Digital Signature Schemes

Introduction

The conventional handwritten signature on a document is used to certify that the signer is responsible for the content of the document. The signature is physically a part of the document and while forgery is certainly possible, it is difficult to do so convincingly. Trying to mimic a handwritten signature in a digital medium leads to a difficulty since cut and paste operations can be used to create a perfect forgery. Thus, we need to have a way of signing messages digitally which is functionally equivalent to a physical signature, but which is at least as resistant to forgery as its physical counterpart.

Schemes which provide this functionality are called Digital Signature Schemes. A Digital Signature Scheme will have two components, a private signing algorithm which permits a user to securely sign a message and a public verification algorithm which permits anyone to verify that the signature is authentic. The signing algorithm needs to "bind" a signature to a message in such a way that the signature can not be pulled out and used to sign another document, or have the original message modified and the signature remain valid. For practical reasons it would be necessary for both algorithms to be relatively fast and if small computers such as smart cards are to be used, the algorithms can not be too computationally complex.

There are many Digital Signature Schemes which meet these conditions, but we shall only investigate a few of the most popular ones.

RSA Signatures

As we have previously noted, in order for Bob to sign a message m, he raises m to his private decryption exponent mod n. This is the signature algorithm. Anyone can verify this signature by raising md to Bob's public encryption exponent mod n. This is the verification algorithm. Application of the verification algorithm to a valid signature yields the message m. The verifier must know the message m in order to be sure that this is the message that Bob signed, so in this application Bob must send the ordered pair (m, md mod n). Some care must be taken in the construction of the message to be signed in this way. For instance, if m is the instruction to Bob's bank to issue a check to Alice, then if Alice intercepts the ordered pair, she can send the same pair to Bob's bank whenever she is a little low on cash. To prevent this kind of abuse, when it matters, messages should include dates and other such items which prevent the message from being reused.

Forgeries of Bob's signature are easy to construct. The requirement for a valid signature is that raising the second coordinate to Bob's public encryption exponent e gives the first coordinate. Frank the "forger" can take any number y, calculate x = ye mod n and send the pair (x,y). This will be verified as Bob signing the message x. Frank's problem is that he has no control over the "message" x, which will normally be just random nonsense. Without breaking the RSA cryptosytem, Frank has only a negligible chance of finding a meaningful message, let alone a desired message.

El-Gamal Signature Scheme

Unlike the RSA Signature scheme, which can be used as both a cryptosystem and a signature scheme, this signature scheme is designed specifically for signatures and is based on the discrete logarithm problem. As with the El-Gamal cryptosystem, computations are carried out in Zp, where p is a prime such that the discrete log problem is intractable in Zp. A generator of Zp* is fixed, and each user selects a secret exponent a, and publishes the value = a mod p. If Alice wishes to sign a message m, she will first select a random secret integer k with gcd(k,p-1) = 1. She then computes r = k mod p and then computes s = k-1(m -ar) mod (p-1). The signature is the triple (m,r,s).

The verification algorithm compares rrs mod p and m mod p. Noting that from the definition of s, we have m = sk + ar mod (p-1), we see that:

m =sk+ar = (k)s(a)r = rsr mod p.
Now suppose that Frank wants to forge Alice's signature on a message m without knowing Alice's secret exponent a. He can pick r randomly (just as Alice does) and then has to find an s so that rrs = m mod p. Rewritten, this amounts to solving rs = -rm mod p. Which is the discrete logarithm problem. On the other hand, if he first selects a random s, then he must solve the congruence rrs = m mod p for r. This is a problem for which no feasible solution is known and it does not seem to be related to any well studied problem such as the Discrete Log problem. There remains the possibility that Frank can choose r and s simultaneously to get a valid signature. No one has discovered a way to do this, but then again, no one has proved that it can't be done.

Unlike the RSA signature scheme, Frank can not forge Alice's signature on "random messages" by randomly picking r and s and calculating a message m so that (m,r,s) is a valid Alice signature [to do this would require solving the discrete log problem]. However, Frank can create valid Alice signatures by selecting r,s and m simultaneously. To do this, Frank picks two integers, i and j (less than p-1) such that gcd(j,p-1) = 1. Then Frank calculates:

r = ij mod p
s = -rj-1 mod (p-1)
m = is mod (p-1)
Checking the verification algorithm, we see that:
rrs = r(ij)s mod p
= r(isjs) mod p
= r(is-r) mod p
= m mod p.
There are some protocol failures that would compromise the El-Gamal signature scheme. The first involves the secret exponent k. Should this become known, then given a signature (m,r,s) the congruence ar = m-ks mod (p-1), has d = gcd(r,p-1) possible solutions for a. The correct one can be found by verifying that = a mod p. This gives Alice's secret exponent a and so breaks the system. A second protocol failure would occur if Alice used the same exponent k for two different messages. If Alice did this for two messages, m1 and m2, then the r in the signatures would be the same (and Frank would notice this failure of protocol). If the corresponding s values are s1 and s2, then -ar = s1k - m1 = s2k - m2 mod (p-1), and so, (s1 - s2)k = m1 - m2 mod (p-1). Let d = gcd(s1-s2, p-1). There are d solutions to the congruence, and d will usually be small. The correct value of k can be obtained by checking these d possibilities to see which satisfies r = k mod p. Once k is determined, we can calculate a as above and break the system.

Hash Functions

One of the problems with the above mentioned signature schemes is that the signatures are as long or longer than the messages that they sign. When the messages are large this can become a significant difficulty. One way to deal with this is to use cryptographic hash functions. A hash function h takes a message m of arbitrary length and produces a message digest h(m) of some fixed length. In order for a hash function to be useful in cryptographic work, it should satisfy the following conditions:
  1. The message digest h(m) should be calculated very quickly.
  2. The hash function h should be a one-way function, that is, given a message digest h(m), it should be computationally infeasible to obtain the message m.
  3. The hash function h should be strongly collision free, meaning that it should be computationally infeasible to find two messages m1 and m2 so that h(m1) = h(m2).
There are several professional strength hash functions available. In 1990, Rivest proposed the MD4 Hash function and the following year he presented a strengthened version known as MD5. These hash functions produce message digests of 128-bit size for arbitrary length messages. In 1993 (and modified in 1994) the federal government adopted the Secure Hash Standard (SHS) which produces message digests of 160-bits. These functions (algorithms) are fast but complicated and their analysis is difficult. No proof is known that they do satisfy the 2nd and 3rd conditions for a cryptographic hash function, but in practice they seem to work quite well.

We shall examine the discrete log hash function due to Chaum, van Heijst and Pfitzmann. Unfortunately, the calculation of this function is too slow to be of practical use, but it is simple enough to permit an analysis of its cryptographic security.

Select a large prime p such that q = (p-1)/2 is also prime. Choose two primitive roots and of Zp. For a message m with m < q2 we can write m = b + cq with 0b,c < q. We then set h(m) = bc mod p.

In this set up, since is a primitive element, there exists an exponent a such that = a mod p. Of course finding this exponent involves solving the discrete log problem in this field. If, however, we can find a collision for this hash function, i.e., different messages m1 = r + sq and m2 = t + uq with h(m1) = h(m2), then we can easily calculate the exponent a. This follows since,

rs = tu mod p, implies
r-t = u-s = a(u-s) mod p, and so,
a(u-s) = (r-t) mod (p-1).
Let d = gcd(u-s, p-1). There will be d solutions (for a) of this last congruence. Since p - 1 = 2q and q is prime, the only possibilities for d are 1,2,q and 2q = p-1. Since 0u,s < q, we have that -q < u-s < q, so if u is not equal to s, any divisor of u-s (such as d) must be less than q, i.e., d = 1 or 2. On the other hand, if u = s, then from the congruence we obtain r = t, so the messages are the same, contrary to our assumption. If d = 2, we can check the two possible values to obtain the correct exponent a. So, if we assume that finding discrete logarithms is computationally infeasible, then it follows that this hash function is strongly collision free.

In the digital signature application, a cryptographic hash function is made public. The signature algorithm is then applied to the message digest obtained from this hash function. The message and this signature are then sent. The verification algorithm is applied to the signed message digest and compared with the message digest that is recomputed from the message. Signatures in this version are much shorter than the messages that they sign. The cryptographic properties of the hash function prevent forgeries. However, since the message digests are of fixed size, there are not as many of them as there are possible messages. This leads to another type of attack which can be launched against digital signature schemes which employ hash functions.

Birthday Attack

The well known "Birthday Paradox" (not really a paradox, just a surprising result) that in a randomly selected group of at least 23 people, the probability of two having the same birthday is at least 1/2, leads to a method for finding collisions of a hash function known as the Birthday Attack.

Consider a set Z with n elements (think of this as the set of hash digests). We wish to calculate the probability that k randomly selected elements of Z will contain no equal elements (no collisions). As the probability of selecting a particular element is 1/n, we calculate this probability as follows: The first choice is arbitrary. The probability that the second choice is distinct from the first is 1-1/n, while the probability that the third is distinct from the first two is 1 - 2/n, etc. Thus, the probability that k elements are selected with no collisions is

(1-1/n)(1-2/n)(1-3/n)...(1- (k-1)/n) = Prod {i=1 to k-1} (1 - i/n).
If x is a small real number, then 1-x ~ e-x which is derived by taking the first two terms of the series expansion e-x = 1 - x + x2/2! - x3/3! ... . Therefore, an estimate for our probability is
Prod {i=1 to k-1} (1 - i/n) ~ Prod {i=1 to k-1} e-i/n = e-k(k-1)/2n.
Letting p be the probability of obtaining a collision, we have p ~ 1 - e-k(k-1)/2n. So,
e-k(k-1)/2n ~ 1 - p
-k(k-1)/2n ~ ln(1-p)
k(k-1)/2n ~ ln(1/(1-p))
k2 - k ~ 2n ln(1/(1-p)).
By ignoring the term -k, we estimate:
k ~ SQRT(2n ln(1/(1-p))).
With p = 1/2, we have:
k ~ 1.17 SQRT(n).
Thus, by selecting just slightly over SQRT(n) random choices from Z, we obtain a collision with probability at least 50%.

In the Birthday Paradox, n = 365 and our approximation gives k ~ 22.3. In the Birthday attack, if the message digests were of x-bit length, there would be n = 2x digests, and by selecting 2x/2 arbitrary messages and applying the hash function to them, there will be a 50% chance of obtaining a collision. Thus, for 40-bit message digests, just over 220 (about a million) random messages would be needed to find a collision with 50% probability. It is usually suggested that the minimum acceptable size of a message digest is 128-bits to avoid a Birthday attack. The 160-bit message digest of DSS is even more secure against this attack.

Digital Signature Standard

The Digital Signature Standard (DDS) is a modification of the El-Gamal Signature Scheme. First proposed in 1991, it was adopted as a federal standard in 1994. The modification gives a signature to a 160-bit message which is only 320 bits long. Thus, the algorithm has been designed to work with a hash function that produces 160 bit message digests (such as the SHS).

The user of this scheme, say Alice, first finds a prime q which is 160 bits long and then chooses a prime p so that q|p-1. The discrete log problem should be hard for this prime p. (The initial version of the scheme had p chosen as a 512 bit number, but later versions permitted the size of p to be larger, up to 1024 bits.). Now, Alice chooses a qth root of unity mod p, that is an such that q = 1 mod p (this can be done by finding a primitive root mod p, say g, and calculating = g(p-1)/q mod p.) Alice then chooses a secret exponent a, with 0 < a < q-1, and calculates = a mod p. The values of p, q, , and are made public and the exponent a is kept secret.

To sign a message m, Alice first selects a random secret integer k, with 0 < k < q-1. She then computes, r = (k mod p) mod q and s = k-1(m + ar) mod q. Her signature is then (m,r,s). In order for Bob to verify this signature, he computes u = s-1m mod q and v = s-1r mod q. He then computes w = (uv)mod q) mod p and accepts the signature if and only if w = r.

To see why this works, from the definition of s it follows that

sk =( m + ar ) mod q, so
k = s-1m + s-1ar = u + av mod q.
Thus, k = u + av = (uv mod p. Therefore, taking the mod q values, we have r = w.

As in the El-Gamal scheme, the exponent a must be kept secret, and the secret numbers k should never be used twice. DSS is considered to be stronger than El-Gamal, since in this scheme the secret number k is harder to obtain from r because of the reduction mod q. The verification step in DSS is also faster than the corresponding step in El-Gamal, since there are fewer modular exponentiations to perform, and this is an important practical consideration.