1. 8. Data Integrity Techniques
CIS Cryptography
8. Data Integrity Techniques

2. Asymmetric techniques, I
Digital signatures
With PK encryption, Alice can use her private key to decrypt a message and the resultant “ciphertext’’ can be “encrypted’’ to recover the message.
This ciphertext can serve as a
Manipulation Detection Code (MDC).
The verification of a MDC can be performed by anyone since the public key is available to anyone.

3. Example of an MDC based on RSA
Let p = 101, q = 113. Then n =
 (n) = 100  112 = = 26527
Alice takes e = 3533, d = 6597
Alice publishes: n = 11413, e = 3533.
Let the message be m = 5761
Alice computes the MDC:
(mod 11413) = 9726
Suppose Bob wants to verify that 9726 is the MDC of Alice
Bob computes mod = 5761

4. Digital signature schemes
M, message space
S, signature space
K, signing key space
K’, verifying key space
Gen: 1 𝑛  KK’, an efficient key generating algorithm
Sign: MK  S, an efficient signing algorithm
Verify: MSK’ {true,false} an efficient verifying algorithm.

5. The RSA signature scheme
Signature setup:
n = pq, where p and q are primes.
M = S = Zn , with keyspace
K = {(n,e,d) : ed = 1 mod  (n) }.
Public key = (n,e), Private key (n,d).
Signature generation: for m  Zn,
𝑠= 𝑠𝑖𝑔 𝑑 𝑚 = 𝑚 𝑑 𝑚𝑜𝑑 𝑛
Signature Verification
𝑉𝑒𝑟𝑖𝑓𝑦 𝑛,𝑒 𝑚,𝑠 =𝑇𝑟𝑢𝑒 if and only if 𝑠 𝑒 =𝑚 𝑚𝑜𝑑 𝑛

6. Security issues for Digital Signatures
Active attacks digital signatures
Adaptive Chosen-Message Attack (CMA):
The attacker chooses adaptively a number of messages and obtains the corresponding signatures: the task of the attacker is successful if he can sign a (new) target message.
Existential forgery under CMA:
The algorithms (Sign,Verify) form a one-way trapdoor pair. This means that it is easy to compute valid “message-signature” pairs
(by first selecting a signature and then finding the corresponding message).
However, computing message-signature pairs should be hard.
A usual way to control this is add redundancy to the message.

7. Rabin signatures Signature setup: Same as RSA
Public key = (n,b), Private key = (p,q).
Signature generation: Exercise
Signature Verification: Exercise

8. The ElGamal signature scheme
Signature setup:
Same as ElGamal encryption scheme, with:
M = Zp* , S = Zp* Zp-1, and keyspace K = Zp* Zp-1.
Public key = (p, g, y)
Private key = (p, g, x).

9. The ElGamal signature scheme
Signing
Let m  Zp* be a message.
For public key (p,g,y), with y = gx mod p,
and a secret random number k  Zp-1, define:
sigx,k (m,k) = (s,t), where
s = gk mod p
t = (m-xs) k-1 mod ( p-1)
Verification
Verify(p,,g,y)(m,(s,t)) = true st·ys = gm mod p.

10. Toy example Let p = 467, g = 2, x = 127, y = 132 message m = 100,
Choose k = 213. Then k -1mod 466 = 431.
The signature is:
s = mod 467 = 29
t = (m-xs) k -1 mod (p-1)
= ( ×29) 431 mod 466 = 51
Verification: ? 2951×13229 mod 467

11. The security of ElGamal signatures
If the DL problem is feasible then ElGamal signatures can be forged.
The converse may not be true.
The exponent k must be
private
cannot be used twice
best: chosen at random.

12. The Digital Signature Algorithm
Let p be a an L-bit prime prime,
512  L  1024 and L  0 mod 64 ,
let q be a 160-bit prime that divides p-1 and
Let  e Zp* be a q-th root of 1 modulo p.
Let M = Zp-1,
S = Zq x Zq and
K = {(p,q,,x,y): y =  x modp }.
The public key is (p,q,,y).
The private key is (p,q,,x).

13. The Digital Signature scheme
Signing
Let m  Z be a message.
For public key (p,g,,y), with y =  x mod p, and
secret random number k  Zp-1, define: sigx,k(m) = (s,t), where
s = ( k mod p) mod q
t = (SHA(m) + xs) k -1 mod q
Verification
Let
e1 = (SHA(m)) t -1 mod q
e2 = s t -1 mod q
Verify(p,,y),(m,(s,t)) = true ( e1 y e2 mod p) mod q = s.

14. Provable security Forging signatures
We must how that given a message it is hard to forge a signature. Is this enough?
There are several attacks we already discussed:
Existential forgery
Adaptive Chosen-Message Attacks
What is really needed is a formal security model for digital signatures, that allows for all possible threat scenarios and all protocol aspects.
One such model is the Random Oracle model.

15. Asymmetric techniques, II Data Integrity without source Identification
Optimal Asymmetric Encryption Padding
RSA-OAEP

16. RSA with OAEP Key Parameters
Let (N,e,d,G,H,n,k0,k1) U Gen (1x) satisfy:
(N,e,d) are RSA parameters
|N| = k = n+k0+k1, with 2k0, 2k1 negligible quantities
G, H hash functions with:
G: {0,1}k0  {0,1}k-k0 , H: {0,1}k-k0  {0,1}k0
n is the length of the plaintext
(n, k0,k1,G,H,e) is Alice’s RSA public key,
(n, k0,k1,G,H,d) is Alice’s RSA private key.

17. RSA with OAEP Encryption
Let m  {0,1}n be the message to be sent to Alice.
Bob (the adversary?) performs the following:
.r  U {0,1}k0 ;
s  (m || 0k1)  G(r) ; t  r H(s)
.c  (s || t) e mod N

18. RSA with OAEP Decryption
Upon receipt of the ciphertext c Alice performs:
.s || t  c d mod N satisfying
|s| = n+k1 , |t| = k0
.u  t H(s); v  s  G(u)
Output m if v = m || 0k0, else reject.

19. RSA with OAEP
Security
RSA with OAEP provides data-integrity, but not origin integrity.
It can be shown that RSA-OAEP is secure against adaptive chosen ciphertext (CCA2) attacks in the Random Oracle Model.

20. The Random Oracle Model (ROM)
Security is defined in terms of a game involving two parties: the system and the adversary.
All authorized parties of the system are represented by random oracles (Alice, Bob, …)
Access to any party is via its oracle.
Access to an oracle G is by a query a, to get the response G(a).
The system of oracles is managed by a Simulator (who arranges that the oracles simulate the behavior of the real parties).

21. The Random Oracle Model
There are two phases:
A training phase in which adversary is allowed to make queries (adaptively) and get responses.
A test phase in which adversary must answer 0 or 1 as his educated guess to a challenge.
The adversary wins if at the test phase he can distinguish with probability better than
0.5 + negl
between two strings.
e.g. if a public-key encryption system is analyzed, the
adversary must distinguish between the ciphertexts c1,c2
of two new messages m1, m2.

22. The Random Oracle Model
The system is secure if the adversary cannot win.
The type of queries the adversary can make is determined by the threat model used.
in CCA2 the adversary can adaptively chose ciphertexts an get the corresponding plaintexts.

23. One-time signatures Lamport signature scheme
Let k be an integer, P = {0,1}k.
Suppose that f : Y  Z is a one-way function,
and A = Y k.
Let
yi,j  Y be chosen at random, 1 ≤ i ≤ k, j =0,1, and
zi,j = f (yi,j),
The key K consists of the 2k pairs : (yi,j, zi,j).
The y’s are the private key, the z’s are the pubic key.

24. Lamport signature scheme
Signing
Let x = (x1,x2, … , xk)  P be a message.
For K = (yi,j, zi,j) define
sigK (x1,x2, … , xk) = (y1,x1,y2,x2, … , yk,xk ) .
Verification
verK((x1,x2, … xk),(y1,x1,y2,x2, … , yk,xk )) = true
 f(yi) = zixi , 1 ≤ i ≤ k

25. The security of the Lamport signature scheme
The security of the Lamport signature scheme can
be proven if we assume that:
The one-way function is bijective, and that
The public key consists of distinct elements.

26. Certificates and Public-Key Infrastructures
We have not shown how to distribute securely public keys.
We shall now show how this can be done by using public-key cryptography
Sounds circular, and is! but works.

27. Certificates and Public-Key Infrastructures
A first approach: bootstrap all public-keys to a single one using certificates.
To be concrete suppose that Charlie has generated a key pair ( 𝑝𝑘 𝐶 , 𝑠𝑘 𝐶 ).
Consider the certificate
𝑐𝑒𝑟𝑡 𝐶→𝐵 = 𝑠𝑖𝑔 𝑠𝑘 𝐶 ′𝐵𝑜 𝑏 ′ 𝑠 𝑘𝑒𝑦 𝑖𝑠 𝑝𝑘 𝐵 ′
Give this to Bob.
Bob publishes: (𝑝𝑘 𝑀 , 𝑐𝑒𝑟𝑡 𝐶→𝐵 )
This authenticates the public key of Bob to anyone who trusts Charlie.