CS435 - Digital Signature

Ace your homework & exams now with Quizwiz!

In the Schnorr identification scheme, b = ?

b = (v - x * c) mod q

In a Schnorr signature, s = ?

s = v - xh

What are the requirements for a Zero-Knowledge Proof?

-Completeness -Soundness -Zero-knowledge

Outline some attacks on textbook RSA signatures

-No-message attack -Selected message attack

In the Schnorr identification scheme, what is g?

A generator for Gq

Do you sign a digital signature with a symmetric key, a public key, or a private key?

A private key

Outline, in general terms, what a Zero Knowledge Proof is

A proof that you know a secret, without revealing the secret

Do you verify a digital signature with a symmetric key, a public key, or a private key?

A public key

Please give the formal definition of a digital signature scheme

A triple of algos: -G(): outputs a key pair (pk, sk) -S(sk, m): outputs signature 𝜎 -V(pk, m, 𝜎): outputs "accept" or "reject" Must be consistent: ∀ (pk, sk) output by G: ∀m ∈ M: V(pk, m, S(sk, m)) = "accept"

What is the transcript of a Schnorr identification scheme session?

A triple: (V, c, b)

What is existential forgery on digital signatures?

Attempting to produce some new valid message/sign pair (m, 𝜎) i.e. m is not one of m₁, m₂, ..., mₙ

How do you verify a Schnorr signature?

Check gˢXʰ == V

How do you tackle/mitigate the weaknesses of textbook RSA signatures?

Do RSA on a hash of the message, rather than a message itself!

Outline the no-message attack on textbook RSA

Eve has access to the public key pk = (N, e). So, they just pick some element 𝜎 in (Zₙ)* and compute: m = 𝜎ᵉ mod N ===> they have some valid message/signature pair (m, 𝜎)

What is a chosen message attack on digital signatures?

For m₁, m₂, ..., mₙ, the attacker is given 𝜎 <- S(sk, mᵢ)

Outline what the below algorithm is for in a digital signature scheme: G

G() is the generator - it outputs a key pair (pk, sk)

Outline the following requirement for a Zero-Knowledge Proof: Soundness

If the statement is false, a cheating prover will only have a small probability of convincing the verifier that it is true

Outline the following requirement for a Zero-Knowledge Proof: Completeness

If the statement is true, the prover can convince the verifier of this fact

How can the communication efficiency of the interactive Schnorr identification scheme be improved?

Instead of transmitting V, transmit a hash of V

Outline the steps of the Schnorr non-interactive proof

Just like interactive Schnorr, but c = H("Alice", g, gᵛ, gˣ) i.e. c is still chosen randomly by an honest verifier (the hash algo), and the prover (Alice) has her identity in the hash

Outline the selected-message attack on textbook RSA

Relies on them having access to the public key pk = (N, e), and being able to get signatures for m₁ and m₂, which is easy if they have access to two or more message/signature pairs that the victim sent

Outline what the below algorithm is for in a digital signature scheme: S

S(sk, m) is for signing - it outputs signature 𝜎

In a Schnorr signature, what is x? (i.e. what is its purpose?)

The private key

Outline how Textbook RSA signatures work

The signature is just the encrypted message, and verification is just decrypting and checking if the messages match

In the Schnorr identification scheme, what is Gq?

The subgroup of Zp*, of prime order q

Outline the following requirement for a Zero-Knowledge Proof: Zero-knowledge

The verifier learns nothing other than the fact that the statement is true

In the Schnorr identification scheme, what does the prover want to prove to the verifier?

They they hold the private key x, to a given public key X = gˣ mod p where x is from [0, q - 1]

What is the Fiat-Shamir heuristic?

Transform an interactive ZKP into a non-interactive one by replacing the verifier with the results of a cryptographic hash function (thereby fulfilling the honest verifier requirement)

In the Schnorr identification scheme, what are p and q?

Two large primes, such that q | p - 1

Outline what the below algorithm is for in a digital signature scheme: V

V(pk, m, 𝜎) is for verifying a signature - it outputs "accept" or "reject"

What is the main difference between a MAC and a digital signature?

Whether the verification can be done publicly

With regards to digital signatures, the attacker has the power to ___, and their goal is ___

With regards to digital signatures, the attacker has the power to conduct chosen message attacks, and their goal is existential forgery

In a Schnorr identification scheme, what is X?

X = gˣ mod p where x is from [0, q - 1]

What does it mean for a digital signature scheme to be consistent?

∀(pk, sk) output by G: ∀m ∈ M: V(pk, m, S(sk, m)) = "accept"


Related study sets

Chapter 2: Radio Frequency Fundamentals

View Set

Networking Essentials – Modules 13 – 16

View Set

Human Anatomy and Physiology - Checkpoints

View Set

Streetcar Named Desire Study Questions

View Set

macro: the money market: foundational concepts

View Set

LS1 Week 8 Chapter 58 Assessment and Management of Patients with Breast Disorders

View Set