Digital Signatures (DSs) - PowerPoint PPT Presentation

About This Presentation
Title:

Digital Signatures (DSs)

Description:

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but also to the ... – PowerPoint PPT presentation

Number of Views:194
Avg rating:3.0/5.0
Slides: 24
Provided by: CChen
Category:

less

Transcript and Presenter's Notes

Title: Digital Signatures (DSs)


1
Digital Signatures (DSs)
  • The digital signatures cannot be separated from
    the message and attached to another
  • The signature is not only tied to signer but also
    to the message that is being signed
  • The digital signature needs to be easily verified
    by other parties
  • Digital signature schemes therefore consist of
    two distinct steps the signing process and the
    verification process

2
RSA Signatures
  • Bob has a document m that Alice agrees to sign.
    Alice does the following.
  • Alice chooses two primes p, q and npq, makes
    (e,n) public with gcd(e,(p-1)(q-1))1
  • de1 (mod f(n)), she keeps p,q,d secret
  • ?Alices signature is ymd (mod n)
  • ?Alice then makes the pair (y,m) public

3
How does Bob verify Alices Signature
  • Download Alices (e,n)
  • Compute zye (mod n)
  • If zm, then Bob accepts the signature as valid
    otherwise the signature is not valid

4
Blind Signatures (1/2)
  • Alice chooses npq, find e, and solve d as
    required in RSA scheme,i.e., ed1(mod n)
  • Bod chooses a random k with gcd(k,n)1, computes
    tkem (mod n) for message m, and sends t to Alice
  • Alice signs t by computing std (mod n). She
    returns s to Bob
  • Bob computes sk-1 (mod n) to get the signed
    message md

5
Blind Signatures (2/2)
  • sk-1 tdk-1(kem)dk-1md(ked) k-1 md
  • Alice has never seen the message m
  • tkem and std, then sk-1 md (mod n)
  • The choice of k is random, therefore, tkem (mod
    n) gives essentially no information about m. In
    this way, Alice knows nothing about the message m
    she is signing.

6
ElGamal Signature Scheme
  • One feature that is different from RSA is that,
    with this method, there are many different
    signatures that are valid for a given message
  • Suppose Alice wants to sign a message m. To
    start, Alice chooses a large prime p and a
    primitive root a. Alice next chooses a secret
    integer (key) a, 1ap-2, and computes ßaa (mod
    p), (p,a,ß) are made public.

7
Alice signs the message m via
  • Select a secret random k such that gcd(k,p-1)1
  • Computes rak (mod p)
  • Computes sk-1(m-ar) (mod p-1)
  • The signed message is the triple (m,r,s)

8
Bob verifies the signature via
  • Download Alices public key (p,a,ß)
  • Computes ußrrs and wam (mod p)
  • The signature is declared valid iff
  • uw (mod p)
  • Proof
  • wamaskar(aa)r(ak)s ßrrsu (mod p)
  • More details from p.246248

9
ElGamal Signature for one
  • Alice wants to sign m1151405 (one). She
  • chooses p225119 a primitive root a11.
  • She chooses a secret number a, computes
  • ßaa 18191 (mod p).
  • To sign the message, she picks up a random k and
    keeps it secret. She computes rak 164130 (mod
    p), and s1k-1(m1-ar)130777 (mod p-1)
  • The signed message is (151405, 164130, 130777)

10
ElGamal Signature for two
  • Alice then signs m2202315 (two) with the same k,
    where (p,a)(225119,11), hence r has the same
    value and the signed message is
  • (202315, 164130, 164899). Then we have
  • -34122k (s1-s2)k m1-m2 -50910 (mod p-1)
  • Since gcd(-34122,p-1)2, so there are two ks
  • k239 and k112798 (mod p-1)
  • Since a239 164130, a112789 59924 (mod p),
  • k239 leads to the correct value r164130

11
Dangerous for the same key to different documents
  • Rewrite s1km1-ar (mod p-1) to obtain
  • 164130aar m1- s1k187104 (mod p-1)
  • Since gcd(164130, p-1)2, there are two solutions
    for as a28862 and a141421
  • Since a11, ß18191, and
  • a28862 206928, a141421 18191 (mod p)
  • Therefore the key a141421 is revealed.

12
Hash Functions
  • A cryptographic hash function h takes as input a
    message of arbitrary length and produces as
    output a message digest of fixed length. Certain
    properties should be satisfied.
  • Given a message m, the message digest h(m) can be
    calculated very quickly.
  • Given a digest message y, it is computationally
    infeasible to find an m with h(m)y. In other
    words, h is a one-way, or preimage resistant,
    function.
  • It is computationally infeasible to find messages
    x, y such that h(x)h(y), i.e., h is strongly
    collision-free.

13
Examples
  • Let nbkbk-1b1b0 , define h(n)bk??b0 ,
  • Thus, this h does not satisfy (2)
  • The discrete log hash function due to Chaum, van
    Heijst, and Pfitzmann
  • Select a large prime p such that q(p-1)/2 is
    prime, let
  • a,ßbe two primitive roots mod p which satisfyaa
    ß
  • (mod p) and a is a secret number, let mxyq,
    with
  • 0x,y q-1, Define a hash function
  • h(m)ax ßy (mod p)

14
Proposition (p.184)
  • If we know messages m?n with h(m)h(n), then we
    can determine the discrete logarithm aLa(ß).
  • (Proof) Write mxyq, nrsq. Suppose
  • h(m)h(n) i.e., axßy arßs (mod p), since
  • aa ß (mod p), hence aa(y-s)-(x-r) 1 (mod p)
  • Therefore a(y-s)(x-r) (mod p-1). Since p-12q
  • has only 4 divisors 1,2,q,p-1, so
    dgcd(y-s,p-1)1
  • or 2. Thus, we can get the secret a.

15
Other Hash Functions
  • ?MD family MD4, MD5 due to Rivest
  • ?NISTs Secure Hash Algorithm (SHA) which yields
    a 160-bit message digest
  • Stinson Schneier Menezes et al.

16
Hashing, Signing, and Applications
  • Sending (m,sig(h(m))) instead of (m,sig(m)) could
    significantly reduce the size of digital
    signatures.
  • An appropriate hash function should be chosen. In
    particular, in electronic exchanges in
    E-commerce.

17
Birthday Attacks
  • If there are 23 people in a room, the
    probability 50.7 that two of them have the same
    birthday. If there are 30 people, the probability
    is increasing up to 70.
  • The probability of 23 people do not have the same
    birthday is
  • (1-1/365)(1-2/365)(1-22/365) 0.493

18
A Birthday Attack on Discrete Log
  • Suppose we want to evaluate La(b) with a large p.
    We can do by a birthday attack in the following
    procedures
  • The first list contains numbers ak (mod p) for
    approximately p1/2 randomly chosen values of k.
  • The first list contains numbers ba-j (mod p) for
    approximately p1/2 randomly chosen values of j.
  • There is a good chance that there is a match
    between some element on the 1st list and one on
    the 2nd list. If so, ak ba-j (mod p) and hence
    akj b (mod p)
  • xkj (mod p-1) is the discrete log solution

19
Digital Signature Algorithm (DSA)
  • The NIST proposed the DSA in 1991 and adopted it
    as a standard in 1994. The message digest is a
    160-bit output of a hash function. The generate
    keys for DSA proceeds as follows. First, there is
    an initialization phase

20
Initialization Phase
  • Alice finds a prime q that is 160 bits long and
    chooses a prime p that satisfies qp-1. The
    discrete log problem should be hard for this
    choice of p (e.g., p is 512-bit long).
  • Let g be a primitive root mod p and let
    ag(p-1)/q (mod p). Then aq 1 (mod p).
  • Alice chooses a secret a such that 1altq-1 and
    calculates ßaa (mod p)
  • Alice publishes (p,q, a, ß) and keeps a secret

21
The signing process
  • Alice signs a message m by the following
    procedure
  • Select a random, secret integer k, such that
    0ltkltq-1
  • Compute r(ak (mod p)) (mod q)
  • Compute sk-1(mar) (mod q)
  • Alices signature for m is (r,s), which she sends
    to Bob along with m.

22
Verification
  • For Bob to verify, he must
  • 1. Download Alices public information (p,q,a,ß)
  • 2. Compute us-1m , vs-1r (mod q)
  • 3. Compute w( außv (mod p)) (mod q)
  • 4. Accept the signature iff wr

23
Simple Exercises from p.252-255
  • Exercises 1,2,3,4
  • Computer Problem 1
Write a Comment
User Comments (0)
About PowerShow.com