A portion of lecture notes from CS 120/E-177: Introduction to Cryptography, focusing on digital signatures. The notes cover the concept of digital signatures, their differences from message authentication codes (MACs), security definitions, and various constructions. The document also includes examples of insecure signatures and applications of digital signatures.

CS 120/ E-177: Introduction to Cryptography
Salil Vadhan and Alon Rosen Nov. 22, 2006
Recommended Reading.
Digital signatures are the public-key version of message authentication codes: anybody can verify. They can be thought of as a "digital analogue" of handwritten signatures (but are in fact stronger). Unlike MACs, signatures are:
MACs are more efficient in practice.
Definition 1 A digital signature scheme consists of three algorithms $(G, S, V)$ such that:
We require $V_{PK}(m, S_{SK}(m)) = \mathrm{accept}$ for all $(PK, SK) \leftarrow_R G(1^n)$ and $m \in \{0,1\}^*$.
Definition 2 (existential unforgeability under adaptive chosen message attack) A signature scheme $(G, S, V)$ is secure if for every PPT $A$, there is a negligible function $\varepsilon$ such that
$$\Pr\left[ A^{S_{SK}(\cdot)}(PK) \text{ forges} \right] \le \varepsilon(k) \quad \forall k,$$
where the probability is taken over $(PK, SK) \leftarrow_R G(1^k)$ and the coin tosses of $A$. "$A$ forges" means $A$ produces a pair $(m, \sigma)$ for which (a) $V_{PK}(m, \sigma) = \mathrm{accept}$, and (b) $m$ is different from all of $A$'s queries to the $S_{SK}$-oracle.
(a) $A$ gets access to signatures on messages of its choice. (b) $A$ forges even if the $m$ it has produced is "meaningless."
These are indeed strong requirements. However, if we can satisfy them, we can certainly satisfy weaker requirements. Also, this will give us signature schemes which are application independent (in particular, they will be suitable for use regardless of the formatting/semantics of the messages being signed). As for Item (1), in practice this can happen. For example, a notary would conceivably sign any document regardless of its contents.
Here are some applications of signatures.
$m$ = "Verisign certifies that $PK_{\mathrm{Alice}}$ is Alice's public key"
Digital signatures can be constructed from one-way functions (no trapdoors!). Signing is deterministic. This result is beyond the scope of this class. Instead we will outline a provably secure construction from collision-free hash functions:
We start by showing how to construct a one-time signature from any one-way function f.
Single bit message. Let f be any one-way function.
This scheme is not very efficient and gives away half of the secret key. But it is secure if the adversary asks only one query. Assume that he obtains the signature of 0, i.e. $x_0$. Then the adversary cannot produce the signature of 1, i.e. invert $y_1$, because $x_0$ and $x_1$ are chosen independently, so seeing $x_0$ does not help him to invert $y_1$.
$\ell$-bit messages.
Sign: For $i = 1, \ldots, \ell$, let $\sigma_i = x_{i, m_i}$. Output $\sigma = (\sigma_1, \ldots, \sigma_\ell)$.
Theorem 3 The above is a secure one-time signature (i.e. the adversary can make only one query) for message space $\{0,1\}^\ell$ if $f$ is a one-way function.
Proof: Reducibility argument. Suppose there is a PPT forger $A$ that succeeds with nonnegligible probability $\varepsilon$. We will build a PPT $B$ that inverts $f$ with nonnegligible probability. Intuitively, the query $(m, \sigma)$ reveals half of the $x$'s. But $m \neq m'$, so in at least one position $A$ has to guess the corresponding $x$, i.e. invert $f$ on a point $y$. $B$ will guess the position where $A$ has successfully inverted $f$.
Inverter B(y):
Whenever $A$ would successfully forge, $B$ will succeed w.p. $\ge 1/2$ (whenever $(j, c)$ satisfy $m_j \neq c$ and $m'_j = c$, $\sigma'_j$ is an inverse of $y$ under $f$). Thus $B$ succeeds w.p. $\varepsilon/2$, still nonnegligible.
If the message is of length $\ell$, the public key is of length $2\ell k$, so this scheme is not very efficient. Also, to construct signatures for multiple messages we will need the size of $PK$ to be shorter than the size of the message. How to sign long messages? Sign a short hash of the message. This is called hash-then-sign. See lecture notes on collision-free hashing.
How do we obtain a signature scheme for multiple messages?
Public key $PK_0$, secret key $SK_0$ for the original scheme. To sign the first message $m_1$: generate $(PK_1, SK_1) \leftarrow_R G(1^k)$. Let $\sigma_1 \leftarrow_R S_{SK_0}(m_1, PK_1)$. Output $\sigma'_1 = (1, \sigma_1, m_1, PK_1)$. To sign the second message $m_2$: generate $(PK_2, SK_2) \leftarrow_R G(1^k)$. Let $\sigma_2 \leftarrow_R S_{SK_1}(m_2, PK_2)$. Output $\sigma'_2 = (2, \sigma'_1, \sigma_2, m_2, PK_2)$. Etc.
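The one-time scheme of Theorem 3, hash-then-sign, and the chained multi-message construction just described, as an added example that is not part of the original notes. SHA-256 stands in for the one-way function $f$ and for the collision-free hash (an assumption; the notes treat $f$ abstractly), $\ell = 256$ so that the one-time scheme signs exactly one digest, and every identifier (`OneTimeKey`, `ChainSigner`, `chain_verify`, ...) is illustrative.

```python
import hashlib
import secrets

ELL = 256          # message length of the one-time scheme = bit length of the hash we sign
SEED_BYTES = 32    # length of each secret preimage x_{i,b}


def f(x: bytes) -> bytes:
    """The one-way function f. SHA-256 stands in for it here (assumption, not from the notes)."""
    return hashlib.sha256(x).digest()


def H(data: bytes) -> bytes:
    """Collision-free hash for hash-then-sign; also SHA-256 in this example."""
    return hashlib.sha256(data).digest()


def bits(msg: bytes):
    """Big-endian bit list of a byte string (m_1, ..., m_ell)."""
    return [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]


def ots_gen():
    """G: secret key is 2*ELL independent preimages x_{i,b}; public key is y_{i,b} = f(x_{i,b})."""
    sk = [(secrets.token_bytes(SEED_BYTES), secrets.token_bytes(SEED_BYTES)) for _ in range(ELL)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return pk, sk


def ots_sign(sk, digest: bytes):
    """S: for an ELL-bit message reveal sigma_i = x_{i, m_i} at every position i."""
    assert len(digest) * 8 == ELL
    return [sk[i][b] for i, b in enumerate(bits(digest))]


def ots_verify(pk, digest: bytes, sig) -> bool:
    """V: accept iff f(sigma_i) == y_{i, m_i} for every position i."""
    if len(digest) * 8 != ELL or len(sig) != ELL:
        return False
    return all(f(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(digest))))


class OneTimeKey:
    """Hash-then-sign wrapper that enforces the one-query restriction of Theorem 3:
    each signature gives away half of the x's, so the key refuses a second message."""

    def __init__(self):
        self.pk, self._sk = ots_gen()
        self._used = False

    def sign(self, m: bytes):
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True
        return ots_sign(self._sk, H(m))


def encode_pk(pk) -> bytes:
    """Fixed-length (2*ELL*32 bytes) encoding of a one-time public key."""
    return b"".join(y0 + y1 for y0, y1 in pk)


class ChainSigner:
    """Stateful multi-message signer: SK_{i-1} signs (m_i, PK_i) and the chain is carried along."""

    def __init__(self):
        self._key = OneTimeKey()      # (PK_0, SK_0)
        self.pk0 = self._key.pk       # the long-term public key
        self._prev = None             # sigma'_{i-1}
        self._i = 0

    def sign(self, m: bytes):
        self._i += 1
        next_key = OneTimeKey()       # fresh (PK_i, SK_i) for every message
        # encode_pk has fixed length, so m || PK_i is an unambiguous encoding of the pair (m_i, PK_i)
        sigma_i = self._key.sign(m + encode_pk(next_key.pk))
        sig = (self._i, self._prev, sigma_i, m, next_key.pk)   # sigma'_i
        self._key, self._prev = next_key, sig
        return sig


def chain_verify(pk0, m: bytes, sig) -> bool:
    """Walk sigma'_i back to PK_0: indices must run 1..i without gaps, each sigma_j must verify
    under PK_{j-1} on (m_j, PK_j), and the newest entry must carry the message being checked."""
    steps, node = [], sig
    while node is not None:
        j, prev, sigma_j, m_j, pk_j = node
        steps.append((j, sigma_j, m_j, pk_j))
        node = prev
    if not steps or steps[0][2] != m:
        return False
    steps.reverse()
    pk_prev = pk0
    for expected, (j, sigma_j, m_j, pk_j) in enumerate(steps, start=1):
        if j != expected or not ots_verify(pk_prev, H(m_j + encode_pk(pk_j)), sigma_j):
            return False
        pk_prev = pk_j
    return True
```

Because $\sigma'_i$ embeds $\sigma'_{i-1}$, the $i$-th signature carries $i$ one-time signatures and $i$ one-time public keys, and verification re-checks all of them from $PK_0$; that linear growth is exactly what the tree construction below removes.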
Use a tree: each key authenticates two new keys $\Rightarrow$ signature length, verification time, and signing time no longer grow linearly with the number of signatures. Can also make it stateless. Can construct secure signatures based on any one-way function (very complicated!). See Katz-Lindell.