# 10. Digital Signatures

## Digital Signatures

Definition.Asignature scheme$\mc{S} = (G, S, V)$ is a triple of efficient algorithms, where $G$ is akey generationalgorithm, $S$ is asigningalgorithm, and $V$ is averificationalgorithm.

- A probabilistic algorithm $G$ outputs a pair $(pk, sk)$, where $sk$ is called a secret
signing key, and $pk$ is a publicverification key.- Given $sk$ and a message $m$, a probabilistic algorithm $S$ outputs a
signature$\sigma \la S(sk, m)$.- $V$ is a deterministic algorithm that outputs either $\texttt$ or $\texttt{reject}$ for $V(pk, m, \sigma)$.

The correctness property requires that all signatures generated by $S$ is always accepted by $V$. For all $(pk, sk) \la G$ and $m \in \mc{M}$,

\[\Pr[V(pk, m, S(sk, m)) = \texttt] = 1.\]### Properties of Digital Signatures

- Digital signatures can be verified by anyone, whereas MACs can be verified by the parties sharing the same key.
- No need to share a key for digital signatures.

**Non-repudiation**: cannot deny having created the signature.- Signatures can only be created by people having the secret key.
- In cases where the secret key is leaked, then we don’t have non-repudiation.
- In MACs, the secret key is shared by two parties, so we don’t have non-repudiation.

- Must trust the identity of the public key.
- How do you trust that this public key is Alice’s?
- We need
**public key infrastructure**(PKI).

### Applications

- Electronic document signing
- HTTPS/TLS certificates
- Software installation
- Authenticated email (DKIM)
- Bitcoins

## Secure Digital Signatures

The definition is similar to the secure MAC. The adversary can perform a **chosen message attack**, but cannot create an **existential forgery**.

Definition.Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$. Given an adversary $\mc{A}$, the game goes as follows.

- The challenger generates $(pk, sk) \la G()$ and sends $pk$ to $\mc{A}$.
- $\mc{A}$ makes a series of
signing queriesto the challenger.

- Each query is a message $m_i \in \mc{M}$, the challenger responds with $\sigma_i \la S(sk, m_i)$.
- $\mc{A}$ computes and outputs a candidate forgery pair $(m, \sigma) \in \mc{M} \times \Sigma$.

- $m \notin \left\lbrace m_1, \dots, m_q \right\rbrace$.
- $(m, \sigma) \notin \left\lbrace (m_1, \sigma_1), \dots, (m_q, \sigma_q) \right\rbrace$. (strong)
$\mc{A}$ wins if $V(pk, m, \sigma) = \texttt{accept}$, let this event be $W$. The advantage of $\mc{A}$ with respect to $\mc{S}$ is defined as

\[\rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}] = \Pr[W].\]If the advantage is negligible for all efficient adversaries $\mc{A}$, the signature scheme $S$ is (strongly)

secure. $\mc{S}$ isexistentially unforgeable under a chosen message attack.

- We do not make verification queries, since the adversary can always check any signature.
- The normal definition of security is sufficient. Secure signature schemes can be converted into strongly secure signature schemes. See Exercise 14.10.
^{1}

### Message Confusion

Two different messages $m, m’$ can produce the same signature $\sigma$. In this case, the scheme is vulnerable to **message confusion**. See Exercise 13.3.^{1}

In common implementations, we consider $m$, $m’$ both to be valid. But there may be situations that this is undesirable. For those cases, a signature is would be a *binding commitment* to the message, and there will be no confusion.

### Signer Confusion

Suppose that $(m, \sigma)$ is a valid pair with $pk$, i.e, $V(pk, m, \sigma) = \texttt{accept}$. But an attacker can generate $pk’$ different from $pk$ such that $V(pk’, m, \sigma) = \tt{accept}$. In this cases, we have **signer confusion** since both can claim to have signed $m$. See Exercise 13.4.^{1}

### Strongly Binding Signatures

**Strongly binding signatures** prevent both message confusion and signer confusion.

Any signature scheme can be made strongly binding by appending a collision resistant hash of $(pk, m)$ to the signature. See Exercise 13.5.^{1}

## Extending the Message Space

We can extend the message space of a secure digital signature scheme, as we did for MACs. Let $\mc{S} = (G, S, V)$ be a signature scheme defined over $(\mc{M}, \Sigma)$ and let $H : \mc{M}’ \ra \mc{M}$ be a hash function with $\left\lvert \mc{M}’ \right\lvert \geq \left\lvert \mc{M} \right\lvert$.

Define a new signature scheme $\mc{S}’ = (G, S’, V’)$ over $(\mc{M}’, \Sigma)$ as

\[S'(sk, m) = S(sk, H(m)), \qquad V'(pk, m, \sigma) = V(pk, H(m), \sigma).\]This is often called the **hash-and-sign paradigm**, and the new signature scheme is also secure.

Theorem.Suppose that $\mc{S}$ is a secure signature scheme and $H$ is a collision resistant hash function. Then $\mc{S}’$ is a secure signature.If $\mc{A}$ is an adversary attacking $\mc{S}’$, then there exist an adversary $\mc{B}_\mc{S}$ attacking $\mc{S}$ and an adversary $\mc{B}_H$ attacking $H$ such that

\[\rm{Adv}_{\rm{SIG}}[A, \mc{S}'] \leq \rm{Adv}_{\rm{SIG}}[\mc{B}_\mc{S}, \mc{S}] + \rm{Adv}_{\rm{CR}}[\mc{B}_H, H].\]

*Proof*. The proof is identical to the theorem for MACs.

## Digital Signature Constructions

We can build secure signature schemes from hash functions, trapdoor permutations, or from discrete logarithms.

### Textbook RSA Signatures

This is the signature scheme based on the textbook RSA. It is also insecure.

- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
- Sign: $S(sk, m) = m^d \bmod N$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^e = m \bmod N$.

Here are some possible attacks.

- No message attack
- Just return $(\sigma^e, \sigma)$ for some $\sigma$. Then it passes verification.

- Attack using the homomorphic property.
- Suppose we want to forge a message $m$.
- Pick $m_1 \in \Z_N^{\ast}$ and set $m_2 = m\cdot m_1^{-1} \bmod N$.
- Query signatures for both messages and multiply the responses.
- $\sigma = \sigma_1 \cdot \sigma_2 = m_1^e \cdot m^e \cdot m_1^{-e} = m^e \bmod N$.

- Then $(m, \sigma)$ is a valid pair.

Because of the second attack, the textbook RSA signature is **universally forgeable**. This property is used to create **blind signatures**, where the signer creates a signature without any knowledge about the message. See Exercise 13.15.^{1}

### RSA Full Domain Hash Signature Scheme

Given a hash function $H : \mc{M} \ra \mc{Y}$, the **RSA full domain hash** signature scheme $\mc{S}_\rm{RSA-FDH}$ is defined as follows.

- Key generation: $pk = (N, e)$ and $sk = (N, d)$ are chosen to satisfy $d = e^{-1} \bmod \phi(N)$ for $N = pq$.
- Sign: $S(sk, m) = H(m)^d \bmod N$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $\sigma^d = H(m) \bmod N$.

This scheme is now secure.

Theorem.If the hash function $H$ is modeled as a random oracle, and the RSA assumptions holds, then $\mc{S}_\rm{RSA-FDH}$ is a secure signature scheme.For any $q$-query adversary $\mc{A}$ against hashed RSA, there exists an adversary $\mc{B}$ solving the RSA problem such that

\[\rm{Adv}_{\rm{SIG}}[\mc{A}, \mc{S}_\rm{RSA-FDH}] \leq q \cdot \rm{Adv}_{\rm{RSA}}[\mc{B}].\]

### Full Domain Hash Signature Scheme

The following is a description of a **full domain hash** scheme $\mc{S}_\rm{FDH}$, constructed from trapdoor permutation scheme $\mc{T} = (G, F, I)$.

- Key generation: $(pk, sk) \la G()$.
- Sign: $S(sk, m)$ returns $\sigma \la I(sk, H(m))$.
- Verify: $V(pk, m, \sigma)$ returns $\texttt{accept}$ if and only if $F(pk, \sigma) = H(m)$.

This scheme $\mc{S}_\rm{FDH} = (G, S, V)$ is secure if $\mc{T}$ is a **one-way trapdoor permutation** and $H$ is a random oracle.

Theorem.Let $\mc{T} = (G,F,I)$ be a one-way trapdoor permutation defined over $\mc{X}$. Let $H : \mc{M} \ra \mc{X}$ be a hash function, modeled as a random oracle. Then the derived FDH signature scheme $\mc{S}_\rm{FDH}$ is a secure signature scheme.

*Proof*. See Theorem 13.3.^{1}

## Schnorr Digital Signature Scheme

This one uses discrete logarithms.

### The Schnorr Identification Protocol

This scheme is originally from the **Schnorr identification protocol**.

Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. We consider an interaction between two parties, prover $P$ and a verifier $V$. The prover has a secret $\alpha \in \Z_q$ and the verification key is $u = g^\alpha$. **$P$ wants to convince $V$ that he knows $\alpha$, but does not want to reveal $\alpha$**.

The protocol $\mc{I}_\rm{sch} = (G, P, V)$ works as follows.

- A
secret key$\alpha \la \Z_q$ andverification key$u \la g^\alpha$ is generated. The prover $P$ has $\alpha$ and the verifier $V$ has $u$.- $P$ computes a random $\alpha_t \la \Z_q$, and sends $u_t \la g^{\alpha_t}$ to $V$.
- $V$ chooses a random $c \la \Z_q$ and sends it to $P$.
- $P$ computes $\alpha_z \la \alpha_t + \alpha c \in \Z_q$ and sends it to $V$.
- $V$ checks if $g^{\alpha_z} = u_t \cdot u^c$. Accept if and only if it is equal.

- $u_t$ is the
**commitment**sent to the verifier. - $c$ is the
**challenge**sent to the prover.- If $P$ can predict the challenge, $P$ can choose $\alpha_t$ and $\alpha_z$ so that verifier accepts it.

- $\alpha_z$ is the
**response**sent to the verifier.

We must check a few things.

**Correctness**: If $P$ has the correct $\alpha$, then $g^{\alpha_z} = g^{\alpha_t} \cdot (g^\alpha)^c = u_t \cdot u^c$.**Soundness**: If $P$ does not have the correct $\alpha$, it is reject with probability $1 - \frac{1}{q}$.- We can repeat this many times then the probability of reject is $1 - \frac{1}{q^n} \ra 1$.
- Thus $q$ (the size of the challenge space) must be large.

**Zero-knowledge**: $V$ learns no information about $x$ from the conversation.- This will be revisited later. See here.

Theorem.The Schnorr identification protocol is secure if the DL problem is hard, and the challenge space $\mc{C}$ is large.

### Schnorr Digital Signature Scheme

We *transform* the above protocol to a signature scheme.^{2} We need a hash function $H : \mc{M} \times G \ra \mc{C}$, modeled as a random oracle. The protocol originally involves interaction between two parties, but a signature is computed by a single party. Intuitively, $H$ will play the role of the verifier.

The **Schnorr signature scheme** $\mc{S}_\rm{sch} = (G, S, V)$ is defined as follows.

- Key generation: a
**secret key**$sk = \alpha \la \Z_q$ and**public key**$pk = u \la g^\alpha$ is generated. - Sign: $S(sk, m)$ outputs $\sigma = (u_t, \alpha_z)$ where
- Choose random $\alpha_t \la \Z_q$ and set $u_t \la g^{\alpha_t}$.
**Compute $c \la H(m, u_t)$**and set $\alpha_z \la \alpha_t + \alpha c$.

- Verify: $V(pk, m, \sigma)$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} = u_t \cdot u^c$.
- $c \la H(m, u_t)$ can be computed and $u$ is known.

Since $H$ is being modeled as a random oracle, the signer cannot predict the value of the challenge $c$. Also, $c$ must take both $m$ and $u_t$ as input, since without $m$, the signature is not related to $m$ (the signature has no $m$ term inside it). On the other hand, without $u_t$, then the scheme is insecure since the Schnorr identification protocol is HVZK. See Exercise 19.12.^{1}

Theorem.If $H$ is modeled as a random oracle and Schnorr’s identification protocol is secure, then Schnorr’s signature scheme is also secure.

*Proof*. See Theorem 19.7.^{1}

Note that $\alpha \la \Z_q$ must be chosen randomly every time.

## Digital Signature Algorithm

Schnorr’s scheme was protected by a patent, so NIST opted for a ad-hoc signature scheme based on a prime order subgroup of $\Z_p^{\ast}$. This algorithm eventually became the **Digital Signature Algorithm** (DSA). The standard was updated to support elliptic curve groups over a finite field, resulting in **ECDSA**.

## Public Key Infrastructure

How would you trust public keys? We introduce **digital certificates** for this.