Digital Signatures
Department of Electrical Engineering, IIT Bombay
October 25, 2023
Digital Signatures
| Secrecy | Integrity | |
|---|---|---|
| Private-Key Setting | Private-Key Encryption | MACs |
| Public-Key Setting | Public-Key Encryption | Digital Signatures |
Digital Signatures Workflow
- Digital signature schemes allow a signer S to sign a message using his private key sk.
- Anyone who has the signer’s public key pk can verify that the message originated from S and was not modified in transit
Digital Signatures vs MACs
Both MACs and digital signature schemes ensure integrity of the transmitted messages
MAC tags are not publicly verifiable
Non-repudiation: Once a signer S signs a message m, she cannot later deny having done so
MACs cannot provide non-repudiation
- Suppose a receiver R wants to prove to a judge that S sent him a message m with MAC tag t
- Since the receiver also knows the private key used to generate t, he cannot convince the judge that S generated the tag t.
Digital Signature Scheme
A digital signature scheme consists of three PPT algorithms (\textsf{Gen}, \textsf{Sign}, \textsf{Vrfy})
The key-generation algorithm \textsf{Gen} takes as input the security parameter 1^n and outputs a pair of keys (pk, sk).
The signing algorithm \textsf{Sign} takes as input a private key sk and a message m from some message space (that may depend on pk)
It outputs a signature \sigma, and we write this as \sigma \leftarrow \textsf{Sign}_{sk}(m).
The deterministic verification algorithm \textsf{Vrfy} takes as input pk, m, and \sigma
It outputs a bit b, with b=1 meaning valid and b=0 meaning invalid. We write this as b = \textsf{Vrfy}_{pk}(m,\sigma).
It is required that except with negligible probability over (pk, sk) output by \textsf{Gen}(1^n), it holds that \textsf{Vrfy}_{pk}(m, \textsf{Sign}_{sk}(m))=1 for every (legal) message m
Digital Signature Experiment
The signature experiment \textsf{Sig-forge}_{\mathcal{A},\Pi}(n)}:
\textsf{Gen}(1^n) is run to obtain keys (pk, sk).
Adversary \mathcal{A} is the public key pk and oracle access to \textsf{Sign}_{sk}(\cdot). The adversary eventually outputs (m,\sigma). Let \mathcal{Q} denote the set of all queries that \mathcal{A} asked its oracle.
\mathcal{A} succeeds if and only if
- \textsf{Vrfy}_{pk}(m,\sigma) = 1 and
- m \notin \mathcal{Q}. If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.
Security Definition
A signature scheme \Pi = (\textsf{Gen}, \textsf{Sign}, \textsf{Vrfy}) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that: \begin{equation*} \Pr\left[ \textsf{Sig-forge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n). \end{equation*}
RSA Signatures
Plain RSA Signatures
- \textsf{Gen:} On input 1^n run \textsf{GenRSA}(1^n) to obtain N, e, d. The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.
- \textsf{Sign:} On input a private key sk = \langle N, d \rangle and message m \in \mathbb{Z}_N^*, compute the signature \begin{equation*} \sigma = m^d \bmod N. \end{equation*}
- \textsf{Vrfy:} On input a public key pk = \langle N, e \rangle, a message m \in \mathbb{Z}_N^*, and a signature \sigma \in \mathbb{Z}_N^*, output 1 if and only if \begin{equation*} m = \sigma^e \bmod N. \end{equation*}
Attacks on Plain RSA
A no-message attack
- Given an public key \langle N, e \rangle, adversary chooses a uniform \sigma \in \mathbb{Z}_N^* and computes m = \sigma^e \bmod N
- He then outputs (m, \sigma) as a forgery
Attack using two signatures
- Suppose the adversary can make the signer sign two messages m_1, m_2 \in \mathbb{Z}_N^* and get the corresponding signatures \sigma_1, \sigma_2
- The adversary outputs (m_1m_2, \sigma_1 \sigma_2) as the forgery.
RSA Full-Domain Hash
\textsf{Gen:} On input 1^n run \textsf{GenRSA}(1^n) to obtain N, e, d. The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.
- A cryptographic hash function H : \{0,1\}^* \mapsto \mathbb{Z}_N^* is chosen
\textsf{Sign:} On input a private key sk = \langle N, d \rangle and message m \in \{0,1\}^*, compute the signature \begin{equation*} \sigma \coloneqq \left[\left(H(m)\right)^d \bmod N \right]. \end{equation*}
\textsf{Vrfy:} On input a public key pk = \langle N, e \rangle, a message m, and a signature \sigma, output 1 if and only if \begin{equation*} \sigma^e = H(m) \bmod N. \end{equation*}
How to Choose H?
- It must be hard to find collisions in H
- If H(m_1) = H(m_2) for m_1 \neq m_2, then m_1 and m_2 have the same signature
- To prevent no-message attacks, it should be infeasible to find m such that H(m) = \hat{m} where \hat{m} \coloneqq \left[\sigma^e \bmod N\right] for any \sigma \in \mathbb{Z}_N^*
H should not admit “multiplicative relations”
It should be infeasible to find three messages m, m_1, m_2 with H(m) = H(m_1) \cdot H(m_2) \bmod N
Security of RSA-FDH
Theorem: If the RSA problem is hard relative to \textsf{GenRSA} and H is modeled as a random oracle, then the RSA-FDH signature scheme is secure
What is a random oracle?
The Random-Oracle Model
Idealized model of hash functions used to prove security of cryptographic schemes
If H is modeled as a random oracle, then
- If x has not been queried to H, then the value of H(x) is uniformly chosen and returned
- If x has already been queried to H, then the same value of H(x) is returned
RO assumption is controversial; no unanimous agreement
Signatures from the Discrete-Logarithm Problem
- Identification Schemes \rightarrow Fiat-Shamir Transform \rightarrow Signature Schemes
Identification Schemes
Interactive protocols that allow a party to prove its identity
- Identity = Knowledge of private key corresponding to a public key
The party proving identity is called the prover
The party verifying the identity is called the verifier
We will consider only three-round identification protocols
- Three PPT algorithms \mathcal{P}_1, \mathcal{P}_2, \mathcal{V}
3-Round Identification Scheme
Schnorr Identification Scheme
- Let \mathcal{G} denote a polynomial-time, cyclic group generation algorithm
- Prover runs \mathcal{G}(1^n) to obtain (G,q,g), chooses uniform x \in \mathbb{Z}_q, and sets y \coloneqq g^x
- Public key is \langle G, q, g, y \rangle and private key is x
Schnorr Identification Scheme
Schnorr Identification Scheme Security
Theorem: If the discrete-logarithm problem is hard relative to \mathcal{G}, then the Schnorr identification scheme is secure
Non-degenerate Schemes
We only consider identification schemes that are non-degenerate
- Many possible initial messages and none has a high probability of being sent
Definition: An identification scheme is non-degenerate if for every private key sk and any fixed initial message I, the probability that \mathcal{P}_1(sk) outputs I is negligible.
Identification Experiment
Let \Pi = (\textsf{Gen}, \mathcal{P}_1, \mathcal{P}_2, \mathcal{V}) be an identification scheme
A PPT adversary who does not know the prover’s secret key should be unable to fool the verifier into accepting
Adversary is allowed to observe multiple executions of the protocol
- Formalized by access to a transcript oracle \textsf{Trans}_{sk} that returns (I,r,s)
The identification experiment \textsf{Ident}_{\mathcal{A}, \Pi}(n):
\textsf{Gen}(1^n) is run to obtain keys (pk, sk)
Adversary \mathcal{A} is given pk and access to an oracle \textsf{Trans}_{sk} that it can query
At any point in the experiment,
- \mathcal{A} outputs a message I.
- A uniform challenge r \in \Omega_{pk} is chosen and given to \mathcal{A}
- \mathcal{A} responds with some s
The experiment outputs 1 if and only if \mathcal{V}(pk,r,s) \overset{?}{=} I
Security Definition
An identification scheme \Pi = (\textsf{Gen},\mathcal{P}_1, \mathcal{P}_2, \mathcal{V}) is secure against a passive attack, or just secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that: \begin{equation*} \Pr\left[ \textsf{Ident}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n). \end{equation*}
Note that we are not considering active attacks where the adversary can impersonate the verifier and send maliciouly chosen values for r
Fiat-Shamir Transform
Popular technique to convert interactive protocols into non-interactive cryptographic schemes
Uniformly chosen challenges in the interactive protocol \rightarrow Cryptographic hash of the transcript values up to that point
Identification schemes can be converted to signature schemes by including message into transcript
From Identification Schemes to Signatures
- The signer acts as a prover, running the identification protocol by itself
- Replaces random challenge r with a hash of the message and I
Let (\textsf{Gen}_{\textsf{id}}, \mathcal{P}_1, \mathcal{P}_2, \mathcal{V}) be an identification scheme
On input 1^n, simply run \textsf{Gen}_{\textsf{id}}(1^n) to obtain keys pk, sk
- The public key pk specifies a set of challenges \Omega_{pk}
As part of key generation, a function H: \{0,1\}^* \mapsto \Omega_{pk} is specified
On input a private key sk and a message m \in \{0,1\}^*
- Compute (I, \textsf{st}) \leftarrow \mathcal{P}_1(sk)
- Compute r\coloneqq H(I, m)
- Compute s\coloneqq \mathcal{P}_2(sk, \textsf{st}, r)
Output the signature (r,s)
- On input public key pk, a message m, and a signature (r,s), compute I \coloneqq \mathcal{V}(pk, r, s) and output 1 if and only if H(I,m) \overset{?}{=} r
Theorem: Let \Pi be an identification scheme, and let \Pi' be the signature scheme that results by applying the Fiat-Shamir transform to it.
If \Pi is secure and H is modeled as a random oracle, then \Pi' is secure.
Digital Signature Algorithm and Elliptic Curve Digital Signature Algorithm
- DSA used in prime order subgroups of \mathbb{Z}_p^*
- ECDSA used in elliptic curve groups
- Have been around since 1991
- ECDSA used in Bitcoin, Ethereum
- Alleged workarounds to avoid the Schnorr patent
- Have no proofs of security
Identification Scheme Underlying DSA
Obtaining Challenges in DSA/ECDSA
Set \alpha \coloneqq H(m) for a message m where H is a cryptographic hash function
Set r \coloneqq F(I) for a function F: G \mapsto \mathbb{Z}_q
- In DSA, G is a order-q subgroup of \mathbb{Z}_p^* and F(I) = I \bmod q
- In ECDSA, G is a order-q subgroup of an elliptic curve group over \mathbb{Z}_p. For I = (x,y) \in \mathbb{Z}_p \times \mathbb{Z}_p, set F(I) = x \bmod q
Certificates and Public-Key Infrastructure
How to distribute public keys?
Public-key cryptography can be used once public keys are securely distributed
Digital signatures are used to securely distribute public keys
Users have to trust one public key first, which can then authenticate other public keys
The “first” public keys can be embedded in browsers or operating systems
Digital Certificates
- A signature binding an entity to a public key
- Suppose Charlie has a key-pair (pk_C, sk_C)
- Charlie knows that pk_B is Bob’s public key
- Charlie can generate a digital certificate as \textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B "\right)
Using Digital Certificates
- Suppose Bob wants to communicate with Alice
- Alice knows Charlie’s public key pk_C
- Bob sends (pk_B, \textsf{cert}_{C \rightarrow B}) to Alice
- If Alice trusts Charlie, she will accept pk_B as Bob’s public key
- Charlie is called a certificate authority (CA)
Certificates Cannot Be Forever
Certificates may need to be revoked
- An employee who was issued a certificate may quit the company
- A private key might be stolen
One solution is to include an expiry date in the signed message\textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B ", \text{date}\right)
This involves a delay in expiry
Certificate Revocation Lists
CAs can explicitly revoke a certificate
CA includes a serial number in every certificate it issues\textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B ", \texttt{\#\#\#}\right)
To revoke a certificate, CAs will add its serial number to certificate revocation list (CRL) and sign the list and current date
The signed CRL is widely distributed by the CA
Certificate verification now involves
- Checking signature in the certificate is valid
- Checking that serial number does not appear in latest CRL
- Checking the signature on the CRL itself
Further Reading
- Section 13.1, 13.4, 13.5, 13.6 of Katz & Lindell
- Section 6.5 of Katz & Lindell