Leo Reyzin. Notes for BU CAS CS 538.

9 Digital Signatures: Definition and First Constructions. Hashing.

9.1 Definition

First note that encryption provides no guarantee that a message is authentic. For example, if a message is encrypted with the one-time pad, the adversary can flip any of its bits by simply flipping the corresponding bit of the ciphertext. In any public-key encryption scheme there is no way to tell the source of a message, because the encryption key is public. Furthermore, in every encryption scheme we have studied so far the message can be modified in transit by the adversary. Thus encryption ensures secrecy, but it cannot help you figure out who a message came from or what it was really meant to say. We need digital signatures for that.

A digital signature scheme is a triple of probabilistic polynomial-time algorithms $(\mathrm{Gen}, \mathrm{Sig}, \mathrm{Ver})$. The key generation algorithm $\mathrm{Gen}$ outputs $(PK, SK)$ when given $1^k$ as input. The signing algorithm $\mathrm{Sig}$ takes $SK$ and $m$ as input and outputs a signature $\sigma$. The verification algorithm $\mathrm{Ver}$ takes $PK$, $m$, $\sigma$ as input and outputs 1 or 0 (or true/false, valid/invalid, etc.). We require that signatures produced by $\mathrm{Sig}$ verify as correct under $\mathrm{Ver}$: if $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$, then for all $m$, $\mathrm{Ver}(PK, m, \mathrm{Sig}(SK, m)) = 1$ (perhaps only with probability $1 - \eta(k)$ for a negligible function $\eta$). We may also restrict the message space to some set $M$, and instead of saying "for all $m$" say "for all $m \in M$."

The above description says nothing about security. Indeed, to define security one has to try a few examples to better understand the notion. Here is an example: suppose $\mathrm{Gen}$ generates an RSA pair $PK = (n, e)$, $SK = (n, d)$; to sign $m$, let $\sigma = m^d \bmod n$, and to verify $(m, \sigma)$, check whether $m = \sigma^e \bmod n$. We identified a few problems with this in class. If you have a signature $\sigma_1$ on $m_1$ and a signature $\sigma_2$ on $m_2$, you can compute $\sigma_1 \sigma_2 \bmod n$ to obtain a valid signature on $m_1 m_2 \bmod n$, since $(\sigma_1 \sigma_2)^e = \sigma_1^e \sigma_2^e = m_1 m_2 \pmod n$. Also, without observing any signatures at all, you can pick a random $\sigma \in \mathbb{Z}_n^*$ and compute $m = \sigma^e \bmod n$ to get a valid pair $(m, \sigma)$. Of course, $m$ may not be a meaningful message, but it is difficult to know in advance what will be "meaningful" for a particular application.

The definition we want is that the adversary be unable to come up with a signature on a new message (any message of the adversary's choice, a so-called "existential forgery"), even after observing signatures on other messages of its choice (a so-called "adaptive chosen-message attack"; adaptive because the choice of the next message may depend on the signatures received for previous messages). In other words, the adversary $E^?$ is a probabilistic polynomial-time oracle machine (we use the superscript "?" to denote the fact that the machine has access to an oracle; when running the machine $E$ with a specific oracle $f$ we write $E^f$, and we sometimes write $\cdot$ for the placeholder for an input to $f$ supplied by $E$, e.g., $E^{f(\cdot)}$). Consider the following experiment of running $E$ with an oracle for the signing function:

exp-forge$(k)$:
1. $(PK, SK) \leftarrow \mathrm{Gen}(1^k)$
2. $(m, \sigma) \leftarrow E^{\mathrm{Sig}_{SK}(\cdot)}(1^k, PK)$
3. If $m$ was not queried by $E$ to its oracle and $\mathrm{Ver}_{PK}(m, \sigma) = 1$, output 1. Else output 0.
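The experiment above, run against the textbook RSA scheme of this section, as an added example that is not part of the notes. The code implements Gen/Sig/Ver for "$\sigma = m^d \bmod n$", the exp-forge harness with a signing oracle that records queries, and the two forgers discussed in class (the multiplicative one and the one that never queries). It also goes one step beyond the page: a hash-then-sign variant is included as a contrast, to show both forgers failing once the message is hashed before signing. The fixed primes ($2^{127}-1$ and $2^{89}-1$), the exponent 65537, the constant $\sigma = 12345$, and the toy hash-to-$\mathbb{Z}_n$ are all assumptions of this example, chosen so that it runs deterministically offline; they are far too small for real use.

```python
"""exp-forge from the notes, run against textbook RSA and a hashed variant.

Added illustration, not code from the notes. Primes, exponent, the fixed
sigma, and the hash-to-Z_n are assumptions of this example.
"""
import hashlib

# Two Mersenne primes, fixed so the example is deterministic (assumption;
# far too small for real use).
P = (1 << 127) - 1
Q = (1 << 89) - 1
E = 65537


def gen():
    """Gen(1^k): return (PK, SK) = ((n, e), (n, d)) for the fixed primes."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # e*d = 1 (mod phi(n)); needs Python >= 3.8
    return (n, E), (n, d)


class TextbookRSA:
    """Sig(SK, m) = m^d mod n;  Ver(PK, m, s) = [m == s^e mod n]."""

    @staticmethod
    def sign(sk, m):
        n, d = sk
        return pow(m, d, n)

    @staticmethod
    def verify(pk, m, sig):
        n, e = pk
        return pow(sig, e, n) == m % n


def hash_to_zn(m, n):
    """Toy hash-to-Z_n (assumption): SHA-256 of the decimal message, mod n."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n


class HashedRSA:
    """Hash-then-sign contrast (assumed here): sign H(m) instead of m."""

    @staticmethod
    def sign(sk, m):
        n, d = sk
        return pow(hash_to_zn(m, n), d, n)

    @staticmethod
    def verify(pk, m, sig):
        n, e = pk
        return pow(sig, e, n) == hash_to_zn(m, n)


def exp_forge(scheme, forger):
    """1. (PK, SK) <- Gen(1^k)
    2. (m, sig) <- E^{Sig_SK(.)}(1^k, PK): forger gets PK and a signing oracle
    3. Output 1 iff m was never queried and Ver_PK(m, sig) = 1."""
    pk, sk = gen()
    queried = set()

    def oracle(m):
        queried.add(m)
        return scheme.sign(sk, m)

    m, sig = forger(pk, oracle)
    return 1 if (m not in queried and scheme.verify(pk, m, sig)) else 0


def multiplicative_forger(pk, oracle):
    """Ask for sigs on m1, m2; output (m1*m2 mod n, s1*s2 mod n)."""
    n, _ = pk
    m1, m2 = 2, 3
    s1, s2 = oracle(m1), oracle(m2)
    return (m1 * m2) % n, (s1 * s2) % n


def no_message_forger(pk, oracle):
    """Never queries: pick sigma in Z_n^* and set m = sigma^e mod n."""
    n, e = pk
    sigma = 12345  # any unit mod n; fixed for determinism (assumption)
    return pow(sigma, e, n), sigma


def run_all():
    """Outcome of exp-forge for each (scheme, forger) pair."""
    return {
        "textbook/multiplicative": exp_forge(TextbookRSA, multiplicative_forger),
        "textbook/no-message": exp_forge(TextbookRSA, no_message_forger),
        "hashed/multiplicative": exp_forge(HashedRSA, multiplicative_forger),
        "hashed/no-message": exp_forge(HashedRSA, no_message_forger),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"exp-forge({name}) = {result}")
```

Both forgers make exp-forge output 1 against textbook RSA: the multiplicative forger returns a valid signature on $m_1 m_2 = 6$, which it never queried, and the no-message forger returns a valid pair without querying at all. Against the hashed variant they output 0, because $H(m_1 m_2) \ne H(m_1)H(m_2) \bmod n$ and $\sigma^e \bmod n$ is a hash value for which the forger knows no preimage. Real deployments use a standardized encoding of the hash (RSA-PSS or the PKCS#1 v1.5 signature encoding) rather than this toy reduction mod $n$.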