Digital Signatures
Presented by Olga Shishenina
Outline
Cryptographic goals
Message Authentication Codes (MACs)
Digital signatures
RSA digital signature
Elliptic curve digital signature
Comparison of ECDSA and RSA signature
Cryptographic Goals
Confidentiality: symmetric-key ciphers (block ciphers, stream ciphers) and public-key ciphers.
Data integrity.
Authentication: message authentication and entity authentication.
Non-repudiation: digital signatures.
Authentication primitives: arbitrary-length hash functions, Message Authentication Codes (MACs) and digital signatures.
Non-repudiation
Alice sends Bob the pair (m, s): m is a signed message and s is a valid signature for m.
Alice can deny her signature if she finds an m' ≠ m such that s is also a valid signature for m'.
Message Authentication Codes
A MAC is a keyed function $f(x, \text{key}): \{0,1\}^* \to \{0,1\}^n$ such that
knowing x and the key, f is easy to compute;
without the key it is infeasible to calculate $f(x, \text{key})$.
MACs are often block-cipher based: given a message m, a secret key and a block cipher E,
$\text{MAC}(m) = E(m, \text{key})$ or $\text{MAC}(m) = E(\text{hash}(m), \text{key})$.
CBC-based MAC algorithm
Algorithm CBC-MAC
INPUT: data x; specification of block cipher E; secret MAC key for E
OUTPUT: n-bit MAC on x
Split x into n-bit blocks $x_1, x_2, \ldots, x_t$ and chain them through E under the key (the diagram starts from the all-zero block):
$h_1 = E_{\text{key}}(x_1)$
$h_i = E_{\text{key}}(h_{i-1} \oplus x_i), \quad 2 \le i \le t$
$H = \text{MAC} = h_t$, optionally after an output transformation.
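The chain above in working code, as an added example that is not part of the presentation. It keeps the slide's structure (zero start value, $h_i = E_{\text{key}}(h_{i-1} \oplus x_i)$, MAC $= h_t$ with no output transformation) and then shows why the output transformation is not really optional for variable-length messages: without it, anyone holding MACs on two messages can splice them into a third message with a valid tag. Assumptions: the block cipher is a 4-round Feistel stand-in built from SHA-256 (a valid keyed permutation for the demo, not a vetted cipher; AES-128 would slot into the same `cipher` parameter), and the key and messages are constructed.

```python
"""CBC-MAC as chained on the slide (h_1 = E(x_1), h_i = E(h_{i-1} XOR x_i), MAC = h_t),
over a pluggable 16-byte block cipher, plus the splice forgery that shows why a raw
CBC-MAC needs an output transformation or a length prefix for variable-length messages."""
import hashlib
import hmac

BLOCK = 16  # n = 128 bits


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_key: a 4-round Feistel network with SHA-256 as round function.
    ASSUMPTION for this demo only: a keyed permutation, not a cipher to deploy."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes, cipher=toy_block_cipher) -> bytes:
    """Raw CBC-MAC: h_0 = 0^n, h_i = E_key(h_{i-1} XOR x_i), MAC = h_t (no output transform)."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty whole number of blocks")
    h = bytes(BLOCK)  # h_0 = 0, so h_1 = E_key(x_1) exactly as on the slide
    for i in range(0, len(msg), BLOCK):
        h = cipher(key, xor(h, msg[i:i + BLOCK]))
    return h


def cbc_mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # constant-time comparison: a byte-by-byte tag check would leak through timing
    return hmac.compare_digest(cbc_mac(key, msg), tag)


def splice_forgery(m1: bytes, tag1: bytes, m2: bytes) -> bytes:
    """No key needed. Given MAC(m1) = tag1, the message
        m1 || (tag1 XOR first block of m2) || rest of m2
    has the same MAC as m2: after absorbing m1 the chaining value is tag1, which
    cancels against the XOR, so the chain continues exactly as it does for m2."""
    return m1 + xor(tag1, m2[:BLOCK]) + m2[BLOCK:]


def cbc_mac_with_length(key: bytes, msg: bytes) -> bytes:
    """One standard fix: prepend the message length as the first block. The message
    set becomes prefix-free and the splice above no longer lines up."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed demo key
    m1, m2 = b"A" * 16, b"B" * 32          # constructed messages
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    forged = splice_forgery(m1, t1, m2)
    print("raw CBC-MAC accepts spliced message:", cbc_mac_verify(key, forged, t2))
    print("length-prefixed CBC-MAC accepts it:  ",
          cbc_mac_with_length(key, forged) == cbc_mac_with_length(key, m2))
```

The forgery is the reason the slide's "optional output transformation" exists: encrypting $h_t$ once more under a second key, prepending the length as above, or using CMAC all break the property that the chaining value after a prefix equals a tag the attacker already knows.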
Use of a MAC
Signer: message → MAC algorithm (with the secret key) → message, MAC
→ unsecured channel →
Verifier: message, MAC → MAC verification algorithm (with the same secret key) → Ok / not Ok
Used to provide data integrity and message authentication.
Digital signature scheme
Used to provide data integrity, message authentication and non-repudiation.
Signer: message → signing algorithm (with the signer's private key) → message, signature
→ unsecured channel →
Verifier: message, signature → signature verification algorithm (with the signer's public key) → Ok / not Ok
Difference between MAC and digital signature
To prove the validity of a MAC to a third party, you need to reveal the key.
If you can verify a MAC, you can also create it.
A MAC does not allow a distinction to be made between the parties sharing the key.
Computing a MAC is (usually) much faster than computing a digital signature, which is important for devices with low computing power.
RSA signature algorithm
RSA
Developed in 1978 by Rivest, Shamir and Adleman (RSA).
Most popular public-key cryptosystem.
Based on the hard problem of integer factorization.
Key generation for RSA (1)
1. Generate two large random distinct primes p and q, each roughly the same size.
2. Compute $n = pq$ and $\varphi(n) = (p-1)(q-1)$.
3. Select a random integer e, $1 < e < \varphi(n)$, such that $\gcd(e, \varphi(n)) = 1$.
4. Compute the unique integer d, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$.
5. Public key is (n, e); private key is d.
Key generation for RSA (2)
Usually numbers with the right bit length are chosen randomly and tested for primality.
Probabilistic tests are used to bound the probability that such a number is composite, e.g. the Solovay-Strassen test and the Miller-Rabin test.
There is always an insignificantly small chance that a number which passes the test is not prime.
Used notation
M is a set of elements called the message space, $M = \mathbb{Z}_n$.
$M_S$ is a set of elements called the signing space, $M_S = \mathbb{Z}_n$.
R is a 1-to-1 mapping from M to $M_S$, called the redundancy function.
$M_R$ is the image of R: $M_R = \{\, y \mid y = R(x),\ x \in M \,\}$.
$R^{-1}$ is the inverse of R: $R^{-1}: M_R \to M$.
RSA signature generation and verification
To sign a message m, A should:
Compute $\tilde{m} = R(m)$, an integer in the range $[0, n-1]$, where R is the redundancy function.
Compute $s = \tilde{m}^d \bmod n$.
A's signature for m is s.
To verify A's signature and recover m, B should:
Obtain A's authentic public key (n, e).
Compute $\tilde{m} = s^e \bmod n$.
Verify that $\tilde{m} \in M_R$; if not, reject the signature.
Recover $m = R^{-1}(\tilde{m})$.
Proof that signature verification works
Euler's theorem: $a^{\varphi(n)} \equiv 1 \pmod n$ for every a with $\gcd(a, n) = 1$, where $\varphi(n)$ is Euler's function of n.
If s is a signature for m, then $s = \tilde{m}^d \bmod n$ with $\tilde{m} = R(m)$, $n = pq$ and $ed \equiv 1 \pmod{\varphi(n)}$.
Since $ed \equiv 1 \pmod{\varphi(n)}$, there is an integer k with $ed = 1 + k\varphi(n)$, and then
$s^e \equiv \tilde{m}^{ed} = \tilde{m}^{1 + k\varphi(n)} = \tilde{m} \cdot \left(\tilde{m}^{\varphi(n)}\right)^k \equiv \tilde{m} \pmod n.$
(Euler's theorem needs $\gcd(\tilde{m}, n) = 1$; the congruence in fact holds for every $\tilde{m} \in \mathbb{Z}_n$, by running the same argument modulo p and modulo q separately and combining with the Chinese remainder theorem.)
Finally $R^{-1}(\tilde{m}) = R^{-1}(R(m)) = m$.
RSA signature example
Alice: p = 5, q = 7, n = 35, $\varphi(n) = 4 \cdot 6 = 24$, e = 5; d: $ed = 5d \equiv 1 \pmod{24} \Rightarrow d = 5$.
Public key: (n = 35, e = 5). Private key: d = 5.
M = [0, n-1] and R(m) = m for all $m \in M$.
m = 26; $\tilde{m} = R(m) = 26$; $s = 26^5 \bmod 35 = 31$.
Bob: $\tilde{m} = 31^5 \bmod 35 = 26 \in [0, n-1]$; $m = R^{-1}(\tilde{m}) = 26$.
Possible attacks on RSA signature
Integer factorization: if an adversary is able to factor $n = pq$, then she computes $\varphi(n) = (p-1)(q-1)$ and finds d from $ed \equiv 1 \pmod{\varphi(n)}$.
Multiplicative property of RSA: if $s_1 = \tilde{m}_1^d \bmod n$ and $s_2 = \tilde{m}_2^d \bmod n$, then $s = s_1 s_2 \bmod n = (\tilde{m}_1 \tilde{m}_2)^d \bmod n$ is a valid signature for $\tilde{m} = \tilde{m}_1 \tilde{m}_2 \bmod n$, provided $\tilde{m} \in M_R$ (with $\tilde{m}_i = R(m_i)$).
Hence, to avoid this attack, R must not be multiplicative, i.e. it must not hold that $R(ab) = R(a)\,R(b)$ for all $a, b \in M$.
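The generation, example and attack slides above, run end to end as an added example (not code from the presentation): Miller-Rabin primality testing for the key generation, signing and verification in the slides' $\tilde{m} = R(m)$ notation, and the two forgeries that the identity redundancy $R(m) = m$ of the worked example permits. Assumptions: R is the identity on $M = [0, n-1]$ exactly as in the example (so the "$\tilde{m} \in M_R$" check can never reject anything, which is what makes both forgeries work); the fixed public exponent 65537 and the key sizes are choices for the demo.

```python
"""Textbook RSA signatures in the slides' notation (s = R(m)^d mod n, recover R(m) = s^e mod n),
with Miller-Rabin key generation and the attacks that a multiplicative R allows."""
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: a composite n survives all rounds with probability at most 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness candidate in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True


def random_prime(bits: int) -> int:
    """Random odd candidates of exactly `bits` bits, tested until one passes."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024, e: int = 65537):
    """Returns ((n, e), d). e is a fixed small prime so that verification stays cheap."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), pow(e, -1, phi)


def redundancy(m: int, n: int) -> int:
    """R(m) = m on M = [0, n-1]: the identity redundancy of the worked example (insecure)."""
    if not 0 <= m < n:
        raise ValueError("message outside M = [0, n-1]")
    return m


def rsa_sign(m: int, d: int, n: int) -> int:
    return pow(redundancy(m, n), d, n)            # s = R(m)^d mod n


def rsa_verify(s: int, e: int, n: int):
    """Returns the recovered message, or None if s^e mod n is not in M_R.
    With R = identity, M_R is all of Z_n, so this check never rejects."""
    m_tilde = pow(s, e, n)
    return m_tilde if 0 <= m_tilde < n else None


def forge_by_multiplicativity(s1: int, s2: int, n: int) -> int:
    """s1*s2 mod n is a valid signature on m1*m2 mod n; no private key involved."""
    return (s1 * s2) % n


def existential_forgery(e: int, n: int):
    """Pick any s; m = s^e mod n is a message for which s verifies. Only possible
    because the identity R leaves no redundancy for the verifier to check."""
    s = secrets.randbelow(n - 2) + 2
    return pow(s, e, n), s


if __name__ == "__main__":
    (n, e), d = rsa_keygen(512)                   # small key for a quick demo only
    m = secrets.randbelow(n)
    print("round trip ok:", rsa_verify(rsa_sign(m, d, n), e, n) == m)
```

With the example key (n = 35, e = 5, d = 5) the signatures on 3 and 4 multiply to a valid signature on 12, and any random s is a valid signature on $s^5 \bmod 35$; a real redundancy function (or a hash-then-pad encoding) is what closes both holes.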
Performance characteristics
n = pq, where n is 2k bits and p, q are k-bit primes.
Signing, $s = \tilde{m}^d \bmod n$, takes $O(k^3)$ bit operations.
Verification is significantly faster than signing if e is chosen to be a small number, e.g. $e = 3$ or $e = 2^{16} + 1$; e must be chosen so that $\gcd(e, (p-1)(q-1)) = 1$.
It is not recommended to restrict the size of d.
Short vs. long messages
n = pq, where n is 2k bits and p, q are k-bit primes (ISO/IEC 9796).
R maps a k-bit message m to a 2k-bit $\tilde{m}$.
To sign a kt-bit message m: divide $m = m_1 \| m_2 \| m_3 \| \ldots \| m_t$ and sign each block individually; one transmits 2kt bits.
Or sign an l-bit hash(m), $l \le k$; then one transmits kt + 2k bits (kt bits to transmit the message, 2k bits for the signature).
If t > 2, then kt + 2k < 2kt.
The Elliptic Curve Digital Signature Algorithm (ECDSA)
Elliptic curves (EC) over the reals
A non-singular EC is the set E of solutions $(x, y) \in \mathbb{R} \times \mathbb{R}$ to the equation
$y^2 = x^3 + ax + b, \quad a, b \in \mathbb{R},\ 4a^3 + 27b^2 \ne 0,$
together with a special point O, where the condition $4a^3 + 27b^2 \ne 0$ means that $x^3 + ax + b = 0$ has three distinct roots.
An EC over the reals: $y^2 = x^3 - 4x$, i.e. a = -4, b = 0, so $4a^3 + 27b^2 = -256 \ne 0$.
Addition - geometric approach (chord-and-tangent rule)
P + Q = R for P ≠ Q: draw the chord through $P = (x_1, y_1)$ and $Q = (x_2, y_2)$; it meets the curve in a third point $-R = (x_3, -y_3)$, and $R = (x_3, y_3)$ is its reflection in the x-axis.
Point doubling, P + P = 2P = R: draw the tangent at $P = (x_1, y_1)$; it meets the curve again in $-R = (x_3, -y_3)$, and $R = (x_3, y_3)$ is its reflection in the x-axis.
Addition - algebraic approach
E is an elliptic curve over the reals.
1. $P + O = O + P = P$ for all $P \in E$ (O is the identity element).
2. If $P = (x, y) \in E$, then $-P = (x, -y)$ and $P + (-P) = O$.
3. Let $P = (x_1, y_1) \in E$, $Q = (x_2, y_2) \in E$, $P \ne \pm Q$. Then $P + Q = (x_3, y_3)$, where
$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \quad x_3 = \lambda^2 - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1.$
4. Let $P = (x_1, y_1) \in E$, $P \ne -P$. Then $2P = (x_3, y_3)$, where
$\lambda = \frac{3x_1^2 + a}{2y_1}, \quad x_3 = \lambda^2 - 2x_1, \quad y_3 = \lambda(x_1 - x_3) - y_1.$
Galois fields (finite fields) GF(q)
GF(q) is a set of elements with two operations, (G, +, *), that satisfy certain arithmetic properties.
A finite field with q elements exists iff q is a prime power.
If q = p, p prime, then {0, 1, ..., p-1} are the field elements, with
ADDITION: for $a, b \in \text{GF}(p)$, $a + b = r \bmod p$;
MULTIPLICATION: $a \cdot b = r \bmod p$;
INVERSION: for $a \ne 0$, $a^{-1}$ is the element with $a \cdot a^{-1} \equiv 1 \pmod p$.
Elliptic curves over finite fields
Over GF(p), p prime, p > 3, the elliptic curve E has equation
$y^2 = x^3 + ax + b$, where $a, b \in \text{GF}(p)$ and $4a^3 + 27b^2 \not\equiv 0 \pmod p$.
E consists of all pairs $(x, y)$, $x \in \text{GF}(p)$, $y \in \text{GF}(p)$, satisfying the curve equation, together with the special point O, the point at infinity.
Example 1: elliptic curve over GF(23)
p = 23, E: $y^2 = x^3 + x + 4$, i.e. a = 1, b = 4; $4a^3 + 27b^2 = 4 + 432 = 436 \equiv 22 \not\equiv 0 \pmod{23}$.
The points in E are O and the following:
(0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) …
28 points + O = 29 points.
Let's consider (4, 7): $x^3 + x + 4 = 64 + 4 + 4 = 72 \equiv 3 \pmod{23}$ and $y^2 = 49 \equiv 3 \pmod{23}$.
Basic facts
Let E(GF(q)) be an EC over GF(q). The points of E(GF(q)) form a group under addition.
Hasse's theorem: the number of points on E (the group order) is $\#E(\text{GF}(q)) = q + 1 - t$ with $|t| \le 2\sqrt{q}$.
If #E is prime, then the group is cyclic and every point $P \ne O$ generates it: $E(\text{GF}(q)) = \{\, kP \mid 0 \le k < \#E \,\}$.
If #E has a prime factor n, then there exists a cyclic subgroup of order n.
Example 2: elliptic curve over GF(23)
p = 23, E: $y^2 = x^3 + x + 4$; #E = 29 is prime, so the group is cyclic and any point P ≠ O generates it.
The points in E are O and the multiples of P = (0, 2):
P = (0, 2), 2P = (13, 12), 3P = (11, 9), 4P = (1, 12), 5P = (7, 20), 6P = (9, 11), 7P = (15, 9), 8P = (14, 5), 9P = (4, 7), 10P = (22, 5), 11P = (10, 5), 12P = (17, 9), 13P = (8, 15), 14P = (18, 9), 15P = (18, 14), 16P = (8, 8), 17P = (17, 14), 18P = (10, 18), 19P = (22, 18), 20P = (4, 16), 21P = (14, 18), 22P = (15, 17), 23P = (9, 12), 24P = (7, 3), 25P = (1, 11), 26P = (11, 14), 27P = (13, 11), 28P = (0, 21), 29P = O, 30P = P.
29 points in total.
ECDSA parameters setup
Create (random) public abstract groups.
Domain parameter generation: complex and public; domain parameters are often taken from a published list.
Domain parameter validation: easy and public.
Key pair generation: easy and private.
Key pair validation: easy and public.
ECDSA domain parameters
Domain parameters D = (q, a, b, G, n, h):
Field size q, q = p or $q = 2^m$.
Coefficients $a, b \in \text{GF}(q)$ of $E = E_{a,b}(\text{GF}(q))$, with $4a^3 + 27b^2 \ne 0$ for q = p.
Seed s of length ≥ 160 bits (optional).
Base point $G = (x_G, y_G)$ on the curve E, i.e. $x_G, y_G \in \text{GF}(q)$ satisfying the curve equation.
Order n of G: n is prime, $n > 2^{160}$ and $n > 4\sqrt{q}$.
Cofactor h: $\#E(\text{GF}(q)) = hn$.
Curve parameters generation (1)
Input: GF(p), p prime. Output: seed, curve coefficients a and b.
Used notation: $t = \lceil \log_2 p \rceil$, $s = \lfloor (t-1)/160 \rfloor$, $v = t - 160s$.
Choose an arbitrary SEED of g > 160 bits and hash it with a 160-bit hash algorithm; $W_0$ is the v-1 rightmost bits of hash(SEED), and z is the integer value of SEED.
Compute $W_1 = \text{hash}(z+1),\ W_2 = \text{hash}(z+2),\ \ldots,\ W_s = \text{hash}(z+s)$ and form the bit string
$W = W_0 \| W_1 \| \ldots \| W_s$ of $(v-1) + s \cdot 160 < \log_2 p$ bits.
Curve parameters generation (2)
1. Let r be the integer whose bit string is W.
2. If $r = 0$ or $4r + 27 \equiv 0 \pmod p$, abort and start again.
3. Choose $a, b \in \text{GF}(p)$, $a \ne 0$, $b \ne 0$, such that $r b^2 \equiv a^3 \pmod p$.
4. Result: $y^2 = x^3 + ax + b$.
Step 2 excludes singular curves: with $a^3 \equiv r b^2$ we get $4a^3 + 27b^2 \equiv b^2(4r + 27) \pmod p$, so $4a^3 + 27b^2 \equiv 0$ (singular EC) iff $4r + 27 \equiv 0 \pmod p$, since $b \ne 0$.
Isomorphism classes of ECs (1)
$E_1: y^2 = x^3 + a_1 x + b_1$ and $E_2: y^2 = x^3 + a_2 x + b_2$ over GF(p) are isomorphic iff there is $u \in \text{GF}(p)$, $u \ne 0$, with $a_2 = u^4 a_1$ and $b_2 = u^6 b_1$, i.e. $a_1^3 / b_1^2 = a_2^3 / b_2^2$; the isomorphism is $(x, y) \mapsto (u^2 x, u^3 y)$.
Step 3 of the generation chooses $a, b \in \text{GF}(p)$, $a, b \ne 0$, with $r b^2 \equiv a^3 \pmod p$; up to isomorphism there are only 2 variants for (a, b) in step 3.
Isomorphism classes of ECs (2)
Let's prove that there are precisely 2 choices for (a, b) in step 3.
Let $(a_1, b_1)$ and $(a_2, b_2)$ both satisfy $r b^2 \equiv a^3 \pmod p$ and put $k = a_1 b_2 / (a_2 b_1) \bmod p$.
If k is a square, $k = u^2$ for some u, then $u^4 a_1 = a_2$ and $u^6 b_1 = b_2$, i.e. $E_1$ is isomorphic to $E_2$.
Else (k is not a square) $E_1$ and $E_2$ are not isomorphic.
Since exactly half of the non-zero elements of GF(p) are squares, we can find $(a_1, b_1)$ and $(a_2, b_2)$ with $E_1$ and $E_2$ not isomorphic.
We cannot find $(a_3, b_3)$ with $E_3$ isomorphic to neither $E_1$ nor $E_2$: writing $k_{ij} = a_i b_j / (a_j b_i)$, if $k_{13}$ and $k_{12}$ are both non-squares, then $k_{23} = k_{13} / k_{12}$ is a square, so $E_3$ is isomorphic to $E_2$.
Domain parameter generation
Domain parameters D = (q, a, b, G, n, h).
1. Generate EC coefficients a and b: $E(\text{GF}(q)): y^2 = x^3 + ax + b$.
2. Compute N = #E(GF(q)) (e.g. with Schoof's algorithm).
3. Verify that $N = hn$ with n prime, $n > 2^{160}$ and $n > 4\sqrt{q}$; if not, go to step 1.
4. Verify that $n \nmid q^k - 1$ for all $1 \le k \le 20$; if not, go to step 1.
5. Verify that $n \ne q$; if not, go to step 1.
6. Select an arbitrary point $G' \in E(\text{GF}(q))$ and set $G = (N/n)\,G'$; repeat until $G \ne O$.
Key pair generation and validation
Alice (signer), with D = (q, a, b, G, n, h).
Key generation:
1. Select random d, $1 \le d \le n-1$.
2. $Q = d \cdot G$.
$Q = (x_Q, y_Q)$ is public; d is private.
Bob (verifier) receives (D, Q): is Q valid or not?
Key validation, check that:
1. $Q \ne O$;
2. $x_Q, y_Q \in \text{GF}(q)$;
3. $y_Q^2 = x_Q^3 + a x_Q + b$ in GF(q);
4. $nQ = O$;
5. if any check fails, Q is invalid, else Q is valid.
ECDSA generation and verification
Alice: parameters D = (q, a, b, G, n, h), associated keys (d, Q).
To sign message m:
1. Choose k randomly, $1 \le k \le n-1$.
2. $k \cdot G = (x_1, y_1)$, $r = x_1 \bmod n$.
3. If r = 0, abort and start again.
4. e = SHA-1(m).
5. $s = k^{-1}(e + d \cdot r) \bmod n$.
6. If s = 0, abort and start again.
Output: (r, s).
Bob: parameters D, Alice's public key Q, Alice's signature (r, s) on m.
To verify signature (r, s):
1. Check $1 \le r \le n-1$, $1 \le s \le n-1$.
2. e = SHA-1(m).
3. $w = s^{-1} \bmod n$.
4. $u_1 = e \cdot w \bmod n$, $u_2 = r \cdot w \bmod n$.
5. $X = u_1 \cdot G + u_2 \cdot Q$; if X = O, reject.
6. $X = (x_1, y_1)$, $v = x_1 \bmod n$.
7. Accept iff v = r.
Proof that signature verification works:
$s = k^{-1}(e + dr) \bmod n \ \Rightarrow\ k \equiv s^{-1}(e + dr) = we + wdr = u_1 + u_2 d \pmod n,$
so $X = u_1 G + u_2 Q = (u_1 + u_2 d)\,G = kG$ and therefore v = r.
Ordinary DLP
Definition. Given: a prime p, a generator g of GF(p)*, and a non-zero element $y \in \text{GF}(p)$.
Find: the unique integer k, $0 \le k \le p-2$, with $y \equiv g^k \pmod p$.
k is called the discrete logarithm of y to the base g.
Known attacks. The most efficient is the index calculus method, which is subexponential: $O\!\left(e^{(c + o(1))\,(\ln p)^{1/2} (\ln \ln p)^{1/2}}\right)$ for a constant c.
Elliptic Curve DLP
Identified in 1985, when Koblitz and Miller suggested using it in place of the DLP.
Definition. Given: an EC E defined over GF(q), a point $P \in E(\text{GF}(q))$ of order n, and a point $Q \in E(\text{GF}(q))$.
Determine: the integer l, $0 \le l \le n-1$, with $Q = lP$.
It arises in groups defined on ECs and is a hard problem: only exponential algorithms are known.
Known attacks on ECDLP
Pollard's rho algorithm: $O(\sqrt{n})$. Parallelized Pollard's rho: $O(\sqrt{n}/r)$, where r is the number of processors used. Precaution: $n > 2^{160}$.
Pohlig-Hellman algorithm: reduces the ECDLP to ECDLPs in the prime-order subgroups, so its cost is governed by the largest prime factor of the group order. Precaution: n is prime.
Menezes-Okamoto-Vanstone (MOV) reduction: maps the ECDLP into the DLP in $\text{GF}(q^k)$, where index calculus applies. Precaution: $n \nmid q^k - 1$ for all $1 \le k \le 20$.
No index calculus method has been found for the ECDLP itself.
Pollard's rho algorithm (1)
To find k where Q = kP and n is the group order:
Use a pseudo-random walk through the group, starting at a known point.
When a collision occurs, we can find k.
Because there is not enough room to store all visited points, we only store distinguished points (points with some distinguishing property, such as the first i lower-order bits equal to zero).
Pollard's rho algorithm (2)
The random walk is defined as
$R_{i+1} = R_i + r_1 P + r_2 Q$ for $R_i \in S_1$,
$R_{i+1} = R_i + r_3 P + r_4 Q$ for $R_i \in S_2$,
$R_{i+1} = R_i + r_5 P + r_6 Q$ for $R_i \in S_3$,
where the $S_i$ are three sets of points (e.g. $S_i$ may be the points with $x \bmod 3 = i$) and the $r_i$ are randomly chosen.
Pollard's rho algorithm (3)
$R_0$ is chosen to be a known multiple of P and Q. For each iteration, $R_{i+1}$ is found, and also what multiple of P and Q it is. When a collision occurs, we have
$R_i = R_j$, i.e. $aP + bQ = cP + dQ$, hence $(a - c)P = (d - b)Q$ and $Q = (a - c)(d - b)^{-1} P$, so $k = (a - c)(d - b)^{-1} \bmod n$.
Pollard's rho algorithm (4)
The number of iterations is $O(\sqrt{n})$.
With this approach, the path of the pseudo-random walk depends on Q.
There is no precomputation.
Calculations from previous ECDLPs are of limited usefulness in subsequent ECDLPs, because collisions are only detected for distinguished points.
Duplicate-Signature Key Selection
Alice's domain parameters D = (q, FR, a, b, G, n, h) (FR is the field representation), her public key Q and her signature (r, s) on m are sent to Bob. An adversary E:
Selects an arbitrary c, $1 \le c \le n-1$, with $e + cr \not\equiv 0 \pmod n$.
Computes $t = s^{-1}(e + cr) \bmod n$, where e = SHA-1(m), and $X = u_1 G + u_2 Q = s^{-1}(eG + rQ)$, the point computed when verifying (r, s).
Forms $G_E = t^{-1} X$ and $Q_E = c \cdot G_E$, and presents $D_E = (q, FR, a, b, G_E, n, h)$, $Q_E$ and the same (m, r, s) to Bob.
Proof that it works: verifying (r, s) under $(D_E, Q_E)$ computes
$X_E = u_1 G_E + u_2 Q_E = (u_1 + u_2 c)\,G_E = w(e + cr)\,G_E = t \cdot t^{-1} X = X,$
so $v = r$ and the signature is accepted: the same (r, s) is now a valid signature of E on m.
Key size comparisons (bits)
Sym. key:   80     112    128    192    256
ECC n:      161    224    256    384    512
RSA n:      1024   2048   3072   7680   15360
ECDSA advantages
Elliptic curves offer a much shorter key length than RSA.
There are some environments where 1024-bit RSA cannot be implemented, while 163-bit ECC can.
No subexponential-time algorithm is known for the EC discrete logarithm problem on general curves (the MOV and anomalous cases above are excluded by the precautions).
Exercises (1)
Does this equation define an EC over GF(17)? $y^2 = x^3 + 10x + 5$
Do the points P(2,0) and Q(6,3) lie on the elliptic curve $y^2 = x^3 + x + 7$ over GF(17)?
What are the negatives of the following elliptic curve points over GF(17)? P(5,8), Q(3,0), R(0,6)
In the elliptic curve group defined by $y^2 = x^3 + x + 7$ over GF(17), what is P + Q if P = (2,0) and Q = (1,3)?
Exercises (2)
Suppose that p > 3 is an odd prime and $a, b \in \text{GF}(p)$. Further suppose that $x^3 + ax + b \equiv 0 \pmod p$ has 3 distinct roots in GF(p).
Prove that the corresponding elliptic curve E is not cyclic.
Elliptic curves over finite fields GF(2^m)
Over $\text{GF}(2^m)$ the elliptic curve E has equation
$y^2 + xy = x^3 + ax^2 + b$, where $a, b \in \text{GF}(2^m)$ and $b \ne 0$.
E consists of all pairs $(x, y)$, $x \in \text{GF}(2^m)$, $y \in \text{GF}(2^m)$, satisfying the curve equation, together with the special point O, the point at infinity.
Example 2: elliptic curve over GF(2^4)
Generator polynomial $f(x) = x^4 + x + 1$; with g a root of f, every non-zero field element is a power $g^i$.
E: $y^2 + xy = x^3 + g^4 x^2 + 1$, i.e. $a = g^4$, $b = 1 = g^0$.
The points in E are O and the following:
$(0, 1)$ $(1, g^6)$ $(1, g^{13})$ $(g^3, g^8)$ $(g^3, g^{13})$ $(g^5, g^3)$ $(g^5, g^{11})$ $(g^6, g^8)$ $(g^6, g^{14})$ $(g^9, g^{10})$ $(g^9, g^{13})$ $(g^{10}, g)$ $(g^{10}, g^8)$ $(g^{12}, 0)$ $(g^{12}, g^{12})$
15 points + O = 16 points.
Addition - algebraic approach over GF(2^m)
E is an elliptic curve over $\text{GF}(2^m)$.
1. $P + O = O + P = P$ for all $P \in E$.
2. If $P = (x, y) \in E$, then $-P = (x, x + y)$ and $P + (-P) = O$.
3. Let $P = (x_1, y_1) \in E$, $Q = (x_2, y_2) \in E$, $P \ne \pm Q$. Then $P + Q = (x_3, y_3)$, where
$\lambda = \frac{y_1 + y_2}{x_1 + x_2}, \quad x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \quad y_3 = \lambda(x_1 + x_3) + x_3 + y_1.$
4. Let $P = (x_1, y_1) \in E$, $P \ne -P$. Then $2P = (x_3, y_3)$, where
$\lambda = x_1 + \frac{y_1}{x_1}, \quad x_3 = \lambda^2 + \lambda + a = x_1^2 + \frac{b}{x_1^2}, \quad y_3 = x_1^2 + (\lambda + 1)\,x_3.$
Curve parameters generation
Input: prime p. Output: seed, curve coefficients a and b.
Used notation: $t = \lceil \log_2 p \rceil$, $s = \lfloor (t-1)/160 \rfloor$, $v = t - 160s$.
Algorithm:
1. Choose a bit string $\text{seed}_E$ with $g = |\text{seed}_E| \ge 160$ bits.
2. $H = \text{SHA-1}(\text{seed}_E)$.
3. $z = (\text{int})\,\text{seed}_E$.
4. For i from 1 to s do: $s_i = (z + i) \bmod 2^g$, $W_i = \text{SHA-1}(s_i)$.
5. $W_0$ = the v-1 rightmost bits of H; $W = W_0 \| W_1 \| \ldots \| W_s$.
6. $r = (\text{int})\,W$; if $r = 0$ or $4r + 27 \equiv 0 \pmod p$, go to step 1.
7. Choose $a, b \in \text{GF}(p)$, $a, b \ne 0$, with $r b^2 \equiv a^3 \pmod p$.
8. The elliptic curve is $y^2 = x^3 + ax + b$.
9. Output $(\text{seed}_E, a, b)$.
Domain parameters validation
Alice's domain parameters D = (q, FR, a, b, G, n, h) are sent to Bob: is D valid or not?
D validation, check that:
1. q = p is prime, or $q = 2^m$;
2. $a, b, x_G, y_G \in \text{GF}(q)$;
3. $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (for q = p);
4. $G \ne O$ and $y_G^2 = x_G^3 + a x_G + b$;
5. n is prime AND $n > 2^{160}$;
6. $\#E = hn \ne q$;
7. $n > 4\sqrt{q}$ and $n \mid \#E$;
8. $nG = O$;
9. $h' = \lfloor (\sqrt{q} + 1)^2 / n \rfloor$ equals h, and $n \nmid q^k - 1$ for $1 \le k \le 20$;
10. if any check fails, D is invalid, else D is valid.
Verifying the order of an EC
Hasse's theorem: $\#E = q + 1 - t$ with $|t| \le 2\sqrt{q}$, hence $(\sqrt{q} - 1)^2 \le \#E \le (\sqrt{q} + 1)^2$.
Hence the check $n > 4\sqrt{q}$ implies $n^2 > 16q \ge (\sqrt{q} + 1)^2 \ge \#E$, so $n^2 \nmid \#E$: the group has at most one subgroup of order n.
Also, since $\#E = hn$ lies in $[(\sqrt{q} - 1)^2, (\sqrt{q} + 1)^2]$, we have $(\sqrt{q} - 1)^2 / n \le h \le (\sqrt{q} + 1)^2 / n$; this interval has length $4\sqrt{q}/n < 1$, so it contains exactly one integer, namely $h = \lfloor (\sqrt{q} + 1)^2 / n \rfloor$.
Hence if $nG = O$ with $G \ne O$ and n prime, then G has order n, $n \mid \#E$, and #E is indeed equal to $hn$ with $h = \lfloor (\sqrt{q} + 1)^2 / n \rfloor$.
Potential CA services
POP - proof of possession of the private key; can use a zero-knowledge proof.
PKV - public key validation, which shows that the public key makes arithmetic sense.
POP and PKV can be considered duals of each other; doing both provides strong assurance.
Security considerations
Per-message secret k: if the k used for a signature (r, s) on m becomes known, the private key follows from $s = k^{-1}(e + dr) \bmod n$ as $d = r^{-1}(sk - e) \bmod n$.
Repeated usage of k: two signatures $(r, s_1)$ on $m_1$ and $(r, s_2)$ on $m_2$ made with the same k share r, and from
$s_1 = k^{-1}(e_1 + dr) \bmod n, \quad s_2 = k^{-1}(e_2 + dr) \bmod n$
follows $k(s_1 - s_2) \equiv e_1 - e_2 \pmod n$, i.e. $k = (s_1 - s_2)^{-1}(e_1 - e_2) \bmod n$, after which d is recovered as above.
Check $1 \le r \le n-1$, $1 \le s \le n-1$: if the verifier omits the check r ≥ 1 and the base point has $x_G = 0$, i.e. $G = (0, y_G)$, then (r, s) = (0, e) with e = SHA-1(m) is accepted for every m without the private key: $w = e^{-1}$, $u_1 = e \cdot e^{-1} = 1$, $u_2 = 0$, $X = 1 \cdot G + 0 \cdot Q = G = (0, y_G)$ and $v = 0 = r$.
The verification referred to is the one under ECDSA generation and verification above: check the ranges of r and s, e = SHA-1(m), $w = s^{-1} \bmod n$, $u_1 = ew \bmod n$, $u_2 = rw \bmod n$, $X = u_1 G + u_2 Q$, reject if X = O, and accept iff $x_1 \bmod n = r$.
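The curve arithmetic from the GF(23) examples, ECDSA generation and verification, duplicate-signature key selection, and the three items of the security considerations above, all run on the slides' own toy curve as one added example (not code from the presentation). It uses the slide parameters p = 23, $y^2 = x^3 + x + 4$, G = (0, 2), n = 29, h = 1. Assumptions: SHA-1 is kept because the slides use it, but its output is reduced mod n because n is tiny (a real deployment uses a 256-bit-order curve and SHA-2); `sign` accepts a caller-chosen k only so the nonce-reuse demo can force the same k twice; `verify` has a `check_range` switch only to show the effect of the missing $r \ge 1$ check, which the slide can demonstrate precisely because its base point has $x_G = 0$.

```python
"""ECDSA on the slides' toy curve y^2 = x^3 + x + 4 over GF(23), G = (0, 2), n = 29:
group arithmetic, signing/verification, private-key leaks from a known or repeated k,
the missing r >= 1 check, and duplicate-signature key selection."""
import hashlib
import secrets

P, A, B = 23, 1, 4          # field prime and curve coefficients (slide example)
G, N = (0, 2), 29           # base point and its prime order (cofactor h = 1)
O = None                    # the point at infinity


def on_curve(pt) -> bool:
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def add(P1, P2):
    """Chord-and-tangent addition with the GF(p) formulas; divisions are inverses mod p."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = O
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(m: bytes) -> int:
    # SHA-1 as on the slides (not recommended today), reduced mod n because n is tiny here
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % N


def sign(d: int, m: bytes, k: int = None):
    """r = x(kG) mod n, s = k^-1 (e + d r) mod n.  The optional k exists only so the
    nonce-reuse demo can force the same k twice; real code must draw a fresh random k."""
    e = hash_to_int(m)
    while True:
        k_used = k if k is not None else secrets.randbelow(N - 1) + 1   # 1 <= k <= n-1
        r = mul(k_used, G)[0] % N
        s = pow(k_used, -1, N) * (e + d * r) % N
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")


def verify(Q, m: bytes, sig, base=G, check_range=True) -> bool:
    r, s = sig
    if check_range and not (1 <= r <= N - 1 and 1 <= s <= N - 1):
        return False
    if s % N == 0 or Q is O or not on_curve(Q):
        return False
    w = pow(s, -1, N)
    e = hash_to_int(m)
    X = add(mul(e * w % N, base), mul(r * w % N, Q))   # u1*G + u2*Q
    return X is not O and X[0] % N == r


def recover_from_repeated_k(m1, sig1, m2, sig2):
    """Same k in two signatures gives the same r; then k = (e1 - e2)/(s1 - s2) and
    d = (s1 k - e1)/r, the 'known k' formula of the slide."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2, "different r: k was not reused"
    e1, e2 = hash_to_int(m1), hash_to_int(m2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return k, (s1 * k - e1) * pow(r, -1, N) % N


def forge_without_range_check(m: bytes):
    """x_G = 0 here, so (r, s) = (0, e) passes a verifier that skips r >= 1:
    u1 = e/e = 1, u2 = 0, X = G, v = x_G mod n = 0 = r."""
    return 0, hash_to_int(m)


def duplicate_signature_key_selection(Q, m: bytes, sig, c: int):
    """Adversary picks c and returns (G_E, Q_E = c*G_E): Alice's (r, s) on m verifies under them."""
    r, s = sig
    w, e = pow(s, -1, N), hash_to_int(m)
    X = add(mul(e * w % N, G), mul(r * w % N, Q))     # the verifier's X for Alice's key
    t = w * (e + c * r) % N
    if t == 0:
        raise ValueError("e + c r = 0 mod n; choose another c")
    G_E = mul(pow(t, -1, N), X)
    return G_E, mul(c, G_E)
```

Because n = 29, hash values collide mod n with probability 1/29, so any driver around this code should pick messages with distinct e before demonstrating the repeated-k recovery; on a real curve that step is unnecessary. The duplicate-signature result is the reason a verifier must bind a signature to the domain parameters under which it was made (certify D together with Q) rather than accept a signer-supplied base point.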
Attacks on the hash function SHA-1
Preimage resistance: given y, it is hard to find x with H(x) = y. Collision resistance: it is hard to find $x_1 \ne x_2$ with $H(x_1) = H(x_2)$.
If H is not preimage resistant, one can forge signatures: choose r, s and e such that (r, s) is a valid signature for the hash value e (e.g. take random $u_1, u_2$, compute $X = u_1 G + u_2 Q = (x_1, y_1)$, $r = x_1 \bmod n$, $s = r u_2^{-1} \bmod n$, $e = s u_1 \bmod n$), then find a message m with SHA-1(m) = e.
If H is not collision resistant, one can repudiate messages: generate $m' \ne m$ with SHA-1(m) = SHA-1(m'), sign m, and later claim that the signature was made on m'.
Collisions for SHA-1 have been demonstrated in practice since 2017, so current ECDSA deployments use SHA-2 or SHA-3 instead.
Signature forgery
A forgery is a signature computed without the signer's private key.
Selective forgery: an adversary is able to create a valid signature for a particular message chosen a priori.
Existential forgery: an adversary is able to forge a signature for at least one message, not necessarily of her choice.