1 cis 5371 cryptography 8. data integrity techniques
TRANSCRIPT
Asymmetric techniques, I
Digital signaturesWith PK encryption, Alice can use her private key to decrypt a message and the resultant “ciphertext’’ can be “encrypted’’ to recover the message.
This ciphertext can serve as a Manipulation Detection Code (MDC).The verification of a MDC can be performed by anyone since the public key is available to anyone.
Example of an MDC based on RSA
• Let p = 101, q = 113. Then n = 11413.• (n) = 100 112 = 11200 = 26527• Alice takes e = 3533, d = 6597• Alice publishes: n = 11413, e = 3533.• Let the message be m = 5761• Alice computes the MDC:
57616597 (mod 11413) = 9726• Suppose Bob wants to verify that 9726 is the MDC of Alice• Bob computes 97263533 mod 11413 = 5761
Digital signature schemes
• M, message space
• S, signature space
• K, signing key space
• K’, verifying key space
• Gen: KK’, an efficient key generating algorithm
• Sign: MK S, an efficient signing algorithm
• Verify: MSK’ {true,false} an efficient verifying algorithm.
The RSA signature schemeSignature setup: n = pq, where p and q are primes.
M = S = Zn , with keyspace
K = {(n,e,d) : ed = 1 mod (n) }.
Public key = (n,e), Private key (n,d).
Signature generation: for m Zn,
Signature Verification
if and only if
Security issues for Digital Signatures
Active attacks digital signatures• Adaptive Chosen-Message Attack (CMA):
– The attacker chooses adaptively a number of messages and obtains the corresponding signatures: the task of the attacker is successful if he can sign a (new) target message.
• Existential forgery under CMA: – The algorithms (Sign,Verify) form a one-way trapdoor pair.
This means that it is easy to compute valid “message-signature” pairs
(by first selecting a signature and then finding the corresponding message).
– However, computing message-signature pairs should be hard. – A usual way to control this is add redundancy to the message.
Rabin signatures
Signature setup: Same as RSA
Public key = (n,b), Private key = (p,q).
Signature generation: Exercise
Signature Verification: Exercise
The ElGamal signature scheme
Signature setup:
Same as ElGamal encryption scheme, with:
M = Zp* , S = Zp* Zp-1, and keyspace K = Zp* Zp-1.
Public key = (p, g, y)
Private key = (p, g, x).
The ElGamal signature scheme• Signing
Let m Zp* be a message.
For public key (p,g,y), with y = gx mod p,
and a secret random number k Zp-1, define:
sigx,k (m,k) = (s,t), where• s = gk mod p• t = (m-xs) k-1 mod ( p-1)
• Verification
Verify(p,,g,y)(m,(s,t)) = true st·ys = gm mod p.
Toy example
Let p = 467, g = 2, x = 127, y = 132
message m = 100,
Choose k = 213. Then k -1mod 466 = 431.
The signature is: s = 2213 mod 467 = 29
t = (m-xs) k -1 mod (p-1)
= (100-127×29) 431 mod 466 = 51
Verification: 2100 ? 2951×13229 mod 467
The security of ElGamal signatures
• If the DL problem is feasible then ElGamal signatures can be forged.
• The converse may not be true.• The exponent k must be
• private• cannot be used twice• best: chosen at random.
The Digital Signature Algorithm
Let p be a an L-bit prime prime,
512 L 1024 and L 0 mod 64 ,
let q be a 160-bit prime that divides p-1 and
Let e Zp* be a q-th root of 1 modulo p.
Let M = Zp-1,
S = Zq x Zq and
K = {(p,q,,x,y): y = x modp }.
• The public key is (p,q,,y).• The private key is (p,q,,x).
The Digital Signature scheme
• Signing Let m Z be a message.
For public key (p,g,,y), with y = x mod p, and
secret random number k Zp-1, define: sigx,k(m) = (s,t), where
• s = ( k mod p) mod q• t = (SHA(m) + xs) k -1 mod q
• Verification Let
• e1 = (SHA(m)) t -1 mod q• e2 = s t -1 mod q
Verify(p,,y),(m,(s,t)) = true ( e1 y e2 mod p) mod q = s.
Provable security
Forging signatures
• We must how that given a message it is hard to forge a signature. Is this enough?
• There are several attacks we already discussed:• Existential forgery• Adaptive Chosen-Message Attacks
• What is really needed is a formal security model for digital signatures, that allows for all possible threat scenarios and all protocol aspects.
• One such model is the Random Oracle model.
Asymmetric techniques, IIData Integrity without source Identification
Optimal Asymmetric Encryption Padding
RSA-OAEP
RSA with OAEP
Key ParametersLet (N,e,d,G,H,n,k0,k1) U Gen (1x) satisfy:
(N,e,d) are RSA parameters
|N| = k = n+k0+k1, with 2k0, 2k1 negligible quantities
G, H hash functions with: G: {0,1}k0 {0,1}k-k0 , H: {0,1}k-k0 {0,1}k0
n is the length of the plaintext
(n, k0,k1,G,H,e) is Alice’s RSA public key,
(n, k0,k1,G,H,d) is Alice’s RSA private key.
RSA with OAEP
Encryption Let m {0,1}n be the message to be sent to Alice.
Bob (the adversary?) performs the following:
1. .r U {0,1}k0 ;
s (m || 0k1) G(r) ; t r H(s)
2. .c (s || t) e mod N
RSA with OAEP
Decryption
Upon receipt of the ciphertext c Alice performs:
1. .s || t c d mod N satisfying
|s| = n+k1 , |t| = k0
2. .u t H(s); v s G(u)
3. Output m if v = m || 0k0, else reject.
RSA with OAEP
Security
RSA with OAEP provides data-integrity, but not origin integrity.
It can be shown that RSA-OAEP is secure against adaptive chosen ciphertext (CCA2) attacks in the Random Oracle Model.
The Random Oracle Model (ROM)
• Security is defined in terms of a game involving two parties: the system and the adversary.
• All authorized parties of the system are represented by random oracles (Alice, Bob, …)
• Access to any party is via its oracle.• Access to an oracle G is by a query a, to get the
response G(a). • The system of oracles is managed by a Simulator (who
arranges that the oracles simulate the behavior of the real parties).
The Random Oracle Model• There are two phases:
• A training phase in which adversary is allowed to make queries (adaptively) and get responses.
• A test phase in which adversary must answer 0 or 1 as his educated guess to a challenge.
• The adversary wins if at the test phase he can distinguish with probability better than
0.5 + negl
between two strings. e.g. if a public-key encryption system is analyzed, the adversary must distinguish between the ciphertexts c1,c2 of two new messages m1, m2.
The Random Oracle Model
• The system is secure if the adversary cannot win.• The type of queries the adversary can make is
determined by the threat model used. • in CCA2 the adversary can adaptively chose
ciphertexts an get the corresponding plaintexts.
One-time signatures Lamport signature scheme
Let k be an integer, P = {0,1}k.
Suppose that f : Y Z is a one-way function,
and A = Y k.
Let yi,j Y be chosen at random, 1 ≤ i ≤ k, j =0,1, and
zi,j = f (yi,j),
The key K consists of the 2k pairs : (yi,j, zi,j).
The y’s are the private key, the z’s are the pubic key.
Lamport signature scheme Signing
Let x = (x1,x2, … , xk) P be a message.
For K = (yi,j, zi,j) define
sigK (x1,x2, … , xk) = (y1,x1,y2,x2
, … , yk,xk ) .
Verification
verK((x1,x2, … xk),(y1,x1,y2,x2
, … , yk,xk )) = true
f(yi) = zixi , 1 ≤ i ≤ k
The security of the Lamport signature scheme
The security of the Lamport signature scheme can
be proven if we assume that:
• The one-way function is bijective, and that• The public key consists of distinct elements.
Certificates and Public-Key Infrastructures
We have not shown how to distribute securely public keys.
We shall now show how this can be done by using public-key cryptography
Sounds circular, and is! but works.
26
Certificates and Public-Key Infrastructures
A first approach: bootstrap all public-keys to a single one using certificates.
To be concrete suppose that Charlie has generated a key pair (
Consider the certificate
Give this to Bob. Bob publishes: This authenticates the public key of Bob to anyone
who trusts Charlie.
27