Digital signatures Flashcards

1
Q

How does a MAC provide integrity and authentication?

A

Only an entity with the shared secret can generate a valid MAC tag

2
Q

How do digital signatures obtain the property of a MAC?

A

Use public key cryptography.

Only the private-key owner can generate a correct digital signature

3
Q

How does a digital signature provide non-repudiation?

A

Because a judge can decide which party formed the signature

4
Q

Compare digital and physical signatures

A

Physical vs. digital:
Produced by: human vs. machine
Same on all documents vs. function of the message
Easy to recognise vs. requires a computer to check

Both must be difficult to forge

5
Q

What is the flow of signatures?

A

Have a digital message
Hash this
Sign with private key
Verify with public key

6
Q

What are the three algorithms of digital signature schemes?

A

Key generation (output private signing key Ks and public verification key Kv)
Signature generation
Signature verification

7
Q

Describe the signature generation algorithm

A

Signature o = Sig(m, Ks)

m: Message
Ks: private signing key

8
Q

Describe the verification algorithm

A

Ver(m, o, Kv) = true or false

m: Message
o: Claimed signature
Kv: public verification key

9
Q

What are the required properties of verifying functions?

A

Correctness
Unforgeability

10
Q

What is the correctness property?

A

If o = Sig(m, Ks) then Ver(m, o, Kv) = true, for any matching signing/verification keys

11
Q

What is the unforgeability property?

A

It is computationally infeasible for anyone without Ks to construct m and o such that Ver(m, o, Kv) = true

12
Q

What is key recovery?

A

Attacker tries to recover the private key from the public key and some known signatures

13
Q

What is selective forgery?

A

Attacker chooses a message and tries to obtain a signature on that message

14
Q

What is existential forgery?

A

The attacker attempts to forge a signature on any message not previously signed, even if it is a meaningless message

15
Q

When are digital signatures considered secure?

A

If they can resist existential forgery under a chosen message attack

16
Q

How are RSA signature keys generated?

A

A modulus n is computed:
n = pq, p and q are two large primes

e and d are generated such that:
ed mod φ(n) = 1

Private key: sk = (d, p, q)
Public key: pk = (e, n)

A hash function h is also required and should be a fixed public parameter of the signature scheme

17
Q

Describe RSA signature generation

A

o = h(m)^d mod n

m: message
n: modulus
d: private exponent

18
Q

Describe RSA signature verification

A

h’ = h(m)
Check whether o^e mod n = h’

19
Q

What are discrete logarithm signatures?

A

Signatures whose security relies on the difficulty of the discrete log problem

20
Q

Describe the Elgamal signature scheme in Z_p^*

A

p: large prime
g: generator for Z_p^*
x: 0 < x < p-1, private signing key
y = g^x mod p: public verification key

Public knowledge: p, g, y
m: message with value between 0 and p-1 (maybe?)

21
Q

Describe the Elgamal signature generation

A

Sign m with signing key x

  1. Select random k, 0 < k < p-1
  2. Compute r = g^k mod p
  3. Compute s = k^-1(m - xr) mod (p-1)
  4. Signature o = (r, s)
22
Q

Describe the Elgamal signature verification

A

Given m and claimed signature o = (r, s) and verification key y

Verify that g^m ≡ y^r * r^s mod p

23
Q

Describe Schnorr signature scheme in Z_p^*

A

Public knowledge: p, g, y

p: large prime
g: generator for Z_p^*
x: 0 < x < p-1, private key
y = g^x mod p: public key

24
Q

Describe the Schnorr signature generation

A
  1. Select random k, 0 < k < p-1
  2. Compute r = g^k mod p
  3. Let e = H(r||m)
  4. Compute s = k-xe mod (p-1)
  5. Signature: o = (s, e)
25
Q

Describe the Schnorr signature verification

A

m: message
o = (s, e): claimed signature
y: Verification key

  1. r_v = g^s*y^e
  2. e_v = H(r_v||m)
  3. Check if e == e_v
26
Q

Describe Digital signature algorithm DSA

A

Based on Elgamal signatures

Simpler calculations and shorter signatures because it restricts calculations to a subgroup of Z_p^* or to an elliptic curve group

Avoids some attacks that Elgamal may be vulnerable to

27
Q

What are the parameters of DSA?

A

p: a prime modulus of L bits
q: a prime divisor of p-1 of N bits

Use valid combinations of L and N: (L=1024, N=160), (L=2048, N=224), (L=2048, N=256), (L=3072, N=256)

g = h^((p-1) / q) mod p
h is any integer, 1 < h < p-1

H: SHA hash family variant which outputs an N-bit digest

28
Q

Describe DSA key generation

A
  1. Choose random integer x, 0 < x < q
  2. x is the secret signing key
  3. y = g^x mod p is the public key
29
Q

Describe DSA signature generation

A
  1. Choose k at random, 0 < k < q
  2. Set r = (g^k mod p) mod q
  3. Set s = k^-1 (H(m) - xr) mod q
  4. Signature o = (r, s)
30
Q

Describe DSA signature verification

A

Claimed signature (r, s)

Check that 0 < r < q
Check that 0 < s < q

Compute w = s^-1 mod q

u1 = H(m)w mod q
u2 = rw mod q

Check whether (g^u1 * y^-u2 mod p) mod q == r

31
Q

What is ECDSA?

A

Elliptic curve DSA

Similar signature generation and verification, except that:
- q becomes order of elliptic curve group
- multiplication mod p is replaced by elliptic curve group operation
- after operation on the group elements, only the x-coordinate is kept

32
Q

What are the parameters of ECDSA?

A

E: An approved elliptic curve field and equation
G: The elliptic curve group generator, or base point
n: Order of curve group and a prime number
H: SHA-2 hash family variant which outputs an N-bit digest

33
Q

Describe ECDSA key generation

A

Choose random d with 0 < d < n
d: secret key

Compute Y = dG
Y: public key in group G

A public key must be checked before it is used: it must be a point on the curve G different from the identity

34
Q

Describe ECDSA signature generation

A
  1. e = H(m)
  2. Random k, 0 < k < n-1
  3. (x, y) = kG
  4. r = x, if r = 0 return to step 2
  5. s = k^-1(e + rd) mod n
  6. Signature o = (r, s)
35
Q

Describe ECDSA signature verification

A

Claimed signature (r, s)

Check 0 < r < n
Check 0 < s < n

w = s^-1 mod n
e = H(m)

u1 = ew mod n
u2 = rw mod n

Compute the point (x, y) = u1G + u2Y

Valid signature:
- (x, y) is not the identity element in the curve E
- r ≡ x mod n

36
Q

What are deterministic ECDSA signatures?

A

The per-message key is deterministically computed as a function (based on HMAC) of the message to be signed and the private signing key d

37
Q

What are EdDSA signatures?

A

Uses Edwards curve 25519

Deterministic version of Schnorr signatures

38
Q

When are deterministic signatures recommended?

A

When a good random number generator is not available

39
Q

What is a chosen message oracle?

A

When an attacker is able to obtain signatures on messages of their choice.