Signatures, etc.

Network Security

Gene Itkis

Signature scheme: Formal definition

• Key Generation:

GenGen(1k) PK, SK

• Signing: SignSign(SK, M) sig

• Verifying:

VerVer(PK, M,sig) “valid” or “invalid”

Example: RSA

• Key Generation:– GenGen(1k) PK=(N, e), SK=(N, d)

• d = e-1 mod φ(N) (zd mod N)e mod N ＝ z

• Signing:

– SignSign(SK, M) s = hash(M) d mod N

• Verifying:

– VerVer(PK, M, s): test “se mod N = hash(M)”

Example: Fiat-Shamir (modified)

• First: Zero-Knowledge Identification Protocol– Players: Prover P & Verifier V– Public (both V & P know): NN, II– Secret (only P knows): s, such that ss2 2 mod N = mod N = II – Production Center Secret: p & q, such that N = pq

• Allows Production Center to support many Provers with the same N

– Generate s for any II

Fiat-Shamir (cont.)

P P (user) V V (e.g., system)s

r R Z*N;

x r2 modNx

q = 0 1

z=rz=rs modN

check:z2 x (modN)

z2 xII (modN)[z2 xIIqq (modN)]

N, II

Rep

eat

k ti

mes

zrsq modN

Fiat-Shamir (cont.)

• Proof (of PP knowing s)– after k rounds the probability of mistake (i.e. PP

cheating without being caught) is (1/2)k

• Zero-Knowledge– if query is known in advance:

• for query=0, select r, and x=r2 mod N

• for query=1, select z, and x=z2II mod N

(z “pretends” to be rs mod N)

Security of Fiat-Shamir

Relies on

• hardness of factoring:• an algorithm “cracking” Fiat-Shamir

yields an algorithm for factoring N

• randomness: • of r for Zero-Knowledge• of query - to prevent PP from cheating

ZKP Identification Signature• Idea:

P P (user) V V (e.g., system){si

}r R Z*N;

x r2 modNx

{qi}

check:z2 x Πi IIii

qi (modN)

N, {IIii}}

zrΠi siqi modN

Hash (M,II,x,…)

Exercise

• Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)

Signature scheme: Formal definition

• Key Generation:

GenGen(1k) PK, SK

• Signing: SignSign(SK, M) sig

• Verifying:

VerVer(PK, M,sig) “valid” or “invalid”

Signature scheme: Security definition (intuitive)

• Correct:

GenGen(1k) {PK, SK}

SignSign(SK, M) sig

Secure:

Infeasible to compute valid M, sig without SK Even given signatures on messages of her choice,

adversary cannot forge signatures on new messages

Goal: Goal: Non-RepudiationNon-RepudiationIf Sam signed M he cannot later deny this fact

VerVer(PK, M,sig) “valid”

Repudiation 1

• Attack – Fake PK

• Defense– Certification, PKI

• Not 100%, but hopefully “good enough”– 100% impossible

Repudiation 2

• Stolen SK

– Repudiation: fake stolen SK

• Problem: keys do get lost or stolen– People lose laptops/PDAs/cell phones– Hackers break into computers– …

Defenses

• Post-mortem:– PKI Certificate Revocation

• Expensive, Slow, …

• Prevention?– Group Signatures (key sharing)

• Threshold signatures

– Forward security, Intrusion-Resilience