
DSS digital signatures


Chapter 7-2 Signature Schemes

Outline

[1] Introduction
[2] Security Requirements for Signature Schemes
[3] The ElGamal Signature Scheme
[4] Variants of the ElGamal Signature Scheme
  • The Schnorr Signature Scheme
  • The Digital Signature Algorithm
  • The Elliptic Curve DSA
[5] Signatures with additional functionality
  • Blind Signatures
  • Undeniable Signatures
  • Fail-stop Signatures

[4] Variants of the ElGamal Signature Scheme

• Schnorr Signature Scheme
  • Proposed in 1989
  • Greatly reduced the signature size
• Digital Signature Algorithm (DSA)
  • Proposed in 1991
  • Was adopted as a standard on December 1, 1994
• Elliptic Curve DSA (ECDSA)
  • FIPS 186-2 in 2000

Schnorr Signature Scheme

• Let $p$ be a prime such that the DL problem in $\mathbb{Z}_p^*$ is intractable, and let $q$ be a prime that divides $p-1$. Let $\alpha$ be a $q$th root of 1 modulo $p$. Define $K = \{(p, q, \alpha, a, \beta) : \beta = \alpha^a \bmod p\}$. The values $p, q, \alpha, \beta$ are the public key; $a$ is private.
• For a (secret) random number $k$, define $\mathrm{sig}(x, k) = (\gamma, \delta)$, where $\gamma = \mathrm{hash}(x \,\|\, \alpha^k)$ and $\delta = k + a\gamma \bmod q$.
• For a signed message $(x, (\gamma, \delta))$, verification is done by performing the following computation: $\mathrm{ver}(x, (\gamma, \delta)) = \text{true}$ iff $\mathrm{hash}(x \,\|\, \alpha^{\delta}\beta^{-\gamma}) = \gamma$.
• If the signature was constructed correctly, the verification will succeed, since $\alpha^{\delta}\beta^{-\gamma} = \alpha^{k + a\gamma}\alpha^{-a\gamma} = \alpha^k$.

Schnorr Signature Scheme: Example

• We take $q = 101$, $p = 78q + 1 = 7879$, $\alpha = 170$, $a = 75$; then $\beta = 170^{75} \bmod 7879 = 4567$.
• To sign the message $m = 15$, Alice selects $k = 50$. Then $\gamma = \mathrm{hash}(15 \,\|\, 170^{50})$ and $\delta = 5 + 75\gamma \bmod 101$. The signed message is $(15, (\gamma, \delta))$.

Digital Signature Algorithm

• Let $p$ be an $L$-bit prime, with $L \equiv 0 \pmod{64}$ and $512 \le L \le 1024$, such that the DL problem in $\mathbb{Z}_p^*$ is intractable, and let $q$ be a 160-bit prime that divides $p-1$. Let $\alpha$ be a $q$th root of 1 modulo $p$. Define $K = \{(p, q, \alpha, a, \beta) : \beta = \alpha^a \bmod p\}$. The values $p, q, \alpha, \beta$ are the public key; $a$ is private.
• For a (secret) random number $k$, define $\mathrm{sig}(x, k) = (\gamma, \delta)$, where $\gamma = (\alpha^k \bmod p) \bmod q$ and $\delta = (\text{SHA-1}(x) + a\gamma)\,k^{-1} \bmod q$.
• For a signed message $(x, (\gamma, \delta))$, verification is done by performing the following computations:
  $e_1 = \text{SHA-1}(x)\,\delta^{-1} \bmod q$
  $e_2 = \gamma\,\delta^{-1} \bmod q$
  $\mathrm{ver}(x, (\gamma, \delta)) = \text{true}$ iff $(\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q = \gamma$
• Notice that the verification requires computing $e_1 = \text{SHA-1}(x)\,\delta^{-1} \bmod q$ and $e_2 = \gamma\,\delta^{-1} \bmod q$. When $\delta = 0$ (it is possible!), $\delta^{-1} \bmod q$ does not exist, so Alice should construct a new signature with a new $k$.

Undeniable signatures: signer and verifier

The verifier holds a message $x$ and a signature $y$.

• Verifier: $c = y^{e_1}\beta^{e_2} \bmod p$
• Signer: $d = c^{a^{-1} \bmod q} \bmod p$
• Verifier: finds that $d \ne x^{e_1}\alpha^{e_2} \bmod p$

Two possibilities:
• $y$ is not a valid signature of $x$
• $y$ is the signature of $x$, and she is fooling me by sending a garbled $d$ to me

Correctness of the signature protocol

• Bob will accept a valid signature, since if the signature is valid, $y = x^a \bmod p$, then $c = y^{e_1}\beta^{e_2} = x^{a e_1}\alpha^{a e_2} \bmod p$. Hence $d = x^{e_1}\alpha^{e_2} \bmod p$, as desired.

Verifier: "I suspect that you are fooling me in order to disavow your signature on $x$."

• Verifier: $c = y^{e_1}\beta^{e_2}$ and $c' = y^{e_1'}\beta^{e_2'}$
• Signer: $d = c^{a^{-1}}$ and $d' = (c')^{a^{-1}}$
• Verifier: if $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$, "I blamed her wrongly; $y$ was not signed by her."

Fact: if $y \ne x^a$, then $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$.

• Verifier: $c = y^{e_1}\beta^{e_2}$ and $c' = y^{e_1'}\beta^{e_2'}$
• Signer: $d = c^{a^{-1}}$ and $d' = (c')^{a^{-1}}$

Fact: if $y = x^a$, she can make $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$ hold only with a very small probability, $1/q$.

Disavowal protocol (1/3)

• B selects random secret integers $e_1, e_2$, computes $c = y^{e_1}\beta^{e_2} \bmod p$, and sends $c$ to A.
• A computes $d = c^{a^{-1}} \bmod p$ and sends $d$ to B.
• B checks whether $d = x^{e_1}\alpha^{e_2}$. If so, he concludes that $y$ is a valid signature of $x$; otherwise he goes to the next step.

Disavowal protocol (2/3)

• B selects random secret integers $e_1', e_2'$, computes $c' = y^{e_1'}\beta^{e_2'} \bmod p$, and sends $c'$ to A.
• A computes $d' = (c')^{a^{-1}} \bmod p$ and sends $d'$ to B.
• B checks whether $d' = x^{e_1'}\alpha^{e_2'}$. If so, he concludes that $y$ is a valid signature of $x$; otherwise he goes to the next step.

Disavowal protocol (3/3)

• B checks whether $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$. If it holds, he concludes that $y$ is a forgery. Otherwise, he concludes that A is trying to disavow the signature.

Fact

Let $x$ be a message and suppose that $y$ is A's (purported) signature on $x$.

• If $y$ is a forgery, i.e., $y \ne x^a \bmod p$, then $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$ holds.
• Suppose that $y$ is indeed A's signature for $x$, i.e., $y = x^a \bmod p$. Then $(d\alpha^{-e_2})^{e_1'} = (d'\alpha^{-e_2'})^{e_1}$ holds with probability $1/q$.

Fail-stop Signatures

• In a fail-stop signature scheme, when Oscar is able to forge Alice's signature on a message, Alice will (with high probability) be able to prove that Oscar's signature is a forgery.
• A fail-stop signature scheme consists of a signing algorithm, a verification algorithm and a "proof of forgery" algorithm.

Van Heyst and Pedersen scheme (1992)

• Let $p = 2q + 1$ be a prime such that $q$ is prime and the DL problem in $\mathbb{Z}_p$ is intractable. Let $\alpha$ be an element of order $q$. Let $1 \le a_0 \le q-1$ and define $\beta = \alpha^{a_0} \bmod p$.
• The value of $a_0$ is kept secret from everyone.
• The values $p, q, \alpha, \beta$ and $a_0$ are chosen by a trusted central authority.
• A key has the form $K = (\gamma_1, \gamma_2, a_1, a_2, b_1, b_2)$, where
  $\gamma_1 = \alpha^{a_1}\beta^{a_2} \bmod p$
  $\gamma_2 = \alpha^{b_1}\beta^{b_2} \bmod p$
  $(\gamma_1, \gamma_2)$ is the public key and $(a_1, a_2, b_1, b_2)$ is private.
• To sign a message $x$: $\mathrm{sig}(x) = (y_1, y_2)$, where
  $y_1 = a_1 + x b_1 \bmod q$
  $y_2 = a_2 + x b_2 \bmod q$
• To verify a signed message $(x, (y_1, y_2))$: $\mathrm{ver}(x, (y_1, y_2)) = \text{true}$ iff $\gamma_1\gamma_2^{x} = \alpha^{y_1}\beta^{y_2} \bmod p$.

Proof of forgery: the argument

• If there is a signature $(y_1'', y_2'')$ on a message $x'$ which verifies as signed by Alice but was not actually signed by Alice, i.e. $(y_1'', y_2'') \ne \mathrm{sig}(x')$, then Alice can calculate the secret $a_0$, which was not given to her.
• Alice shows $a_0$ to prove that she is innocent.

Proof of forgery: calculation of $a_0$

• Since $(y_1'', y_2'')$ is a valid signature on $x'$: $\gamma_1\gamma_2^{x'} = \alpha^{y_1''}\beta^{y_2''} \bmod p$.
• Alice can compute her own signature $(y_1', y_2')$ on $x'$: $\gamma_1\gamma_2^{x'} = \alpha^{y_1'}\beta^{y_2'} \bmod p$.
• Hence
  $\alpha^{y_1''}\beta^{y_2''} = \alpha^{y_1'}\beta^{y_2'} \bmod p$
  $\alpha^{y_1''}\alpha^{a_0 y_2''} = \alpha^{y_1'}\alpha^{a_0 y_2'} \bmod p$
• Thus
  $y_1'' + a_0 y_2'' = y_1' + a_0 y_2' \pmod{q}$
  $a_0 = (y_1'' - y_1')(y_2' - y_2'')^{-1} \pmod{q}$
  It is computable by Alice!

... creates a software package. A signs the package and sells it to B, who decides to make copies of this package and resell it to a third party C. C is unable to verify the authenticity of the software...

... message x of A's choice (B is a signer here!)

• B knows neither the message x nor the signature associated with it

Chaum's blind signature protocol (1983) (A is a verifier and B is a signer,
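The Schnorr and DSA slides above as running code, in an added example that is not part of the original slides: both schemes over the page's example group (p = 7879, q = 101, α = 170, a = 75), with the retry on δ = 0 and a verifier that range-checks γ and δ before inverting. Assumptions: SHA-256 reduced mod q stands in for the slides' hash and SHA-1 because q is only 101 here, the function names are illustrative, and rejecting γ = 0 goes beyond what the slide states.

```python
import hashlib
import secrets

# Group from the page's Schnorr example: q divides p-1, ALPHA has order q mod p.
P, Q, ALPHA, A = 7879, 101, 170, 75      # A is the private key a
BETA = pow(ALPHA, A, P)                  # public beta = alpha^a mod p

def h(data):
    # Assumption: SHA-256 reduced mod q replaces the slides' hash / SHA-1.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def nonce():
    return 1 + secrets.randbelow(Q - 1)  # fresh secret k in [1, q-1]

def schnorr_sign(x, k=None):
    k = k or nonce()
    r = pow(ALPHA, k, P)
    gamma = h(x + r.to_bytes(2, "big"))  # gamma = hash(x || alpha^k)
    return gamma, (k + A * gamma) % Q    # delta = k + a*gamma mod q

def schnorr_verify(x, sig):
    gamma, delta = sig
    if not (0 <= gamma < Q and 0 <= delta < Q):
        return False
    r = pow(ALPHA, delta, P) * pow(BETA, -gamma, P) % P   # alpha^delta * beta^-gamma
    return h(x + r.to_bytes(2, "big")) == gamma

def dsa_sign(x):
    while True:
        k = nonce()
        gamma = pow(ALPHA, k, P) % Q
        delta = (h(x) + A * gamma) * pow(k, -1, Q) % Q
        if gamma and delta:              # delta = 0 has no inverse: pick a new k
            return gamma, delta

def dsa_verify(x, sig):
    gamma, delta = sig
    if not (0 < gamma < Q and 0 < delta < Q):
        return False                     # reject instead of trying to invert 0
    w = pow(delta, -1, Q)
    e1, e2 = h(x) * w % Q, gamma * w % Q
    return pow(ALPHA, e1, P) * pow(BETA, e2, P) % P % Q == gamma
```

With q = 101 a signature is accepted for an unrelated message about once in a hundred tries, which is why the DSA slide asks for a 160-bit q.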
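The three steps of the disavowal protocol above, as an added example that is not part of the original slides: verifier B's side, which can be run against an honest signer or against one who answers with garbled values of d. Assumptions: the toy group p = 7879, q = 101, α = 170 is reused from the Schnorr example, messages are elements of the order-q subgroup, and all function names are illustrative.

```python
import secrets

# Toy group reused from the Schnorr example: ALPHA has order Q mod P.
P, Q, ALPHA, A = 7879, 101, 170, 75      # A is signer A's private key a
BETA = pow(ALPHA, A, P)
A_INV = pow(A, -1, Q)                    # a^-1 mod q

def honest_signer(c):
    return pow(c, A_INV, P)              # d = c^(a^-1 mod q) mod p

def challenge(y):
    # e1, e2 drawn from [1, q-1]; c = y^e1 * beta^e2 mod p
    e1, e2 = (1 + secrets.randbelow(Q - 1) for _ in range(2))
    return e1, e2, pow(y, e1, P) * pow(BETA, e2, P) % P

def expected(x, e1, e2):
    return pow(x, e1, P) * pow(ALPHA, e2, P) % P   # x^e1 * alpha^e2 mod p

def disavowal(x, y, signer=honest_signer):
    """Verifier B's side of the disavowal protocol; returns B's conclusion."""
    e1, e2, c = challenge(y)
    d = signer(c)
    if d == expected(x, e1, e2):                   # step 1
        return "valid signature"
    f1, f2, c2 = challenge(y)                      # f1, f2 are the slides' e1', e2'
    d2 = signer(c2)
    if d2 == expected(x, f1, f2):                  # step 2
        return "valid signature"
    lhs = pow(d * pow(ALPHA, -e2, P) % P, f1, P)   # (d * alpha^-e2)^e1'
    rhs = pow(d2 * pow(ALPHA, -f2, P) % P, e1, P)  # (d' * alpha^-e2')^e1
    return "forgery" if lhs == rhs else "signer is trying to disavow"

if __name__ == "__main__":
    x = pow(ALPHA, 7, P)                 # constructed message in the subgroup
    y = pow(x, A, P)                     # valid signature y = x^a mod p
    print(disavowal(x, y))
    print(disavowal(x, y * ALPHA % P))   # y != x^a, honest signer
    print(disavowal(x, y, signer=lambda c: pow(c, 2, P)))  # garbled replies
```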
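The Van Heyst and Pedersen scheme and its proof of forgery, as an added example that is not part of the original slides: Alice recovers a0 from any valid signature that differs from her own, using the formula derived above. Assumptions: the parameters q = 1733, p = 3467, α = 4 are constructed toy values, the function names are illustrative, and the second valid signature is built with a0 only to provide test input in place of a computationally unbounded forger.

```python
import secrets

# Constructed toy parameters (not from the page): p = 2q + 1, both prime.
Q = 1733
P = 2 * Q + 1                            # 3467
ALPHA = 4                                # element of order q mod p

def authority_setup():
    """Trusted authority picks a0 and publishes beta; a0 is told to no one."""
    a0 = 1 + secrets.randbelow(Q - 1)
    return a0, pow(ALPHA, a0, P)

def keygen(beta):
    a1, a2, b1, b2 = (secrets.randbelow(Q) for _ in range(4))
    g1 = pow(ALPHA, a1, P) * pow(beta, a2, P) % P   # gamma1
    g2 = pow(ALPHA, b1, P) * pow(beta, b2, P) % P   # gamma2
    return (a1, a2, b1, b2), (g1, g2)

def sign(priv, x):
    a1, a2, b1, b2 = priv
    return (a1 + x * b1) % Q, (a2 + x * b2) % Q

def verify(pub, beta, x, sig):
    lhs = pub[0] * pow(pub[1], x, P) % P            # gamma1 * gamma2^x
    return lhs == pow(ALPHA, sig[0], P) * pow(beta, sig[1], P) % P

def second_valid_signature(a0, sig, t=1):
    """Test input only: a different signature that still verifies. Built with
    a0, which in the scheme nobody but the authority knows."""
    return (sig[0] - a0 * t) % Q, (sig[1] + t) % Q

def prove_forgery(priv, pub, beta, x, other):
    """Alice's proof of forgery: returns a0, or None if there is nothing to prove."""
    own = sign(priv, x)
    other = (other[0] % Q, other[1] % Q)
    if other == own or not verify(pub, beta, x, other):
        return None
    # a0 = (y1'' - y1') * (y2' - y2'')^-1 mod q
    return (other[0] - own[0]) * pow((own[1] - other[1]) % Q, -1, Q) % Q
```

Anyone can check Alice's claim by confirming that α raised to the returned value equals the public β.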

Date posted: 08/10/2021, 23:35
