chapter 8 digital signature cryptography-principles and practice harbin institute of technology...
TRANSCRIPT
Chapter 8 Digital Signature
Cryptography-Principles and PracticeHarbin Institute of TechnologySchool of Computer Science and Technology
Zhijun Lihttp://cst.hit.edu.cn/~lizhijun
Zhijun Li S1034040/Autumn08/HIT 2
Outline
• Nonreputation & Digital Signature • RSA Signature• ElGamal Signature• Digital Signature Algorithm• Digital Signature with other Properties
– Security Provable Signature– Blind Signature– Undeniable Signature– Fail-Stop Signature
Zhijun Li S1034040/Autumn08/HIT 3
• Confidentiality/secrecy/privacy– Encryption
• Integrity– MAC
• Nonreputation– Identity (source or destination) can not deny transmitti
ng the message – Use ?
Security Goals
Zhijun Li S1034040/Autumn08/HIT 4
Nonreputation
• Nonreputation: Identity (source or destination) can not deny transmitting the message– Authentication protects two parties from third parties
– Nonrepudiation protects two parties against each other
• Example: Alice sends IOU message to Bob– Alice can deny sending the message– Bob may forge a different message and claim that it
came from Alice
Zhijun Li S1034040/Autumn08/HIT 5
IOU Protocol Review
AliceBob
{KUA, KRA}
M EKRA[H(M)]
Judge
M EKRA[H(M)]
knows KUA
knows KUA
Digital Signature
Alice Bob
Judge
Zhijun Li S1034040/Autumn08/HIT 6
Digital Signature
• Digital Signature: a data string which associates a message with some originating entity
• Digital Signature Scheme: for each key, there is a SECRET signature generation algorithm and a PUBLIC verification algorithm
• Digital Signature & PKI– Digital signature is difficult to implement in
other ways
Zhijun Li S1034040/Autumn08/HIT 7
SignatureSignature generation
Private key
Document
Signer
Signature verification
Public key
Document
OK / not OK
Verifier
Digital Signature Scheme
SIG: KM S kK is the secret key
VER : K’MS {OK, FAIL}
OK iff s is a valid signature
e is the public key
Zhijun Li S1034040/Autumn08/HIT 8
Adversary of Digital Signature
• Adversarial goals: – Total break: adversary can forge signature on any message
– Selective forgery: adversary is able to create valid signatures on a chosen message with a significant probability
– Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid
• Note:– A signature scheme can not be perfectly secure
• Adversary can always forge signature given enough time
– Signature scheme can only be computationally secure
Zhijun Li S1034040/Autumn08/HIT 9
Attack Model to Digital Signature
• Key-only attack: Adversary knows only the verification function (it is supposed to be public)
• Known message attack: Adversary knows a list of messages previously signed by Alice
• Chosen message attack: Adversary can choose what messages wants Alice to sign, and knows the messages and the corresponding signatures
Zhijun Li S1034040/Autumn08/HIT 10
Outline
• Nonreputation & Digital Signature • RSA Signature• ElGamal Signature• Digital Signature Algorithm• Digital Signature with other Properties
– Security Provable Signature– Blind Signature– Undeniable Signature– Fail-Stop Signature
Zhijun Li S1034040/Autumn08/HIT 11
RSA Signature
• Given RSA {(e, n), (d, p, q)}
• SIG(d, m) s = md (mod n)
• VER(e, m, s)
m =? se (mod n)
• se = med (mod n) = m (mod n)
Zhijun Li S1034040/Autumn08/HIT 12
Existential Forgery
• Oscar can generate a valid signature by: 1. Choose signature sZn
2. Encrypt: m = ekpub(s) = se mod n
3. Send (m,s) to Bob
4. Bob verifies:
verkpub(m, s): se m (mod n) true
• Note: – m can’t be controlled, so existential forgery
Zhijun Li S1034040/Autumn08/HIT 13
Remark for This Forgery
• It is a key-only attack
• Countermeasures: – Use some redundancy in message to detect
– Example: • Sig(m) = (Hash(m))d = s• se = Hash(m) : Need find m with Hash(m) = se
• Hash is preimage resistant • Know Hash(m), but NOT known m
Zhijun Li S1034040/Autumn08/HIT 14
Another Existential Forgery
• (m1,s1) and (m2,s2) are valid signatures
• (m=m1m2, s=s1s2) are valid
• (m,s) is valid signature• (m-1, s-1) is valid
• Remark: – An existential forgery – Sig(m) = (Hash(m))d is also useful
Zhijun Li S1034040/Autumn08/HIT 15
Outline
• Nonreputation & Digital Signature • RSA Signature• ElGamal Signature• Digital Signature Algorithm• Digital Signature with other Properties
– Security Provable Signature– Blind Signature– Undeniable Signature– Fail-Stop Signature
Zhijun Li S1034040/Autumn08/HIT 16
ElGamal Signature
• Key generation:– Chooses a prime p, and chooses a generator
gZp*
– Selects a random integer k as the private key– Computes the public key = gk mod p – Public key is (, g, p) – Private key is (k)
Zhijun Li S1034040/Autumn08/HIT 17
ElGamal Signature
• Signing a message m:
– Select random r, 1rp-1, rZp-1* (gcd(r,p-1)=
1)– Compute x gr (mod p)– Solves y in following congruence equation
m k·x+r·y (mod p-1)
– SIGk,r(m) = (x,y)
Zhijun Li S1034040/Autumn08/HIT 18
ElGamal Signature
• Verification: – Receive the m and s = (x, y)– Computes gm
– Computes ()x·xy
– VER(m, s): gm ?()x ·xy(mod p)
Zhijun Li S1034040/Autumn08/HIT 19
Why This Schema Can Work?
• If m=m, x=x, y=y
• ()x·xy (mod p) = gkx · gry (mod p)• ry = m - kx (mod p-1) • kx+ry = m (mod p-1)
• ()x·xy = gkx + ry = gm (mod p)
• Why?
Zhijun Li S1034040/Autumn08/HIT 20
ElGamal Signature Example
1. Choose p=11, g=2 and k=8 2. c = 28 mod 11 = 3 So: Public key (3,2,11)3. Signing m=5 3.1 select a random integer r=9 gcd(10,9)=1 3.2 computes x = gr mod p = 29 mod 11 = 6 3.3 solves 5 = 8·6+9·y mod 10; because 9-1 =
9 mod 10;so y = 9-1· (5-8·6) = 3 mod 10 3.4 signature s=(6,3) 4. Verification
36.63 =21 =10 = 25 =10 mod 11
Zhijun Li S1034040/Autumn08/HIT 21
Security of ElGamal Signature
• Based on DLP BUT weaker than DLP– Existential Forgery
• Find (m,x,y) s.t. ()x·xy=gm
– Suppose x=gij (mod p) gmx(gij)y (mod p)– gm-iyx+jy mod p – Let m-iy0 mod p-1 x+jy0 mod p-1– If gcd(j, p-1)=1– y=-xj-1(mod p-1)– m=-xij-1(mod p-1) (if hash?)– x=gij(mod p)
Zhijun Li S1034040/Autumn08/HIT 22
Security of ElGamal Signature
• The random r must be keep secret– k=(m-ry)x-1 (mod p-1)
• The random r must be unique for each message– ()x·xy1=gm1 (mod p);()x·xy2=gm2 (mod p)– gm1-m2 y1-y2 gk(y1-y2) (mod p)– m1-m2 k(y1-y2) mod p-1– d=gcd(y1-y2, p-1); d|(m1-m2) – m'=(m1-m2)/d; y'=(y1-y2)/d; p'=(p-1)/d– m'=ky' mod p' and gcd(y', p')=1 – k=m'y'-1+ip' mod p-1 i<d and test them by =gk mod p
Zhijun Li S1034040/Autumn08/HIT 23
Lesson of ElGamal Signature
• Hash function h must be used– Otherwise easy for an existential forgery
attack
• Signature length is 2 times of the length p – p=1024 bits– For some storage limited device (smart chard)
Zhijun Li S1034040/Autumn08/HIT 24
Outline
• Nonreputation & Digital Signature • RSA Signatures• ElGamal Signatures• Digital Signature Algorithm• Digital Signature with other Properties
– Security Provable Signature– Blind Signature– Undeniable Signature– Fail-Stop Signature
Zhijun Li S1034040/Autumn08/HIT 25
DSA Overview
• Published in NIST in 1992 (FIPS PUB 186) • Remark:
– DSA is a variant for ElGamal signature– Using SHA hash algorithms and the digest is 320 bi
ts– Sometimes called DSS (Digital Signature Standard)
Zhijun Li S1034040/Autumn08/HIT 26
From ElGamal Signature
• Use a subgroup {,2,…,q} in Zp*, the order of is q– q is a 160-bits prime– p is a 1024-bits prime
• Introduce the hashing function– SHA1(m) is also 160-bits
Zhijun Li S1034040/Autumn08/HIT 27
From ElGamal Signature
• y=r-1(m+k·x) (mod p-1)– Verify mx=xy mod p – ord() = q, so all exponents need mod q– x = (r mod p) mod q– y=(m-k·x)r-1 (mod q) (x can be replaced by x) mx=xy mod p my-1xy-1=x mod p
my-1xy-1=x mod p
(my-1xy-1mod p) mod q = x
Zhijun Li S1034040/Autumn08/HIT 28
DSA: Key Generation
• Select a prime q of 160-bits• Choose 0t8 and 2511+64t<p<2512+64t with q | p-1
• Let g be a generator of Zp*, and = g(p-1)/q mod p
• Select 1 k q-1• Compute = k mod p
• Public key: (p, q, , )• Private key: k
Zhijun Li S1034040/Autumn08/HIT 29
DSA: Signature
• Signing message m:• 1. Compute one-way hash h = SHA-1(m)• 2. Select a random signing key r, 0 < r < q• 3. Compute
– x = (r mod p) mod q– y = (SHA-1(m) + xk).r-1 mod q– SIG(m)=(x, y)
Zhijun Li S1034040/Autumn08/HIT 30
DSA: Verification
• Verifying m, (r, s): 1. Verify 0 < r < q and 0 < y < q, if not, invalid
2. Verifier computes – w = y-1 mod q – u1= SHA-1(m).w mod q – u2= x.w mod q – v = (u1.u2 mod p) mod q
3. Verifier accepts the signature iff – v = x
Zhijun Li S1034040/Autumn08/HIT 31
DSA Remark
• Advantages:– Suitable to storage limited device– Hashing function is used– Based on discrete logarithm problem
• Disadvantages:– Unpublicized selection
Zhijun Li S1034040/Autumn08/HIT 32
Outline
• Nonreputation & Digital Signature • RSA Signatures• ElGamal Signatures• Digital Signature Algorithm• Digital Signature with other Properties
– Security Provable Signature– Blind Signature– Undeniable Signature– Fail-Stop Signature
Zhijun Li S1034040/Autumn08/HIT 33
Security Provable Signature
• Idea: – Can reduce the forgery into the inverse of one-way
• Lamport One-time Signature:– P={0,1}k, f is one-way function f: YZ
– Choose secret keys yi,jY, 1ik, j=0,1
– Let zi,jZ, 1ik, j=0,1 are public keys
– Sig(m1, m2, …, mk) = (y1,m1, y2,m2
, …,yk,mk)
– Ver((m1, m2, …, mk), (a1, a2, …, ak)= true f(ai)=zi,mi
Zhijun Li S1034040/Autumn08/HIT 34
Lamport Signature Example
• p=7879 and 3 is a generator• f(x)=3x mod 7879
• y1,0=5831;y1,1=735;y2,0=803;y2,1=2467;y3,0=4285;y3,1=6449
• z1,0=2009;z1,1=3810;z2,0=4672;z2,1=4721;z3,0=268;z3,1=5731
• m=(1,1,0): • Sig(m)=(735,2467,4285)• Verification: 3735 mod 7879=3810; 32467 mod 7879=4721; 342
85 mod 7879=268
Zhijun Li S1034040/Autumn08/HIT 35
One-Time Digital Signature
• One-time digital signatures:– Using signing at most one message– Otherwise signature can be forged– In Lamport: (1, 0, 1) + (0, 1, 0) = all 23 – A new public key is required for each signed message
• Advantage: – Signature and verification can be very efficient– Can be very secure– Is useful for cards with low resources
Zhijun Li S1034040/Autumn08/HIT 36
Lamport-Preimage(z)
• If we have Lamport-Forge:• Lamport-Preimage(z)
Select i0{1,…,k} and j0{0,1} randomly
Build public key Z=(zi,j: 1ik, j=0,1) s.t. z=zi0,j0
((m1,…,mk), (a1,…,ak)) = Lamport-Forge(z)
if xi0=j0
then return (ai0)
else return (fail)
Zhijun Li S1034040/Autumn08/HIT 37
Success of Lamport-Preimage
• Theorem: with Lamport-Forge, the success rate of Lamport-Preimage(z) 1/2
• Proof: – Let S is the set of all public keys, s=|S|
– Let Sz is the set of public keys contain z, sz=|Sz|
– Let Tz is all ZS with Lamport-Preimage success, tz=|Tz
| zZtz = ks; 2ks=sz|Z|
– Pr(success)=1/|Z|zZpz=1/|Z|zZtz/sz
=zZtz/sz|Z|=1/2kszZtz=ks/2ks=1/2
Zhijun Li S1034040/Autumn08/HIT 38
Blind Signature
• Situation: Signing with unknowing the content• Example: Anonymous electronic cash
• Scene
Alice Bob
Authority Sign③
Signature④
Unblinding⑤
Signature ⑥
Verification⑦Blinding
①Blin
ded Mess
age②
Zhijun Li S1034040/Autumn08/HIT 39
RSA Blind Signature
• Initialization: • Authority: p,q are primes, N=pq, public key e a
nd ed 1 mod (p-1)(q-1)
• Blinding:
• Alice: Get N and e, choose a random rZN*, compute blinded message
b m re (mod N)
Zhijun Li S1034040/Autumn08/HIT 40
RSA Blind Signature
• Signing: • Authority: sign the blinded message b s = bd
• Unblinding: • Alice: Remove the r from s s = s r -1 md (mod N)
• Verify: • Bob: Receive (m1,s1) Check s1
e ? m1 (mod N)
Zhijun Li S1034040/Autumn08/HIT 41
Undeniable Signature
• Signature with following features:– Signature verification must involve the participation of
the signer– Signer can prove that a signature is not valid– Signer can’t Deny a Valid Signature
– So Undeniable
• Example:– Software distribution
Zhijun Li S1034040/Autumn08/HIT 42
Why Undeniable?
• The signer need to be online when verifying – The precondition for undeniability – Challenge-Response interaction
• The signer can prove a signature is forged– If he deny to prove – Then the signature is valid
Zhijun Li S1034040/Autumn08/HIT 43
How to Prove?
• In Challenge-Response interaction– If the Verification fails
• The signature is a fraud • Signer cheats by giving “incorrect” response
– So need run some protocol after fails
• Summary:
Signing & Verification & Disavowal Protocol
Zhijun Li S1034040/Autumn08/HIT 44
• Initialization: • The Signer Chooses:
– two primes p and q, and p=2q+1
– gZp* and ord(g)=q
– G generated by g, so G is a subgroup of Zp*
– A random k(0<k<q), k is secret and gk is public
Chaum-van Antwerpen Signature
Zhijun Li S1034040/Autumn08/HIT 45
• Signing: For a message mG
s=mk (mod p)
• Verification: Bob and Signer interact:
– Challenge: Bob select two random a,bZq* and sends the challenge c=sa(gk)b (mod p)
– Response: r = ck-1magb (mod p)– Test: Bob checks
VER( m, r ) = (r ? m agb (mod p))
Chaum-van Antwerpen Signature
Zhijun Li S1034040/Autumn08/HIT 46
• Disavowal Protocol: (when verification fails)– BobSigner: select a1,b1Zq* and sends c1=sa1(gk)b1
(mod p)
– SignerBob: r1=c1k-1
– Test: if r1 ma1gb1 (mod p), then follow
– BobSigner: select a2,b2Zq* and sends c2=sa2(gk)b2
(mod p)
– SignerBob: r2=c2k-1
– Test: r2 ma2gb2 (mod p)
If (r1g-b1)a2 (r2g-b2)a1 (mod p)
then forged
else signer cheat
Chaum-van Antwerpen Signature
Zhijun Li S1034040/Autumn08/HIT 47
• Theorem: if s mk mod p, then Bob accepts s as correct signature with prob. at most 1/q
• Proof: – For each c=se1(gk)e2, there are q pairs of (e1, e2) becaus
e the order of s and gk is all q
– g is a generator and ord(g)=q– c=gi, r=gj, m=gv, s=gw
– cse1(gk)e2 (mod p); rme1ge2 (mod p)– iwe1 + ke2 (mod q); jve1 + e2 (mod q)– If smk mod p, then wkv mod q, then 0, and o
nly a pair in q pairs of (e1,e2) is correct
Correctness of Verification
w kv 1
Zhijun Li S1034040/Autumn08/HIT 48
• Theorem: If s mk mod p, and both parties follow the protocol, then (rg-e2)f1 (Rg-f2)e1 (mod p) (Alice can convince Bob)
• Proof:– r=ck-1 (mod p)– cse1(gk)e2 (mod p)
– (rg-e2)f1 (se1(gk)e2)k-1g-e2)f1 (mod p)
se1k-1f1 (mod p)
– R=Ck-1 (mod p)
– (Rg-f2)e1se1k-1f1 (mod p)
Correctness of Disavow Protocol
Zhijun Li S1034040/Autumn08/HIT 49
• Theorem: If s mk mod p, and Bob follows the protocol, then Alice can convince Bob ((rg-e2)f1 (Rg-f2)e1 (mod p)) with prob. 1/q
• Proof:– s=mk; (rg-e2)f1 (Rg-f2)e1 (mod p) – r me1ge2; R mf1gf2
– (rg-e2)f1 (Rg-f2)e1 (mod p) iff. R = (r1/e1g-e2/e1)f1gf2
– Let r0=r1/e1g-e2/e1, which can be computed after stage one– Let stage two is the verification protocol– Suppose s is the r0’s signature (s=r0
k mod p) with prob. 1-1/q– s mk mod p and s=r0
k mod p m=r0
– r me1ge2 m r1/e1g-e2/e1 m r0
– Contradiction (rg-e2)f1 (Rg-f2)e1 (mod p) with prob. 1/q
Correctness of Disavow Protocol
Zhijun Li S1034040/Autumn08/HIT 50
• Situation: For the Attacker with Unlimited Computing Power
• Scene
Alice Bob
TTP
Oscar
EstablishParameters
①
Public Keys ②
⑤Build PROOF
③Signatures
④
Forged Signatures
⑦Fail-stop⑥
Proof
Fail-Stop Signatures
Zhijun Li S1034040/Autumn08/HIT 51
• Initialization:• TTP: two primes p and q, and p=2q+1
– gZp* and ord(g)=q
– a random rZq* (0<r<q), r is known only by TTP and R=gr
– (p,q,g,R) is Public and keep r is Secret
• Signer(Alice): Select a1,a2,b1,b2Zq* as secret key, compute (1ga1Rb1 mod p 2ga2Rb2 mod p) as public key
Van Heyst & Pedersen Signature
Zhijun Li S1034040/Autumn08/HIT 52
• Signing:
• Alice: SigK(m)=(s1,s2)
s1=a1+mb1 mod q
s2=a2+mb2 mod q
• Verification:
• Bob: VerK(m,s) is 12m?gs1Rs2 mod p
Van Heyst & Pedersen Signature
Zhijun Li S1034040/Autumn08/HIT 53
• Build PROOF:• Alice:
– Detect a forged signature (s1,s2) for m
– Compute the original signature (s1,s2) for m
– Compute
PROOF(s)=r(s1-s1)(s2-s2)-1 (mod q)
r is the proof
Van Heyst & Pedersen Signature
Zhijun Li S1034040/Autumn08/HIT 54
• Lemma 1: Let Oscar with unlimited power, he can solve (a1,a2,b1,b2) with q possible solutions from the public information and a signature s=(s1,s2) for m
• Proof: Denote 1=ge1 and 2=ge2 , so
ge1 ga1grb1 mod p ge2 ga2grb2 mod p
e1=a1+rb1 mod q e1=a1+rb1 mod q s1=a1+mb1 mod q s2=a2+mb2 mod q
m010
0m01
r100
00r1
2
1
2
1
s
s
e
e
=
2
1
2
1
b
b
a
a
Rank is 3
Find by unlimited power
Van Heyst & Pedersen: Remark
Zhijun Li S1034040/Autumn08/HIT 55
Rank is 4
m010
0m01
r100
00r1
2
1
2
1
s
se
e
=
2
1
2
1
b
b
a
a
m’010
0m’01
2
1
s’s’
Van Heyst & Pedersen: Remark
• Lemma 2: Let a signature s=(s1,s2) for m and a signature s’=(s1’,s2’) for m’, then a single solution for (a1,a2,b1,b2)
• Proof:
• Notes:– One-time signature– Oscar can compute s’=sigK(m’) with prob. 1/q known s=sigK(m)– BUT Oscar can give a verifiable signature s’’ for m’ and s’’s’
Zhijun Li S1034040/Autumn08/HIT 56
• Lemma 3: If Signer get a forged signature s’=(s1’,s2’) for m
and s’s, he can compute the r=loggR
• Proof: – The forged signature s’ can pass the test 12
mgs’1Rs’2 mod p
– For original signature 12
mgs1Rs2 mod p
– gs’1Rs’2 gs1Rs2 mod p r=loggR (s1-s1’)(s2’-s2)-1 (mod q)
Van Heyst & Pedersen: Remark
Zhijun Li S1034040/Autumn08/HIT 57
Summary
• Nonreputation – Digital Signature – Public Key Infrastructure
• RSA Signature• ElGamal Signature• Digital Signature Algorithm • Signatures with other Properties