1. 13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature

2. 13.2 Objectives  To define a digital signature  To define security services provided by a digital signature  To define attacks on digital signatures  To discuss some digital signature schemes, including RSA, ElGamal, Schnorr, DSS, and elliptic curve  To describe some applications of digital signatures

3. 13.3 13.1 COMPARISON Let us begin by looking at the differences between conventional signatures and digital signatures.

4. 13.4 A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document. 13.1.1 Inclusion

5. 13.5 For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. A copy of the signature is not stored anywhere. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity. 13.1.2 Verification Method

6. 13.6 For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message. 13.1.3 Relationship

7. 13.7 In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document. 13.1.4 Duplicity

8. 13.8 13.2 PROCESS Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.

9. 13.9 Figure 13.1 Digital signature process 13.2 PROCESS

10. 13.10 13.2.1 Need for Keys Figure 13.2 Adding key to the digital signature process Note that a digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer’s public key.

11. 13.11 13.2.1 Need for Keys Note that a cryptosystem uses the private and public keys of the receiver: a digital signature uses the private and public keys of the sender.

12. 13.12 13.2.2 Signing the Digest Figure 13.3 Signing the digest Asymmetric-key cryptosystems are very inefficient when dealing with long messages. The sender can sign the message digest with her private key and the receiver can verify the message digest with the signer’s public key.

13. 13.13 13.3 13.3 SERVICES We discussed several security services in Chapter 1 including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.

14. 13.14 A secure digital signature scheme, like a secure conventional signature (one that cannot be easily copied) can provide message authentication (referred to as data-origin authentication). 13.3.1 Message Authentication A digital signature provides message authentication.

15. 13.15 The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed. The digital signature scheme today use a hash function in the signing and verifying algorithms that preserve the integrity of the message. 13.3.2 Message Integrity A digital signature provides message integrity.

16. 13.16 13.3.3 Nonrepudiation If Alice signs a message and then denies it, can Bob later prove that Alice actually signed it? Bob must keep the signature on file and later use Alice’s public key to create the original message to prove the message in the file and the newly created message are the same. This is not feasible because Alice may have changed her private or public key during this time; she may also claim that the file containing the signature is not authentic. One solution is a trusted third party.

17. 13.17 13.3.3 Nonrepudiation Figure 13.4 Using a trusted center for nonrepudiation Nonrepudiation can be provided using a trusted party. The center saves a copy of the message with sender’s identity, recipient identity, and the timestamp in its archives.

18. 13.18 13.3.4 Confidentiality Figure 13.5 Adding confidentiality to a digital signature scheme A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

19. 13.19 13.4 13.4 ATTACKS ON DIGITAL SIGNATURE This section describes some attacks on digital signatures and defines the types of forgery. We will look on three kinds of attacks on digital signatures: key-only, known-message, and chosen-message, and two types of forgery: existential and selective.

20. 13.20 Key-Only Attack 13.4.1 Attack Types In the key-only attack, Eve has access only to the public information released by Alice. This is the same as the ciphertext-only attack. In the known-message attack, Eve has access to one or more message-signature pairs. This is similar to the known-plaintext attack. Known-Message Attack

21. 13.21 13.4.1 Attack Types Chosen-Message Attack In the chosen-message attack, Eve somehow makes Alice sign one or more messages for her. Eve now has a chosen-message/signature pair. Eve later creates another message, with the content she wants, and forges Alice’s signature on it. This is similar to the chosen-plaintext attack.

22. 13.22 13.4.2 Forgery Types In an existential forgery, Eve may be able to create a valid message-signature pair, but not one that she can really use. This type of forgery is probable, but fortunately Eve cannot benefit from it very much, since the content of the message is randomly calculated. Her message could be syntactically or semantically unintelligible. Existential Forgery

23. 13.23 13.4.2 Forgery Types Selective Forgery In an selective forgery, Eve may be able to forge Alice’s signature on a message with the content selectively chosen by Eve. Although this is beneficial to Eve, and may be very detrimental to Alice, the probability of such forgery is low, but not negligible.

24. 13.24 13.5 13.5 DIGITAL SIGNATURE SCHEMES Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.

25. 13.25 13.5.1 RSA Digital Signature Scheme Figure 13.6 General idea behind the RSA digital signature scheme

26. 13.26 Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA cryptosystem. Alice chooses two primes p and q and calculates n = p ⅹ q. Alice calculates  (n) = (p-1)(q-1). She then choose e, the public exponent, and calculates d, the private exponent such that e ⅹ d ≡ 1 mod  (n). 13.5.1 RSA Digital Signature Scheme In the RSA digital signature scheme, d is private; e and n are public. Key Generation

27. 13.27 Signing and Verifying Figure 13.7 RSA digital signature scheme 13.5.1 RSA Digital Signature Scheme

28. 13.28 As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of  (n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to Bob. She uses her private exponent, 160009, to sign the message: Example 13.1 13.5.1 RSA Digital Signature Scheme

29. 13.29 Example 13.1 (Continued) Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates Bob accepts the message because he has verified Alice’s signature. 13.5.1 RSA Digital Signature Scheme

30. 13.30 Attacks on RSA Signature Key-Only Attack Eve can access only to Alice’s public key. Eve intercepts ( M, S ) and tries to create another message M ’ such that M ’ ≡ S e ( mod n ). This problem is as difficult to solve as the discrete logarithm problem. This is an existential forgery. 13.5.1 RSA Digital Signature Scheme

31. 13.31 Attacks on RSA Signature (Continued) Known-Message Attack Eve can use the multiplicative property of RSA. In case Eve has intercepted two message-signature pairs ( M 1, S 1 ) and ( M 2, S 2 ) that have been created using the same private key. Let M ≡ ( M 1 ⅹ M 2 ) mod n. Then S ≡ ( S 1 ⅹ S 2 ) mod n is the valid signature of M. 13.5.1 RSA Digital Signature Scheme Sometimes is referred to as multiplicative attack. Existential forgery.

32. 13.32 Attacks on RSA Signature (Continued) Chosen-Message Attack Eve can also use the multiplicative property of RSA. Eve can somehow ask Alice to sign two legitimate messages M 1 and M 2 for her and later creates a new message M ≡ ( M 1 ⅹ M 2 ). Then S ≡ ( S 1 ⅹ S 2 ) mod n is the valid signature of M. 13.5.1 RSA Digital Signature Scheme This is also referred to as multiplicative attack. Selective forgery; Eve can manipulate M 1 and M 2 to get useful M.

33. 13.33 RSA Signature on the Message Digest Figure 13.8 The RSA signature on the message digest 13.5.1 RSA Digital Signature Scheme

34. 13.34 Attacks on RSA Signed Digests Key-Only Attack We can have three cases of this attack: a. Eve intercepts ( M, S ) and tries to find another message M ’ that creates the same digest, h(M) = h(M ’ ). If the hash algorithm is second preimage resistant, this attack is very difficult to launch. b. Eve finds two messages M 1 and M 2 such that, h(M) = h(M ’ ). Eve lures Alice to sign h(M) to find S and then has a pair ( M ’, S ) which passes the verifying test, but it is the forgery. If the hash algorithm is collision resistant, this attack is very difficult to launch. 13.5.1 RSA Digital Signature Scheme

35. 13.35 Attacks on RSA Signed Digests (Continued) Key-Only Attack (Continued) c. Eve may randomly find message digest D, which may match with a random signature. She then finds a message M such that D = h(M). If the hash algorithm is preimage resistant, this attack is very difficult to launch. 13.5.1 RSA Digital Signature Scheme

36. 13.36 Attacks on RSA Signed Digests (Continued) Known-Message Attack Assume Eve has intercepted two message-signature pairs ( M 1, S 1 ) and ( M 2, S 2 ) which have been created using the same private key. Eve calculates S ≡ ( S 1 ⅹ S 2 ) mod n. If she can find a message M such that h(M) ≡ h(M 1 ) ⅹ h(M 2 ) mod n, she has forged a new message. However, finding M given h(M) is very difficult if the hash algorithm is preimage resistant. 13.5.1 RSA Digital Signature Scheme

37. 13.37 Attacks on RSA Signed Digests (Continued) Chosen-Message Attack Eve can ask Alice to sign two legitimate messages M 1 and M 2 for her. Eve then creates a new signature S ≡ ( S 1 ⅹ S 2 ) mod n. Since Eve can calculate h(M) ≡ h(M 1 ) ⅹ h(M 2 ) mod n, if she can find a message M given h(M), the new message is a forgery. However, finding M given h(M) is very difficult if the hash algorithm is preimage resistant. 13.5.1 RSA Digital Signature Scheme

38. 13.38 13.5.1 RSA Digital Signature Scheme When the digest is signed instead of the message itself, the susceptibility of the RSA digital signature scheme depends on the strength of the hash algorithm.

39. 13.39 13.5.2 ElGamal Digital Signature Scheme Figure 13.9 General idea behind the ElGamal digital signature scheme The ElGamal digital signature scheme uses the same key as ElGamal cryptosystem, but the algorithm is different.

40. 13.40 The key generation procedure here is exactly the same as the one used in the cryptosystem. Let p be a prime large enough that the discrete logarithm problem is intractable in Z p *. Let e 1 be a primitive element in Z p *. Select the private key d to be less than p-1. Calculate e 2 = e 1 d. Public key is ( e 1, e 2, p ); Private key is d. 13.5.2 ElGamal Digital Signature Scheme In ElGamal digital signature scheme, (e 1, e 2, p) is Alice’s public key; d is her private key. Key Generation

41. 13.41 Verifying and Signing Figure 13.10 ElGamal digital signature scheme 13.5.2 ElGamal Digital Signature Scheme Checks to see if 0<S 1 <p and 0<S 2 <p-1.

42. 13.42 Here is a trivial example. Alice chooses p = 3119, e 1 = 2, d= 127 and calculates e 2 ≡ 2 127 mod 3119 = 1702. She also chooses r to be 307. She announces e 1, e 2, and p publicly; she keeps d secret. The following shows how Alice can sign a message. Example 13.2 Alice sends M, S 1, and S 2 to Bob. Bob uses the public key to calculate V 1 and V 2. 13.5.2 ElGamal Digital Signature Scheme

43. 13.43 Now imagine that Alice wants to send another message, M = 3000, to Ted. She chooses a new r, 107. Alice sends M, S 1, and S 2 to Ted. Ted uses the public keys to calculate V 1 and V 2. Example 13.3 13.5.2 ElGamal Digital Signature Scheme

44. 13.44 Forgery in the ElGamal Digital Signature Scheme Key-Only Forgery Two kind of forgery are possible: 1. Eve has a predefined message M. To forge Alice’s signature on it, Eve must find two valid signatures S 1 and S 2 for this message. This is a selective forgery. a. Eve can choose S 1 and calculates S 2. She needs to have e 2 S 1 S 1 S 2 ≡ e 1 M (mod p), i.e., S 1 S 2 ≡ e 1 M e 2 -S 1 (mod p), or S 2 ≡ log S 1 (e 1 M e 2 -S 1 ) (mod p). This means computing the discrete logarithm. b. Eve can choose S 2 and calculates S 1. This is much harder than case a. 13.5.2 ElGamal Digital Signature Scheme

45. 13.45 Forgery in the ElGamal Digital Signature Scheme (Continued) Key-Only Forgery (Continued) 2. Eve may be able to find three random values, M, S 1, and S 2 such that ( S 1, S 2 ) is the signature of M. If Eve can find two new parameters x and y such that M ≡ xS 2 mod (p-1) and S 1 ≡ -yS 2 mod (p-1 ), she can forge the message. This is an existential forgery. Known-Message Attack If Eve has intercepted a message M and signature pair ( S 1, S 2 ), she can find another message M ’ with the same signature. However, this is an existential forgery. 13.5.2 ElGamal Digital Signature Scheme

46. 13.46 13.5.3 Schnorr Digital Signature Scheme Figure 13.11 General idea behind the Schnorr digital signature scheme In ElGamal signature scheme, p needs to be very large (at least 1024 bits) to guarantee that DLP is interactable in Z p *. To reduce the size of signature, Schnorr proposed a new scheme based on ElGamal.

47. Key Generation 1)Alice selects a prime p, which is usually 1024 bits in length. 2)Alice selects another prime q, which is 160 bits in length and q | p-1. 3) Alice chooses e 1 to be the q th root of 1 modulo p. 4) Alice chooses an integer, d, as her private key. 5)Alice calculates e 2 = e 1 d mod p. 6)Alice’s public key is ( e 1, e 2, p, q ); her private key is ( d ). 13.5.3 Schnorr Digital Signature Scheme In the Schnorr digital signature scheme, Alice’s public key is (e 1, e 2, p, q); her private key (d). 13.47

48. 13.48 Signing and Verifying Figure 13.12 Schnorr digital signature scheme 13.5.3 Schnorr Digital Signature Scheme

49. 13.49 Signing 1. Alice chooses a random number r. 2. Alice calculates S 1 = h(M|e 1 r mod p). 3. Alice calculates S 2 ≡ r + d × S 1 mod q. 4. Alice sends M, S 1, and S 2. Verifying Message 1. Bob calculates V = h (M | e 1 S 2 e 2 −S 1 mod p). 2. If S 1 is congruent to V modulo p, the message is accepted; 13.5.3 Schnorr Digital Signature Scheme

50. 13.50 Here is a trivial example. Suppose we choose q = 103 and p = 2267. Note that p = 22 × q + 1. We choose e 0 = 2, which is a primitive in Z 2267 *. Then (p −1)/q = 22, so we have e 1 = 2 22 mod 2267 = 354. We choose d = 30, so e 2 = 354 30 mod 2267 = 1206. Alice’s private key is now ( d ); her public key is ( e 1, e 2, p, q ). Example 13.4 Alice wants to send a message M. She chooses r = 11 and calculates e 2 r = 354 11 = 630 mod 2267. Assume that the message is 1000 and then M|e 1 r = 1000630. Also assume that h(1000630) = 200. This means S 1 = 200. Alice calculates S 2 = r + d × S 1 mod q = 11 + 1026 × 200 mod 103 = 35. Alice sends the message M =1000, S 1 = 200, and S 2 = 35. The verification is left as an exercise. 13.5.3 Schnorr Digital Signature Scheme

51. 13.51 Forgery on Schnorr Signature Scheme It looks like all attacks on ElGamal scheme can be applied on Schnorr scheme. However, Schnorr scheme is in a better position because S 1 = h(M|e 1 r mod p) (*hash function is applied*) and r is a secret. 13.5.3 Schnorr Digital Signature Scheme

52. 13.52 13.5.4 Digital Signature Standard (DSS) Figure 13.13 General idea behind DSS scheme DSS was adapted by NIST in 1994 (FIPS186). DSS uses a digital signature algorithm ( DSA ) based on ElGamal scheme with some ideas from Schnorr scheme. Some complaints : 1. the secrecy of DSS design. 2. the size of the prime (512 bits).

53. 13.53 1)Alice chooses primes p ( 512~1024 bits) and q ( 160 bits) such that the length of p is a multiple of 64 and q | (p-1). 2) Alice uses and. 3) Alice creates e 1 to be the q th root of 1 modulo p. 4) Alice chooses d and calculates e 2 = e 1 d. 5) Alice’s public key is ( e 1, e 2, p, q ); her private key is ( d ). 13.5.4 Digital Signature Standard (DSS) Key Generation

54. 13.54 Verifying and Signing Figure 13.14 DSS scheme 13.5.4 Digital Signature Standard (DSS)

55. 13.55 Alice chooses q = 101 and p = 8081. Alice selects e 0 = 3 and calculates e 1 = e 0 (p−1)/q mod p = 6968. Alice chooses d = 61 as the private key and calculates e 2 = e 1 d mod p = 2038. Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice chooses r = 61 : Example 13.5 Alice sends M, S 1, and S 2 to Bob. Bob uses the public keys to calculate V. 13.5.4 Digital Signature Standard (DSS)

56. 13.56 DSS signatures are smaller than ElGamal signatures because q is smaller than p. 13.5.4 Digital Signature Standard (DSS) DSS Versus RSA Computation of DSS signatures is faster than computation of RSA signatures when using the same p. DSS Versus ElGamal

57. 13.57 13.5.5 Elliptic Curve Digital Signature Scheme Figure 13.15 General idea behind the ECDSS scheme The elliptic curve digital signature scheme is a DSA (or DSS ) based on elliptic curves. The scheme sometimes is referred as ECDSA or ECDSS.

58. 13.58 Key generation follows these steps: 1)Alice chooses an elliptic curve E p ( a, b ) with p a prime. 2)Alice chooses another prime q the private key d, an integer. 3)Alice chooses e 1 (…, …), a point on the curve. 4)Alice calculates e 2 (…, …) = d × e 1 (…, …), another point on the curve. 5)Alice’s public key is ( a, b, p, q, e 1, e 2 ); her private key is d. 13.5.5 Elliptic Curve Digital Signature Scheme Key Generation

59. 13.59 Signing and Verifying Figure 13.16 The ECDSS scheme 13.5.5 Elliptic Curve Digital Signature Scheme (1≤r≤q-1)

60. 13.60 13.6 13.6 VARIATIONS AND APPLICATIONS This section briefly discusses variations and applications for digital signatures.

61. 13.61 13.6.1 Variations Sometimes a signed document needs to be timestamped to prevent it from being replayed by an adversary. This is called timestamped digital signature scheme. e.g., request to a bank to transfer some money to other. Including the actual date and time on the documents may create a problem if the clocks are not synchronized and a universal time is not used. One solution is to use a nonce (a one-time random number). Time Stamped Signatures

62. 13.62 13.6.1 Variations Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer. David Chaum has developed some patented blind digital signature schemes for this purpose. The main idea : a.Bob creates a message and blinds it. Bob sends the blinded message to Alice. b.Alice signs the blinded message and returns the signature on the blinded message. c. Bob unblinds the signature to obtain a signature on the original message. Blind Signatures

63. 13.63 13.6.1 Variations Blind Signature Based on the RSA Scheme Blinding : Bob selects a random number, b, and calculates the blinded message B=M ⅹ b e mod n. b is sometimes called the blinding factor. Bob sends B to Alice. Alice signs the blinded message as S b = B d mod n. and returns the signature S b on the blinded message. Unblinding : uses the multiplicative inverse of blinding factor. S = S b b -1 mod n Blind Signatures (Continued)

64. 13.64 13.6.1 Variations Preventing Fraud It appears that Bob can get Alice to sign a blinded message that may hurt her. e.g., Bob’s message could be a document, claiming to be Alice’s will, that will everything to Bob after her death. There are at least three ways to prevent such damage: a. A law that Alice is not responsible for signing any blinded message that against her interest. b. Request a document from Bob that the message she will sign does not hurt Alice. c. Require that Bob proves his honesty before she signs the blinded message. Blind Signatures (Continued)

65. 13.65 13.6.1 Variations Undeniable digital signature schemes are elegant invention of Chaum and van Antwerpen. An undeniable digital signature scheme has three components: signing algorithm, verification protocol, disavowal protocol. The verification protocol uses the challenge-response mechanism to involve Alice (signer) for verifying the signature. This prevents the duplication and distribution of the signed message without Alice’s approval. The disavowal protocol helps Alice deny a forged signature. To prove that the signature is a forgery, Alice needs to take part in the disavowal protocol. Undeniable Digital Signatures

66. 13.66 13.6.2 Applications Later chapters discuss several applications of cryptography in the network security. Most of these applications directly or indirectly require the use of the public keys. To use a public key, a person should prove that she actually owns the public key. For this reason, the idea of certificates and certificate authorities (CAs) has been developed. The certificates must be signed by the CA to be valid. Digital signatures are used to provide such a proof.

67. 13.67 13.6.2 Applications When Alice needs to use Bob’s public key, she uses the certificates issued by a CA. The CA signs the certificate with its private key and Alice verifies the signature using the public key of CA. The certificate itself contains Bob’s public key. Today’s protocols that use the services of CA include IPSec, SSL/TLS, and S/MIME. Protocol PGP uses certificates, but they can be issued by people in the community.