Verifying Digital Signatures with the Discrete Logarithm Problem, Study notes of Cryptography and System Security

These notes cover the principles behind verifying digital signatures based on the discrete logarithm problem: the use of large primes q and p, the role of the base g and its order q, and the verification equation y^r · r^s ≡ g^m (mod p). They also discuss the implications of using m + rxs instead of m - rxs in the calculation of s.

Typology: Study notes

2011/2012

Uploaded on 04/26/2012

king-ben111

Information Security and Cryptography

Texts and Monographs

Series Editor

Ueli Maurer

Associate Editors

Martin Abadi

Ross Anderson

Mihir Bellare

Oded Goldreich

Tatsuaki Okamoto

Paul van Oorschot

Birgit Pfitzmann

Aviel D. Rubin

Jacques Stern


Library of Congress Control Number: 2007921676 ACM Computing Classification: E.

ISBN-13 978-3-540-49243-6 Springer Berlin Heidelberg New York. This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable for prosecution under the German Copyright Law.

Springer is a part of Springer Science+Business Media springer.com © Springer-Verlag Berlin Heidelberg 2007

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Typesetting: Integra, India


Cover design: KünkelLopka, Heidelberg


Prof. Dr. Hans Delfs, Georg-Simon-Ohm University of Applied Sciences Nürnberg, Department of Computer Science, Keßlerplatz 12, 90489 Nürnberg, Germany, [email protected]

Prof. Dr. Helmut Knebl, Georg-Simon-Ohm University of Applied Sciences Nürnberg, Department of Computer Science, Keßlerplatz 12, 90489 Nürnberg, Germany, [email protected]

Prof. Dr. Ueli Maurer, Inst. für Theoretische Informatik, ETH Zürich, 8092 Zürich, Switzerland

Preface to the Second, Extended Edition

New topics have been included in the second edition. They reflect recent progress in the field of cryptography and supplement the material covered in the first edition. Major extensions and enhancements are the following.

  • A complete description of the Advanced Encryption Standard AES is given in Chapter 2 on symmetric encryption.
  • In Appendix A, there is a new section on polynomials and finite fields. There we offer a basic explanation of finite fields, which is necessary to understand the AES.
  • The description of cryptographic hash functions in Chapter 3 has been extended. It now also includes, for example, the HMAC construction of message authentication codes.
  • Bleichenbacher’s 1-Million-Chosen-Ciphertext Attack against schemes that implement the RSA encryption standard PKCS#1 is discussed in detail in Chapter 3. This attack proves that adaptively-chosen-ciphertext attacks can be a real danger in practice.
  • In Chapter 9 on provably secure encryption we have added typical security proofs for public-key encryption schemes that resist adaptively-chosen-ciphertext attacks. Two prominent examples are studied – Boneh’s simple-OAEP, or SAEP for short, and Cramer-Shoup’s public key encryption.
  • Security proofs in the random oracle model are now included. Full-domain-hash RSA signatures and SAEP serve as examples.

Furthermore, the text has been updated and clarified at various points. Errors and inaccuracies have been corrected.

We thank our readers and our students for their comments and hints, and we are indebted to our colleague Patricia Shiroma-Brockmann and Ronan Nugent at Springer for proof-reading the English copy of the new and revised chapters.

Nürnberg, December 2006 Hans Delfs, Helmut Knebl


and covers, for example, basics like Euclid’s algorithm and the Chinese Remainder Theorem, but also more advanced material like Legendre and Jacobi symbols and probabilistic prime number tests. The concepts and results from probability and information theory that are applied in the second part of the book are given in full in Appendix B. To keep the mathematics easy, we do not address elliptic curve cryptography. We illustrate the key concepts of public-key cryptography by the classical examples like RSA in the quotient rings Z_n of the integers Z.

The book starts with an introduction into classical symmetric encryption in Chapter 2. The principles of public-key cryptography and their use for encryption and digital signatures are discussed in detail in Chapter 3. The famous and widely used RSA, ElGamal’s methods and the digital signature standard, Rabin’s encryption and signature schemes serve as the outstanding examples. The underlying one-way functions – modular exponentiation, modular powers and modular squaring – are used throughout the book, also in the second part. Chapter 4 presents typical cryptographic protocols, including key exchange, identification and commitment schemes, electronic cash and electronic elections.

The following chapters focus on a precise definition of the key concepts and the security of public-key cryptography. Attacks are modeled by probabilistic polynomial algorithms (Chapter 5). One-way functions as the basic building blocks and the security assumptions underlying modern public-key cryptography are studied in Chapter 6. In particular, the bit security of the RSA function, the discrete logarithm and the Rabin function is analyzed in detail (Chapter 7). The close relation between one-way functions and computationally perfect pseudorandom generators meeting the needs of cryptography is explained in Chapter 8. Provable security properties of encryption schemes are the central topic of Chapter 9. It is clarified that randomness is the key to security. We start with the classical notions of provable security originating from Shannon’s work on information theory. Typical examples of more recent results on the security of public-key encryption schemes are given, taking into account the computational complexity of attacking algorithms. A short introduction to cryptosystems, whose security can be proven by information-theoretic methods without any assumptions on the hardness of computational problems (“unconditional security approach”), supplements the section. Finally, we discuss in Chapter 10 the levels of security of digital signatures and give examples of signature schemes, whose security can be proven solely under standard assumptions like the factoring assumption, including a typical security proof.

Each chapter (except Chapter 1) closes with a collection of exercises. Answers to the exercises are provided on the Web page for this book: www.informatik.fh-nuernberg.de/DelfsKnebl/Cryptography.


We thank our colleagues and students for pointing out errors and suggesting improvements. In particular, we express our thanks to Jörg Schwenk, Harald Stieber and Rainer Weber. We are grateful to Jimmy Upton for his comments and suggestions, and we are very much indebted to Patricia Shiroma-Brockmann for proof-reading the English copy. Finally, we would like to thank Alfred Hofmann at Springer-Verlag for his support during the writing and publication of this book.

Nürnberg, December 2001 Hans Delfs, Helmut Knebl

Notation

Symbol, meaning, and page of first use (where given):

  • M*  set of words m1 m2 ... ml, l ≥ 0, over M
  • {0, 1}*  set of bit strings of arbitrary length
  • 1^k  constant bit string 11...1 of length k (p. 157)
  • a ⊕ b  bitwise XOR of bit strings a, b ∈ {0, 1}^l (p. 13)
  • a||b  concatenation of strings a and b
  • N  set of natural numbers {1, 2, ...} (p. 35)
  • Z  set of integers (p. 35)
  • Q  set of rational numbers
  • R  set of real numbers
  • ln(x)  natural logarithm of a real x > 0
  • log(x)  base-10 logarithm of a real x > 0
  • log_2(x)  base-2 logarithm of a real x > 0
  • log_g(x)  discrete base-g logarithm of x ∈ Z_p^*
  • a | b  a ∈ Z divides b ∈ Z (p. 289)
  • |x|  absolute value of x ∈ R
  • |x|  length of a bit string x ∈ {0, 1}*
  • |x|  binary length of x ∈ N
  • |M|  number of elements in a set M (p. 296)
  • g ∘ f  composition of maps: g ∘ f(x) = g(f(x))
  • id_X  identity map: id_X(x) = x for all x ∈ X
  • f^{-1}  inverse of a bijective map f
  • x^{-1}  inverse of a unit x in a ring (p. 296)
  • Z_n  residue class ring modulo n (p. 295)
  • Z_n^*  units in Z_n (p. 296)
  • a div n  integer quotient of a and n (p. 290)
  • a mod n  remainder of a modulo n (pp. 290, 306)
  • a ≡ b mod n  a congruent b modulo n (pp. 295, 307)


    1. Introduction
    • 1.1 Encryption and Secrecy
    • 1.2 The Objectives of Cryptography
    • 1.3 Attacks
    • 1.4 Cryptographic Protocols
    • 1.5 Provable Security
    2. Symmetric-Key Encryption
    • 2.1 Stream Ciphers
    • 2.2 Block Ciphers
      • 2.2.1 DES
      • 2.2.2 AES
      • 2.2.3 Modes of Operation
    3. Public-Key Cryptography
    • 3.1 The Concept of Public-Key Cryptography
    • 3.2 Modular Arithmetic
      • 3.2.1 The Integers
      • 3.2.2 The Integers Modulo n
    • 3.3 RSA
      • 3.3.1 Key Generation and Encryption
      • 3.3.2 Digital Signatures
      • 3.3.3 Attacks Against RSA
      • 3.3.4 Probabilistic RSA Encryption
    • 3.4 Cryptographic Hash Functions
      • 3.4.1 Security Requirements for Hash Functions
      • 3.4.2 Construction of Hash Functions
      • 3.4.3 Data Integrity and Message Authentication
      • 3.4.4 Hash Functions as Random Functions
      • 3.4.5 Signatures with Hash Functions
    • 3.5 The Discrete Logarithm
      • 3.5.1 ElGamal’s Encryption
      • 3.5.2 ElGamal’s Signature Scheme
      • 3.5.3 Digital Signature Algorithm
    • 3.6 Modular Squaring
      • 3.6.1 Rabin’s Encryption
      • 3.6.2 Rabin’s Signature Scheme
    4. Cryptographic Protocols
    • 4.1 Key Exchange and Entity Authentication
      • 4.1.1 Kerberos
      • 4.1.2 Diffie-Hellman Key Agreement
      • 4.1.3 Key Exchange and Mutual Authentication
      • 4.1.4 Station-to-Station Protocol
      • 4.1.5 Public-Key Management Techniques
    • 4.2 Identification Schemes
      • 4.2.1 Interactive Proof Systems
      • 4.2.2 Simplified Fiat-Shamir Identification Scheme
      • 4.2.3 Zero-Knowledge
      • 4.2.4 Fiat-Shamir Identification Scheme
      • 4.2.5 Fiat-Shamir Signature Scheme
    • 4.3 Commitment Schemes
      • 4.3.1 A Commitment Scheme Based on Quadratic Residues
      • 4.3.2 A Commitment Scheme Based on Discrete Logarithms
      • 4.3.3 Homomorphic Commitments
    • 4.4 Electronic Elections
      • 4.4.1 Secret Sharing
      • 4.4.2 A Multi-Authority Election Scheme
      • 4.4.3 Proofs of Knowledge
      • 4.4.4 Non-Interactive Proofs of Knowledge
      • 4.4.5 Extension to Multi-Way Elections
      • 4.4.6 Eliminating the Trusted Center
    • 4.5 Digital Cash
      • 4.5.1 Blindly Issued Proofs
      • 4.5.2 A Fair Electronic Cash System
      • 4.5.3 Underlying Problems
    5. Probabilistic Algorithms
    • 5.1 Coin-Tossing Algorithms
    • 5.2 Monte Carlo and Las Vegas Algorithms
    6. One-Way Functions and the Basic Assumptions
    • 6.1 A Notation for Probabilities
    • 6.2 Discrete Exponential Function
    • 6.3 Uniform Sampling Algorithms
    • 6.4 Modular Powers
    • 6.5 Modular Squaring
    • 6.6 Quadratic Residuosity Property
    • 6.7 Formal Definition of One-Way Functions
    • 6.8 Hard-Core Predicates
    7. Bit Security of One-Way Functions
    • 7.1 Bit Security of the Exp Family
    • 7.2 Bit Security of the RSA Family
    • 7.3 Bit Security of the Square Family
    8. One-Way Functions and Pseudorandomness
    • 8.1 Computationally Perfect Pseudorandom Bit Generators
    • 8.2 Yao’s Theorem
    9. Provably Secure Encryption
    • 9.1 Classical Information-Theoretic Security
    • 9.2 Perfect Secrecy and Probabilistic Attacks
    • 9.3 Public-Key One-Time Pads
    • 9.4 Passive Eavesdroppers
    • 9.5 Chosen-Ciphertext Attacks
      • 9.5.1 A Security Proof in the Random Oracle Model
      • 9.5.2 Security Under Standard Assumptions
    • 9.6 Unconditional Security of Cryptosystems
      • 9.6.1 The Bounded Storage Model
      • 9.6.2 The Noisy Channel Model
    10. Provably Secure Digital Signatures
    • 10.1 Attacks and Levels of Security
    • 10.2 Claw-Free Pairs and Collision-Resistant Hash Functions
    • 10.3 Authentication-Tree-Based Signatures
    • 10.4 A State-Free Signature Scheme
  • A. Algebra and Number Theory
    • A.1 The Integers
    • A.2 Residues
    • A.3 The Chinese Remainder Theorem
    • A.4 Primitive Roots and the Discrete Logarithm
    • A.5 Polynomials and Finite Fields
      • A.5.1 The Ring of Polynomials
      • A.5.2 Residue Class Rings
      • A.5.3 Finite Fields
    • A.6 Quadratic Residues
    • A.7 Modular Square Roots
    • A.8 Primes and Primality Tests
  • B. Probabilities and Information Theory
    • B.1 Finite Probability Spaces and Random Variables
    • B.2 The Weak Law of Large Numbers
    • B.3 Distance Measures
    • B.4 Basic Concepts of Information Theory
  • References
  • Index
Notation (continued)

  • gcd(a, b)  greatest common divisor of integers a, b
  • ϕ(n)  Euler phi function
  • F_q, GF(q)  finite field with q elements
  • ord(x)  order of an element x in a group
  • QR_n  quadratic residues modulo n
  • QNR_n  quadratic non-residues modulo n
  • (x/n)  Legendre or Jacobi symbol (p. 311)
  • J_n^{+1}  units in Z_n with Jacobi symbol +1
  • ⌊x⌋  greatest integer ≤ x
  • ⌈x⌉  smallest integer ≥ x
  • [a, b]  interval a ≤ x ≤ b in R
  • O(n)  Big-O notation
  • Primes_k  set of primes of binary length k
  • P or P(X)  positive polynomial
  • prob(E)  probability of an event E
  • prob(x)  probability of an element x ∈ X
  • prob(E, F)  probability of E AND F
  • prob(E | F)  conditional probability of E assuming F
  • prob(y | x)  conditional probability of y assuming x
  • E(R)  expected value of a random variable R
  • X ⋈ W  join of a set X with W = (W_x)_{x∈X}
  • XW  joint probability space (p. 327)
  • x ←(p_X) X  x randomly selected according to p_X (p. 148)
  • x ← X  x randomly selected from X (p. 148)
  • x ←(u) X  x uniformly selected from X (p. 148)
  • x ← X, y ← Y_x  first x, then y randomly selected (p. 148)
  • prob(... : x ← X)  probability of ... for randomly chosen x (p. 148)
  • {A(x) : x ← X}  image of a distribution under A (p. 139)
  • y ← A(x)  y randomly generated by A on input x
  • dist(p, p̃)  statistical distance between distributions
  • H(X)  uncertainty (or entropy) of X
  • H(X|Y)  conditional uncertainty (entropy)
  • I(X; Y)  mutual information


symmetric. For example, in Caesar’s cipher the secret key is the offset 3 of the shift. We have

D(k, E(k, m)) = m for each plaintext m.

Symmetric encryption and the important examples DES (data encryption standard) and AES (advanced encryption standard) are discussed in Chapter 2. In 1976, W. Diffie and M.E. Hellman published their famous paper, New Directions in Cryptography ([DifHel76]). There they introduced the revolutionary concept of public-key cryptography. They provided a solution to the long-standing problem of key exchange and pointed the way to digital signatures. The public-key encryption methods (comprehensively studied in Chapter 3) are asymmetric. Each recipient of messages has his personal key k = (pk, sk), consisting of two parts: pk is the encryption key and is made public, sk is the decryption key and is kept secret. If Alice wants to send a message m to Bob, she encrypts m by use of Bob’s publicly known encryption key pk. Bob decrypts the ciphertext by use of his decryption key sk, which is known only to him. We have

D(sk, E(pk, m)) = m.

Mathematically speaking, public-key encryption is a so-called one-way function with a trapdoor. Everyone can easily encrypt a plaintext using the public key pk, but the other direction is difficult. It is practically impossible to deduce the plaintext from the ciphertext without knowing the secret key sk (which is called the trapdoor information).

Public-key encryption methods require more complex computations and are less efficient than classical symmetric methods. Thus symmetric methods are used for the encryption of large amounts of data. Before applying symmetric encryption, Alice and Bob have to agree on a key. To keep this key secret, they need a secure communication channel. It is common practice to use public-key encryption for this purpose.

1.2 The Objectives of Cryptography

Providing confidentiality is not the only objective of cryptography. Cryptog- raphy is also used to provide solutions for other problems:

  1. Data integrity. The receiver of a message should be able to check whether the message was modified during transmission, either accidentally or deliberately. No one should be able to substitute a false message for the original message, or for parts of it.
  2. Authentication. The receiver of a message should be able to verify its origin. No one should be able to send a message to Bob and pretend to be Alice (data origin authentication). When initiating a communication, Alice and Bob should be able to identify each other (entity authentication).
  3. Non-repudiation. The sender should not be able to later deny that she sent a message.

If messages are written on paper, the medium – paper – provides a certain security against manipulation. Handwritten personal signatures are intended to guarantee authentication and non-repudiation. If electronic media are used, the medium itself provides no security at all, since it is easy to replace some bytes in a message during its transmission over a computer network, and it is particularly easy if the network is publicly accessible, like the Internet. So, while encryption has a long history,³ the need for techniques providing data integrity and authentication resulted from the rapidly increasing significance of electronic communication.

There are symmetric as well as public-key methods to ensure the integrity of messages. Classical symmetric methods require a secret key k that is shared by sender and receiver. The message m is augmented by a message authentication code (MAC). The code is generated by an algorithm and depends on the secret key. The augmented message (m, MAC(k, m)) is protected against modifications. The receiver may test the integrity of an incoming message (m, m̃) by checking whether

MAC(k, m) = m̃.

Message authentication codes may be implemented by keyed hash functions (see Chapter 3). Digital signatures require public-key methods (see Chapter 3 for examples and details). As with classical handwritten signatures, they are intended to provide authentication and non-repudiation. Note that non-repudiation is an indispensable feature if digital signatures are used to sign contracts. Digital signatures depend on the secret key of the signer – they can be generated only by him. On the other hand, anyone can check whether a signature is valid, by applying a publicly known verification algorithm Verify, which depends on the public key of the signer. If Alice wants to sign the message m, she applies the algorithm Sign with her secret key sk and gets the signature Sign(sk, m). Bob receives a signature s for message m, and may then check the signature by testing whether

Verify(pk, s, m) = ok,

with Alice’s public key pk. It is common not to sign the message itself, but to apply a cryptographic hash function (see Section 3.4) first and then sign the hash value. In schemes

³ For the long history of cryptography, see [Kahn67].
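The MAC check above, written out as an added example that is not part of the book: a keyed hash function (HMAC-SHA256, the HMAC construction the preface mentions) generates MAC(k, m), the receiver recomputes it over the received m and compares it with the received tag m̃. The key and the message are constructed sample values; the constant-time comparison is a choice made here, not something the text prescribes.

```python
import hashlib
import hmac


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC(k, m): HMAC-SHA256 tag for m under the shared secret key k."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(key: bytes, msg: bytes):
    """Sender side: the augmented message (m, MAC(k, m))."""
    return msg, mac(key, msg)


def check(key: bytes, augmented) -> bool:
    """Receiver side: accept (m, m~) iff MAC(k, m) = m~.

    compare_digest runs in constant time, so the time a wrong tag takes
    to be rejected reveals nothing about how many of its bytes matched.
    """
    msg, tag = augmented
    return hmac.compare_digest(mac(key, msg), tag)


# Constructed sample data for the demonstration (not from the book).
KEY = b"shared-secret-constructed-for-this-example"


def demo():
    """Return (genuine accepted, tampered rejected, wrong key rejected)."""
    augmented = protect(KEY, b"transfer 100 EUR to account 42")
    msg, tag = augmented
    tampered = (msg.replace(b"100", b"900"), tag)  # a few bytes changed in transit
    return (
        check(KEY, augmented),
        not check(KEY, tampered),
        not check(b"some-other-key", augmented),
    )


if __name__ == "__main__":
    print(demo())
```

The tag is bound to both the key and every byte of the message, so the edited amount and the foreign key are both rejected; anyone without k cannot compute a matching tag for a modified m.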


  1. Ciphertext-only attack. Eve has the ability to obtain ciphertexts. This is likely to be the case in any encryption situation. Even if Eve cannot perform the more sophisticated attacks described below, one must assume that she can get access to encrypted messages. An encryption method that cannot resist a ciphertext-only attack is completely insecure.
  2. Known-plaintext attack. Eve has the ability to obtain plaintext-ciphertext pairs. Using the information from these pairs, she attempts to decrypt a ciphertext for which she does not have the plaintext. At first glance, it might appear that such information would not ordinarily be available to an attacker. However, it very often is available. Messages may be sent in standard formats which Eve knows.
  3. Chosen-plaintext attack. Eve has the ability to obtain ciphertexts for plaintexts of her choosing. Then she attempts to decrypt a ciphertext for which she does not have the plaintext. While again this may seem unlikely, there are many cases in which Eve can do just this. For example, she sends some interesting information to her intended victim which she is confident he will encrypt and send out. This type of attack assumes that Eve must first obtain whatever plaintext-ciphertext pairs she wants and then do her analysis, without any further interaction. This means that she only needs access to the encrypting device once.
  4. Adaptively-chosen-plaintext attack. This is the same as the previous attack, except now Eve may do some analysis on the plaintext-ciphertext pairs, and subsequently get more pairs. She may switch between gathering pairs and performing the analysis as often as she likes. This means that she has either lengthy access to the encrypting device or can somehow make repeated use of it.
  5. Chosen- and adaptively-chosen-ciphertext attack. These two attacks are similar to the above plaintext attacks. Eve can choose ciphertexts and gets the corresponding plaintexts. She has access to the decryption device.

1.4 Cryptographic Protocols

Encryption and decryption algorithms, cryptographic hash functions or pseudorandom generators (see Section 2.1, Chapter 8) are the basic building blocks (also called cryptographic primitives) for solving problems involving secrecy, authentication or data integrity. In many cases a single building block is not sufficient to solve the given problem: different primitives must be combined. A series of steps must be executed to accomplish a given task. Such a well-defined series of steps is called a cryptographic protocol. As is also common, we add another condition: we require that two or more parties are involved. We only use the term protocol if at least two people are required to complete the task.


As a counter example, take a look at digital signature schemes. A typical scheme for generating a digital signature first applies a cryptographic hash function h to the message m and then, in a second step, computes the signature by applying a public-key decryption algorithm to the hash value h(m). Both steps are done by one person. Thus, we do not call it a protocol.

Typical examples of protocols are protocols for user identification. There are many situations where the identity of a user Alice has to be verified. Alice wants to log in to a remote computer, for example, or to get access to an account for electronic banking. Passwords or PIN numbers are used for this purpose. This method is not always secure. For example, anyone who observes Alice’s password or PIN when transmitted might be able to impersonate her. We sketch a simple challenge-and-response protocol which prevents this attack (however, it is not perfect; see Section 4.2.1). The protocol is based on a public-key signature scheme, and we assume that Alice has a key k = (pk, sk) for this scheme. Now, Alice can prove her identity to Bob in the following way.

  1. Bob randomly chooses a “challenge” c and sends it to Alice.
  2. Alice signs c with her secret key, s := Sign(sk, c), and sends the “response” s to Bob.
  3. Bob accepts Alice’s proof of identity, if Verify(pk, s, c) = ok.

Only Alice can return a valid signature of the challenge c, because only she knows the secret key sk. Thus, Alice proves her identity, without showing her secret. No one can observe Alice’s secret key, not even the verifier Bob.

Suppose that an eavesdropper Eve observed the exchanged messages. Later, she wants to impersonate Alice. Since Bob selects his challenge c at random (from a huge set), the probability that he uses the same challenge twice is very small. Therefore, Eve cannot gain any advantage by her observations.

The parties in a protocol can be friends or adversaries. Protocols can be attacked. The attacks may be directed against the underlying cryptographic algorithms or against the implementation of the algorithms and protocols. There may also be attacks against a protocol itself. There may be passive attacks performed by an eavesdropper, where the only purpose is to obtain information. An adversary may also try to gain an advantage by actively manipulating the protocol. She might pretend to be someone else, substitute messages or replay old messages. Important protocols for key exchange, electronic elections, digital cash and interactive proofs of identity are discussed in Chapter 4.
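The three-step challenge-and-response protocol above, instantiated with the discrete-logarithm signature scheme these notes summarise (base g of prime order q modulo p, verification y^r · r^s ≡ g^m (mod p)), as an added example that is neither the book's code nor the notes' own. Everything below is an assumption of this example, not of the text: the domain parameters are toy-sized (q = 2^31 − 1 and the first prime p = kq + 1 found by a Miller-Rabin search, far too small for real use), messages are reduced into Z_q via SHA-256 before signing, s is computed as k^{-1}(m − xr) mod q so that the stated verification equation holds, and the verifier adds range and subgroup checks on (r, s) that the summary does not mention. The `replay_attempt` function plays Eve from the paragraph above: a response recorded in one run is replayed against Bob's fresh challenge.

```python
import hashlib
import secrets

# Toy domain parameters, constructed for this example only (far too small for
# real use): q is the Mersenne prime 2^31 - 1, p = k*q + 1 is the first such
# prime found below, and g generates the subgroup of order q in Z_p^*.
Q_TOY = 2**31 - 1
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3 * 10^24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(q: int):
    """Return (p, q, g): smallest even k with p = k*q + 1 prime, g of order q."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:  # skip h whose (p-1)/q-th power is trivial
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


P, Q, G = make_params(Q_TOY)


def reduce_message(msg: bytes) -> int:
    """Hash the message and reduce it into Z_q, the exponent group of g."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """Secret key x in [1, q-1], public key y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Sign(sk, m): r = g^k mod p, s = k^-1 (m - x*r) mod q, fresh random k per signature."""
    m = reduce_message(msg)
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        r = pow(G, k, P)
        s = (pow(k, -1, Q) * (m - x * r)) % Q
        if s != 0:  # s = 0 is rejected by the verifier, so draw a new k
            return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Verify(pk, s, m) = ok iff y^r * r^s == g^m (mod p), after range checks."""
    r, s = sig
    if not (0 < r < P and 0 < s < Q and pow(r, Q, P) == 1):
        return False
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, reduce_message(msg), P)


# Challenge-and-response identification, steps 1 to 3 from the text.
def bob_challenge() -> bytes:
    return secrets.token_bytes(32)  # step 1: random challenge from a huge set


def alice_respond(x: int, c: bytes):
    return sign(x, c)  # step 2: s := Sign(sk, c)


def bob_accept(y: int, c: bytes, s) -> bool:
    return verify(y, c, s)  # step 3: accept iff Verify(pk, s, c) = ok


def run_protocol(x: int, y: int) -> bool:
    c = bob_challenge()
    return bob_accept(y, c, alice_respond(x, c))


def replay_attempt(y: int, old_response) -> bool:
    """Eve replays a response she observed; Bob's fresh challenge makes it fail."""
    return bob_accept(y, bob_challenge(), old_response)


if __name__ == "__main__":
    sk, pk = keygen()
    print("honest run accepted:", run_protocol(sk, pk))
    print("replay accepted:", replay_attempt(pk, alice_respond(sk, b"earlier challenge")))
```

`pow(k, -1, Q)` needs Python 3.8 or later. The correctness of the check follows from the group structure: y^r · r^s = g^{xr} · g^{ks} and ks ≡ m − xr (mod q), so the exponent is m modulo the order q of g. The nonce k must be fresh and secret for every signature: reusing k across two messages lets anyone solve the two linear equations for x, which is why the signer draws it from a cryptographic source each time.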

1.5 Provable Security

It is desirable to design cryptosystems that are provably secure. Provably secure means that mathematical proofs show that the cryptosystem resists cer-