Let's Talk About Digital Signatures


Originally published at: https://alphawallet.com/cn/聊聊数字签名digital-signature/
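Digital signatures (I don't mean doodles made with an Apple Pen on a PDF, but cryptography-based mathematical signatures with anti-forgery properties) have, 40 years after their invention, finally gained recognition in essentially every country. A legally recognised digital signature requires a certificate, which proves the signer's real-world identity. Some countries have preferences about the issuing organisation: China, for example, requires the issuer to obtain a licence from the Ministry of Industry and Information Technology (MIIT), while in countries such as Germany and Denmark the government issues certificates directly. Here in Singapore, Netrust appears to be the only certificate issuer accredited under Singapore's 2010 Electronic Transactions Act.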

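In order to be a good citizen who listens to the Party, I applied to the designated issuer for a certificate for our startup, so that we can use digital signatures to sign contracts in Singapore perfectly legally. I think this is a good opportunity to give a primer on digital signatures and, along the way, comment on the strengths and weaknesses of different countries' digital signature technology.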

The certificate I obtained from Netrust is 2048-bit RSA, stored in an Aladdin-brand USB token.

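2048-bit RSA is fairly standard nowadays. Not because it is absolutely secure against forgery, but because it does well on both efficiency and security. Efficiency here means the number of signatures a USB token can produce per second. Obviously, for something like signing contracts, there is little practical difference between signing 1,000 per second and signing one every 10 seconds. Add to that the fact that contracts often remain in force for ten years, and this 2048-bit RSA looks rather makeshift next to the Estonian e-residency certificate, which manages only one signature every 10 seconds. In fact, forging an Estonian e-residency certificate by brute force is a million million million million times (1 followed by 24 zeros) harder than forging this Singaporean one.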

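Why doesn't Singapore use such a high-strength signature system? Efficiency is actually not the point. Some companies require every email to carry a digital signature, so being able to sign faster does have its benefits (Xie Jianhan (谢剑唅), a leading blockchain figure in China, signs every one of his emails with 2048-bit RSA, even though no boss forces him to), but even if forgery were made 1,000 times harder, nobody would feel the difference. So why are we still using this technology?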

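One reason is lagging software support. Most contract files today are PDF version 1.5, which supports at most 2048-bit RSA certificates. When it comes to supporting security technology, Adobe could be called an incorrigible reactionary: every technology update is made only when it absolutely has to be. Many email clients cannot verify more secure signatures.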

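In fact, Estonia, the world leader in digital signature technology, uses a new file format, ASICE, which follows EU standards (rather than PDF), partly because PDF does not yet support the secure signature technology it uses, 384-bit ECDSA. Other reasons are that Estonia has additional security requirements, such as attesting the date of a digital signature, and administrative convenience: a contract and its several attachments can be signed together without having to be combined into a single PDF file. That said, everyone feels there are already too many computer file formats.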

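Having got this far, I should explain why ECDSA is the more secure technology. In the decades since it was invented, ECDSA drew little interest despite its better performance, until Bitcoin came along using 256-bit ECDSA and people started paying attention. Satoshi Nakamoto, Bitcoin's inventor, knew that the security of digital signatures is reckoned in decades. The 2048-bit RSA that is popular today was, 20 years ago, military technology that the United States banned from export, while the civilian technology of the time was only about one millionth as hard to forge. Today we consider 2048-bit RSA secure; in twenty years it will no longer be secure enough. Bitcoin could well live for twenty years, Satoshi thought, so it should use the latest cryptography.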

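I should point out here that cryptographic techniques generally take 30 years to go from invention to practical use. ECC, for example, was invented in the 1980s, and people had only just begun to use it when Satoshi Nakamoto invented Bitcoin. In the last few years, the cycle from invention to practical use has shrunk to between six months and a year, all because of blockchain; previously, cryptographers often did not expect to see their inventions widely used within their lifetimes.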

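Although the adoption of cryptography has been very slow, only entering Great Leap Forward mode after Satoshi Nakamoto, things do not look bad from here in Singapore. The government requires digital signatures when construction contracts are filed for the record; otherwise a forged signature would not be discovered until it came to a lawsuit. Individuals also often apply for digital signatures, although most use them for only one thing, submitting vehicle administration documents (the department concerned accepts only digitally signed files).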

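At this point I have a piece of news to share. In the second half of last year (2017), the new PDF 2.0 standard, ISO 32000-2:2017, finally, finally, 30 years after ECDSA was invented, announced that PDF files are compatible with ECDSA! At this rate, within ten years someone will be able to sign PDF contracts with ECDSA; by then, though, digitally signed PDF contracts will have gone out of fashion, because everything will be signed with smart contracts.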

http://tools.ietf.org/html/draft-ietf-msec-mikey-ecc-03

Digital signatures (not the graffiti made with an Apple Pen on a PDF file; I am referring to tamper-resistant cryptographic signatures) are now recognised as legitimate in most countries in the world, 40 years after their invention. To be legally binding, such signature schemes always require a certificate issued by some identity-checking organisation. Many countries have their preferences on which organisations can do this; for example, in China, such an organisation needs to acquire a licence from MIIT. Here in Singapore, Netrust is perhaps the only certificate issuer accredited under the Singapore Electronic Transactions Act (ETA 2010).

Happy to be a law-abiding citizen, I purchased a certificate for our new startup behind AlphaWallet to sign contracts perfectly legally in Singapore. I think it's also a good opportunity to explain the technical details behind this.

The key is stored in an Aladdin Knowledge Systems Token JC, a pretty common USB security device. The key is 2048-bit RSA.

2048-bit RSA keys are fairly standard nowadays, not because they are secure enough, but because they strike a good balance between security and efficiency, measured by the number of signatures a computer can produce in a second. In some cases, the efficiency matters.

Yet that efficiency is not relevant in the case of contract signing. By common sense, the incentive to falsify a contract is measured in decades. Therefore contracts demand better keys. This is the line of reasoning behind Estonia's e-resident program, which uses a much stronger 384-bit ECDSA key. (It is also the reason why Estonia's scheme included a reliable timestamp.)

ECDSA refers to a strong Digital Signature Algorithm which gained popularity through Bitcoin, while RSA is the ageing standard signing algorithm. To compare, the 2048-bit RSA key in the Netrust Corporate NetID has a security rating of 112 bits; the 384-bit ECDSA Estonian e-residency key has a security rating of 192 bits. The difference is 80 bits, that is, a factor of 2⁸⁰ in the amount of effort needed to break it by brute force. In layman's terms, if one computer can break Netrust's cypher, it would take one million million million million such computers to break the Estonian e-residency cypher.

Is it too secure? Probably not. It took us about two decades to shift the common SSL key from 1024-bit RSA to 2048-bit RSA. The latter is more than one billion times more difficult to break than the former. At this pace, most readers will still be alive when the Estonian e-residency cypher becomes the most common one. If your contract has an impact longer than that, say, a real-estate purchase contract, you are not abusing the cryptographic power by using an Estonian e-residency identity to sign it.

If ECDSA keys are so much better suited for contracts, why doesn't everybody use them?

The answer is software support. In the realm of contract signing, the limitation comes from PDF, the most common contract file format. PDF has consistently lagged behind developments in the security community. PDF files are commonly in version 1.5, which has a limit of 2048-bit RSA keys. In 2012, PDF became an ISO standard, with 4096-bit RSA, and hasn't grown from there since. Newer and stronger stuff like ECDSA, which has only three decades of existence, is expected not to be let in.

To work around this, the Estonian e-residency program uses a new format called ASICE. PDF has the digital signature inside. ASICE has the signature outside and the PDF inside, so it is not limited by PDF's security features. This has a lot of uses. For example, a contract and all its attachments can be signed together. Signing by a group of people becomes easier, too. But the new format is generally frowned upon by anyone who receives it because they don't know how to open it.

By late 2017, there came a piece of good news. The PDF 2.0 standard, also called ISO 32000-2:2017, started to support ECDSA. It's hard to say if Adobe started to heed the voice of security experts, or if the international community behind the ISO standard went for it. In theory, it means users with high security expectations, like Estonian e-residents, should be able to sign in PDF 2.0. In practice, the applications to do so are still missing, and the adoption of the new standard is slow. Up to today, I have never received any PDF file using the new 2.0 format, signed or not.

Despite the disappointing speed of development, the progress is evident. In Singapore, some government offices which keep records of building construction contracts and vehicle purchase contracts require them to be digitally signed, so that the validity of these signatures can be verified, whereas wet (ink) signatures can't be verified at all.

As for the future, there is no doubt we will see more use of digital signatures, thanks to technologies of prominent utility. Blockchain technology, for the first time, allowed automated transaction settlement through the use of smart contracts, and the Estonian e-residency program is the first to allow bank accounts to be opened remotely without intermediary law firms.

http://tools.ietf.org/html/draft-ietf-msec-mikey-ecc-03
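
The strength comparison made in the post (112 bits for 2048-bit RSA against 192 bits for 384-bit ECDSA, and the step from 1024-bit to 2048-bit RSA), worked through as an added example that is not part of the original post. The table values are the comparable strengths from NIST SP 800-57 Part 1; the function names and the use of the uncalibrated number-field-sieve cost formula as a second, independent estimate are assumptions of this example.

```python
import math

# Comparable strengths (symmetric-equivalent bits) for RSA modulus sizes,
# as tabulated in NIST SP 800-57 Part 1.
NIST_RSA = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

def ecdsa_bits(curve_bits: int) -> int:
    """The best generic attack on an elliptic-curve key (Pollard rho) costs
    about sqrt(group order) operations: half the curve size in bits."""
    return curve_bits // 2

def rsa_gnfs_bits(modulus_bits: int) -> float:
    """log2 of the asymptotic general number field sieve cost,
    exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)), uncalibrated."""
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def rsa_bits_for_strength(target_bits: int) -> int:
    """Smallest RSA modulus (in 256-bit steps) whose GNFS estimate
    reaches target_bits of work."""
    size = 512
    while rsa_gnfs_bits(size) < target_bits:
        size += 256
    return size

def effort_ratio(weaker_bits: float, stronger_bits: float) -> float:
    """How many times more brute-force work the stronger key demands."""
    return 2.0 ** (stronger_bits - weaker_bits)

def report() -> dict:
    rsa2048, p384 = NIST_RSA[2048], ecdsa_bits(384)
    return {
        "gap_bits": p384 - rsa2048,
        "p384_vs_rsa2048": effort_ratio(rsa2048, p384),
        "rsa2048_vs_rsa1024_nist": effort_ratio(NIST_RSA[1024], rsa2048),
        "rsa2048_vs_rsa1024_gnfs": effort_ratio(rsa_gnfs_bits(1024),
                                                rsa_gnfs_bits(2048)),
        # RSA size needed to match a 384-bit curve; PDF 1.5 stops at 2048.
        "rsa_size_matching_p384": rsa_bits_for_strength(p384),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3g}")
```

The uncalibrated GNFS estimate lands a few bits above the NIST table values, but both put the 1024-bit to 2048-bit step above a factor of one billion.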