Key Substitution Attacks on Some Provably Secure Signature Schemes


Author: Chik-How Tan
Source: IEICE Trans. Fundamentals, Vol.E87-A, No.1 Jan. 2004
Speaker: Su Sheng-Yao

Outline
- Introduction
- Two Provably Secure Signature Schemes
  - Fischlin Signature Scheme
  - Camenisch-Lysyanskaya Signature Scheme
- Cryptanalysis
- Conclusion

Introduction
- Provable Security
- Provably Secure Signature Schemes
  - Security can be proved under standard and well-believed complexity-theoretic assumptions
  - Definition, Protocol, Proof
- Key Substitution Attack
  - Given U's public key and a signature s on m, adversary A tries to produce a new public key s.t. s is also a valid signature of A on m

Application
- e-lottery
  - The gambler uses his/her secret key to sign the e-lottery to ensure that he owns the e-lottery
- e-coupon (gift voucher)
  - Must be signed by the buyer and later signed by the shop

History
- (1998) Goldwasser, Micali and Rivest introduced the security notion of existential unforgeability against adaptive chosen-message attacks
- (1999) Blake-Wilson and Menezes introduced duplicate-signature key selection attacks
- (2004) Menezes and Smart analyzed the security of some signature schemes against this attack, which they named the key substitution attack

Fischlin Signature Scheme (1/2)
- Key Generation:
  - $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  - three random quadratic residues $h_1, h_2, X \in Z_N^*$
- Signature Generation:
  - compute the $l$-bit $H(m)$, where $H(\cdot)$ is a collision-resistant hash function
  - compute $y = (X h_1^{a} h_2^{a \oplus H(m)})^{1/e} \bmod N$
  - $e$: random $(l+1)$-bit prime
  - $a$: $l$ bits long
- Public key: $(N, X, h_1, h_2)$
- Private key: $(p, q)$
- Signature: $(y, a, e)$

Fischlin Signature Scheme (2/2)
- Signature Verification: check
  - $e$: $(l+1)$-bit odd integer
  - $a$: $l$ bits
  - $y^e = X h_1^{a} h_2^{a \oplus H(m)} \bmod N$

Camenisch-Lysyanskaya Signature Scheme (1/2)
- Key Generation:
  - $N = pq$ ($p = 2p' + 1$, and likewise for $q$)
  - three random quadratic residues $h_1, h_2, X \in Z_N^*$
- Signature Generation:
  - compute $y = (X h_1^{s} h_2^{m})^{1/e} \bmod N$
  - $e > 2^{l_m + 1}$: random prime of length $l_e = l_m + 2$
  - $s$: random number s.t. $l_s = l_N + l_m + l$
- Public key: $(N, X, h_1, h_2)$
- Private key: $(p, q)$
- Signature: $(y, s, e)$

Camenisch-Lysyanskaya Signature Scheme (2/2)
- Signature Verification: check
  - $e$: $2^{l_e - 1} < e < 2^{l_e}$
  - $y^e = X h_1^{s} h_2^{m} \bmod N$

Cryptanalysis (1/2)
- Weak-key substitution attack (stronger): produce public/private key
- Strong-key substitution attack: public key (without knowing private key)
- Weak-Key Substitution Attack
  - the two schemes have the same form: $X = y^e h_1^{-s} h_2^{-t} \bmod N$
  - signature $(y, a, e)$, where
    - $s = a$, $t = a \oplus H(m)$ in the Fischlin scheme
    - $t = m$ in the C-L scheme

Cryptanalysis (2/2)
- choose two new primes s.t.
- choose two random quadratic residues
- compute
- Then public key is valid with secret key and signature (y, a, e) of m
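The common form X = y^e h1^-s h2^-t mod N from the cryptanalysis slides, worked through on the C-L verification equation as an added example (it is not code from the paper or the slides). The primes, bases, message and the helper names `sign`, `verify` and `substitute_key` are constructed toy values and assumptions; the length checks on e and s are omitted, and the slide's condition on the new primes is not reproduced.

```python
# Added illustration with constructed toy parameters (far too small to be secure).
from math import gcd

def verify(pk, m, sig):
    """C-L verification equation: y^e == X * h1^s * h2^m (mod N)."""
    N, X, h1, h2 = pk
    y, s, e = sig
    return pow(y, e, N) == (X * pow(h1, s, N) * pow(h2, m, N)) % N

def sign(pk, sk, m, s, e):
    """y = (X * h1^s * h2^m)^(1/e) mod N, computed with the factors (p, q)."""
    N, X, h1, h2 = pk
    p, q = sk
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(N)"
    d = pow(e, -1, phi)                      # exponent that takes e-th roots
    v = (X * pow(h1, s, N) * pow(h2, m, N)) % N
    return (pow(v, d, N), s, e)

def substitute_key(m, sig, p2, q2, g1, g2):
    """Build a second public key under which the SAME (m, sig) verifies.

    Uses the form on the slide, X = y^e * h1^-s * h2^-t mod N with t = m (C-L).
    p2, q2, g1, g2 are hypothetical choices made by the second party.
    """
    y, s, e = sig
    N2 = p2 * q2
    h1, h2 = pow(g1, 2, N2), pow(g2, 2, N2)  # squares, hence quadratic residues
    X2 = (pow(y, e, N2) * pow(h1, -s, N2) * pow(h2, -m, N2)) % N2
    return (N2, X2, h1, h2)

def demo():
    # Honest signer U: safe primes 23 = 2*11+1 and 47 = 2*23+1 (constructed).
    p, q = 23, 47
    N = p * q
    pk_u = (N, pow(5, 2, N), pow(2, 2, N), pow(3, 2, N))  # (N, X, h1, h2)
    m = 42
    sig = sign(pk_u, (p, q), m, s=77, e=13)
    # Second party picks fresh safe primes 59, 83 and keeps their factorisation.
    pk_a = substitute_key(m, sig, 59, 83, 7, 11)
    return (verify(pk_u, m, sig),      # valid under U's key
            verify(pk_a, m, sig),      # the same signature is valid under the new key
            pk_a != pk_u,              # the two keys are different
            verify(pk_a, m + 1, sig))  # the new key only fits this one message

if __name__ == "__main__":
    print(demo())
```

Nothing in the verification equation ties (y, s, e) to one particular (N, X, h1, h2), which is why a verifier in a multi-user setting cannot take a valid signature alone as proof of which key holder produced it.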

Conclusion
- The two schemes are attacked with the weak-key substitution attack
- A signature scheme secure against existential forgery under adaptive chosen-message attack is inadequate
- A scheme should also be secure against key substitution attacks, or rather be secure in the multi-user setting