Signatures, etc.
Network Security
Gene Itkis
Signature scheme: Formal definition
• Key Generation: Gen(1^k) → PK, SK
• Signing: Sign(SK, M) → sig
• Verifying: Ver(PK, M, sig) → “valid” or “invalid”
Example: RSA
• Key Generation:
– Gen(1^k) → PK = (N, e), SK = (N, d)
– d = e^-1 mod φ(N), so that (z^d mod N)^e mod N = z
• Signing:
– Sign(SK, M) → s = hash(M)^d mod N
• Verifying:
– Ver(PK, M, s): test “s^e mod N = hash(M)”
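The RSA scheme on this slide, written out as an added example (not code from the lecture): Gen, Sign and Ver exactly as defined above, over constructed toy primes p = 61, q = 53 and e = 17 so the numbers can be checked by hand. The hash is reduced mod N only because the toy modulus is far smaller than a SHA-256 output; real RSA signatures use a large N and a padding scheme such as PSS rather than a bare hash.

```python
import hashlib
from math import gcd

# Constructed toy primes (illustration only); real RSA uses primes of 1024+ bits
# and a padding scheme such as PSS before exponentiation.
P, Q = 61, 53
E = 17

def gen(p=P, q=Q, e=E):
    """Gen(1^k) -> PK = (N, e), SK = (N, d), with d = e^-1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def h(msg: bytes, n: int) -> int:
    """hash(M) as an element of Z_N (reduced mod N only because N is tiny here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(sk, msg: bytes) -> int:
    """Sign(SK, M) -> s = hash(M)^d mod N."""
    n, d = sk
    return pow(h(msg, n), d, n)

def verify(pk, msg: bytes, sig: int) -> bool:
    """Ver(PK, M, s): test s^e mod N == hash(M)."""
    n, e = pk
    return pow(sig, e, n) == h(msg, n)

def rsa_roundtrip(z: int, pk, sk) -> bool:
    """(z^d mod N)^e mod N == z, the identity the slide relies on."""
    n, e = pk
    _, d = sk
    return pow(pow(z, d, n), e, n) == z % n

if __name__ == "__main__":
    pk, sk = gen()
    msg = b"transfer 10 to Bob"     # constructed sample message
    s = sign(sk, msg)
    print("PK =", pk, "SK =", sk, "sig =", s, "valid:", verify(pk, msg, s))
```

Because e-th roots mod N are unique, any signature other than hash(M)^d fails the check, which is what `verify` rejecting a changed `s` shows.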
Example: Fiat-Shamir (modified)
• First: Zero-Knowledge Identification Protocol
– Players: Prover P & Verifier V
– Public (both V & P know): N, I
– Secret (only P knows): s, such that s^2 mod N = I
– Production Center Secret: p & q, such that N = pq
• Allows Production Center to support many Provers with the same N
– Generate s for any I
Fiat-Shamir (cont.)
P (user), knows s                                  V (e.g., system), knows N, I
r ←R Z*_N; x = r^2 mod N          ──── x ────→
                                  ←──── q ────     q ∈ {0, 1}
z = r·s^q mod N                   ──── z ────→     check: z^2 ≡ x·I^q (mod N)
(q = 0: z = r;  q = 1: z = r·s mod N)              (q = 0: z^2 ≡ x;  q = 1: z^2 ≡ x·I (mod N))
Repeat k times
Fiat-Shamir (cont.)
• Proof (of P knowing s)
– after k rounds the probability of mistake (i.e. P cheating without being caught) is (1/2)^k
• Zero-Knowledge
– if query is known in advance:
• for query = 0, select r, and x = r^2 mod N
• for query = 1, select z, and x = z^2·I^-1 mod N
(z “pretends” to be r·s mod N)
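The identification protocol from the previous two slides, run end to end as an added example (not code from the lecture), over a constructed toy modulus N = 61·53. It contains the honest Prover, the Verifier's check z^2 ≡ x·I^q (mod N), a k-round `identify` loop with the query drawn at random each round, a `GuessingProver` that does not know s and therefore passes a round only when its advance guess of q is right (the source of the (1/2)^k bound), and the zero-knowledge `simulate` routine that produces an accepting transcript without s once the query is known in advance. Class and function names are my own.

```python
import secrets
from math import gcd

# Constructed toy modulus (illustration only).  Production-center secret: p, q.
# Public: N = p*q.  A real N has 2048+ bits.
P, Q = 61, 53
N = P * Q

def rand_unit(n: int) -> int:
    """Uniform element of Z*_N (r <-R Z*_N on the slide)."""
    while True:
        r = secrets.randbelow(n)
        if gcd(r, n) == 1:
            return r

def keygen(n: int = N):
    """Production center: secret s in Z*_N, public I = s^2 mod N."""
    s = rand_unit(n)
    return s, pow(s, 2, n)

def check(I: int, x: int, q: int, z: int, n: int = N) -> bool:
    """Verifier's test: z^2 == x * I^q (mod N)."""
    return pow(z, 2, n) == x * pow(I, q, n) % n

class Prover:
    """Honest P: knows s; commits x = r^2, answers z = r * s^q (mod N)."""
    def __init__(self, s: int, n: int = N):
        self.s, self.n = s, n
    def commit(self) -> int:
        self.r = rand_unit(self.n)
        return pow(self.r, 2, self.n)
    def respond(self, q: int) -> int:
        return self.r * pow(self.s, q, self.n) % self.n

class GuessingProver:
    """P without s: picks z first and guesses q.  Caught with probability 1/2 per
    round, so k independent rounds leave a (1/2)^k chance of passing."""
    def __init__(self, I: int, n: int = N):
        self.I, self.n = I, n
    def commit(self) -> int:
        self.guess = secrets.randbelow(2)
        self.z = rand_unit(self.n)
        # x = z^2 * I^(-guess): then z^2 == x * I^q holds only when q == guess
        inv_I = pow(self.I, -1, self.n)
        return pow(self.z, 2, self.n) * pow(inv_I, self.guess, self.n) % self.n
    def respond(self, q: int) -> int:
        return self.z

def identify(prover, I: int, k: int = 20, n: int = N) -> bool:
    """Run k rounds; the verifier draws a fresh random query each round and
    accepts only if every round checks out."""
    for _ in range(k):
        x = prover.commit()
        q = secrets.randbelow(2)          # randomness of the query matters here
        z = prover.respond(q)
        if not check(I, x, q, z, n):
            return False
    return True

def simulate(I: int, q: int, n: int = N):
    """ZK simulator: with the query known in advance, output an accepting (x, q, z)
    without s.  q = 0: pick r, x = r^2.  q = 1: pick z, x = z^2 * I^-1 (z 'pretends'
    to be r*s)."""
    if q == 0:
        r = rand_unit(n)
        return pow(r, 2, n), 0, r
    z = rand_unit(n)
    return pow(z, 2, n) * pow(I, -1, n) % n, 1, z

if __name__ == "__main__":
    s, I = keygen()
    print("honest prover accepted:", identify(Prover(s), I))
    print("prover without s accepted:", identify(GuessingProver(I), I))
    print("simulated transcript for q=1 checks:", check(I, *simulate(I, 1)))
```

The simulated transcripts are distributed exactly like real ones (x is a uniform square, z a uniform unit), which is what makes the protocol zero-knowledge; the guessing prover shows why the verifier must not let its query be predictable.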
Security of Fiat-Shamir
Relies on
• hardness of factoring:
– an algorithm “cracking” Fiat-Shamir yields an algorithm for factoring N
• randomness:
– of r: for Zero-Knowledge
– of query: to prevent P from cheating
ZKP Identification → Signature
• Idea:
P (user), knows {s_i}                              V (e.g., system), knows N, {I_i}
r ←R Z*_N; x = r^2 mod N              ──── x ────→
{q_i} = Hash(M, I, x, …)                            {q_i} = Hash(M, I, x, …)
z = r·Π_i s_i^{q_i} mod N             ──── z ────→  check: z^2 ≡ x·Π_i I_i^{q_i} (mod N)
(the verifier's random queries {q_i} are replaced by the bits of Hash(M, I, x, …), which both sides compute, so no interaction is needed)
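The signature version of the protocol, as an added example (not the lecture's own code and not an answer key for the exercise): t secrets s_i with public I_i = s_i^2, the query bits {q_i} taken from SHA-256 of (M, {I_i}, x) in place of the verifier's random queries, z = r·Π s_i^{q_i}, and a verifier that recomputes the bits and checks z^2 ≡ x·Π I_i^{q_i} (mod N). The toy modulus, the choice t = 32, and the exact byte layout fed to the hash are my assumptions; the slide only says Hash(M, I, x, …).

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus (illustration only; a real N has 2048+ bits).
P, Q = 61, 53
N = P * Q
T = 32   # number of secrets s_i = number of query bits q_i taken from the hash

def rand_unit(n: int) -> int:
    """Uniform element of Z*_N."""
    while True:
        r = secrets.randbelow(n)
        if gcd(r, n) == 1:
            return r

def gen(n: int = N, t: int = T):
    """Gen: SK = (N, {s_i}), PK = (N, {I_i}) with I_i = s_i^2 mod N."""
    s = [rand_unit(n) for _ in range(t)]
    return (n, [pow(si, 2, n) for si in s]), (n, s)

def queries(msg: bytes, I: list, x: int, t: int) -> list:
    """{q_i} = first t bits of Hash(M, {I_i}, x); replaces the verifier's random
    queries, so the signer cannot choose x after seeing the queries."""
    data = msg + b"|" + ",".join(map(str, I)).encode() + b"|" + str(x).encode()
    digest = hashlib.sha256(data).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(t)]

def sign(sk, msg: bytes):
    """Sign: x = r^2, {q_i} = Hash(M, I, x), z = r * prod_i s_i^{q_i} (mod N).
    The signature is (x, z)."""
    n, s = sk
    I = [pow(si, 2, n) for si in s]
    r = rand_unit(n)
    x = pow(r, 2, n)
    z = r
    for si, qi in zip(s, queries(msg, I, x, len(s))):
        if qi:
            z = z * si % n
    return x, z

def verify(pk, msg: bytes, sig) -> bool:
    """Ver: recompute {q_i} from (M, I, x) and test z^2 == x * prod_i I_i^{q_i} (mod N)."""
    n, I = pk
    x, z = sig
    rhs = x
    for Ii, qi in zip(I, queries(msg, I, x, len(I))):
        if qi:
            rhs = rhs * Ii % n
    return pow(z, 2, n) == rhs

if __name__ == "__main__":
    pk, sk = gen()
    msg = b"transfer 10 to Bob"     # constructed sample message
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("valid for altered message:", verify(pk, b"transfer 100 to Bob", sig))
```

Each hash bit plays the role of one verifier query, so a forger who does not know the s_i succeeds only if the t bits derived from their chosen x happen to match a transcript they can fake, roughly a 2^-t chance per attempt; this is why t must be large enough for the application.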
Exercise
• Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)
Signature scheme: Security definition (intuitive)
• Correct:
– Gen(1^k) → {PK, SK}
– Sign(SK, M) → sig
– Ver(PK, M, sig) → “valid”
• Secure:
– Infeasible to compute a valid (M, sig) without SK
– Even given signatures on messages of her choice, the adversary cannot forge signatures on new messages
• Goal: Non-Repudiation
– If Sam signed M he cannot later deny this fact
Repudiation 1
• Attack
– Fake PK
• Defense
– Certification, PKI
• Not 100%, but hopefully “good enough”
– 100% impossible
Repudiation 2
• Stolen SK
– Repudiation: fake stolen SK
• Problem: keys do get lost or stolen
– People lose laptops/PDAs/cell phones
– Hackers break into computers
– …
Defenses
• Post-mortem:
– PKI Certificate Revocation
• Expensive, Slow, …
• Prevention?
– Group Signatures (key sharing)
• Threshold signatures
– Forward security, Intrusion-Resilience