Signature Schemes - PowerPoint PPT Presentation

Slides: 39
Provided by: xwi1
1
Signature Schemes
  • (Part II)

2
Outline
  • 1 Introduction
  • 2 Security Requirements for Signature Schemes
  • 3 The ElGamal Signature Scheme
  • 4 Variants of the ElGamal Signature Scheme
  • The Schnorr Signature Scheme
  • The Digital Signature Algorithm
  • The Elliptic Curve DSA
  • 5 Signatures with additional functionality
  • Blind Signatures
  • Undeniable Signatures
  • Fail-stop Signatures

3
4 Variants of the ElGamal Signature Scheme
  • (1) Schnorr Signature Scheme
  • Proposed in 1989
  • Greatly reduced the signature size
  • (2) Digital Signature Algorithm (DSA)
  • Proposed in 1991
  • Was adopted as a standard on December 1, 1994
  • (3) Elliptic Curve DSA (ECDSA)
  • FIPS 186-2 in 2000

4
(1) Schnorr Signature Scheme
  • Let $p$ be a prime such that the DL problem in $\mathbb{Z}_p$
    is intractable, and let $q$ be a prime that divides
    $p-1$. Let $\alpha$ be a $q$th root of 1 modulo $p$.
  • Define $K = \{(p,q,\alpha,a,\beta) : \beta \equiv \alpha^{a} \pmod p\}$
  • $p, q, \alpha, \beta$ are the public key, $a$ is private

5
  • For a (secret) random number k, define
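  • $\mathrm{sig}(x,k) = (\gamma,\delta)$, where
  • $\gamma = \mathrm{hash}(x \parallel \alpha^{k})$ and $\delta = k + a\gamma \bmod q$
  • For a message $(x,(\gamma,\delta))$, verification is done by
    performing the following computations
  • $\mathrm{ver}(x,(\gamma,\delta)) = \text{true}$ iff $\mathrm{hash}(x \parallel \alpha^{\delta}\beta^{-\gamma}) = \gamma$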

6
  • If the signature was constructed correctly, the
    verification will succeed since
  • $\alpha^{\delta}\beta^{-\gamma} \equiv \alpha^{k+a\gamma}\alpha^{-a\gamma} \equiv \alpha^{k} \pmod p$

7
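  • (Schnorr Signature Scheme Example)
  • We take $q = 101$, $p = 78q + 1 = 7879$, $\alpha = 170$, $a = 75$, then
  • $\beta = 170^{75} \bmod 7879 = 4567$
  • To sign the message $m = 15$, Alice selects $k = 50$
  • Then $\gamma = \mathrm{hash}(15 \parallel 170^{50})$,
  • $\delta = 50 + 75\gamma \bmod 101$
  • $(15,(\gamma,\delta))$ is the signed message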

8
(2) Digital Signature Algorithm
$L \equiv 0 \pmod{64}$, $512 \le L \le 1024$
  • Let $p$ be an $L$-bit prime such that the DL problem
    in $\mathbb{Z}_p$ is intractable, and let $q$ be a 160-bit
    prime that divides $p-1$. Let $\alpha$ be a $q$th root of 1
    modulo $p$.
  • Define $K = \{(p,q,\alpha,a,\beta) : \beta \equiv \alpha^{a} \pmod p\}$
  • $p, q, \alpha, \beta$ are the public key, $a$ is private

9
  • For a (secret) random number k, define
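  • $\mathrm{sig}(x,k) = (\gamma,\delta)$, where
  • $\gamma = (\alpha^{k} \bmod p) \bmod q$ and
  • $\delta = (\text{SHA-1}(x) + a\gamma)\,k^{-1} \bmod q$
  • For a message $(x,(\gamma,\delta))$, verification is done by
    performing the following computations
  • $e_1 = \text{SHA-1}(x)\,\delta^{-1} \bmod q$
  • $e_2 = \gamma\,\delta^{-1} \bmod q$
  • $\mathrm{ver}(x,(\gamma,\delta)) = \text{true}$ iff $(\alpha^{e_1}\beta^{e_2} \bmod p) \bmod q = \gamma$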

10
  • Notice that verification requires computing
  • $e_1 = \text{SHA-1}(x)\,\delta^{-1} \bmod q$
  • $e_2 = \gamma\,\delta^{-1} \bmod q$
  • When $\delta = 0$ (it is possible!), $\delta^{-1}$ does not exist, so
    Alice should construct a new signature with a new $k$

11
(DSA Example)
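  • Take $q = 101$, $p = 78q + 1 = 7879$, $\alpha = 170$, $a = 75$
  • then $\beta = 4567$
  • To sign the message with $\text{SHA-1}(x) = 22$, Alice selects
    $k = 50$
  • Then $\gamma = (170^{50} \bmod 7879) \bmod 101 = 94$,
  • $\delta = (22 + 75 \cdot 94) \cdot 50^{-1} \bmod 101 = 97$
  • $(x,(94,97))$ is the signed message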

12
  • The signature $(94,97)$ on the message digest 22
    can be verified by the following computations
  • $\delta^{-1} = 97^{-1} \bmod 101 = 25$
  • $e_1 = 22 \cdot 25 \bmod 101 = 45$
  • $e_2 = 94 \cdot 25 \bmod 101 = 27$
  • $(170^{45} \cdot 4567^{27} \bmod 7879) \bmod 101 = 94 = \gamma$

13
(3) Elliptic Curve DSA
  • Let $p$ be a prime or a power of two, and let $E$ be
    an elliptic curve defined over $\mathbb{F}_p$. Let $A$ be a
    point on $E$ having prime order $q$, such that the DL
    problem in $\langle A \rangle$ is infeasible.
  • Define $K = \{(p,q,E,A,m,B) : B = mA\}$
  • $p, q, E, A, B$ are the public key, $m$ is private

14
  • For a (secret) random number $k$, define
    $\mathrm{sig}(x,k) = (r,s)$,
  • where $kA = (u,v)$, $r = u \bmod q$ and
  • $s = k^{-1}(\text{SHA-1}(x) + mr) \bmod q$
  • For a message $(x,(r,s))$, verification is done by
    performing the following computations
  • $i = \text{SHA-1}(x)\,s^{-1} \bmod q$
  • $j = r\,s^{-1} \bmod q$
  • $(u,v) = iA + jB$
  • $\mathrm{ver}(x,(r,s)) = \text{true}$ if and only if $u \bmod q = r$

15
5 Signatures with additional functionality
  • (1) Blind signature schemes (1983)
  • (2) Undeniable signature schemes (1989)
  • (3) Fail-stop signature schemes (1992)

16
(1) Blind signature schemes
  • A sends a piece of information to B which B signs
    and returns to A. From this signature, A can
    compute B's signature on an a priori message x of
    A's choice (B is a signer here!)
  • B knows neither the message x nor the signature
    associated with it

17
  • Chaum's blind signature protocol (1983)
  • (A is a sender and B is a signer, $(n,e)$ is the RSA
    public key of B and $d$ is the RSA private key of B)
  • 1. A randomly selects a secret integer $k$
  • 2. A computes $x' = x k^{e} \bmod n$ and sends it to B
  • 3. B computes $y' = (x')^{d} \bmod n$ and sends it to A
  • 4. A computes $y = k^{-1} y' \bmod n$, which is B's
    signature on $x$
  • (Note: the signer B does not know $(x,y)$, but $(x,y)$
    is a message signed by B.)
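
The four protocol steps above, as added Python (not part of the original slides). The RSA primes 61 and 53, the exponent 17 and all function names are constructed for illustration; `explaining_k` is an extra helper showing that, from B's side, every candidate message is explained equally well by some blinding factor, which is why B learns nothing about x.

```python
import math
import secrets

# Constructed toy RSA key for signer B (far too small for real use).
P, Q = 61, 53
n, e = P * Q, 17
d = pow(e, -1, (P - 1) * (Q - 1))     # B's private exponent


def blind(x):
    """Steps 1-2 (A): pick secret k coprime to n, return (x * k^e mod n, k)."""
    while True:
        k = 2 + secrets.randbelow(n - 2)
        if math.gcd(k, n) == 1:
            return x * pow(k, e, n) % n, k


def sign_blinded(x_blind):
    """Step 3 (B): ordinary RSA signing of whatever value arrives."""
    return pow(x_blind, d, n)


def unblind(y_blind, k):
    """Step 4 (A): strip the blinding factor to get B's signature on x."""
    return y_blind * pow(k, -1, n) % n


def explaining_k(x_blind, candidate_x):
    """B's view: the k that would make candidate_x the blinded message."""
    return pow(x_blind * pow(candidate_x, -1, n) % n, d, n)
```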

18
  • (An application of the blind signature)
  • The sender A (the customer) does not want the
    signer B (the bank) to know a message x and its
    signature y. This may be important in e-cash
    applications where a message x might represent a
    monetary value which A can spend. When x and y
    are presented to B for payment, B is unable to
    deduce which party was originally given the
    signed value. This allows A to remain anonymous
    so that spending patterns cannot be monitored.

19
(2) Undeniable Signatures
  • A signature can not be verified without the
    cooperation of the signer
  • First introduced by Chaum and van Antwerpen in
    1989
  • Protects Alice against the possibility that
    documents signed by her are duplicated and
    distributed electronically without her approval

20
  • Since a signature must be verified with the
    cooperation of the signer, it is possible for a
    signer
  • to maliciously disavow a signature that he signed
    previously
  • An undeniable signature scheme should consist of
    a disavowal protocol between the verifier B and
    the signer A, such that
  • For a signature which is not signed by A, B will
    recognize it as a forgery
  • For a signature which is signed by A, A can fool
    B into recognizing it as a forgery only with very low
    probability

21
  • (An application of the undeniable signature)
  • A large corporation A creates a software package.
    A signs the package and sells it to B, who
    decides to make copies of this package and resell
    it to a third party C. C is unable to verify the
    authenticity of the software without the
    cooperation of A

22
  • Chaum-van Antwerpen undeniable signature scheme
  • Let $p = 2q + 1$ be a prime such that $q$ is prime
  • and the DL problem in $\mathbb{Z}_p$ is intractable.
  • Let $\alpha$ be an element of order $q$. Define
  • $K = \{(p,\alpha,a,\beta) : \beta \equiv \alpha^{a} \pmod p\}$
  • 1. Signing algorithm
  • To sign a message $x$, Alice computes
  • $y = \mathrm{sig}(x) = x^{a} \bmod p$

23
  • 2. Verification protocol
  • Bob chooses $e_1, e_2$ from $\mathbb{Z}_q$ randomly
  • Bob computes $c = y^{e_1}\beta^{e_2} \bmod p$ and sends it to Alice
  • Alice computes $d = c^{\,a^{-1} \bmod q} \bmod p$ and sends it to
    Bob
  • Bob accepts $y$ as a valid signature if and only if
  • $d \equiv x^{e_1}\alpha^{e_2} \pmod p$

24
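  • (Diagram: Signer and Verifier; the Verifier holds message $x$, signature $y$)
  • Verifier to Signer: $c = y^{e_1}\beta^{e_2} \bmod p$
  • Signer to Verifier: $d = c^{\,a^{-1} \bmod q} \bmod p$
  • Verifier checks: $d \stackrel{?}{\equiv} x^{e_1}\alpha^{e_2} \pmod p$
  • Two possibilities if the check fails
  • y is not a valid signature of x
  • y is the signature of x, she is fooling me by
    sending garbled d to me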

25
  • (Correctness of the signature protocol)
  • Bob will accept a valid signature, since if y is
    valid
  • $y \equiv x^{a} \pmod p$,
  • then
  • $c \equiv y^{e_1}\beta^{e_2} \equiv x^{a e_1}\alpha^{a e_2} \pmod p$
  • Hence
  • $d \equiv x^{e_1}\alpha^{e_2} \pmod p$
  • as desired

26
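  • (Diagram: Signer and Verifier, two challenge rounds)
  • Verifier: "I suspect that you are fooling me in order to disavow your
    signature on x"
  • Round 1: Verifier sends $c = y^{e_1}\beta^{e_2}$, Signer replies $d = (c)^{a^{-1}}$
  • Round 2: Verifier sends $c' = y^{e_1'}\beta^{e_2'}$, Signer replies $d' = (c')^{a^{-1}}$
  • Verifier checks $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1} \pmod p$
  • Verifier: "I blamed her wrongly, y is not signed by her"
  • Fact: if $y \not\equiv x^{a}$, then $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1}$ holds (Thm 7.4)

27
  • (Diagram: Signer and Verifier, two challenge rounds)
  • Round 1: Verifier sends $c = y^{e_1}\beta^{e_2}$, Signer replies $d = (c)^{a^{-1}}$
  • Round 2: Verifier sends $c' = y^{e_1'}\beta^{e_2'}$, Signer replies $d' = (c')^{a^{-1}}$
  • Fact: if $y \equiv x^{a}$, she can make $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1}$
    hold only with a very small probability $1/q$ (Thm 7.5)
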
28
  • 3. Disavowal protocol (1/3)
  • B selects random secret integers $e_1, e_2$,
    computes $c = y^{e_1}\beta^{e_2} \bmod p$, and sends $c$ to A
  • A computes $d = (c)^{a^{-1}} \bmod p$ and sends $d$ to B
  • If $d \equiv x^{e_1}\alpha^{e_2} \pmod p$, B concludes that
    y is a valid signature of x; otherwise go to the next
    step

29
  • Disavowal protocol (2/3)
  • B selects random secret integers $e_1', e_2'$,
    computes $c' = y^{e_1'}\beta^{e_2'} \bmod p$, and sends $c'$ to A
  • A computes $d' = (c')^{a^{-1}} \bmod p$ and sends $d'$ to B
  • If $d' \equiv x^{e_1'}\alpha^{e_2'} \pmod p$, B concludes that
    y is a valid signature of x; otherwise go to the next
    step

30
  • Disavowal protocol (3/3)
  • B checks $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1} \pmod p$; if it holds,
    he concludes that y is a forgery
  • Otherwise, he concludes that A is trying
    to disavow the signature

31
  • Fact: Let x be a message and suppose that y is
    A's (purported) signature on x
  • If y is a forgery, i.e., $y \not\equiv x^{a} \pmod p$, then
  • $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1} \pmod p$ holds
  • Suppose that y is indeed A's signature for x,
    i.e., $y \equiv x^{a} \pmod p$, then
  • $(d\alpha^{-e_2})^{e_1'} \equiv (d'\alpha^{-e_2'})^{e_1} \pmod p$ holds with probability
    $1/q$
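
The verification and disavowal protocols above, seen from the verifier's side, as added Python (not part of the original slides). The toy parameters p = 467, q = 233, α = 4, a = 101 are constructed; the second round's challenge and response are named f1, f2 and D in the code, and `respond` is a hypothetical callback that models whatever the signer sends back.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1.
q, p = 233, 467
alpha = 4                      # a square mod p, so it has prime order q
a = 101                        # Alice's private key
beta = pow(alpha, a, p)
a_inv = pow(a, -1, q)


def sign(x):
    return pow(x, a, p)


def honest(c):
    """Alice's prescribed response d = c^(a^-1 mod q) mod p."""
    return pow(c, a_inv, p)


def expected(x, e1, e2):
    return pow(x, e1, p) * pow(alpha, e2, p) % p


def disavowal(x, y, respond, challenges=None):
    """Bob's side of the two-round protocol; returns his conclusion."""
    e1, e2, f1, f2 = challenges or [1 + secrets.randbelow(q - 1) for _ in range(4)]
    d = respond(pow(y, e1, p) * pow(beta, e2, p) % p)      # round 1
    if d == expected(x, e1, e2):
        return "valid"
    D = respond(pow(y, f1, p) * pow(beta, f2, p) % p)      # round 2
    if D == expected(x, f1, f2):
        return "valid"
    # Consistency check: holds for any forgery answered honestly.
    lhs = pow(d * pow(alpha, -e2, p) % p, f1, p)
    rhs = pow(D * pow(alpha, -f2, p) % p, e1, p)
    return "forgery" if lhs == rhs else "signer is trying to disavow"
```

A signer who answers a challenge on her own valid signature with anything other than the prescribed response, for example by echoing c back via `lambda c: c`, fails the consistency check except with probability 1/q.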

32
(3) Fail-stop Signatures
  • In a fail-stop signature scheme, when Oscar is
    able to forge Alice's signature on a message,
    Alice will (with high probability) be able to
    prove that Oscar's signature is a forgery
  • A fail-stop signature scheme consists of a
    signing algorithm, a verification algorithm and a
    proof of forgery algorithm

33
  • Van Heyst and Pedersen scheme (1992)
  • (a one time signature scheme)
  • Let $p = 2q + 1$ be a prime such that $q$ is prime and
    the DL problem in $\mathbb{Z}_p$ is intractable. Let $\alpha$ be an
    element of order $q$. Let $1 \le a_0 \le q-1$ and define
    $\beta = \alpha^{a_0} \bmod p$.
  • The value of a0 is kept secret from everyone
  • The values $p, q, \alpha, \beta$ and $a_0$ are chosen by a trusted
    central authority

34
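  • A key has the form
  • $K = (\gamma_1,\gamma_2,a_1,a_2,b_1,b_2)$
  • where
  • $\gamma_1 = \alpha^{a_1}\beta^{a_2} \bmod p$
  • $\gamma_2 = \alpha^{b_1}\beta^{b_2} \bmod p$
  • $(\gamma_1,\gamma_2)$ is the public key and $(a_1,a_2,b_1,b_2)$ is
    private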

35
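  • To sign a message $x$,
  • $\mathrm{sig}(x) = (y_1,y_2)$
  • where
  • $y_1 = a_1 + x b_1 \bmod q$
  • $y_2 = a_2 + x b_2 \bmod q$
  • To verify a signed message $(x,(y_1,y_2))$
  • $\mathrm{ver}(x,(y_1,y_2)) = \text{true}$ iff $\gamma_1\gamma_2^{x} \equiv \alpha^{y_1}\beta^{y_2} \pmod p$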

36
  • Proof of forgery: the argument
  • If there is a signature $(y_1',y_2')$ on a message
    $x$ which verifies as signed by Alice, but
    actually was not signed by Alice, i.e.
  • $(y_1',y_2') \ne \mathrm{sig}(x)$
  • then Alice can calculate the secret $a_0$ which was
    not given to her
  • Alice shows $a_0$ to prove that she is innocent

37
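  • Proof of forgery: calculation of $a_0$
  • Since $(y_1',y_2')$ is a valid signature on $x$
  • $\gamma_1\gamma_2^{x} \equiv \alpha^{y_1'}\beta^{y_2'} \pmod p$
  • Alice can compute her own signature $(y_1,y_2)$ on
    $x$
  • $\gamma_1\gamma_2^{x} \equiv \alpha^{y_1}\beta^{y_2} \pmod p$
  • Hence
  • $\alpha^{y_1}\beta^{y_2} \equiv \alpha^{y_1'}\beta^{y_2'} \pmod p$
  • $\alpha^{y_1}\alpha^{a_0 y_2} \equiv \alpha^{y_1'}\alpha^{a_0 y_2'} \pmod p$

38
  • Thus
  • $y_1 + a_0 y_2 \equiv y_1' + a_0 y_2' \pmod q$
  • $a_0 \equiv (y_1 - y_1')(y_2' - y_2)^{-1} \pmod q$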

It is computable by Alice!
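
The proof-of-forgery calculation above, as added Python (not part of the original slides). The group p = 467, q = 233, α = 4, the authority's secret a0 = 57 and Alice's key values are constructed; the computationally unbounded forger is simulated by exhaustive search, which is only possible because the toy group is tiny.

```python
# Constructed toy parameters (far too small for real use): p = 2q + 1.
q, p, alpha = 233, 467, 4
a0 = 57                                  # authority's secret, never given to Alice
beta = pow(alpha, a0, p)

a1, a2, b1, b2 = 88, 19, 140, 201        # Alice's one-time private key
g1 = pow(alpha, a1, p) * pow(beta, a2, p) % p    # gamma_1
g2 = pow(alpha, b1, p) * pow(beta, b2, p) % p    # gamma_2


def sign(x):
    return (a1 + x * b1) % q, (a2 + x * b2) % q


def verify(x, y1, y2):
    return g1 * pow(g2, x, p) % p == pow(alpha, y1, p) * pow(beta, y2, p) % p


def forge(x, y2_forged):
    """Simulated unbounded forger: search for y1' so (y1', y2') verifies."""
    for y1_forged in range(q):
        if verify(x, y1_forged, y2_forged):
            return y1_forged, y2_forged
    return None


def prove_forgery(x, forged):
    """Alice recovers a0 from a verifying signature she did not produce."""
    y1, y2 = sign(x)
    y1f, y2f = forged
    if (y1f, y2f) == (y1, y2) or not verify(x, y1f, y2f):
        return None                       # nothing to prove
    candidate = (y1 - y1f) * pow((y2f - y2) % q, -1, q) % q
    # Anyone can check the proof against the public beta.
    return candidate if pow(alpha, candidate, p) == beta else None
```

`prove_forgery` never reads `a0`; it derives the value from the two signatures and confirms it against the public β, which is what lets a third party accept the proof.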