Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented."— Presentation transcript:

1 Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented by J. Liu

2 Outline Introduction Definitions 1.The random oracle model 2.Digital signature schemes Preliminaries 1. Complexity theory and “Oracle replay attack” 2. Distinguishability of distributions of probability Security arguments for digital signatures

3 Introduction Provable security has tried to provide proof in the asymptotic framework of complexity theory. That is, poly reductions the problem to well-established problems, such as factorization, DLP, NPC…. One way function  NP vs. P

4 The random oracle model Hash function (e.g. MD5, SHA1-2, …) long message  short digest. Nonrepudiation  it is impossible to find two different messages providing the same hash value (collision freeness) The hash function can be seen as an oracle which produces a truly random value for each “new” query.

5 Digital signature schemes 1.Key generation algo. G (probabilistic): input: k and w, output: (Kp, Ks) 2.Signing algo. Σ(may be probabilistic): input: message m, (Kp, Ks) output: signature σ 3.Verification algo. V (not probabilistic): input: m, Kp, σ output: accept or reject

6 Fig. 1. signature schemes

7 Example: RSA signature N = pq, ed = 1 mod φ(N) where e is p and d is s. The signature of a message m with respect to d is σ= m d mod N It is not secure under existential forgery. σ’ = σ 2 = (m d ) 2 = (m 2 ) d mod N Not intelligible or without the proper redundancy

8 Example: Schnorr signature p, q two large prime and q | p-1 with q ≧ 2 k. g  (Z/pZ)* of order q, y = g -x mod p σ= (r, e, s), where r = g K mod p with random K, e = H(m, r) mod q and s =K+ex mod q Verify by e = H(m, g s y e mod p) [g s y e = g K+ex (g -x ) e = g K+ex-ex = g K =r mod p]

9 No-message attack vs. known- message attack NMA: Attacker only knows public key of the signer. KMA: Attacker can access a list of (m, σ) pairs. 1)Plan known-message attack 2)Generic chosen-message attack 3)Oriented chosen-message attack 4)Adaptively chosen-message attack

10 Plan known-message attack Attacker has access to a list of signed messages, but he has not chosen them.

11 Generic chosen-message attack Attacker can choose the list of messages to be signed. This choice must be made before accessing the public key of the signer. That is the choice is independent of the signer.

12 Oriented chosen-message attack Choose the message for specific signer.

13 Adaptively chosen-message attack Having knowledge of the public key of the signer, the attacker can ask the signer to sign any message that he wants. He can then adapt his queries according to previous message-signature pairs.

14 Forgeries Total break: Disclose the secret key of the signer. Universal forgery: Constructing an efficient algorithm which can sign any message. Existential forgery: providing a new message-signature pair. (not dangerous ∵ meaningless)

15 Secure signature scheme A signature scheme is secure if an existential forgery is computationally impossible, even under an adaptively chosen-message attack.

Download ppt "Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented."

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Almost uniform density of power residues and the provable security of ESIGN Jacques Stern ASIACRYPT 2003 December 3rd 2003 École normale supérieure Tatsuaki.

Almost uniform density of power residues and the provable security of ESIGN Jacques Stern ASIACRYPT 2003 December 3rd 2003 École normale supérieure Tatsuaki.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

Similar presentations

Ads by Google