Digital Signatures: Introduction, Security, and Constructions, Study notes of Cryptography and System Security

A portion of the lecture notes from CS 120/E-177: Introduction to Cryptography, focusing on digital signatures. The notes cover the concept of digital signatures, their differences from message authentication codes (MACs), security definitions, and various constructions. The document also includes examples of insecure signatures and applications of digital signatures.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

CS 120/ E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Nov. 22, 2006

Lecture Notes 17:

Digital Signatures

Recommended Reading.

  • Katz-Lindell 10

1 Signatures vs. MACs

Digital signatures are the public-key version of message authentication codes: anybody can verify. They can be thought of as a "digital analogue" of handwritten signatures (but are in fact stronger). Unlike MACs, signatures are:

  1. Publicly verifiable - anybody can verify their validity.
  2. Transferable - the recipient can show the signature to another party, who can then verify that the signature is valid (this follows from public verifiability).
  3. Non-repudiable - If Alice digitally signs a document, then Bob can prove to a third party (e.g. a court) that she signed it, by presenting the document and her signature. By definition, only Alice could have produced a valid signature. Notice that MACs cannot have this property: neither of the parties holding the key can prove that the other one produced the tag, because the party making the claim could have computed the tag itself.

MACs are more efficient in practice.

2 Syntax

Definition 1 A digital signature scheme consists of three algorithms (G, S, V) such that:

  • The key generation algorithm G is a randomized algorithm that returns a public key PK and a secret key SK; we write (PK, SK) ←R G(1^n).
  • The signing algorithm S is a (possibly) randomized algorithm that takes the secret key SK and a message m and outputs a signature σ; we write σ ←R S_SK(m).
  • The verification algorithm V is a deterministic algorithm that takes the public key PK, a message m, and a signature σ, and outputs V_PK(m, σ) ∈ {accept, reject}.

We require V_PK(m, S_SK(m)) = accept for all (PK, SK) ←R G(1^n) and m ∈ {0,1}*.

2.1 Comments

  1. The sender needs the secret key, the opposite of public-key encryption: Alice will send a message encrypted with Bob's public key but signed with Alice's secret key. However, digital signatures and public-key encryption are not "duals" of each other (as one might be tempted to think).
  2. It is conceivable that the sender keeps state between signatures, and we will allow this in some cases.
  3. Similarly to MACs, randomization is not necessary.
  4. Note that we do not require any formatting on the messages; they could be arbitrary strings. Sometimes it is required that messages obey some "pre-specified format" (possibly depending on PK). In such a case, it is required to explicitly specify how to map arbitrary strings into a string that obeys this format.

3 Security

Definition 2 (existential unforgeability under adaptive chosen message attack) A signature scheme (G, S, V) is secure if for every PPT A, there is a negligible function ε such that

Pr[ A^{S_SK(·)}(PK) forges ] ≤ ε(k) for all k,

where the probability is taken over (PK, SK) ←R G(1^k) and the coin tosses of A. "A forges" ≡ A produces a pair (m, σ) for which (a) V_PK(m, σ) = accept, and (b) m is different from all of A's queries to the S_SK oracle.

3.1 Comments

  1. Definition is strong:

(a) A gets access to signatures on messages of its choice. (b) A forges even if the m it has produced is "meaningless."

These are indeed strong requirements. However, if we can satisfy them, we can certainly satisfy weaker requirements. Also, this will give us signature schemes which are application independent (in particular, suitable for use regardless of the formatting/semantics of the messages being signed). As for (a), in practice this can happen: for example, a notary would conceivably sign any document regardless of its contents.

4 Applications

Here are some applications of signatures.

  1. Can be used for public-key infrastructure (without a public directory):
    • One trusted party (certificate authority, e.g. Verisign) has a public key known to everyone, and signs individuals' public keys, e.g. signs a statement like

m = `Verisign certifies that PK_Alice is Alice's public key'

6 Constructions

Digital signatures can be constructed from one-way functions (no trapdoors!). Signing is deterministic. This result is beyond the scope of this class. Instead we will outline a provably secure construction from collision-free hash functions:

  1. One-time signature for fixed-length messages (message space {0,1}^k) from any one-way function.
  2. Use hash-then-sign to convert this into a one-time signature for unbounded-length messages.
  3. Use key refreshing to convert the one-time signature into a many-use signature.

6.1 One-time signature

We start by showing how to construct a one-time signature from any one-way function f.

Single-bit message. Let f be any one-way function.

  1. The secret key is SK = {x_0, x_1} where x_0 and x_1 are chosen at random in {0,1}^k. The public key is PK = {y_0, y_1} where y_0 = f(x_0) and y_1 = f(x_1).
  2. The signature of the bit b is S_SK(b) = x_b.
  3. The verification is V_PK(b, x) = accept iff f(x) = y_b.

This scheme is not very efficient and gives away half of the secret key. But it is secure if the adversary asks only one query. Assume that he obtains the signature of 0, i.e. x_0. Then the adversary cannot produce the signature of 1, i.e. invert y_1, because x_0 and x_1 are chosen independently, so seeing x_0 does not help him to invert y_1.

ℓ-bit messages.

  • G(1^k): For i = 1, ..., ℓ, choose x_{i,0} ←R {0,1}^k and x_{i,1} ←R {0,1}^k. Let y_{i,0} = f(x_{i,0}) and y_{i,1} = f(x_{i,1}). PK = all y's, SK = all x's.
  • S_SK(m) for m ∈ {0,1}^ℓ: For i = 1, ..., ℓ, let σ_i = x_{i,m_i}. Output σ = (σ_1, ..., σ_ℓ).
  • V_PK(m, σ): Check that f(σ_i) = y_{i,m_i} for all i ∈ {1, ..., ℓ}.

Theorem 3 The above is a secure one-time signature (i.e. the adversary can make only one query) for message space {0,1}^ℓ if f is a one-way function.

Proof: Reducibility argument. Suppose there is a PPT forger A that succeeds with nonnegligible probability ε. We will build a PPT B that inverts f with nonnegligible probability. Intuitively, the query (m, σ) reveals half of the x's. But m ≠ m′, so in at least one position A has to guess the corresponding x, i.e. invert f on a point y. B will guess the position where A has successfully inverted f.

Inverter B(y):

  1. Choose j ←R {1, ..., ℓ} and c ←R {0, 1}. Let y_{j,c} = y.
  2. For all (i, b) ≠ (j, c), choose x_{i,b} ←R {0,1}^k and let y_{i,b} = f(x_{i,b}).
  3. Let PK = all y_{i,b}'s, and run A(PK).
  4. A asks for a signature on some m. If m_j ≠ c, B can answer A's query correctly; otherwise output fail.
  5. A produces a forgery (m′, σ′). If m′_j = c, output x = σ′_j. Otherwise output fail.

Whenever A would successfully forge, B will succeed w.p. ≥ 1/2 (whenever (j, c) satisfy m_j ≠ c and m′_j = c, σ′_j is an inverse of y under f). Thus B succeeds w.p. ε/2, still nonnegligible.

If the message is of length ℓ, the public key is of length 2ℓk, so this scheme is not very efficient. Also, to construct signatures for multiple messages we will need the size of PK to be shorter than the size of the message. How to sign long messages? Sign a short hash of the message. This is called hash-then-sign. See the lecture notes on collision-free hashing.

6.2 One-time signatures to many-time signatures

How do we obtain a signature scheme for multiple messages?

  • Idea: generate new keys on the fly and authenticate them with the previous key.
  • Start with a one-time signature scheme (G, S, V), and construct a general signature scheme as follows:
    • Public key PK_0, secret key SK_0 for the original scheme.
    • To sign the first message m_1: Generate (PK_1, SK_1) ←R G(1^k). Let σ_1 ←R S_{SK_0}(m_1, PK_1). Output σ′_1 = (1, σ_1, m_1, PK_1).
    • To sign the second message m_2: Generate (PK_2, SK_2) ←R G(1^k). Let σ_2 ←R S_{SK_1}(m_2, PK_2). Output σ′_2 = (2, σ′_1, σ_2, m_2, PK_2).
    • etc.
  • This works, but is very inefficient.
  • Improvements:
    • Use a tree: each key authenticates two new keys ⇒ signature length, verification time and signing time no longer grow linearly with the number of signatures.
    • Can also make it stateless.
    • Can construct secure signatures based on any one-way function (very complicated!).
    • See Katz-Lindell.
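The ℓ-bit one-time scheme of Section 6.1 (with hash-then-sign) and the key-chaining construction of Section 6.2, as an added Python example that is not code from the notes: SHA-256 stands in for both the one-way function f and the collision-free hash, and the parameters K and ELL and all function and class names are this example's own assumptions.

```python
import hashlib
import os

K = 32     # security parameter in bytes (assumed for this example)
ELL = 256  # each one-time key signs an ELL-bit digest (hash-then-sign)

def f(x):
    return hashlib.sha256(x).digest()  # stands in for the one-way function f

def ots_keygen():
    # SK = all x_{i,b}; PK = all y_{i,b} = f(x_{i,b}). A signature reveals one x per bit.
    sk = [(os.urandom(K), os.urandom(K)) for _ in range(ELL)]
    return [(f(x0), f(x1)) for x0, x1 in sk], sk

def bits(d):
    # 32-byte digest -> bits m_1 ... m_ELL, most significant bit first
    n = int.from_bytes(d, "big")
    return [(n >> (ELL - 1 - i)) & 1 for i in range(ELL)]

def ots_sign(sk, d):
    return [sk[i][b] for i, b in enumerate(bits(d))]

def ots_verify(pk, d, sig):
    return len(sig) == ELL and all(f(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(d))))

def digest(m, pk_next):
    # hash-then-sign: the one-time key really signs H(m || PK_next)
    return hashlib.sha256(m + b"".join(y0 + y1 for y0, y1 in pk_next)).digest()

class ChainSigner:
    # Section 6.2 chain: SK_{i-1} signs (m_i, PK_i), then the fresh key takes over
    def __init__(self):
        self.pk0, self._sk = ots_keygen()
        self._chain = []  # (sigma_j, m_j, PK_j) for every message signed so far

    def sign(self, m):
        pk_next, sk_next = ots_keygen()
        sigma = ots_sign(self._sk, digest(m, pk_next))
        self._sk = sk_next  # the key just used is discarded: it is one-time only
        self._chain.append((sigma, m, pk_next))
        return list(self._chain)  # sigma'_i = (sigma'_{i-1}, sigma_i, m_i, PK_i)

def chain_verify(pk0, m, sig):
    pk = pk0
    for sigma, m_j, pk_j in sig:  # walk the chain forward from PK_0
        if not ots_verify(pk, digest(m_j, pk_j), sigma):
            return False
        pk = pk_j  # PK_j, now authenticated, vouches for the next link
    return bool(sig) and sig[-1][1] == m
```

The chain signature grows by one link per message, which is exactly the inefficiency the notes point out; the tree improvement is not implemented here.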