Security requirements for signature schemes

1
Security requirements for signature schemes

• Types of attack
• Key-only attack Alices public key.
• Known message attack, a list of signed messages
• (x1,y1), (x2,y2) , ,
• Chosen message attack
• Chose a list message to get the signatures of
  them
• Goal of an attacker
• Total break determine the private key of Alice
• Selective forgery able to create a valid
  signature on a message chosen by someone else
• Existential forgery able to create a valid
  signature for at least one message.

Can a signature scheme be unconditionally secure?
No.
2
Examples based on RSA

• Existential forgery using key-only attack
• Choose a signature y, compute x, then
  verK(x,y)true.
• Based on multiplicative property of RSA
• y1signK(x1), y2signK(x2), then verK(x1x2 mod n,
  y1y2 mod n) true.
• Create a signature y1y2 for x1x2 , so existential
  forgery using known messages attack.
• Oscar wants a signature for x, find x1 and x2,
  such that xx1x2 mod n. ask Alice to sign x1 and
  x2, and get signature for x. so selective forgery
  using chosen message attack.

3
Encryption vs. signature

• Encryption/decryption is used once currently
• But signature may be verified many times for many
  years in the future. So need more secure.

4
Undeniable signature

• The signers cooperation in verifying a
  signature.
• Three components
• a signing algorithm
• a verification algorithm
• a disavowal protocol
• By disavowal protocol, Alice is able to prove a
  forged signature is, in fact, a forgery. (if
  Alice refuses to take part in the disavowal
  protocol, this would be regarded as evidence that
  the signature is, in fact, genuine.)

5
Importance of undeniable signature

• Prevent a signed document from duplication or
  distribution without signers involvement
• Prevent the signer from denying what he/she has
  signed before.
• Alice may claim a valid signature is a forgery
  and either refuse to verify it or carry out the
  protocol in a false way such that the signature
  can not be verified.
• A disavowal protocol will let Alice prove a
  forgery signature is really invalid.
• thus, if Alice refuse to participate disavowal
  protocol, then the signature is really what
  signed by Alice.

6
Scenarios for undeniable signature

• Entity A (the customer) wishes to gain access to
  a secured area controlled by entity B (the Bank).
  If A uses an undeniable signature, then B can not
  prove to anyone else that A used the facility
  without As involvement.
• A creates a package, signs it and sells to B, B
  can not sell to C without As involvement in the
  verification process.

7
Chaum-van Antwerpen undeniable signaturesign
verification

• Let p2q1 be a prime such that q is a prime and
  DLP in Zp is intractable. Let ?? Zp be an
  element of order q. Let 1???q-1 and ??a (mod p).
  Let G denote the multiplicative subgroup of Zp
  of order q (G consists of the quadratic residues
  modulo p). define
• Key space(p,q,?,a,? ??a (mod p)
• p,q,?,? are public key and a is private key.
• For K(p,q,?,a,?) and x?G, define ysigK(x)xa
  mod p.
• For x,y?G, verification is done by executing the
  following
• Bob chooses e1,e2 at random, e1,e2? Zq
• Bob computes cye1?e2 mod p and send it to Alice.
• Alice computes dca-1 mod q mod p and send it to
  Bob.
• Bob accepts y as a valid signature iff dxe1?e2
  mod p.

8
Chaum-van Antwerpen undeniable signatureDisavowal

• Bob chooses e1,e2 at random, e1,e2? Zq
• Bob computes cye1?e2 mod p and send it to Alice.
• Alice computes dca-1 mod q mod p and send it to
  Bob.
• Bob verifies that d ? xe1?e2 mod p.
• Bob chooses f1,f2 at random, f1,f2? Zq
• Bob computes Cyf1?f2 mod p and send it to Alice.
• Alice computes DCa-1 mod q mod p and send it to
  Bob.
• Bob verifies that D ? xf1?f2 mod p.
• Bob concludes that y is a forgery iff (d?-e2)f1
  (D?-f2)e1 mod p.