Post on 17-Jan-2017
Asymmetric Key Signatures
David Evans and Samee ZahurCS4501, Fall 2015
Please pay $1000 to my employee--TheBoss
You have money!
Real-life SignaturesEasy to verify• Bank has your signatureForging unlikely• Legal consequences of forging• Checkbooks are well-guarded• Copying it requires physical accessHard to repudiate• Bank keeps a copy for few months
Digital SignaturesEasy to verify• Everybody has your “verification key”, vkHard to forge• Nobody but you has the “signing key”, skHard to repudiate• Everybody knows only you have signing key
Topics• Asymmetric cryptography• Digital signatures• Elliptic curve cryptography• Implementation pitfalls
Ordinary (or symmetric) crypto
Message
key key
Whitfield DiffieMartin Hellman
New Directions in Cryptography, 1976
Diffie-Hellman Key Exchange
𝑔𝑎 mod 𝑝
𝑔𝑏 mod 𝑝Picks secret aComputes
Picks secret bComputesPublic values:
Shared secret:
Discrete Logarithm Problem
Given find such that:
Discrete Logarithm Problem
Random element out of …?
𝑔𝑎 mod 𝑝
𝑔𝑏 mod 𝑝Picks random aComputes
Picks random bComputes
Mod 5 Exponentiation0 1 2 3 4 5 6 …
0 - 0 0 0 0 0 0 …
1 1 1 1 1 1 1 1 …
2 1 2 4 3 1 2 4 …
3 1 3 4 2 1 3 4 …
4 1 4 1 4 1 4 1 …
Order 1
Order 2
In mod multiplication, multiplicative order is always a factor of
Exponent Modulus• Multiplicative order is at most • Pick random such that
Public-key Cryptography
Publicly announces
,
Picks secret aComputes
Picks random secret b. Computes
Encrypts message :
Public values: Shared secret:
Man-in-the-Middle (MITM)
𝑔𝑎
, Picks secret aComputes
Picks secret b. Computes
Encrypts message :
𝑔𝑎 ′
,
Picks random , ,Reads everything
Digital Signature
RecallEasy to verify• Everybody has your “verification key”, vkHard to forge• Nobody but you has the “signing key”, skHard to repudiate• Everybody knows only you have signing key
Discrete-log based signature
ElGamal Signature Scheme
SigningInput: message 1. Pick random 2. Compute
3. Send with message
VerificationInput: message Check if
Fixed global parameters: Private key: Public key:
Bitcoin PaymentSign it like a check!
Recap1. We want to sign transactions digitally on the bitcoin network, such
that they are:a) Easy to verifyb) Hard to forgec) Hard to repudiate
2. Discrete exponentiation is easy, logarithm is hard3. We used it to make asymmetric (aka. public) key crypto4. Same principle used for digital signatures
Avoiding (overly) long numbers
Informal RequirementsGiven and ,
should be hard to solve for
GroupA group is a set of elements (denoted ) and an associated binary operation (denoted ) that satisfies the following:• Closure: is also a group element, or • Associativity: • Identity element: • Inverse: Not necessary, but okay to have:• Commutativity:
Additional Cryptographic Properties• Discrete logarithm should be hard• Group operation should be efficient• Implies small key sizes
Elliptic Curve Cryptography (ECC)
• Group elements: points on the curve, P, Q, and R• Point “addition”: using
“geometry”. P+Q=R
𝑦 2=𝑥3+7
P
Q
R
Elliptic “Curve”
Image from: http://www.coindesk.com/math-behind-bitcoin/
Elliptic Curve Digital Signature Algorithm (ECDSA)
ElGamal SignatureInputs: message , private key 1. Pick random 2. Compute
3. Send with message Verification
Check if
ECDSAInputs: message , private key 1. Pick random k2. Compute
a) , let
3. Send with message Verification
If , check
Please pay $1000 to my employee--TheBoss
You have money!
Jason Benjamin
Logistics• Next class: hash functions and Bitcoin consensus• Checkup 1 on Monday. Includes everything till today