Lec8 - Digital Signature Sheng Zhong Digital Signature (1)...

Info iconThis preview shows pages 1–12. Sign up to view the full content.

View Full Document Right Arrow Icon
Digital Signature Sheng Zhong
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2 Digital Signature (1) Public-key-based technique for data integrity. A digital signature scheme is a tuple (PK, SK, M, S, KG, Sign, Verify). PK: Public key space (the set of all possible keys). SK: Private key space. M: Message space. S: Signature space.
Background image of page 2
3 Digital Signature (2) KG: {Positive Integer} → PK × SK. An efficient algorithm for key generation. Sign: SK × M → S. An efficient algorithm for signing. Verify: PK × M × S → {accept, reject}. An efficient algorithm for verifying signature on message.
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
4 Correctness Requirement We require that the signature generated by a private key can definitely be verified by the corresponding public key. For all output (pk, sk) of the key generation algorithm, for all message m, Verify(pk, m, Sign(sk, m))=accept.
Background image of page 4
5 Unforgeability Requirement We require that any adversary should not be able to forge a signature on any message. For all efficient algorithm A, for all message m, for public key pk distributed as in the output of the key generation algorithm, Pr[Verify(pk, m, A(pk, m))=accept]=negligible
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
6 RSA Signature (1) Key generation: Same as in the RSA cryptosystem. N=pq is an RSA modulus. ed=1 (mod Φ(N)). Public key: (N, e). Private key: (N, d). Signing: s=m d mod N. Note this looks like decryption in RSA cryptosystem.
Background image of page 6
7 RSA Signature (2) Verification: return accept if and only if m=s e mod N. This looks like encryption in RSA cryptosystem, right? Why is the scheme correct? Because s e = (m d ) e = m de =m (mod N).
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
8 Unforgeability Recall RSA is a trapdoor one-way function. Without knowing trapdoor d, it should be infeasible to find s such that s e =m (mod N). The above is equivalent to that it is hard to find s=m d (mod N). So the RSA signature is unforgeable in the very weak sense as we described.
Background image of page 8
9 Inadequacy of Simple Unforgeability The above unforgeability property only ensures that adversary can’t generate valid signature on any given message. Bad guy can’t show to people that you “have borrowed $1 million from him”. But it does not ensure that adversary can’t generate valid signature on random message. Bad guy might be able to show that you “have done something” (which you did not really do).
Background image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
10 Attack on RSA Adversary picks a random element s of the signature space. Adversary computes m=s e (mod N). Clearly, s is a valid signature on message m. Adversary can claim signer has done random things!
Background image of page 10
Countermeasure to the Attack We can modify the signing procedure by adding a hash: Signing: s=(H(m)) d mod N. Verification: Return accept if and only if
Background image of page 11

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 12
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 46

Lec8 - Digital Signature Sheng Zhong Digital Signature (1)...

This preview shows document pages 1 - 12. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online