H73 Bull *omain ash :H739B* ; – #he random ora!le is !ollision resistant and destroys other Xdangero$s” alge6rai! properties – <mportant that range of is :!lose to; Z1N – !onstr$!ted >ia repeated application of an underlying !ryptographic hash fun!tion s$!h as 7 39- ● Ne>er say Xsigning , d/en!rypt the hashY when talking about signing :with H73;T – XMisunderstanding” d$e to !ommutativity of H73 private and p$6lic key operation – &ther signature s!hemes do usually not allow any s$!h analogy 17/26 #S FD, Signatures (Construction 1./10 ● %eyCen: On inp$t 1n pick two random n96it primes p(A( set N = pA( pi!k e s.t.