Digital Signature Schemes - 福井大学 fuee.u-fukui.ac.jp/.../slides/e/digital_signature.pdf
Digital Signature Schemes
What is a digital signature?
Properties
• “Who signed what” is publicly verifiable
• Unforgeable
A Digital Signature Scheme
Key generation algorithm G (probabilistic)
$(pk, sk) \leftarrow G(1^{\ell})$
$\ell$ security parameter
(pk, sk) public/secret key pair
Signing algorithm S (probabilistic or deterministic)
s ← S(pk, sk, m)
m message; s signature for m
Verification algorithm V (deterministic)
d ← V(pk, m, s)
d ∈ {true, false}
The RSA Scheme
public key n, e
• n = p q, where p and q are distinct odd primes
• e satisfies gcd(e, φ(n)) = 1
secret key d, p, q
• d e ≡ 1 (mod φ(n))
sign s is the signature of a message $m \in \mathbb{Z}_n$
$s = m^d \bmod n$
verification s is a valid signature of m if
$m \equiv s^e \pmod{n}$
The ElGamal Scheme (1/2)
public key p, g, y
• p is a prime
• $g \in \mathbb{Z}_p^*$ is a primitive element modulo p
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_{p-1}$
The ElGamal Scheme (2/2)
sign (a, b) is a signature of a message $m \in \mathbb{Z}_{p-1}$
1. Select $k \in \mathbb{Z}_{p-1}^*$ randomly, that is, $\gcd(k, p-1) = 1$
2. $a = g^k \bmod p$
3. $b = (m - xa)k^{-1} \bmod (p-1)$
verification (a, b) is a valid signature of m if
$g^m \equiv y^a a^b \pmod{p}$
Misuse of the ElGamal Scheme (1/2)
Do not use the same k for signing different messages!
Suppose that k is used for signing different $m_1, m_2$
$a, b_1$ a signature for $m_1$
$a, b_2$ a signature for $m_2$, where $a = g^k \bmod p$
Then, from the signing algorithm,
$m_1 = ax + kb_1 \bmod (p-1)$
$m_2 = ax + kb_2 \bmod (p-1)$
$m_1 - m_2 \equiv k(b_1 - b_2) \pmod{p-1}$
Misuse of the ElGamal Scheme (2/2)
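Let $\gcd(b_1 - b_2, p-1) = d$ and
$\tilde{m} = \frac{m_1 - m_2}{d}, \quad \tilde{b} = \frac{b_1 - b_2}{d}, \quad \tilde{p} = \frac{p-1}{d}$
Then,
$\tilde{m} \equiv k\,\tilde{b} \pmod{\tilde{p}}$
Let $\tilde{k} = \tilde{m}\,\tilde{b}^{-1} \bmod \tilde{p}$. Then, $k = i\,\tilde{p} + \tilde{k}$ for $\exists i \in \mathbb{Z}_d$.
The right value of k is determined by $a = g^k \bmod p$.
Once k is known, the secret key x can be recovered by
$x = (m_1 - k\,b_1)a^{-1} \bmod (p-1)$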
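The recovery on these two slides, carried through in Python on toy parameters, as an added example that is not part of the original slides. The values p = 467, g = 2, x = 127 and all function names are assumptions chosen for illustration; the code also goes beyond the slide by handling the case where a has no inverse modulo p − 1.

```python
from math import gcd

# Toy parameters constructed for this example (far too small for real use).
P, G = 467, 2             # prime p and primitive element g modulo p
X = 127                   # secret key x
Y = pow(G, X, P)          # public key y = g^x mod p

def sign(m, k):
    """ElGamal signature (a, b) on m with the per-signature value k."""
    assert gcd(k, P - 1) == 1
    a = pow(G, k, P)
    b = (m - X * a) * pow(k, -1, P - 1) % (P - 1)
    return a, b

def verify(m, a, b):
    """Accept iff g^m == y^a * a^b (mod p)."""
    return 0 < a < P and pow(G, m, P) == pow(Y, a, P) * pow(a, b, P) % P

def solve_linear(c, t, n):
    """All u in Z_n with c*u == t (mod n): gcd(c, n) solutions, or none."""
    d = gcd(c, n)
    if t % d:
        return []
    n_red = n // d
    u0 = (t // d) * pow(c // d, -1, n_red) % n_red
    return [u0 + i * n_red for i in range(d)]

def recover_secret(m1, b1, m2, b2, a):
    """Recover x from signatures (a, b1) on m1 and (a, b2) on m2 sharing k."""
    n = P - 1
    for k in solve_linear((b1 - b2) % n, (m1 - m2) % n, n):
        if pow(G, k, P) != a:         # the right k satisfies a = g^k mod p
            continue
        for x in solve_linear(a % n, (m1 - k * b1) % n, n):
            if pow(G, x, P) == Y:     # the right x satisfies y = g^x mod p
                return x
    return None

def reused_k(signatures):
    """Audit check: a = g^k mod p repeats exactly when k repeats."""
    seen = [a for a, _ in signatures]
    return len(seen) != len(set(seen))
```

Because g is a primitive element, two signatures from one key share the component a exactly when they share k, so `reused_k` over a log of issued signatures flags the condition the slide warns about.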
The Digital Signature Algorithm (DSA)
• A modification of the ElGamal scheme
• Proposed by the U.S. National Institute of Standards and
Technology (NIST) in August 1991
• Became a U.S. Federal Information Processing Standard
(FIPS 186) in 1994, called the Digital Signature Standard
(DSS)
The Digital Signature Algorithm (DSA)
public key p, q, g, y
• p, q are primes such that
– $2^{159} < q < 2^{160}$
– $2^{511+64t} < p < 2^{512+64t}$ for some $0 \le t \le 8$
– q divides $p - 1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod{p}$
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_q$
The Digital Signature Algorithm (DSA)
sign (a, b) is a signature of a message $m \in \mathbb{Z}_q$
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $a = (g^k \bmod p) \bmod q$
3. $b = (m + xa)k^{-1} \bmod q$
verification (a, b) is a valid signature of m if
$(g^{u_1} y^{u_2} \bmod p) \bmod q = a$
where
$u_1 = m\,b^{-1} \bmod q$
$u_2 = a\,b^{-1} \bmod q$
How the Verification Works
From the signing algorithm,
$b = (m + xa)k^{-1} \bmod q$
$k = (m + xa)b^{-1} \bmod q$
Thus,
$g^k \equiv g^{m b^{-1}} g^{x a b^{-1}} \pmod{p}$
$g^k \equiv g^{m b^{-1}} y^{a b^{-1}} \pmod{p}$
The Schnorr Scheme
public key p, q, g, y
• p, q are primes such that $q \mid p - 1$
• $g \in \mathbb{Z}_p^*$ such that $g^q \equiv 1 \pmod{p}$
• $y = g^x \bmod p$
secret key $x \in \mathbb{Z}_q$
This scheme also requires a collision-resistant hash function
$h : \{0, 1\}^* \to \mathbb{Z}_q^*$.
The Schnorr Scheme
sign (e, s) is a signature of a message m
1. Select $k \in \mathbb{Z}_q^*$ randomly
2. $e = h(r, m)$ where $r = g^k \bmod p$
3. $s = k - e\,x \bmod q$
verification (e, s) is a valid signature of m if
$e = h(r', m)$
where
$r' = g^s y^e \bmod p$
Digital Signature and Message Digest
To sign a message m of arbitrary length, a signer first computes a
message digest of m, h(m), with a hash function h and creates a
signature for h(m).
The hash function h should be collision-resistant.
Def. 1 A hash function h : D → R is collision-resistant if it is
difficult to find a pair of inputs x, x′ ∈ D such that h(x) = h(x′)
and x ≠ x′. □
Security of Signature Schemes (1/2)
Adversarial goal
• total break
An adversary is able to create a valid signature for any message.
• selective forgery
An adversary is able to create a valid signature for a given
message chosen by someone else.
• existential forgery
An adversary is able to create a valid signature for at least one
message.
Security of Signature Schemes (2/2)
Attack
• key-only attack
An adversary only knows the public key of the signer.
• known message attack
An adversary knows a list of messages and their corresponding
signatures.
• chosen message attack
An adversary is able to request signatures for messages he selects.
Chosen Message Attack
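[Figure: the adversary A selects messages $m_i$ and sends them to the oracle O, which returns the signatures $s_1, \ldots, s_q$, where $s_i \leftarrow S(pk, sk, m_i)$.]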
Provably Secure Signature Schemes
Efficient and provably secure schemes have been proposed based
on the intractability of number theoretic problems in the random
oracle model.
These schemes are secure against existential forgery with a chosen
message attack.
The Schnorr Scheme Is Provably Secure
Thm. 1 Suppose that the discrete logarithm problem is intractable.
Then, the Schnorr scheme is secure against existential forgery with a
chosen message attack in the random oracle model. □
(Proof sketch) In the random oracle model,
• An oracle is able to simulate the signer without the secret key.
• If an adversary is able to create a valid signature with
non-negligible probability, then an algorithm can be constructed
that uses the adversary as a subroutine and computes the discrete
logarithm of the public key with non-negligible probability.
Simulation of the Signer in the Random Oracle Model
public key p, q, g, y
secret key $x \in \mathbb{Z}_q$, where $y = g^x \bmod p$
Suppose that an adversary requests a signature for m. The oracle
computes (e, s) in the following way and returns it to the adversary.
1. Select $e, s \in \mathbb{Z}_q^*$ randomly and compute $\tilde{r} = g^s y^e \bmod p$
2. Set $e = h(\tilde{r}, m)$
Simulation of the Signer in the Random Oracle Model
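[Figure: two diagrams. In one, the Adversary sends $m_i$ to the Oracle and receives $(e_i, s_i)$; in the other, the Adversary sends $m_i$ to the Signer and receives $(e_i, s_i)$. Each diagram includes the random oracle h, and an arrow labelled "control" appears in the figure.]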
Adversaries cannot distinguish between the above two situations.
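The simulation from the slides above, as an added Python example that is not part of the original slides: h is modelled as a lazily sampled table that the oracle may program, so the pair (e, s) it returns verifies although x is never used. The toy group p = 467, q = 233, g = 4, the key x = 57 and all class and function names are assumptions for illustration.

```python
import secrets

P, Q, G = 467, 233, 4     # toy group: q | p-1, g has order q (constructed)
X = 57                    # signer's secret key; simulate() never reads it
Y = pow(G, X, P)          # public key y = g^x mod p

class RandomOracle:
    """h modelled as a lazily sampled random function into Z_q^*."""
    def __init__(self):
        self.table = {}
    def query(self, r, m):
        if (r, m) not in self.table:
            self.table[(r, m)] = 1 + secrets.randbelow(Q - 1)
        return self.table[(r, m)]
    def program(self, r, m, e):
        # The simulator may fix h(r, m) only if that point is still undefined.
        if (r, m) in self.table:
            return False
        self.table[(r, m)] = e
        return True

def sign(h, m):
    """Real signer: uses the secret key x."""
    k = 1 + secrets.randbelow(Q - 1)
    e = h.query(pow(G, k, P), m)
    return e, (k - e * X) % Q

def simulate(h, m):
    """Oracle from the proof sketch: uses only the public key y."""
    while True:
        e, s = (1 + secrets.randbelow(Q - 1) for _ in range(2))
        r = pow(G, s, P) * pow(Y, e, P) % P   # r~ = g^s y^e mod p
        if h.program(r, m, e):                # set h(r~, m) = e
            return e, s

def verify(h, m, e, s):
    """Accept iff e == h(g^s y^e mod p, m)."""
    return e == h.query(pow(G, s, P) * pow(Y, e, P) % P, m)
```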