Cryptography - PowerPoint PPT Presentation

About This Presentation
Title:

Cryptography

Description:

Cryptography Lecture 9 Stefan Dziembowski www.dziembowski.net stefan_at_dziembowski.net Plan Definition od secure signature schemes RSA signatures Hash-and-sign paradigm ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 39
Provided by: Dziembowski
Category:

less

Transcript and Presenter's Notes

Title: Cryptography


1
Cryptography
  • Lecture 9Stefan Dziembowskiwww.dziembowski.net
  • stefan_at_dziembowski.net

2
Plan
  1. Definition od secure signature schemes
  2. RSA signatures
  3. Hash-and-sign paradigm
  4. ElGamal signatures

3
Signature schemes
  • digital signature schemes


MACs in the public-key setting
4
Remember MACs?
(m, tTagk(m))
m ? 0,1
Vrfyk(m,t) ? yes,no
Alice
Bob
k
k
Gen(1n)
1n
5
Signature schemes
m ? 0,1
(m, sSignsk(m))
Vrfypk(m,s) ? yes,no
Alice
Bob
pk
sk
Gen(1n)
1n
6
Anyone can verify the signatures
Sign(sk3,m)
P3
P2
public register
sk3
pk1
pk2
pk3
pk4
pk5
1. Sign(sk3,m)
Sign(sk3,m)
P4
2. reads pk3
P1
3. computes Vrfy(pk3,m)
P5
7
Advantages of the signature schemes
  • Digital signatures are
  • publicly verifiable
  • transferable
  • provide non-repudiation
  • (we explain it on the next slides)

8
Look at the MACs...
k
k
(m, tTagk(m))
m ? 0,1
Alice
Bob
  • Why shall I trust you?
  • You could have created t yourself (because you
    know k)
  • I dont know k, so how can I verify the tag?

Look, I got (m,t) from Alice
Carol
9
Signatures are publicly-verifiable!
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
Look, I got (m,s) from Alice
I can calculate Vrfy(pkA,m,s) and check.
Carol
10
So, the signatures are transferable
Alice
skA
Alice signed m
Alice signed m
Alice signed m
s Sign(sk3,m)
I believe it!
I believe it!
I believe it!
(m,s)
(m,s)
(m,s)
pkA
pkA
pkA
pkA
P4
P2
P1
P3
11
Non-repudiation
skA
pkA
(m, s Signsk(m))
m ? 0,1
Alice
Bob
I got (m,s) from Alice
Its not true!I never signed m!
Vrfy(pk,m,s) yesso you cannot repudiate
signing m...
Judge
12
Digital Signature Schemes
  • A digital signature scheme is a tuple
    (Gen,Sign,Vrfy) of poly-time algorithms, such
    that
  • the key-generation algorithm Gen takes as input a
    security parameter 1n and outputs a pair
    (pk,sk),
  • the signing algorithm Sign takes as input a key
    sk and a message m?0,1 and outputs a signature
    s,
  • the verification algorithm Vrfy takes as input a
    key pk, a message m and a signature s, and
    outputs a bit b ? yes, no.If Vrfypk(m,s)
    yes then we say that t is a valid signature on
    the message m.

13
Correctness
  • We require that it always holds that
  • Vrfypk(m,Signsk(m)) yes
  • What remains is to define security of a MAC.

14
How to define security?
  • As in the case of MACs, we need to specify
  • how the messages m1,...,mt are chosen,
  • what is the goal of the adversary.
  • Good tradition be as pessimistic as possible!
  • Therefore we assume that
  • The adversary is allowed to chose m1,...,mt.
  • The goal of the adversary is to produce a valid
    signature on some m such that m ? m1,...,mt.

15
security parameter 1n
selects (pk,sk) Gen(1n)
pk
adversary
m1
oracle
Signsk(m1)
. . .
mt
Signsk(mt)
  • We say that the adversary breaks the MAC scheme
    at the end she outputs (m, s) such that
  • Vrfy(m, s) yes
  • m ? m1,...,mt

16
The security definition
sometimes we just say secure
  • We say that (Gen,Mac,Vrfy) is existentially
    unforgeable under an adaptive chosen-message
    attack if

A
P(A breaks it) is negligible (in n)
polynomial-timeadversary A
17
How to design secure signature schemes?
  • Rember the idea with the trapdoor
    permutations?

18
Trapdoor permutations
A family of permutations indexed by pairs
(pk,sk)
E X ? X(pk,sk) ? keys
this is denoted Dsk
such that
Epk
easy
X
X
  • easy one can compute Epk-1 if one knows a
    trapdoor sk
  • hard (otherwise)

19
How to encrypt a message m
encryption
c Epk(m)
messages
ciphertext
decryption
m Dsk(c)
one can compute it only if one knows sk
Warning in general its not that simple.
20
How to sign a message m
one can compute it only if one knows sk
signing
signatures
messages
Dsk(m)
verifying
Epk(m)
Warning in general its not that simple.
21
In general its not that simple
  1. Not every trapdoor permutation is OK.
  2. There are other ways to create signature schemes.
  3. One can even construct a signature scheme from
    any one-way function.(this is a theoretical
    construction)

22
The handbook RSA signatures
  • N pq, such that p and q are large distinct
    primes
  • e is such that gcd(e, f(N)) 1
  • d is such that ed 1 (mod f(N))
  • Signd ZN ? ZN is defined as
  • Sign(m) md mod N.
  • Vrfyeis defined as
  • Vrfye(m,s) yes if se m (mod N)
  • no otherwise
  • Correctness
  • follows from the fact that (md)e m (mod N)

f(N)) (p-1)(q-1).
public key(N,e)private key(N,d)
23
Problems with the handbook RSA (1/2)
  • A no-message attack
  • The adversary can forge a signature on a random
    message m.
  • Given the public key (N,e)
  • he just selects a random s and computes
  • m se mod N.
  • Trivially, s is a valid signature on m.

24
Problems with the handbook RSA (2/2)
  • How to forge a signature on an arbitrary message
    m?

(N,e)
m1
adversary
oracle
Signsk(m1) m1d mod N
  • chooses
  • random m1
  • m2 m / m1 mod N

m2
Signsk(m2) m2d mod N
computes (mod N) m1d m2d (m1 m2)d
md
this is a valid signature on m
25
Is it a problem?
  • In many applications probably not.
  • But we would like to have schemes that are not
    application-dependent...

26
Solution
  • Before computing the RSA function apply some
    function H.
  • N pq, such that p and q are large distinct
    primes
  • e is such that gcd(e, f(N)) 1
  • d is such that ed 1 (mod f(N))
  • Signd ZN ? ZN is defined as
  • Sign(m) H(m)d mod N.
  • Vrfyeis defined as
  • Vrfye(m,s) yes if se H(m) (mod N)
  • no otherwise

27
How to choose such H?
  • A minimal requirement
  • it should be collision-resistant.
  • (because if the adversary can find two messages
    m,m such that
  • H(m) H(m)
  • then he can forge a signature on m by asking the
    oracle for a signature on m)

28
A typical choice of H
  • Usually H is one of the popular hash functions.
  • Additional advantage
  • We can sign very long messages keeping the
    modulus N small (its much more efficient!).
  • It is called a
  • hash-and-sign paradigm.

29
Hash-and-Sign (1/3)
  • 1. (Gen,Sign,Vrfy) a signature scheme for
    short messages

yes / no
signature s
Vrfypk
Signsk
s
x
short x
2. a hash function H
H(m)
H
m
30
Hash-and-Sign (2/3)
How to sign a message m?
signature Signsk (H(m))
Signsk
H(m)
H
m
31
Hash-and-Sign (3/3)
How to verify?
yes / no
Vrfypk
s
H(m)
H
m
32
Hash-and-Sign
  • It can be proven that this construction is
    secure.
  • For this we need to assume that H is taken from a
    family of collision-resilient hash functions.
  • Hs s ? keys
  • Then s is a part of the public key and the
    private key.

33
What can be proven
  • Suppose
  • Hs s ? keys is a family of collision-resistant
    hash functions,
  • (Gen,Sign,Vrfy) is a secure signature scheme.
  • Then the signature scheme constructed on the
    previous slide is secure.

34
Can anything be proven about the hashed RSA
scheme?
  • Not really (it is provably secure only under very
    strong assumptions).
  • But at least the attacks described before look
    infeasible.
  • For the first attack one would need to invert
    H.
  • The second attackLooks impossible because the
    adversary would need to find messages m,m1,m2
    such that
  • H(m) H(m1) H(m2)

35
Other popular signature schemes
  • Based on discrete log
  • ElGamal signatures
  • Digital Signature Standard (DSS)(also based on
    other groups elliptic curves)
  • ...

36
ElGamal signatures
but remember that we can use the hash-and-sign
paradigm
37
How to understand it?start with the verification
condition
the signature
the message
38
Security of ElGamal
  • If the discrete log in Zp is hard, then the
    scheme is broken.
  • To hope for any security one needs to hash the
    message before signing.
  • Is there any proof of security of the hashed El
    Gamal?
  • No...
Write a Comment
User Comments (0)
About PowerShow.com