From 162df3190c4e179ef968b0a467ddd4951faba336 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 24 Oct 2017 15:33:07 +0200 Subject: Notes on cryptography --- ss2017/cryptography/Notes17.txt | 194 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100644 ss2017/cryptography/Notes17.txt (limited to 'ss2017/cryptography/Notes17.txt') diff --git a/ss2017/cryptography/Notes17.txt b/ss2017/cryptography/Notes17.txt new file mode 100644 index 0000000..6a15827 --- /dev/null +++ b/ss2017/cryptography/Notes17.txt @@ -0,0 +1,194 @@ +17 Digital signatures +--------------------- + +Digital signatures are the public key analogues of message +authentication schemes (MAC). They allow a *signer* to authenticate a +message with their *private key* by producing a tag that can +subsequently be verified by anyone who has the corresponding public +key. Just as with MACs the tags are specific to the message being +signed. Changing the message in any way should invalidate the tag, +thus the "signature". Also no-one who is not in the possession of the +private key corresponding to the public key used for verification +should be able to produce a valid signature. + +Definition: a signature scheme is a triple Pi=(Gen,Sign,Vrfy) of ppt +algorithms where + +1. Gen(n) produces a public/private key-pair (pk,sk) + +2. The signing algorithm Sign takes a secret key and a message m and +produces a signature sigma<-Sign_sk(m). + +3. The (deterministic) verification algorithm Vrfy takes a public key, +a message m, and a signature sigma, and answers 1 or 0. If +sigma<-Sign_sk(m) then Vrfy_pk(m,sigma) must return 1. + +If Sign_pk is defined only for messages of length l(n) for some +function l() then we speak of a *fixed length* signature scheme. + +The signature scheme Pi=(Gen,Sign,Vrfy) is *secure* if the +success probability of the following experiment is negligible for any +ppt adversary A: + +Experiment Sig-forge_{A,Pi}(n): + +1. (pk,sk)<-Gen(n) + +2. A gets n, pk, and oracle access to Sign_sk(). The adversary then +outputs (sigma,m). Let Q be the sequence of questions to the oracle +posed so far, i.e. messages for which a signature has been requested. + +3. The outcome of the experiment is 1 iff Vrfy_pk(m,sigma)=1 and m is not in Q. + +End of definition. + +In KL our "secure" is called "existentially unforgeable under an adaptive +chosen-message attack" to differentiate from other, weaker notions of +security. + + +Insecure signature based on textbook RSA +- - - - - - - - - - - - - - - - - - - - - + +A naive attempt at defining a signature scheme based on RSA goes as +follows: + +Gen(n): (N,e,d)<-GenRSA(n);pk=(N,e);sk=(N,d) + output (pk,sk) + +Sign_{(N,d)}(m): + output m^d mod N + +Vrfy_{(N,e)}(m,sigma): + output 1 iff sigma^e = m (mod N) + +Clearly, verification of a valid signature succeeds but the scheme is +insecure for several reasons. First, if an adversary can choose an +arbitrary signature sigma first and then fabricate a corresponding +"message" as m=sigma^e mod N. Notice that Vrfy_{(N,e)}(m,sigma) +succeeds, so this adversary will win the experiment with certainty. + +Second, and perhaps more realistically, if the adversary would like to +get a signature on a previously fixed message m it could request +signatures sigma1 for random m1 and sigma2 for m2:=m/m1 (mod N). It is +then clear that sigma1*sigma2 mod N is a valid signature for the +original m. + + +Secure signatures with random oracles +- - - - - - - - - - - - - - - - - - - + +It is possible, but rather inefficient, to construct secure signature +schemes based on the RSA assumption and a collision-resistant hash +function, see KL12.6. In practice, one uses signature schemes based on +cryptographic hash functions which can only be proved secure in the +random oracle model. We thus modify our definition of secure signature +scheme to the effect that both parties now have access to a function +H:{0,1}^n->{0,1}^n which is selected uniformly at random at the +beginning of the experiment. + +In this situation we have the following signature scheme RSA-FDH +("full domain hash"). + +RSA-FDH: + +Gen(n): (N,e,d)<-GenRSA(n);pk=(N,e);sk=(N,d) + output (pk,sk) + +Sign_{(N,d)}(m): + output H(m)^d mod N + +Vrfy_{(N,e)}(m,sigma): + output 1 iff sigma^e = H(m) (mod N) + +In practice, the random oracle H() will be replaced by a cryptographic +hash function such as SHA-2 and the scheme is just like the +abovedescribed insecure one with the exception that the message is +hashed prior to signing. + +Let us see how this prevents the previous two attacks. Firstly, if the +attacker starts with arbitrary sigma then in order to fabricate a +corresponding message it would have to find m such that sigma^e=H(m) +(mod N) and thus for a given H()-value which it *can* compute, namely +sigma^e, find an inverse image, which is infeasible. + +Similarly, in order to perpetrate the other attack it would have to +fabricate for given m two values x and y so that H(x)*H(y)=H(m). +While this is infeasible for truly random H() and not possible with +current knowledge for SHA-2 it is not prevented by mere +collision-resistance. + +Theorem: If GenRSA() fulfills the RSA assumption then RSA-FDA is +secure in the random oracle model. + +Proof: Let A be an attacker in the Sig-forge_{A,RSA-FDA} +experiment. We may fix a polynomial q(n) bounding the queries of A to +H() and also assume that A first queries H(m) for any message for +which it requests a signature or which it finally outputs. We also +assume that A makes exactly q(n) queries. All this is done in order to +save a few case distinctions in the argument. We now build from A an +attacker A' against GenRSA() in the RSA-inv(n) experiment from Chapter +12 as follows. + +Attacker A' against GenRSA: + +Given N, e, y* = x^e mod N we (assuming the role of A') choose +j<-{1..q(n)} and forward the public key pk=(N,e) to A. + +When A makes its i-th query m_i to H() we answer as follows: + +If i=j we return y*. If m_i has been asked previously, i.e., if +m_i=m_j for some j