































































An in-depth exploration of digital signatures, their principles, and various signature schemes including RSA, DSA, Schnorr, and implicit certificates. Topics covered include cryptographic hash functions, security of signature schemes, and services such as verification and message recovery.
































































B. Warinschi and N.P. Smart
Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.
January 30, 2009
Generalities on Signatures
Cryptographic Hash Functions
Security of Signature Schemes
Secure RSA Signatures
DSA
Schnorr Signatures
Implicit Certificates
Signatures with Message Recovery
Another very important public key primitive is the digital signature. The idea is
    Message + Alice’s Private Key = Signature
    Message + Signature + Alice’s Public Key = YES/NO
Alice can sign a message using her private key. Anyone can verify Alice’s signature, since everyone can obtain her public key. After verification the verifier is convinced that only Alice could have produced the signature because
- only Alice knows her private key!
Note: The above outline is a signature scheme with appendix.
On the last slide we described a signature scheme with appendix: the message is an explicit input of the verification algorithm. Some signature schemes have the property of message recovery: the message is recovered from a signature. The basic idea is
    Message + Alice’s Private Key = Signature
    Signature + Alice’s Public Key = Message or INVALID
Henceforth we denote a public/secret key pair (pk, sk). A message is denoted m, the signing algorithm is denoted S, the verification algorithm is denoted V, and a signature is denoted s. So we have S(sk, m) = s and V(s, m, pk) = YES/NO (for the with-appendix case).
Recall RSA. Alice picks two large primes p and q.
- p, q have around 512 bits.
- $N = pq$.
Alice also chooses an encryption exponent e with
$$\gcd(e, (p-1)(q-1)) = 1.$$
Alice publishes (N, e): the public key. Via xgcd Alice computes d such that
$$e \cdot d \equiv 1 \pmod{(p-1)(q-1)}.$$
Alice keeps (d, p, q) secret: the secret/private key.
Encryption: $c = m^e \bmod N$
Decryption: $m = c^d \bmod N$
RSA can be used as a signature scheme.
- Sender applies the decryption transform to generate the signature: $s = m^d \bmod N$.
- Receiver applies the encryption transform to recover the original message: $m = s^e \bmod N$.
How do we check for validity of the signature?
- If the original message is natural language, one can verify that the extracted message is also in natural language.
- Not a good idea in general!
Hence we (may) need to add redundancy to the message before signing.
- If the extracted message does not have the required redundancy it is not accepted.
To apply RSA signing to a long message m one could
- break m into blocks $m_1, m_2, \ldots$ and
- sign each block in turn.
This is very time consuming for long messages!
Worse than this, we must add serial numbers and redundancy to each message!
- If we don’t do this an attacker could delete parts of the long message without us knowing.
Luckily there is a much better way to sign long messages using RSA!
The method we have just described is a signature scheme with message recovery; the one we are about to see is a signature scheme with appendix.
Suppose we have a signature transform S that can sign $m \in \{0,1\}^n$ using a secret key sk: $s = S(m, sk)$.
Having computed s we transmit the pair (m, s).
The verification process V takes three inputs: message m, signature s and public key pk.
The verification process outputs a bit indicating whether or not s is a valid signature on m under public key pk.
To use this process to obtain signatures on messages of arbitrary length - as opposed to messages from $\{0,1\}^n$ - we require the use of a cryptographic hash function.
Using a cryptographic hash function H it is possible to create a signature scheme with appendix (i.e. without message recovery) based on RSA.
Suppose we have an RSA key pair (e, N), (d, N) such that N has n bits.
We use a hash function $H : \{0,1\}^* \to \{0,1\}^n$.
To sign $m \in \{0,1\}^*$:
- Compute $H(m)$.
- Compute the signature by ’decrypting’ $H(m)$: $s = H(m)^d \bmod N$.
To verify signature s on message m:
- ’Encrypt’ s to recover $H(m)' = s^e \bmod N$.
- Compute $H(m)$.
- Check whether $H(m)' = H(m)$.
- If $H(m)' = H(m)$, accept the signature. Otherwise reject.
The standardised way of doing this is slightly different (we will see it in a later lecture) but the intuition is the same.
We also require H to be collision resistant.
Suppose that H is not collision resistant. A malicious signer could proceed as follows.
- Find m and m′ such that $H(m) = H(m')$.
- Sign m: $s = H(m)^d \bmod N$.
- Claim that s is really a signature on m′.
The above undermines the non-repudiation offered by the scheme.
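The hash-then-sign construction and the malicious-signer scenario above, as an added example (not from the original slides): textbook RSA over a toy modulus built from two Mersenne primes, with SHA-256 truncated to a chosen number of bits standing in for H. The key, the messages and all helper names are constructed for illustration; the 16-bit setting is deliberately weak so that a collision turns up quickly.

```python
import hashlib
import math
from itertools import count

# Toy RSA key, constructed for illustration: two Mersenne primes give a
# roughly 92-bit modulus. Real keys are far larger.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)  # e * d = 1 mod (p-1)(q-1)


def H(m: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(m); bits must stay below N's bit length."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - bits)


def sign(m: bytes, bits: int) -> int:
    return pow(H(m, bits), D, N)  # s = H(m)^d mod N


def verify(m: bytes, s: int, bits: int) -> bool:
    return pow(s, E, N) == H(m, bits)  # does s^e mod N equal H(m)?


def find_collision(bits: int):
    """Return two different messages with equal H (feasible only for small bits)."""
    seen = {}
    for i in count():
        m = b"pay Bob %d pounds" % i
        h = H(m, bits)
        if h in seen:
            return seen[h], m
        seen[h] = m


def demo():
    m = b"pay Bob 30 pounds"
    s = sign(m, 88)
    genuine = verify(m, s, 88)                        # signature on m verifies
    altered = verify(b"pay Bob 30000 pounds", s, 88)  # changed message is rejected
    m1, m2 = find_collision(16)                       # weak 16-bit hash
    s_weak = sign(m1, 16)                             # signer signs m1 only
    return genuine, altered, m1 != m2, verify(m2, s_weak, 16)


if __name__ == "__main__":
    print(demo())
```

With the 16-bit hash the one signature verifies for both colliding messages, so the verifier cannot tell which of the two the signer actually signed.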
It is harder to construct collision resistant hash functions than one-way hash functions.
This is owing to the birthday paradox. (Actually not a paradox at all.)
How probable is it that a person in the room has a particular birthday?
How probable is it that two people in this room have the same birthday?
Experiment time!
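The two birthday questions above, worked numerically as an added example (not part of the original slides). The function names are chosen here; n is the number of possible values, 365 for birthdays or 2^bits for a hash output, and values are assumed to be uniformly distributed.

```python
import math


def p_specific(k: int, n: int = 365) -> float:
    """P(at least one of k people has one given birthday out of n)."""
    return 1 - (1 - 1 / n) ** k


def p_shared(k: int, n: int = 365) -> float:
    """P(some two of k people share a birthday out of n)."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1 - p_distinct


def min_k_specific(n: int) -> int:
    """Smallest k with p_specific(k, n) >= 1/2 (analogue of a preimage search)."""
    return math.ceil(math.log(0.5) / math.log1p(-1 / n))


def min_k_shared(n: int) -> int:
    """Smallest k with p_shared(k, n) >= 1/2 (analogue of a collision search)."""
    p_distinct, k = 1.0, 0
    while 1 - p_distinct < 0.5:
        p_distinct *= (n - k) / n
        k += 1
    return k


if __name__ == "__main__":
    for n in (365, 2**16):
        print(n, min_k_specific(n), min_k_shared(n))
```

The group size needed for a shared value grows like the square root of n, while hitting one given value needs a group proportional to n; this gap is why collision resistance is the harder property to achieve for a given output length.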
A cryptographic hash function should have the following properties.
Preimage Resistant: It is hard to find a message with a given hash value.
Collision Resistant: It is hard to find two messages with the same hash value.
Second Preimage Resistant: Given m and H(m) it is hard to find m′ with H(m′) = H(m).
The security of a signature scheme depends on both the security of the underlying public key scheme and the security of the hash function used in the construction.
A basic design principle when designing hash functions is that the hash function should produce an avalanche effect.
In other words a small change in the input produces a large and unpredictable change in the output.
This is needed so that a signature on a cheque for 30 pounds cannot be altered into a signature on a cheque for 30000 pounds.