CryptographySecurity - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

CryptographySecurity

Description:

... scheme (Discrete Logarithm) (American, DSS(DSA) scheme) ... Signature schemes based on elliptic curves. Appendix: Various types. Schemes for multi-user: ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 26
Provided by: DrLawri1
Category:

less

Transcript and Presenter's Notes

Title: CryptographySecurity


1
Chapter 13 Digital Signatures
  • Preliminary
  • RSA signature scheme
  • ElGamal signature
  • DSA signature scheme

2
Development concept
RSA signature scheme, 1978 (Factoring,
2001-Patent)
ElGamal signature scheme, 1985 (Discrete
Logarithm)
Comparisons Performance, other factors
Choose a signature scheme (Discrete
Logarithm) (American, DSS(DSA) scheme)
3
Digital signature
  • Goal Use the digital technique to emulate the
    hand-written signature
  • Security requirements
  • Unforgeability one cannot create a signature
    that is claimed to be anothers
  • Undeniability the signer cannot later deny the
    validity of his signature

4
Requirements
  • The signature depends on the signer and the
    document to be signed.
  • Easy to compute it is easy for a signer to sign
    a document
  • Universal verifiability every one can verify
    validity of a signature (with respect to the
    signer and the document)
  • Easy to store the signature should be short
    enough (using hash function)

5
RSA signature scheme
  • Key generation algorithm
  • Input k (security parameter)
  • Randomly generate two primes p and q of length
    k/2 bits
  • Compute npq (n is k-bit long)
  • Randomly select e, 2?e??(n)-1, withgcd(e,
    ?(n))1 (Note ?(n)(p-1)(q-1))
  • Compute de-1 mod ?(n)
  • The verification (public) key KU(e, n)
  • The signing (private) key KR(d, n)

6
RSA signature scheme (cont.)
  • Let H be a hashing algorithm, publicly known
  • Signing algorithm Sig
  • Input ((d,n), M) (0?M?n-1)
  • Compute sH(M)d mod n
  • Output(s).
  • Verification algorithm Ver
  • Input ((e,n), M, s) (0?s?n-1)
  • Compute hse mod n
  • Output yes if and only if hH(M).
  • Draw the conceptual graph ?

7
RSA example
  • Randomly select two primes p7, q17
  • Calculate npq717119
  • Calculate ?(n)(p-1)(q-1)96
  • Randomly select e5, since gcd(e,?(n))1
  • Calculate de-1 mod ?(n)77
  • Public key KU(5, 119)
  • Private key KR(77, 119)

8
ElGamal signature scheme
  • Key generation algorithm
  • Input k (security parameter)
  • Randomly generate a prime 2q1, where q is also
    prime
  • Randomly select h?Zp and compute gh2 mod p?1.
    (Note gq1 (mod p))
  • Randomly select a number x, 1?x?q-1
  • Compute ygx mod p
  • The verification (public) key KU(g, p, y)
  • The signing (private) key KR(g, p, x)

9
ElGamal signature scheme (cont.)
  • Let H be a hashing algorithm, publicly known
  • Signing algorithm Sig
  • Input ((g,p,x), M) (0?M?p-1)
  • Randomly select k, 1?k?q-1 and compute rgk mod p
  • Compute sk-1 (H(m)-rx) mod q
  • Output((r,s)).
  • Note there are many signatures for a message
  • Verification algorithm Ver
  • Input ((g,p,y), M, (r,s))
  • Compute hH(M)
  • Output yes if and only if ghyrrs mod p.

10
ElGamal signature scheme (cont.)
  • Why ghyrrs (mod p) ?
  • yrrs mod p
  • (gx)r (gk)s mod p
  • gxrks mod p
  • gh(M) mod p

11
Digital signature standard (DSS)
  • Key generation algorithm
  • Input L (security parameter)
  • Randomly generate an L-bit prime kq1, where q
    is also prime, 2159ltqlt2160
  • Randomly select h?Zp and compute gh(p-1)/q mod
    p?1. (Note gq1 (mod p))
  • Randomly select a number x, 1?x?q-1
  • Compute ygx mod p
  • The verification (public) key KU(g, p, q, y)
  • The signing (private) key KR(g, p, q, x)

12
DSS signature scheme (cont.)
  • Let H be a hashing algorithm, publicly known
  • Signing algorithm Sig
  • Input ((g,p,q,x), M) (0?M?p-1)
  • Randomly select k, 1?k?q-1 andcompute r(gk mod
    p) mod q
  • Compute sk-1(H(m)rx) mod q
  • Output (r,s).
  • Note there are many signatures for a message

13
DSS signature scheme (cont.)
  • Verification algorithm Ver
  • Input ((g,p,g,y), M, (r,s))
  • Compute w s-1 mod q
  • Compute u1 H(M)w mod q
  • Compute u2 rw mod q
  • Compute v (gu1yu2 mod p) mod q
  • Output yes if and only if vr

14
DSS signature scheme (cont.)
  • Why it works?
  • gu1yu2 mod p mod q
  • gH(M)w gxrw mod p mod q
  • gw(H(M)xr) mod p mod q
  • gk mod q mod p mod q
  • gk mod p mod q
  • r
  • Note ordp(g)q.

15
DSS signature scheme example
  • Key generation
  • p676?111, q11
  • g2(p-1)/11 mod p36 mod 6759
  • x5, ygx mod p62
  • KU(59, 67, 11, 62)
  • KR(59, 67, 11, 5)
  • Signing
  • Let H(M)4, k3
  • rgk mod p mod q593 mod 67 mod 112
  • sk-1(H(M)rx) mod q3-1(42?5) mod 111
  • (r,s)(2,1)

16
DSS signature scheme example
  • Verification (r, s)(2, 1)
  • ws-1 mod q 1-1 mod 11 1
  • u1 H(M)?w mod q 4?1 mod 11 4
  • u2 r?w mod q 2?1 mod 11 2
  • vgu1 ? yu2 mod p mod q 594?622 mod 67 mod
    11 2
  • Since vr, (2,1) is a signature to H(M)

17
DSS signature scheme security
  • Based on computing discrete logarithm over a
    subgroup of size q logg y mod p.Note ordp(g)q
  • The per-message secret k cannot be used twice.
    Otherwise, given two signatures(r1,s1) for M1
    and (r2,s2) for M2, we have
  • s1k-1(H(M1)r1x) mod q
  • s2k-1(H(M2))r2x) mod q
  • Solve x(s2H(M1)-s1H(M2))/(r2s1-r1s2) mod q

18
Digital signature usage
  • Off-line Signing a document for emulating the
    hand-written signature
  • On-line identity authentication (session key
    distribution)

challenge c
Bob
Alice
rSig(KRBob, c)
If Ver(KUBob, r, c)true then accept that Bob is
talking to me
19
Appendix Various kinds of signatures
  • ???,"??????????",??????,vol.7, no.3, pp. 59-67,
    2001.

20
Appendix Various types
  • Fundamental schemes
  • RSA signature
  • Rabin signature
  • ElGamal signature
  • DSA signature
  • Signature schemes based on error-correcting codes
  • Signature schemes based on two hard problems
  • Signature schemes based on elliptic curves

21
Appendix Various types
  • Schemes for multi-user
  • Multi-signatures
  • Multi-signature scheme with distinguished signing
    authorities
  • Threshold signatures (Group-oriented signature)
  • Threshold signature scheme with traceable signer

22
Appendix Various types
  • Schemes with message recovery
  • Signatures with message recovery
  • Authenticated encryption schemes
  • Authenticated encryption scheme with message
    linkages
  • Authenticated encryption scheme with (t,n) shared
    verification

23
Appendix Various types
  • Schemes with signer-aided verification
  • Undeniable signature
  • Confirmer signatures
  • Convertible undeniable signatures
  • Group-oriented undeniable signature

24
Appendix Various types
  • E-cash and e-Voting scheme
  • Blind signature
  • Blind threshold signature
  • Partially blind signature
  • Partially Blind threshold signature
  • Fair blind signature

25
Appendix Various types
  • Other signature
  • Proxy signature
  • Proxy-protected Proxy signature
  • Threshold proxy signature
  • Group signature
  • Other properties
  • Batch verification
  • Message flow
  • fault tolerance
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "CryptographySecurity" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!