Digital Signatures

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

October 21, 2025

Digital Signatures

                       Secrecy                  Integrity
  Private-Key Setting  Private-Key Encryption   MACs
  Public-Key Setting   Public-Key Encryption    Digital Signatures

Digital Signatures Workflow

  • Digital signature schemes allow a signer S to sign a message using his private key sk.
  • Anyone who has the signer’s public key pk can verify that the message originated from S and was not modified in transit.

Digital Signatures vs MACs

  • Both MACs and digital signature schemes ensure integrity of the transmitted messages

  • MAC tags are not publicly verifiable

  • Non-repudiation: Once a signer S signs a message m, she cannot later deny having done so

  • MACs cannot provide non-repudiation

    • Suppose a receiver R wants to prove to a judge that S sent him a message m with MAC tag t
    • Since the receiver also knows the private key used to generate t, he cannot convince the judge that S generated the tag t.

Digital Signature Scheme

A digital signature scheme consists of three PPT algorithms (\textsf{Gen}, \textsf{Sign}, \textsf{Vrfy})

  • \textsf{Gen}: The key-generation algorithm \textsf{Gen} takes as input the security parameter 1^n and outputs a pair of keys (pk, sk).

  • \textsf{Sign}: The signing algorithm \textsf{Sign} takes as input a private key sk and a message m from some message space (that may depend on pk). It outputs a signature \sigma, and we write this as \sigma \leftarrow \textsf{Sign}_{sk}(m).

  • \textsf{Vrfy}: The deterministic verification algorithm \textsf{Vrfy} takes as input pk, m, and \sigma. It outputs a bit b, with b=1 meaning valid and b=0 meaning invalid. We write this as b = \textsf{Vrfy}_{pk}(m,\sigma).

  • It is required that, except with negligible probability over (pk, sk) output by \textsf{Gen}(1^n), \textsf{Vrfy}_{pk}(m, \textsf{Sign}_{sk}(m))=1 for every valid message m.

Digital Signature Experiment

  • The signature experiment \textsf{Sig-forge}_{\mathcal{A},\Pi}(n):

    1. \textsf{Gen}(1^n) is run to obtain keys (pk, sk).

    2. Adversary \mathcal{A} is given the public key pk and oracle access to \textsf{Sign}_{sk}(\cdot). The adversary eventually outputs (m,\sigma). Let \mathcal{Q} denote the set of all queries that \mathcal{A} asked its oracle.

    3. \mathcal{A} succeeds if and only if

      1. \textsf{Vrfy}_{pk}(m,\sigma) = 1 and
      2. m \notin \mathcal{Q}.

    If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Security Definition

A signature scheme \Pi = (\textsf{Gen}, \textsf{Sign}, \textsf{Vrfy}) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all PPT adversaries \mathcal{A}, there is a negligible function \textsf{negl} such that: \begin{equation*} \Pr\left[ \textsf{Sig-forge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n). \end{equation*}

RSA Signatures

Plain RSA Signatures

  • \textsf{Gen:} On input 1^n run \textsf{GenRSA}(1^n) to obtain N, e, d. The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.
  • \textsf{Sign:} On input a private key sk = \langle N, d \rangle and message m \in \mathbb{Z}_N^*, compute the signature \begin{equation*} \sigma = m^d \bmod N. \end{equation*}
  • \textsf{Vrfy:} On input a public key pk = \langle N, e \rangle, a message m \in \mathbb{Z}_N^*, and a signature \sigma \in \mathbb{Z}_N^*, output 1 if and only if \begin{equation*} m = \sigma^e \bmod N. \end{equation*}

Attacks on Plain RSA Signatures

  • A no-message attack

    • Given a public key \langle N, e \rangle, the adversary chooses a uniform \sigma \in \mathbb{Z}_N^* and computes m = \sigma^e \bmod N
    • He then outputs (m, \sigma) as a forgery; it verifies because \sigma^e = m \bmod N by construction
  • Attack using two signatures

    • Suppose the adversary can make the signer sign two messages m_1, m_2 \in \mathbb{Z}_N^* and get the corresponding signatures \sigma_1, \sigma_2
    • The adversary outputs (m_1m_2 \bmod N, \sigma_1 \sigma_2 \bmod N) as the forgery, which verifies since (\sigma_1\sigma_2)^e = m_1 m_2 \bmod N

RSA Full-Domain Hash

  • \textsf{Gen:} On input 1^n run \textsf{GenRSA}(1^n) to obtain N, e, d. The public key is \langle N,e \rangle and the private key is \langle N,d \rangle.

    • A cryptographic hash function H : \{0,1\}^* \mapsto \mathbb{Z}_N^* is chosen
  • \textsf{Sign:} On input a private key sk = \langle N, d \rangle and message m \in \{0,1\}^*, compute the signature \begin{equation*} \sigma \coloneqq \left[\left(H(m)\right)^d \bmod N \right]. \end{equation*}

  • \textsf{Vrfy:} On input a public key pk = \langle N, e \rangle, a message m, and a signature \sigma, output 1 if and only if \begin{equation*} \sigma^e = H(m) \bmod N. \end{equation*}
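The two forgeries on plain RSA from the previous slide and the way RSA-FDH blocks the multiplicative one, as an added worked example (not code from the lecture). It assumes toy, constructed RSA parameters and takes H to be SHA-256 reduced mod N as a stand-in for a full-domain hash.

```python
import hashlib

# Toy RSA parameters (constructed for illustration; far too small for real use).
P_RSA, Q_RSA = 61, 53
N = P_RSA * Q_RSA                          # 3233
E = 17
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))  # 2753, the private exponent

def plain_sign(m: int) -> int:
    return pow(m, D, N)                    # sigma = m^d mod N

def plain_verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N       # accept iff m = sigma^e mod N

def fdh_hash(m: bytes) -> int:
    """H : {0,1}^* -> Z_N^*; assumed here to be SHA-256 reduced mod N (0 mapped to 1)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big") % N
    return h or 1

def fdh_sign(m: bytes) -> int:
    return pow(fdh_hash(m), D, N)          # sigma = H(m)^d mod N

def fdh_verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == fdh_hash(m) # accept iff sigma^e = H(m) mod N

def no_message_forgery(sigma: int):
    """No-message attack on plain RSA: pick sigma, set m = sigma^e mod N."""
    return pow(sigma, E, N), sigma

def two_signature_forgery(m1: int, m2: int):
    """Two-signature attack on plain RSA: (m1*m2, sigma1*sigma2) verifies."""
    return (m1 * m2) % N, (plain_sign(m1) * plain_sign(m2)) % N

def two_signature_attempt_fdh(m1: bytes, m2: bytes, target: bytes) -> bool:
    """The same multiplication against RSA-FDH: sigma1*sigma2 is a valid signature on
    target only if H(target) = H(m1)*H(m2) mod N, which a good H makes infeasible."""
    sigma = (fdh_sign(m1) * fdh_sign(m2)) % N
    return fdh_verify(target, sigma)
```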

How to Choose H?

  • Collisions

    • It must be hard to find collisions in H
    • If H(m_1) = H(m_2) for m_1 \neq m_2, then m_1 and m_2 have the same signature
  • No message

    • To prevent no-message attacks, it should be infeasible to find m such that H(m) = \hat{m} where \hat{m} \coloneqq \left[\sigma^e \bmod N\right] for any \sigma \in \mathbb{Z}_N^*
  • Multiplication

    • H should not admit “multiplicative relations”

    • It should be infeasible to find three messages m, m_1, m_2 with H(m) = H(m_1) \cdot H(m_2) \bmod N

Security of RSA-FDH

  • Theorem: If the RSA problem is hard relative to \textsf{GenRSA} and H is modeled as a random oracle, then the RSA-FDH signature scheme is secure

  • What is a random oracle?

The Random-Oracle Model

  • Idealized model of hash functions used to prove security of cryptographic schemes

  • If H is modeled as a random oracle, then

    • If x has not been queried to H before, the value H(x) is chosen uniformly at random and returned
    • If x has already been queried to H, the same value H(x) is returned again
  • The random-oracle assumption is controversial; there is no unanimous agreement on its validity

Signatures from the Discrete-Logarithm Problem

  • Identification Schemes \rightarrow Fiat-Shamir Transform \rightarrow Signature Schemes

Identification Schemes

  • Interactive protocols that allow a party to prove its identity

    • Identity = Knowledge of private key corresponding to a public key
  • The party proving identity is called the prover

  • The party verifying the identity is called the verifier

Schnorr Identification Scheme

  • Let \mathcal{G} denote a polynomial-time, cyclic group generation algorithm
  • Prover runs \mathcal{G}(1^n) to obtain (G,q,g), chooses uniform x \in \mathbb{Z}_q, and sets y \coloneqq g^x
  • Public key is \langle G, q, g, y \rangle and private key is x

Schnorr Identification Scheme Security

  • The Schnorr identification experiment \textsf{Ident}_{\mathcal{A}, Schnorr}(n):

    1. Key generation is run as above, using \mathcal{G}(1^n), to obtain pk = (G,q,g,y) and sk = x \in \mathbb{Z}_q

    2. Adversary \mathcal{A} is given pk and access to a transcript oracle \textsf{Trans}_{sk} that it can query

    3. At any point in the experiment,

      • \mathcal{A} outputs an initial message I.
      • A uniform challenge r \in \mathbb{Z}_q is chosen and given to \mathcal{A}
      • \mathcal{A} responds with some s
    4. The experiment outputs 1 if and only if g^s \cdot y^{-r} = I

  • The Schnorr identification scheme is secure against a passive attack, or just secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that: \begin{equation*} \Pr\left[ \textsf{Ident}_{\mathcal{A}, Schnorr}(n) = 1\right] \le \textsf{negl}(n). \end{equation*}

Schnorr Identification Scheme Security

  • Adversary is allowed to observe a polynomial number of protocol transcripts

  • Anyone can simulate transcripts of honest executions using only the public key, without knowledge of the private key

    • Choose r,s \in \mathbb{Z}_q and set I \coloneqq g^s \cdot y^{-r}
  • Consider an adversary \mathcal{A} which outputs I, receives a uniform challenge r and responds with s

  • We use \mathcal{A} as a subroutine of another adversary \mathcal{A}' which is trying to solve the discrete logarithm problem

Schnorr Identification Scheme Security

  • \mathcal{G}(1^n) is run to obtain (G,q,g)
  • \mathcal{A}' is given y = g^x, where x is chosen uniformly from \mathbb{Z}_q, and must compute x
  • \mathcal{A}' uses a Schnorr protocol attacker \mathcal{A} as a subroutine
  • \mathcal{A}' can simulate the Schnorr protocol transcript oracle
  • If an attacker \mathcal{A} can compute correct responses s_1, s_2 to at least two different challenges r_1, r_2 \in \mathbb{Z}_q, then \mathcal{A}' can compute the discrete log of y
  • Theorem: If the discrete-logarithm problem is hard relative to \mathcal{G}, then the Schnorr identification scheme is secure
    • See proof of Theorem 13.11 in Katz/Lindell

Fiat-Shamir Transform

  • Popular technique to convert interactive protocols into non-interactive cryptographic schemes

  • Uniformly chosen challenges in the interactive protocol \rightarrow replaced by a cryptographic hash of the transcript values up to that point

  • Identification schemes can be converted to signature schemes by including the message in the hashed transcript

Schnorr Signature Scheme

  • Idea

    • The signer acts as a prover, running the identification protocol by itself
    • Replaces the random challenge r with a hash of the message and I
  • \textsf{Gen}: Run \mathcal{G}(1^n) to obtain (G,q,g), choose uniform x \in \mathbb{Z}_q, and set y \coloneqq g^x. The public key is (G,q,g,y) and the private key is x. A hash function H : \{0,1\}^* \mapsto \mathbb{Z}_q is chosen.

  • \textsf{Sign}: On input private key x and message m \in \{0,1\}^*, choose uniform k \in \mathbb{Z}_q and set I \coloneqq g^k. Then compute r \coloneqq H(I,m) and s \coloneqq [rx+k] \bmod q. Output the signature (r,s).

  • \textsf{Vrfy}: On input public key pk, a message m, and a signature (r,s), compute I \coloneqq g^s \cdot y^{-r} and output 1 if and only if H(I,m) = r
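The Schnorr signature scheme above, together with the two facts used in the identification-scheme security argument (transcripts can be simulated from y alone, and two correct responses to different challenges on the same I reveal x), as an added worked example that is not code from the lecture. It assumes a toy, constructed prime-order subgroup of \mathbb{Z}_P^* and takes H to be SHA-256 of (I, m) reduced mod q.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration; far too small for real use):
# G is the order-Q subgroup of Z_P^* generated by G_GEN, with P = 2Q + 1 both prime.
P, Q, G_GEN = 1019, 509, 4   # 4 = 2^2 is a square mod P, so it has order Q

def hash_to_zq(I: int, m: bytes) -> int:
    """H : {0,1}^* -> Z_q, assumed here to be SHA-256(I || m) reduced mod Q."""
    return int.from_bytes(hashlib.sha256(I.to_bytes(8, "big") + m).digest(), "big") % Q

def gen():
    """Gen: uniform private key x in Z_q, public key y = g^x."""
    x = secrets.randbelow(Q)
    return pow(G_GEN, x, P), x

def sign(x: int, m: bytes, k=None):
    """Sign: the signer plays the prover; the challenge is r = H(I, m) (Fiat-Shamir)."""
    if k is None:
        k = secrets.randbelow(Q)          # must be uniform and fresh for every signature
    I = pow(G_GEN, k, P)
    r = hash_to_zq(I, m)
    return r, (r * x + k) % Q

def verify(y: int, m: bytes, sig) -> bool:
    """Vrfy: recompute I = g^s * y^{-r} and check H(I, m) = r."""
    r, s = sig
    return hash_to_zq(pow(G_GEN, s, P) * pow(y, -r, P) % P, m) == r

def simulate_transcript(y: int):
    """Anyone can produce an accepting identification transcript (I, r, s) from y alone."""
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G_GEN, s, P) * pow(y, -r, P) % P, r, s

def transcript_accepts(y: int, I: int, r: int, s: int) -> bool:
    return pow(G_GEN, s, P) * pow(y, -r, P) % P == I      # verifier's check g^s * y^{-r} = I

def extract_secret(r1, s1, r2, s2) -> int:
    """Two correct responses to different challenges on the same I reveal x:
    s_i = r_i*x + k (mod q)  =>  x = (s1 - s2) * (r1 - r2)^{-1} mod q."""
    return (s1 - s2) * pow((r1 - r2) % Q, -1, Q) % Q

def nonce_reuse_demo(x: int, k: int, m1: bytes, m2: bytes):
    """Reusing k for two messages recreates the extractor's situation (same I, two
    challenges). Returns the recovered x, or None if the two challenges coincide."""
    r1, s1 = sign(x, m1, k)
    r2, s2 = sign(x, m2, k)
    return None if r1 == r2 else extract_secret(r1, s1, r2, s2)
```

The last function is why Sign must draw a fresh uniform k every time: the extractor in the proof is exactly what a verifier who sees two signatures with the same I can run.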

Security of Schnorr Signatures

  • Theorem: Let \Pi be the Schnorr identification scheme, and let \Pi' be the signature scheme that results by applying the Fiat-Shamir transform to it.

    If \Pi is secure and H is modeled as a random oracle, then \Pi' is secure.

Certificates and Public-Key Infrastructure

How to distribute public keys?

  • Public-key cryptography can be used only once public keys have been securely distributed

  • Digital signatures are used to securely distribute public keys

  • Users have to trust one public key first, which can then authenticate other public keys

  • The “first” public keys can be embedded in browsers or operating systems

Digital Certificates

  • A signature binding an entity to a public key
  • Suppose Charlie has a key-pair (pk_C, sk_C)
  • Charlie knows that pk_B is Bob’s public key
  • Charlie can generate a digital certificate as \textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B "\right)

Using Digital Certificates

  • Suppose Bob wants to communicate with Alice
  • Alice knows Charlie’s public key pk_C
  • Bob sends (pk_B, \textsf{cert}_{C \rightarrow B}) to Alice
  • If Alice trusts Charlie, she will accept pk_B as Bob’s public key
  • Charlie is called a certificate authority (CA)

Certificates Cannot Be Forever

  • Certificates may need to be revoked

    • An employee who was issued a certificate may quit the company
    • A private key might be stolen
  • One solution is to include an expiry date in the signed message: \textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B ", \text{date}\right)

  • This involves a delay: a certificate that should be revoked remains valid until its expiry date

Certificate Revocation Lists

  • CAs can explicitly revoke a certificate

  • The CA includes a serial number in every certificate it issues: \textsf{cert}_{C \rightarrow B} = \textsf{Sign}_{sk_C} \left(``\text{Bob's key is } pk_B ", \texttt{\#\#\#}\right)

  • To revoke a certificate, the CA adds its serial number to a certificate revocation list (CRL) and signs the list together with the current date

  • The signed CRL is widely distributed by the CA

  • Certificate verification now involves

    • Checking that the signature in the certificate is valid
    • Checking that the serial number does not appear in the latest CRL
    • Checking the signature on the CRL itself

Further Reading

  • Sections 13.1, 13.2, 13.4, 13.5, 13.6 of Katz & Lindell
  • Section 6.5 of Katz & Lindell