Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Blind Signatures Clemens Cap Overview ASR of RSA: A Short Repetition of Rivest-Shamir-Adleman Constructing blind and non-blind signatures Applications: Electronic cash Enhancing security for RSA signatures We remember a bit of mathematics ... Arithmetic modulo n Euclidean Algorithm Inverse modulo n Phi Function Theorem of Euler 1 Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + (must be different) Divide the larger by the smaller Get a remainder 54 Remainder is smaller than the divisor Repeat the game Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + (must be different) Divide the larger by the smaller Get a remainder 54 Remainder is smaller than the divisor Repeat the game 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 Terminates eventually with a zero Why? Remainder always strictly smaller than divisor Remainder never negative Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + (must be different) Divide the larger by the smaller Get a remainder 54 Remainder is smaller than the divisor Repeat the game 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 Terminates with a number (6) which divides the initial two numbers Why? Run equations backwards ! 6 divides 12 (due to termination at 0) 6 divides 6 and 12 and therefore 54 6 divides 12 and 54 and therefore 174 6 divides 54 and 174 and therefore 228 2 Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 Terminates with greatest number (6) which divides the initial two numbers Why? Run equations forward. Assume X divides 228 and 174 Then X divides 54 Since X divides 174 and 54 so X divides 12 Since X divides 54 and 12 so X divides 6 Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 Terminates with greatest number (6) which divides the initial two numbers Since X divides 54 and 12 so X divides 6 Therefore X smaller or equal to 6 6 (as well as X) divide 228 and 174 Therefore 6 is the greatest common divisor if 228 and 174 Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 6 = 1 * 54 - 4 * 12 Delivers GCD as value and as weighted sum of the initial numbers Why? Get GCD as linear combination in pre-last step Eliminate the smaller of the two numbers (12) by going upwards 3 Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 174 = 3 * 54 + 12 54 = 4 * 12 + 6 12 = 2 * 6 + 0 12 = 1 * 174 - 3 * 54 6 = - 4 * 174 + 13 * 54 6 = 1 * 54 - 4 * 12 6 = 1 * 54 - 4 * 12 Delivers GCD as value and as weighted sum of the initial numbers Why? Get GCD as linear combination in pre-last step Eliminate the smaller of the two numbers (12) by going upwards Eliminate the smaller of the two numbers (54) by going upwards Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 54 = 1 * 228 - 1 * 174 6 = 13 * 228 - 17 * 174 174 = 3 * 54 + 12 12 = 1 * 174 - 3 * 54 6 = - 4 * 174 + 13 * 54 54 = 4 * 12 + 6 6 = 1 * 54 - 4 * 12 6 = 1 * 54 - 4 * 12 12 = 2 * 6 + 0 Delivers GCD as value and as weighted sum of the initial numbers Why? Get GCD as linear combination in pre-last step Eliminate the smaller of the two numbers (12) by going upwards Eliminate the smaller of the two numbers (54) by going upwards Now we are done Euclidean Algorithm Start: Numbers 228 and 174 228 = 1 * 174 + 54 54 = 1 * 228 - 1 * 174 6 = 13 * 228 - 17 * 174 174 = 3 * 54 + 12 12 = 1 * 174 - 3 * 54 6 = - 4 * 174 + 13 * 54 54 = 4 * 12 + 6 6 = 1 * 54 - 4 * 12 6 = 1 * 54 - 4 * 12 12 = 2 * 6 + 0 Terminates with greatest common divisor GCD Delivers GCD as value and as weighted sum of the initial numbers GCD ( 228 , 174 ) = 6 = 13 * 228 - 17 * 174 4 Inverse modulo n Inverse modulo n Let x and n have no common divisor, then there is a y such that x * y = 1 mod n We have GCD ( x, n ) = 1 Get GCD as weighted sum: 1 = GCD ( x, n ) = a * x + b * n Take modulo n the equation 1=a*x+b*n 1 = a * x modulo n Phi Function Remove (p-1) numbers q, 2q, 3q, ..., (p-1)q Euler Phi Function (n) Number of all positive numbers less-or-equal n having no common divisor with n (5)=#{1 1, 2 2, 3 3, 4 4, 5 } = 4 p prime Remove (q-1) numbers p, 2p, 3p, ..., (q-1)p ( p ) = # {1, 2, 3, ..., p - 1, p} = p - 1 Remove p * q All numbers p, q primes ( p * q ) = # {1, 2, ..., p * q } = p * q - ( q-1 ) - ( p-1 ) - 1 = (p - 1) * (q - 1) ( 6 ) = # { 1, 2, 3, 4, 5, 6 } = 6 - 2 - 1 - 1 = 2 = (3-1) * (2-1) Theorem of Euler Theorem of Euler Let x and n have no common divisor, then we have x ( n ) = 1 mod n Let Z = {a1, a2, ..., a (n) } be all positive numbers less-or-equal n, having no common divisor with n x * Z = {x*a1, x*a2, ..., x*a (n) } is exactly the same set (modulo n) since we may divide by x Product of all numbers in x * Z = Product of all numbers in Z x*a1 * x*a2 * ... * x*a (n) = a1 * a2 * ... * a (n) x ( n ) = x*x*...*x* = 1 mod n 5 RSA Algorithm Pick to different and large primes p, q Calculate n = p * q Chose number e, sharing no divisor with (n) Get d as inverse mod (n) to e: e * d = 1 mod (n) RSA Operations Rd ( x ) := xd mod n Re ( x ) := xe mod n Core Property Re ( Rd ( x ) ) = x mod n Rd ( Re ( x ) ) = x mod n (x e)d = x e*d = x 1+k(n) = x * x k(n) =x * (x(n))k = x * 1k = x RSA Assumption Assumption: It is difficult to split a large number n into prime factors p, q Known: If n is publically known then determining e from d is as difficult as splitting n into prime factors p, q Every person is associated with two keys A public key (n,e) known to everybody A private key d known only to this person RSA Signature Public key of Alice (n,e) Private key of Alice d Rd I love you only owner of d (Alice) is able to to so Re eRqWEgF26JhK I love you only owner of e (everybody) can do so Everybody can check that Alice is in love by applying Re Only Alice can produce such a message by applying Rd 6 RSA Encryption Public key of Alice (n,e) Private key of Alice d My bank PIN is 123 Re Rd qeoi23458swr only owner of e (everybody) can do so My bank PIN is 123 only owner of d (Alice) is able to to so Everybody can encrypt secrets to Alice Only Alice can reproduce the original message Can we use an RSA digital signature to implement electronic cash? Idea Alice presents 1$ at the bank Alice receives an electronic document "This document has a value of 1$ and serial number 3456" This electronic document is signed by the bank Alice now pays with this document 7 Problems Problem 1: Keeping the right When Alice hands over the signed document to Bob she might keep a copy of the signed document Problem 2: Double Spending Alice might used a signed document to pay to Bob and Carol Problem 3: No privacy When Bob presents the document to the bank to get his 1$ the bank may check the serial number and sees that it was Alice who paid Bob Solutions Database of spent coins Before accepting a digital document as a coin I ask the bank if it has been used already Blind Signature The bank signs the document but without seeing the serial number Needs a new concept of blind signature ! Blind Signature By D. Chaum Bob has public key (n,e) and private key d Alice wants a (blind) signature of Bob on document x Alice choses blinding factor B Alice sends y = x * Re ( B ) mod n to Bob Bob signs and sends z = Rd ( y ) to Alice Alice calculates inverse G to B, ie. G * B = 1 mod n Alice calculates z*G 8 Blind Signature by D. Chaum What did Alice receive? z*G Blind Signature by D. Chaum What did Alice receive? z * G = yd * G Definition of z z = Rd ( y ) Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G Definition of y y = x * Re ( B ) mod n 9 Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G = (x * Be)d * G Definition of Re ( B ) R e ( B ) = Be Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G = (x * Be)d * G = xd * Be*d * G Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G = (x * Be)d * G = xd * Be*d * G = xd * B * G Core property of RSA Re ( Rd ( B ) ) = B mod n 10 Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G = (x * Be)d * G = xd * Be*d * G = xd * B * G = xd G was the inverse to B mod n B * G = 1 mod n Blind Signature by D. Chaum What did Alice receive? z * G = yd * G = (x * Re ( B ) )d * G = (x * Be)d * G = xd * Be*d * G = xd * B * G = xd Alice has obtained the signature xd = Rd ( x ) Properties Blind signature allows Alice to Receive a signature from Bob on a document Without Bob knowing the signed document Application: Bank signs a digital bank note Bank does not know the serial number When digital bank note is handed in to bank bank checks signature and stores serial to protect against double spending 11 Problem 1 Blind signatures are unwanted in normal life. Consequence 1: Do not digitally sign arbitrary data Normally, not docs but hashes of docs are signed Must verify, that data indeed is hash of the doc you want 2 sign Consequence 2: Randomize signed document You sign hash value R You think you sign document X, since hash(X) = R Your opponent will claim you signed document Y, since hash(Y)=R Issue: Opponent pre-pares docs X and Y such that hash(X)=hash(Y) and can use years of preparation in advance Defence: When signing document X, both parties add random noise N and M and produce hash(XNM) – so nobody can pre-pare hash collisions Problem 2 Consequence 2: For intentional blind signatures, use different key pair than for normal contract signing Idea: Every key should have a clear "purpose" Think: Car sales contract shows up signed with a key "for blind signature only" 12