Digital signatures allow a document to be signed by a secret key holder and verified by anyone with the public verification key. A digital signature scheme (DSS) consists of key generation, signing, and verification algorithms. DSS provides correctness, meaning signatures can be verified, and unforgeability, meaning an adversary cannot generate valid signatures for unsigned messages. Message authentication codes (MACs) are similar but do not provide non-repudiation like signatures since anyone can generate MACs given the secret key. The RSA and Schnorr signature schemes are examples of DSS that are based on computational hardness assumptions like factoring or discrete logarithms.
2. What is a digital signature
โข A digital signature allows the holder of the secret key (the signing key)
to sign a document
โข Everyone who knows the verification key can verify that the signature
is valid (correctness)
โข No one can forge a signature even given the verification key even
though he is given a signature
6. Mac forgery game
M โ {}
๐โฒ
๐กโฒ
k โ๐ 0,1 ๐
(๐, ๐ก)
Wins if
โข ๐ โ ๐
โข ๐ฃ๐๐๐๐๐ฆ ๐, ๐ก = 1
๐กโฒ โ ๐๐๐๐(๐โฒ)
M โ ๐ โช {๐โฒ} Repeat as many times
as the adversary wants
7. Signature forgery game
M โ {}
๐โฒ
๐ ๐๐โฒ
๐ ๐, ๐ฃ๐ โ ๐บ๐๐(1๐
)
(๐, ๐ ๐๐)
Wins if
โข ๐ โ ๐
โข ๐๐๐๐๐๐ฆ๐ฃ๐ ๐, ๐ ๐๐ = 1
๐ ๐๐โฒ โ ๐๐๐๐๐ ๐(๐โฒ)
M โ ๐ โช {๐โฒ} Repeat as many times
as the adversary wants
๐ฃ๐
8. Definition of signature scheme
โข Correctness:
โข Pr ๐๐๐๐ฃ๐ ๐, ๐๐๐๐๐ ๐ ๐ = 1 ๐ ๐, ๐ฃ๐ โ ๐บ๐๐ 1๐ = 1
โข Unforgeability
โข For all PPT adversary ๐ด, there exists negligible function ๐,
โข Pr ๐ด ๐ค๐๐๐ ๐กโ๐ ๐ ๐๐๐๐๐ก๐ข๐๐ ๐๐๐๐๐๐๐ฆ ๐๐๐๐ โค ๐(๐)
9. Relation between macs and signatures
โข Every signature scheme is a message authentication code.
โข A mac scheme is not necessarily a signature.
โข Without the key, it may be impossible to verify a mac.
10. Signatures are expensive
โข They require public-key operations for each signature you wish to do.
โข Hash functions are relatively cheap
11. Hash and sign
โข Let (๐บ๐๐โฒ, ๐๐๐๐โฒ, ๐๐๐๐๐๐ฆโฒ) be a signature scheme and let ๐ป be a
collision resistant hash function, then the following
โข ๐บ๐๐ 1๐ โ ๐บ๐๐โฒ 1๐
โข ๐๐๐๐๐ ๐ ๐ โ ๐๐๐๐๐ ๐
โฒ
(๐ป ๐ )
โข ๐๐๐๐๐๐ฆ๐ฃ๐ ๐, ๐ ๐๐ โ ๐๐๐๐๐๐ฆ๐ฃ๐
โฒ
๐ป ๐ , ๐ ๐๐ = 1
12. Security of hash and sign
โข Let (๐บ๐๐โฒ, ๐๐๐๐โฒ, ๐๐๐๐๐๐ฆโฒ) be a signature scheme and let ๐ป be a collision resistant hash function, then the
following
โข ๐บ๐๐ 1๐
โ ๐บ๐๐โฒ
1๐
โข ๐๐๐๐๐ ๐ ๐ โ ๐๐๐๐๐ ๐
โฒ
(๐ป ๐ )
โข ๐๐๐๐๐๐ฆ๐ ๐ ๐, ๐ ๐๐ โ ๐๐๐๐๐๐ฆโฒ
๐ป ๐ , ๐ ๐๐ = 1
โข Essentially the same proof as hash and mac
โข Breaking security of this scheme means
โข Finding a collision
โข Finding a signature on an unsigned message
13. Interesting property of plaintext RSA
โข ๐ ๐, ๐๐ โ ๐พ๐๐ฆ๐บ๐๐ 1๐ โ ๐ธ๐๐๐๐ ๐ท๐๐๐ ๐ ๐ = ๐
โข Due to the fact that ๐๐ ๐ = ๐๐ ๐
= ๐๐๐