Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Published byBernard Ross Modified over 8 years ago

Similar presentations

Presentation on theme: "Ryan Henry I 538 /B 609 : Introduction to Cryptography."— Presentation transcript:

1 Ryan Henry I 538 /B 609 : Introduction to Cryptography

2 Ryan Henry Last Thursday’s lecture: El Gamal encryption Goldwasser-Micali bit encryption Paillier encrypton Today’s lecture: Signature schemes 1

3 Ryan Henry Assignment 6 is due Thursday, Dec 3 (Assignment 7 will be due on the same day!) 2 Thursday, December 10

4 Ryan Henry 3 Please complete the Online Course Questionnaire Reminder:

5 Ryan Henry Going forward Tuesday (11/17): Digitial signature schemes Thursday (11/19): Random oracle model **Thanksgiving break (11/22—11/29) ** Tuesday (12/01): Zero-knowledge Thursday (12/03): ?? Tuesday (12/08): ?? Thursday (12/10): ?? 4 – Specific cryptosystems – Secret sharing schemes – Pairing-based cryptography – Zero-knowledge proofs – Private information retrieval – Secure multiparty computation – Side-channel attacks – Other Security notions – Anonymous credentials possible topics

6 Ryan Henry Recall: Secrecy versus Authenticity ▪S▪Secrecy / confidentiality –I–IND-CPA: indistiguishable multiple encryptions in the presence of an eavesdropper –P–Provides ”security” in the presence of passive attackers ▪A▪Authenticity / integrity –E–Existential unforgeability under adaptive chosen message attacks –P–Provides “security” in the presence of active attackers 5 “ s e c u r i t y ” = = s e c r e c y “ s e c u r i t y ” = = i n t e g r i t y

7 Ryan Henry Recall: MAC schemes 6 Usually write MAC k (m) and Ver k (m,t) instead of MAC(k,m) and Ver(k,m,t) K is the key space M is the message space T is the tag space (the set of possible keys) (the set of possible messages) (the set of possible “tags”) Def n : A message authentication code (MAC) is a triple of efficient algorithms (Gen,MAC,Ver) such that – Gen:1 ℕ →K is a randomized “key generation” algorithm – MAC:K×M→T is a “tagging” algorithm – Ver:K×M×T→{0,1} is a “tag verification” algorithm

8 Ryan Henry Recall: MAC existential forgery game 7 1s1s 1s1s (m,t)∈M×T k←Gen(1 s ) m 1 ∈M t 1 ←MAC k (m 1 ) m 2 ∈M t 2 ←MAC k (m 2 ) m n ∈M t n ←MAC k (m n ) m1m1 m2m2 mnmn t1t1 t2t2 tntn Let E be the event that (m,t)∉{(m 1 ,t 1 ),…,(m n ,t n )} yet Ver k (m,t)=1 Define A’s advantage to be Adv MAC-forge (A)≔Pr[E] ⋮

9 Ryan Henry Recall: Existential unforgeability 8 The message m and tage t are chosen arbitrarily by the attacker at the end of the attack Existential unforgeability is the “default” unforgeability property Def n : A MAC scheme (Gen,MAC,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv MAC-forge (A)≤ε(s).

10 Ryan Henry Digital signature schemes ▪ Intuitively, a digital signature scheme is the public-key equivalent of a MAC scheme. 9 Def n : A digital signature scheme is a triple of efficient algorithms (Gen,Sign,Ver) such that – Gen:1 ℕ →K s ×K v is a randomized “key generation” algorithm – Sign:K s ×M→S is a randomized “signing” algorithm – Ver:K v ×S→{0,1} is a deterministic “signature verification” algorithm

11 Ryan Henry Correctness ▪ Intuitively: Correctness is the property of being able to verify a signature (given the appropriate public key) 10 Def n : A signature scheme (Gen,Sign,Ver) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M, Pr[Ver k v (m,Sign k s (m))=1|(k s,k v )←Gen(1 s )]≥1−ε(s) If Ver(k v ,m,σ)≟1, then we call σ a valid signature on m (under the verification key k v ).

12 Ryan Henry Signature existential forgery game 11 1s1s 1s1s (m,σ)∈M×S (k s ,k v )←Gen(1 s ) m 1 ∈M σ 1 ←Sign k s (m 1 ) m 2 ∈M σ 2 ←Sign k s (m 2 ) m n ∈M σ n ←Sign k s (m n ) m1m1 m2m2 mnmn σ1σ1 σ2σ2 σnσn Let E be the event that (m,σ)∉{(m 1 ,σ 1 ),…,(m n ,σ n )} yet Ver k v (m,σ)=1 Define A’s advantage to be Adv Sig-forge (A)≔Pr[E] ⋮ kvkv

13 Ryan Henry Existential unforgeability 12 Def n : A digital signature scheme (Gen,Sign,Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv Sig-forge (A)≤ε(s). ▪ Intuitively: Existential unforgeability is the property of being resistant to forgeries, even those arising from malicious tampering with existing signatures

14 Ryan Henry “Textbook” RSA signatures 13 ▪M▪Many textbooks (and courses) describe RSA signatures as a direct application of the RSA trapdoor permutation to a message; that is, –G–Gen(1 s ) chooses distinct s-bit primes p and q and e∈℥ φ(pq), and then it outputs k v ≔(pq,e) and k s ≔e -1 mod φ(pq); –S–Sign(k s ,m) outputs σ≔m d mod pq; and –V–Ver(k v ,m,σ) outputs 1 if m≟σ e mod pq and 0 otherwise. Q: Is this an existentially unforgeable signature scheme? A: NO! NO! NO! Don’t ever do this! (Seriously, don’t do it!) (If you do this and I find out, I will retroactive fail you in this course!)

15 Ryan Henry “Textbook” RSA signatures ▪ As with textbook RSA encryption, textbook RSA signatures have some serious problems! – Unclear how to sign “long” messages – Extremely inefficient – “No message” forgery attacks – Forgeries from malleability – Forgeries on arbitrary messages – Key reuse attacks 14

16 Ryan Henry “No message” forgeries 15 Obs 1: Let p v ≔(pq,e) be a verification key for the textbook RSA signature scheme. Given any σ∈℥ N, the attacker can output a valid forgery (m,σ) where m≔ σ e mod pq. ??? Q: Can attacker choose σ corresponding to a particular message of its choosing? A: No! (Unless the RSA assumption fails to hold.) Message is an eth root of σ modulo pq!

17 Ryan Henry Forgeries from malleability ▪ Attacker can choose a and b arbitrarily – a=b=1 yields signature on m 1 m 2 – b=0 yields signature on m 1 a 16 Obs 2: Let p v ≔(pq,e) be a verification key for the textbook RSA signature scheme. Given any two message-signatures pairs (m 1 ,σ 1 ), (m 2 ,σ 2 ) such that Ver(p v ,m 1 ,σ 1 )=Ver(p v ,m 2 ,σ 2 )=1, the attacker can output a valid forgery (m’,σ’) where m’≔m 1 a m 2 b mod pq and σ’≔ σ 1 a σ 2 b mod pq.

18 Ryan Henry Forgeries on arbitrary messages 17 Obs 3: Let p v ≔(pq,e) be a verification key for the textbook RSA signature scheme. Attacker can forge signature on arbitrary message m of its choosing by 1. choosing any r∈℥ pq such that r≠1, 2. requesting a signature σ’ on m’≔ 3. outputting σ≔ This “attack” is useful for constructing blind RSA signatures. m·r e, and ??? σ’·r -1 mod pq. ???

19 Ryan Henry One-time signature schemes ▪I▪Intuitively, a one-time signature (OTS) scheme is a digital signature scheme that is existentially unforgeable provided the private key is only used to sign a single message Q: Why is this notion useful? A1: We can construct OTS schemes under weaker assumptions –N–No random oracles, no computational assumptions A2: OTS’s are a useful building block for “many-time” signatures 18

20 Ryan Henry One-time forgery game 19 1s1s 1s1s (m’,σ’)∈M×S (k s ,k v )←Gen(1 s ) m∈M σ←Sign k s (m) m σ Let E be the event that (m’,σ’)≠(m,σ) yet Ver k v (m’,σ’)=1 Define A’s advantage to be Adv OTS-forge (A)≔Pr[E] kvkv

21 Ryan Henry One-time existential unforgeability 20 Def n : A digital signature scheme (Gen,Sign,Ver) is existentially unforgeable under single-message attacks (or is one-time secure) if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv OTS-forge (A)≤ε(s).

22 Ryan Henry Lamport’s OTS scheme (for ℓ(s)-bit messages) 21

23 Ryan Henry Security of Lamport’s OTS scheme 22 Thm: Let ℓ:ℕ→ℕ be any positive integer-valued polynomial and let F be an OWF. Then Lamport’s OTS scheme for messages of length ℓ(s) is existentially unforgeable under single-message attacks. Proof (Sketch): Suppose A requests a signature on an ℓ(s)-bit message m and consider any message m’∈{0,1} s ∖{m}. Since m’≠m, there exists a bit position i for which m i ≠m′ i ; thus, forging a signature on m’ requires A to find x′ i ∈F -1 (y i,m′ i ). Since F is an OWF, A succeeds in doing so with negligible advantage. ☐

24 Ryan Henry That’s all for today, folks! 23

Download ppt "Ryan Henry I 538 /B 609 : Introduction to Cryptography."

Similar presentations

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.

Dan Boneh Message integrity Message Auth. Codes Online Cryptography Course Dan Boneh.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Lecture 10 Signature Schemes Stefan Dziembowski www.dziembowski.net MIM UW 7.12.12ver 1.0.

Lecture 10 Signature Schemes Stefan Dziembowski MIM UW ver 1.0.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

Similar presentations

Ads by Google