CHAPTER 7: Digital signatures Digital signatures are one of the most important inventions/applications of modern cryptography. The problem is how can a user sign a message such that everybody (or the intended addressee only) can verify the digital signature and the signature is good enough also for legal purposes. Example: Assume that each user A uses a public-key cryptosystem (e ,d ). Part VII A A Signing a message w by a user A, so that any user can verify the signature; Digital signatures dA(w) Signing a message w by a user A so that only user B can verify the signature; eB (dA(w)) Sending a message w, and a signed message digest of w, obtained by using a hash function h: (w, dA(h(w))) Example Assume Alice succeeds to factor the integer Bob used, as modulus, to sign his will, using RSA, 20 years ago. Even the key has already expired, Alice can rewrite Bob’s will, leaving fortune to her, and date it 20 years ago. Moral: It may pay off to factor a single integers using many years of many computers power. prof. Jozef Gruska IV054 7. Digital signatures 2/44 Digital signatures – basic goals Digital signatures If only signature (but not the encryption of the message) are of importance, then it suffices that Alice sends to Bob Digital sigantures should be such that each user should be able to verify signatures of other users, but that should give him/her no information how to sign a message on (w, dA(w)) behind of other users. Caution: Signing a message w by A for B by An important difference from a handwritten signature is that digital signature of a eB (dA(w)) message is always intimately connected with the message, and for different messages is different, whereas the handwritten signature is adjoined to the message and always looks is O.K., but the symmetric solution, with encoding first: the same. c = dA(eB (w)) Technically, a digital signature signing is performed by a signing algorithm and a digital signature is verified by a verification algorithm. is not good. A copy of a digital (classical) signature is identical (usually distinguishable) to (from) the An active enemy, the tamperer, can intercept the message, then can compute origin. A care has therefore to be taken that a classical signature is not misused. dT (eA(c)) = dT (eB (w)) This chapter contains some of the main techniques for design and verification of digital and can send the outcome to Bob, pretending that it is from him/tamperer (without signatures (as well as some attacks to them). being able to decrypt/know the message). Any public-key cryptosystem in which the plaintext and cryptotext spaces are the same can be used for digital signature. prof. Jozef Gruska IV054 7. Digital signatures 3/44 prof. Jozef Gruska IV054 7. Digital signatures 4/44 Digital Signature Schemes I Digital Signature Schemes II Digital signatures are basic tools for authentication and non-repudiation of messages. A digital signature scheme allows anyone to verify signature of any sender S without Correctness: providing any information how to generate signatures of S. For each messagem fromM and public keyk in Kv , it holds A Digital Signature Scheme (M, S, Ks , Kv ) is given by: verk (m, s) = true M - a set of messages to be signed if there is anr from 0, 1 ∗ such that S - a set of possible signatures { } s = sigl (r, m) Ks - a set of private keys for signing Kv - a set of public keys for verification for a private keyl from Ks corresponding to the public keyk. Moreover, it is required that: Security: For each k from Ks , there exists a single and easy to compute signing mapping For anyw fromM andk in Kv , it is computationally infeasible, without the knowledge sigk : 0, 1 ∗ M S { } × → of the private key corresponding tok, to find a signatures fromS such that For each k from Kv there exists a single and easy to compute verification mapping verk (w, s) = true. verk : M S true, false × → { } such that the following two conditions are satisfied: prof. Jozef Gruska IV054 7. Digital signatures 5/44 prof. Jozef Gruska IV054 7. Digital signatures 6/44 Attacks on digital signatures A digital signature of one bit Let us start with a very simple but much illustrating (though non-practical) example how to sign a single bit. Design of the signature scheme: Total break of a signature scheme: The adversary manages to recover the secret key from A one-way function f(x) is chosen. the public key. Two integers k and k are chosen, by the signer, kept secret, and items Universal forgery: The adversary can derive from the public key an algorithm which 0 1 allows to forge the signature of any message. f, (0, s0), (1, s1) Selective forgery: The adversary can derive from the public key a method to forge are made public, where signatures of selected messages (where selection was made prior the knowledge of the public key). s0 = f (k0), s1 = f (k1) Existential forgery: The adversary is able to create from the public key a valid signature Signature of a bit b: of a message m (but has no control for which m). (b, kb). Verification of such a signature sb = f (kb) SECURITY? prof. Jozef Gruska IV054 7. Digital signatures 7/44 prof. Jozef Gruska IV054 7. Digital signatures 8/44 RSA signatures and their attacks ENCRYPTION versus SIGNATURE Let us have an RSA cryptosystem with encryption and decryption exponentse andd and modulusn. Signing of a message w s = (w, σ), where σ = w d mod n Let each user U uses a cryptosystem with encryption and decryption algorithms: eU , dU Verification of a signature s = (w, σ): Let w be a message e w = σ mod n? PUBLIC-KEY ENCRYPTIONS Attacks Encryption: eU (w) Decryption: dU (eU (w)) It might happen that Bob accepts a signature not produced by Alice. Indeed, let Eve, using Alice’s public key, compute w e and say that (w e , w) is a message signed PUBLIC-KEY SIGNATURES by Alice. Signing: dU (w) e e Everybody verifying Alice’s signature gets w = w . Verification of the signature: eU (dU (w)) Some new signatures can be produced without knowing the secret key. 1 Indeed, is σ1 and σ2 are signatures for w1 and w2, then σ1σ2 and σ1− are signatures 1 for w1w2 and w1− . prof. Jozef Gruska IV054 7. Digital signatures 9/44 prof. Jozef Gruska IV054 7. Digital signatures 10/44 DIGITAL SIGNATURE SYSTEMS – simplified version FROM PKC to DSS - again A digital signature system(DSS) consists of: Any public-key cryptosystem in which the plaintext and cryptotext space are the same, P - the space of possible plaintexts (messages). can be used for digital signature. S - the space of possible signatures. Signing of a message w by a user A so that any user can verify the signature: K - the space of possible keys. dA(w). For each k K there is a signing algorithm sigk Sa and a corresponding ∈ ∈ Signing of a message w by a user A so that only user B can verify the signature; verification algorithm verk V such that ∈ sigk : P S. eB (dA(w)). → verk : P S true, false Sending a message w and a signed message digest of w obtained by using a (standard) ⊗ → { } and hash function h: true ifs = sigk (w); , (w, dA(h(w))). verk (w, s) = (false otherwise. If only signature (but not the encryption of the message) are of importance, then it Algorithms sigk and verk should be computable in polynomial time. suffices that Alice sends to Bob Verification algorithm can be publicly known; signing algorithm (actually only its key) (w, dA(w)). should be kept secret prof. Jozef Gruska IV054 7. Digital signatures 11/44 prof. Jozef Gruska IV054 7. Digital signatures 12/44 ElGamal signatures ElGamal signatures - example Design of the ElGamal digital siganture system: choose: prime p, integers 1 q x p, where q is a primitive element of Z ∗; Example ≤ ≤ ≤ p Compute: y = qx mod p choose: p = 11, q = 2, x = 8 key K = (p, q, x, y) compute: y = 28 mod 11 = 3 public key (p, q, y) - trapdoor: x w = 5 is signed as (a,b), where a = qr mod p, w = xa + rb mod (p 1) − Signature of a message w: Let r Zp∗ 1 be randomly chosen and kept secret. ∈ − choose r = 9 – (this choice is O.K. because gcd(9, 10) = 1) sig(w, r) = (a, b), computea=2 9 mod 11 = 6 r where a = q mod p solve equation: 5 8 6 + 9b (mod 10) 1 ≡ · and b = (w xa)r − (mod (p 1)). that is 7 9b (mod 10) b=3 − − ≡ ⇒ Verification: accept a signature (a,b) of w as valid if signature: (6, 3) y aab qw (mod p) ≡ Note: equation that has to be solved: w = xa + rb mod (p 1). a b ax rb ax+w ax+k(p 1) w (Indeed: y a q q q − − q (mod p)) − ≡ ≡ ≡ prof. Jozef Gruska IV054 7. Digital signatures 13/44 prof. Jozef Gruska IV054 7. Digital signatures 14/44 Security of ElGamal signatures Forging and misusing of ElGamal signatures There are ways to produce, using ElGamal signature scheme, some valid forged Let us analyze several ways an eavesdropper Eve can try to forge ElGamal signature signatures, but they do not allow an opponent to forge signatures on messages of his/her (with x - secret; p, q and y = qx mod p - public): choice.