Cryptography

1
Cryptography

• Lecture 9Stefan Dziembowskiwww.dziembowski.net
• stefan_at_dziembowski.net

2
Plan

1. Definition od secure signature schemes
2. RSA signatures
3. Hash-and-sign paradigm
4. ElGamal signatures

3
Signature schemes

• digital signature schemes

MACs in the public-key setting
4
Remember MACs?
(m, tTagk(m))
m ? 0,1
Vrfyk(m,t) ? yes,no
Alice
Bob
k
k
Gen(1n)
1n
5
Signature schemes
m ? 0,1
(m, sSignsk(m))
Vrfypk(m,s) ? yes,no
Alice
Bob
pk
sk
Gen(1n)
1n
6
Anyone can verify the signatures
Sign(sk3,m)
P3
P2
public register
sk3
pk1
pk2
pk3
pk4
pk5
1. Sign(sk3,m)
Sign(sk3,m)
P4
2. reads pk3
P1
3. computes Vrfy(pk3,m)
P5
7
Advantages of the signature schemes

• Digital signatures are
• publicly verifiable
• transferable
• provide non-repudiation
• (we explain it on the next slides)

8
Look at the MACs...
k
k
(m, tTagk(m))
m ? 0,1
Alice
Bob

• Why shall I trust you?
• You could have created t yourself (because you
  know k)
• I dont know k, so how can I verify the tag?

Look, I got (m,t) from Alice
Carol
9
Signatures are publicly-verifiable!
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Look, I got (m,s) from Alice
I can calculate Vrfy(pkA,m,s) and check.
Carol
10
So, the signatures are transferable
Alice
skA
Alice signed m
Alice signed m
Alice signed m
s Sign(sk3,m)
I believe it!
I believe it!
I believe it!
(m,s)
(m,s)
(m,s)
pkA
pkA
pkA
pkA
P4
P2
P1
P3
11
Non-repudiation
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
I got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
Judge
12
Digital Signature Schemes

• A digital signature scheme is a tuple
  (Gen,Sign,Vrfy) of poly-time algorithms, such
  that
• the key-generation algorithm Gen takes as input a
  security parameter 1n and outputs a pair
  (pk,sk),
• the signing algorithm Sign takes as input a key
  sk and a message m?0,1 and outputs a signature
  s,
• the verification algorithm Vrfy takes as input a
  key pk, a message m and a signature s, and
  outputs a bit b ? yes, no.If Vrfypk(m,s)
  yes then we say that t is a valid signature on
  the message m.

13
Correctness

• We require that it always holds that
• Vrfypk(m,Signsk(m)) yes
• What remains is to define security of a MAC.

14
How to define security?

• As in the case of MACs, we need to specify
• how the messages m1,...,mt are chosen,
• what is the goal of the adversary.
• Good tradition be as pessimistic as possible!
• Therefore we assume that
• The adversary is allowed to chose m1,...,mt.
• The goal of the adversary is to produce a valid
  signature on some m such that m ? m1,...,mt.

15
security parameter 1n
selects (pk,sk) Gen(1n)
pk
adversary
m1
oracle
Signsk(m1)
. . .
mt
Signsk(mt)

• We say that the adversary breaks the MAC scheme
  at the end she outputs (m, s) such that
• Vrfy(m, s) yes
• m ? m1,...,mt

16
The security definition
sometimes we just say secure

• We say that (Gen,Mac,Vrfy) is existentially
  unforgeable under an adaptive chosen-message
  attack if

A
P(A breaks it) is negligible (in n)
polynomial-timeadversary A
17
How to design secure signature schemes?

• Rember the idea with the trapdoor
  permutations?

18
Trapdoor permutations
A family of permutations indexed by pairs
(pk,sk)
E X ? X(pk,sk) ? keys
this is denoted Dsk
such that
Epk
easy
X
X

• easy one can compute Epk-1 if one knows a
  trapdoor sk
• hard (otherwise)

19
How to encrypt a message m
encryption
c Epk(m)
messages
ciphertext
decryption
m Dsk(c)
one can compute it only if one knows sk
Warning in general its not that simple.
20
How to sign a message m
one can compute it only if one knows sk
signing
signatures
messages
Dsk(m)
verifying
Epk(m)
Warning in general its not that simple.
21
In general its not that simple

1. Not every trapdoor permutation is OK.
2. There are other ways to create signature schemes.
3. One can even construct a signature scheme from
   any one-way function.(this is a theoretical
   construction)

22
The handbook RSA signatures

• N pq, such that p and q are large distinct
  primes
• e is such that gcd(e, f(N)) 1
• d is such that ed 1 (mod f(N))
• Signd ZN ? ZN is defined as
• Sign(m) md mod N.
• Vrfyeis defined as
• Vrfye(m,s) yes if se m (mod N)
• no otherwise
• Correctness
• follows from the fact that (md)e m (mod N)

f(N)) (p-1)(q-1).
public key(N,e)private key(N,d)
23
Problems with the handbook RSA (1/2)

• A no-message attack
• The adversary can forge a signature on a random
  message m.
• Given the public key (N,e)
• he just selects a random s and computes
• m se mod N.
• Trivially, s is a valid signature on m.

24
Problems with the handbook RSA (2/2)

• How to forge a signature on an arbitrary message
  m?

(N,e)
m1
adversary
oracle
Signsk(m1) m1d mod N

• chooses
• random m1
• m2 m / m1 mod N

m2
Signsk(m2) m2d mod N
computes (mod N) m1d m2d (m1 m2)d
md
this is a valid signature on m
25
Is it a problem?

• In many applications probably not.
• But we would like to have schemes that are not
  application-dependent...

26
Solution

• Before computing the RSA function apply some
  function H.
• N pq, such that p and q are large distinct
  primes
• e is such that gcd(e, f(N)) 1
• d is such that ed 1 (mod f(N))
• Signd ZN ? ZN is defined as
• Sign(m) H(m)d mod N.
• Vrfyeis defined as
• Vrfye(m,s) yes if se H(m) (mod N)
• no otherwise

27
How to choose such H?

• A minimal requirement
• it should be collision-resistant.
• (because if the adversary can find two messages
  m,m such that
• H(m) H(m)
• then he can forge a signature on m by asking the
  oracle for a signature on m)

28
A typical choice of H

• Usually H is one of the popular hash functions.
• Additional advantage
• We can sign very long messages keeping the
  modulus N small (its much more efficient!).
• It is called a
• hash-and-sign paradigm.

29
Hash-and-Sign (1/3)

• 1. (Gen,Sign,Vrfy) a signature scheme for
  short messages

yes / no
signature s
Vrfypk
Signsk
s
x
short x
2. a hash function H
H(m)
H
m
30
Hash-and-Sign (2/3)
How to sign a message m?
signature Signsk (H(m))
Signsk
H(m)
H
m
31
Hash-and-Sign (3/3)
How to verify?
yes / no
Vrfypk
s
H(m)
H
m
32
Hash-and-Sign

• It can be proven that this construction is
  secure.
• For this we need to assume that H is taken from a
  family of collision-resilient hash functions.
• Hs s ? keys
• Then s is a part of the public key and the
  private key.

33
What can be proven

• Suppose
• Hs s ? keys is a family of collision-resistant
  hash functions,
• (Gen,Sign,Vrfy) is a secure signature scheme.
• Then the signature scheme constructed on the
  previous slide is secure.

34
Can anything be proven about the hashed RSA
scheme?

• Not really (it is provably secure only under very
  strong assumptions).
• But at least the attacks described before look
  infeasible.
• For the first attack one would need to invert
  H.
• The second attackLooks impossible because the
  adversary would need to find messages m,m1,m2
  such that
• H(m) H(m1) H(m2)

35
Other popular signature schemes

• Based on discrete log
• ElGamal signatures
• Digital Signature Standard (DSS)(also based on
  other groups elliptic curves)
• ...

36
ElGamal signatures
but remember that we can use the hash-and-sign
paradigm
37
How to understand it?start with the verification
condition
the signature
the message
38
Security of ElGamal

• If the discrete log in Zp is hard, then the
  scheme is broken.
• To hope for any security one needs to hash the
  message before signing.
• Is there any proof of security of the hashed El
  Gamal?
• No...