
Defining and Proving Security for Signature Schemes

In the document Lecture Notes on Cryptography (Page 166-169)


9.3 Defining and Proving Security for Signature Schemes

A theoretical treatment of digital signature security was started by Goldwasser, Micali and Yao in [103] and continued in [101, 14, 145, 171, 74].

9.3.1 Attacks Against Digital Signatures

We distinguish three basic kinds of attacks, listed below in the order of increasing severity.

• Key-Only Attack: In this attack the adversary knows only the public key of the signer and therefore only has the capability of checking the validity of signatures of messages given to him.

• Known Signature Attack: The adversary knows the public key of the signer and has seen message/signature pairs chosen and produced by the legal signer. In reality, this is the minimum an adversary can do.

• Chosen Message Attack: The adversary is allowed to ask the signer to sign a number of messages of the adversary’s choice. The choice of these messages may depend on previously obtained signatures.

For example, one may think of a notary public who signs documents on demand.

For a finer subdivision of the adversary’s possible attacks see [101].

What does it mean to successfully forge a signature?

We distinguish several levels of success for an adversary, listed below in the order of increasing success for the adversary.

• Existential Forgery: The adversary succeeds in forging the signature of one message, not necessarily of his choice.

• Selective Forgery: The adversary succeeds in forging the signature of some message of his choice.

• Universal Forgery: The adversary, although unable to find the secret key of the signer, is able to forge the signature of any message.

• Total Break: The adversary can compute the signer’s secret key.

Clearly, different levels of security may be required for different applications. Sometimes it may suffice to show that an adversary who is capable of a known signature attack cannot succeed in selective forgery, while for other applications (for example when the signer is a notary public or a tax-return preparer) it may be required that an adversary capable of a chosen message attack cannot succeed even at existential forgery with non-negligible probability.

The security that we will aim at in these notes is that, with high probability, a polynomial-time adversary would not be able to even existentially forge in the presence of a chosen message attack.

We say that a digital signature is secure if an enemy who can use the real signer as “an oracle” cannot, in time polynomial in the size of the public key, forge a signature for any message whose signature was not obtained from the real signer. Formally, let $B$ be a black box which maps messages $m$ to valid signatures, i.e., $V(P, B(m), m) = 1$ for all messages $m$. Let the forging algorithm $F$ on input the public key $P$ have access to $B$, denoted as $F^B(P)$. The forging algorithm runs in two stages: it first launches a chosen message attack, and then outputs a “new forgery”, which is defined to be any message-signature pair such that the message was not signed before and the signature is valid. We require that for all forging algorithms $F$, for all polynomials $Q$, for all sufficiently large $k$,

$$\Pr\left[\,V(P, s, m) = 1 \;:\; (P, S) \xleftarrow{R} G(1^k);\ (m, s) \xleftarrow{R} F^B(P)\,\right] \le \frac{1}{Q(k)},$$

where $m$ is not among the messages $F$ submitted to $B$.

Cryptography: Lecture Notes 167

The probability is taken over the choice of the keys $(P, S) \in G(1^k)$, the coin tosses of the forgery algorithm $F$, and the coins of $B$.

Diffie and Hellman’s original proposal does not meet this strict definition of security; it is possible to existentially forge with just the public information: choose an $s$ at random and apply the public key to $s$ to produce $m = f(s)$. Now $s$ is a valid signature of $m$.

Many digital signature systems have been proposed. For a fairly exhaustive list we refer to the paper [101] handed out.

We examine the security of three systems here.

9.3.2 The RSA Digital Signature Scheme

The first example is based on the RSA cryptosystem.

The public key is a pair of numbers $(n, e)$ where $n$ is the product of two large primes and $e$ is relatively prime to $\varphi(n)$, and the secret key is $d$ such that $ed = 1 \bmod \varphi(n)$. Signing is to compute $\sigma(m) = m^d \bmod n$.

Verifying is to raise the signature to the powereand compare it to the original message.

Claim 9.1 RSA is universally forgeable under a chosen-message attack (alternatively, existentially forgeable under a known message attack).

Proof: If we are able to produce signatures for two messages, the signature of the product of the two messages is the product of the signatures. Let $m_1$ and $m_2$ be the two messages. Generate signatures for these messages with the black box: $\sigma(m_1) = m_1^d \bmod n$, $\sigma(m_2) = m_2^d \bmod n$. Now we can produce the signature for the product of these two messages:

$$\sigma(m_1 m_2) = (m_1 m_2)^d = m_1^d\, m_2^d = \sigma(m_1)\,\sigma(m_2) \bmod n.$$

To produce a signature for a message $m$, begin by choosing a random number $r \in \mathbb{Z}_n^*$. Now define $m_1$ and $m_2$ as follows: $m_1 = mr \bmod n$, and $m_2 = r^{-1} \bmod n$. Using the strategy above, we can find a signature for the product of these messages, which is the original message $m$, as follows: $m_1 m_2 = (mr)\,r^{-1} = m \bmod n$.
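As an added example (not code from the notes), the following Python models the signer as the black box $B$ and carries out both forgeries of the proof: the product forgery from two known signatures, and the blinding attack that gets any chosen $m$ signed without ever submitting $m$ itself. The toy primes, the exponent and the target message are constructed for illustration and are far too small for real use. Both attacks depend on the multiplicative structure of signing the bare message; in practice a signer applies a hash and padding to $m$ before exponentiating, which is what removes that structure.

```python
"""Textbook RSA signatures (sigma(m) = m^d mod n, no hashing or padding) and the
two forgeries from the proof of Claim 9.1.  Added example; the toy key is
constructed for illustration only."""
from __future__ import annotations
import math
import random
from typing import Callable

# Constructed toy key: n = p*q with small primes, e coprime to phi(n).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # d = e^{-1} mod phi(n)  (Python 3.8+)


def sign(m: int, d: int = D, n: int = N) -> int:
    """The signer's black box B: returns sigma(m) = m^d mod n."""
    return pow(m, d, n)


def verify(m: int, s: int, e: int = E, n: int = N) -> bool:
    """V(P, s, m) = 1 iff s^e = m mod n."""
    return pow(s, e, n) == m % n


def existential_forgery(oracle: Callable[[int], int], m1: int, m2: int) -> tuple[int, int]:
    """Known-message attack: from sigma(m1), sigma(m2) derive sigma(m1*m2)
    without ever asking the oracle for m1*m2."""
    s1, s2 = oracle(m1), oracle(m2)
    return (m1 * m2) % N, (s1 * s2) % N


def universal_forgery(oracle: Callable[[int], int], m: int, rng: random.Random) -> int:
    """Chosen-message attack (blinding): ask for sigma(m*r) and sigma(r^-1) and
    multiply.  The oracle never sees m itself."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:          # r must be in Z_n^*
            break
    m1 = (m * r) % N
    m2 = pow(r, -1, N)
    return (oracle(m1) * oracle(m2)) % N


class LoggingOracle:
    """Wraps the signer and records every message it was asked to sign, so we
    can check that the forged message was never submitted."""
    def __init__(self) -> None:
        self.queried: list[int] = []

    def __call__(self, m: int) -> int:
        self.queried.append(m % N)
        return sign(m)


def demo() -> bool:
    rng = random.Random(1)
    oracle = LoggingOracle()
    target = 0x4D5543480C0FFEE % N     # constructed message the forger wants signed
    forged = universal_forgery(oracle, target, rng)
    universal_ok = verify(target, forged) and target not in oracle.queried
    m12, s12 = existential_forgery(oracle, 17, 23)
    existential_ok = verify(m12, s12) and m12 not in oracle.queried
    return universal_ok and existential_ok


if __name__ == "__main__":
    print("both forgeries verify and were never queried:", demo())
```

`LoggingOracle` is the part worth keeping when experimenting: it makes the "new forgery" condition of the security definition checkable rather than assumed.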

9.3.3 El Gamal’s Scheme

The security of this digital signature system relies on the difficulty of solving a problem called the Diffie-Hellman key exchange (DHKE) problem, which is related to the discrete log problem. The DHKE problem is: on input a prime $p$, a generator $g$, and $g^x, g^y \in \mathbb{Z}_p^*$, compute $g^{xy} \bmod p$. The best way currently known to solve the DHKE problem is to first solve the discrete log problem. Whether computing a discrete log is as hard as the Diffie-Hellman problem is currently an open question.

The following digital signature scheme is probabilistic. A close variant of it called DSS has been endorsed as a national standard.

Idea of the scheme:

• Public key: A triple $(y, p, g)$, where $y = g^x \bmod p$, $p$ is prime and $g$ is a generator for $\mathbb{Z}_p^*$.

• Secret key: $x$ such that $y = g^x \bmod p$.

• Signing: The signature of message $m$ is a pair $(r, s)$ such that $0 \neq r, s \neq p-1$ and $g^m = y^r r^s \bmod p$.

• Verifying: Check that $g^m = y^r r^s \bmod p$ actually holds.

In order to generate a pair $(r, s)$ which constitutes a signature, the signer begins by choosing a random number $k$ such that $0 \neq k \neq p-1$ and $\gcd(k, p-1) = 1$. Let $r = g^k \pmod p$. Now we want to compute an $s$ such that $g^m = y^r r^s = g^{xr + ks} \bmod p$. In terms of the exponents, this relationship is $m = xr + ks \pmod{p-1}$. Hence $s = (m - xr)\,k^{-1} \bmod (p-1)$. The signature of $m$ is the pair $(r, s)$.

Clearly, if an attacker could solve the discrete logarithm problem, he could break the scheme completely by computing the secret key $x$ from the information in the public file. Moreover, if an attacker finds $k$ for one message, he can recover $x$ (from $m = xr + ks \pmod{p-1}$, in which $m$, $r$ and $s$ are public), i.e. he has solved the discrete logarithm problem for $y$, so the pseudo-random number generator employed to generate the $k$’s has to be of superior quality.

Claim 9.2 This scheme is existentially forgeable in the presence of a known message attack.

Exercise.
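The following Python, added here as an example (it is not code from the notes and does not claim to be the intended solution of the exercise), implements the scheme exactly as specified above, with the message $m$ used directly as the exponent and no hash. It then shows two consequences of that algebra: recovering $x$ from a signature whose $k$ has leaked, and a key-only existential forgery (which in particular is a forgery under a known message attack, as in Claim 9.2). The prime is constructed and far too small for real use; the generator is found by trial rather than assumed.

```python
"""El Gamal signatures as specified above (g^m = y^r r^s mod p), nonce-leak key
recovery, and a key-only existential forgery.  Added example with a constructed
small prime; not code from the notes."""
from __future__ import annotations
import math
import random

P = 1000003   # constructed prime, far too small for real use


def prime_factors(n: int) -> set[int]:
    out, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            out.add(q)
            n //= q
        q += 1
    if n > 1:
        out.add(n)
    return out


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_generator(p: int) -> int:
    return next(g for g in range(2, p) if is_generator(g, p))


def keygen(rng: random.Random, p: int = P) -> tuple[tuple[int, int, int], int]:
    g = find_generator(p)
    x = rng.randrange(1, p - 1)
    return (pow(g, x, p), p, g), x           # public (y, p, g), secret x


def sign(m: int, x: int, pub: tuple[int, int, int], rng: random.Random) -> tuple[int, int, int]:
    """Returns (r, s, k).  k is returned only so recover_x_from_k can show what a
    leaked nonce gives away; a real signer must never reveal it."""
    y, p, g = pub
    while True:
        k = rng.randrange(1, p - 1)
        if math.gcd(k, p - 1) == 1:
            break
    r = pow(g, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)   # m = x r + k s (mod p-1)
    return r, s, k


def verify(m: int, r: int, s: int, pub: tuple[int, int, int]) -> bool:
    y, p, g = pub
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(g, m, p) == (pow(y, r, p) * pow(r, s, p)) % p


def recover_x_from_k(m: int, r: int, s: int, k: int, p: int) -> int | None:
    """From m = x r + k s (mod p-1):  x = (m - k s) r^{-1} (mod p-1).
    Needs gcd(r, p-1) = 1; otherwise several candidates remain (returns None)."""
    if math.gcd(r, p - 1) != 1:
        return None
    return ((m - k * s) * pow(r, -1, p - 1)) % (p - 1)


def key_only_forgery(pub: tuple[int, int, int], rng: random.Random) -> tuple[int, int, int]:
    """Pick e, v with gcd(v, p-1) = 1; set r = g^e y^v, s = -r v^{-1}, m = e s (mod p-1).
    Then y^r r^s = g^{es} y^{r + vs} = g^m because vs = -r (mod p-1).  Returns (m, r, s)."""
    y, p, g = pub
    while True:
        e, v = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
        if math.gcd(v, p - 1) != 1:
            continue
        r = (pow(g, e, p) * pow(y, v, p)) % p
        s = (-r * pow(v, -1, p - 1)) % (p - 1)
        if s != 0:
            return (e * s) % (p - 1), r, s


def demo() -> dict[str, bool]:
    rng = random.Random(7)
    pub, x = keygen(rng)
    m = 123456                               # constructed message
    while True:                              # retry until r is invertible mod p-1
        r, s, k = sign(m, x, pub, rng)
        if math.gcd(r, P - 1) == 1:
            break
    m_f, r_f, s_f = key_only_forgery(pub, rng)
    return {
        "signature_verifies": verify(m, r, s, pub),
        "x_recovered_from_leaked_k": recover_x_from_k(m, r, s, k, P) == x,
        "forgery_verifies": verify(m_f, r_f, s_f, pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged message $m$ here is whatever $e \cdot s$ turns out to be, which is exactly what "existential" means: the forger controls the form of the pair, not the content of the message.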

Note on a key exchange protocol based on discrete log: It is interesting to note that it is possible for two people to exchange a secret key without a prior secret meeting using the DL problem, which is not known to yield a trapdoor function. This can be done as follows. Persons A and B agree on a prime $p$ and a generator $g$. Person A chooses a secret number $x$ and sends $g^x \pmod p$ to B. Person B chooses a secret number $y$ and sends $g^y \pmod p$ to A. Now each user can readily compute $g^{xy} \pmod p$; let this be the shared secret key. It is not known if computing $g^{xy}$ from $g^x$ and $g^y$ is as difficult as DLP.

9.3.4 Rabin’s Scheme

Rabin [164] proposed a method where the signature for a message $M$ was essentially the square root of $M$ modulo $n$, the product of two large primes. Since the ability to take square roots is provably equivalent to the ability to factor $n$, an adversary should not be able to forge any signatures unless he can factor $n$.

For our purpose let’s consider the variant of it where $n = pq$ and $p \equiv q \equiv 3 \pmod 4$, so that the signature is uniquely determined.

This argument assumes that the adversary only has access to the public key containing the modulus $n$ of the signer. An enemy may break this scheme with an active attack by asking the real signer to sign $M = x^2 \bmod n$, where $x$ has been chosen randomly. If the signer agrees and produces a square root $y$ of $M$, there is half a chance that $\gcd(n, x - y)$ will yield a nontrivial factor of $n$ — the signer has thus betrayed his own secrets! Although Rabin proposed some practical techniques for circumventing this problem, they have the effect of eliminating the constructive reduction of factoring to forgery.

Let us look at this in some detail.

This digital signature scheme is based on the difficulty of computing square roots modulo a composite number.

• Public key: $n = pq$

• Secret key: primes $p, q$

• Signing: $s = \sqrt{m} \bmod n$ (assume WLOG that all $m$ are squares)

• Verification: Check that $s^2 = m \bmod n$.

Claim 9.3 This system is existentially forgable with key-only attack.

Proof: Choose a signature and square it to produce a corresponding message.

Claim 9.4 The system is totally breakable in the face of a chosen message attack.

Proof: We know that if we can find two square roots of a message that are not negatives of each other, we can factor the modulus.

Choose a value $s$ and let $m = s^2 \bmod n$. Now $s$ is a valid signature of $m$. Submit $m$ to the black box and call its answer $y$. There is a one in two chance that $y = \pm s$, which gives nothing; if so, repeat this process. If not, $s^2 = y^2 \bmod n$ with $s \neq \pm y$, so $\gcd(s - y, n)$ is a nontrivial factor of $n$ and we have recovered the factors.
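The Python below, added here as an example (not code from the notes), implements the signer with the $p \equiv q \equiv 3 \pmod 4$ variant above and runs both attacks: the key-only existential forgery of Claim 9.3 and the chosen-message total break of Claim 9.4. The signer returns one of the four square roots at random, which is the choice the "one in two chance" refers to. The toy primes and the attacker's seed are constructed for illustration.

```python
"""Rabin signatures (s = sqrt(m) mod n, n = pq, p = q = 3 mod 4) and the attacks
of Claims 9.3 and 9.4.  Added example with constructed toy primes."""
from __future__ import annotations
import math
import random

# Constructed toy key; both primes are 3 mod 4 so a root is one exponentiation.
P, Q = 1000003, 1000039
assert P % 4 == 3 and Q % 4 == 3
N = P * Q
_SIGNER_COINS = random.Random(2024)   # the signer's own randomness


def crt(a_p: int, a_q: int, p: int = P, q: int = Q) -> int:
    """Combine residues mod p and mod q into the residue mod pq."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % (p * q)


def all_square_roots(m: int, p: int = P, q: int = Q) -> list[int]:
    """The four square roots of a square m mod pq.  For p = 3 mod 4,
    m^((p+1)/4) is a root of m mod p whenever m is a quadratic residue mod p."""
    rp = pow(m, (p + 1) // 4, p)
    rq = pow(m, (q + 1) // 4, q)
    if (rp * rp) % p != m % p or (rq * rq) % q != m % q:
        raise ValueError("m is not a square mod n")
    return [crt(a, b, p, q) for a in (rp, p - rp) for b in (rq, q - rq)]


def signer(m: int) -> int:
    """The signing black box: knows p, q and returns one of the four roots of m."""
    return _SIGNER_COINS.choice(all_square_roots(m))


def verify(m: int, s: int, n: int = N) -> bool:
    return (s * s) % n == m % n


def key_only_existential_forgery(rng: random.Random, n: int = N) -> tuple[int, int]:
    """Claim 9.3: pick the signature first, then the message it signs."""
    s = rng.randrange(1, n)
    return (s * s) % n, s


def chosen_message_total_break(rng: random.Random, n: int = N) -> tuple[int, int, int]:
    """Claim 9.4: ask the signer for a root of s^2 for an s we chose ourselves.
    With probability 1/2 the answer y is not +-s, and then s^2 = y^2 mod n with
    s != +-y, so gcd(s - y, n) splits n.  Returns (p, q, number_of_queries)."""
    queries = 0
    while True:
        s = rng.randrange(1, n)
        if math.gcd(s, n) != 1:
            continue
        y = signer((s * s) % n)
        queries += 1
        f = math.gcd(s - y, n)
        if 1 < f < n:                 # y was neither s nor -s
            return min(f, n // f), max(f, n // f), queries


def demo() -> dict[str, object]:
    attacker = random.Random(3)
    m, s = key_only_existential_forgery(attacker)
    p, q, tries = chosen_message_total_break(attacker)
    return {"forgery_verifies": verify(m, s), "factors": (p, q), "queries": tries}


if __name__ == "__main__":
    print(demo())
```

The loop in `chosen_message_total_break` terminates after two queries on average; the expected number of signatures the adversary needs is constant, which is what makes the break total rather than merely theoretical.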


Security when “Breaking” is Equivalent to Factoring

Given the insecurity of Rabin’s scheme in the face of a chosen message attack, one might hypothesize that there exists no secure digital signature system based on factoring. That is, a scheme wherein:

• (1) “Breaking” the scheme is equivalent to factoring.

• (2) The signature scheme is secure against a chosen message attack.

False proof: We assume (1) and show that (2) is impossible. Since the first statement is that “breaking” the scheme is equivalent to factoring, we know that the following reduction must be possible on input of a composite number $n$.

• Generate a public key P.

• Produce a messagem.

• Produce a valid signature $s \in \sigma(P, m)$ using the “breaker” algorithm. (Repeat these three steps up to a polynomial number of times.)

• Factorn.

Conclude that the system must be insecure in the face of a chosen message attack, since we can substitute the CMA for the “breaker” algorithm in step 3. QED

What is wrong with this argument? First, there is only a vague definition of the public information $P$; it need not contain the number $n$. Second, the CMA will always produce signatures with respect to fixed public information, whereas in the above reduction it may be necessary to use different public information in every call to the “breaker”.
