AN INTRODUCTION
Prior to the invention of public-key cryptography, it was essentially impossible to provide key management for large-scale networks. With symmetric cryptography, as the number of users increases on a network, the number of keys required to provide secure communications among those users increases rapidly. For example, a network of 100 users would require almost 5000 keys if it used only symmetric cryptography. Doubling such a network to 200 users increases the number of keys to almost 20,000. Thus, using only symmetric cryptography, key management quickly becomes unwieldy even for relatively small-scale networks.
The invention of public-key cryptography was of central importance to the field of cryptography and provided answers to many key management problems for large-scale networks. For all its benefits, however, public-key cryptography did not provide a comprehensive solution to the key management problem. Indeed, the possibilities brought forth by public-key cryptography heightened the need for sophisticated key management systems to answer questions such as the following:
"How can I easily encrypt a file once for a number of different people using public-key cryptography?"
"If I lose my keys, how can I decrypt all of my files that were encrypted with those keys?"
"How do I know that I really have Alice's public key and not the public key of someone pretending to be Alice?" (Or any Mr. X for that matter!!)
"How can I know that a public key is still trustworthy?"
These are some of the issues that have led us to a full discussion of Digital Signatures in this project. Now, to understand what a digital signature is and how cryptography is used to secure electronic communications, let's look at a process we are all familiar with: writing and sending a check.
SECURING THE ELECTRONIC VERSION
The simplest electronic version of the check can be a text file, created with a word processor, asking our bank to pay someone a specific sum.
However, sending this check over an electronic network poses several security problems:
Since anyone could intercept and read the file, we need confidentiality.
Since someone else could create a similar counterfeit file, the bank needs to authenticate that it was actually we who created the file.
Since we could deny creating the file, the bank needs non-repudiation.
Since someone could alter the file, both we and the bank need data integrity.
To overcome these issues, modern cryptography (i.e. Digital Signatures) performs a number of steps hidden behind a simple user interface. The first step is to sign the check with a digital signature.
DIGITAL SIGNATURE
The process of digitally signing starts by taking a mathematical summary (called a hash code) of the check. This hash code is a uniquely-identifying digital fingerprint of the check. If even a single bit of the check changes, the hash code will dramatically change. The next step in creating a digital signature is to sign the hash code with our private key. This signed hash code is then appended to the check. How is this a signature? Well, the recipient of our check can verify the hash code sent by us, using our public key. At the same time, a new hash code can be created from the received check and compared with the original signed hash code. If the hash codes match, then the recipient has verified that the check has not been altered. The recipient also knows that only we could have sent the check because only we have the private key that signed the original hash code.
Confidentiality and encryption
Once the electronic check is digitally signed, it can be encrypted using a high-speed mathematical transformation with a key that will be used later to decrypt the document. This is often referred to as a symmetric key system because the same key is used at both ends of the process. As the check is sent over the network, it is unreadable without the key. The next challenge is to securely deliver the symmetric key to the bank.
Public-key cryptography for delivering symmetric keys
Public-key encryption is used to solve the problem of delivering the symmetric encryption key to the bank in a secure manner. To do so, we would encrypt the symmetric key using the bank's public key. Since only the bank has the corresponding private key, only the bank will be able to recover the symmetric key and decrypt the check.
Why use this combination of public-key and symmetric cryptography? The reason is simple. Public-key cryptography is relatively slow and is only suitable for encrypting small amounts of information such as symmetric keys. Symmetric cryptography is much faster and is suitable for encrypting large amounts of information. The following illustration describes what is usually done behind the scenes to deliver the secure electronic messages.
Here, in this project, we will discuss at length Digital Signatures and the various techniques used, and then we will do a comparative analysis of two widely used standards, one of them relatively new, and provide an improved model for the same. This project will also lay a certain platform for future work on the same. We will also provide an interesting, but easy way to implement the existing ECC digital signatures. During the course of the project, we implemented and tried to compare the performance characteristics of RSA and elliptic curve digital signature algorithms by implementing each algorithm and comparing their experimental running-times in an effort to gauge the experimental time efficiencies of each. In addition to that, we have tried to propose a new standard, a mathematical technique which can be used for efficient implementation of the present techniques and, indeed, may be presented as a completely new technique with some more work. However, we will present our idea after the full discussion of what we have done.
Digital signatures are used in message transmission to verify the identity of the sender of the message and to ensure that the message has not been modified after signing. They are essential for verifying the authenticity of a message. The application of digital signatures is widespread in digital computing, taking the place of an ordinary hand-written signature. Because digital signatures are akin to hand-written signatures, they are used in many of the applications of signatures on the Internet (e.g. e-voting, online banking, online college applications, etc.). The importance of digital signatures in digital communications merits the research into relatively new cryptosystems such as elliptic curve cryptography (ECC), especially as the need for more efficient algorithms grows with the growing number of memory-limited mobile electronic devices.
The increasing key sizes needed by RSA for security against brute force attacks by powerful computers or distributed computing also make ECC more appealing, with its smaller secure key sizes [8]. After implementing and running ECC and RSA digital signatures with various key sizes on several test cases, we concluded that the results are mostly consistent with current academic knowledge comparing the two systems. RSA key generation is quite costly in terms of time, both cryptographic schemes are comparable (up to 7680 bit RSA signing) for message signing, and RSA scales better than ECC in signature verification.
A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
A signing algorithm that, given a message and a private key, produces a signature.
A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.
Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.
The first widely marketed software package to offer digital signature was Lotus Notes 1.0, released in 1989, which used the RSA algorithm. To create RSA signature keys, we generate an RSA key pair containing a modulus N that is the product of two large primes, along with integers e and d such that $ed \equiv 1 \pmod{\varphi(N)}$, where $\varphi$ is the Euler phi-function. The signer's public key consists of N and e, and the signer's secret key contains d.
To sign a message m, the signer computes $m^d \pmod{N}$. To verify, the receiver checks that the signature raised to the power e is congruent to $m \pmod{N}$. But as we noted, this system is not so secure. To prevent attacks, one can first apply a cryptographic hash function to the message m and then apply the RSA algorithm described above to the result. This approach can be proven secure in the so-called random oracle model.
Other digital signature schemes were soon developed after RSA, the earliest being Lamport signatures, Merkle signatures (also known as "Merkle trees" or simply "Hash trees"), and Rabin signatures (all described later in the report). In 1988, Shafi Goldwasser, Silvio Micali, and Ronald Rivest became the first to rigorously define the security requirements of digital signature schemes. They described a hierarchy of attack models for signature schemes, and also presented the GMR signature scheme, the first that can be proven to prevent even an existential forgery against a chosen message attack.
Most early signature schemes were of a similar type: they involve the use of a trapdoor permutation, such as the RSA function, or in the case of the Rabin signature scheme, computing squares modulo a composite n. A trapdoor permutation family is a family of permutations, specified by a parameter, that is easy to compute in the forward direction, but is difficult to compute in the reverse direction without already knowing the private key. However, for every parameter there is a "trapdoor" (private key) which, when known, easily decrypts the message. Trapdoor permutations can be viewed as public-key encryption systems, where the parameter is the public key and the trapdoor is the secret key, and where encrypting corresponds to computing the forward direction of the permutation, while decrypting corresponds to the reverse direction. Trapdoor permutations can also be viewed as digital signature schemes, where computing the reverse direction with the secret key is thought of as signing, and computing the forward direction is done to verify signatures. Because of this correspondence, digital signatures are often described as based on public-key cryptosystems, where signing is equivalent to decryption and verification is equivalent to encryption, but this is not the only way digital signatures are computed.
Used directly, this type of signature scheme is vulnerable to a key-only existential forgery attack. To create a forgery, the attacker picks a random signature and uses the verification procedure to determine the message m corresponding to that signature. In practice, however, this type of signature is not used directly, but rather, the message to be signed is first hashed to produce a short digest that is then signed. This forgery attack, then, only produces the hash function output that corresponds to that signature, but not a message that leads to that value, which does not lead to an attack.
In the random oracle model, this hash-and-decrypt form of signature is existentially unforgeable, even against a chosen-message attack. There are several reasons to sign such a hash (or message digest) instead of the whole document.
For efficiency: The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice.
For compatibility: Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number N). A hash function can be used to convert an arbitrary input into the proper format.
For integrity: Without the hash function, the text "to be signed" may have to be split (separated) in blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognize if all the blocks are present and in the appropriate order.
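
The key-only forgery against directly used RSA signatures and the hash-then-sign remedy described above, as an added example that is not part of the original report. It uses a constructed toy key built from two publicly known Mersenne primes (no security); the function names and the sample check text are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes,
# so this key is for illustration only and offers no security.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: e*d = 1 (mod phi(N))


def sign_raw(m: int) -> int:
    """Textbook RSA: sign the message integer directly, m^d mod N."""
    return pow(m, D, N)


def verify_raw(m: int, sig: int) -> bool:
    """Accept if sig^e mod N equals the message integer."""
    return 0 <= m < N and pow(sig, E, N) == m


def digest_int(msg: bytes) -> int:
    """SHA-256 digest of the message as an integer (always < 2**256 < N)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign_hashed(msg: bytes) -> int:
    """Hash-then-sign: apply the RSA private operation to the digest."""
    return pow(digest_int(msg), D, N)


def verify_hashed(msg: bytes, sig: int) -> bool:
    """Recompute the digest and compare it with sig^e mod N."""
    return pow(sig, E, N) == digest_int(msg)


def key_only_forgery(sig: int) -> int:
    """Run verification with the public key only: returns the integer
    that the chosen value validly signs under textbook RSA."""
    return pow(sig, E, N)


def demo() -> dict:
    check = b"Pay Bob 100 from account 12345"    # constructed sample check
    good_sig = sign_hashed(check)
    picked_sig = 0x1234567890ABCDEF              # arbitrary value, no private key used
    forged_m = key_only_forgery(picked_sig)
    # With hashing, forged_m is only the value a digest would have to equal;
    # the forger has no message that hashes to it.
    forged_bytes = forged_m.to_bytes((N.bit_length() + 7) // 8, "big")
    return {
        "raw_roundtrip": verify_raw(42, sign_raw(42)),
        "raw_forgery_accepted": verify_raw(forged_m, picked_sig),
        "hashed_valid": verify_hashed(check, good_sig),
        "hashed_tampered": verify_hashed(b"Pay Bob 900 from account 12345", good_sig),
        "hashed_forgery_accepted": verify_hashed(forged_bytes, picked_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged pair passes the direct (unhashed) check even though the private exponent was never used, while the hashed scheme rejects both the forged pair and the altered check.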
AUTHENTICATION
Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.
INTEGRITY
In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions.
NON-REPUDIATION
Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature. This is in contrast to symmetric systems, where both sender and receiver share the same secret key, and thus in a dispute a third party cannot determine which entity was the true source of the information.
1.3.3.4 BLS
In cryptography, the Boneh–Lynn–Shacham signature scheme allows a user to verify that a signer is authentic. The scheme uses a pairing function for verification and signatures are group elements in some elliptic curve. Working in an elliptic curve provides defense against index calculus attacks, allowing shorter signatures than FDH signatures. Signatures are often referred to as short signatures, BLS short signatures, or simply BLS signatures. The signature scheme is provably secure (that is, the scheme is existentially unforgeable under adaptive chosen-message attacks) assuming both the existence of random oracles and the intractability of the computational Diffie–Hellman problem.
produced a valid signature. The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUG). The result is a signature consisting of two components, labeled s and r.
Soundness and Completeness: Valid signatures by group members always verify correctly, and invalid signatures always fail verification.
Unforgeable: Only members of the group can create valid group signatures.
Anonymity: Given a message and its signature, the identity of the individual signer cannot be determined without the group manager's secret key.
Traceability: Given any valid signature, the group manager should be able to trace which user issued the signature. (This and the previous requirement imply that only the group manager can break users' anonymity.)
Unlinkability: Given two messages and their signatures, we cannot tell if the signatures were from the same signer or not.
No Framing: Even if all other group members (and the managers) collude, they cannot forge a signature for a non-participating group member.
Unforgeable tracing verification: The revocation manager cannot falsely accuse a signer of creating a signature he did not create.
The ACJT 2000, BBS04 (in Crypto), BS04 (in CCS) group signature schemes are the state of the art. BBS04: Boneh, Boyen and Shacham published in 2004 (Crypto04) a novel group signature scheme based on bilinear maps. Signatures in this scheme are approximately the size of a standard RSA signature (around 200 bytes). The security of the scheme is proven in the random oracle model and relies on the Strong Diffie Hellman assumption (SDH) and a new assumption in bilinear groups called the Decision linear assumption (DLin).
1.3.3.11 MULTISIGNATURE
A multisignature represents a certain number of signers signing a given message. The number of signers is not fixed, and the signers' identities are evident from a given multisignature. A multisignature is much shorter (sometimes constant) than the simple collection of individual signatures.
1.3.3.12 PROXY SIGNATURE
A proxy signature allows a delegator to give partial signing rights to other parties called proxy signers. Proxy signatures do not offer anonymity.
1.3.3.13 AGGREGATE SIGNATURE
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user $i$ signed message $M_i$ for $i = 1, \ldots, n$). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols.
These are, more or less, what has been used and what is being used today. We take up RSA and ECCDSA for analysis, because of the reasons described in the next section.
IN THE
DIGITAL SIGNATURES
THAT WE HAVE
In the contemporary world, devices are getting smaller, compact and even more powerful. With the advent of palm-held devices and desktops getting reduced in size day-by-day, the need for providing security while consuming comparatively lesser resources and even lesser time is increasing every now and then, demanding better algorithms each day. With the advent of ad-hoc networks and ever increasing wireless networks, the devices that are being used have constrained capabilities concerning CPU power, battery power and transmission bandwidth, whereas all security mechanisms being used are resource consuming. ECC is still in its infancy, and thus has not received as much scientific analysis as the much older RSA scheme. The smaller key sizes of ECC potentially allow for less computationally able devices such as smart cards and embedded systems to use cryptography for secure data transmissions, message verification and other means.
Keeping in view the rapidly constrained reports and ever increasing demands for security along with the efficient consumption of resources, we suggest RSA is comparable to ECC for digital signature creation in terms of time, and is faster than ECC for digital signature verification. Thus, for applications requiring signature generation more often than message verification, ECC may be the better choice, but for applications requiring message verification more often than signature generation, RSA is a better choice. Compared to traditional cryptosystems like RSA, ECC provides equivalent security with smaller key sizes, which results in faster computations, lower power consumption, as well as memory and bandwidth savings. This is especially useful for mobile devices which are typically limited in terms of their CPU, power and network connectivity.
Keeping in view the above issues, we have in this project compared the performance characteristics of two public key cryptosystems (RSA and ECC) used in digital signatures to determine the applicability of each in modern technological devices and protocols that use such signatures. Digital signatures are used in message transmission to verify the identity of the sender and to ensure that a message has not been modified after signing. The space and time efficiency of digital signature algorithms is essential to their widespread adoption in message transport systems.