Digital Signature. Raj Jain


Digital Signature
Raj Jain
Washington University in Saint Louis, Saint Louis, MO 63130
Jain@cse.wustl.edu
Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

Overview
1. Digital Signatures
2. ElGamal Digital Signature Scheme
3. Schnorr Digital Signature Scheme
4. Digital Signature Standard (DSS)

These slides are based partly on Lawrie Brown's slides supplied with William Stallings's book Cryptography and Network Security: Principles and Practice, 6th Ed, 2013.

Digital Signatures
- Verify author, date & time of signature
- Authenticate message contents
- Can be verified by third parties to resolve disputes
Ref: http://en.wikipedia.org/wiki/non-repudiation, http://en.wikipedia.org/wiki/digital_signature, http://en.wikipedia.org/wiki/digital_signatures_and_law

Digital Signature Model (figure)

Attacks
In order of increasing severity. C = attacker, A = victim.
1. Key-only attack: C only knows A's public key
2. Known message attack: C has a set of messages, signatures
3. Generic chosen message attack: C obtains A's signatures on messages selected without knowledge of A's public key
4. Directed chosen message attack: C obtains A's signatures on messages selected after knowing A's public key
5. Adaptive chosen message attack: C may request signatures on messages depending upon previous message-signature pairs

Forgeries
1. Total break: C knows A's private key
2. Universal forgery: C can generate A's signatures on any message
3. Selective forgery: C can generate A's signature for a particular message chosen by C
4. Existential forgery: C can generate A's signature for a message not chosen by C

Digital Signature Requirements
- Must depend on the message signed
- Must use information unique to sender
  - To prevent both forgery and denial
- Must be relatively easy to produce
- Must be relatively easy to recognize & verify
  - Directed: recipient can verify
  - Arbitrated: anyone can verify
- Be computationally infeasible to forge
  - With new message for existing digital signature
  - With fraudulent digital signature for given message
- Be able to retain a copy of the signature in storage
Ref: http://en.wikipedia.org/wiki/electronic_signature

ElGamal Digital Signatures
- Signature variant of ElGamal, related to D-H
  - Uses exponentiation in a finite (Galois) field
  - Based on difficulty of computing discrete logarithms, as in D-H
- Each user (e.g., A) generates his/her key
  - Given a large prime $q$ and its primitive root $a$
  - A chooses a private key: $1 < x_A < q-1$
  - A computes his public key: $y_A = a^{x_A} \bmod q$
Ref: http://en.wikipedia.org/wiki/elgamal_signature_scheme

ElGamal Digital Signature
Alice signs a message M to Bob by computing:
- Hash $m = H(M)$, $0 \le m \le q-1$
- Choose random integer $K$ with $1 \le K \le q-1$ and $\gcd(K, q-1) = 1$ ($K$ is the per-message key)
- Compute $S_1 = a^K \bmod q$
- Compute $K^{-1}$, the inverse of $K \bmod (q-1)$
- Compute the value $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$
- If $S_2$ is zero, start with a new $K$
- Signature is $(S_1, S_2)$
Any user B can verify the signature by computing:
- $V_1 = a^m \bmod q$
- $V_2 = y_A^{S_1} S_1^{S_2} \bmod q$
- Signature is valid if $V_2 = V_1$, because
  $(a^{x_A})^{S_1} (a^K)^{S_2} = a^{x_A S_1 + K S_2} = a^{x_A S_1 + m - x_A S_1} = a^m$

ElGamal Signature Example
- GF(19): $q = 19$ and $a = 10$
- Alice computes her key:
  - A chooses $x_A = 16$ and computes $y_A = 10^{16} \bmod 19 = 4$
- Alice signs message with hash $m = 14$ as $(3, 4)$:
  - Choosing random $K = 5$, which has $\gcd(18, 5) = 1$
  - Computing $S_1 = 10^5 \bmod 19 = 3$
  - Finding $K^{-1} \bmod (q-1) = 5^{-1} \bmod 18 = 11$
  - Computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$
- Any user B can verify the signature by computing:
  - $V_1 = a^m \bmod q = 10^{14} \bmod 19 = 16$
  - $V_2 = y_A^{S_1} S_1^{S_2} \bmod q = 4^3 \cdot 3^4 = 5184 \bmod 19 = 16$
  - Since $16 = 16$, the signature is valid
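The GF(19) example above, carried through in code. This is an added example, not part of the original slides; the function names are illustrative, and the range check in `elgamal_verify` is an added hardening step that the slides do not list.

```python
from math import gcd

def elgamal_sign(m, x_a, K, q, a):
    """Sign hash value m with private key x_a and per-message key K."""
    if not (1 <= K <= q - 1) or gcd(K, q - 1) != 1:
        raise ValueError("K must satisfy 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(a, K, q)                        # S1 = a^K mod q
    k_inv = pow(K, -1, q - 1)                # inverse of K mod (q-1)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)  # S2 = K^-1 (m - x_A S1) mod (q-1)
    if s2 == 0:
        raise ValueError("S2 is zero: start again with a new K")
    return s1, s2

def elgamal_verify(m, sig, y_a, q, a):
    """Return True when V1 = a^m equals V2 = y_A^S1 * S1^S2 (mod q)."""
    s1, s2 = sig
    # Added hardening (not on the slide): reject out-of-range components
    # before doing any arithmetic with them.
    if not (0 < s1 < q and 0 < s2 < q - 1):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

# Values from the slide: q = 19, a = 10, x_A = 16, m = 14, K = 5
Q, A, X_A = 19, 10, 16
Y_A = pow(A, X_A, Q)                         # public key y_A

if __name__ == "__main__":
    sig = elgamal_sign(14, X_A, 5, Q, A)
    print("y_A =", Y_A, "signature =", sig)
    print("valid for m=14:", elgamal_verify(14, sig, Y_A, Q, A))
    print("valid for m=15:", elgamal_verify(15, sig, Y_A, Q, A))
```
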

Schnorr Digital Signatures
- Also uses exponentiation in a finite (Galois) field
- Minimizes message-dependent computation
  - Main work can be done in idle time
- Using a prime modulus $p$
  - $p - 1$ has a prime factor $q$ of appropriate size
  - Typically $p$ is 1024-bit and $q$ is 160-bit (SHA-1 hash size)
- Schnorr key setup:
  - Choose suitable primes $p$, $q$
  - Choose $a$ such that $a^q = 1 \bmod p$
  - $(a, p, q)$ are global parameters for all
- Each user (e.g., A) generates a key
  - Chooses a secret key (number): $0 < s < q$
  - Computes his public key: $v = a^{-s} \bmod p$

Schnorr Signature
User signs message by:
- Choosing random $r$ with $0 < r < q$ and computing $x = a^r \bmod p$
- Concatenating message with $x$ and hashing: $e = H(M \| x)$
- Computing: $y = (r + se) \bmod q$
- Signature is the pair $(e, y)$
Any other user can verify the signature as follows:
- Computing: $x' = a^y v^e \bmod p$
- Verifying that: $e = H(M \| x')$
  $x' = a^y v^e = a^y a^{-se} = a^{y-se} = a^r = x \bmod p$
Ref: http://en.wikipedia.org/wiki/schnorr_signature
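The Schnorr steps above as a short sketch, with the message-independent work split into its own `precompute` step to show the "idle time" point. This is an added example, not part of the original slides; the toy parameters p = 23, q = 11, a = 2 are constructed for illustration, and SHA-256 with a fixed-width encoding of x is an assumed choice for H(M || x).

```python
import hashlib
import secrets

# Constructed toy parameters: q divides p-1 and a^q = 1 mod p (2^11 = 2048 = 89*23 + 1)
P, Q, A = 23, 11, 2

def challenge(msg: bytes, x: int) -> int:
    """e = H(M || x), with x encoded as fixed-width big-endian bytes."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha256(msg + x.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big")

def keygen(s: int) -> int:
    """Public key v = a^(-s) mod p for secret key 0 < s < q."""
    return pow(A, -s, P)

def precompute(r=None):
    """Message-independent step (can run in idle time): pick r, compute x = a^r mod p."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1     # 0 < r < q
    return r, pow(A, r, P)

def schnorr_sign(msg: bytes, s: int, pre):
    """Message-dependent step: one hash, one multiply and one add mod q."""
    r, x = pre
    e = challenge(msg, x)
    y = (r + s * e) % Q
    return e, y

def schnorr_verify(msg: bytes, sig, v: int) -> bool:
    """Recompute x' = a^y v^e mod p and check e = H(M || x')."""
    e, y = sig
    if not (0 <= y < Q):
        return False
    x_prime = (pow(A, y, P) * pow(v, e, P)) % P
    return e == challenge(msg, x_prime)

if __name__ == "__main__":
    s = 7                                    # constructed secret key
    v = keygen(s)
    sig = schnorr_sign(b"pay 10", s, precompute())
    print("valid:", schnorr_verify(b"pay 10", sig, v))
    print("tampered message valid:", schnorr_verify(b"pay 99", sig, v))
```
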

Digital Signature Standard (DSS)
- US Govt approved signature scheme
- Designed by NIST & NSA in early 90's
- Published as FIPS-186 in 1991
- Revised in 1993, 1996 & then 2000
- Uses the SHA hash algorithm
- DSS is the standard, DSA is the algorithm
- FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
- DSA is digital signature only
Ref: http://en.wikipedia.org/wiki/digital_signature_algorithm

Digital Signature Algorithm (DSA)
- Creates a 320 bit signature
- With 512-1024 bit security
- Smaller and faster than RSA
- A digital signature scheme only
- Security depends on difficulty of computing discrete logarithms
- Variant of ElGamal & Schnorr schemes

DSA Key Generation
- Shared global public key values $(p, q, g)$:
  - Choose 160-bit prime number $q$
  - Choose a large prime $p$ with $2^{L-1} < p < 2^L$
    - Where $L$ = 512 to 1024 bits and is a multiple of 64
    - Now extended to 2048 or 3072 bits
    - Such that $q$ is a 160 bit prime divisor of $(p-1)$
  - Choose $g = h^{(p-1)/q}$
    - Where $1 < h < p-1$ and $h^{(p-1)/q} \bmod p > 1$
    - Commonly $h = 2$ is used
- Users choose private & compute public key:
  - Choose random private key: $x < q$
  - Compute public key: $y = g^x \bmod p$

DSA Signature Creation
To sign a message M the sender:
- Generates a random signature key $k$, $k < q$
  - Note: $k$ must be random, be destroyed after use, and never be reused
- Then computes signature pair:
  - $r = (g^k \bmod p) \bmod q$; if $r = 0$ choose another $k$
  - $s = [k^{-1}(H(M) + xr)] \bmod q$; if $s = 0$ choose another $k$
- Sends signature $(r, s)$ with message M
[Figure: signing diagram with inputs M, k, x and global values p, q, g producing r and s]

DSA Signature Verification
To verify a signature, recipient computes:
- $w = s^{-1} \bmod q$
- $u_1 = [H(M)\,w] \bmod q$
- $u_2 = (rw) \bmod q$
- $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
If $v = r$ then signature is verified
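DSA signing and verification as described on the last three slides, plus the algebra behind the note that k must be destroyed after use: if k is known, the signing equation can be solved for x. This is an added example, not part of the original slides; p = 23, q = 11 and the sample keys are constructed toy values, and `hm` stands for H(M) already reduced mod q, as m does in the ElGamal example.

```python
import secrets

P, Q = 23, 11                      # constructed toy primes, q divides p-1
G = pow(2, (P - 1) // Q, P)        # g = h^((p-1)/q) with h = 2, gives 4

def dsa_sign(hm, x, k=None):
    """Return (r, s) for hash value hm under private key x.

    With k=None a fresh random k is drawn and redrawn while r = 0 or s = 0;
    a caller-supplied k is for reproducing a worked example only.
    """
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        s = (pow(kk, -1, Q) * (hm + x * r)) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another k")

def dsa_verify(hm, sig, y):
    """Compute w, u1, u2, v as on the verification slide and compare v with r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):   # s = 0 has no inverse mod q
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hm * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r

def private_key_from_known_k(hm, sig, k):
    """Solve s = k^-1 (H(M) + x r) mod q for x once k is no longer secret."""
    r, s = sig
    return ((s * k - hm) * pow(r, -1, Q)) % Q

if __name__ == "__main__":
    x = 7                               # constructed private key
    y = pow(G, x, P)                    # public key
    sig = dsa_sign(5, x, k=3)
    print("signature:", sig, "valid:", dsa_verify(5, sig, y))
    print("x recovered from leaked k:", private_key_from_known_k(5, sig, 3))
```
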

DSS vs. RSA Signatures (figure)
Legend: $PU_G$ = global public key; $k$ = per-message secret key

Summary
1. Digital signature depends upon the message and some information unique to the signer to prevent forgery and denial. Anyone should be able to verify.
2. ElGamal/Schnorr/DSA signatures use a per-message secret key and are based on exponentiation
3. DSA produces a 320 bit signature

Homework 13
- DSA specifies that if the signature generation process results in a value of s=0, a new value of k should be generated and the signature should be recalculated. Why?
- Suppose Alice signed a message M using DSA with a specific k value and then the k value was compromised. Can Alice still use her private key for future digital signatures?
Hint: Show that the private key of the signer can be easily computed in both of the above cases.