1 chapter 7-2 signature schemes. 2 outline [1] introduction [2] security requirements for signature...
TRANSCRIPT
2
Outline
[1] Introduction [2] Security Requirements for Signature
Schemes [3] The ElGamal Signature Scheme [4] Variants of the ElGamal Signature Scheme
The Schnorr Signature Scheme The Digital Signature Algorithm The Elliptic Curve DSA
[5] Signatures with additional functionality Blind Signatures Undeniable Signatures Fail-stop Signatures
3
[4] Variants of the ElGamal Signature Scheme
Schnorr Signature Scheme Proposed in 1989 Greatly reduced the signature size
Digital Signature Algorithm (DSA) Proposed in 1991 Was adopted as a standard on December 1, 1994
Elliptic Curve DSA (ECDSA) FIPS 186-2 in 2000
4
Let p be a prime such that the DL problem in Zp* is intractable, and let q be a prime that divides p-1. Let α be a qth root of 1 modulo p.
Define K={ (p,q,α,a,β):β=αa mod p }
p,q,α,β are the public key, a is private
Schnorr Signature Scheme
5
For a (secret) random number k, definesig(x,k)=(γ,δ), whereγ=hash(x||αk ) andδ=k+aγ mod q
For a message (x,(γ,δ)), verification is done by performing the following computations:
ver(x,(γ,δ))=true iff. hash(x||αδβ-γ)=γ
7
Schnorr Signature Scheme Example
We take q=101, p=78q+1=7879, α=170, a=75, then
β=17075 mod 7879=4567
To sign the message m=15, Alice selects k=50;Then γ=hash(15||17050),
δ=5+75*γ mod 101
(15,(γ,δ)) is the signed message
8
Digital Signature Algorithm
Let p be a L-bit prime such that the DL problem in Zp* is intractable, and let q be a 160-bit prime that divides p-1. Let α be a qth root of 1 modulo p.
Define K={ (p,q,α,a,β): β=αa mod p }
p,q,α,β are the public key, a is private
L=0 mod 64, 512≤L≤1024
9
For a (secret) random number k, definesig (x,k)=(γ,δ), whereγ=(αk mod p) mod q andδ=(SHA-1(x)+aγ)k-1 mod q
For a message (x,(γ,δ)), verification is done by performing the following computations:
e1=SHA-1(x)*δ-1 mod qe2=γ*δ-1 mod q
ver(x,(γ,δ))=true iff. (αe1βe2 mod p) mod q=γ
10
Notice that the verification requires to compute:
e1=SHA-1(x)*δ-1 mod q
e2=γ*δ-1 mod q
when δ=0 (it is possible!), Alice should re-construct a new signature with a new k
11
Take q=101, p=78q+1=7879, α=170, a=75;then β=4567
To sign the message SHA-1(x)=22, Alice selects k=50;Then γ=(17050 mod 7879) mod 101=94,
δ=(22+75*94)50-1 mod 101=97
(x, (94,97)) is the signed message
DSA Example
12
The signature (94,97) on the message digest 22 can be verify by the following computations:
δ-1=97-1 mod 101=25e1=22*25 mod 101=45e2=94*25 mod 101=27
(17045*456727 mod 7879) mod 101 = 94 =γ
13
Elliptic Curve DSA
Let p be a prime or a power of two, and let E be an elliptic curve defined over Fp. Let A be a point on E having prime order q, such that DL problem in <A> is infeasible.
Define K={ (p,q,E,A,m,B): B=mA }
p,q,E,A,B are the public key, m is private
14
For a (secret) random number k, define sigk(x,k)=(r,s),
where rA=(u,v), r=u mod q ands=k-1(SHA-1(x)+mr) mod q
For a message (x,(r,s)), verification is done by performing the following computations:
i=SHA-1(x)*s-1 mod qj=r*s-1 mod q(u,v)=iA+jB
ver(x,(r,s))=true if and only if u mod q=r
15
[5] Signatures with additional functionality
Blind signature schemes (1983) Undeniable signature schemes
(1989) Fail-stop signature schemes (1992)
16
Blind signature schemes
A sends a piece of information to B which B signs and returns to A. From this signature, A can compute B’s signature on an a priori message x of A’s choice (B is a signer here!)
B knows neither the message x nor the signature associated with it
17
Chaum’s blind signature protocol (1983)(A is a verifier and B is a signer, (n,e) is RSA public
key of B and d is RSA private key of B)1. A randomly select a secret integer k2. A computes x*=xke mod n and sends it to B3. B computes y*=(x*)d mod n and sends it to A4. A computes y=k-1y* mod n, which is B’s signature
on x (Note the signer B does not know (x,y) but (x,y) is a
B’s signed message.)
18
Undeniable Signatures
A signature can not be verified without the cooperation of the signer
First introduced by Chaum and van Antwerpen in 1989
Protects Alice against the possibility that documents signed by her are duplicated and distributed electronically without her approval
19
Since a signature should be verified with the cooperation of the signer, it is possible for a signer
to evilly disavow a signature which signed by him previously
An undeniable signature scheme should consists of a disavowal protocol between the verifier B and the signer A, such that:
For a signature which is not signed by A, B will recognize it as a forgery
For a signature which is signed by A, A can fool B to recognized it as a forgery with very low probability
20
An application of the undeniable signature
A large corporation A creates a software package. A signs the package and sells it to B, who decides to make copies of this package and resell it to a third party C. C is unable to verify the authenticity of the software without the cooperation of A
21
Chaum-van Antwerpen undenial signature scheme
Let p=2q+1 be a prime such that q is primeAnd the DL problem in Zp is intractable.
Let α be an element of order q. Define:
K={ (p,α,a,β) :β=αa mod p }1. Signing algorithm To sign a message x, Alice computes
y=sig(x)=xa mod p
22
2. Verification protocol Bob chooses e1,e2 from Zq* randomly Bob computes c=ye1βe2 mod p and
sends it to Alice Alice computes d=ca-1 mod q mod p and
sends it to Bob Bob accepts s as a valid signature if
and only ifd = xe1αe2 mod p
23
c=ye1βe2 mod p
d=ca-1 mod q mod p
d ≠ xe1αe2 mod pTwo possibilities:• y is not a valid signature of
x• y is the signature of x, she
is fooling me by sending garbled d to me
SignerVerifier
message x, signature y
24
(Correctness of the signature protocol)
Bob will accept a valid signature, since if s is valid:
y=xa mod p,then
c = ye1βe2 = xae1αae2 mod pHence
d = xe1αe2 mod pas desired
25
I doubt that you are fooling meto disavow your signature on x
c=ye1βe2
d=(c)a-1
c’=ye1’βe2’
d’=(c’)a-1
Fact: if y≠xa, (dα-e2)e1’=(d’α-e2’)e1
(dα-e2)e1’=(d’α-e2’)e1
I blame her wrongly, y is not signed by her
SignerVerifier
26
c=ye1βe2
d=(c)a-1
c’=ye1’βe2’
d’=(c’)a-1
Fact: if y=xa, she can make (dα-e2)e1’=(d’α-e2’)e1
holds with a very small probability 1/q
Verifier Signer
27
3. Disavowal protocol (1/3)
B selects random secret integers e1,e2 and computes c=ye1βe2 mod p, and sends c to A
A computes d=(c)a-1 mod p and sends d to B
B checks if d=xe1αe2, then he concludes thaty is a valid signature of x, otherwise go to
next step
28
Disavowal protocol (2/3)
B selects random secret integers e1’,e2’ and computes c’=ye1’βe2’ mod p, and sends c’ to A
A computes d’=(c’)a-1 mod p and sends d’ to B
B checks if d’=xe1’αe2’, then he concludes thaty is a valid signature of x, otherwise go to next step
29
Disavowal protocol (3/3)
B checks (dα-e2)e1’=(d’α-e2’)e1 if it holds, he concludes that y is a forgery
Otherwise, he concludes that A is trying
to disavow the signature
30
Fact Let x be a message and suppose that y isA’s (purported) signature on x
If y is a forgery, i.e., y≠xa mod p, then(dα-e2)e1’=(d’α-e2’)e1 holds
Suppose that y is indeed A’s signature for x, i.e., y=xa mod p, then(dα-e2)e1’=(d’α-e2’)e1 holds with probability 1/q
31
Fail-stop Signatures
In a fail-stop signature scheme, when Oscar is able to forge Alice’s signature on a message, Alice will (with high probability) be able to prove that Oscar’s signature is a forgery
A fail-stop signature scheme consists of a singing algorithm, a verification algorithm and a “proof of forgery” algorithm
32
Van Heyst and Pedersen scheme (1992)
Let p=2q+1 be a prime such that q is prime and the DL problem in Zp is intractable. Let α be an element of order q. Let 1≤a0≤q-1 and define β=αa0 mod p.
The value of a0 is kept secret from everyone
The values p,q,α,β and a0 are chosen by a trusted central authority
33
A key has the formK=(γ1,γ2,a1,a2,b1,b2)
whereγ1=αa1βa2 mod p
γ2=αb1βb2 mod p
(γ1,γ2) is the public key and (a1,a2,b1,b2) is private
34
To sign a message x,sig(x)=(y1,y2)
wherey1=a1+xb1 mod q
y2=a2+xb2 mod q
To verify a signed message (x,(y1,y2))
ver(x,(y1,y2))=true iff. γ1γ2x =αy1βy2 mod p
35
Proof of forgery – the argument
If there is a signature (y1’’,y2’’) on a message x’ which can be verified as signing by Alice, but actually it is not signed by Alice, i.e.
(y1’’,y2’’)≠sig(x’)
then Alice can calculate the secret a0 which was not given to her
Alice shows a0 to prove that she is innocent
36
Proof of forgery – calculation of a0
Since (y1’’,y2’’) is a valid signature on x’
γ1γ2x’ =αy1’’βy2’’ mod p
Alice can compute her own signature (y1’,y2’) on x’
γ1γ2x’ =αy1’βy2’ mod p
Henceαy1’’βy2’’=αy1’βy2’ mod p
αy1’’αa0y2’’=αy1’αa0y2’ mod p