Digital Signatures (DSs)

1
Digital Signatures (DSs)

• The digital signatures cannot be separated from
  the message and attached to another
• The signature is not only tied to signer but also
  to the message that is being signed
• The digital signature needs to be easily verified
  by other parties
• Digital signature schemes therefore consist of
  two distinct steps the signing process and the
  verification process

2
RSA Signatures

• Bob has a document m that Alice agrees to sign.
  Alice does the following.
• Alice chooses two primes p, q and npq, makes
  (e,n) public with gcd(e,(p-1)(q-1))1
• de1 (mod f(n)), she keeps p,q,d secret
• ?Alices signature is ymd (mod n)
• ?Alice then makes the pair (y,m) public

3
How does Bob verify Alices Signature

• Download Alices (e,n)
• Compute zye (mod n)
• If zm, then Bob accepts the signature as valid
  otherwise the signature is not valid

4
Blind Signatures (1/2)

• Alice chooses npq, find e, and solve d as
  required in RSA scheme,i.e., ed1(mod n)
• Bod chooses a random k with gcd(k,n)1, computes
  tkem (mod n) for message m, and sends t to Alice
• Alice signs t by computing std (mod n). She
  returns s to Bob
• Bob computes sk-1 (mod n) to get the signed
  message md

5
Blind Signatures (2/2)

• sk-1 tdk-1(kem)dk-1md(ked) k-1 md
• Alice has never seen the message m
• tkem and std, then sk-1 md (mod n)
• The choice of k is random, therefore, tkem (mod
  n) gives essentially no information about m. In
  this way, Alice knows nothing about the message m
  she is signing.

6
ElGamal Signature Scheme

• One feature that is different from RSA is that,
  with this method, there are many different
  signatures that are valid for a given message
• Suppose Alice wants to sign a message m. To
  start, Alice chooses a large prime p and a
  primitive root a. Alice next chooses a secret
  integer (key) a, 1ap-2, and computes ßaa (mod
  p), (p,a,ß) are made public.

7
Alice signs the message m via

• Select a secret random k such that gcd(k,p-1)1
• Computes rak (mod p)
• Computes sk-1(m-ar) (mod p-1)
• The signed message is the triple (m,r,s)

8
Bob verifies the signature via

• Download Alices public key (p,a,ß)
• Computes ußrrs and wam (mod p)
• The signature is declared valid iff
• uw (mod p)
• Proof
• wamaskar(aa)r(ak)s ßrrsu (mod p)
• More details from p.246248

9
ElGamal Signature for one

• Alice wants to sign m1151405 (one). She
• chooses p225119 a primitive root a11.
• She chooses a secret number a, computes
• ßaa 18191 (mod p).
• To sign the message, she picks up a random k and
  keeps it secret. She computes rak 164130 (mod
  p), and s1k-1(m1-ar)130777 (mod p-1)
• The signed message is (151405, 164130, 130777)

10
ElGamal Signature for two

• Alice then signs m2202315 (two) with the same k,
  where (p,a)(225119,11), hence r has the same
  value and the signed message is
• (202315, 164130, 164899). Then we have
• -34122k (s1-s2)k m1-m2 -50910 (mod p-1)
• Since gcd(-34122,p-1)2, so there are two ks
• k239 and k112798 (mod p-1)
• Since a239 164130, a112789 59924 (mod p),
• k239 leads to the correct value r164130

11
Dangerous for the same key to different documents

• Rewrite s1km1-ar (mod p-1) to obtain
• 164130aar m1- s1k187104 (mod p-1)
• Since gcd(164130, p-1)2, there are two solutions
  for as a28862 and a141421
• Since a11, ß18191, and
• a28862 206928, a141421 18191 (mod p)
• Therefore the key a141421 is revealed.

12
Hash Functions

• A cryptographic hash function h takes as input a
  message of arbitrary length and produces as
  output a message digest of fixed length. Certain
  properties should be satisfied.
• Given a message m, the message digest h(m) can be
  calculated very quickly.
• Given a digest message y, it is computationally
  infeasible to find an m with h(m)y. In other
  words, h is a one-way, or preimage resistant,
  function.
• It is computationally infeasible to find messages
  x, y such that h(x)h(y), i.e., h is strongly
  collision-free.

13
Examples

• Let nbkbk-1b1b0 , define h(n)bk??b0 ,
• Thus, this h does not satisfy (2)
• The discrete log hash function due to Chaum, van
  Heijst, and Pfitzmann
• Select a large prime p such that q(p-1)/2 is
  prime, let
• a,ßbe two primitive roots mod p which satisfyaa
  ß
• (mod p) and a is a secret number, let mxyq,
  with
• 0x,y q-1, Define a hash function
• h(m)ax ßy (mod p)

14
Proposition (p.184)

• If we know messages m?n with h(m)h(n), then we
  can determine the discrete logarithm aLa(ß).
• (Proof) Write mxyq, nrsq. Suppose
• h(m)h(n) i.e., axßy arßs (mod p), since
• aa ß (mod p), hence aa(y-s)-(x-r) 1 (mod p)
• Therefore a(y-s)(x-r) (mod p-1). Since p-12q
• has only 4 divisors 1,2,q,p-1, so
  dgcd(y-s,p-1)1
• or 2. Thus, we can get the secret a.

15
Other Hash Functions

• ?MD family MD4, MD5 due to Rivest
• ?NISTs Secure Hash Algorithm (SHA) which yields
  a 160-bit message digest
• Stinson Schneier Menezes et al.

16
Hashing, Signing, and Applications

• Sending (m,sig(h(m))) instead of (m,sig(m)) could
  significantly reduce the size of digital
  signatures.
• An appropriate hash function should be chosen. In
  particular, in electronic exchanges in
  E-commerce.

17
Birthday Attacks

• If there are 23 people in a room, the
  probability 50.7 that two of them have the same
  birthday. If there are 30 people, the probability
  is increasing up to 70.
• The probability of 23 people do not have the same
  birthday is
• (1-1/365)(1-2/365)(1-22/365) 0.493

18
A Birthday Attack on Discrete Log

• Suppose we want to evaluate La(b) with a large p.
  We can do by a birthday attack in the following
  procedures
• The first list contains numbers ak (mod p) for
  approximately p1/2 randomly chosen values of k.
• The first list contains numbers ba-j (mod p) for
  approximately p1/2 randomly chosen values of j.
• There is a good chance that there is a match
  between some element on the 1st list and one on
  the 2nd list. If so, ak ba-j (mod p) and hence
  akj b (mod p)
• xkj (mod p-1) is the discrete log solution

19
Digital Signature Algorithm (DSA)

• The NIST proposed the DSA in 1991 and adopted it
  as a standard in 1994. The message digest is a
  160-bit output of a hash function. The generate
  keys for DSA proceeds as follows. First, there is
  an initialization phase

20
Initialization Phase

• Alice finds a prime q that is 160 bits long and
  chooses a prime p that satisfies qp-1. The
  discrete log problem should be hard for this
  choice of p (e.g., p is 512-bit long).
• Let g be a primitive root mod p and let
  ag(p-1)/q (mod p). Then aq 1 (mod p).
• Alice chooses a secret a such that 1altq-1 and
  calculates ßaa (mod p)
• Alice publishes (p,q, a, ß) and keeps a secret

21
The signing process

• Alice signs a message m by the following
  procedure
• Select a random, secret integer k, such that
  0ltkltq-1
• Compute r(ak (mod p)) (mod q)
• Compute sk-1(mar) (mod q)
• Alices signature for m is (r,s), which she sends
  to Bob along with m.

22
Verification

• For Bob to verify, he must
• 1. Download Alices public information (p,q,a,ß)
• 2. Compute us-1m , vs-1r (mod q)
• 3. Compute w( außv (mod p)) (mod q)
• 4. Accept the signature iff wr

23
Simple Exercises from p.252-255

• Exercises 1,2,3,4
• Computer Problem 1