Digital signatures allow a document to be signed using a secret key so that the signature can be verified by anyone with the corresponding public key. A digital signature scheme (DSS) consists of key generation, signing, and verification algorithms. DSS provides correctness, meaning signatures can be verified, and unforgeability, meaning an adversary cannot generate valid signatures for unsigned messages. Message authentication codes (MACs) are similar but do not provide non-repudiation since anyone can generate valid MACs given the key. Common DSS include RSA signatures, which sign a hash of the message using the private key, and Schnorr signatures, which are based on discrete logarithm problems in groups.

1. Digital signatures
IUB BD

2. What is a digital signature
• A digital signature allows the holder of the secret key (the signing key)
to sign a document
• Everyone who knows the verification key can verify that the signature
is valid (correctness)
• No one can forge a signature even given the verification key even
though he is given a signature

3. Structure of digital signature
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}

4. Structure of digital signature scheme (DSS)
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
• Correctness
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚) = 1
• Unforgeability
• To be continued

5. DSS VS MAC
• 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘)
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔
• 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
• 𝐺𝑒𝑛 1𝑛 → 𝑘
• 𝑚𝑎𝑐𝑘 𝑚 → 𝑡
• v𝑒𝑟𝑘 𝑚, 𝑡 → {0,1}

6. Mac forgery game
M ← {}
𝑚′
𝑡′
k ∈𝑅 0,1 𝑠
(𝑚, 𝑡)
Wins if
• 𝑚 ∉ 𝑀
• 𝑣𝑒𝑟𝑖𝑓𝑦 𝑚, 𝑡 = 1
𝑡′ ← 𝑚𝑎𝑐𝑘(𝑚′)
M ← 𝑀 ∪ {𝑚′} Repeat as many times
as the adversary wants

7. Signature forgery game
M ← {}
𝑚′
𝑠𝑖𝑔′
𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛(1𝑠
)
(𝑚, 𝑠𝑖𝑔)
Wins if
• 𝑚 ∉ 𝑀
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 = 1
𝑠𝑖𝑔′ ← 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚′)
M ← 𝑀 ∪ {𝑚′} Repeat as many times
as the adversary wants
𝑣𝑘

8. Definition of signature scheme
• Correctness:
• Pr 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 1 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛 1𝑠 = 1
• Unforgeability
• For all PPT adversary 𝐴, there exists negligible function 𝜇,
• Pr 𝐴 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑠𝑖𝑔𝑛𝑎𝑡𝑢𝑟𝑒 𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑔𝑎𝑚𝑒 ≤ 𝜇(𝑛)

9. Relation between macs and signatures
• Every signature scheme is a message authentication code.
• A mac scheme is not necessarily a signature.
• Without the key, it may be impossible to verify a mac.

10. Signatures are expensive
• They require public-key operations for each signature you wish to do.
• Hash functions are relatively cheap

11. Hash and sign
• Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a
collision resistant hash function, then the following
• 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘
′
(𝐻 𝑚 )
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘
′
𝐻 𝑚 , 𝑠𝑖𝑔 = 1

12. Security of hash and sign
• Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the
following
• 𝐺𝑒𝑛 1𝑠
≔ 𝐺𝑒𝑛′
1𝑠
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘
′
(𝐻 𝑚 )
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑠𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦′
𝐻 𝑚 , 𝑠𝑖𝑔 = 1
• Essentially the same proof as hash and mac
• Breaking security of this scheme means
• Finding a collision
• Finding a signature on an unsigned message

13. Interesting property of plaintext RSA
• 𝑠𝑘, 𝑝𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛 1𝑠 ⇒ 𝐸𝑛𝑐𝑝𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚
• Due to the fact that 𝑚𝑒 𝑑 = 𝑚𝑑 𝑒
= 𝑚𝑒𝑑

14. RSA signature scheme
• Let (𝐾𝑒𝑦𝑔𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐) denote the RSA encryption scheme
• 𝐺𝑒𝑛 1𝑠 ≔ {𝑠𝑘 ← 𝑠𝑘′, 𝑣𝑘 ← 𝑝𝑘 ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 }
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝐸𝑛𝑐𝑣𝑘 𝑠𝑖𝑔 = 𝑚

15. Insecure RSA signature scheme
• 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 }
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚
• 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚𝑑 𝑒
= 𝑚𝑒⋅𝑑 = 𝑚

16. Secure RSA signature scheme
• Assumptions
• Random oracle 𝐻 (Hash function modeled as a random oracle
• 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are prime
• 𝐺𝑒𝑛 1𝑠
≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′
, 𝑝𝑘′
← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠
}
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚)
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐻 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚)
• 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) = (𝐻(𝑚))𝑑 𝑒
𝑚𝑜𝑑 𝑛
• (𝐻(𝑚))𝑑 𝑒
𝑚𝑜𝑑 𝑛 = 𝐻(𝑚)𝑒⋅𝑑 𝑚𝑜𝑑 𝜙(𝑛)
(𝑚𝑜𝑑 𝑛) = 𝐻(𝑚)

17. Schnorr signature scheme
• Based on
• Group G
• Generator 𝑔 for G
• Random oracle 𝐻
• Discrete logarithm

18. Schnorr signature scheme
• Requirement: Group 𝐺, 𝐺 = 𝑞, generator 𝑔, random oracle 𝐻
• 𝐺𝑒𝑛 1𝑠
• 𝑠𝑘 ∈𝑅 𝐺
• 𝑣𝑘 ← 𝑔𝑠𝑘
• 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘(𝑚, 𝑠𝑖𝑔)
• 𝑎, 𝑠 ← 𝑠𝑖𝑔
• u ← 𝑔𝑠 ⋅ 𝑣𝑘−𝑎
• Output 𝐻 𝑢, 𝑚 = 𝑎
• 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚
• 𝑏 ∈𝑅 𝑍|𝐺|
• 𝑢 ← 𝑔𝑏
• 𝑎 ← 𝐻(𝑢, 𝑚)
• 𝑠 ← 𝑎 ⋅ 𝑠𝑘 + 𝑏 (𝑚𝑜𝑑 𝑞)
• Output (𝑎, 𝑠)