## Digital Signatures


**Digital Signatures**
Presented by Olga Shishenina

**Outline**
• Cryptographic goals
• Message Authentication Codes (MACs)
• Digital signatures
• RSA digital signature
• Elliptic curve digital signature
• Comparison of ECDSA and RSA signature

**Cryptographic Goals**
(Figure: taxonomy of cryptographic goals and the primitives that provide them)
• Confidentiality: symmetric-key ciphers (block ciphers, stream ciphers), public-key ciphers
• Data integrity: arbitrary length hash functions, message authentication codes (MACs), digital signatures
• Authentication: message authentication (authentication primitives: MACs, digital signatures), entity authentication
• Non-repudiation: digital signatures

**Non-repudiation**
(Figure: Alice sends m, s to Bob; m is a signed message, s is a valid signature for m)
• Alice denies her signature if she finds m’ ≠ m such that s is a valid signature for m’

**Message Authentication Codes**
• MAC f(x, key): {0,1}* → {0,1}^n
• Knowing x and key, f is easy to compute
• It is infeasible to calculate f(x, key) without the key
• MACs are often block cipher based
• Message m, secret key k, specification of block cipher E
• MAC(m) = E(m, key)
• MAC(m) = E(hash(m), key)

**CBC-based MAC algorithm**
Algorithm CBC-MAC
INPUT: data x; specification of block cipher E; secret MAC key for E
OUTPUT: n-bit MAC on x
• h1 = E_key(x1)
• hi = E_key(h_{i-1} ⊕ xi), 2 ≤ i ≤ t
(Figure: n-bit blocks x1, x2, …, xt chained through E under key, starting from 0; intermediate values h1, h2, …, h_{t-1}; optional output transformation; n-bit H = MAC)

**Use of a MAC**
(Figure: Signer runs the MAC algorithm with the secret key and sends message and MAC over an unsecured channel; Verifier runs the MAC verification algorithm with the same secret key and outputs Ok / not Ok)
• Used to provide: data integrity, message authentication

**Digital Signature Scheme**
(Figure: Signer runs the signing algorithm with the signer’s private key and sends message and signature over an unsecured channel; Verifier runs the signature verification algorithm with the signer’s public key and outputs Ok / not Ok)
• Used to provide: data integrity, message authentication, non-repudiation

**Difference between MAC and digital signature**
• To prove the validity of a MAC to a third party, you need to reveal the key
• If you can verify a MAC, you can also create it
• A MAC does not allow a distinction to be made between the parties sharing the key
• Computing a MAC is (usually) much faster than computing a digital signature; important for devices with low computing power

**RSA**
• Developed in 1978 by Rivest, Shamir and Adleman (RSA)
• Most popular public key cryptosystem
• Based on the hard problem of “integer factorization”

**Key Generation for RSA (1)**
• Generate two large random distinct primes p and q, each roughly the same size
• Compute n = pq and
• Select random integer e:
• Compute unique integer d:
• Public key is (n, e); private key is d

**Key Generation for RSA (2)**
• Usually numbers with the right bit length are chosen randomly and tested for primality
• Statistical tests are used to determine the probability that these numbers are prime, e.g. the Strassen test and the Miller–Rabin test
• There is always an insignificantly low chance that the number is not prime

**Used notation**
• M is a set of elements called the message space; M = Z_n
• M_S is a set of elements called the signing space; M_S = Z_n
• R is a 1-to-1 mapping from M to M_S, called the redundancy function
• M_R is the image of R: {y | y = R(x), x ∈ M}
• R^-1 is the inverse of R: M_R → M

**RSA signature generation and verification**
• To sign a message, A should:
  • Compute: where R(m) is a redundancy function
  • Compute:
  • A’s signature for m is s
• To verify A’s signature and recover m, B should:
  • Obtain A’s authentic public key (n, e)
  • Compute:
  • Verify that ; if not, reject the signature
  • Recover

**Proof that signature verification works**
• Euler’s theorem: , where is Euler’s function of n
• If s is a signature for m, then:
• Since , then:
• Finally:

**RSA signature example**
Alice:
• p = 5, q = 7, n = 35, φ(n) = 4·6 = 24
• e = 5; d: ed = 5d = 1 mod 24 => d = 5
• Public key: (n = 35, e = 5); private key: d = 5
• M = [0, n-1]
• For all m ∈ M: R(m) = m
• m = 26; R(m) = 26; s = 26^5 mod 35 = 31
Bob:
• R(m) = 31^5 mod 35 = 26 ∈ [0, n-1]
• m = R^-1(26) = 26

**Possible Attacks on RSA signature**
• Integer factorization: if an adversary is able to factor n, then
• Multiplicative property of RSA: if , then s is a valid signature for m:
• Hence, to avoid this attack R must not be multiplicative, i.e.

**Performance characteristics**
• n = pq, where n is 2k-bit and p, q are k-bit primes
• takes bit operations
• Verification is significantly faster than signing if e is chosen to be a small number, e.g.
• It is not recommended to restrict the size of d

**Short vs. long messages**
(Figure: message m, 2k bits and k bits)
• n = pq, where n is 2k bits and p, q are k-bit primes
• ISO/IEC 9796 R:
• To sign a kt-bit message m:
  • Divide m = m1 || m2 || m3 || … || mt and sign each block individually; one transmits 2kt bits
  • Sign an l-bit hash(m), l ≤ k; then one transmits kt + 2k bits (kt to transmit the message)
• If t > 2, then kt + 2k < 2kt

**Elliptic curves (EC) over the reals**
• A non-singular EC is the set E of solutions to the equation together with a special point O, where has three distinct roots

**An EC over the reals**
• y² = x³ – 4x
• 4a³ + 27b² = –256

**Addition – Geometric Approach**
(Figure: chord-and-tangent construction with P = (x1, y1), Q = (x2, y2), R = (x3, y3) and –R = (x3, –y3); second panel: tangent at P for point doubling)
• Chord-and-tangent rule: P + Q = R, P ≠ Q
• Point doubling: P + P = 2P = R

**Addition – Algebraic Approach**
E is an elliptic curve over the reals
• (O is the identity element)
• If –P

**Galois Fields (Finite Fields) GF(q)**
• A set of elements (G, +, *) that satisfy certain arithmetic properties
• A finite field exists iff q is a prime power
• If q = p, p prime: {0, 1, …, p – 1} are the field elements
• ADDITION:
• MULTIPLICATION:
• INVERSION:

**Elliptic Curves over Finite Fields**
Over GF(p), p prime, p > 3
• Elliptic curve E equation where
• E consists of all pairs satisfying the curve equation and the special point (point at infinity)

**Example 1: elliptic curve over GF(23)**
• p = 23
• The points in E are and the following: (0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12) … 28 points + = 29 points
• Let’s consider (4, 7): 64 + 4 + 4 = 72 = 3 (mod 23); 49 = 3 (mod 23)

**Basic Facts**
Let E(GF(q)) be an EC over GF(q)
• The points of E(GF(q)) form a group under addition
• Hasse’s theorem: number of points on E (group order):
• If #E is prime then the group is cyclic and
• If #E has a prime factor, then there exists a cyclic subgroup

**Example 2: elliptic curve over GF(23)**
• p = 23
• The points in E are and the following:
P = (0, 2), 2P = (13, 12), 3P = (11, 9), 4P = (1, 12), 5P = (7, 20), 6P = (9, 11),
7P = (15, 9), 8P = (14, 5), 9P = (4, 7), 10P = (22, 5), 11P = (10, 5), 12P = (17, 9),
13P = (8, 15), 14P = (18, 9), 15P = (18, 14), 16P = (8, 8), 17P = (17, 14), 18P = (10, 18),
19P = (22, 18), 20P = (4, 16), 21P = (14, 18), 22P = (15, 17), 23P = (9, 12), 24P = (7, 3),
25P = (1, 11), 26P = (11, 14), 27P = (13, 11), 28P = (0, 21), 29P = O, 30P = P
• 29 points

**ECDSA parameters setup**
• Create (random) public abstract groups
• Domain Parameter Generate: complex and public; DP often taken from a published list
• Domain Parameter Validate: easy and public
• Key Pair Generate: easy and private
• Key Pair Validate: easy and public

**ECDSA Domain Parameters**
• Domain parameters D = (q, a, b, G, n, h)
• Field size q, q = p or q = 2^m
• Coefficients a, b in GF(q) of E = E_{a,b}(GF(q)):
• Seed s of length ≥ 160 bits (optional)
• Base point G = (xG, yG) on curve E, i.e.
• Order n of G: n is prime,
• Cofactor h: #E(GF(q)) = hn

**Curve parameters generation (1)**
(Figure: arbitrary SEED (g > 160 bits) → hash → W0 (v – 1 bits); hash(z + 1), hash(z + 2), …, hash(z + s), 160 bits each; (v – 1) + s·160 < log2 p bits)
• Input: GF(p), p prime
• Output: seed, curve coefficients a and b
• Used notations:

**Curve parameters generation (2)**
• If abort and start again
• Choose a, b
• Result: y² = x³ + ax + b
• If
• Exclude singular curves

**Isomorphism classes of ECs (1)**
• E1: y² = x³ + a1x + b1 and E2: y² = x³ + a2x + b2 are isomorphic
• Step 3: choose a, b
• There are only 2 variants for a and b in step 3

**Isomorphism classes of ECs (2)**
• Let’s prove that there are precisely 2 choices for (a, b) in step 3:
• We can find a1, b1 and a2, b2:
• We cannot find a3, b3: E3 is not isomorphic to E1 or E2

**Domain Parameter Generation**
• Domain parameters D = (q, a, b, G, n, h)
• Generate EC coefficients a and b: E(GF(q)): y² = x³ + ax + b
• Compute #E(GF(q)) (e.g. Schoof’s algorithm)
• Verify that , n is prime, ; if not, go to step 1
• Verify that ; if not, go to step 1
• Verify that n ≠ q; if not, go to step 1
• Select an arbitrary point ; set ; repeat until

**Key pair**
Alice (signer), D = (q, a, b, G, n, h)
Key generation:
• Select random d: 1 ≤ d ≤ n – 1
• Q = d·G
• Q = (xQ, yQ) is public, d is private
Key validation:
• Check that: Q ≠ O, nQ = O
• If any check fails -> Q is invalid, else -> Q is valid
Bob (verifier) receives (D, Q): is Q valid or not???

**ECDSA generation & verification**
Alice: parameters D = (q, a, b, G, n, h), associated keys (d, Q)
Bob: parameters D = (q, a, b, G, n, h), Alice’s public key Q, Alice’s signature (r, s) on m
To sign message m:
• k randomly chosen, 0 < k < n – 1
• k·G = (x1, y1), r = x1 mod n
• If r = 0, abort and start again
• e = SHA-1(m)
• s = k^-1·(e + d·r) mod n
• If s = 0, abort and start again
• Output: (r, s)
Alice sends D, Q, m, r, s to Bob.
To verify signature (r, s):
• Check: 1 ≤ r ≤ n – 1, 1 ≤ s ≤ n – 1
• e = SHA-1(m)
• w = s^-1 mod n
• u1 = e·w mod n, u2 = r·w mod n
• X = u1·G + u2·Q, if
• X = (x1, y1), v = x1 mod n
Proof that signature verification works:

**Ordinary DLP**
• Definition: given a prime p, a generator g of GF(p) and a non-zero element y ∈ GF(p), find the unique integer k, 0 ≤ k ≤ p – 2, with y ≡ g^k (mod p); k is called the discrete logarithm of y to the base g
• Known attacks; the most efficient: Index Calculus Method, O( )

**Elliptic Curve DLP**
• Identified in 1985; Koblitz and Miller suggested using it in place of the DLP
• Definition: given an EC E defined over GF(q), a point P ∈ E(GF(q)) of order n and a point Q ∈ E(GF(q)), determine the integer l, 0 ≤ l ≤ n – 1, with Q = lP
• Arises in groups defined on ECs
• Hard problem: only exponential algorithms known

**Known Attacks on ECDLP**
• Pollard’s Rho Algorithm: O( )
• Parallelized Pollard’s Rho: O( ), where r is the number of processors used. Precautions:
• Pohlig–Hellman Algorithm: O( ). Precautions:
• Menezes–Okamoto–Vanstone (MOV): O( ). Precautions:
• No index calculus method found

**Pollard’s Rho Algorithm (1)**
To find k where Q = kP and n is the group order:
• Use a pseudo-random walk through the group
• Start at a known point
• When a collision occurs, we can find k
• Because there is not enough room to store all visited points, we only store distinguished points (points with some distinguishing property, such as the first i lower-order bits equal to zero)

**Pollard’s Rho Algorithm (2)**
• The random walk is defined as:
• where the S_i are three sets of points (e.g. S_i may be the points such that x mod 3 = i), and the r_i are randomly chosen

**Pollard’s Rho Algorithm (3)**
• R0 is chosen to be a known multiple of P and Q
• For each iteration, R_{i+1} is found, and also what multiple of P and Q it is
• When a collision occurs, we have:

**Pollard’s Rho Algorithm (4)**
• The number of iterations is
• With this approach, the path of the pseudo-random walk depends on Q
• There is no precomputation
• Calculations from previous ECDLPs are of limited usefulness in subsequent ECDLPs, because collisions are only detected for distinguished points

**Proof of work:**
Duplicate-Signature Key Selection
(Figure: Alice sends D, Q, m, r, s; adversary E presents D_E, Q_E, m, r, s to Bob)
• An adversary:
  • selects arbitrary c:
  • computes:
  • forms:

**Key Size Comparisons**

| Sym. key | ECC n | RSA n |
|---|---|---|
| 80 | 161 | 1024 |
| 112 | 224 | 2048 |
| 128 | 256 | 3072 |
| 192 | 384 | 7680 |
| 256 | 512 | 15360 |

**ECDSA Advantages**
• Elliptic curves offer a much shorter key length than RSA
• There are some environments where 1024-bit RSA cannot be implemented, while 163-bit ECC can
• No subexponential-time algorithm is known for the EC discrete logarithm problem

**Discussion**
???
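The RSA signature example slide (p = 5, q = 7, e = 5, R(m) = m, m = 26) and the multiplicative-property attack slide, worked as an added Python example that is not part of the original presentation. The identity redundancy is the slides' own; the `doubled` redundancy R(m) = m || m is an illustrative construction assumed here (it is not the ISO/IEC 9796 function the slides name), chosen only to show a product of signatures being rejected.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Textbook RSA key from two primes and a public exponent (slides: p = 5, q = 7, e = 5)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    return (n, e), pow(e, -1, phi)           # public key (n, e), private key d = e^-1 mod phi(n)

# A redundancy function is a pair (R, R_inv); R_inv returns None for values outside M_R.
# Identity R(m) = m on M = [0, n-1], as in the slides' example: M_R is all of Z_n and R is
# multiplicative, so the product of two signatures is itself accepted as a signature.
IDENTITY = (lambda m, n: m, lambda y, n: y if 0 <= y < n else None)

def doubled(t):
    """Illustrative non-multiplicative redundancy (assumed, not ISO/IEC 9796): R(m) = m || m for t-bit m."""
    def R(m, n):
        if not 0 <= m < 2 ** t or 2 ** (2 * t) > n:
            raise ValueError("m outside the message space")
        return (m << t) | m
    def R_inv(y, n):
        hi, lo = y >> t, y & (2 ** t - 1)
        return lo if y < 2 ** (2 * t) and hi == lo else None   # reject y not of the form m || m
    return R, R_inv

def rsa_sign(d, n, m, red=IDENTITY):
    return pow(red[0](m, n), d, n)             # s = R(m)^d mod n

def rsa_verify(pub, s, red=IDENTITY):
    """Verification with message recovery: m if s^e mod n lies in M_R, else None (reject)."""
    n, e = pub
    return red[1](pow(s, e, n), n)             # R(m) = s^e mod n, then m = R^-1(R(m))

def product_signature(pub, s1, s2, red=IDENTITY):
    """Slides' multiplicative property: s1*s2 mod n verifies as a signature exactly when
    R(m1)*R(m2) mod n lands in M_R, which an identity R can never prevent."""
    return rsa_verify(pub, s1 * s2 % pub[0], red)
```

With the slides' key, `rsa_sign(5, 35, 26)` is 31 and `rsa_verify((35, 5), 31)` recovers 26; the signatures on 2 and 13 multiply to that same 31, whereas under `doubled(6)` with the (constructed) primes 101 and 113 the product of the signatures on 2 and 3 is rejected.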
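The curve arithmetic of Examples 1 and 2 over GF(23) together with the key validation and the ECDSA signing and verification steps from the slides, as an added Python example that is not part of the original presentation. The coefficients a = 1, b = 4 are inferred from the slides' check 64 + 4 + 4 = 72 = 3 (mod 23) for (4, 7); base point G = (0, 2), n = 29 and h = 1 follow from Example 2; SHA-1 output is reduced mod n because the toy group is so small.

```python
import hashlib, secrets
# Toy curve from the slides' Examples 1/2: y^2 = x^3 + x + 4 over GF(23), 29 points
# (a = 1, b = 4 inferred from the slides' check 64 + 4 + 4 = 72 = 3 mod 23 for (4, 7)).
p, a, b = 23, 1, 4
G, n, O = (0, 2), 29, None   # base point, its prime order (cofactor h = 1), point at infinity
def on_curve(P):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def add(P, Q):
    """Chord-and-tangent addition over GF(p), handling O and P + (-P)."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return O          # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)             # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):                                            # double-and-add k*P, k >= 0
    R = O
    while k > 0:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def valid_public_key(Q):                                  # slides: Q != O, on curve, nQ = O
    return Q is not O and on_curve(Q) and mul(n, Q) is O

def e_of(m):                                              # e = SHA-1(m), reduced mod n
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % n

def sign(d, m, k=None):
    """(r, s) as on the slides; k is a fresh random nonce, retried if r or s would be 0."""
    while True:
        if k is None or not 1 <= k <= n - 1: k = secrets.randbelow(n - 1) + 1
        r = mul(k, G)[0] % n
        s = pow(k, -1, n) * (e_of(m) + d * r) % n
        if r and s: return r, s
        k = None

def verify(Q, m, sig):
    r, s = sig
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1 and valid_public_key(Q)): return False
    w = pow(s, -1, n)
    X = add(mul(e_of(m) * w % n, G), mul(r * w % n, Q))    # u1*G + u2*Q, accept iff x1 mod n = r
    return X is not O and X[0] % n == r
```

`mul(9, G)` reproduces 9P = (4, 7) from Example 2 and `mul(29, G)` returns O, so the group order is confirmed before the signature round trip is run.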