1. Digital signatures

2. What is a digital signature
A digital signature allows the holder of the secret key (the signing key) to sign a document
Everyone who knows the verification key can verify that the signature is valid (correctness)
No one can forge a signature even given the verification key even though he is given a signature

3. Structure of digital signature
𝐺𝑒𝑛 1 𝑛 → (𝑠𝑘,𝑣𝑘)
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 → 𝑠𝑖𝑔
𝑉𝑒 𝑟 𝑣𝑘 𝑚,𝑠𝑖𝑔 → {0,1}

4. Structure of digital signature scheme (DSS)
𝐺𝑒𝑛 1 𝑛 → (𝑠𝑘,𝑣𝑘)
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 → 𝑠𝑖𝑔
𝑉𝑒 𝑟 𝑣𝑘 𝑚,𝑠𝑖𝑔 → {0,1}
Correctness
𝑉𝑒 𝑟 𝑣𝑘 𝑚,𝑆𝑖𝑔 𝑛 𝑠𝑘 (𝑚) =1
Unforgeability
To be continued

5. DSS VS MAC 𝐺𝑒𝑛 1 𝑛 → (𝑠𝑘,𝑣𝑘) 𝐺𝑒𝑛 1 𝑛 → 𝑘 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 → 𝑠𝑖𝑔 𝑚𝑎𝑐 𝑘 𝑚 → 𝑡
𝐺𝑒𝑛 1 𝑛 → (𝑠𝑘,𝑣𝑘)
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 → 𝑠𝑖𝑔
𝑉𝑒 𝑟 𝑣𝑘 𝑚,𝑠𝑖𝑔 → {0,1}
𝐺𝑒𝑛 1 𝑛 → 𝑘
𝑚𝑎𝑐 𝑘 𝑚 → 𝑡
v𝑒 𝑟 𝑘 𝑚,𝑡 → {0,1}

6. Mac forgery game M ←{} k ∈ 𝑅 0,1 𝑠 𝑚′ M←𝑀∪{𝑚′} Repeat as many times
as the adversary wants
𝑡′ ←𝑚𝑎 𝑐 𝑘 (𝑚′) 𝑡′
Wins if
𝑚 ∉𝑀
𝑣𝑒𝑟𝑖𝑓𝑦 𝑚,𝑡 =1
(𝑚,𝑡)

7. Signature forgery game𝑣𝑘
M ←{}
𝑠𝑘,𝑣𝑘←𝐺𝑒𝑛( 1 𝑠 ) 𝑚′
M←𝑀∪{𝑚′}
Repeat as many times
as the adversary wants
𝑠𝑖𝑔′ ←𝑆𝑖𝑔 𝑛 𝑠𝑘 (𝑚′)
𝑠𝑖𝑔′
Wins if
𝑚 ∉𝑀
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 𝑚,𝑠𝑖𝑔 =1
(𝑚,𝑠𝑖𝑔)

8. Definition of signature scheme
Correctness:
Pr 𝑉𝑒 𝑟 𝑣𝑘 𝑚,𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 =1 𝑠𝑘,𝑣𝑘 ←𝐺𝑒𝑛 1 𝑠 =1
Unforgeability
For all PPT adversary 𝐴, there exists negligible function 𝜇,
Pr 𝐴 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑠𝑖𝑔𝑛𝑎𝑡𝑢𝑟𝑒 𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑔𝑎𝑚𝑒 ≤𝜇(𝑛)

9. Relation between macs and signatures
Every signature scheme is a message authentication code.
A mac scheme is not necessarily a signature.
Without the key, it may be impossible to verify a mac.

10. Signatures are expensive
They require public-key operations for each signature you wish to do.
Hash functions are relatively cheap

11. Hash and sign
Let (𝐺𝑒𝑛′,𝑆𝑖𝑔𝑛′,𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following
𝐺𝑒𝑛 1 𝑠 ≔𝐺𝑒 𝑛 ′ 1 𝑠
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔 𝑛 𝑠𝑘 ′ (𝐻 𝑚 )
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 𝑚,𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 ′ 𝐻 𝑚 ,𝑠𝑖𝑔 =1

12. Security of hash and sign
Let (𝐺𝑒𝑛′,𝑆𝑖𝑔𝑛′,𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following
𝐺𝑒𝑛 1 𝑠 ≔𝐺𝑒 𝑛 ′ 1 𝑠
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔 𝑛 𝑠𝑘 ′ (𝐻 𝑚 )
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑠𝑘 𝑚,𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓 𝑦 ′ 𝐻 𝑚 ,𝑠𝑖𝑔 =1
Essentially the same proof as hash and mac
Breaking security of this scheme means
Finding a collision
Finding a signature on an unsigned message

13. Interesting property of plaintext RSA
𝑠𝑘,𝑝𝑘 ←𝐾𝑒𝑦𝐺𝑒𝑛 1 𝑠 ⇒ 𝐸𝑛 𝑐 𝑝𝑘 𝐷𝑒 𝑐 𝑠𝑘 𝑚 =𝑚
Due to the fact that 𝑚 𝑒 𝑑 = 𝑚 𝑑 𝑒 = 𝑚 𝑒𝑑

14. RSA signature scheme
Let (𝐾𝑒𝑦𝑔𝑒𝑛,𝐸𝑛𝑐,𝐷𝑒𝑐) denote the RSA encryption scheme
𝐺𝑒𝑛 1 𝑠 ≔{𝑠𝑘←𝑠 𝑘 ′ , 𝑣𝑘←𝑝𝑘∣ 𝑠 𝑘 ′ ,𝑝 𝑘 ′ ←𝐾𝑒𝑦𝑔𝑒𝑛 1 𝑠 }
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐 𝑠𝑘 𝑚
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝐸𝑛 𝑐 𝑣𝑘 𝑠𝑖𝑔 =𝑚

15. Insecure RSA signature scheme
𝐺𝑒𝑛 1 𝑠 ≔{ 𝑣𝑘←𝑝𝑘, 𝑠𝑘←𝑠𝑘′ ∣ 𝑠 𝑘 ′ ,𝑝 𝑘 ′ ←𝐾𝑒𝑦𝑔𝑒𝑛 1 𝑠 }
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐 𝑠𝑘 𝑚
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 𝑚,𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 = 𝐸𝑛 𝑐 𝑣𝑘 𝐷𝑒𝑐 𝑠𝑘 𝑚
𝐸𝑛 𝑐 𝑣𝑘 𝐷𝑒𝑐 𝑠𝑘 𝑚 = 𝑚 𝑑 𝑒 = 𝑚 𝑒⋅𝑑 =𝑚

16. Secure RSA signature scheme
Assumptions
Random oracle 𝐻 (Hash function modeled as a random oracle
𝑛=𝑝𝑞 where 𝑝,𝑞 are prime
𝐺𝑒𝑛 1 𝑠 ≔{ 𝑣𝑘←𝑝𝑘, 𝑠𝑘←𝑠𝑘′ ∣ 𝑠 𝑘 ′ ,𝑝 𝑘 ′ ←𝐾𝑒𝑦𝑔𝑒𝑛 1 𝑠 }
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐 𝑠𝑘 𝐻(𝑚)
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 𝑚,𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚 ≔𝐻 𝑚 = 𝐸𝑛 𝑐 𝑣𝑘 𝐷𝑒𝑐 𝑠𝑘 𝐻(𝑚)
𝐸𝑛 𝑐 𝑣𝑘 𝐷𝑒𝑐 𝑠𝑘 𝐻(𝑚) = (𝐻 (𝑚)) 𝑑 𝑒 𝑚𝑜𝑑 𝑛
(𝐻 (𝑚)) 𝑑 𝑒 𝑚𝑜𝑑 𝑛 = 𝐻(𝑚) 𝑒⋅𝑑 𝑚𝑜𝑑 𝜙(𝑛) (𝑚𝑜𝑑 𝑛)=𝐻(𝑚)

17. Schnorr signature scheme
Based on
Group G
Generator 𝑔 for G
Random oracle 𝐻
Discrete logarithm

18. Schnorr signature scheme
Requirement: Group 𝐺, 𝐺 =𝑞, generator 𝑔, random oracle 𝐻
𝐺𝑒𝑛 1 𝑠
𝑠𝑘 ∈ 𝑅 𝐺
𝑣𝑘← 𝑔 𝑠𝑘
𝑉𝑒𝑟𝑖𝑓 𝑦 𝑣𝑘 (𝑚,𝑠𝑖𝑔)
𝑎,𝑠 ←𝑠𝑖𝑔
u ← 𝑔 𝑠 ⋅ 𝑣𝑘 −𝑎
Output 𝐻 𝑢,𝑚 =𝑎
𝑆𝑖𝑔 𝑛 𝑠𝑘 𝑚
𝑏∈ 𝑅 𝑍 |𝐺|
𝑢← 𝑔 𝑏
𝑎←𝐻(𝑢,𝑚)
𝑠←𝑎⋅𝑠𝑘+𝑏 (𝑚𝑜𝑑 𝑞)
Output (𝑎,𝑠)