# digital signatures

Post on 18-Mar-2016

67 views

Embed Size (px)

DESCRIPTION

Digital Signatures. Presented by Olga Shishenina. Outline. Cryptographic goals Message Authentication Codes (MACs) Digital signatures RSA digital signature Elliptic curve digital signature Comparison of ECDSA and RSA signature. Message authentication. Entity authentication. - PowerPoint PPT PresentationTRANSCRIPT

Digital SignaturesPresented byOlga Shishenina

OutlineCryptographic goalsMessage Authentication Codes (MACs)

Digital signaturesRSA digital signatureElliptic curve digital signature

Comparison of ECDSA and RSA signature

Cryptographic GoalsSymmetric-key ciphers:Block ciphersStream ciphers

Public-keyciphersCryptographic goalsConfidentialityData integrityAuthenticationNon-repudiationArbitrary lengthhash functions

Message Authentication codes (MACs)

Digital signaturesAuthentication primitivesDigital signaturesMACs

Digitalsignatures

Non-repudiationAliceBobm is a signed messages is a valid signature for m m, sAlice denies her signature if she finds: m m : s is valid signature for m

Message Authentication CodesMAC f(x, key):{0,1}* {0,1}nknowing x and key f is easy to computeit is infeasible to calculate f(x, key)without the key

MAC are often block cipher basedmessage m, secret key kspecification of block cipher EMAC (m) = E( m, key )MAC (m) = E(hash(m), key )

CBC-based MAC algorithmEkey0X1(n bit)EkeyX2 (n bit)h1h2EkeyXt (n bit)ht-1H = MACOptional output transformationAlgorithm CBC-MACINPUT: data x; specification of block cipher E; secret MAC key for EOUTPUT: n-bit MAC on xn bitn bith1(n bit)h2(n bit)

Use of a MACUsed to provide Data integrity Message authentication

Digital Signatures Scheme Used to provide Data integrity Message authentication Non-repudiation

Difference between MAC and digital signatureTo prove the validity of a MAC to a third party, you need to reveal the key

If you can verify a MAC, you can also create it

MAC does not allow a distinction to be made between the parties sharing the key

Computing a MAC is (usually) much faster than computing a digital signatureImportant for devices with low computing power

RSA signature algorithm

RSA Developed in 1978 by Rivest, Shamir and Adleman (RSA)

Most popular public key cryptosystem

Based on the hard problem of integer factorization

Key-Generation for RSA(1)Generate two large random distinct primes p and q, each roughly the same size

Compute n = pq and

Select random integer e:

Compute unique integer d:

Public key is (n, e); Private key is d

Key-Generation for RSA(2)Usually numbers with the right bit length are chosen randomly and tested for primality

Statistical tests are used to determine the probability that these numbers are primesi.e. Strassen TestMiller Rabin Test

There is always an insignificantly low chance that number is not prime

Used notationM is a set of elements, called the message space = Zn

MS is a set of elements, called the signing space = Zn

R is a 1 to 1 mapping from M to MS, called the redundancy function

MR is the image of R: {y| y = R(x), x M}

R-1 is the inverse of R: MR M

RSA signature generation and verificationTo sign a message A should:Compute:where R(m) is a redundancy functionCompute: As signature for m is s

To verify As signature and recover m, B should:Obtain As authentic public key (n, e)Compute: Verify that ; if not, reject the signatureRecover

Proof that signature verification worksEulers theorem: ,where is the Eulers function of n

If s is a signature for m, then:

Since , then:

Finally:

RSA signature exampleAlicep=5 q=7 n = 35 (n) = 46=24e = 5; d: ed = 5d=1 mod 24 => d = 5Public key: (n=35, e=5) Private key: d=5

M = [0, n-1]For all m M R(m)=m m = 26; R(m) = 26 s = 265 mod 35 = 31Bob: R(m) = 315 mod 35 = 26 [0, n-1]m = R-1(m) = 26

Possible Attacks on RSA signatureInteger factorizationIf an adversary is able to factor n, then

Multiplicative property of RSA

If , then s is valid signature for m: Hence, to avoid this attack R must not be multiplicative, i.e.

Performance characteristicsn=pq , where n is 2k-bit, p&q k-bit primes

takes bit operations

Verification is significantly faster that signing if e is chosen to be a small number, e.g.

It is not recommended to restrict the size of d

Short vs. long messagesn=pq , where n is 2k-bits, p&q k-bits primesISO/IEC 9796R:

To sign a kt-bits message m:Divide m = m1 || m2 || m3 || || mt and sign each block individually one transmits 2kt bits.

Sign a l-bits hash(m), l k. Then one transmits kt+2k bits. (kt to transmit the message)

If t > 2, then kt+2k < 2kt

The Elliptic Curve Digital Signature Algorithm (ECDSA)

Elliptic curves (EC) over the realsA non-singular EC is the set E of solutions to the equation

together with a special point O, where

has three distinct roots

An EC over the realsy2 = x3 4x 4a3 + 27b2 = -256

Addition Geometric ApproachChord-and-tangent rule P + Q = R, P Q

Point doublingP + P = 2 P = Rxy(x1, y1) = P Q = (x2, y2) R = (x3, y3)xyP = (x1, y1) R = (x3, y3)-R = (x3, -y3)-R = (x3, -y3)

Addition Algebraic ApproachE is elliptic curve over the reals ( is the identity element )If

-P

Galois Fields (Finite Fields) GF (q)Is a set of elements (G, + , *) that satisfy certain arithmetic properties

Finite Field exists iff q is a prime power

If q = p, p is prime{0, 1, ... , p - 1 } are the field elementsADDITION: MULTIPLICATION: INVERSION:

Elliptic Curves Over Finite FieldsOver GF(p), p is prime, p > 3

Elliptic curve E equation

where

E consists of all pairs satisfying curve equation special point - point at infinity

Example 1: elliptic curve over GF(23)p = 23

The points in E are and the following:(0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) 28 points + = 29 points Lets consider (4, 7) 64 + 4 + 4 = 72 = 3 (mod 23) 49 = 3 (mod 23)

Basic FactsLet E(GF(q)) be an EC over GF(q)The points of E(GF(q)), form a group under addition Hasses theorem: Number of points on E (group order):

If #E is prime then the group is cyclic and

If #E has a prime factor, that there exists a cyclic subgroup

Example 2: elliptic curve over GF(23)p = 23

The points in E are and the following: P = (0, 2) 2P = (13, 12) 3P = (11, 9) 4P = (1, 12) 5P = (7, 20) 6P = (9, 11) 7P = (15, 9) 8P = (14, 5) 9P = (4, 7) 10P = (22, 5) 11P = (10, 5) 12P = (17, 9)13P = (8, 15) 14P = (18, 9) 15P = (18, 14) 16P = (8, 8) 17P = (17, 14) 18P = (10, 18) 19P = (22, 18) 20P = (4, 16)21P = (14, 18) 22P = (15, 17) 23P = (9, 12) 24P = (7, 3) 25P = (1, 11) 26P = (11, 14) 27P = (13, 11) 28P = (0, 21) 29P = O 30P = P 29 points

ECDSA parameters setupCreate (random) public abstract groups

Domain Parameter Generate: Complex & public. DP often taken from published list.

Domain Parameter Validate: Easy & public

Key Pair Generate: Easy & private.

Key Pair Validate: Easy & public.

ECDSA Domain ParametersDomain parameters D = (q, a, b, G, n, h) Field size q, q = p or q = 2mCoefficients a, b in GF(q) of E=Ea,b(GF(q)):Seed s of length 160 bits (Optional)Base point G=(xG, yG) on curve E, i.e. Order n of G: n is prime, Cofactor h: #E(GF(q)) = hn

Curve parameters generation(1)Input: GF(p), p is primeOutput: seed, curve coefficients a & bUsed notations:

Curve parameters generation(2) if abort and start again Choose a,b Result: y2 = x3 + ax + b if Exclude singular curves

Isomorphism classes of ECs(1)E1: y2 = x3 +a1x +b1 and E2: y2 = x3 +a2x +b2 are isomorphic

Step 3: Choose a,b

There only 2 variants for a and b on step 3

Isomorphism classes of ECs(2)Lets prove that there are precisely 2 choices for (a, b) on step 3 :We can find a1, b1 and a2, b2:

We can not find a3, b3 : E3 is not isomorphic to E1 or E2

Domain Parameter GenerationDomain parameters D = (q, a, b, G, n, h) Generate EC coeffs a & bE ( GF(q) ): y2 = x3 + ax + bCompute #E( GF(q) ) (e.g. Schoofs algorithm)Verify that , n is prime,if not, go to step 1Verify that if not, go to step 1Verify that nq if not, go to step 1Select an arbitrary point Set Repeat until

Key pair

D = (q, a, b, G, n, h)Key generation:Select random d: 1 d n-1Q = dGQ(xQ, yQ) is public G is privateAlice(signer)Bob(verifier)(D, Q)Q is valid or not???Key validation:

Check that:Q nQ = If any check fails-> Q is invalidelse-> Q is valid

ECDSA generation & verificationBobParameters D = (q, a, b, G, n, h)Alices public key QAlices signature (r, s) on m To sign message m:k randomly chosen 0 < k < n-1kG = (x1, y1) r =x1 mod nif r = 0 abort and start againe = SHA-1(m) s = k-1 ( e + dr) mod nif s = 0 abort and start againOutput: (r, s)AliceParameters D = (q, a, b, G, n, h)Associated keys (d, Q)Proof that signature verification works:D, Q, m, r, s

Ordinary DLPDefinition:Given: prime p, generator g of GF(p), nonzero element y GF(p), Find: the unique integer k, 0 k p 2: y gk(mod p)k is called the discrete logarithm of y to the base g

Known attacksThe most efficient:Index Calculus Method O( )