Undeniable signature

1
Undeniable signature

• RSA signature (Cryptosystem 7.1, page 276 of CPT)
• Forged signature
• How to prevent forged signature
• ElGamal signature (Cryptosystem 7.2, page 281 of
  CPT)
• 2048 bit signature (in general)
• Digital Signature Algorithm (DSA) (Cryptosystem
  7.4, page 289 of CPT)
• 320 bit signature
• SHA-1(x) before signing x.

2
Security requirements for signature schemes

• Types of attack
• Key-only attack Alices public key.
• Known message attack, a list of signed messages
• (x1,y1), (x2,y2) , ,
• Chosen message attack
• Chose a list message to get the signatures of
  them
• Goal of an attacker
• Total break determine the private key of Alice
• Selective forgery able to create a valid
  signature on a message chosen by someone else
• Existential forgery able to create a valid
  signature for at least one message.

3
Examples based on RSA

• Existential forgery using key-only attack
• Based on multiplicative property of RSA
• y1signK(x1), y2signK(x2), then verK(x1x2 mod n,
  y1y2 mod n) true.
• Create a signature y1y2 for x1x2 , so existential
  forgery using known messages attack.
• Oscar wants a signature for x, find x1 and x2,
  such that xx1x2 mod n. ask Alice to sign x1 and
  x2, and get signature for x. so selective forgery
  using chosen message attack.

4
Encryption vs. signature

• Encryption/decryption is used once currently
• But signature may be verified many times for many
  years in the future. So need more secure.

5
Undeniable signature

• The signers cooperation in verifying a
  signature.
• Three components
• a signing algorithm
• a verification algorithm
• a disavowal protocol
• By disavowal protocol, Alice is able to prove a
  forged signature is, in fact, a forgery. (if
  Alice refuses to take part in the disavowal
  protocol, this would be regarded as evidence that
  the signature is, in fact, genuine.)

6
Importance of undeniable signature

• Prevent a signed document from duplication or
  distribution without signers involvement
• Prevent the signer from denying what he/she has
  signed before.

7
Scenarios for undeniable signature

• Entity A (the customer) wishes to gain access to
  a secured area controlled by entity B (the Bank).
  If A uses an undeniable signature, then B can not
  prove to anyone else that A used the facility
  without As involvement.
• A creates a package, signs it and sells to B, B
  can not sell to C without As involvement in the
  verification process.

8
Chaum-van Antwerpen undeniable signature scheme

• Algorithm 11.122 on page 476 and 11.125 on page
  477 of HAC.

9
Elliptic curve cryptosystem

• Why ECC?
• Exist sub-exponential algorithms of factoring or
  solving DLP.
• But for ECC, the sub-exponential algorithm of
  breaking it has not been found.
• Means ECC is more secure than RSA or ElGamal
• Or to say, using much smaller key size can
  achieve the same security as RSA or ElGamal with
  large key size, so more efficient.
• Some of the following figures are copied from
  http//www.certicom.com/resources/ecc_tutorial/ecc
  _tut_2_0.html

10
Elliptic curve group over real number

• y2 x3 ax b, where x, y, a and b are real
  numbers, where 4a3 27b2 ?0.
• All (x,y) points satisfying above equation along
  with infinite point O and addition operation,
  form a group
• Suppose P(x,y) then define
• P(x,-y)

11
Elliptic curve example
12
Addition operation (A Geometric Approach)

• If P and Q are distinct, and P ? -Q, define PQ
  as follows
• Draw a line through P and Q, then the line will
  intersect with the curve, the intersected point
  is denoted as R, and define PQR.
• Define P (-P) O
• If P(x,0), then PP O , (in fact, a vertical
  line)
• Otherwise, draw a tangent line through p, the
  intersected point is defined as R, then PP 2P
  R.

13
Definition of PQ R
14
Definition of P(-P)
15
Definition of PP (where y!0)
16
Definition of PP (where y0)
17
Elliptic Curve Addition An Algebraic Approach

• Adding distinct points P and Q When P (xP,yP)
  and Q (xQ,yQ) and P? Q, P ? -Q, P Q R
  where s (yP - yQ) / (xP - xQ)xR s2 - xP - xQ
  and yR s(xP - xR) - yP Note that s is the
  slope of the line through P and Q.
• Doubling the point P When yP is not 0,2P R
  where s (3xP2 a) / (2yP )xR s2 - 2xP and
  yR s(xP - xR) -yP
• P (-P) O,
• If P (xP,yP) and yP 0, then P P 2P O.

18
Elliptic Curve Groups over Zp

• Zp 0,1,,p-1
• y2 mod p x3 ax b mod p
• Where a and b are in Zp, and x, y are also in Zp.
• 4a3 27b2 ?0 mod p.
• Addition with modular p.
• Example P23, ZpZ23. y2 x3 x
• (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13)
  (13,5) (13,18) (15,3) (15,20) (16,8) (16,15)
  (17,10) (17,13) (18,10) (18,13) (19,1) (19,22)
  (20,4) (20,19) (21,6) (21,17)

19
y2 mod 23 x3 x mod 23
20
Elliptic Curve groups and the Discrete Logarithm
Problem

• Points on Elliptic curve along with addition
  operation form a group.
• Given a point P (P ? (x, 0)), consider 2PPP,
  3P2PP, ., nP(n-1)PP,
• Given any n, it is easy to compute RnP, however
  given R, it is very difficult to find n, such
  that nPR. called Elliptic Curve Discrete
  Logarithm Problem (ECDLP).
• Here the addition is same as the multiplication
  in Zp.

21
Many cryptosystems can be formed based on
Elliptic Curve

• Given elliptic curve E and a point ? (generator)
• Example 1 ElGamal system
• Suppose ?b?, (E, ?, ?) are public, and b is
  secret.
• Encryption randomly select a k, E(x,k)(k?,
  xk?)
• Decryption D(y1,y2) y2 - by1.
• Example 2 Diffie-Hellman key exchange
• Alice selects an a, computes Aa?, send A to Bob
• Bob selects a b, computes Bb?, sends B to Bob
• Then Alice can compute the key KaBab?,
  similarly, Bob computes the key KbAab?.

22
ECC example, y2x3 x6 over Z11

• Computing the points
• For x0,1,..,10, compute z x3 x6 mod 11.
• Check whether z is a quadratic residue
• By Legendre symbol ( ) z(p-1)/2 mod p z5
  mod p.
• If YES, compute two square roots
• Algorithm 3.36, ? z(p1)/4 mod p ? z3 mod p.
• The points (2,4),(2,7), (3,5),(3,6),
  (5,2),(5,9), (7,2),(7,9), (8,3),(8,8),
  (10,2),(10,9), O.
• Any group of prime order is cyclic. So the group
  is isomorphic to Z13. (Note not Z13). Any
  element except O is a generator.

z
p
23
ECC example (cont.)

• Let us select ?(2,7) as a generator.
• Compute the 2?, 3?, as following
• xR s2 - xP - xQ and yR s(xP - xR) - yP
  where
• s (yP - yQ) / (xP - xQ) if P ? Q.
• s (3xP2 a) / (2yP ) if PQ.
• ?(2,7), 2?(5,2), 3?(8,3), 4?(10,2)
• 5?(3,6), 6?(7,9), 7?(7,2), 8?(3,5)
• 9?(10,9), 10?(8,8), 11?(5,9), 12?(2,4)

24
ECC exampleElGamal encryption

• ElGamal ?b? 7? (7,2).
• Suppose message is x(10,9) (a point on E).
• Select a random k3, then the encrypted message
  is
• y13 ? 3(2,7) (8,3).
• y2x3? (10,9)3(7,2)(10,9)(3,5) (10,2).
• Decryption y2 - by1(10,2) 7(8,3) (10,2)
  (3,5) (10,2) (3,6) (10,9).