Digital Signature Scheme
Academic year: 2022

(1)

Topics in Algebra: Cryptography

Univ.-Prof. Dr. Goulnara ARZHANTSEVA

WS 2019

(2)

Digital Signature Scheme

To ensure the non-repudiation of data over an insecure channel:

Definition: A signature scheme is a 5-tuple $(P, A, K, S, V)$ satisfying:

$P$ is a finite set of possible messages;

$A$ is a finite set of possible signatures;

$K$, the keyspace, is a finite set of possible keys;

$S = \{sig_k : k \in K\}$ consists of polynomial signing algorithms $sig_k : P \to A$;

$V = \{ver_k : k \in K\}$ consists of polynomial verification algorithms $ver_k : P \times A \to \{true, false\}$;

$\forall x \in P\ \forall y \in A$:

$ver_k(x, y) = \begin{cases} true, & \text{if } y = sig_k(x) \\ false, & \text{otherwise.} \end{cases}$

(3)

Handwritten signature vs Digital signature

Usual (handwritten) signature | Digital signature

A part of the document | Transmitted and stored separately

Verified by comparison with the original | Anyone can verify, efficiently

A copy is distinguished from the original | A copy is identical to the original

Easy to forge | Computationally hard to forge

Efficient signing process | Efficient signing process

(4)

Public-key Cryptosystem vs Digital signature

Public-key cryptosystem | Digital signature

Encrypt with $E_k$ | Sign with $D_k$

Decrypt with $D_k$ | Verify with $E_k$

Mathematics: Is swapping of $D_k$ and $E_k$ a valid operation?

Practice: Is swapping of the corresponding primitives a valid operation?

Key management: do not use the same keys for distinct applications.

(6)

RSA Digital signature

Definition: The RSA signature scheme is a 5-tuple $(P, A, K, S, V)$ such that:

$n = pq$, where $p, q$ are primes, $P = A = \mathbb{Z}/n\mathbb{Z}$ and $K = \{(n, p, q, d, e) : de \equiv 1 \bmod \varphi(n)\}$.

For $k = (n, p, q, d, e)$, we define

$sig_k(x) = x^d \bmod n$ and

$ver_k(x, y) = \begin{cases} true, & \text{if } x = y^e \bmod n \\ false, & \text{otherwise.} \end{cases}$

(7)

Test questions

Question 15

1. The DSS requires that $S = \{sig_k : k \in K\}$ consists of polynomial signing algorithms $sig_k : P \to A$, but the RSA signature scheme involves exponentiation. Is there a contradiction?

2. The DSS defines $ver_k(x, y) = true$ if $y = sig_k(x)$, but the RSA signature scheme defines $sig_k(x) = x^d \bmod n$ and $ver_k(x, y) = true$ if $x = y^e \bmod n$. Is there a contradiction?

(8)

Attacks on DSS and their goals

Attacks on DSS

Key-only: the attacker knows the public verification key, hence $ver_k$.

Known message: the attacker knows some messages (not selected by him) and their signatures.

Chosen message: the attacker knows some messages (selected by him) and their signatures.

Goals of attacks on DSS

Total break: the attacker determines Alice's private key, hence $sig_k$.

Selective forgery: with a non-negligible probability, the attacker creates a valid signature on a message chosen by someone else.

Existential forgery: forge a signature for some message (without the ability to do this for any message).

Universal forgery: forge signatures of any message.

(10)

DSS goal

DSS goal: strongest variant

The resistance against universal forgery under a chosen message attack.

RSA signature scheme is not resistant

Choose an arbitrary signature $y \in \mathbb{Z}/n\mathbb{Z}$, then compute the message $x = y^e \bmod n$. Thus $y$ is a valid signature on the message $x$ (because $y = x^d \bmod n$; note that $d$ is private).

(11)

Attacks on DSS: Examples

Existential forgery using a key-only attack is always possible: choose an arbitrary signature $y$, then compute the message $x$ given by $x := E_k(y)$.

To prevent existential forgery: message redundancy or hashing.

If the corresponding one-way function with trapdoor is multiplicative (e.g. in the RSA case: $(xy)^e = x^e \cdot y^e$), then universal forgery under a chosen message attack is possible. Indeed, to sign $x$, decompose it as $x = x_1 x_2$ with $x_1 \neq x \neq x_2$. Get the signatures $y_i$ of $x_i$ (this is possible as we are under a chosen message attack). Compute $(x, y) = (x, y_1 y_2)$.

The RSA case (and the case of other one-way functions with trapdoor):

The signature has the same length as the message.

(14)

DSS + Hashing = Hash-then-sign

Definition: DSS with hashing is a DSS 5-tuple $(P, A, K, S, V)$ such that:

$P = \{0,1\}^*$ and $A = \{0,1\}^\ell$ for some $\ell \in \mathbb{N}$;

$h : P \to A$ is a public hash function given by a polynomial algorithm;

$sig_k(x) = f_k^{-1}(h(x))$, where $f_k : A \to A$ is a one-way function with trapdoor;

$\forall x \in P, \forall y \in A$: $ver_k(x, y) = \begin{cases} true, & \text{if } f_k(y) = h(x) \\ false, & \text{otherwise.} \end{cases}$

To avoid the attacks, $h$ must be a one-way non-multiplicative function.
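As an added worked example (not part of the lecture slides): textbook RSA in the notation of slide 6, the key-only and chosen-message forgeries of slides 10 and 11, and the hash-then-sign variant of slide 14; the primes, the exponent and the SHA-256-mod-n hash are constructed toy choices.

```python
import hashlib

# Constructed toy key: two Mersenne primes keep the arithmetic instant; real
# keys use random primes of about 1024 bits or more.
p, q = 2**31 - 1, 2**61 - 1
n, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)                       # d*e = 1 mod phi(n)

def sig(x):
    """Textbook RSA signing on P = A = Z/nZ: sig_k(x) = x^d mod n."""
    return pow(x, d, n)

def ver(x, y):
    """Textbook RSA verification: ver_k(x, y) = true iff x = y^e mod n."""
    return pow(y, e, n) == x

def existential_forgery(y):
    """Key-only attack (slide 10): any y is a valid signature on x = y^e mod n."""
    return pow(y, e, n), y

def multiplicative_forgery(x1, y1, x2, y2):
    """Chosen-message attack (slide 11): (x1 x2)^d = x1^d x2^d mod n, so the
    product of two obtained signatures signs the product message."""
    return (x1 * x2) % n, (y1 * y2) % n

# Hash-then-sign (slide 14): sig_k(x) = f_k^{-1}(h(x)), ver_k(x, y) iff f_k(y) = h(x).
# h is SHA-256 reduced into Z/nZ, a toy assumption; deployed schemes also pad
# the digest (PKCS#1 v1.5 or PSS) before exponentiating.
def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sig_hashed(msg):
    return pow(h(msg), d, n)

def ver_hashed(msg, y):
    return pow(y, e, n) == h(msg)

def hashed_product_forgery_works(m1, m2):
    """Replay the multiplicative trick against hash-then-sign: y1*y2 would
    need a message whose hash is h(m1)*h(m2) mod n, and m1||m2 is not one."""
    y = sig_hashed(m1) * sig_hashed(m2) % n
    return ver_hashed(m1 + m2, y)

if __name__ == "__main__":
    x, y = existential_forgery(123456789)
    print("textbook RSA, forged (x, y) verifies:", ver(x, y))
    print("hash-then-sign, product forgery verifies:",
          hashed_product_forgery_works(b"pay 10", b" to Bob"))
```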

(15)

Hash algorithm in practice: Example

The SHA (Secure Hash Algorithms) are cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS).

In 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1. Since 2017 Microsoft, Google, Apple and Mozilla have all announced that their respective browsers stop accepting SHA-1 SSL certificates.

Collisions allow two files to produce the same signature, so a signature may appear valid even though that file was never actually signed.

Current use: SHA-2; future: SHA-3 (both have various specifications).

(16)

Hash algorithm in practice: Concept

A stream cipher: one bit or byte at a time (e.g. Caesar, Vernam).

A block cipher: blocks of bits at a time (e.g. Vigenère, Feistel).

Symmetric-key algorithms: DES '1975 (64-bit blocks), 3DES = TDES '1998 (64-bit blocks), AES '2000 (128-bit blocks).

Definition: Hash functions from block ciphers

Let $P = K = C = \{0,1\}^\ell$ for some $\ell \in \mathbb{N}$ and let $E$ be a block cipher: $E : P \times K \to C$, $(x, e) \mapsto E_e(x)$.

Define $h(x_1, \ldots, x_r) \in \{0,1\}^\ell$ with $x_i \in \{0,1\}^\ell$ recursively by $h(\emptyset) = 0$ and

$h(x_1, \ldots, x_r) = E_{\tilde h}(x_r) + \tilde h$, where $\tilde h = h(x_1, \ldots, x_{r-1})$.

SHA-1 : $\{0,1\}^* \to \{0,1\}^{160}$ is such an example.
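The block-cipher hash construction above, worked as an added Python example (not from the lecture): the Feistel cipher E is a constructed toy with $\ell = 32$, "+" is read as XOR on $\{0,1\}^\ell$, and the zero padding of the last block is my assumption.

```python
BLOCK_BITS = 32                       # the slide's l: P = K = C = {0,1}^l
MASK = (1 << BLOCK_BITS) - 1

def _round(half, rk):
    """Constructed toy round function on 16-bit halves (not a real cipher)."""
    v = (half + rk) & 0xFFFF
    v ^= ((v << 5) | (v >> 11)) & 0xFFFF
    return (v * 0x9E37 + 0x79B9) & 0xFFFF

def E(key, x):
    """Toy 8-round Feistel block cipher E_key(x): 32-bit key, 32-bit block.
    A Feistel network is a permutation of the block space for every fixed
    key, which is all the construction needs from E."""
    left, right = x >> 16, x & 0xFFFF
    for i in range(8):
        rot = ((key >> (4 * i)) | (key << (BLOCK_BITS - 4 * i))) & MASK
        left, right = right, left ^ _round(right, rot & 0xFFFF)
    return (left << 16) | right

def h_blocks(blocks):
    """h() = 0 and h(x1..xr) = E_{h~}(x_r) + h~ with h~ = h(x1..x_{r-1});
    the previous hash value is the cipher key, '+' is XOR."""
    state = 0
    for x in blocks:
        state = E(state, x) ^ state
    return state

def h(msg):
    """Hash a byte string: split into 32-bit blocks, zero-padding the last one
    (assumption; the slide does not specify a padding rule)."""
    msg = msg + b"\x00" * (-len(msg) % 4)
    return h_blocks([int.from_bytes(msg[i:i + 4], "big")
                     for i in range(0, len(msg), 4)])
```

Because the padding does not encode the message length, h(b"ab") and h(b"ab\x00\x00") collide; SHA-1 and SHA-2 append the length in their final block for exactly this reason.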

(19)

DSS + Public-key cryptosystem

Alice sends a signed encrypted message to Bob

1. Given $x \in P$, she computes her signature $y = sig_{d_{Alice}}(x)$.

2. She encrypts both $x$ and $y$ using Bob's public key: $z = E_{e_{Bob}}(x, y)$.

3. She sends $z$ to Bob, who decrypts it: $D_{d_{Bob}}(z) = (x, y)$.

4. He uses her public verification function to check whether $ver_{e_{Alice}}(x, y) = true$.

First signed, then encrypted.

Question 16

What if in the DSS + public-key cryptosystem scheme we reverse the order of operations: what if Alice first encrypts $x$ and then signs the result?

(21)

ElGamal variant of Digital Signature

Definition: ElGamal Signature scheme

Let $p$ be a prime and $g$ a primitive element mod $p$.

Let $P = (\mathbb{Z}/p\mathbb{Z})^\times$, $A = (\mathbb{Z}/p\mathbb{Z})^\times \times \mathbb{Z}/(p-1)\mathbb{Z}$ and define $K = \{(p, g, d, y) : y = g^d \bmod p\}$.

For $k = (p, g, d, y)$ and for a secret random $r \in (\mathbb{Z}/(p-1)\mathbb{Z})^\times$, define $sig_k(x; r) = (y_1, y_2)$, where

$y_1 = g^r \bmod p$ and $y_2 = (x - d y_1) r^{-1} \bmod (p-1)$.

For $x, y_1 \in (\mathbb{Z}/p\mathbb{Z})^\times$ and $y_2 \in \mathbb{Z}/(p-1)\mathbb{Z}$, define

$ver_k(x, (y_1, y_2)) = true \iff y^{y_1} (y_1)^{y_2} \equiv g^x \bmod p$.

The public key is $(p, g, y)$ and the private key is $d$.

(22)

ElGamal variant of Digital Signature

Verification step: a signature will be accepted by the verifier, since

$y^{y_1} (y_1)^{y_2} \equiv (g^d)^{y_1} \, g^{r (x - d y_1) r^{-1}} \equiv g^x \bmod p$.

Reminder (a consequence of Fermat's little theorem): since $g$ is primitive mod $p$, it has order $p-1$.

Therefore, $g^{a-b} \equiv 1 \bmod p \iff a \equiv b \bmod (p-1)$.

(23)

ElGamal variant of Digital Signature

Security assumptions: computationally hard to forge a signature

To forge a signature of a given message $x$ without knowing $d$, an attacker chooses an arbitrary $y_1$ and then tries to find $y_2$:

$y_2 \equiv \log_{y_1}\!\left(g^x y^{-y_1} \bmod p\right)$, so he must solve the DLP in $(\mathbb{Z}/p\mathbb{Z})^\times$.

Alternatively, he chooses an arbitrary $y_2$ and then tries to find $y_1$: $y^{y_1} y_1^{y_2} \equiv g^x \bmod p$,

so he must solve this equation with the unknown $y_1$.

Assumption: both problems $\notin$ BPP.

(26)

ElGamal signature scheme: Example of misuse

Proposition: same $r$ twice

The total break holds whenever the same $r$ is used at least twice.

Proof: Let $(y_1, y_2)$ be a signature of $x_1$ and $(y_1, z_2)$ a signature of $x_2$. Then $y^{y_1} y_1^{y_2} \equiv g^{x_1} \bmod p$ and $y^{y_1} y_1^{z_2} \equiv g^{x_2} \bmod p$, thus $g^{x_1 - x_2} \equiv y_1^{y_2 - z_2} \bmod p$.

Since $y_1 = g^r \bmod p$, we have an equation with the unknown $r$: $g^{x_1 - x_2} \equiv g^{r (y_2 - z_2)} \bmod p$, which is equivalent (see the Reminder) to $x_1 - x_2 \equiv r (y_2 - z_2) \bmod (p-1)$.

(27)

ElGamal signature scheme: Example of misuse

We want to solve: $x_1 - x_2 \equiv r (y_2 - z_2) \bmod (p-1)$.

Let $s = \gcd(y_2 - z_2, p-1)$. Then $s \mid (x_1 - x_2)$ and we define $x' = \dfrac{x_1 - x_2}{s}$, $y' = \dfrac{y_2 - z_2}{s}$, $p' = \dfrac{p-1}{s}$.

Then the equation becomes $x' \equiv r y' \bmod p'$. Since $\gcd(y', p') = 1$, we compute $z' = (y')^{-1} \bmod p'$. Then $r \equiv x' z' \bmod p'$. This gives $s$ candidates for $r$:

$r = x' z' + i p' \bmod (p-1)$, for $0 \le i \le s-1$.

We determine the unique correct value by testing the condition $y_1 \equiv g^r \bmod p$.

Now that $r$ is known, the attacker can compute $d$. Indeed, if $\gcd(y_1, p-1) = 1$, then

$d = (x - r y_2)(y_1)^{-1} \bmod (p-1)$.

Otherwise, test the $\gcd(y_1, p-1)$ solutions until the $d$ with $y = g^d \bmod p$ is found.
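ElGamal signing and verification from slide 21, together with the repeated-$r$ key recovery of slides 26 and 27 (including the $s > 1$ candidate search), as an added Python example that is not the lecture's code; $p = 23$, $g = 5$, $d = 7$ and the messages are constructed toy values, and the function names are mine.

```python
from math import gcd

def elgamal_sign(p, g, d, x, r):
    """sig_k(x; r) = (y1, y2): y1 = g^r mod p, y2 = (x - d*y1) * r^-1 mod (p-1)."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be a unit mod p-1")
    y1 = pow(g, r, p)
    y2 = (x - d * y1) * pow(r, -1, p - 1) % (p - 1)
    return y1, y2

def elgamal_verify(p, g, y, x, sig):
    """ver_k(x, (y1, y2)) = true iff y^y1 * y1^y2 = g^x mod p."""
    y1, y2 = sig
    if not (1 <= y1 < p and 0 <= y2 < p - 1):
        return False
    return pow(y, y1, p) * pow(y1, y2, p) % p == pow(g, x, p)

def recover_key_from_reused_r(p, g, y, x1, sig1, x2, sig2):
    """Total break of slides 26-27: two signatures made with the same r share
    y1, and x1 - x2 = r (y2 - z2) mod (p-1) leaks r and then d."""
    (y1, y2), (z1, z2) = sig1, sig2
    if y1 != z1:
        raise ValueError("the attack needs two signatures with equal y1")
    s = gcd(y2 - z2, p - 1)                   # s divides x1 - x2
    x_, y_, p_ = (x1 - x2) // s, (y2 - z2) // s, (p - 1) // s
    r0 = x_ * pow(y_ % p_, -1, p_) % p_     # solves x' = r y' mod p'
    # s candidates r0 + i p'; the right one satisfies y1 = g^r mod p
    r = next(c for c in (r0 + i * p_ for i in range(s)) if pow(g, c, p) == y1)
    # d y1 = x1 - r y2 mod (p-1); gcd(y1, p-1) = t > 1 leaves t candidates
    t = gcd(y1, p - 1)
    m = (p - 1) // t
    d0 = ((x1 - r * y2) // t) * pow(y1 // t, -1, m) % m
    return next(c for c in (d0 + i * m for i in range(t)) if pow(g, c, p) == y)

if __name__ == "__main__":
    p, g, d = 23, 5, 7                       # constructed toy parameters
    y = pow(g, d, p)                         # public key y = 17
    s1, s2 = elgamal_sign(p, g, d, 9, 3), elgamal_sign(p, g, d, 11, 3)
    print("signatures with the same r:", s1, s2)
    print("recovered d =", recover_key_from_reused_r(p, g, y, 9, s1, 11, s2))
```

With these parameters the two signatures share $y_1 = 10$, $s = \gcd(9 - 17, 22) = 2$ leaves two candidates for $r$, and $\gcd(y_1, 22) = 2$ leaves two for $d$; the checks $y_1 = g^r$ and $y = g^d$ pick out $r = 3$ and $d = 7$.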

(30)

EC variant of Digital Signature

ElGamal signature scheme: a suitable signature scheme, not just the use of the ElGamal cryptosystem in the DSS.

Schnorr signature scheme: ElGamal signature in a subgroup of size $q$ of $(\mathbb{Z}/p\mathbb{Z})^\times$ (DLP in a subgroup $\notin$ BPP), and the hashing is integrated in the signing (as opposed to hash-and-sign).

Digital Signature Algorithm (DSA): Schnorr signature scheme + hash-and-sign (SHA-1).

(31)

ECDSA: EC variant of Digital Signature

$p$ prime, $k = \mathbb{Z}/p\mathbb{Z}$, $E = E(k)$, $P \in E$ of prime order $q$.

Definition: ECDSA, hash-and-sign. $P = \{0,1\}^*$, $A = (\mathbb{Z}/q\mathbb{Z})^\times \times (\mathbb{Z}/q\mathbb{Z})^\times$ and

$K = \{(p, q, E, P, d, Q) : Q = dP\}$, where $0 \le d \le q-1$.

For $k = (p, q, E, P, d, Q)$ and a secret random $r$, $1 \le r \le q-1$, define $sig_k(x, r) = (t, s)$, where $rP = (u, v)$ with

$t = u \bmod q$,

$s = r^{-1}(h(x) + d t) \bmod q$.

If either $t = 0$ or $s = 0$, a new random value of $r$ is chosen.

The public key is $(p, q, E, P, Q)$ and the private key is $d$.

(32)

ECDSA: EC variant of Digital Signature

$p$ prime, $k = \mathbb{Z}/p\mathbb{Z}$, $E = E(k)$, $P \in E$ of prime order $q$.

Definition: ECDSA, verification

For $x \in \{0,1\}^*$ and $t, s \in (\mathbb{Z}/q\mathbb{Z})^\times$, we compute $w = s^{-1} \bmod q$,

$i = w h(x) \bmod q$, $j = w t \bmod q$, $(u, v) = iP + jQ$.

$ver_k(x, (t, s)) = true \iff u \bmod q = t$.
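ECDSA signing and verification as defined on slides 31 and 32, added here as a Python example that is not part of the lecture: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{Z}/17\mathbb{Z}$ with $P = (5, 1)$ of prime order $q = 19$ is a constructed toy instance, and the signing and verifying functions take $h(x)$ as an integer already reduced mod $q$.

```python
import hashlib

# Constructed toy curve: y^2 = x^3 + 2x + 2 over Z/17Z has exactly 19 points, so
# the base point P = (5, 1) has prime order q = 19 (real curves: ~256-bit p, q).
p, a, b = 17, 2, 2
P, q = (5, 1), 19

def inv(x, m):
    return pow(x % m, -1, m)

def on_curve(pt):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - a * pt[0] - b) % p == 0

def ec_add(P1, P2):
    """Affine point addition on E; None stands for the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                          # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return R

def h(msg):
    """h: {0,1}* -> Z/qZ, here SHA-256 reduced mod q (toy assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def ecdsa_sign(hx, d, r):
    """sig_k(x, r) = (t, s): (u, v) = rP, t = u mod q, s = r^-1 (h(x) + d t) mod q.
    Returns None when t = 0 or s = 0; the signer must then draw a fresh r."""
    if not 1 <= r < q:
        raise ValueError("r must satisfy 1 <= r <= q-1")
    u, _ = ec_mul(r, P)
    t = u % q
    s = inv(r, q) * (hx + d * t) % q
    return None if t == 0 or s == 0 else (t, s)

def ecdsa_verify(hx, Q, sig):
    """w = s^-1 mod q, i = w h(x), j = w t, (u, v) = iP + jQ; accept iff u mod q = t."""
    t, s = sig
    if not (0 < t < q and 0 < s < q):        # A = (Z/qZ)^x * (Z/qZ)^x
        return False
    w = inv(s, q)
    R = ec_add(ec_mul(w * hx % q, P), ec_mul(w * t % q, Q))
    return R is not None and R[0] % q == t
```

With $d = 7$ the public key is $Q = 7P = (0, 6)$; the nonce $r = 7$ gives $rP = (0, 6)$, hence $t = 0$, which is exactly the case where the slide demands a new $r$.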

(33)

ElGamal Signature scheme versus ECDSA

$d = \log_P Q$, the discrete log: similar to $y = g^d \bmod p$ in the ElGamal SS.

The order of $P$ is a large prime $q$: similar to the order of a primitive $g$.

Computation of $rP$: similar to the computation of $g^r$ in the ElGamal SS.

Computation of $t$, the first coordinate of the elliptic curve point $rP$, mod $q$: similar to the computation of $g^r \bmod p$ to get $y_1$, the first component of the signature $(y_1, y_2)$.

$s$ is computed from $t, d, r, x$: similar to the computation of $y_2$ from $y_1, d, r, x$.

(34)

Test questions

Question 17

1. What if in the argument showing that the existential forgery is always possible we first choose an arbitrary $x$ and then compute the corresponding signature $y$?

2. Assume that the hash function is not collision-resistant. Is an existential forgery using a known message attack possible?

(35)

Test questions

Question 18

Why is the ElGamal signature scheme not just the use of the ElGamal cryptosystem in the DSS? Compare with the RSA signature scheme.

Question 19

Does the ElGamal signature scheme provide authentication?

Compare to the ECDSA.
