Digital Signatures: A Comprehensive Overview, Study notes of Advanced Computer Architecture

An in-depth exploration of digital signatures, their principles, and various signature schemes including rsa, dsa, schnorr, and implicit certificates. Topics covered include cryptographic hash functions, security of signature schemes, and services such as verification and message recovery.

Typology: Study notes

2010/2011

Uploaded on 09/07/2011 by home-alone
Partial preview of the text

COMSM2004 : Digital Signatures
B. Warinschi and N.P. Smart
Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom.
January 30, 2009
(Slide 1)

Slide 2: Outline

- Generalities on Signatures
- Cryptographic Hash Functions
- Security of Signature Schemes
- Secure RSA Signatures
- DSA
- Schnorr Signatures
- Implicit Certificates
- Signatures with Message Recovery

Slide 5: Digital Signatures

On the last slide we described a signature scheme with appendix: the message is an explicit input of the verification algorithm. Some signature schemes have the property of message recovery: the message is recovered from the signature. The basic idea is

  Message + Alice's Private Key = Signature
  Signature + Alice's Public Key = Message or INVALID

Henceforth we denote a public/secret key pair (pk, sk). A message is denoted m, the signing algorithm is denoted S, the verification algorithm is denoted V and a signature is denoted s. So we have S(sk, m) = s and V(s, m, pk) = YES/NO (for the with-appendix case).

Slide 6: Digital Signatures : Services

The verification algorithm is used to determine whether or not the signature is properly constructed. It determines whether or not the owner of the public key really produced the signature. If s is a valid signature for m the verifier has a guarantee of

- message integrity and
- message origin.

Signature schemes also provide non-repudiation, which is not provided by message authentication codes (MACs).

Slide 7: RSA Signatures

Recall RSA. Alice picks two large primes p and q.

- p, q have around 512 bits.
- N = pq.

Alice also chooses an encryption exponent e with gcd(e, (p − 1)(q − 1)) = 1. Alice publishes (N, e): the public key. Via xgcd Alice computes d such that e · d ≡ 1 (mod (p − 1)(q − 1)). Alice keeps (d, p, q) secret: the secret/private key.

  Encryption: c = m^e mod N
  Decryption: m = c^d mod N

Slide 10: Signing Long Messages

To apply RSA signing to a long message m one could

- break m into blocks m1, m2, ... and
- sign each block in turn.

This is very time consuming for long messages! Worse than this, we must add serial numbers and redundancy to each message!

- If we don't do this an attacker could delete parts of the long message without us knowing.

Luckily there is a much better way to sign long messages using RSA! The method we have just described is a signature scheme with message recovery; the one we are about to see is a signature scheme with appendix.

Slide 11: Signature Schemes with Appendix (or without Message Recovery)

Suppose we have a signature transform S that can sign m ∈ {0, 1}^n using a secret key sk: s = S(m, sk). Having computed s we transmit the pair (m, s). The verification process V takes three inputs: message m, signature s and public key pk. The verification process outputs a bit indicating whether or not s is a valid signature on m under public key pk. To use this process to obtain signatures on messages of arbitrary length, as opposed to messages from {0, 1}^n, we require the use of a cryptographic hash function.

Slide 12: Cryptographic Hash Functions

We introduce cryptographic hash functions to help us construct signatures for long messages. These are functions with the following properties.

- They take arbitrary length bit strings as input (denoted {0, 1}*).
- They produce fixed length bit strings as output ({0, 1}^n).

The output of a hash function is referred to as a fingerprint, message digest, hash code, hash value or simply hash of its input. There are several security properties that should be satisfied for a cryptographic hash function H : {0, 1}* → {0, 1}^n:

- One-way property: Given H(m) it should be infeasible to find any m′ such that H(m) = H(m′).
- Collision resistance property: It should be infeasible to find any m ≠ m′ such that H(m) = H(m′).

Slide 15: RSA Signature: One-Way Property

The one-way property stops a cryptanalyst from cooking up a message with a given signature. An adversary proceeds as follows.

- Chooses a random value s.
- Computes H(m)′ = s^e mod N.
- Finds m such that H(m) = H(m)′.

It is easy to see that s is a valid signature on m in the above. Conclusion: for our construction to be secure H must be one-way.

Slide 16: RSA Signature: Collision Resistance Property

We also require H to be collision resistant. Suppose that H is not collision resistant. A malicious signer could proceed as follows.

- Find m and m′ such that H(m) = H(m′).
- Sign m: s = H(m)^d mod N.
- Claim that s is really a signature on m′.

The above undermines the non-repudiation offered by the scheme.

Slide 17: Birthday Paradox

It is harder to construct collision resistant hash functions than one-way hash functions. This is owing to the birthday paradox. (Actually not a paradox at all.) How probable is it that a person in the room has a particular birthday? How probable is it that two people in this room have the same birthday? Experiment time!

Slide 20: Avalanche Effect

A basic design principle when designing hash functions is that the hash function should produce an avalanche effect. In other words a small change in the input produces a large and unpredictable change in the output. This is needed so that a signature on a cheque for 30 pounds cannot be altered into a signature on a cheque for 30000 pounds.

Slide 21: Avalanche Effect : Examples

  MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
  MD5("The quick brown fox jumps over the lazy cog") = 1055d3e698d289f2af8663725127bd4b
  SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
  SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3

Slide 22: Hash Functions in Practice

To be collision resistant, a hash-code should be at least 128 bits long and preferably 160 bits. Several hash functions are widely used; they are all iterative in nature. The Secure Hash Algorithm 1 (SHA-1) is a US and ISO standard with 160-bit outputs. (Recent attacks are theoretical only.) In the past MD4 and MD5 were very popular but they have been superseded by SHA-1. In August 2004 a method was published to find collisions in MD4 and MD5. Also a reduced version of SHA-1 was "broken" at the same conference.

Slide 25: MD4

The data stream is loaded 16 words at a time into X[j], 0 ≤ j < 16. The following steps are then executed.

- (A, B, C, D) = (H1, H2, H3, H4)
- Execute Round 1
- Execute Round 2
- Execute Round 3
- (H1, H2, H3, H4) = (H1 + A, H2 + B, H3 + C, H4 + D)

After all data has been read in, the output is the concatenation of H1, H2, H3, H4. We will now see what happens during the rounds.

Slide 26: MD4

Round 1: For j = 0 to 15 do
- t = A + f(B, C, D) + X[z_j] + y_j
- (A, B, C, D) = (D, t << s_j, B, C)

Round 2: For j = 16 to 31 do
- t = A + g(B, C, D) + X[z_j] + y_j
- (A, B, C, D) = (D, t << s_j, B, C)

Round 3: For j = 32 to 47 do
- t = A + h(B, C, D) + X[z_j] + y_j
- (A, B, C, D) = (D, t << s_j, B, C)

The symbol << denotes bit-wise rotate in the above.

Slide 27: Merkle-Damgård Construction

Most fully-fledged hash functions are constructed from compression functions as described below. Let f denote a collision resistant compression function from n + t bits to n bits. To construct a collision resistant function that takes arbitrary length input we proceed as follows.

- Divide the input into t-bit blocks m1, ..., ml.
- Set h0 to be a fixed n-bit block.
- Define h_i = f(h_{i−1} || m_i) for i = 1, ..., l.
- Output h_l.

Often used with length strengthening: one adds an extra block to the message to encode its length. Problems were found in this construction in 2004/2005, so people are now working on new ideas.

Slide 30: Hash Functions and MACs

One possibility is to concatenate the key with the message and then apply a hash function. Suppose the hash code output is the MAC: MAC = H(M || k). This is a very bad idea because of a birthday attack operating in O(2^(n/2)) operations.

Slide 31: Hash Functions and MACs

The most widely adopted use of a hash in a MAC is HMAC. HMAC is (believed to be) secure and it works as follows.

  MAC = H(k || p1 || H(k || p2 || M))

where

- k is the MAC's key, say of length 128 bits.
- M is the message we wish to MAC.
- p1 and p2 are padding strings, say of length 384 bits.

Slide 32: Another Use of Hash Functions

Hash functions are simply a special type of manipulation detection code (MDC). A hash function can be used to protect the integrity of a large file as follows.

- The hash of the file is computed.
- The hash value is kept in a physically secure place, on a floppy disk in a safe for example.
- To test whether or not the file has been manipulated one compares its hash value with that on disk.

Clearly collision resistance is important in the above context!

Slide 35: Signature Scheme Security

What does it mean for a signature scheme to be secure?

- Note: we don't care about recovering a message, since the message is public. Like standard signatures we worry about forgery.
- There are two types of forgery: selective forgery and existential forgery.

Slide 36: Signature Scheme Security

Selective Forgery:
- Clearly we require that an attacker should not be able to produce a message, signature pair on a message of their choice.
- This is considered to be a weak notion of security.

Existential Forgery:
- A scheme is existentially unforgeable if, no matter how many message, signature pairs an adversary sees, it cannot produce a signature on any other message.

Slide 37: Signature Scheme Security

We have just seen some adversarial goals; to form a complete definition we also need attack models.

Passive Attack:
- Attacker obtains a public key and some message, signature pairs produced using the public key.

Adaptive Chosen Message Attack:
- Attacker can obtain signatures on messages of its choosing.
- It can choose the messages based on what it has already seen, hence adaptive.
- Its job is to produce a signature on a new message.

Accepted definition of security:
- A signature scheme is deemed secure if it resists existential forgery under an adaptive chosen message attack.

Slide 40: PKCS-1

To sign a message m using RSA as in PKCS-1 one proceeds as follows. Hash m to obtain an octet string D whose length should be less than or equal to k − 11 in octets. Form an octet string EB of k octets by concatenating 00 || BT || PS || 00 || D. Usually one chooses

- BT = 01
- PS = FF || FF || ... || FF.

Convert EB to an integer m in the obvious way (little octetian format). The signature is then f(m).

Slide 41: Digital Signature Algorithm

We have one digital signature scheme (RSA); why do we need another one?

- What if someone breaks the RSA algorithm?
- What if factoring is easy?

We also have DSA (digital signature algorithm).

- Sometimes referred to as DSS (digital signature standard).

The elliptic curve variants of DSA (ECDSA) run very fast and have smaller footprints and key sizes. DSA is based on the difficulty of the discrete logarithm problem (DLP) in the group GF(p)^* = F_p^*.

Slide 42: DSA

A DSA signature consists of two 160-bit blocks r and s. r is a function of a 160-bit random number k

- which is different for every message (like a session key).

s is a function of

- the message,
- the signer's private key x and
- r.

The signature has a 2^(−160) probability of being forged, i.e. if you write down random r and s then it has probability 2^(−160) of being a valid signature for a message m.

Slide 45: DSA : Signing

To sign a message M the signer proceeds as follows.

- Signer computes one-way hash m = H(M).
- Signer chooses a random ephemeral key: 0 < k < q.
- Signer computes r = (g^k (mod p)) (mod q).
- Finally, signer computes s = (m + xr)/k (mod q).

The signature on M is the pair (r, s).

Slide 46: DSA : Verification

To verify a signature (r, s) on a message M under public key y, the verifier proceeds as follows. The verifier computes the following.

- m = H(M)
- a = m/s (mod q)
- b = r/s (mod q)

The verifier accepts the signature if and only if v = r where v = (g^a y^b (mod p)) (mod q).

Slide 47: DSA : Small Example

Domain parameters: q = 13, p = 4q + 1 = 53, g = 16
Private key: x = 3
Public key: y = g^x (mod p) = 16^3 (mod 53) = 15

Signature:
- Hash of message m = H(M) = 5
- Ephemeral key k = 2
- r = (g^k (mod p)) (mod q) = 5
- s = (m + xr)/k (mod q) = 10

Verification:
- a = m/s (mod q) = 7 (m = H(M))
- b = r/s (mod q) = 7
- v = (g^a y^b (mod p)) (mod q) = 5

Note: v = r, hence the signature is verified.

Slide 50: Generalised DSA

We can generalise DSA to an arbitrary finite Abelian group in which the DLOG problem is hard. We write G = <g> for a cyclic group generated by g.

- Assume g has prime order q > 2^160.
- Assume that the DLOG problem with respect to g is hard.
- Assume we have a public function f : <g> → F_q^*.

Each user generates a secret signing key x at random such that 0 < x < q. The public key is y where y = g^x.

Slide 51: Generalised DSA : Signing

To sign a message M the signer proceeds as follows.

- Signer computes one-way hash m = H(M).
- Signer chooses a random ephemeral key: 0 < k < q.
- Signer computes r = f(g^k).
- Finally, signer computes s = (m + xr)/k (mod q).

The signature on M is the pair (r, s).

Slide 52: Generalised DSA : Verification

To verify a signature (r, s) on a message M under public key y, the verifier proceeds as follows. The verifier computes the following.

- m = H(M)
- a = m/s (mod q)
- b = r/s (mod q)

The verifier accepts the signature if and only if v = r where v = f(g^a y^b).

Slide 55: Schnorr Signatures : Signing

To sign a message M the signer proceeds as follows.

- Signer chooses a random ephemeral key: 0 < k < q.
- Signer computes r = g^k.
- Signer computes one-way hash m = H(r || M).
- Finally, signer computes s = (k + mx) (mod q).

The signature on M is the pair (m, s).

Slide 56: Schnorr Signatures : Verification

To verify a signature (m, s) on a message M under public key y, the verifier proceeds as follows. The verifier computes r′ = g^s y^(−m). If the signature is valid we have r′ = g^(k+mx) · g^(−xm) = g^k. So, the verifier accepts the signature if and only if m = H(r′ || M).

Slide 57: Making Things Smaller

We now investigate how to make messages smaller. We describe two such ways:

- implicit certificates and
- signatures with message recovery.

Slide 60: Implicit Certificates

We cannot reduce the size of the user's details but we could possibly reduce the size of the other components. An implicit certificate looks like X || Y where

- X = user's details and
- Y = the actual implicit certificate on X.

From Y we can

- recover the public key of the user and gain
- implicit assurance that the certificate was issued by the CA.

For DSA type signatures Y has approximately 1024 bits. For ECDSA type signatures Y has size approximately 160 bits. We shall describe a DSA based version here.

Slide 61: Implicit Certificates

System Setup: The CA chooses a group G of order n and an element P ∈ G. The CA chooses a private key c from {1, ..., n} and computes the public key Q = P^c.

Certificate Request: For Alice to request a certificate and the public key associated to the information ID (user's details on the previous slides) she proceeds as follows. Alice chooses an ephemeral secret key t from {1, ..., n} and computes an ephemeral public key R = P^t. Alice sends R and ID to the CA.

Slide 62: Implicit Certificates

Processing of the Request: The CA checks that he wants to link ID with Alice. The CA then picks another random number k from {1, ..., n} and computes G = P^k R = P^k P^t = P^(k+t). Next it computes s = cH(ID || G) + k (mod n). The CA sends back to Alice the pair (G, s). The implicit certificate is the pair (ID, G).

Slide 65: Implicit Certificates

As soon as a user sees Alice's key used in action they know implicitly that it must have been issued by the CA,

- since otherwise Alice's signature would not verify correctly.

There are a number of problems with the above system which mean that implicit certificates are not used much in real life.

- What do you do if the CA's key is compromised? Usually you pick a new CA key and re-certify users' keys. You cannot do this since users' public keys are chosen interactively during the certification process.
- Implicit certificates require the CA and users to work at the same security level. This is not considered good practice.

However, for small bandwidth devices they can offer a suitable solution.

Slide 66: Signatures with Message Recovery

What happens when we want to sign a message which is itself quite short?

- The signature could be longer than the message.

RSA can be used either as a scheme with appendix or without. We would like a DLOG scheme with this property. The DLOG based schemes we have seen are all signatures with appendix:

- the signature is appended to the message.

We would like to remove this but still maintain security.

Slide 67: Redundancy Function

All signature schemes with message recovery require a redundancy function R. This maps messages over to the data which is actually signed. A redundancy function acts rather like a hash function in standard signatures.

- But a redundancy function must be easy to invert!

We shall take R to be the function

  R : {0, 1}^(n/2) → {0, 1}^n,  m ↦ m || m

See the HAC, Section 11.2.3 for more discussion of redundancy functions.

Slide 70: Nyberg-Rueppel: Verification

Bob is given the pair (e, s) and Alice's public key y = g^x. Bob computes u1 = g^s y^(−e) = g^(s−ex) = g^k = r (mod p). Bob now computes u2 = e/u1 (mod p). Bob then verifies that u2 lies in the range of the redundancy function; in our example we must have u2 = R(m) = m || m. Now Bob can recover the message m.

Slide 71: Size of Nyberg-Rueppel Signatures

Since we require one group element and one integer modulo q, the size can look quite large if one uses standard DLOGs. If one uses standard DLOGs then one really requires

- 1024 + 160 = 1624 bits.

If one uses an ECC variant then one can get away with

- 160 + 160 = 320 bits.
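The DSA signing/verification steps (Slides 45 to 47) and the Schnorr scheme (Slides 55 and 56) worked in Python on the slides' own toy parameters (q = 13, p = 53, g = 16, x = 3), so the output can be checked against the small example. This is an added example, not the lecturers' code; the Schnorr hash H(r || M) is taken to be SHA-1 reduced mod q, an assumption since the slides fix no concrete hash.

```python
import hashlib

# Toy domain parameters from the slides' small DSA example (far too small for real
# use): g = 16 has prime order q = 13 in F_53^*, x = 3 is the private key.
Q, P, G = 13, 53, 16
X = 3
Y = pow(G, X, P)            # public key y = g^x mod p (= 15 on the slides)


def inv(a, n):
    """Modular inverse a^-1 mod n (Python 3.8+)."""
    return pow(a, -1, n)


def dsa_sign(m, x, k, q=Q, p=P, g=G):
    """Slide 45: r = (g^k mod p) mod q, s = (m + x r) / k mod q.
    m is the already-hashed message, k the per-message ephemeral key, 0 < k < q."""
    if not 0 < k < q:
        raise ValueError("ephemeral key must satisfy 0 < k < q")
    r = pow(g, k, p) % q
    s = (m + x * r) * inv(k, q) % q
    return r, s


def dsa_verify(m, sig, y, q=Q, p=P, g=G):
    """Slide 46: a = m/s, b = r/s (mod q); accept iff (g^a y^b mod p) mod q == r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):   # range check before inverting s (our addition)
        return False
    a = m * inv(s, q) % q
    b = r * inv(s, q) % q
    v = (pow(g, a, p) * pow(y, b, p) % p) % q
    return v == r


def schnorr_hash(r, message, q=Q):
    """m = H(r || M) reduced into Z_q. SHA-1 mod q is our choice; the slides fix no hash."""
    digest = hashlib.sha1(str(r).encode() + b"||" + message).digest()
    return int.from_bytes(digest, "big") % q


def schnorr_sign(message, x, k, q=Q, p=P, g=G):
    """Slide 55: r = g^k, m = H(r || M), s = k + m x mod q; the signature is (m, s), not (r, s)."""
    r = pow(g, k, p)
    m = schnorr_hash(r, message, q)
    s = (k + m * x) % q
    return m, s


def schnorr_verify(message, sig, y, q=Q, p=P, g=G):
    """Slide 56: r' = g^s y^-m = g^(k + m x) g^(-x m) = g^k; accept iff m == H(r' || M)."""
    m, s = sig
    r_prime = pow(g, s, p) * inv(pow(y, m, p), p) % p
    return m == schnorr_hash(r_prime, message, q)


if __name__ == "__main__":
    sig = dsa_sign(5, X, 2)
    print("DSA:", sig, dsa_verify(5, sig, Y))          # (5, 10) True, as on Slide 47
    sig = schnorr_sign(b"hello", X, 4)
    print("Schnorr:", sig, schnorr_verify(b"hello", sig, Y))
```

With q = 13 the Schnorr hash collides with probability 1/13, so a tampered message is only rejected with that caveat; the DSA rejection of a changed m below is exact.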
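Nyberg-Rueppel message recovery as on Slides 67 and 70, with the slides' redundancy function R(m) = m || m and the range check that lets Bob reject a signature whose recovered u2 is not of that form. This is an added example, not the lecturers' code: the signing side is not on the slides and is reconstructed from the verification equations (e = R(m) · r mod p, s = k + x e mod q), and the group (p = 1019, q = 509, g = 4) and the 4-bit message size are constructed toy parameters.

```python
# Constructed toy group (not from the slides, far too small for real use): p = 2q + 1
# is a safe prime, so g = 4 = 2^2 is a quadratic residue and generates the order-q subgroup.
P, Q, G = 1019, 509, 4
N_BITS = 8                     # R maps n/2 = 4-bit messages to n = 8-bit strings; 2^n < p
HALF = N_BITS // 2


def redundancy(m):
    """Slide 67: R(m) = m || m, mapping {0,1}^(n/2) to {0,1}^n."""
    if not 0 <= m < 1 << HALF:
        raise ValueError("message too long for the redundancy function")
    return (m << HALF) | m


def invert_redundancy(u):
    """Return m if u lies in the range of R (i.e. u = m || m), else None.
    R must be easy to invert; this check is what makes a bad signature detectable."""
    if not 0 <= u < 1 << N_BITS:
        return None
    hi, lo = u >> HALF, u & ((1 << HALF) - 1)
    return lo if hi == lo else None


def nr_sign(m, x, k):
    """Reconstructed signing step (assumption, derived from the verification on Slide 70):
    r = g^k mod p, e = R(m) * r mod p, s = k + x e mod q. The signature is (e, s)."""
    r = pow(G, k, P)
    e = redundancy(m) * r % P
    s = (k + x * e) % Q
    return e, s


def nr_verify(sig, y):
    """Slide 70: u1 = g^s y^-e = g^(s - e x) = g^k = r; u2 = e / u1 = R(m).
    Accept and return the recovered m iff u2 lies in the range of R, else None."""
    e, s = sig
    u1 = pow(G, s, P) * pow(y, -e, P) % P
    u2 = e * pow(u1, -1, P) % P
    return invert_redundancy(u2)


if __name__ == "__main__":
    x = 123                                  # Alice's private key (constructed)
    y = pow(G, x, P)                         # y = g^x
    e, s = nr_sign(0xA, x, k=7)
    print(nr_verify((e, s), y))              # 10: the message is recovered from (e, s)
    print(nr_verify((e, (s + 1) % Q), y))    # None: altered s gives u2 = R(m)/g, outside R's range
```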