Digital Signature - PowerPoint PPT Presentation

1
Digital Signature
  • Sheng Zhong

2
Digital Signature (1)
  • Public-key-based technique for data integrity.
  • A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify).
  • PK: public key space (the set of all possible keys).
  • SK: private key space.
  • M: message space.
  • S: signature space.

3
Digital Signature (2)
  • KG: positive integer $\to PK \times SK$. An efficient algorithm for key generation.
  • Sign: $SK \times M \to S$. An efficient algorithm for signing.
  • Verify: $PK \times M \times S \to \{\text{accept}, \text{reject}\}$. An efficient algorithm for verifying a signature on a message.

4
Correctness Requirement
  • We require that the signature generated by a
    private key can definitely be verified by the
    corresponding public key.
  • For all output (pk, sk) of the key generation
    algorithm, for all message m,
  • $\text{Verify}(pk, m, \text{Sign}(sk, m)) = \text{accept}$.

5
Unforgeability Requirement
  • We require that no adversary is able to forge a signature on any given message.
  • For every efficient algorithm A and every message m, for a public key pk distributed as in the output of the key generation algorithm,
  • $\Pr[\text{Verify}(pk, m, A(pk, m)) = \text{accept}] \le \text{negligible}$.

6
RSA Signature (1)
  • Key generation: same as in the RSA cryptosystem.
  • $N = pq$ is an RSA modulus.
  • $ed \equiv 1 \pmod{\phi(N)}$.
  • Public key: $(N, e)$.
  • Private key: $(N, d)$.
  • Signing: $s = m^d \bmod N$.
  • Note this looks like decryption in the RSA cryptosystem.

7
RSA Signature (2)
  • Verification: return accept if and only if $m \equiv s^e \pmod N$.
  • This looks like encryption in the RSA cryptosystem, right?
  • Why is the scheme correct?
  • Because $s^e \equiv (m^d)^e \equiv m^{de} \equiv m \pmod N$.

8
Unforgeability
  • Recall RSA is a trapdoor one-way function.
  • Without knowing the trapdoor $d$, it should be infeasible to find $s$ such that $s^e \equiv m \pmod N$.
  • The above is equivalent to saying that it is hard to find $s \equiv m^d \pmod N$.
  • So the RSA signature is unforgeable in the very weak sense we described.

9
Inadequacy of Simple Unforgeability
  • The above unforgeability property only ensures that the adversary can't generate a valid signature on any given message.
  • The bad guy can't show people that you have borrowed 1 million from him.
  • But it does not ensure that the adversary can't generate a valid signature on a random message.
  • The bad guy might be able to show that you have done something (which you did not really do).

10
Attack on RSA
  • Adversary picks a random element $s$ of the signature space.
  • Adversary computes $m \equiv s^e \pmod N$.
  • Clearly, $s$ is a valid signature on message $m$.
  • Adversary can claim the signer has done random things!

11
Countermeasure to the Attack
  • We can modify the signing procedure by adding a hash:
  • Signing: $s = (H(m))^d \bmod N$.
  • Verification: return accept if and only if $s^e \equiv H(m) \pmod N$.
  • Clearly, the scheme remains correct.

12
Random attack is no longer feasible.
  • Suppose the hash function is one-way.
  • Then the adversary can compute $s^e$ but can't compute $m = H^{-1}(s^e)$.
  • So the attack is no longer feasible.
  • This is called existential unforgeability.
  • For every efficient algorithm A, for a public key pk distributed as in the output of the key generation algorithm,
  • $\Pr[\text{Verify}(pk, A(pk)) = \text{accept}] \le \text{negligible}$.
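
An added example (not from the slides) that puts slides 6-12 side by side on toy parameters: textbook RSA signing, the random-signature forgery of slide 10, and the hash-then-sign fix of slide 11. SHA-256 reduced mod N stands in for the hash function H; the primes and messages are constructed toy values.

```python
# Added example: textbook RSA signatures vs hash-then-sign on toy parameters.
import hashlib

def rsa_keygen(p: int, q: int, e: int):
    """N = p*q, e*d = 1 (mod phi(N)); returns ((N, e), (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def sign_raw(sk, m: int) -> int:         # slide 6:  s = m^d mod N
    n, d = sk
    return pow(m, d, n)

def verify_raw(pk, m: int, s: int) -> bool:   # slide 7: accept iff m = s^e mod N
    n, e = pk
    return pow(s, e, n) == m % n

def h(m: int, n: int) -> int:
    """Assumed hash H: message -> Z_N, SHA-256 of the message reduced mod N."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(8, "big")).digest(), "big") % n

def sign_hashed(sk, m: int) -> int:      # slide 11: s = H(m)^d mod N
    n, d = sk
    return pow(h(m, n), d, n)

def verify_hashed(pk, m: int, s: int) -> bool:   # accept iff s^e = H(m) mod N
    n, e = pk
    return pow(s, e, n) == h(m, n)

def message_signed_by(pk, s: int) -> int:
    """Slide 10: any s is a raw-RSA signature on the message m = s^e mod N."""
    n, e = pk
    return pow(s, e, n)

def demo():
    pk, sk = rsa_keygen(104729, 1299709, 65537)   # constructed toy primes
    m = 42
    ok_raw = verify_raw(pk, m, sign_raw(sk, m))
    ok_hashed = verify_hashed(pk, m, sign_hashed(sk, m))
    s_random = 1234                               # a signature chosen without the key
    m_random = message_signed_by(pk, s_random)
    raw_accepts = verify_raw(pk, m_random, s_random)
    # The hashed verifier accepts s_random only on a message whose hash equals
    # s^e mod N, i.e. a preimage of H, which a one-way H does not let anyone find.
    hashed_accepts = verify_hashed(pk, m_random, s_random)
    return ok_raw, ok_hashed, raw_accepts, hashed_accepts

if __name__ == "__main__":
    print(demo())                                 # (True, True, True, False)
```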

13
Rabin Signature
  • Another signature scheme, very similar to RSA signature.
  • Key generation: choose an RSA modulus $N = pq$; $N$ is the public key, $(p, q)$ is the private key.
  • Signing: $s = m^{1/2} \pmod N$.
  • Verification: return accept if and only if $m \equiv s^2 \pmod N$.

14
Rabin Signature vs. RSA Signature
  • Difference:
  • Rabin signature uses 2 as the verification exponent.
  • RSA signature uses $e$ as the verification exponent, where $e \in \mathbb{Z}_{\phi(N)}^*$.
  • Advantage of Rabin signature:
  • Faster verification.

15
Unforgeability of Rabin Signature
  • Rabin signature is unforgeable (in the naïve sense) if factorization is hard.
  • Suppose an adversary can forge the signature $s$ on a given message $m$.
  • Then we choose $s'$ randomly, compute $m = (s')^2$, and ask the adversary to forge $s = m^{1/2}$.
  • Note that $s$ and $s'$ are two square roots of $m$.
  • With probability ½, we are able to factor $N$.

16
Attack and Countermeasure
  • Just like the RSA signature scheme, the Rabin signature scheme is existentially forgeable.
  • Pick $s$ and compute $m = s^2 \bmod N$.
  • $s$ is a valid signature on $m$.
  • To prevent such an attack, we can also use a hash function.

17
ElGamal Signature (1)
  • Yet another popular signature scheme.
  • Key generation: like in the ElGamal cryptosystem.
  • Pick a large prime $p$; pick a generator $g$ of $\mathbb{Z}_p^*$; $y = g^x \bmod p$.
  • Public key: $(p, g, y)$
  • Private key: $(p, g, x)$

18
ElGamal Signature (2)
  • Signing:
  • $r = g^l \bmod p$
  • $s = l^{-1}(m - xr) \bmod (p-1)$.
  • $(r, s)$ is the signature on message $m$.
  • Verification: return accept if and only if
  • $r^s \equiv g^m / y^r \pmod p$

19
Valid signature can be verified
20
Verified signature should be valid
  • Intuitively (not rigorously):
  • Can compute valid $s = l^{-1}(m - xr)$
  • $\Rightarrow$ can compute valid $m - xr$
  • $\Rightarrow$ knows $x$

21
Looks Secure
  • The signature does not seem to give away knowledge about $x$.
  • Since in $s = l^{-1}(m - xr)$, $m - xr$ is protected by $l^{-1}$.
  • And in $r = g^l$, $l$ is protected by the hardness of discrete logarithm.

22
Attack on ElGamal Signature (1)
  • Can the signer reuse $l$ in signing?
  • This leads to breaking of the signature scheme.
  • Suppose
  • $r = g^l \bmod p$
  • $s = l^{-1}(m - xr) \bmod (p-1)$
  • $s' = l^{-1}(m' - xr) \bmod (p-1)$.
  • Then $s - s' \equiv l^{-1}(m - m') \pmod{p-1}$.
  • Adversary can figure out $l$ from $m, m', s, s'$.
  • Next, adversary computes $x$ from $l, m, r, s$.

23
Attack on ElGamal Signature (2)
  • Even if the signer does not reuse $l$, an adversary can forge a signature.
  • Attacks discovered by Bleichenbacher in 1996.
  • One example: suppose $(r, s)$ is a signature on message $m$.
  • Let $u = m'/m \pmod{p-1}$ and $s' = su \pmod{p-1}$.
  • Compute $r'$ such that $r' \equiv ru \pmod{p-1}$ and $r' \equiv r \pmod p$.

24
Attack on ElGamal Signature (3)
  • $(r', s')$ is a valid signature on message $m'$.

25
Attack on ElGamal Signature (4)
  • If g is chosen by adversary, Bleichenbacher
    showed a way to forge signatures.
  • Details in textbook. Read if you are interested.

26
Countermeasures
  • Do NOT reuse $l$.
  • Make sure $0 < r < p$.
  • This prevents the example attack because $r' \equiv ru \pmod{p-1}$ and $r' \equiv r \pmod p$ can't be satisfied by any $r'$ between 0 and $p$.
  • Make sure $g$ is generated randomly.
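
An added example (not from the slides) covering slides 17-18, 22 and 26 together: toy ElGamal signing and verification with the two countermeasures above built in (a fresh random $l$ per signature and the $0 < r < p$ check), plus the slide-22 computation that shows exactly what two signatures under the same $l$ give away. The parameters $p = 23$, $g = 5$, $x = 7$ and the messages are constructed toy values.

```python
# Added example: toy ElGamal signatures, the slide-26 checks, and why l must be fresh.
import secrets
from math import gcd

def elgamal_keygen(p: int, g: int, x: int):
    """Returns public key (p, g, y) and private key (p, g, x) with y = g^x mod p."""
    return (p, g, pow(g, x, p)), (p, g, x)

def elgamal_sign(sk, m: int, l=None):
    """(r, s) with r = g^l mod p, s = l^{-1}(m - x r) mod (p-1).
    l is drawn fresh per signature (slide 26); passing l explicitly is only
    here so the reuse computation below can be demonstrated."""
    p, g, x = sk
    if l is None:
        l = secrets.randbelow(p - 2) + 1          # 1 <= l <= p-2
        while gcd(l, p - 1) != 1:                # l must be invertible mod p-1
            l = secrets.randbelow(p - 2) + 1
    r = pow(g, l, p)
    s = (pow(l, -1, p - 1) * (m - x * r)) % (p - 1)
    return r, s

def elgamal_verify(pk, m: int, sig) -> bool:
    p, g, y = pk
    r, s = sig
    if not 0 < r < p:                            # slide-26 range check on r
        return False
    # r^s = g^m / y^r  <=>  y^r * r^s = g^m (mod p); written without a division
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, m, p)

def x_from_reused_l(pk, r: int, m1: int, s1: int, m2: int, s2: int) -> int:
    """Slide 22: s1 - s2 = l^{-1}(m1 - m2) mod (p-1) gives l, then s1 gives x.
    Assumes s1 - s2 and r are invertible mod p-1 (true for the toy values)."""
    p, _, _ = pk
    n = p - 1
    l = (pow((s1 - s2) % n, -1, n) * (m1 - m2)) % n
    return (pow(r % n, -1, n) * (m1 - l * s1)) % n

def demo():
    pk, sk = elgamal_keygen(23, 5, 7)            # constructed toy key; y = 17
    m1, m2 = 5, 2
    sig1 = elgamal_sign(sk, m1, l=13)            # deliberately reused l = 13
    sig2 = elgamal_sign(sk, m2, l=13)            # -> sig1 = (21, 6), sig2 = (21, 21)
    recovered_x = x_from_reused_l(pk, sig1[0], m1, sig1[1], m2, sig2[1])
    r, s = sig1
    rejected = elgamal_verify(pk, m1, (r + 23, s))   # r out of range: rejected
    return elgamal_verify(pk, m1, sig1), elgamal_verify(pk, m2, sig2), recovered_x, rejected

if __name__ == "__main__":
    print(demo())                                # (True, True, 7, False)
```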

27
Existent Forgery (1)
  • Choose $u, v \in \mathbb{Z}_{p-1}$.
  • $r = g^u y^v \bmod p$.
  • $s = -r v^{-1} \bmod (p-1)$.
  • $m = -r u v^{-1} \bmod (p-1)$.
  • Claim: $(r, s)$ is a valid signature on message $m$.

28
Existent Forgery (2)
  • Why does the attack work?
  • Countermeasure: use a hash function.

29
ElGamal Signature Family (1)
  • There are a number of ElGamal-like signature schemes. They differ in details, but share the same basic idea:
  • The signature is to prove that the sender of message $m$ has knowledge of the private key $x$.
  • So it is enough to prove that the sender knows a function of $x$ and $m$.
  • Note that the above function of $x$ and $m$ binds the signature to message $m$.

30
ElGamal Signature Family (2)
  • However, the function of $x$ and $m$ cannot itself be the signature, because the adversary may compute $x$ from it.
  • So the signer protects the function of $x$ and $m$ using a random factor, to get one part of the signature.
  • The random factor is the other part of the signature; the random factor is now protected by the hardness of discrete logarithm.
  • All signature schemes using the above idea belong to the ElGamal signature family.

31
ElGamal signature belongs to the ElGamal signature family
  • Look at the ElGamal signature:
  • Function of $x$ and $m$:
  • $m - xr$.
  • Protect the above using a random factor:
  • $s = l^{-1}(m - xr)$
  • Protect the random factor using discrete logarithm:
  • $r = g^l$

32
Schnorr Signature
  • Another member of the ElGamal signature family.
  • Function of $x$ and $m$:
  • $H(m, r)x$.
  • Protect the above using a random factor:
  • $s = H(m, r)x + l$
  • Protect the random factor using discrete logarithm:
  • $r = g^l$

33
Digital Signature Standard (DSS)
  • Yet another member of the ElGamal signature family.
  • Function of $x$ and $m$:
  • $H(m) + xr$.
  • Protect the above using a random factor:
  • $s = l^{-1}(H(m) + xr)$
  • Protect the random factor using discrete logarithm:
  • $r = g^l$

34
Security of ElGamal Signature Family
  • There are many other members of ElGamal signature
    family.
  • Each has a lot of details that require attention.
  • But note that ElGamal signature family is a
    general method of designing signature schemes.
  • NOT a method for security proof.
  • So the security of each member has to be analyzed
    case by case.

35
Optional Topic: Unforgeability and Chosen Message Attack
  • Chosen Message Attack: a strong adversary model for digital signatures.
  • Analogous to CCA2 for encryption.
  • Assumes the adversary can obtain signatures from an oracle for any messages he chooses.
  • Then ask whether the adversary is able to figure out a new (message, signature) pair.

36
Oracle Machine
  • An oracle machine is associated with a
    functionality.
  • It maps an input sequence (called queries) to a probability distribution over output sequences (called answers).
  • A query/answer can depend on earlier queries/answers.
  • But it can't depend on later queries/answers.
  • Note that the functionality does NOT need to be
    (efficiently) computable.

37
Use of Oracle Machine
  • We can let an algorithm A have access to an
    oracle machine M.
  • Whenever needed, A can send queries of his choice to M and get answers.
  • This can help A complete a lot of computational tasks.
  • A can't look inside M. In other words, A does not know what's happening in M.

38
Unforgeability against Chosen Message Attack (CMA)
  • Suppose M is an oracle machine that returns signatures for any query messages. A digital signature is (existentially) unforgeable against Chosen Message Attack if for every efficient algorithm A that has access to M, for signing key $k_s$ and verification key $k_v$ distributed as specified in the scheme, for every polynomial $p(\cdot)$, for all sufficiently large $k$,
  • $\Pr[\text{Verify}(k_v, A^M(k_v)) = \text{accept} \text{ and the message in } A^M(k_v) \text{ is not a query of } A \text{ to } M] < 1/p(k)$

39
Unforgeable Signature against CMA
  • Suppose $\{f_i\}$ is a family of trapdoor one-way permutations. Then we can construct a signature scheme that is unforgeable against CMA.
  • Recall $\{f_i\}$ should have efficient algorithms I, D, F for initialization, domain sampling, and function evaluation, respectively.
  • We start by giving a secure signature scheme for a single bit; then we extend this signature scheme to longer messages.

40
Secure Signature for a Single Bit (1)
  • For key generation, we first run I to get index $i$ and trapdoor $d$.
  • We then use D to sample two points $a, b$ from the domain of $f_i$, uniformly and independently.
  • We next use F to compute $f_i(a)$ and $f_i(b)$.
  • The public key is $(i, f_i(a), f_i(b))$.
  • The private key is $(a, b)$.

41
Secure Signature for a Single Bit (2)
  • Signing:
  • The signature of 0 is $a$.
  • The signature of 1 is $b$.
  • Verification:
  • If the message is 0, check $f_i(\text{signature}) = f_i(a)$.
  • If the message is 1, check $f_i(\text{signature}) = f_i(b)$.

42
Security Analysis
  • Even if the adversary sees the signature of 0, he can't find out the signature of 1.
  • Because $f_i$ is trapdoor one-way, and thus without knowing the trapdoor the adversary can't compute $b$ from $f_i(b)$.
  • Similarly, even if the adversary sees the signature of 1, he can't find out the signature of 0.
  • Random message attack is not feasible.
  • Because the domain of $f_i$ is large, and thus it is infeasible to find a random signature.

43
Extension to Longer Messages
  • A longer message consists of multiple bits.
  • So we only need to use the single-bit signature scheme multiple times.
  • For each bit of the message we have a different
    instance of the signature scheme for single bit.
  • The signatures of all bits constitute the
    signature of the entire message.

44
Problem with Extension
  • The above simple extension works for a single
    message of multiple bits.
  • But it is subject to attack when there are
    multiple messages.
  • Consider for example $m_1 = 1011$, $m_2 = 0100$, $m_3 = 1111$.
  • When you have the signatures of $m_1$ and $m_2$, you can actually derive the signature of $m_3$.
  • The signatures of the 1st, 3rd, and 4th bits of $m_3$ come from the signature of $m_1$.
  • The signature of the 2nd bit of $m_3$ comes from the signature of $m_2$.
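
An added example (not from the slides) that implements the single-bit scheme of slides 40-41, extends it bit by bit as on slide 43, and reproduces the slide-44 mix-and-match of $m_1 = 1011$ and $m_2 = 0100$ into a signature on $m_3 = 1111$. SHA-256 is used as a stand-in for the trapdoor one-way permutation $f_i$ (an assumption: a plain one-way function suffices to show the problem, since the attack never uses the trapdoor); the keys are randomly generated and the messages are constructed.

```python
# Added example: one-bit signatures from a one-way function, the bitwise extension,
# and the slide-44 mix-and-match that breaks it once the same instances sign twice.
import hashlib
import secrets

def f(x: bytes) -> bytes:                      # stand-in for f_i (assumption: SHA-256)
    return hashlib.sha256(x).digest()

def keygen_bit():
    """One instance: secret (a, b) sampled from the domain, public (f(a), f(b))."""
    a, b = secrets.token_bytes(16), secrets.token_bytes(16)
    return (f(a), f(b)), (a, b)

def sign_bit(sk_bit, bit: int) -> bytes:       # 0 -> a, 1 -> b
    return sk_bit[bit]

def verify_bit(pk_bit, bit: int, sig: bytes) -> bool:
    return f(sig) == pk_bit[bit]               # check f_i(signature) = f_i(a) or f_i(b)

def keygen(nbits: int):
    """Slide 43: a different single-bit instance for every bit position."""
    pairs = [keygen_bit() for _ in range(nbits)]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]

def sign(sk, bits):
    return [sign_bit(k, b) for k, b in zip(sk, bits)]

def verify(pk, bits, sig) -> bool:
    return len(sig) == len(pk) == len(bits) and all(
        verify_bit(k, b, s) for k, b, s in zip(pk, bits, sig))

def mix_and_match(seen, target):
    """Slide 44: assemble a signature on `target` from signatures on other messages
    made with the same instances. Returns None if some bit value was never signed."""
    out = []
    for i, bit in enumerate(target):
        piece = next((sig[i] for msg, sig in seen if msg[i] == bit), None)
        if piece is None:
            return None
        out.append(piece)
    return out

def demo():
    m1, m2, m3 = [1, 0, 1, 1], [0, 1, 0, 0], [1, 1, 1, 1]
    pk, sk = keygen(4)
    seen = [(m1, sign(sk, m1)), (m2, sign(sk, m2))]
    forged = mix_and_match(seen, m3)           # bits 1,3,4 from m1, bit 2 from m2
    only_m1 = mix_and_match(seen[:1], m3)      # one signature alone is not enough
    return verify(pk, m3, forged), only_m1 is None

if __name__ == "__main__":
    print(demo())                              # (True, True)
```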

45
Fixing the Problem
  • To fix the problem, we need to make sure that the
    signatures of different messages use different
    instances of the signature scheme for single bit.
  • This can be done by having the signer re-choose
    the instances after signing each message.
  • To notify verifier of the new instances, the
    signer must sign them and include them in the
    signature.
  • In fact, a complete history of message signing
    and instance changing must be included in the
    signature.
  • Fixed as above, the scheme can be proved to be existentially unforgeable against CMA.

46
Authentication of Fresh Message
  • In the above, we introduced MAC and digital
    signature for message authentication.
  • They guarantee a message was indeed sent by a
    specific entity.
  • However, the message might actually be a replay
    of a very old message.
  • To guarantee the message is fresh, when we use a MAC or digital signature, we should
  • Include a time stamp as part of the message, or
  • Include a fresh nonce chosen by the receiver as part of the message.