dTA OF dIGITAL SIGNATURE

1. Digital signatures
IUB BD DHAKA

2. What is a digital signature
• A digital signature allows the holder of the secret key (the signing key)
to sign a document
• Everyone who knows the verification key can verify that the signature
is valid (correctness)
• No one can forge a signature even given the verification key even
though he is given a signature

3. Structure of digital signature
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}

4. Structure of digital signature scheme (DSS)
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
• Correctness
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚) = 1
• Unforgeability
• To be continued

5. DSS VS MAC
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
• 𝐺𝑒𝑛 1𝑛 → 𝑘
• 𝑚𝑎𝑐𝑘 𝑚 → 𝑡
• v𝑒𝑟𝑘 𝑚, 𝑡 → {0,1}

6. Mac forgery game
M ← {}
𝑚′
𝑡′
k ∈𝑅 0,1 𝑠
(𝑚, 𝑡)
Wins if
• 𝑚 ∉ 𝑀
• 𝑣𝑒𝑟𝑖𝑓𝑦 𝑚, 𝑡 = 1
𝑡′ ← 𝑚𝑎𝑐𝑘(𝑚′)
M ← 𝑀 ∪ {𝑚′} Repeat as many times
as the adversary wants

7. Signature forgery game
M ← {}
𝑚′
𝑠𝑖𝑔′
𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛(1𝑠
)
(𝑚, 𝑠𝑖𝑔)
Wins if
• 𝑚 ∉ 𝑀
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 = 1
𝑠𝑖𝑔′ ← 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚′)
M ← 𝑀 ∪ {𝑚′} Repeat as many times
as the adversary wants
𝑣𝑘

8. Definition of signature scheme
• Correctness:
• Pr 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 1 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛 1𝑠 = 1
• Unforgeability
• For all PPT adversary 𝐴, there exists negligible function 𝜇,
• Pr 𝐴 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑠𝑖𝑔𝑛𝑎𝑡𝑢𝑟𝑒 𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑔𝑎𝑚𝑒 ≤ 𝜇(𝑛)

9. Relation between macs and signatures
• Every signature scheme is a message authentication code.
• A mac scheme is not necessarily a signature.
• Without the key, it may be impossible to verify a mac.

10. Signatures are expensive
• They require public-key operations for each signature you wish to do.
• Hash functions are relatively cheap

11. Hash and sign
• Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a
collision resistant hash function, then the following
• 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘
′
(𝐻 𝑚 )
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘
′
𝐻 𝑚 , 𝑠𝑖𝑔 = 1

12. Security of hash and sign
• Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the
following
• 𝐺𝑒𝑛 1𝑠
≔ 𝐺𝑒𝑛′
1𝑠
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘
′
(𝐻 𝑚 )
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑠𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦′
𝐻 𝑚 , 𝑠𝑖𝑔 = 1
• Essentially the same proof as hash and mac
• Breaking security of this scheme means
• Finding a collision
• Finding a signature on an unsigned message

13. Interesting property of plaintext RSA
• 𝑠𝑘, 𝑝𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛 1𝑠 ⇒ 𝐸𝑛𝑐𝑝𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚
• Due to the fact that 𝑚𝑒 𝑑 = 𝑚𝑑 𝑒
= 𝑚𝑒𝑑

14. RSA signature scheme
• Let (𝐾𝑒𝑦𝑔𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐) denote the RSA encryption scheme
• 𝐺𝑒𝑛 1𝑠 ≔ {𝑠𝑘 ← 𝑠𝑘′, 𝑣𝑘 ← 𝑝𝑘 ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 }
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝐸𝑛𝑐𝑣𝑘 𝑠𝑖𝑔 = 𝑚

15. Insecure RSA signature scheme
• 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 }
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚𝑑 𝑒
= 𝑚𝑒⋅𝑑 = 𝑚

16. Secure RSA signature scheme
• Assumptions
• Random oracle 𝐻 (Hash function modeled as a random oracle
• 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are prime
• 𝐺𝑒𝑛 1𝑠
≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′
, 𝑝𝑘′
← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠
}
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚)
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐻 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚)
• 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) = (𝐻(𝑚))𝑑 𝑒
𝑚𝑜𝑑 𝑛
• (𝐻(𝑚))𝑑 𝑒
𝑚𝑜𝑑 𝑛 = 𝐻(𝑚)𝑒⋅𝑑 𝑚𝑜𝑑 𝜙(𝑛)
(𝑚𝑜𝑑 𝑛) = 𝐻(𝑚)

17. Schnorr signature scheme
• Based on
• Group G
• Generator 𝑔 for G
• Random oracle 𝐻
• Discrete logarithm

18. Schnorr signature scheme
• Requirement: Group 𝐺, 𝐺 = 𝑞, generator 𝑔, random oracle 𝐻
• 𝐺𝑒𝑛 1𝑠
• 𝑠𝑘 ∈𝑅 𝐺
• 𝑣𝑘 ← 𝑔𝑠𝑘
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘(𝑚, 𝑠𝑖𝑔)
• 𝑎, 𝑠 ← 𝑠𝑖𝑔
• u ← 𝑔𝑠 ⋅ 𝑣𝑘−𝑎
• Output 𝐻 𝑢, 𝑚 = 𝑎
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚
• 𝑏 ∈𝑅 𝑍|𝐺|
• 𝑢 ← 𝑔𝑏
• 𝑎 ← 𝐻(𝑢, 𝑚)
• 𝑠 ← 𝑎 ⋅ 𝑠𝑘 + 𝑏 (𝑚𝑜𝑑 𝑞)
• Output (𝑎, 𝑠)