Digital Signatures (DSs)


Upload: phiala

Post on 06-Feb-2016


TRANSCRIPT

Page 1: Digital Signatures (DSs)

Digital Signatures (DSs)

• A digital signature cannot be separated from the message and attached to another

• The signature is tied not only to the signer but also to the message that is being signed

• The digital signature needs to be easily verified by other parties

• Digital signature schemes therefore consist of two distinct steps: the signing process and the verification process

Page 2: Digital Signatures (DSs)

RSA Signatures

• Bob has a document m that Alice agrees to sign. Alice does the following.

• Alice chooses two primes p, q, sets n=pq, and makes (e,n) public, where gcd(e,(p-1)(q-1))=1

• She solves de≡1 (mod φ(n)) and keeps p, q, d secret

• Alice’s signature is y≡m^d (mod n)

• Alice then makes the pair (y,m) public

Page 3: Digital Signatures (DSs)

How does Bob verify Alice’s Signature

• Download Alice’s (e,n)

• Compute z≡y^e (mod n)

• If z=m, then Bob accepts the signature as valid; otherwise the signature is not valid

Page 4: Digital Signatures (DSs)

Blind Signatures (1/2)

• Alice chooses n=pq, finds e, and solves for d as required in the RSA scheme, i.e., ed≡1 (mod φ(n))

• Bob chooses a random k with gcd(k,n)=1, computes t≡k^e m (mod n) for message m, and sends t to Alice

• Alice signs t by computing s≡t^d (mod n). She returns s to Bob

• Bob computes s k^(-1) (mod n) to get the signed message m^d

Page 5: Digital Signatures (DSs)

Blind Signatures (2/2)

• s k^(-1) ≡ t^d k^(-1) ≡ (k^e m)^d k^(-1) ≡ m^d (k^(ed)) k^(-1) ≡ m^d (mod n)

• Alice has never seen the message m

• t≡k^e m and s≡t^d, then s k^(-1) ≡ m^d (mod n)

• The choice of k is random, therefore t≡k^e m (mod n) gives essentially no information about m. In this way, Alice knows nothing about the message m she is signing.
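The blind-signature exchange above, run end to end as an added example (not part of the original slides). The toy key p=61, q=53, e=17 and all function names are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy RSA key (far too small for real use).
p, q = 61, 53
N = p * q
PHI = (p - 1) * (q - 1)
E = 17
D = pow(E, -1, PHI)          # Alice's secret exponent, ed ≡ 1 (mod φ(n))

def blind(m):
    """Bob: pick random k coprime to n and hide m as t ≡ k^e m (mod n)."""
    while True:
        k = secrets.randbelow(N - 2) + 2      # 2 <= k <= n-1
        if gcd(k, N) == 1:
            return pow(k, E, N) * m % N, k

def sign_blinded(t):
    """Alice: sign whatever she is handed, s ≡ t^d (mod n). She never sees m."""
    return pow(t, D, N)

def unblind(s, k):
    """Bob: strip the blinding factor, s k^(-1) ≡ m^d (mod n)."""
    return s * pow(k, -1, N) % N

def verify(m, sig):
    """Anyone: ordinary RSA verification with Alice's public (e, n)."""
    return pow(sig, E, N) == m % N

if __name__ == "__main__":
    m = 1234
    t, k = blind(m)
    sig = unblind(sign_blinded(t), k)
    print("Alice saw", t, "but the signature verifies for", m, ":", verify(m, sig))
```

Because Alice signs t without knowing what it encodes, the signature she produces is valid for a message she never approved, which is why blind signing keys are kept separate from keys used for ordinary signing.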

Page 6: Digital Signatures (DSs)

ElGamal Signature Scheme

• One feature that is different from RSA is that, with this method, there are many different signatures that are valid for a given message

• Suppose Alice wants to sign a message m. To start, Alice chooses a large prime p and a primitive root α. Alice next chooses a secret integer (key) a, 1≤a≤p-2, and computes β≡α^a (mod p). The values (p,α,β) are made public.

Page 7: Digital Signatures (DSs)

Alice signs the message m via

• Select a secret random k such that gcd(k,p-1)=1

• Compute r≡α^k (mod p)

• Compute s≡k^(-1)(m-ar) (mod p-1)

• The signed message is the triple (m,r,s)

Page 8: Digital Signatures (DSs)

Bob verifies the signature via

• Download Alice’s public key (p,α,β)

• Compute u≡β^r r^s and w≡α^m (mod p)

• The signature is declared valid iff u≡w (mod p)

Proof: w≡α^m≡α^(sk+ar)≡(α^a)^r (α^k)^s≡β^r r^s≡u (mod p)

More details from p.246~248

Page 9: Digital Signatures (DSs)

ElGamal Signature for one

Alice wants to sign m1=151405 (one). She chooses p=225119 and a primitive root α=11. She chooses a secret number a and computes β≡α^a≡18191 (mod p).

To sign the message, she picks a random k and keeps it secret. She computes r≡α^k≡164130 (mod p), and s1≡k^(-1)(m1-ar)≡130777 (mod p-1)

The signed message is (151405, 164130, 130777)

Page 10: Digital Signatures (DSs)

ElGamal Signature for two

Alice then signs m2=202315 (two) with the same k, where (p,α)=(225119,11), hence r has the same value and the signed message is

(202315, 164130, 164899). Then we have

-34122k ≡ (s1-s2)k ≡ m1-m2 ≡ -50910 (mod p-1)

Since gcd(-34122,p-1)=2, there are two k’s:

k=239 and k=112798 (mod p-1)

Since α^239 ≡164130, α^112789 ≡59924 (mod p),

k=239 leads to the correct value r=164130

Page 11: Digital Signatures (DSs)

Dangerous to use the same key for different documents

Rewrite s1 k≡m1-ar (mod p-1) to obtain

164130a≡ar≡m1-s1 k≡187104 (mod p-1)

Since gcd(164130, p-1)=2, there are two solutions for a: a=28862 and a=141421

Since α=11, β=18191, and

α^28862 ≡206928, α^141421 ≡18191 (mod p)

Therefore the key a=141421 is revealed.
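The two slides above, carried through in code as an added example (not part of the original slides): it verifies both signatures, flags the repeated r that gives the reuse away, and solves the two congruences with the numbers from the slides. Function names are chosen here for illustration.

```python
from math import gcd

# Public key and the two signed messages (m, r, s) exactly as given on the slides.
P, ALPHA, BETA = 225119, 11, 18191
SIG1 = (151405, 164130, 130777)
SIG2 = (202315, 164130, 164899)

def solve_linear(c, b, n):
    """Return every x in [0, n) with c*x ≡ b (mod n); there are gcd(c, n) of them."""
    c, b = c % n, b % n
    g = gcd(c, n)
    if b % g:
        return []
    step = n // g
    x0 = (b // g) * pow(c // g, -1, step) % step
    return [x0 + i * step for i in range(g)]

def verify(sig):
    """Bob's check: beta^r * r^s ≡ alpha^m (mod p)."""
    m, r, s = sig
    return 0 < r < P and pow(BETA, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def reused_k(sig1, sig2):
    """Audit check: two different messages signed with equal r used the same k."""
    return sig1[1] == sig2[1] and sig1[0] != sig2[0]

def recover_k_and_a(sig1, sig2):
    """Follow the slides: solve for k, keep the k that matches r, then solve for a."""
    (m1, r, s1), (m2, _, s2) = sig1, sig2
    n = P - 1
    ks = solve_linear(s1 - s2, m1 - m2, n)          # (s1-s2)k ≡ m1-m2 (mod p-1)
    k = next(x for x in ks if pow(ALPHA, x, P) == r)
    cands = solve_linear(r, m1 - s1 * k, n)         # r*a ≡ m1-s1*k (mod p-1)
    a = next(x for x in cands if pow(ALPHA, x, P) == BETA)
    return ks, k, cands, a

if __name__ == "__main__":
    print("both valid:", verify(SIG1) and verify(SIG2))
    print("same k used:", reused_k(SIG1, SIG2))
    print("candidates and recovered values:", recover_k_and_a(SIG1, SIG2))
```

Both signatures pass verification, so a verifier alone never notices the problem; the signer has to guarantee a fresh k per message, and an auditor can catch violations by looking for repeated r values under one public key.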

Page 12: Digital Signatures (DSs)

Hash Functions

• A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. Certain properties should be satisfied.

(1) Given a message m, the message digest h(m) can be calculated very quickly.

(2) Given a message digest y, it is computationally infeasible to find an m with h(m)=y. In other words, h is a one-way, or preimage resistant, function.

(3) It is computationally infeasible to find messages x, y such that h(x)=h(y), i.e., h is strongly collision-free.

Page 13: Digital Signatures (DSs)

Examples

• Let n=b_k b_(k-1) … b_1 b_0 and define h(n)=b_k⊕…⊕b_0. This h does not satisfy (2)

• The discrete log hash function due to Chaum, van Heijst, and Pfitzmann

Select a large prime p such that q=(p-1)/2 is prime. Let α, β be two primitive roots mod p which satisfy α^a ≡ β (mod p), where a is a secret number. Let m=x+yq, with 0≤x,y≤q-1, and define a hash function h(m)≡α^x β^y (mod p)

Page 14: Digital Signatures (DSs)

Proposition (p.184)

• If we know messages m≠n with h(m)=h(n), then we can determine the discrete logarithm a=L_α(β).

(Proof) Write m=x+yq, n=r+sq. Suppose h(m)=h(n), i.e., α^x β^y ≡ α^r β^s (mod p). Since α^a ≡ β (mod p), we get α^(a(y-s)-(r-x)) ≡ 1 (mod p). Therefore a(y-s)≡(r-x) (mod p-1). Since p-1=2q has only 4 divisors: 1, 2, q, p-1, d=gcd(y-s,p-1)=1 or 2. Thus, we can get the secret a.

Page 15: Digital Signatures (DSs)

Other Hash Functions

• MD family: MD4, MD5 due to Rivest

• NIST’s Secure Hash Algorithm (SHA), which yields a 160-bit message digest

[Stinson] [Schneier] [Menezes et al.]

Page 16: Digital Signatures (DSs)

Hashing, Signing, and Applications

• Sending (m,sig(h(m))) instead of (m,sig(m)) could significantly reduce the size of digital signatures.

• An appropriate hash function should be chosen, in particular for electronic exchanges in e-commerce.

Page 17: Digital Signatures (DSs)

Birthday Attacks

• If there are 23 people in a room, the probability is 50.7% that two of them have the same birthday. If there are 30 people, the probability rises to 70%.

• The probability that no two of 23 people have the same birthday is

(1-1/365)(1-2/365)…(1-22/365) = 0.493

Page 18: Digital Signatures (DSs)

A Birthday Attack on Discrete Log

• Suppose we want to evaluate L_a(b) with a large p. We can do so with a birthday attack using the following procedure:

1. The first list contains numbers a^k (mod p) for approximately p^(1/2) randomly chosen values of k.

2. The second list contains numbers b a^(-j) (mod p) for approximately p^(1/2) randomly chosen values of j.

There is a good chance that there is a match between some element on the 1st list and one on the 2nd list. If so, a^k ≡ b a^(-j) (mod p) and hence a^(k+j) ≡ b (mod p)

x≡k+j (mod p-1) is the discrete log solution

Page 19: Digital Signatures (DSs)

Digital Signature Algorithm (DSA)

• NIST proposed the DSA in 1991 and adopted it as a standard in 1994. The message digest is a 160-bit output of a hash function. Key generation for DSA proceeds as follows. First, there is an initialization phase:

Page 20: Digital Signatures (DSs)

Initialization Phase

• Alice finds a prime q that is 160 bits long and chooses a prime p that satisfies q|p-1. The discrete log problem should be hard for this choice of p (e.g., p is 512 bits long).

• Let g be a primitive root mod p and let α≡g^((p-1)/q) (mod p). Then α^q ≡1 (mod p).

• Alice chooses a secret a such that 1≤a<q-1 and calculates β≡α^a (mod p)

• Alice publishes (p,q,α,β) and keeps a secret

Page 21: Digital Signatures (DSs)

The signing process

• Alice signs a message m by the following procedure:

1. Select a random, secret integer k, such that 0<k<q-1

2. Compute r≡(α^k (mod p)) (mod q)

3. Compute s≡k^(-1)(m+ar) (mod q)

4. Alice’s signature for m is (r,s), which she sends to Bob along with m.

Page 22: Digital Signatures (DSs)

Verification

• For Bob to verify, he must

1. Download Alice’s public information (p,q,α,β)

2. Compute u≡s^(-1)m, v≡s^(-1)r (mod q)

3. Compute w≡(α^u β^v (mod p)) (mod q)

4. Accept the signature iff w=r
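The initialization, signing and verification steps above as one runnable added example (not part of the original slides). The toy parameters p=7879, q=101 are constructed for illustration and stand in for the 512-bit and 160-bit primes; the range checks on r and s in verification are an addition a real verifier needs.

```python
import secrets

# Constructed toy parameters: q is prime and q | p-1 (7878 = 78 * 101).
P, Q = 7879, 101

def make_alpha():
    """Find alpha = g^((p-1)/q) mod p with alpha != 1, so alpha has order q."""
    for g in range(2, P):
        alpha = pow(g, (P - 1) // Q, P)
        if alpha != 1:
            return alpha

ALPHA = make_alpha()

def keygen():
    """Alice: secret a with 1 <= a < q-1, public beta = alpha^a mod p."""
    a = secrets.randbelow(Q - 2) + 1
    return a, pow(ALPHA, a, P)

def sign(m, a):
    """Steps 1-4 of the signing slide; a fresh secret k is drawn for every signature."""
    while True:
        k = secrets.randbelow(Q - 2) + 1            # 0 < k < q-1
        r = pow(ALPHA, k, P) % Q
        s = pow(k, -1, Q) * (m + a * r) % Q
        if r and s:                                  # retry on the rare zero value
            return r, s

def verify(m, r, s, beta):
    """Steps 2-4 of the verification slide, preceded by range checks on (r, s)."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    s_inv = pow(s, -1, Q)
    u, v = s_inv * m % Q, s_inv * r % Q
    w = pow(ALPHA, u, P) * pow(beta, v, P) % P % Q
    return w == r

if __name__ == "__main__":
    a, beta = keygen()
    r, s = sign(42, a)
    print("valid:", verify(42, r, s, beta))
    print("r = 0 rejected:", not verify(42, 0, s, beta))
```

Only m mod q enters the equations, so m and m+q verify under the same (r,s); in DSA the value signed is the 160-bit message digest, which is already smaller than q.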

Page 23: Digital Signatures (DSs)

Simple Exercises from p.252-255

• Exercises 1,2,3,4

• Computer Problem 1