CS435 - Digital Signature
In the Schnorr identification scheme, b = ?
b = (v - x * c) mod q
In a Schnorr signature, s = ?
s = v - xh
What are the requirements for a Zero-Knowledge Proof?
-Completeness -Soundness -Zero-knowledge
Outline some attacks on textbook RSA signatures
-No-message attack -Selected message attack
In the Schnorr identification scheme, what is g?
A generator for Gq
Do you sign a digital signature with a symmetric key, a public key, or a private key?
A private key
Outline, in general terms, what a Zero Knowledge Proof is
A proof that you know a secret, without revealing the secret
Do you verify a digital signature with a symmetric key, a public key, or a private key?
A public key
Please give the formal definition of a digital signature scheme
A triple of algos: -G(): outputs a key pair (pk, sk) -S(sk, m): outputs signature 𝜎 -V(pk, m, 𝜎): outputs "accept" or "reject" Must be consistent: ∀ (pk, sk) output by G: ∀m ∈ M: V(pk, m, S(sk, m)) = "accept"
What is the transcript of a Schnorr identification scheme session?
A triple: (V, c, b)
What is existential forgery on digital signatures?
Attempting to produce some new valid message/sign pair (m, 𝜎) i.e. m is not one of m₁, m₂, ..., mₙ
How do you verify a Schnorr signature?
Check gˢXʰ == V
How do you tackle/mitigate the weaknesses of textbook RSA signatures?
Do RSA on a hash of the message, rather than a message itself!
Outline the no-message attack on textbook RSA
Eve has access to the public key pk = (N, e). So, they just pick some element 𝜎 in (Zₙ)* and compute: m = 𝜎ᵉ mod N ===> they have some valid message/signature pair (m, 𝜎)
What is a chosen message attack on digital signatures?
For m₁, m₂, ..., mₙ, the attacker is given 𝜎 <- S(sk, mᵢ)
Outline what the below algorithm is for in a digital signature scheme: G
G() is the generator - it outputs a key pair (pk, sk)
Outline the following requirement for a Zero-Knowledge Proof: Soundness
If the statement is false, a cheating prover will only have a small probability of convincing the verifier that it is true
Outline the following requirement for a Zero-Knowledge Proof: Completeness
If the statement is true, the prover can convince the verifier of this fact
How can the communication efficiency of the interactive Schnorr identification scheme be improved?
Instead of transmitting V, transmit a hash of V
Outline the steps of the Schnorr non-interactive proof
Just like interactive Schnorr, but c = H("Alice", g, gᵛ, gˣ) i.e. c is still chosen randomly by an honest verifier (the hash algo), and the prover (Alice) has her identity in the hash
Outline the selected-message attack on textbook RSA
Relies on them having access to the public key pk = (N, e), and being able to get signatures for m₁ and m₂, which is easy if they have access to two or more message/signature pairs that the victim sent
Outline what the below algorithm is for in a digital signature scheme: S
S(sk, m) is for signing - it outputs signature 𝜎
In a Schnorr signature, what is x? (i.e. what is its purpose?)
The private key
Outline how Textbook RSA signatures work
The signature is just the encrypted message, and verification is just decrypting and checking if the messages match
In the Schnorr identification scheme, what is Gq?
The subgroup of Zp*, of prime order q
Outline the following requirement for a Zero-Knowledge Proof: Zero-knowledge
The verifier learns nothing other than the fact that the statement is true
In the Schnorr identification scheme, what does the prover want to prove to the verifier?
They they hold the private key x, to a given public key X = gˣ mod p where x is from [0, q - 1]
What is the Fiat-Shamir heuristic?
Transform an interactive ZKP into a non-interactive one by replacing the verifier with the results of a cryptographic hash function (thereby fulfilling the honest verifier requirement)
In the Schnorr identification scheme, what are p and q?
Two large primes, such that q | p - 1
Outline what the below algorithm is for in a digital signature scheme: V
V(pk, m, 𝜎) is for verifying a signature - it outputs "accept" or "reject"
What is the main difference between a MAC and a digital signature?
Whether the verification can be done publicly
With regards to digital signatures, the attacker has the power to ___, and their goal is ___
With regards to digital signatures, the attacker has the power to conduct chosen message attacks, and their goal is existential forgery
In a Schnorr identification scheme, what is X?
X = gˣ mod p where x is from [0, q - 1]
What does it mean for a digital signature scheme to be consistent?
∀(pk, sk) output by G: ∀m ∈ M: V(pk, m, S(sk, m)) = "accept"