diff --git a/content/Basic Cryptography/Basic Cryptography.md b/content/Basic Cryptography/Basic Cryptography.md index 1966f47..68ea335 100644 --- a/content/Basic Cryptography/Basic Cryptography.md +++ b/content/Basic Cryptography/Basic Cryptography.md @@ -16,4 +16,6 @@ - [[Ring Learning with Errors(RLWE)]] - [[Module Learning with Errors(MLWE)]] - [[Hash function]] -- [[Merkle Tree]] \ No newline at end of file +- [[Merkle Tree]] +- [[Digital Signature]] +- [[Schnorr Signature]] \ No newline at end of file diff --git a/content/Basic Cryptography/Digital Signature.md b/content/Basic Cryptography/Digital Signature.md new file mode 100644 index 0000000..ccf686f --- /dev/null +++ b/content/Basic Cryptography/Digital Signature.md @@ -0,0 +1,25 @@ +## Intro +A digital signature is an electronic signature used to verify the **authenticity and integrity** of electronic documents or data. It also ensures **non-repudiation**, meaning the digital signature's author cannot dispute its authorship. Based on these properties, the digital signature proves that specific data was created by a specific individual or organization and ensures that the data has not been altered during transmission. + +## Design +Digital signatures are created using [[Asymmetric key encryption|public key cryptography]] and [[Hash function|hash]]. The high-level process is as follows: +1. **Key Generation**: The key generation process creates a public key and a corresponding private key. The generated public key is delivered to the verifier for the verification process, which can be facilitated by Public Key Infrastructure (PKI) or other methods. +2. **Signing** + 1. **Hashing**: The sender first hashes the original message to be signed and appends the digest to the message. (Padding can be added optionally) + 2. **Encryption**: The sender signs the (message || digest) using the sender's private key generated in step 1. +3. **Verifying**: The receiver checks the following: + 1. **Message Authenticity**: Decrypt the ciphertext message into (message || digest) using the sender's public key obtained in step 1. + 2. **Message Integrity**: Calculate the message digest and compare it to the received digest (Hash(message) == digest?). + +This process describes the scenario when using the hash-then-sign method, which is the most commonly used in digital signatures. Performing simple signatures without hashing is not recommended as it is vulnerable to key-only existential forgery attacks. + +### Why hash-then-sign? - Forgery attacks +Let $(𝑒,𝑁)$ be your public signature verification key of [[RSA]], then the attacker can randomly choose a signature $𝜎 \in \mathbb{Z}_N$ and compute the corresponding message as $𝑚 \equiv 𝜎^𝑒 \mod 𝑁$. Then, the attacker successfully generates your signature on a message you have never signed. However, if a hash (and padding) is appended to the plaintext, the attacker cannot easily generate a valid signature because they cannot control the message $m$. + +## Digital Signature Algorithms +- [[RSA]] with [[SHA]] ([[Hash function|hash algorithm]]) +- [[ECDSA]] with SHA +- [[ElGamal]] +- [[Schnorr Signature]] +- [[Rabin Signature]] +- [[BLS]] and other pairing-based schemes diff --git a/content/Basic Cryptography/Schnorr Signature.md b/content/Basic Cryptography/Schnorr Signature.md new file mode 100644 index 0000000..a19ce03 --- /dev/null +++ b/content/Basic Cryptography/Schnorr Signature.md @@ -0,0 +1,42 @@ +## Introduction +Schnorr signatures are a type of [[Digital Signature|digital signature]] scheme that provides a secure method for signing and verifying messages. They were proposed by Claus-Peter Schnorr and are known for their simplicity, efficiency, and strong security properties. Schnorr signatures are widely regarded for their compact size and the computational efficiency they offer compared to other signature schemes. + +## Design +The design of Schnorr signatures is based on the difficulty of solving the [[Discrete logarithm problem|discrete logarithm problem]] in [[Cyclic Group|cyclic groups]], a common hard problem in cryptography. The scheme involves three key components: a private key, a public key, and a signature generation and verification process. The private key is a randomly chosen number, while the public key is derived from the private key using a predefined base point on an elliptic curve or a large prime number in a finite field. + +### Global parameters $(g, p, q)$ +Schnorr signatures work with the **prime modulo p** such that p-1 has a **prime factor q**. Usually, the appropriate size of p and q is **1024 bits and 160 bits**, respectively. Both parties should agree on a group $Z_p^*$ and its cyclic subgroup $Z_p^*$, whose generator is $g$ such that $g ^ q ≡ 1 \mod p$. + +## How it works + +### Interactive version (Schnorr Identification Protocol) +![[schnorr_signature(1).png]] +1. **Key Generation**: A prover generates a private key $\omega$ by selecting a random integer. The corresponding public key $x$ is computed as $x = g^\omega\mod p$. +2. **Commitment** + - The prover selects a random value $r$ and computes $a = g^r \mod p$ and sends $a$ to the verifier. +3. **Challenge** + - The verifier sends a random challenge number $c$ to the prover. + - The prover calculates the response $z = r + c\omega \mod q$. + - $q$ is the order of the [[Cyclic Subgroup|cyclic subgroup]] and divides $p-1$. ($q$ is a prime number) +4. **Verification** + - The verifier checks if $g^z \mod p$ is equal to $a \cdot x^c \mod p$. + - Here, $a \cdot x^c = g^r \cdot x^c = g^r \cdot g^{\omega c} = g^{r + \omega c} = g^z \mod p$ holds. + - Therefore, if the equality holds, the signature is valid; otherwise, it is invalid. + +This verification ensures that the prover has knowledge of the private key $x$, without revealing the private key itself. That is why this protocol can be regarded as one of the [[Zero Knowledge Proofs|zero-knowledge protocols]]. + +### Non-interactive version (Schnorr Signature) +The interactive version of the Schnorr protocol can be revised to a non-interactive version using the Fiat-Shamir transform. This is what is called the Schnorr signature, whose process involves the following steps: +![[schnorr_signature(2).png]] +1. **Key Generation**: A prover generates a private key $\omega$ by selecting a random integer. The corresponding public key $x$ is computed as $x = g^\omega\mod p$. +2. **Signature Generation**: To sign a message $m$, the signer: + - Selects a random value $r$ and computes $a = g^r \mod p$. + - Computes the hash $e = H(m \| a)$, where $H$ is a cryptographic hash function. + - Calculates the signature $z = r + c\omega \mod q$. + The signature on the message $m$ is the pair $(r, s)$. +3. **Signature Verification**: To verify the signature $(r, s)$ on a message $m$: + - The verifier computes $e = H(m \| a)$. + - Checks if $g^z \mod p$ is equal to $a \cdot x^c \mod p$. + - If the equality holds, the signature is valid; otherwise, it is invalid. + +This ensures that the signature could only have been produced by someone with knowledge of the private key $x$. diff --git a/content/Basic Cryptography/images/schnorr_signature(1).png b/content/Basic Cryptography/images/schnorr_signature(1).png new file mode 100644 index 0000000..25ea22f Binary files /dev/null and b/content/Basic Cryptography/images/schnorr_signature(1).png differ diff --git a/content/Basic Cryptography/images/schnorr_signature(2).png b/content/Basic Cryptography/images/schnorr_signature(2).png new file mode 100644 index 0000000..b002014 Binary files /dev/null and b/content/Basic Cryptography/images/schnorr_signature(2).png differ