This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this primitive. 12.1 Digital signature schemes A digital signature scheme is just like a message authentication scheme except for an asymmetry in the key structure. The key sk used to generate signatures (in this setting the tags are often called signatures) is different from the key pk used to verify signatures. Furthermore pk is public, in the sense that the adversary knows it too. So while only a signer in possession of the secret key can generate signatures, anyone in possession of the corresponding public key can verify the signatures. Definition 12.1.1 A digital signature scheme DS = ( K , Sign , VF) consists of three algorithms, as follows: • The randomized key generation algorithm K (takes no inputs and) returns a pair ( pk , sk ) of keys, the public key and matching secret key, respectively. We write ( pk , sk ) $ ← K for the operation of executing K and letting ( pk , sk ) be the pair of keys returned. • The signing algorithm Sign takes the secret key sk and a message M to return a signature (also sometimes called a tag ) σ ∈ { , 1 } ∗ ∪{⊥} . The algorithm may be randomized or stateful. We write σ $ ← Sign sk ( M ) or σ $ ← Sign( sk ,M ) for the operation of running Sign on inputs sk ,M and letting σ be the signature returned. • The deterministic verification algorithm VF takes a public key pk , a message M , and a candidate signature σ for M to return a bit. We write d ← VF pk ( M,σ ) or d ← VF( pk ,M,σ ) to denote the operation of running VF on inputs pk ,M,σ and letting d be the bit returned. We require that VF pk ( M,σ ) = 1 for any keypair ( pk , sk ) that might be output by K , any message M , and any σ negationslash = ⊥ that might be output by Sign sk ( M ). If Sign is stateless then we associate to each public key a message space Messages ( pk ) which is the set of all M for which Sign sk ( M ) never returns ⊥ . Let S be an entity that wants to have a digital signature capability. The first step is key generation: S runs K to generate a pair of keys ( pk , sk ) for itself. Note the key generation algorithm is run locally by S . Now, S can produce a digital signature on some document M ∈ Messages ( pk ) by 2 DIGITAL SIGNATURES running Sign sk ( M ) to return a signature σ . The pair ( M,σ ) is then the authenticated version of the document. Upon receiving a document M ′ and tag σ ′ purporting to be from S , a receiver B in possession of pk verifies the authenticity of the signature by using the specified verification proce dure, which depends on the message, signature, and public key. Namely he computes VF pk ( M ′ ,σ ′ ), whose value is a bit. If this value is 1, it is read as saying the data is authentic, and so B accepts it as coming from S . Else it discards the data as unauthentic.....
View
Full Document
 Winter '08
 daniele
 Cryptography, Cryptographic hash function, digital signatures, signature scheme

Click to edit the document details