
1 Digital Signatures (DSs)
A digital signature cannot be separated from the message and attached to another.
The signature is tied not only to the signer but also to the message that is being signed.
The digital signature needs to be easily verified by other parties.
Digital signature schemes therefore consist of two distinct steps: the signing process and the verification process.

2 RSA Signatures
Bob has a document $m$ that Alice agrees to sign. Alice does the following.
Alice chooses two primes $p, q$ and sets $n = pq$. She makes $(e, n)$ public, with $\gcd(e, (p-1)(q-1)) = 1$ and $de \equiv 1 \pmod{\phi(n)}$; she keeps $p, q, d$ secret.
Alice’s signature is $y \equiv m^d \pmod{n}$.
Alice then makes the pair $(y, m)$ public.

3 How does Bob verify Alice’s Signature
Download Alice’s $(e, n)$.
Compute $z \equiv y^e \pmod{n}$.
If $z = m$, then Bob accepts the signature as valid; otherwise the signature is not valid.

4 Blind Signatures (1/2)
Alice chooses $n = pq$, finds $e$, and solves for $d$ as required in the RSA scheme, i.e., $ed \equiv 1 \pmod{\phi(n)}$.
Bob chooses a random $k$ with $\gcd(k, n) = 1$, computes $t \equiv k^e m \pmod{n}$ for message $m$, and sends $t$ to Alice.
Alice signs $t$ by computing $s \equiv t^d \pmod{n}$. She returns $s$ to Bob.
Bob computes $s k^{-1} \pmod{n}$ to get the signed message $m^d$.

5 Blind Signatures (2/2)
$s k^{-1} \equiv t^d k^{-1} \equiv (k^e m)^d k^{-1} \equiv m^d (k^{ed}) k^{-1} \equiv m^d \pmod{n}$
Alice has never seen the message $m$: with $t \equiv k^e m$ and $s \equiv t^d$, we get $s k^{-1} \equiv m^d \pmod{n}$.
The choice of $k$ is random; therefore, $t \equiv k^e m \pmod{n}$ gives essentially no information about $m$. In this way, Alice knows nothing about the message $m$ she is signing.
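The exchange on slides 4 and 5, written out as an added Python example (not part of the original slides). The toy primes, the exponent, and all function names are assumptions chosen for illustration; `equivalent_blinding_factor` demonstrates the blindness claim by producing, for a fixed $t$, the $k'$ under which a different message would have been blinded to the same $t$.

```python
import secrets
from math import gcd

# Constructed toy key (assumption): real RSA moduli are 2048 bits or more.
P, Q, E = 1009, 1013, 17
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                      # ed ≡ 1 (mod φ(n)), Alice's secret

def blind(m, e, n):
    """Bob: pick random k with gcd(k, n) = 1; return (t, k) with t ≡ k^e m."""
    while True:
        k = secrets.randbelow(n - 2) + 2
        if gcd(k, n) == 1:
            return pow(k, e, n) * m % n, k

def sign(t, d, n):
    """Alice: sign the blinded value she is handed, s ≡ t^d (mod n)."""
    return pow(t, d, n)

def unblind(s, k, n):
    """Bob: s k^{-1} ≡ m^d (mod n)."""
    return s * pow(k, -1, n) % n

def verify(m, y, e, n):
    """Anyone: accept iff y^e ≡ m (mod n)."""
    return pow(y, e, n) == m % n

def equivalent_blinding_factor(t, other_m, d, n):
    """The k' with k'^e * other_m ≡ t. It needs d, so it is only a
    demonstration that t alone does not determine which m was blinded."""
    return pow(t * pow(other_m, -1, n) % n, d, n)

if __name__ == "__main__":
    m = 123456                           # constructed sample message
    t, k = blind(m, E, N)
    y = unblind(sign(t, D, N), k, N)
    print("signature valid:", verify(m, y, E, N))
```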

6 ElGamal Signature Scheme
One feature that is different from RSA is that, with this method, there are many different signatures that are valid for a given message.
Suppose Alice wants to sign a message $m$. To start, Alice chooses a large prime $p$ and a primitive root $\alpha$. Alice next chooses a secret integer (key) $a$, $1 \le a \le p-2$, and computes $\beta \equiv \alpha^a \pmod{p}$. $(p, \alpha, \beta)$ are made public.

7 Alice signs the message m via
Select a secret random $k$ such that $\gcd(k, p-1) = 1$.
Compute $r \equiv \alpha^k \pmod{p}$.
Compute $s \equiv k^{-1}(m - ar) \pmod{p-1}$.
The signed message is the triple $(m, r, s)$.

8 Bob verifies the signature via
Download Alice’s public key $(p, \alpha, \beta)$.
Compute $u \equiv \beta^r r^s$ and $w \equiv \alpha^m \pmod{p}$.
The signature is declared valid iff $u \equiv w \pmod{p}$.
Proof: $w \equiv \alpha^m \equiv \alpha^{sk+ar} \equiv (\alpha^a)^r (\alpha^k)^s \equiv \beta^r r^s \equiv u \pmod{p}$
More details from p.246~248

9 ElGamal Signature for one
Alice wants to sign $m_1 = 151405$ (one). She chooses $p = 225119$ and a primitive root $\alpha = 11$. She chooses a secret number $a$ and computes $\beta \equiv \alpha^a \equiv 18191 \pmod{p}$.
To sign the message, she picks a random $k$ and keeps it secret. She computes $r \equiv \alpha^k \equiv 164130 \pmod{p}$ and $s_1 \equiv k^{-1}(m_1 - ar) \equiv 130777 \pmod{p-1}$.
The signed message is $(151405, 164130, 130777)$.

10 ElGamal Signature for two
Alice then signs $m_2 = 202315$ (two) with the same $k$, where $(p, \alpha) = (225119, 11)$; hence $r$ has the same value and the signed message is $(202315, 164130, 164899)$.
Then we have $-34122k \equiv (s_1 - s_2)k \equiv m_1 - m_2 \equiv -50910 \pmod{p-1}$.
Since $\gcd(-34122, p-1) = 2$, there are two $k$’s: $k = 239$ and $k = 112798 \pmod{p-1}$.
Since $\alpha^{239} \equiv 164130$ and $\alpha^{112789} \equiv 59924 \pmod{p}$, $k = 239$ leads to the correct value $r = 164130$.

11 Dangerous to use the same k for different documents
Rewrite $s_1 k \equiv m_1 - ar \pmod{p-1}$ to obtain $164130a \equiv ar \equiv m_1 - s_1 k \equiv 187104 \pmod{p-1}$.
Since $\gcd(164130, p-1) = 2$, there are two solutions for $a$: $a = 28862$ and $a = 141421$.
Since $\alpha = 11$, $\beta = 18191$, and $\alpha^{28862} \equiv 206928$, $\alpha^{141421} \equiv 18191 \pmod{p}$, the key $a = 141421$ is revealed.
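The computation of slides 10 and 11 carried through in Python, as an added example that is not part of the original slides. All numeric values come from slides 9 to 11; the function names are assumptions, and `repeated_r` is an added audit check that flags signature sets sharing an $r$, the visible symptom of a reused $k$.

```python
from math import gcd
from collections import Counter

def solve_linear(c, d, n):
    """All x in [0, n) with c*x ≡ d (mod n): gcd(c, n) solutions, or none."""
    g = gcd(c, n)
    if d % g:
        return []
    step = n // g
    x0 = (d // g) * pow(c // g, -1, step) % step
    return [x0 + i * step for i in range(g)]

def repeated_r(signatures):
    """Audit check: r values that occur in more than one (m, r, s) triple."""
    counts = Counter(r for _, r, _ in signatures)
    return [r for r, c in counts.items() if c > 1]

def recover_k_and_a(p, alpha, beta, sig1, sig2):
    """Follow slides 10-11: two signatures sharing r expose k, then a."""
    (m1, r, s1), (m2, r2, s2) = sig1, sig2
    if r != r2:
        return None                      # different k: the congruences do not apply
    n = p - 1
    # (s1 - s2) k ≡ m1 - m2 (mod p-1); keep the root that reproduces r
    for k in solve_linear((s1 - s2) % n, (m1 - m2) % n, n):
        if pow(alpha, k, p) != r:
            continue
        # r a ≡ m1 - s1 k (mod p-1); keep the root that reproduces beta
        for a in solve_linear(r % n, (m1 - s1 * k) % n, n):
            if pow(alpha, a, p) == beta:
                return k, a
    return None

# Values taken from slides 9-11 of this page.
P, ALPHA, BETA = 225119, 11, 18191
SIG_ONE = (151405, 164130, 130777)
SIG_TWO = (202315, 164130, 164899)

if __name__ == "__main__":
    print("shared r:", repeated_r([SIG_ONE, SIG_TWO]))
    print("(k, a):", recover_k_and_a(P, ALPHA, BETA, SIG_ONE, SIG_TWO))
```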

12 Hash Functions
A cryptographic hash function $h$ takes as input a message of arbitrary length and produces as output a message digest of fixed length. Certain properties should be satisfied.
(1) Given a message $m$, the message digest $h(m)$ can be calculated very quickly.
(2) Given a message digest $y$, it is computationally infeasible to find an $m$ with $h(m) = y$. In other words, $h$ is a one-way, or preimage resistant, function.
(3) It is computationally infeasible to find messages $x$, $y$ such that $h(x) = h(y)$, i.e., $h$ is strongly collision-free.

13 Examples
Let $n = b_k b_{k-1} \dots b_1 b_0$ and define $h(n) = b_k \oplus \dots \oplus b_0$. Thus, this $h$ does not satisfy (2).
The discrete log hash function due to Chaum, van Heijst, and Pfitzmann: select a large prime $p$ such that $q = (p-1)/2$ is prime. Let $\alpha, \beta$ be two primitive roots mod $p$ which satisfy $\alpha^a \equiv \beta \pmod{p}$, where $a$ is a secret number. Let $m = x + yq$, with $0 \le x, y \le q-1$. Define a hash function $h(m) \equiv \alpha^x \beta^y \pmod{p}$.

14 Proposition (p.184)
If we know messages $m \ne n$ with $h(m) = h(n)$, then we can determine the discrete logarithm $a = L_\alpha(\beta)$.
(Proof) Write $m = x + yq$, $n = r + sq$. Suppose $h(m) = h(n)$, i.e., $\alpha^x \beta^y \equiv \alpha^r \beta^s \pmod{p}$. Since $\alpha^a \equiv \beta \pmod{p}$, we have $\alpha^{a(y-s)-(r-x)} \equiv 1 \pmod{p}$.
Therefore $a(y-s) \equiv (r-x) \pmod{p-1}$. Since $p-1 = 2q$ has only 4 divisors, $1, 2, q, p-1$, we have $d = \gcd(y-s, p-1) = 1$ or $2$. Thus, we can get the secret $a$.

15 Other Hash Functions
☺ MD family: MD4, MD5 due to Rivest
☺ NIST’s Secure Hash Algorithm (SHA), which yields a 160-bit message digest
[Stinson] [Schneier] [Menezes et al.]

16 Hashing, Signing, and Applications
Sending $(m, \mathrm{sig}(h(m)))$ instead of $(m, \mathrm{sig}(m))$ could significantly reduce the size of digital signatures.
An appropriate hash function should be chosen, in particular for electronic exchanges in e-commerce.

17 Birthday Attacks
If there are 23 people in a room, the probability is 50.7% that two of them have the same birthday. If there are 30 people, the probability increases to 70%.
The probability that no two of 23 people have the same birthday is $(1 - 1/365)(1 - 2/365) \cdots (1 - 22/365) = 0.493$.

18 A Birthday Attack on Discrete Log
Suppose we want to evaluate $L_a(b)$ with a large $p$. We can do so by a birthday attack with the following procedure:
1. The first list contains numbers $a^k \pmod{p}$ for approximately $p^{1/2}$ randomly chosen values of $k$.
2. The second list contains numbers $b a^{-j} \pmod{p}$ for approximately $p^{1/2}$ randomly chosen values of $j$.
There is a good chance that there is a match between some element on the first list and one on the second list. If so, $a^k \equiv b a^{-j} \pmod{p}$ and hence $a^{k+j} \equiv b \pmod{p}$; $x \equiv k+j \pmod{p-1}$ is the discrete log solution.
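The two-list procedure above as an added Python example (not from the original slides), run on the small ElGamal parameters of slides 9 to 11. The function name, the fixed seed and the retry loop are assumptions; the point is the work factor of about $p^{1/2}$ samples per list, which is why real parameters use primes hundreds of bits long.

```python
import random
from math import isqrt

def birthday_dlog(a, b, p, rng=random.Random(0)):
    """Return (x, rounds) with a^x ≡ b (mod p), p prime and b a power of a.

    Each round builds a first list of about sqrt(p) values a^k and probes
    it with about sqrt(p) values b*a^(-j); a match gives x ≡ k + j (mod p-1).
    """
    size = isqrt(p) + 1
    a_inv = pow(a, -1, p)
    rounds = 0
    while True:
        rounds += 1
        # First list: a^k (mod p) -> k, for random k
        first = {}
        for _ in range(size):
            k = rng.randrange(p - 1)
            first[pow(a, k, p)] = k
        # Second list: b * a^(-j) (mod p), checked against the first
        for _ in range(size):
            j = rng.randrange(p - 1)
            k = first.get(b * pow(a_inv, j, p) % p)
            if k is not None:
                return (k + j) % (p - 1), rounds

if __name__ == "__main__":
    # Public values from slide 9: p = 225119, alpha = 11, beta = 18191.
    x, rounds = birthday_dlog(11, 18191, 225119)
    print("x =", x, "after", rounds, "round(s) of about",
          isqrt(225119) + 1, "samples per list")
```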

19 Digital Signature Algorithm (DSA)
NIST proposed the DSA in 1991 and adopted it as a standard in 1994. The message digest is a 160-bit output of a hash function. Key generation for DSA proceeds as follows. First, there is an initialization phase:

20 Initialization Phase
Alice finds a prime $q$ that is 160 bits long and chooses a prime $p$ that satisfies $q \mid p-1$. The discrete log problem should be hard for this choice of $p$ (e.g., $p$ is 512 bits long).
Let $g$ be a primitive root mod $p$ and let $\alpha \equiv g^{(p-1)/q} \pmod{p}$. Then $\alpha^q \equiv 1 \pmod{p}$.
Alice chooses a secret $a$ such that $1 \le a < q-1$ and calculates $\beta \equiv \alpha^a \pmod{p}$.
Alice publishes $(p, q, \alpha, \beta)$ and keeps $a$ secret.

21 The signing process
Alice signs a message $m$ by the following procedure:
1. Select a random, secret integer $k$ such that $0 < k < q-1$.
2. Compute $r \equiv (\alpha^k \bmod p) \pmod{q}$.
3. Compute $s \equiv k^{-1}(m + ar) \pmod{q}$.
4. Alice’s signature for $m$ is $(r, s)$, which she sends to Bob along with $m$.

22 Verification
For Bob to verify, he must
1. Download Alice’s public information $(p, q, \alpha, \beta)$.
2. Compute $u \equiv s^{-1} m$ and $v \equiv s^{-1} r \pmod{q}$.
3. Compute $w \equiv (\alpha^u \beta^v \bmod p) \pmod{q}$.
4. Accept the signature iff $w = r$.
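Slides 20 to 22 (initialization, signing, verification) as one added Python example; it is not code from the original slides. Assumptions: a toy 31-bit $q$ in place of the 160-bit prime, trial-division parameter search, the function names, and $m$ taken as an integer digest as in the slide formulas. The range check on $(r, s)$ in `verify` and the retry when $r$ or $s$ is zero are standard additions not shown on the slides.

```python
import secrets
from math import isqrt

Q = 2**31 - 1   # toy subgroup order (a known prime); the slides call for 160 bits

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def make_params(q=Q):
    """Find a prime p = 2jq + 1 (so q | p-1) and an alpha of order q."""
    j = 1
    while not is_prime(2 * j * q + 1):
        j += 1
    p = 2 * j * q + 1
    g = 2   # any g with g^((p-1)/q) != 1 yields an element of order q
    while pow(g, (p - 1) // q, p) == 1:
        g += 1
    return p, q, pow(g, (p - 1) // q, p)

def keygen(p, q, alpha):
    a = secrets.randbelow(q - 2) + 1          # secret a, 1 <= a < q-1
    return a, pow(alpha, a, p)                # (a, beta)

def sign(m, a, p, q, alpha):
    while True:
        k = secrets.randbelow(q - 2) + 1      # fresh secret k for every signature
        r = pow(alpha, k, p) % q
        s = pow(k, -1, q) * (m + a * r) % q
        if r and s:                           # retry in the rare zero case
            return r, s

def verify(m, r, s, beta, p, q, alpha):
    if not (0 < r < q and 0 < s < q):         # reject out-of-range values first
        return False
    s_inv = pow(s, -1, q)
    u, v = s_inv * m % q, s_inv * r % q
    return pow(alpha, u, p) * pow(beta, v, p) % p % q == r

if __name__ == "__main__":
    p, q, alpha = make_params()
    a, beta = keygen(p, q, alpha)
    r, s = sign(12345, a, p, q, alpha)        # 12345: constructed sample digest
    print("valid:", verify(12345, r, s, beta, p, q, alpha))
    print("tampered:", verify(12346, r, s, beta, p, q, alpha))
```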

23 Simple Exercises from p.252-255
Exercises 1, 2, 3, 4
Computer Problem 1

