Digital Signatures: Authenticity and Security, Slides of Cryptography and System Security

These slides introduce the concept of digital signatures, their importance in proving message authenticity without pre-agreed keys, and the security definitions related to their forgery. They cover various digital signature schemes such as RSA, Rabin, and El-Gamal, and discuss their vulnerabilities and solutions.

Typology: Slides

2012/2013

Uploaded on 04/27/2013

divyaa

Digital Signatures

(Public Key) Digital Signatures

PROBLEM: Alice would like to prove to Bob, Carla, David, ... that she has really sent them a claimed message.

GOAL: Alice signs each message so individuals can verify authenticity without pre-agreed secret keys for MACs and no interaction.


Digital Signatures

DEF: A digital signature scheme consists of a tuple $(M, K, G, S, V)$ where

M - message space

K - key space with each key = $(pk, sk)$

G - PPT key generator picks key k of security parameter l: $k \leftarrow_R G(1^l)$

S - PPT algorithm for signature from secret key and message. Write: $S_{sk}(m)$

V - verifier which is a Las-Vegas PPT decider s.t. $V_{pk}(m, S_{sk}(m)) = 1$ if $(pk, sk)$ is a valid key.


Security Definition

DEF: An existential adaptive message forger is an adversarial algorithm A that has access to a signing oracle $O_S$ and outputs a valid message-signature pair $(m, s)$ for some new message $m$ that was not a query to $O_S$.

DEF: A signature scheme $(M, K, G, S, V)$ is existentially unforgeable under adaptive chosen message attack if every PPT forger A succeeds in forging with the following negligible probability:

$\Pr[V_{pk}(A^{O_S}(pk)) = 1]$

Note: “chosen message attack” doesn’t mean Eve can choose which message to forge at the end. Only that she can choose which message to forge during cryptanalysis.


Naïve RSA Signature

K = (p, q, e) with p, q primes of equal size, e relatively prime to (p − 1)(q − 1). Set n = pq.

pk = (n, e), sk = (n, d) with $d = e^{-1} \bmod (p-1)(q-1)$ [same key-pair as RSA encryption]

Alice signs m with $S_{sk}(m) = x^d \bmod n$

Bob verifies m by applying $V_{pk}(m) = x^e \bmod n$

Same arguments as with RSA encryption show that key security is equivalent to factoring n.


Naïve Rabin Signature

Same idea as with RSA. Sign by “decrypting”, verify by “encrypting”. Need to restrict messages to QR(n) so that square roots exist. Other numbers are un-signable.

Alice signs messages in QR( n ) by sending a square root of message m

Bob verifies by squaring signature and checking that result equals message. Similar argument as for Rabin encryption shows: existential forgery with known messages extracting square roots factoring n


El-Gamal Motivation

If we could solve Dlog, we would be able to find the exponent x, thus finding the secret key and unabashedly signing any message we want to.

Intuitively, for arbitrary message m, that’s the only way to do it. Complete mastery of forgery expected to allow producing two distinct verifiable triples (m, a, b) & (m’, a’, b’) satisfying $a^b = (a')^{b'}$ and $\alpha^{-m}\beta^{a} \equiv_p \alpha^{-m'}\beta^{a'}$, which by previous techniques solves Dlog problem.

Unknown if El-Gamal break implies Dlog alg.


Naïve Rabin Break

Similar argument as for Rabin encryption’s cracking under chosen ciphertext attack shows: Rabin is totally broken under chosen message attack.


Naïve El-Gamal Break

Existentially forgeable as follows: Choose any number w that is relatively prime to p − 1. Choose any number z at all. Let $a = \alpha^z \beta^w \bmod p$, $b = -a w^{-1} \bmod (p-1)$, $m = -a z w^{-1} \bmod (p-1)$. Notice that

$a^b = (\alpha^z \beta^w)^{-a w^{-1}} = \alpha^{-a z w^{-1}} \beta^{-a} = \alpha^{m} \beta^{-a}$

which shows that (m, a, b) is valid according to El-Gamal. Hashing before signing fixes this issue.
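The construction above and the hashing fix, side by side, as an added example that is not part of the original slides. It assumes the verification equation alpha^m ≡ beta^a · a^b (mod p), the form under which the slide's triple verifies (the slide defining the scheme is not in the preview); the toy parameters and all function names are constructed for illustration.

```python
import hashlib
from math import gcd

# Constructed toy parameters (far too small for real use).
P, ALPHA = 467, 2            # prime modulus and a generator of Z_p^*
X = 127                      # signer's secret exponent (assumed name)
BETA = pow(ALPHA, X, P)      # public key beta = alpha^x mod p

def h(msg):
    """Hash a byte string into Z_{p-1} (SHA-256 reduced mod p-1)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)

def sign(m, k):
    """Honest signature on exponent m with nonce k coprime to p-1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    a = pow(ALPHA, k, P)
    b = (m - X * a) * pow(k, -1, P - 1) % (P - 1)
    return a, b

def verify_naive(m, a, b):
    """Naive check on the raw value m: alpha^m == beta^a * a^b (mod p)."""
    if not 0 < a < P:
        return False
    return pow(ALPHA, m, P) == pow(BETA, a, P) * pow(a, b, P) % P

def verify_hashed(msg, a, b):
    """Hash-then-verify: the signed value is fixed by the message."""
    return verify_naive(h(msg), a, b)

def forged_triple(z, w):
    """The slide's construction: a valid (m, a, b) from public values only."""
    if gcd(w, P - 1) != 1:
        raise ValueError("w must be relatively prime to p-1")
    a = pow(ALPHA, z, P) * pow(BETA, w, P) % P
    w_inv = pow(w, -1, P - 1)
    b = -a * w_inv % (P - 1)
    m = -a * z * w_inv % (P - 1)
    return m, a, b

if __name__ == "__main__":
    m, a, b = forged_triple(z=99, w=179)
    msg = b"constructed message"
    print("naive verifier accepts unsigned m:", verify_naive(m, a, b))
    print("hashed verifier accepts it for msg:", verify_hashed(msg, a, b))
    print("honest hashed signature verifies:", verify_hashed(msg, *sign(h(msg), 213)))
```

The naive verifier accepts the triple because m is dictated by the construction rather than chosen; once the verifier recomputes h(msg), the same (a, b) is only valid for a message whose hash equals that forced m. At this toy size such a message is easy to find, which is why the fix depends on a hash with a realistic output length.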

Cramer-Shoup Stateless DSA

Provably secure digital signature algorithm if...

collision-resistant hash functions exist for security parameter l s.t. $h : \{0,1\}^* \to \{0,1\}^l$

strong RSA conjecture: negl. probability of extracting any non-trivial root of random number mod pq (prod. of k-bit primes)

Sophie Germain conjecture: non-negl. prob. that random number is a Sophie Germain prime (p and 2p + 1 both prime)

Cramer-Shoup Signature

For message m, $S(m) = (e, y, \tilde{y})$ defined by:

e: random l + 1 bit prime

$\tilde{y}$: random quadratic residue mod n

y: defined by:

$\tilde{x} = \tilde{y}^{\tilde{e}} \cdot g^{h(m)} \bmod n$

$y = (x \cdot g^{h(\tilde{x})})^{e^{-1} \bmod \varphi(n)} \bmod n$


Cramer-Shoup Verify

  1. Check that e is an odd l + 1 bit number not divisible by $\tilde{e}$
  2. Compute $\tilde{x} = \tilde{y}^{\tilde{e}} \cdot g^{h(m)} \bmod n$
  3. Check that $x \equiv_n y^e \cdot g^{h(\tilde{x})}$