
There are two major problems with the public key-based signature schemes we have seen.

(1) They are existentially forgeable.

(2) If the message is long then the signature will take a long time to compute. (Recall that in practice most public key cryptosystems are not used to encrypt long messages, rather they are used to encrypt short session keys.) The common solution employed to overcome both of these problems is the use of a hash function. We give only an informal definition of what this is.

A hash function $h$ should map a (possibly lengthy) message to a small digest $h(M)$, called the hash of the message. Ideally it has the following properties.

(H1) The length of $h(M)$ should be small so that it can be signed efficiently.

(H2) The function $h$ should be a publicly known one-way function.

(H3) It should ‘destroy algebraic relationships’ between messages and signatures.

(H4) It should be ‘collision-resistant’, that is it should be difficult to find two messages with the same hash value.

Of all these conditions the last two are the most difficult to formalise. Before examining what these conditions mean we describe how to use a hash function in a signature scheme.

Assuming that Alice and Bob have chosen a hash function $h$, the public key-based signature schemes we have described in previous sections can be adapted so that rather than signing the message, $M$, Alice instead signs the hash of the message, $h(M)$. To be precise the new scheme works as follows.

Example 8.9 A generic ‘hash then sign’ signature scheme.

(1) Setup.

(a) Alice and Bob first agree on a hash function $h$ to use.

(b) Alice then chooses her public and private keys and publishes her public key.

8.5 The importance of hashing 179

(2) Signing. If Alice wishes to sign a message $M$ she does the following.

(a) She first computes the hash of the message, $H = h(M)$.

(b) She then uses her private key to sign the hash, as $S = d_A(H)$.

(c) Finally she sends the pair $(M, S)$ to Bob.

(3) Verification. Bob checks the signature as follows.

(a) He computes the hash of the message $H = h(M)$.

(b) He uses Alice’s public key to check that the signature is authentic and accepts iff the following identity holds

$$e_A(S) = e_A(d_A(H)) = H.$$

One immediate advantage of this type of scheme is that rather than signing a message by ‘decrypting’ a possibly lengthy message Alice now signs by computing the hash of the message and then ‘decrypting’ this short hash value. This will generally result in significant efficiency savings.

Now that we know how Alice and Bob will use a hash function in their signature scheme we can return to the definition of a hash function and in particular discuss the last two conditions: (H3) ‘destroying algebraic relationships’ and (H4) ‘collision-resistant’.

To motivate condition (H3), recall the attack on the RSA scheme that showed it was universally forgeable under a chosen-message attack (see Proposition 8.2 (b)). This result relied on the fact that if

$$M = M_1 M_2 \bmod n$$

and $M_i$ has signature $S_i$ then the signature of $M$ is

$$S = S_1 S_2 \bmod n.$$

If we want a hash function to be useful in thwarting such an attack then we need to make sure that the following identity does not hold

$$h(M_1)\,h(M_2) = h(M) \bmod n.$$

This is because if it does then the attack described in Proposition 8.2 (b) still works. This is an example of the type of algebraic relationship which the hash function should destroy.

In general the exact ‘algebraic properties’ that we wish the hash function to destroy will vary from one signature scheme to another.
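As an added worked example (not from the book), the hash-then-sign scheme of Example 8.9 instantiated with a toy textbook RSA key and SHA-256 as $h$, together with a check of the multiplicative forgery of Proposition 8.2 (b) with and without hashing; the key values and messages are constructed.

```python
import hashlib

# Toy RSA key pair for Alice (constructed for illustration; real moduli are
# thousands of bits): n = 61 * 53, e = 17, d = e^-1 mod (60 * 52) = 2753.
N, E, D = 3233, 17, 2753

def h(msg: bytes) -> int:
    """Hash h(M): SHA-256 digest reduced into Z_n so it can be signed (H1)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """Signing step (2): H = h(M), then S = d_A(H) = H^d mod n."""
    return pow(h(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Verification step (3): accept iff e_A(S) = S^e mod n equals h(M)."""
    return pow(sig, E, N) == h(msg)

def to_bytes(m: int) -> bytes:
    """Encode a message integer M in Z_n as bytes for hashing (n < 2^16)."""
    return m.to_bytes(2, "big")

def forgery_without_hash(m1: int, m2: int) -> bool:
    """Proposition 8.2 (b): with raw RSA signatures S_i = M_i^d mod n,
    S = S1*S2 mod n is always a valid signature on M = M1*M2 mod n."""
    s = pow(m1, D, N) * pow(m2, D, N) % N
    return pow(s, E, N) == m1 * m2 % N

def forgery_with_hash(m1: int, m2: int) -> bool:
    """Same attack against hash-then-sign: S1*S2 verifies on M = M1*M2 mod n
    only if h(M1)h(M2) = h(M) mod n, the relationship (H3) asks h to destroy."""
    s = sign(to_bytes(m1)) * sign(to_bytes(m2)) % N
    return verify(to_bytes(m1 * m2 % N), s)

def relation_holds(m1: int, m2: int) -> bool:
    """Does h(M1)h(M2) = h(M1*M2 mod n) mod n hold for this pair?"""
    return h(to_bytes(m1)) * h(to_bytes(m2)) % N == h(to_bytes(m1 * m2 % N))
```

With raw RSA the forgery succeeds for every pair of messages; with hashing it succeeds exactly when the algebraic relation survives, which for a good hash is a chance event of probability about 1/n.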

180 8 Digital signatures

The other condition, of ‘collision-resistance’, refers to a problem that is actually introduced by using hash functions, rather than an existing problem in signature schemes. If we wish to ensure that a forger Fred cannot substitute his message for a message $M$ which Alice has signed then it is essential that Fred cannot find another message $M'$ such that $h(M') = h(M)$. Since if he can find such a message, then he can replace $M$ by $M'$ and, since both messages have the same hash value, the signature for $M$ will still be valid as a signature for $M'$. Thus we say that a hash function $h$ is collision-resistant if it is computationally infeasible for an adversary to find two messages $M_1$ and $M_2$ such that $h(M_1) = h(M_2)$ (such a pair of messages is known as a collision). However, this is rather difficult to make precise. Since a hash function maps long messages to short hash values and in general there will be a large number of possible messages (far greater than the number of possible hash values) there will generally be lots of pairs of messages that have the same hash value. When this is true there clearly exists an extremely short algorithm for describing collisions: it simply outputs two messages that collide! However, in reality what matters is whether anyone can actually figure out what this algorithm is.

A family of widely used hash functions is described in the Secure Hash Standard (FIPS 180-2). These consist of SHA-1, which is the hash function designated for use in the Digital Signature Standard, together with SHA-256, SHA-384 and SHA-512. These functions map messages to hash values of lengths 160, 256, 384 and 512 bits respectively. Despite the fact that the compression involved implies that there are an extremely large number of possible messages that collide (SHA-1 maps a message space of size $2^{2^{64}}$ to a hash space of size $2^{160}$) no-one has yet found even a single pair of messages that collide! (However, a recent attack on SHA-1 requiring work of order $2^{63}$ to find a single collision suggests that this may not hold true for much longer.)

As a concrete example of a hash function consider the following, due to Chaum, van Heijst and Pfitzmann (1992).

Let $p$ be a safe prime, that is $p$ is of the form $2q + 1$, where $q$ is also prime. Let $a, b$ be distinct primitive roots modulo $p$ and define

$$h : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_p^*, \qquad h(x, y) = a^x b^y \bmod p.$$

It can be shown (by case analysis, see Problem 8.10) that given a single collision for $h$ there is a polynomial time algorithm to compute $\log_a b \bmod p$. However, as we will see in the next section, to withstand even the simplest attack $p$ must be large.
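Added example (not the book's own code): the Chaum, van Heijst and Pfitzmann function on a toy safe prime, a brute-force collision search that is only feasible because $q$ is tiny, and the reduction from a collision to $\log_a b$ that Problem 8.10 asks for; the parameters $p = 23$, $a = 5$, $b = 7$ are constructed.

```python
from math import gcd

# Toy parameters (constructed; far too small for real use): p = 23 is a safe
# prime, p = 2q + 1 with q = 11, and 5, 7 are distinct primitive roots mod 23.
P, Q, A, B = 23, 11, 5, 7

def h(x: int, y: int) -> int:
    """Chaum-van Heijst-Pfitzmann hash: h(x, y) = a^x b^y mod p."""
    return pow(A, x, P) * pow(B, y, P) % P

def find_collision():
    """Brute-force search of Z_q x Z_q for two inputs with the same hash.
    Only feasible because q is tiny; it shows that collisions do exist."""
    seen = {}
    for x in range(Q):
        for y in range(Q):
            v = h(x, y)
            if v in seen:
                return seen[v], (x, y)
            seen[v] = (x, y)
    return None

def dlog_from_collision(c1, c2) -> int:
    """Turn a collision h(x1,y1) = h(x2,y2) into L = log_a b mod p.
    a^(x1-x2) = b^(y2-y1) gives (y2-y1) * L = (x1-x2) mod (p-1), and with
    0 <= y < q the gcd of (y2-y1) and p-1 = 2q can only be 1 or 2."""
    (x1, y1), (x2, y2) = c1, c2
    n = P - 1                       # order of a primitive root
    dy, dx = (y2 - y1) % n, (x1 - x2) % n
    if dy == 0:
        # then a^(x1-x2) = 1 with |x1-x2| < q < n, so the inputs were equal
        raise ValueError("not a collision")
    d = gcd(dy, n)                  # 1 or 2; for a real collision it divides dx
    m = n // d
    base = (dx // d) * pow(dy // d, -1, m) % m
    for k in range(d):              # at most two candidates: base, base + q
        cand = base + k * m
        if pow(A, cand, P) == B:
            return cand
    raise ValueError("inputs do not collide")
```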