Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

Published byRickey Anable Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants."— Presentation transcript:

1 1 Chapter 7-2 Signature Schemes

2 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants of the ElGamal Signature Scheme The Schnorr Signature Scheme The Digital Signature Algorithm The Elliptic Curve DSA [5] Signatures with additional functionality Blind Signatures Undeniable Signatures Fail-stop Signatures

3 3 [4] Variants of the ElGamal Signature Scheme Schnorr Signature Scheme Proposed in 1989 Greatly reduced the signature size Digital Signature Algorithm (DSA) Proposed in 1991 Was adopted as a standard on December 1, 1994 Elliptic Curve DSA (ECDSA) FIPS 186-2 in 2000

4 4 Let p be a prime such that the DL problem in Z p * is intractable, and let q be a prime that divides p-1. Let α be a q th root of 1 modulo p. Define K={ (p,q,α,a,β):β=α a mod p } p,q,α,β are the public key, a is private Schnorr Signature Scheme

5 5 For a (secret) random number k, define sig(x,k)=(γ,δ), where γ=hash(x||α k ) andδ=k+aγ mod q For a message (x,(γ,δ)), verification is done by performing the following computations: ver(x,(γ,δ))=true iff. hash(x||α δ β -γ )=γ

6 6 If the signature was construct correctly, the verification will succeed since α δ β - γ =α k+a γ α -a γ =α k

7 7 Schnorr Signature Scheme Example We take q=101, p=78q+1=7879, α=170, a=75, then β =170 75 mod 7879=4567 To sign the message m=15, Alice selects k=50; Then γ =hash(15||170 50 ), δ=5+75*γ mod 101 (15,(γ,δ)) is the signed message

8 8 Digital Signature Algorithm Let p be a L-bit prime such that the DL problem in Z p * is intractable, and let q be a 160-bit prime that divides p-1. Let α be a q th root of 1 modulo p. Define K={ (p,q,α,a,β): β=α a mod p } p,q,α,β are the public key, a is private L=0 mod 64, 512≤L≤102 4

9 9 For a (secret) random number k, define sig (x,k)=(γ,δ), where γ=(α k mod p) mod q and δ=(SHA-1(x)+aγ)k -1 mod q For a message (x,(γ,δ)), verification is done by performing the following computations: e 1 =SHA-1(x)*δ -1 mod q e 2 =γ*δ -1 mod q ver(x,(γ,δ))=true iff. (α e 1 β e 2 mod p) mod q=γ

10 10 Notice that the verification requires to compute: e 1 =SHA-1(x)*δ -1 mod q e 2 =γ*δ -1 mod q when δ=0 (it is possible!), Alice should re- construct a new signature with a new k

11 11 Take q=101, p=78q+1=7879, α=170, a=75; then β=4567 To sign the message SHA-1(x)=22, Alice selects k=50; Then γ =(170 50 mod 7879) mod 101=94, δ =(22+75*94)50 -1 mod 101=97 (x, (94,97)) is the signed message DSA Example

12 12 The signature (94,97) on the message digest 22 can be verify by the following computations: δ -1 =97 -1 mod 101=25 e 1 =22*25 mod 101=45 e 2 =94*25 mod 101=27 (170 45 *4567 27 mod 7879) mod 101 = 94 = γ

13 13 Elliptic Curve DSA Let p be a prime or a power of two, and let E be an elliptic curve defined over F p. Let A be a point on E having prime order q, such that DL problem in is infeasible. Define K={ (p,q,E,A,m,B): B=mA } p,q,E,A,B are the public key, m is private

14 14 For a (secret) random number k, define sig k (x,k)=(r,s), where rA=(u,v), r=u mod q and s=k -1 (SHA-1(x)+mr) mod q For a message (x,(r,s)), verification is done by performing the following computations: i=SHA-1(x)*s -1 mod q j=r*s -1 mod q (u,v)=iA+jB ver(x,(r,s))=true if and only if u mod q=r

15 15 [5] Signatures with additional functionality Blind signature schemes (1983) Undeniable signature schemes (1989) Fail-stop signature schemes (1992)

16 16 Blind signature schemes A sends a piece of information to B which B signs and returns to A. From this signature, A can compute B ’ s signature on an a priori message x of A ’ s choice (B is a signer here!) B knows neither the message x nor the signature associated with it

17 17 Chaum ’ s blind signature protocol (1983) (A is a verifier and B is a signer, (n,e) is RSA public key of B and d is RSA private key of B) 1. A randomly select a secret integer k 2. A computes x*=xk e mod n and sends it to B 3. B computes y*=(x*) d mod n and sends it to A 4. A computes y=k -1 y* mod n, which is B ’ s signature on x (Note the signer B does not know (x,y) but (x,y) is a B ’ s signed message.)

18 18 Undeniable Signatures A signature can not be verified without the cooperation of the signer First introduced by Chaum and van Antwerpen in 1989 Protects Alice against the possibility that documents signed by her are duplicated and distributed electronically without her approval

19 19 Since a signature should be verified with the cooperation of the signer, it is possible for a signer to evilly disavow a signature which signed by him previously An undeniable signature scheme should consists of a disavowal protocol between the verifier B and the signer A, such that: For a signature which is not signed by A, B will recognize it as a forgery For a signature which is signed by A, A can fool B to recognized it as a forgery with very low probability

20 20 An application of the undeniable signature A large corporation A creates a software package. A signs the package and sells it to B, who decides to make copies of this package and resell it to a third party C. C is unable to verify the authenticity of the software without the cooperation of A

21 21 Chaum-van Antwerpen undenial signature scheme Let p=2q+1 be a prime such that q is prime And the DL problem in Z p is intractable. Letα be an element of order q. Define: K={ (p, α,a,β) :β=α a mod p } 1. Signing algorithm To sign a message x, Alice computes y=sig(x)=x a mod p

22 22 2. Verification protocol Bob chooses e 1,e 2 from Z q * randomly Bob computes c=y e 1 β e 2 mod p and sends it to Alice Alice computes d=c a -1 mod q mod p and sends it to Bob Bob accepts s as a valid signature if and only if d = x e 1 α e 2 mod p

23 23 c=y e1 β e2 mod p d=c a -1 mod q mod p d ≠ x e1 α e2 mod p Two possibilities: y is not a valid signature of x y is the signature of x, she is fooling me by sending garbled d to me Signer Verifier message x, signature y

24 24 (Correctness of the signature protocol) Bob will accept a valid signature, since if s is valid: y=x a mod p, then c = y e 1 β e 2 = x ae 1 α ae 2 mod p Hence d = x e 1 α e 2 mod p as desired

25 25 I doubt that you are fooling me to disavow your signature on x c=y e1 β e2 d=(c) a -1 c ’ =y e1 ’ β e2 ’ d ’ =(c ’ ) a -1 Fact: if y≠x a, (dα -e2 ) e1 ’ =(d ’ α -e2 ’ ) e1 (dα -e2 ) e1 ’ =(d ’ α -e2 ’ ) e1 I blame her wrongly, y is not signed by her Signer Verifier

26 26 c=y e1 β e2 d=(c) a -1 c ’ =y e1 ’ β e2 ’ d ’ =(c ’ ) a -1 Fact:if y=x a, she can make (dα -e2 ) e1 ’ =(d ’ α -e2 ’ ) e1 holds with a very small probability 1/q Verifier Signer

27 27 3. Disavowal protocol (1/3) B selects random secret integers e 1,e 2 and computes c=y e 1 β e 2 mod p, and sends c to A A computes d=(c) a -1 mod p and sends d to B B checks if d=x e 1 α e 2, then he concludes that y is a valid signature of x, otherwise go to next step

28 28 Disavowal protocol (2/3) B selects random secret integers e 1 ’,e 2 ’ and computes c ’ =y e 1 ’ β e 2 ’ mod p, and sends c’ to A A computes d’=(c’) a -1 mod p and sends d’ to B B checks if d ’ =x e 1’ α e 2’, then he concludes that y is a valid signature of x, otherwise go to next step

29 29 Disavowal protocol (3/3) B checks (dα -e 2 ) e 1 ’ =(d’α -e 2 ’ ) e 1 if it holds, he concludes that y is a forgery Otherwise, he concludes that A is trying to disavow the signature

30 30 FactLet x be a message and suppose that y is A ’ s (purported) signature on x If y is a forgery, i.e., y≠x a mod p, then (dα -e 2 ) e 1 ’ =(d’α -e 2 ’ ) e 1 holds Suppose that y is indeed A’s signature for x, i.e., y=x a mod p, then (dα -e 2 ) e 1 ’ =(d’α -e 2 ’ ) e 1 holds with probability 1/q

31 31 Fail-stop Signatures In a fail-stop signature scheme, when Oscar is able to forge Alice ’ s signature on a message, Alice will (with high probability) be able to prove that Oscar ’ s signature is a forgery A fail-stop signature scheme consists of a singing algorithm, a verification algorithm and a “ proof of forgery ” algorithm

32 32 Van Heyst and Pedersen scheme (1992) Let p=2q+1 be a prime such that q is prime and the DL problem in Z p is intractable. Let α be an element of order q. Let 1≤a 0 ≤q-1 and define β =α a 0 mod p. The value of a 0 is kept secret from everyone The values p,q, α, β and a 0 are chosen by a trusted central authority

33 33 A key has the form K=(γ 1,γ 2,a 1,a 2,b 1,b 2 ) where γ 1 =α a 1 β a 2 mod p γ 2 =α b 1 β b 2 mod p (γ 1,γ 2 ) is the public key and (a 1,a 2,b 1,b 2 ) is private

34 34 To sign a message x, sig(x)=(y 1,y 2 ) where y 1 =a 1 +xb 1 mod q y 2 =a 2 +xb 2 mod q To verify a signed message (x,(y 1,y 2 )) ver(x,(y 1,y 2 ))=true iff. γ 1 γ 2 x =α y 1 β y 2 mod p

35 35 Proof of forgery – the argument If there is a signature (y 1 ’’,y 2 ’’) on a message x’ which can be verified as signing by Alice, but actually it is not signed by Alice, i.e. (y 1 ’’,y 2 ’’)≠sig(x’) then Alice can calculate the secret a 0 which was not given to her Alice shows a 0 to prove that she is innocent

36 36 Proof of forgery – calculation of a 0 Since (y 1 ’’,y 2 ’’) is a valid signature on x’ γ 1 γ 2 x’ =α y 1 ’’ β y 2 ’’ mod p Alice can compute her own signature (y 1 ’,y 2 ’) on x’ γ 1 γ 2 x’ =α y 1 ’ β y 2 ’ mod p Hence α y 1 ’’ β y 2 ’’ =α y 1 ’ β y 2 ’ mod p α y 1 ’’ α a 0 y 2 ’’ =α y 1 ’ α a 0 y 2 ’ mod p

37 37 Thus y 1 ’’+a 0 y 2 ’’=y 1 ’+a 0 y 2 ’ (mod q) a 0 =(y 1 ’’-y 1 ’)(y 2 ’-y 2 ’’) -1 (mod q) It is computable by Alice!

Download ppt "1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants."

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Digital Signatures and applications Math 7290CryptographySu07.

Digital Signatures and applications Math 7290CryptographySu07.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Similar presentations

Ads by Google