# Lec8 - Digital Signature Sheng Zhong Digital Signature(1...

This preview shows pages 1–12. Sign up to view the full content.

Digital Signature Sheng Zhong

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
2 Digital Signature (1) Public-key-based technique for data integrity. A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify). PK: Public key space (the set of all possible keys). SK: Private key space. M: Message space. S: Signature space.
3 Digital Signature (2) KG: {Positive Integer} → PK × SK. An efficient algorithm for key generation. Sign: SK × M → S. An efficient algorithm for signing. Verify: PK × M × S → {accept, reject}. An efficient algorithm for verifying signature on message.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
4 Correctness Requirement We require that the signature generated by a private key can definitely be verified by the corresponding public key. For all output (pk, sk) of the key generation algorithm, for all message m, Verify(pk, m, Sign(sk, m))=accept.
5 Unforgeability Requirement We require that any adversary should not be able to forge a signature on any message. For all efficient algorithm A, for all message m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
6 RSA Signature (1) Key generation: Same as in the RSA cryptosystem. N=pq is an RSA modulus. ed=1 (mod Φ(N)). Public key: (N, e). Private key: (N, d). Signing: s=m d mod N. Note this looks like decryption in RSA cryptosystem.
7 RSA Signature (2) Verification: return accept if and only if m=s e mod N. This looks like encryption in RSA cryptosystem, right? Why is the scheme correct? Because s e = (m d ) e = m de =m (mod N).

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
8 Unforgeability Recall RSA is a trapdoor one-way function. Without knowing trapdoor d, it should be infeasible to find s such that s e =m (mod N). The above is equivalent to that it is hard to find s=m d (mod N). So the RSA signature is unforgeable in the very weak sense as we described.
9 Inadequacy of Simple Unforgeability The above unforgeability property only ensures that adversary can’t generate valid signature on any given message. Bad guy can’t show to people that you “have borrowed \$1 million from him”. But it does not ensure that adversary can’t generate valid signature on random message. Bad guy might be able to show that you “have done something” (which you did not really do).

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
10 Attack on RSA Adversary picks a random element s of the signature space. Adversary computes m=s e (mod N). Clearly, s is a valid signature on message m. Adversary can claim signer has done random things!
Countermeasure to the Attack We can modify the signing procedure by adding a hash: Signing: s=(H(m)) d mod N. Verification: Return accept if and only if

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### Page1 / 46

Lec8 - Digital Signature Sheng Zhong Digital Signature(1...

This preview shows document pages 1 - 12. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online