Signatures, etc. Network Security Gene Itkis

Signature scheme: Formal definition GenKey Generation: Gen(1 k )   PK, SK  SignSigning: Sign(SK, M)  sig VerVerifying: Ver(PK, M,sig)  “valid” or “invalid”

Example: RSA Key Generation: –Gen –Gen(1 k )   PK=(N, e), SK=(N, d)  d = e -1 mod φ(N)  (z d mod N) e mod N ＝ z Signing: –Sign –Sign (SK, M)  s = hash(M) d mod N Verifying: Ver – Ver (PK, M, s): test “ s e mod N = hash(M) ”

Example: Fiat-Shamir (modified) First: Zero-Knowledge Identification Protocol –Players: Prover P & Verifier V NI –Public (both V & P know): N, I s 2 mod N = I –Secret (only P knows): s, such that s 2 mod N = I –Production Center Secret: p & q, such that N = pq Allows Production Center to support many Provers with the same N I –Generate s for any I

Fiat-Shamir (cont.) P P (user) V V (e.g., system) s r  R Z * N ; x  r 2 mod N x q = 0 1 z=r z=rs mod N check: z 2  x ( mod N) I z 2  xI ( mod N) I q [z 2  xI q ( mod N)] IN, IIN, I Repeat k times z  rs q mod N

Fiat-Shamir (cont.) PProof (of P knowing s) P –after k rounds the probability of mistake (i.e. P cheating without being caught) is (1/2) k Zero-Knowledge –if query is known in advance: for query=0, select r, and x=r 2 mod N Ifor query=1, select z, and x=z 2 I mod N (z “pretends” to be rs mod N)

Security of Fiat-Shamir Relies on hardness of factoring: an algorithm “cracking” Fiat-Shamir yields an algorithm for factoring N randomness: of r for Zero-Knowledge Pof query - to prevent P from cheating

ZKP Identification  Signature Idea: P P (user) V V (e.g., system) {si}{si} r  R Z * N ; x  r 2 mod N x {qi}{qi} check: I i z 2  x Π i I i q i ( mod N) Ii}N, {Ii}Ii}N, {Ii} z  rΠ i s i q i mod N I Hash (M,I,x,…)

Exercise Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)

Signature scheme: Formal definition GenKey Generation: Gen(1 k )   PK, SK  SignSigning: Sign(SK, M)  sig VerVerifying: Ver(PK, M,sig)  “valid” or “invalid”

Signature scheme: Security definition (intuitive) Correct: Gen Gen(1 k )  { PK, SK } Sign Sign( SK, M )  sig Secure: Infeasible to compute valid  M, sig  without SK  Even given signatures on messages of her choice, adversary cannot forge signatures on new messages  Goal: Non-Repudiation If Sam signed M he cannot later deny this fact  Ver  Ver( PK, M,sig )  “ valid ”

Repudiation 1 Attack –Fake PK Defense –Certification, PKI Not 100%, but hopefully “good enough” –100% impossible

Repudiation 2 Stolen SK –Repudiation: fake stolen SK Problem: keys do get lost or stolen –People lose laptops/PDAs/cell phones –Hackers break into computers –…–…

Defenses Post-mortem: –PKI Certificate Revocation Expensive, Slow, … Prevention? –Group Signatures (key sharing) Threshold signatures –Forward security, Intrusion-Resilience