Asymmetric Key Signatures

David Evans and Samee ZahurCS4501, Fall 2015

Please pay $1000 to my employee--TheBoss

You have money!

Real-life Signatures

Easy to verify• Bank has your signatureForging unlikely• Legal consequences of forging• Checkbooks are well-guarded• Copying it requires physical accessHard to repudiate• Bank keeps a copy for few months

Digital Signatures

Easy to verify• Everybody has your “verification key”, vkHard to forge• Nobody but you has the “signing key”, skHard to repudiate• Everybody knows only you have signing key

Topics

• Asymmetric cryptography• Digital signatures• Elliptic curve cryptography• Implementation pitfalls

Ordinary (or symmetric) crypto

Message

key key

Whitfield Diffie

Martin Hellman

New Directions in Cryptography, 1976

Diffie-Hellman Key Exchange

𝑔𝑎  mod  𝑝

𝑔𝑏  mod  𝑝Picks secret aComputes

Picks secret bComputesPublic values:

Shared secret:

Discrete Logarithm Problem

Given find such that:

Discrete Logarithm Problem

Random element out of …?

𝑔𝑎  mod  𝑝

𝑔𝑏  mod  𝑝Picks random aComputes

Picks random bComputes

Mod 5 Exponentiation

0 1 2 3 4 5 6 …

0 - 0 0 0 0 0 0 …

1 1 1 1 1 1 1 1 …

2 1 2 4 3 1 2 4 …

3 1 3 4 2 1 3 4 …

4 1 4 1 4 1 4 1 …

Order 1

Order 2

In mod multiplication, multiplicative order is always a factor of

Exponent Modulus

• Multiplicative order is at most • Pick random such that

Public-key Cryptography

Publicly announces

,

Picks secret aComputes

Picks random secret b. Computes

Encrypts message :

Public values: Shared secret:

Man-in-the-Middle (MITM)

𝑔𝑎

, Picks secret aComputes

Picks secret b. Computes

Encrypts message :

𝑔𝑎 ′

,

Picks random , ,Reads everything

Digital Signature

Recall

Easy to verify• Everybody has your “verification key”, vkHard to forge• Nobody but you has the “signing key”, skHard to repudiate• Everybody knows only you have signing key

Discrete-log based signature

ElGamal Signature Scheme

SigningInput: message 1. Pick random 2. Compute

3. Send with message

VerificationInput: message Check if

Fixed global parameters: Private key: Public key:

Bitcoin PaymentSign it like a check!

Recap

1. We want to sign transactions digitally on the bitcoin network, such that they are:a) Easy to verifyb) Hard to forgec) Hard to repudiate

2. Discrete exponentiation is easy, logarithm is hard3. We used it to make asymmetric (aka. public) key crypto4. Same principle used for digital signatures

Avoiding (overly) long numbers

Informal Requirements

Given and , should be hard to solve for

Group

A group is a set of elements (denoted ) and an associated binary operation (denoted ) that satisfies the following:• Closure: is also a group element, or • Associativity: • Identity element: • Inverse: Not necessary, but okay to have:• Commutativity:

Additional Cryptographic Properties

• Discrete logarithm should be hard• Group operation should be efficient• Implies small key sizes

Elliptic Curve Cryptography (ECC)

• Group elements: points on the curve, P, Q, and R• Point “addition”: using

“geometry”. P+Q=R

𝑦 2=𝑥3+7

P

Q

R

Elliptic “Curve”

Image from: http://www.coindesk.com/math-behind-bitcoin/

Elliptic Curve Digital Signature Algorithm (ECDSA)

ElGamal SignatureInputs: message , private key 1. Pick random 2. Compute

3. Send with message Verification

Check if

ECDSAInputs: message , private key 1. Pick random k2. Compute

a) , let

3. Send with message Verification

If , check

Please pay $1000 to my employee--TheBoss

You have money!

Jason Benjamin

Logistics

• Next class: hash functions and Bitcoin consensus• Checkup 1 on Monday. Includes everything till today