Skip to Content
CSE442TIntroduction to Cryptography (Lecture 21)

CSE442T Introduction to Cryptography (Lecture 21)

Chapter 5: Authentication

Digital Signature Scheme

“Chain based approach”.

pk0m1pk1m2pk2m3pk3m4pk_0\to m_1||pk_1\to m_2||pk_2\to m_3||pk_3\to m_4\dots

The signature size grows linearly with the message size nn.

Improvement:

Use “Tree based approach”.

Instead of creating 1 public key, we create 2 public keys each time and use the shorter one to sign the next message.

For example, let n=4n=4, and we want to sign m=1100m=1100.

Every verifier knows the public key.

Then we generates (pk0,sk0),(pk1,sk1)(pk_0,sk_0),(pk_1,sk_1) and store σ,sk0,sk1\sigma, sk_0,sk_1

σ=Signsk0(pk0pk1)\sigma=Sign_{sk_0}(pk_0||pk_1)

and generates (pk2,sk2)(pk3,sk3)(pk4,sk4)\to (pk_2,sk_2)\to (pk_3,sk_3)\to (pk_4,sk_4)

σ1=Signsk1(pk10pk11)\sigma_1=Sign_{sk_1}(pk_{10}||pk_{11})

σ11=Signsk11(pk110pk111)\sigma_{11}=Sign_{sk_{11}}(pk_{110}||pk_{111})

σ110=Signsk110(pk1100pk1101)\sigma_{110}=Sign_{sk_{110}}(pk_{1100}||pk_{1101})

σ1100=Signsk1100(m)\sigma_{1100}=Sign_{sk_{1100}}(m)

So we sign m=1100m=1100 as σ1100\sigma_{1100}.

The final signature is σ=(pk,σ,pk1,σ1,pk11,σ11,pk110,σ110,pk1100,σ1100)\sigma'=(pk,\sigma,pk_1,\sigma_1,pk_{11},\sigma_{11},pk_{110},\sigma_{110},pk_{1100},\sigma_{1100}).

The verifier can verify the signature by checking the authenticity of each public key.

Outputs m,σmm,\sigma'_m

The signature size grows logarithmically with the message size nn.

If we want to sign m=1110m=1110 for next message, we can just append 11101110 to the end of the previous signature since pk1,pk11,pk110pk_1,pk_{11},pk_{110} are all stored in the previous signature tree.

So the next signature is σ1110=(pk,σ,pk1,σ1,pk11,σ11,pk111,σ111,pk1110,σ1110)\sigma'_{1110}=(pk,\sigma,pk_1,\sigma_1,pk_{11},\sigma_{11},pk_{111},\sigma_{111},pk_{1110},\sigma_{1110}).

The size of the next signature is still O(logn)O(\log n).

Advantages:

  1. The signature size is small (do not grow linearly as the number of messages grows).
  2. The verification is efficient (do not need to check all the previous messages).
  3. The signature is secure.

Disadvantages:

  1. Have to store all the public keys securely pair as you go.

Fix: Psudo-randomness.

Use a Pseudo-random number generator to generate random pk/sk pairs.

Since the PRG is deterministic, we don’t need to store the public keys anymore.

We can use a random seed to generate all the pk/sk pairs.

Trapdoor-based Signature Scheme

Idea: use RSA to create

N=pqN=p\cdot q, eZϕ(N)e\in\mathbb{Z}_{\phi(N)}^*, d=e1modϕ(N)d=e^{-1}\mod\phi(N) (secret key)

We do the “flip” encryption as follows:

Let c=Encpk(m)=memodNc=Enc_{pk}(m)=m^e\mod N

Then Decsk(c)=cdmodN=mmodNDec_{sk}(c)=c^d\mod N=m'\mod N.

σ=Signsk(m)=mdmodN\sigma=Sign_{sk}(m)=m^d\mod N

Verifypk(m,σ)=1    σe=(md)emodN=mVerify_{pk}(m,\sigma)=1\iff \sigma^e=(m^d)^e\mod N=m

Forgery 1:

Ask oracle nothing.

Pick random σ\sigma let m=σem=\sigma^e.

Although in this case, the adversary has no control over mm, it is still not very good.

Forgery 2:

They want to sign mm.

Pick m1,m2m_1,m_2 and m=m1m2m=m_1\cdot m_2.

Ask oracle for Encpk(m1)=σ1Enc_{pk}(m_1)=\sigma_1 and Encpk(m2)=σ2Enc_{pk}(m_2)=\sigma_2.

Output σ=σ1σ2\sigma=\sigma_1\cdot\sigma_2, since σ1σ2=(m1dmodN)(m2dmodN)=(m1m2)dmodN=md=σ\sigma_1\cdot\sigma_2=(m_1^d\mod N)\cdot(m_2^d\mod N)=(m_1\cdot m_2)^d\mod N=m^d=\sigma.

This is a valid signature for mm.

That’s very bad.

This means if we signed two messages m1,m2m_1,m_2, we can get a valid signature for m1m2m_1\cdot m_2. If unfortunately m1m2m_1\cdot m_2 is the message we want to sign, the adversary can produce a fake signature for free.

Fix for forgeries

Pick a “random”-looking function h:MZNh:\mathcal{M}\to\mathbb{Z}_N^*. (h()h(\cdot) is collision-resistant)

pk=(h,N,e)pk=(h,N,e), sk=(h,N,d)sk=(h,N,d)

Signsk(m)=h(m)dmodNSign_{sk}(m)=h(m)^d\mod N

Verifypk(m,σ)=1    σe=h(m)modNVerify_{pk}(m,\sigma)=1\iff \sigma^e=h(m)\mod N

If hh is truly random, this would be secure.

σe=m\sigma^e=m and σe=h(m)m\sigma^e=h(m)\cancel{\to}m

So σ1=h(m1)d\sigma_1=h(m_1)^d and σ2=h(m2)d\sigma_2=h(m_2)^d, If m=m1m2m=m_1\cdot m_2, then σ1σ2=h(m1)dh(m2)dh(m)d=σ\sigma_1\cdot\sigma_2=h(m_1)^d\cdot h(m_2)^d\neq h(m)^d=\sigma. (the equality is very unlikely to happen)

This is secure.

Choices of hh:

  1. hh is random function. Not practical since we need the verifier to know hh.
  2. hh is pseudo-random function. Verifier needs to use hh, with full access to the random oracle. If we use fkf_k for a random key kk, they need kk. No more pseudo-random security guarantee.
  3. hh is a collision-resistant hash function. We can’t be sure it doesn’t have any patterns like h(m1m2)=h(m1)h(m2)h(m_1\cdot m_2)=h(m_1)\cdot h(m_2).

Here we present our silly solution:

Random oracle model:

Assume we have a true random function hh, the adversary only has oracle access to hh.

And hh is practical to use.

This RSA scheme under the random oracle model is secure. (LOL)

This requires a proof.

In practice, SHA-256 is used as hh. Fun, no one really finds a collision yet.

Last updated on
Introduction to Cryptography (Lecture 20)Introduction to Cryptography (Lecture 22)