Title: Digital Signature
1. Digital Signature
($e$: public key, $d$: secret key) of a signer.
$S_d$: signing function, $V_e$: verification function, $m = V_e(S_d(m))$
2. Attack models
- Total Breaking Attack
  - The attacker knows the public key and tries to recover the corresponding secret key.
- Forgery Attack
  - The attacker knows the public key. He tries to find the signature for a given message.
- Existential Forgery Attack
  - The attacker knows the public key. He tries to find a pair of a message and its signature.
- Chosen Message Attack (CMA)
  - The attacker is able to sign messages but does not know the key used. He tries to perform the (existential) forgery or to obtain the secret key.
3. Forgery Attack
The attacker tries to find the signature $s$ from a given message $m$ and the public key.
[Figure: Forgery attacker. Inputs: message $m$, public key. Output: signature $s$ of $m$. ($d$: secret key)]
4. Existential Forgery Attack
The attacker tries to find a pair of a message and its signature from the public key.
[Figure: Existential forgery attacker. Input: public key. Output: $(m, s)$, a pair of message and signature. ($d$: secret key)]
The message of the pair may be meaningless.
5. Chosen Message Attack
The attacker tries to find a pair $(m, s)$ from several message-signature pairs $(m_i, s_i)$ and the public key.
[Figure: Chosen message attacker. Input: public key. The attacker sends messages $m$ to the signing oracle ($d$: secret key) and receives signatures $S_d(m)$. Output: $(m, s)$, a pair of message and signature.]
If the attacker can choose new messages depending on the signatures already obtained, it is called the adaptive chosen message attack.
6. Definitions of Digital Signature
Digital signature is a triple of algorithms (G, SIG, VER) such that
(1) G is a probabilistic key generating algorithm which returns public key $pk$ and secret key $sk$ depending on the security parameter $k$.
(2) SIG is a signing algorithm, which on input $pk$, $sk$, a message $m$ in $\{0,1\}^k$, and a random number $r$ in $\{0,1\}^k$ ($k < n$), returns a signature $s$.
(3) VER is a verification algorithm, which on input $pk$ and $m$, and $s$, checks if $s$ is valid.
We require $VER(pk, m, s) = 1$ if $s = SIG(m, pk, sk)$.
7. Strongest Security Definition
A signature scheme (G, SIG, VER) is existentially unforgeable against the adaptive chosen message attack if
$\Pr[\,(pk, sk) \leftarrow G(1^k);\ A \text{ chooses } m_i \text{ and gets } s_i = SIG(m_i, pk, sk) \text{ for } i = 1, 2, \ldots, n;\ (m, s) \leftarrow A(pk, m_1, s_1, \ldots, m_n, s_n) : m \ne m_i \text{ for } i = 1, \ldots, n, \text{ and } VER(m, pk, s) = 1\,]$
is negligible in $k$ for every probabilistic polynomial time algorithm $A$.
8. RSA Signature
$p$, $q$: primes, $n = pq$, $ed \equiv 1 \bmod \varphi(n)$,
$e$, $n$: public key, $d$: secret key, (factoring, n 1024 bits)
$M$: message, $M$ in $\{0, 1, \ldots, n-1\}$.
Signing: $S = M^d \bmod n$
Verification: $M = S^e \bmod n$
Key generation: $p = 3$, $q = 5$, $n = 15$, $e = 3$ => $d = 3$
Signing: $M = 13$, $S = 13^d \bmod n$ => $S = 7$
Verification: checking $M = S^e \bmod n$
9. Existential Forgery of RSA
Let $(S_1, S_2)$ be the signatures of the messages $(M_1, M_2)$, namely $S_1 = M_1^d \bmod n$, $S_2 = M_2^d \bmod n$.
Then $S = S_1 S_2 \bmod n$ is the signature of $M = M_1 M_2 \bmod n$, because $S = S_1 S_2 = M_1^d M_2^d = (M_1 M_2)^d \bmod n$.
The message $M$ must be randomized before signing.
The message $M$ is usually signed by $S = h(M)^d \bmod n$, where $h$ is the hash function $h: \{0,1\}^* \to \mathbb{Z}/n\mathbb{Z}$. ($h(M) = h(M_1) h(M_2) \bmod n$ does not hold)
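
The multiplicative property on slide 9 and the effect of hashing before signing, as an added example that is not part of the original slides. It reuses the slide's toy key (p = 3, q = 5, e = 3); the function names, the second larger modulus built from two Mersenne primes, the use of SHA-256 reduced mod n as h, and the sample messages are all assumptions made for illustration.

```python
import hashlib

def keygen(p, q, e):
    """Textbook RSA key from primes p, q; assumes ed = 1 mod (p-1)(q-1)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_raw(m, d, n):            # S = M^d mod n
    return pow(m, d, n)

def verify_raw(m, s, e, n):       # accept iff M = S^e mod n
    return pow(s, e, n) == m % n

def forge_product(pair1, pair2, n):
    """Combine two signed pairs into a valid pair for M1*M2 without using d."""
    (m1, s1), (m2, s2) = pair1, pair2
    return (m1 * m2) % n, (s1 * s2) % n

def h(msg, n):
    """Hash bytes into Z/nZ (SHA-256 reduced mod n; an illustrative choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_hashed(msg, d, n):       # S = h(M)^d mod n
    return pow(h(msg, n), d, n)

def verify_hashed(msg, s, e, n):  # accept iff h(M) = S^e mod n
    return pow(s, e, n) == h(msg, n)

def demo():
    # Slide parameters: p = 3, q = 5, e = 3  =>  n = 15, d = 3.
    n, e, d = keygen(3, 5, 3)
    p1 = (13, sign_raw(13, d, n))             # the slide's pair (M, S)
    p2 = (2, sign_raw(2, d, n))               # second signed pair (constructed)
    forged = forge_product(p1, p2, n)         # valid pair, d never used here
    raw_ok = verify_raw(*forged, e, n)

    # Constructed larger modulus from two Mersenne primes so h has room.
    n2, e2, d2 = keygen(2**89 - 1, 2**107 - 1, 65537)
    a, b = b"pay 10", b"pay 20"               # constructed sample messages
    s = (sign_hashed(a, d2, n2) * sign_hashed(b, d2, n2)) % n2
    # s signs the value h(a)*h(b) mod n2, but no known message hashes to it.
    hashed_ok = any(verify_hashed(m, s, e2, n2) for m in (a, b, a + b))
    return d, p1, forged, raw_ok, hashed_ok

if __name__ == "__main__":
    print(demo())
```
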