Digital Signatures
In chapter 9 we used PRFs for message authentication. If the correct MAC tag accompanied a message , this was “proof” that someone who knows the key has vouched for . MACs are symmetric-key primitives: The same key is used both to generate and verify a tag.
This chapter introduces digital signatures, the asymmetric-key equivalent of MACs. A private key is used to produce the authentication tag, and a public key is used to verify it.
16.1. Security definitions for digital signatures
In a digital signature scheme, a user first generates a key pair using a key generation algorithm. Only someone who holds the private key can generate authentication tags, now called signatures, of messages. But anyone who holds the public key can verify that the signature is authentic. Thus, verification must happen differently than for MACs. With a MAC (at least MACs as we have defined them), a tag is verified by simply recomputing the “correct” tag and comparing it to the given one. We cannot expect digital signatures to be verified in the same way, since the person performing verification cannot compute correct signatures on their own. Thus, a signature scheme must specify an additional, explicit verification algorithm.
A digital signature scheme (usually just called a signature scheme) consists of the following algorithms:
-
: a randomized algorithm that takes no inputs and outputs a key pair , where is a public key and is a private key.
-
: a possibly randomized algorithm that takes a private key and message as input and returns a signature.
-
: a deterministic algorithm that takes a public key , message , and signature as input, and returns a boolean.
If , we say that is a valid signature of under . A signature scheme is correct if signatures generated by are always valid. More formally, for all , the following program outputs with probability 1:
Sometimes the public key of a signature scheme is called the verification key and the private key called the signing key.
Security: The intuitive guarantee of a signature scheme is that only the private-key holder can produce valid signatures. Even an adversary who is allowed to see many examples of valid signatures, on messages of its choice, and who knows the public key, cannot produce any new examples of valid signatures.
We formalize security in a similar way to MACs (section 9.4). We imagine an attack scenario in which the adversary can request signatures on chosen messages from the victim. Of course these signatures will always be valid. A forgery is any message-signature pair produced by the adversary, which is valid but different than those it received from the victim/library. We say that forgeries should be hard to generate by requiring that the verification algorithm is indistinguishable from an algorithm that simply responds to any not generated by the victim. The true verification algorithm differs from this “fake” one only in the case of a forgery, so if they are indistinguishable then it must be hard to produce a forgery.
A digital signature scheme is secure if the following two libraries are indistinguishable:
Another difference with MACs is that we treated MACs and PRFs as synonyms. Thus, every MAC that we have seen has tags that are not only hard to forge but are pseudorandom. But pseudorandom signatures are simply not possible. A valid signature cannot be pseudorandom because it satisfies a very conspicuous property: It causes the algorithm to output ! A uniformly chosen value would rarely have this property (otherwise, one could easily generate forgeries by sampling signatures uniformly).
Because of this distinction, the security definition for signature schemes does not require signatures to look pseudorandom. Both libraries produce and output truly valid signatures; we do not have a “real” library generating valid signatures and a “random” library generating fake, uniformly chosen ones.
16.2. Signatures from RSA
In RSA-based cryptography, only someone who holds the private key can compute -th roots. On the other hand, anyone with the public key can verify that is an -th root of by checking . These properties seem perfectly matched for digital signatures. Can we make a signature scheme in which signatures are -th roots?
16.2.1. Textbook RSA signatures
Textbook RSA is the signature scheme you get by letting the -th root of be its signature.
The textbook RSA digital signature scheme is defined by the following algorithms:
Unfortunately, just like the case of encryption, the textbook RSA approach is insecure.
First, textbook RSA signatures are malleable, thanks to their algebraic structure. Given two textbook RSA signatures and , it's not hard to see that is a valid signature for the message . In a secure signature scheme, it should not be possible to guess a valid signature on after seeing valid signatures of and .
Second, we must be more precise when claiming that “it's hard to compute -th roots mod .” In fact, it is easy to find a pair where is the -th root of : Simply choose first, and then set . In the context of textbook RSA signatures, this corresponds to an attack in which the adversary chooses the signature first and then computes the message that matches. Even though the attack results in a signature on a message that the adversary can't control, it's something that should not be possible in a secure digital signature scheme.
To be more precise about computing -th roots mod , we should say that “it's hard to compute -th roots mod , of values that you didn't choose.” In textbook RSA signatures, the values can be chosen by the adversary, which means they can be chosen with a known -th root. To fix textbook RSA signatures, the signer should not compute the -th root of directly, but rather the -th root of something that nobody can directly control.
16.2.2. RSA-PSS
In the RSA-PSS scheme, the signer computes -th roots of a hash of , the idea being that it should be hard to choose that hashes to any favorable value. The signature scheme can be proven secure if the hash function is modeled as a random oracle. The proof is made significantly easier if the signer computes an -th root, not of but of , where is chosen uniformly for each signature (and included in the output).
Let be a random oracle whose range is . The RSA probabilistic signature scheme (RSA-PSS) is defined by the following algorithms:
One downside to RSA-PSS is that it requires a hash function that acts like a random oracle, with outputs in . It's not immediately clear how to instantiate such a hash function in the real world. However, construction 16.2.2 is merely a simplification of the “real” RSA-PSS standard, which uses a more conventional random oracle with outputs in .
16.2.3. Self-reducibility
In the RSA assumption (definition 15.2.5), one RSA key pair is associated with just a single challenge value . Finding the -th root of this value is hard. On the other hand, the security of RSA-PSS relies on the difficulty of finding the -th root of any one of many random oracle outputs. Hence, one important step in the proof is to bridge this gap between one target for -th roots and many targets.
In this section, we prove that finding the -th root of any one of many uniformly chosen targets is hard. This is a general result, not tied to the use of RSA for signatures. The proof uses the following idea: Given any RSA target value , there is a way to generate many new values such that:
-
Each is uniformly distributed in , and
-
Given the -th root of any of these values, we can easily compute an -th root of .
Thus, from a single target value we get many target values which follow the correct distribution, and whose -th roots are exactly as hard to find as 's. This kind of transformation, from one to many 's, is called a random self-reduction, and it is a useful concept throughout cryptography.
Let's now see the idea behind this self-reduction, illustrated for a single value. Given a target value , how can we choose such that an -th root of helps us learn the -th root of ?
Suppose , where . Then given , and an -th root of , it is possible to efficiently compute an -th root of . Furthermore, if is sampled uniformly in , then the distribution over is uniform.
If is an -th root of , then is an -th root of , a fact that can be verified as:
To see that is distributed uniformly, observe that: (1) is chosen uniformly; (2) raising to the -th power is a 1-to-1 function, so is distributed uniformly; (3) is a one-time pad ciphertext with acting as key, and multiplication-mod- as the algebraic group operation.
We can now prove the multi-target security of the RSA assumption:
If the RSA assumption is true, then the following two libraries are indistinguishable:
These libraries are indistinguishable if it is hard for the adversary to find the -th root of any of the -values generated by the library.
16.2.4. Security proof for RSA-PSS
We now have the tools to prove security of RSA-PSS.
RSA-PSS (construction 16.2.2) is a secure digital signature scheme in the random oracle model, if the RSA assumption is true.
An RSA-PSS signature is the -th root of a random oracle output. The intuition behind security is that it is hard to compute the -th root of such uniformly sampled values, if you don't know the private RSA exponent . We expect to formalize this intuition in the security proof by applying claim 16.2.4. But we cannot do so unless we have a hybrid library that doesn't use at all: The libraries in claim 16.2.4 do not provide to the calling program. So the main challenge in this proof is finding a different way to implement the subroutine without using .
Our approach takes advantage of the fact that the library can change how random-oracle outputs are generated; this is called programming the random oracle. Normally, the subroutine would sample uniformly from . We introduce a hybrid in which the library samples this to have a known -th root. In other words, when is called, the library samples , computes , and designates to be the output of . The output distribution of does not change; it remains uniform. However, is a valid RSA-PSS signature of , because is the -th root of . Importantly, this modified library never needs to know the exponent .
At this point in the proof, random oracle calls are treated in two distinct ways: If a random oracle call is made inside , then the library chooses the output in this special way to have a known -th root. If a random oracle call is made directly by the adversary, then the library chooses the output uniformly, so we can argue that finding an -th root of this value is hard. You may ask what should happen if a random oracle call falls into both cases. Should the output be chosen with a known or unknown -th root? Fortunately, we don't need to worry about this case. The first case (in ) involves calls of the form , where has just been sampled uniformly. It is therefore only negligibly likely that the adversary has already directly called . This is precisely the reason for in the construction.
We now proceed with the hybrid proof.
A note on programming: Programming the random oracle is a powerful proof technique, and one of the main features of the random oracle that critics disparage. Indeed, imagine trying to carry out the steps of our security proof where is a public, plain-model hash function like SHA-3. You will get stuck when the proof reaches a hybrid that tries to “choose” to have a known -th root. Of course, the library cannot do this, because simply is whatever it is, and the library cannot pretend it to be something else.
16.2.5. A rant
If you want to make a cryptographer genuinely angry, casually mention that signing is just encrypting with the private key, or that verifying a signature is just decrypting with the public key.
The document is then encrypted with the user's private key.
— US News & World Report, “What Is a Digital Signature?”
To validate a digital signature, the recipient ... decrypts the digital signature using the sender's PUBLIC key...
Public key encrypts, private key decrypts (encrypting); Private key encrypts, public key decrypts (signing)
— highly rated answers to Stack Overflow question, “How does a public key verify a signature?”
You can create a one-way hash of the data and then use your private key to encrypt the hash. The encrypted hash, along with other information like the hashing algorithm, is known as a digital signature.
— IBM z/TPF documentation
Why do people say these things?
RSA-based cryptography, for both encryption and signatures, involves exponentiation to the power and to the power:
| exponentiate with | exponentiate with | |
| RSA-KEM: | encryption | decryption |
| RSA signatures: | verification | signing |
In a nontechnical context, we might want to avoid talking about the scary concept of exponentiation and instead euphemistically refer to it as “encryption/decryption with a key.” In that case it would make sense to describe signing as “encryption with the private key” This correctly emphasizes the fact that encryption and signature verification use public information, while decryption and signing require private information.
So what's wrong with saying these things?
First, it's annoyingly imprecise to call everything “encryption” and “decryption.”
Digital signatures and public-key encryption are completely different primitives, targeting completely different security goals; they deserve different terminology.
If an operation requires the private key of a public-private keypair, please don't call it encryption.
Second, it's wrong to suggest a fundamental duality between signature schemes and encryption schemes (“to construct a signature scheme, just reverse the keys in a public-key encryption scheme!”). The fact that RSA encryption, decryption, signing, verification all use similar exponentiation steps is mostly a fluke. There is no fundamental reason to expect a signing algorithm to resemble any kind of encryption operation. Aside from RSA, I can't think of any other signature scheme with this curious property. In general, you cannot easily convert an arbitrary PKE scheme into a digital signature scheme, nor vice versa.
16.2.6. Looking Ahead
RSA-based signatures have great historical significance, and their security proof demonstrates important new provable security techniques. However, RSA signatures are expensive and large, because RSA requires huge moduli. One might wonder whether, as in the case of key agreement, it is possible to achieve something better by using elliptic curve cryptography, where the underlying values are significantly smaller than RSA group elements. Later in section 19.4 we discuss an alternative approach for signatures—called Schnorr signatures—that can be based on elliptic curves and therefore lead to much smaller signatures. For most applications, Schnorr signatures (and closely related constructions) are a better choice than RSA signatures.
16.3. Common signature idioms
16.3.1. Hash-then-sign
In RSA-PSS, the signer starts by computing a hash of the message being signed. It is important to the security proof that the hash function is a random oracle. But the idea of hashing before signing is a standard general principle. In practice, one can always sign a hash of a long message rather than the message itself.
Signing a hash authenticates that the signer vouches for that hash. And if the hash function is collision-resistant, there can be only one known message that produces that hash, so the signature of its hash authenticates that (unique) message. Both the signer and verifier must be able to evaluate this hash function. Thus, one should use a standard collision-resistant hash function with public salt, and not a UHF.
We can formalize the security of signing a hash, with the following construction:
Let be a signature scheme with , and let be a salted hash function with output length . The hash-then-sign construction is defined by the following:
We use variable to denote the hash function's salt, since is used to represent signatures.
If is a secure signature scheme and is collision-resistant, then hash-then-sign is a secure signature scheme.
16.3.2. Certificates and chains
When Alice wants to connect to joyofcryptography.com, how does her browser ensure that she is talking to the real joyofcryptography.com and not some impostor website that advocates for ECB mode? Cryptography does not directly involve things like website domain names; instead, it involves public keys and private keys. Users need a way to bridge the gap between cryptographic public keys and human-understandable identities, like domain names. On the internet, this gap is bridged by certificates, a common application of digital signatures. Certificates help answer the question, what is the correct public key for this particular domain name? Later in chapter 18 we discuss how to actually use a public key to cryptographically authenticate a website connection.
There are billions of websites, so web browsers cannot simply ship with a database that maps every domain name to a public keys. Instead, browsers delegate the responsibility to a small number of certificate authorities (CA). The job of a CA is to issue certificates, which are essentially digital signatures on messages of the form “a28f1eb9... is a valid public key for joyofcryptography.com.”
Certificates are issued in the following process:
-
A website operator contacts a CA and presents a public key . The operator proves that (1) it controls a domain name, usually by adding a special string to its DNS record or to a publicly accessible webpage, and (2) that it controls the public key, usually by signing a challenge message sampled uniformly by the CA.
-
If the CA is satisfied, it will generate a certificate signed under its (the CA's) public key.
This process is frequently automated, and some larger website hosting companies are also CAs themselves, making the process easier.
Later, when a browser connects to the website:
-
The webserver presents its public key , and its certificate.
-
The browser verifies that the certificate lists and the expected domain name, and that it is signed by a known CA. Each browser ships with a small collection of known CA public keys; at the time of writing, my browser recognizes 74 CAs.
-
Assuming all of these checks pass, the browser attempts to authenticate the server as the holder of the private key corresponding to . Authentication happens using the techniques described in chapter 18.
Signature/Certificate Chains: A certificate is just a signature vouching for someone else's public key. That someone else could be a website, but it could also be another CA. In practice, root CAs sign the public keys of other CAs, called intermediate CAs, who then sign public keys of websites. This arrangement helps relieve load on the root CAs.
For example, the certificate for joyofcryptography.com is signed by Cloudflare's CA, whose CA certificate is signed by Baltimore CyberTrust, a root CA whose public key is in your browser's trust store. When your browser connects to joyofcryptography.com, the server presents its public key along with this certificate chain. Your browser validates the entire chain from root to website.
Trusting CAs: Any certificate authority that your browser trusts can issue a certificate for any domain name. Thus, CAs have the power to completely and silently impersonate any website on the internet. The decision to include a CA in a browser's trusted list is therefore not taken lightly, and geopolitical forces are often at play. (The EU recently proposed controversial legislation that would force browsers to trust CAs operated by EU governments.)
A rogue CA who issues improper certificates can have a disastrous impact on the internet. While rogue certificates cannot be completely eliminated, modern web browsers include some features to detect them. For example, a website operator can instruct browsers to accept certificates only from specific CAs, using a special DNS record called certificate authority authorization (CAA). In a project called certificate transparency, CAs are required to publicly announce all certificates they issue; some browsers periodically check certificates they have received against this public list. A domain name owner can also check the list for unexpected certificates for their domain. If a website presents a certificate that is not in this public list, the offending CA's reputation can be damaged.
Exercises
-
Let be a digital signature scheme, and define the new scheme as follows:
-
Prove that is secure, if is. This example shows that digital signatures do not need to hide the message, since signatures in include the message in the clear.
-
Show that if the line marked is removed, then the resulting scheme is not secure.
-
-
Let be a digital signature scheme, and define the new scheme as follows:
Show that is not a secure digital signature scheme.
-
In this exercise, is a random oracle with input and output length . We use the following shorthand notation:
Consider the following signature scheme:
-
Show that the scheme satisfies correctness.
-
Consider a variant of the security definition for digital signatures, in which the adversary can receive only one signature (e.g., returns an error if called more than once). Prove that the scheme is secure with respect to this modified definition.
-
Show that the scheme is not secure with respect to the standard definition for digital signatures.
-
-
In section 15.3 we proved that RSA-KEM is a secure one-message KEM. Then we used the general result that a secure one-message KEM is a secure many-message KEM. But the latter proof involves a sequence of hybrids, where is the number of ciphertexts encrypted by the adversary. Each hybrid adds a negligible loss to the proof's concrete security. Overall, these two proofs show that breaking security of RSA-KEM is at most times easier than breaking the RSA assumption.
Give a direct proof that RSA-KEM is a secure many-message KEM (in the random oracle model), where the sequence of hybrids applies the RSA assumption only once. Thus, in terms of concrete security, breaking security of RSA-KEM is no easier than breaking the RSA assumption.
-
Show a random self-reduction for the discrete logarithm problem. Let be a cyclic group with order and generator .
Given any , show how to generate a new value such that:
-
is uniformly distributed in .
-
Given the discrete logarithm of , there is an efficient way to compute the discrete logarithm of .
-
-
h This exercise develops a random self-reduction for the DDH problem. Let be a cyclic group with order and generator . Consider the following algorithm:
We will say that are a Diffie-Hellman triple if , , and . The DDH assumption says that it is hard to distinguish the uniform distribution over Diffie-Hellman triples from the uniform distribution over all triples in .
-
Show that if is a Diffie-Hellman triple, then the output of is uniformly distributed over Diffie-Hellman triples. Make no assumptions about the distribution on . The output of is induced by its random choices, not a distribution over its inputs.
-
Show that if is not a Diffie-Hellman triple, then the output of is uniformly distributed over .
-
The DDH assumption (definition 13.2.3) generates only a single triple in its lifetime. Prove that if the DDH assumption is true, then the following two libraries (which generate many independent triples) are indistinguishable:
:return:returnYour proof should invoke the standard DDH assumption only once!
For part (a), reason about all cyclic group elements in terms of their discrete logs. For part (b), a non-Diffie-Hellman triple has the form where .
-
-
Below is a variant of RSA-PSS which does not use a random oracle. Assume that the RSA modulus has bits, message has bits, and is interpreted as a -bit integer in the usual way.
Show that the scheme is not secure.
-
h Exponentiation mod can be sped up using the CRT method (section 15.4), if the factorization of is known. In RSA-PSS signatures, it is the signer who knows this factorization. Using the CRT optimization, the signer will compute mod , then mod , and finally reconstruct the result mod .
Suppose a victim has signed a known message in this way, resulting in signature . However, their CPU experienced a glitch while computing mod , resulting in an incorrect result. The CPU correctly computed mod and the CRT reconstruction (on the wrong values). As a result, the final result does not verify as a valid signature.
Show how an adversary who knows , , and the public key can factor .
satisfies:
-
Usually it is not advisable to use the same key for different purposes. Despite that, it is safe to use RSA-KEM and RSA-PSS with the same RSA keypair; prove that the following two libraries are indistinguishable. RSA-KEM requires a random oracle with output , while RSA-PSS requires one with output . The following libraries implement two independent random oracles, with different ranges.
:return:// :return:// :return:// :return:// :return:if undefined:return:if undefined:return:return:return:if defined: return// :return:// :return:if : returnreturn:if undefined:return:if undefined:return -
Prove that if is a secure (salted) CRHF and is a secure signature scheme, then the following scheme is also a secure signature scheme:
So if a signature scheme has very large public keys, they can be shrunk at the expense of making signatures longer.
-
Suppose is a PKE scheme and is a signature scheme, and consider the following new PKE scheme:
Show that this scheme is not CCA-secure, even if is CPA-secure and is a secure digital signature scheme.
-
This exercise explores whether we can convert a CPA-secure PKE into a CCA-secure one, by incorporating signatures similar to how MACs promote CPA security to CCA security for SKE.
-
Let be a CPA-secure PKE with . Prove that the following scheme is correct and is also CPA-secure:
-
Now consider the following natural approach to authenticate ciphertexts using a signature: Encrypt the plaintext along with a verification key, and then sign the resulting ciphertext. More formally, let be a PKE scheme and be a signature scheme, and define the following PKE:
Show that the resulting scheme is not CCA-secure, when is the CPA-secure scheme from part (a), and is a secure digital signature scheme. Thus, this recipe does not suffice to upgrade an arbitrary CPA-secure PKE into a CCA-secure.
-
-
Let be a signature scheme and define the new scheme below, which produces a signature chain:
Prove that is a secure digital signature scheme, if is.
Chapter Notes
Diffie and Hellman were the first to conceive of digital signatures [83]. The standard modern security definition for signatures is due to Goldwasser, Micali, and Rivest [116].
The signature scheme in exercise 16.3 is based on the Winternitz signature scheme, attributed to Robert Winternitz by Merkle [160].
Construction 16.2.2 is a simplified variant of the PSS construction proposed by Bellare and Rogaway [28]. The “real” PSS construction uses a hash function with range , rather than as in construction 16.2.2, and then cleverly encodes the randomness into the bits of the -element itself, thus saving on the additional cost of transmitting as part of the signature. PSS itself is a variant of full-domain hash (FDH) signature scheme, which is essentially construction 16.2.2 without the signing randomness . FDH is also secure, although its security proof is more involved, and provides worse concrete security; see Coron [72,73].