--- tags: vaje, kirv, signatures hackmd: https://hackmd.io/o1tJDJoZRcmRIJAMgqMFyw plugins: mathjax --- # Cryptography and computer security - Tutorial 22.12.2020 --- ## Digital signatures ### "Textbook" RSA signature * Key generation: same as for RSA encryption * Signing: <i>$\sigma = m^d \bmod{n}$</i> * Verifying: <i>$m \stackrel{?}{\equiv} \sigma^e \pmod{n}$</i> ### ElGamal signature * Key generation: - Choose a large prime <i>$p$</i> and <i>$\alpha \in \mathbb{Z}_p^*$</i> such that <i>$\langle \alpha \rangle = \mathbb{Z}_p^*$</i> - Choose the **private key** <i>$a \stackrel{R}{\in} \mathbb{Z}_{p-1} \setminus \lbrace 0 \rbrace$</i> - Compute <i>$\beta = \alpha^a \bmod{p}$</i> - Publish <i>$(p, \alpha, \beta)$</i> as the **public key** * Signing $m \in \mathbb{Z}_{p-1}$: - Choose <i>$k \stackrel{R}{\in} \mathbb{Z}_{p-1} \setminus \lbrace 0 \rbrace$</i> - Compute <i>$\gamma = \alpha^k \bmod{p}$</i> and <i>$\delta = (m - a \gamma) k^{-1} \bmod{(p-1)}$</i> - If <i>$\gamma \equiv 0 \pmod{p-1}$</i> or <i>$\delta = 0$</i>, start over by choosing a new <i>$k$</i> - The **signature** is <i>$\sigma = (\gamma, \delta)$</i> * Verifying a signature <i>$\sigma = (\gamma, \delta) \in \mathbb{Z}_p^*$</i><i>${}\times \mathbb{Z}_{p-1}$</i> of a message <i>$m \in \mathbb{Z}_{p-1}$</i>: - Check that <i>$\alpha^m \equiv \beta^\gamma \gamma^\delta \pmod{p}$</i> ### DSA signature * Key generation: - Choose a 1024-bit prime <i>$p$</i> and <i>$\alpha \in \mathbb{Z}_p^*$</i> of order <i>$q$</i> a 160-bit prime - Choose the **private key** <i>$a \stackrel{R}{\in} \mathbb{Z}_q \setminus \lbrace 0 \rbrace$</i> - Compute <i>$\beta = \alpha^a \bmod{p}$</i> - Publish <i>$(p, q, \alpha, \beta)$</i> as the **public key** * Signing $m \in \mathbb{Z}_q$: - Choose <i>$k \stackrel{R}{\in} \mathbb{Z}_q \setminus \lbrace 0 \rbrace$</i> - Compute <i>$\gamma = (\alpha^k \bmod{p}) \bmod{q}$</i> and <i>$\delta = (m + a \gamma) k^{-1} \bmod{q}$</i> - If <i>$\gamma = 0$</i> or <i>$\delta = 0$</i>, start over by choosing a new <i>$k$</i> - The **signature** is <i>$\sigma = (\gamma, \delta)$</i> * Verifying a signature <i>$\sigma = (\gamma, \delta) \in (\mathbb{Z}_q)^*$</i> of a message <i>$m \in \mathbb{Z}_q$</i>: - Verify that <i>$\gamma, \delta \ne 0$</i> - Compute $\theta = \delta^{-1} \bmod{q}$ - Check that <i>$((\alpha^m \beta^\gamma)^\theta \bmod{p}) \bmod{q} = \gamma$</i> --- ### Attacks on digital signatures * **Universal forgery**: an adversary can forge a valid signature <i>$\sigma$</i> for any given message <i>$m$</i>. * **Selective forgery**: an adversary can forge a valid signature <i>$\sigma$</i> for a message <i>$m$</i> chosen by a challenger. * **Existential forgery**: an adversary can forge a valid message-signature pair <i>$(m, \sigma)$</i> which had not been previously produced by a legitimate signer. ### Attack models * **Key-only attack**: the adversary only has access to the public key. * **Known-message attack**: the adversary has access to a number of valid message-signature pairs <i>$(m_i, \sigma_i)$</i>. * **Chosen-message attack**: the attacker can obtain valid signatures <i>$\sigma_i$</i> for messages <i>$m_i$</i> of his own choice. --- ### Exercise 1 Show that the textbook RSA signature scheme is existentially forgeable under a key-only attack and a known-message attack, and universally forgeable under a chosen-message attack. Describe the easiest way to prevent these attacks. ---- * Existential forgery under a key-only attack: - the adversary knows <i>$n, e$</i> - cho ose <i>$\sigma \in \mathbb{Z}_n$</i> - compute <i>$m = \sigma^e \bmod{n}$</i> * Existential forgery under a known-message attack: - the adversary knows <i>$n, e$</i> and some <i>$(m_i, \sigma_i)$</i> - <i>$m = m_1 m_2 \bmod{n}$</i> - <i>$\sigma = \sigma_1 \sigma_2 \bmod{n}$</i> * Universal forgery under a chosen-message attack: - we want to obtain a signature for a message <i>$m$</i> - find <i>$m_1, m_2 \ne m$</i> such that <i>$m_1 m_2 \equiv m \pmod{n}$</i> - obtain signatures <i>$\sigma_1$</i>, <i>$\sigma_2$</i> of <i>$m_1$</i>, <i>$m_2$</i> - compute <i>$\sigma = \sigma_1 \sigma_2 \bmod{n}$</i> --- ### Exercise 2 - the reblocking problem Suppose that Alice wants to send Bob a signed and encrypted message <i>$m$</i>. She will use RSA for both signing and encrypting. She first uses her private key <i>$(n_A, d_A)$</i> to obtain the signature <i>$s = m^{d_A} \bmod{n_A}$</i>, and then uses Bob's public key <i>$(n_B, e_B)$</i> to obtain the ciphertext <i>$c = s^{e_B} \bmod{n_B}$</i>. She sends <i>$c$</i> to Bob, who then decrypts it with his private key <i>$(n_B, d_B)$</i> to obtain <i>$s' = c^{d_B} \bmod{n_B}$</i>, and finally recovers the message <i>$m' = s'^{e_A} \bmod{n_A}$</i> using Alice's public key <i>$(n_A, e_A)$</i>. Assuming that <i>$m$</i> has been chosen uniformly at random from <i>$\mathbb{Z}_{n_A}$</i>, what is the probability that <i>$m \ne m'$</i> - i.e., that Bob does not decrypt the message correctly? Compute the probability for <i>$n_A = 62894113$</i> and <i>$n_B = 55465219$</i>. How could this problem be mitigated? ---- $$ \begin{aligned} m' &= s'^{e_A} \bmod{n_A} \\ &= (c^{d_B} \bmod{n_B})^{e_A} \bmod{n_A} \\ &= ((s^{e_B} \bmod{n_B})^{d_B} \bmod{n_B})^{e_A} \bmod{n_A} \\ &= (((m^{d_A} \bmod{n_A})^{e_B} \bmod{n_B})^{d_B} \bmod{n_B})^{e_A} \bmod{n_A} \\ &= ((m^{d_A} \bmod{n_A}) \bmod{n_B})^{e_A} \bmod{n_A} \end{aligned} $$ * If $n_A < n_B$, everything will be OK. * If $n_A > n_B$: $m' \ne m$ with probability $1 - \frac{n_B}{n_A}$. Revised protocol: 1. Alice produces a signature $\sigma$ of $m$. 2. Alice encrypts $m \| \sigma$ to produce a ciphertext $c$ and sends it to Bob. 3. Bob decrypts the ciphertext $c$ to obtain the message $m'$ and signature $\sigma'$. 4. Bob verifies that $\sigma'$ is Alice's signature of $m'$. --- ### Exercise 3 Describe why the value <i>$\gamma \bmod{p-1}$</i> in the ElGamal signature scheme should not be <i>$0$</i>. ---- * If $\gamma \equiv 0 \pmod{p-1}$, then the private key is not used in signing. * If $\delta = 0$, then we can compute $a = m\gamma^{-1} \bmod{p-1}$. --- ### Exercise 4 Compare the ElGamal and DSA signature schemes. Does the difference in efficiency affect the security of DSA? ---- Assume $p$ is a 1024-bit prime, $q$ is 160-bit prime. * ElGamal signature: - signature length: $2048$ bits - signing: $O(\log^3 p) \approx 1024^3$ - verifying: $3 \cdot O(\log^3 p) \approx 3 \cdot 1024^3$ * DSA signature: - signature length: $320$ bits - signing: $O(\log^3 p) \approx 1024^3$ - verifying: $3 \cdot O(\log^3 p) \approx 3 \cdot 1024^3$ * Index calculus on $p$ is about as efficient as doing baby-step/giant-step algorithm in a subgroup of order $q$