Digital Signatures: A Comprehensive Overview, Study notes of Advanced Computer Architecture

An in-depth exploration of digital signatures, their principles, and various signature schemes including RSA, DSA, Schnorr, and implicit certificates. Topics covered include cryptographic hash functions, security of signature schemes, and services such as verification and message recovery.

Typology: Study notes

2010/2011

Uploaded on 09/07/2011

COMSM2004 : Digital Signatures
B. Warinschi and N.P. Smart
Department of Computer Science,
University Of Bristol,
Merchant Venturers Building,
Woodland Road,
Bristol, BS8 1UB
United Kingdom.
January 30, 2009

Outline

Generalities on Signatures

Cryptographic Hash Functions

Security of Signature Schemes

Secure RSA Signatures

DSA

Schnorr Signatures

Implicit Certificates

Signatures with Message Recovery


Digital Signatures

Another very important public key primitive is the digital signature. The idea is

Message + Alice’s Private Key = Signature

Message + Signature + Alice’s Public Key = YES/NO

Alice can sign a message using her private key. Anyone can verify Alice’s signature, since everyone can obtain her public key. After verification the verifier is convinced that only Alice could have produced the signature because
- only Alice knows her private key!

Note: The above outline is a signature scheme with appendix.


Digital Signatures

On the last slide we described a signature scheme with appendix: the message is an explicit input of the verification algorithm. Some signature schemes have the property of message recovery: the message is recovered from a signature. The basic idea is

Message + Alice’s Private Key = Signature

Signature + Alice’s Public Key = Message or INVALID

Henceforth we denote a public/secret key pair (pk, sk). A message is denoted m, the signing algorithm is denoted S, the verification algorithm is denoted V, and a signature is denoted s. So we have S(sk, m) = s and V(s, m, pk) = YES/NO (for the with-appendix case).


RSA Signatures

Recall RSA. Alice picks two large primes $p$ and $q$.
- $p$, $q$ have around 512 bits.
- $N = pq$.

Alice also chooses an encryption exponent $e$ with

$$\gcd(e, (p - 1)(q - 1)) = 1$$

Alice publishes $(N, e)$: the public key.

Via xgcd Alice computes $d$ such that

$$e \cdot d \equiv 1 \pmod{(p - 1)(q - 1)}.$$

Alice keeps $(d, p, q)$ secret: the secret/private key.

Encryption: $c = m^e \bmod N$

Decryption: $m = c^d \bmod N$

RSA Signatures

RSA can be used as a signature scheme.
- Sender applies decryption transform to generate the signature: $s = m^d \bmod N$.
- Receiver applies encryption transform to recover original message: $m = s^e \bmod N$.

How do we check for validity of the signature?
- If the original message is natural language, we can verify that the extracted message is also in natural language.
- Not a good idea in general!

Hence we (may) need to add redundancy to the message before signing.
- If the extracted message does not have the required redundancy it is not accepted.


Signing Long Messages

To apply RSA signing to a long message $m$ one could
- break $m$ into blocks $m_1, m_2, \ldots$ and
- sign each block in turn.

This is very time consuming for long messages!

Worse than this, we must add serial numbers and redundancy to each message!
- If we don’t do this an attacker could delete parts of the long message without us knowing.

Luckily there is a much better way to sign long messages using RSA!

The method we have just described is a signature scheme with message recovery; the one we are about to see is a signature scheme with appendix.

Signature Schemes with Appendix (or without Message Recovery)

Suppose we have a signature transform S that can sign $m \in \{0, 1\}^n$ using a secret key sk: s = S(m, sk).

Having computed s we transmit the pair (m, s).

The verification process V takes three inputs: message m, signature s and public key pk.

The verification process outputs a bit indicating whether or not s is a valid signature on m under public key pk.

To use this process to obtain signatures on messages of arbitrary length, as opposed to messages from $\{0, 1\}^n$, we require the use of a cryptographic hash function.


An RSA Signature Scheme with Appendix

Using a cryptographic hash function H it is possible to create a signature scheme with appendix (i.e. without message recovery) based on RSA.

Suppose we have an RSA key pair (e, N), (d, N) such that N has n bits.

We use a hash function $H : \{0, 1\}^* \to \{0, 1\}^n$.

To sign $m \in \{0, 1\}^*$:
- Compute $H(m)$.
- Compute signature by ’decrypting’ $H(m)$: $s = H(m)^d \bmod N$.


An RSA Signature Scheme with Appendix

To verify signature s on message m:

- ’Encrypt’ $s$ to recover $H(m)' = s^e \bmod N$.
- Compute $H(m)$.
- Check whether $H(m)' = H(m)$.
- If $H(m)' = H(m)$, accept the signature. Otherwise reject.

The standardised way of doing this is slightly different (we will see it in a later lecture) but the intuition is the same.


RSA Signature: Collision Resistance Property

We also require H to be collision resistant.

Suppose that H is not collision resistant. A malicious signer could proceed as follows.
- Find $m$ and $m'$ such that $H(m) = H(m')$.
- Sign $m$: $s = H(m)^d \bmod N$.
- Claim that $s$ is really a signature on $m'$.

The above undermines the non-repudiation offered by the scheme.
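The hash-then-sign scheme and the collision problem from the slides above, as an added example that is not part of the lecture notes. The toy RSA key and the 24-bit truncation of SHA-256 are assumptions, chosen so that a collision turns up after roughly 2^12 hashes instead of being out of reach.

```python
import hashlib
from itertools import count

# Toy RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # e*d = 1 mod (p-1)(q-1), needs Python 3.8+

HASH_BITS = 24  # assumption: deliberately short so a collision is findable


def H(m: bytes) -> int:
    """SHA-256 truncated to HASH_BITS bits, standing in for a weak H."""
    digest = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return digest >> (256 - HASH_BITS)


def sign(m: bytes) -> int:
    """s = H(m)^d mod N"""
    return pow(H(m), D, N)


def verify(m: bytes, s: int) -> bool:
    """Accept iff s^e mod N equals H(m)."""
    return pow(s, E, N) == H(m)


def find_collision():
    """Birthday search: hash distinct messages until two digests coincide."""
    seen = {}
    for i in count():
        m = b"Pay Bob %d pounds" % i  # constructed sample messages
        h = H(m)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


if __name__ == "__main__":
    m = b"Pay Bob 30 pounds"
    s = sign(m)
    print("genuine accepted:", verify(m, s))
    print("altered accepted:", verify(b"Pay Bob 30000 pounds", s))
    m1, m2, tries = find_collision()
    print(f"collision after {tries} hashes, about 2^{HASH_BITS // 2}")
    print(m1, m2, "same signature verifies:", verify(m2, sign(m1)))
```

With the full 256-bit output the same search would need about 2^128 hashes, which is why the digest length, and not only the RSA key size, bounds the non-repudiation the scheme offers.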


Birthday Paradox

It is harder to construct collision resistant hash functions than one-way hash functions.

This is owing to the birthday paradox. (Actually not a paradox at all.)

How probable is it that a person in the room has a particular birthday?

How probable is it that two people in this room have the same birthday?

Experiment time!
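A worked answer to the two questions, added here and not part of the lecture notes. It assumes $k$ people in the room and 365 equally likely birthdays.

$$P_{\text{particular}}(k) = 1 - \left(\frac{364}{365}\right)^{k}, \qquad P_{\text{same}}(k) = 1 - \prod_{i=1}^{k-1}\left(1 - \frac{i}{365}\right).$$

For $k = 23$ this gives $P_{\text{particular}} \approx 0.061$ but $P_{\text{same}} \approx 0.507$. Replacing 365 by the $2^n$ possible values of an $n$-bit hash, matching one given hash value takes on the order of $2^n$ trials, while finding any two messages with the same hash value takes on the order of $2^{n/2}$.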


Hash Function Security

A cryptographic hash function should have the following properties.

Preimage resistant : It is hard to find a message with a given hash value.

Collision Resistant : It is hard to find two messages with the same value.

Second Preimage Resistant : Given m and H(m) it is hard to find m′ with H(m′) = H(m).

The security of a signature scheme depends on both the security of the underlying public key scheme and the security of the hash function used in the construction.


Avalanche Effect

A basic design principle when designing hash functions is that the hash function should produce an avalanche effect.

In other words a small change in the input produces a large and unpredictable change in the output.

This is needed so that a signature on a cheque for 30 pounds cannot be altered into a signature on a cheque for 30000 pounds.
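Measuring the avalanche effect, as an added example that is not part of the lecture notes. The 16-bit additive checksum is a constructed contrast with no avalanche, and the cheque strings are sample inputs.

```python
import hashlib


def additive_checksum(m: bytes) -> bytes:
    """16-bit sum of the bytes: a non-cryptographic checksum (constructed contrast)."""
    return (sum(m) % 65536).to_bytes(2, "big")


def sha256(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(h, m: bytes) -> float:
    """Mean fraction of output bits that change over every single-bit flip of m."""
    base = h(m)
    total = 0
    for i in range(len(m) * 8):
        flipped = bytearray(m)
        flipped[i // 8] ^= 1 << (i % 8)  # flip exactly one input bit
        total += hamming(base, h(bytes(flipped)))
    return total / (len(m) * 8 * len(base) * 8)


if __name__ == "__main__":
    cheque = b"Pay Bob 30 pounds"        # constructed sample input
    altered = b"Pay Bob 30000 pounds"    # constructed sample input
    print("SHA-256 avalanche:  %.3f" % avalanche(sha256, cheque))
    print("checksum avalanche: %.3f" % avalanche(additive_checksum, cheque))
    print("bits differing between the two cheques (of 256):",
          hamming(sha256(cheque), sha256(altered)))
```

A value near 0.5 means each output bit flips about half the time, so a digest of the altered cheque is unrelated to the digest that was signed.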
