Framework for digital signature scheme - PowerPoint PPT Presentation

Provided by: EJ09

1
Title
  • Introduction
  • Framework for digital signature scheme
  • RSA and related signature schemes
  • Fiat-Shamir signature schemes

2
Groundwork
  • Digital signatures can provide
    • Authentication
    • Data Integrity
    • Non-Repudiation
  • Biggest Application
    • Certification of public keys in large networks

3
definitions
  • Digital Signature - a data string which
    associates a message with some originating entity
  • Digital Signature Scheme - consists of a
    signature generation algorithm and an associated
    verification algorithm

4
notations
  • $M$: message space
  • $M_S$: signing space
  • $S$: signature space
  • $R$: a one-one mapping from $M$ to $M_S$ called the
    redundancy function
  • $M_R$: the image of $R$

5
more notations...
  • $R^{-1}$: the inverse of $R$ ($R^{-1}: M_R \to M$)
  • $R$: indexing set for signing (a set, not the
    redundancy function above)
  • $h$: a one-way function with domain $M$
  • $M_h$: the image of $h$ ($h: M \to M_h$)
  • $M_h \subseteq M_S$: the hash value space

6
taxonomy of signature schemes
  • signature schemes
    • message recovery: randomized or deterministic
    • appendix: randomized or deterministic

7
schemes with appendix
  • Schemes that require the message as input to the
    verification algorithm
  • More commonly used than schemes with message
    recovery
  • rely on cryptographic hash functions rather than
    customized redundancy functions
  • DSA, ElGamal, Schnorr etc.

8
schemes with appendix
  • (Each entity creates a private key for signing
    messages, and a corresponding public key to be
    used by other entities for verifying signatures.)
  • Select a private key which defines a set
    $S_A = \{S_{A,k} : k \in R\}$ of transformations. Each $S_{A,k}$ is a
    one-to-one transformation from $M_h$ to $S$, called a
    signing transformation.

9
schemes with appendix
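  • $S_A$ defines a corresponding mapping $V_A$ from $M_h \times S$
    to $\{\text{true}, \text{false}\}$ such that
  • $V_A(\tilde{m}, s) = \text{true}$ if $S_{A,k}(\tilde{m}) = s$,
  • and $\text{false}$ otherwise,
  • for all $\tilde{m} \in M_h$, $s \in S$; here $\tilde{m} = h(m)$ for $m \in M$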

10
schemes with appendix
  • $V_A$ is called a verification transformation and is
    constructed such that it may be computed without
    knowledge of the signer's private key
  • A's public key is $V_A$; A's private key is the set
    $S_A$

11
signature generation
  • Select an element $k \in R$
  • Compute $\tilde{m} = h(m)$ and $s = S_{A,k}(\tilde{m})$
  • Signature for $m$ is $s$
  • Both $m$ and $s$ are made available to entities
    which may wish to verify the signature.

12
signature verification
  • Compute $\tilde{m} = h(m)$ and $u = V_A(\tilde{m}, s)$
  • Accept the signature if and only if $u = \text{true}$.

13
desirable properties
  • For each $k \in R$, $S_{A,k}$ should be efficient to
    compute
  • $V_A$ should be efficient to compute
  • It should be computationally infeasible for an
    entity other than the signer to find an $m \in M$ and
    an $s \in S$ such that $V_A(\tilde{m}, s) = \text{true}$, where
    $\tilde{m} = h(m)$

14
Signature schemes with message recovery
  • A digital signature scheme with message recovery
    does not require a priori knowledge of the message
    for the verification
  • The message is recovered from the signature itself.
  • RSA, Rabin, Nyberg-Rueppel etc.

15
Key Generation
  • Select a set $S_A = \{S_{A,k} : k \in R\}$ of
    transformations
  • $S_A$ defines a corresponding mapping $V_A$ with the
    property that $V_A \circ S_{A,k}$ is the identity map on $M_S$
    for all $k \in R$.
  • $V_A$ is the verification transformation and may be
    computed without knowledge of the signer's
    private key.

16
Signature Generation
  • Select an element $k \in R$
  • Compute $\tilde{m} = R(m)$ and $s = S_{A,k}(\tilde{m})$
  • Signature is $s$ and this could be used for
    verification as well as recovering the message $m$

17
Verification
  • Compute $\tilde{m} = V_A(s)$
  • Verify that $\tilde{m} \in M_R$ (if $\tilde{m} \notin M_R$ then reject the
    signature)
  • Recover $m$ from $\tilde{m}$ by computing $R^{-1}(\tilde{m})$.

18
desirable properties
  • For each $k \in R$, $S_{A,k}$ should be efficient to
    compute
  • $V_A$ should be efficient to compute
  • It should be computationally infeasible for an
    entity other than A to find any $s \in S$ such that
    $V_A(s) \in M_R$
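
Added example, not part of the original slides: slides 15 to 18 instantiated with textbook RSA as a deterministic scheme with message recovery (no $k$ is chosen). The toy primes, the 8-bit message space and the redundancy function $R(m) = m \| m$ are assumptions made for the illustration; the exhaustive count shows how the $\tilde{m} \in M_R$ check limits which values of $s$ verify.

```python
# Added illustration, not from the slides. Toy parameters, constructed for the
# example and far too small for real use.
P, Q = 1009, 1013                      # constructed toy primes
N = P * Q                              # signing space M_S = Z_N
E = 65537                              # public exponent: V_A(s) = s^E mod N
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: S_A(x) = x^D mod N
BITS = 8                               # message space M = {0, ..., 255}
MASK = (1 << BITS) - 1

def R(m):
    """Assumed redundancy function R: M -> M_S, the 16-bit value m || m."""
    if not 0 <= m <= MASK:
        raise ValueError("message outside M")
    return (m << BITS) | m

def in_MR(mt):
    """True iff mt lies in M_R, the image of R."""
    return 0 <= mt < (1 << 2 * BITS) and (mt >> BITS) == (mt & MASK)

def R_inv(mt):
    """Inverse of R on M_R."""
    return mt & MASK

def sign(m):
    """Slide 16: m~ = R(m), s = S_A(m~). Deterministic, so no k is chosen."""
    return pow(R(m), D, N)

def verify_recover(s):
    """Slide 17: m~ = V_A(s); reject unless m~ is in M_R; return R^-1(m~)."""
    mt = pow(s, E, N)
    return R_inv(mt) if in_MR(mt) else None

def accepted_signatures():
    """Exhaustively count the s in Z_N that pass verification (toy N only)."""
    return sum(verify_recover(s) is not None for s in range(N))

if __name__ == "__main__":
    s = sign(0x42)
    print("signature:", s, "recovered:", hex(verify_recover(s)))
    print("accepted:", accepted_signatures(), "of", N)
```

If the `in_MR` test were dropped (taking $R$ as the identity), every $s$ would verify to some message, so the last property on slide 18 depends entirely on $M_R$ being a sparse subset of $M_S$.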