Cryptography V: Digital Signatures

Similar documents
Cryptography V: Digital Signatures

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Public Key Algorithms

Chapter 9 Public Key Cryptography. WANG YANG

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Cryptography and Network Security. Sixth Edition by William Stallings

Digital Signature. Raj Jain

Lecture 3.4: Public Key Cryptography IV

CSC 474/574 Information Systems Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Part VI. Public-key cryptography

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Topics. Number Theory Review. Public Key Cryptography

Other Topics in Cryptography. Truong Tuan Anh

CS408 Cryptography & Internet Security

Cryptography and Network Security Chapter 13. Digital Signatures & Authentication Protocols

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

T Cryptography and Data Security

T Cryptography and Data Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

Solutions to exam in Cryptography December 17, 2013

Spring 2010: CS419 Computer Security

Public Key Cryptography

CSC/ECE 774 Advanced Network Security

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

CPSC 467: Cryptography and Computer Security

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Lecture 9: Public-Key Cryptography CS /05/2018

Public-key Cryptography: Theory and Practice

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Cryptography and Network Security Chapter 13. Fourth Edition by William Stallings. Lecture slides by Lawrie Brown

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

CS408 Cryptography & Internet Security

Appendix A: Introduction to cryptographic algorithms and protocols

Contents Digital Signatures Digital Signature Properties Direct Digital Signatures

Making Use of the Subliminal Channel in DSA

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Introduction to Public-Key Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSC 5930/9010 Modern Cryptography: Digital Signatures

CSC 474/574 Information Systems Security

Cryptographic protocols

Symmetric Encryption 2: Integrity

Cryptography: More Primitives

Digital Signatures 1

CS Computer Networks 1: Authentication

Blind Signatures and Their Applications

Secure Multiparty Computation

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

Lecture III : Communication Security Mechanisms

Session key establishment protocols

Session key establishment protocols

Digital Multi Signature Schemes Premalatha A Grandhi

CSE 127: Computer Security Cryptography. Kirill Levchenko

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Introduction to Cryptography Lecture 10

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Asymmetric Primitives. (public key encryptions and digital signatures)

Public-Key Cryptanalysis

HOST Authentication Overview ECE 525

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

Public Key Algorithms

Security. Communication security. System Security

CSC 774 Network Security

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

CSCE 715: Network Systems Security

Public Key Cryptography

Prime Field over Elliptic Curve Cryptography for Secured Message Transaction

Technological foundation

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Encryption. INST 346, Section 0201 April 3, 2018

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Public Key Encryption. Modified by: Dr. Ramzi Saifan

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

CSC 482/582: Computer Security. Security Protocols

Applied Cryptography Protocol Building Blocks

Cryptographic Hash Functions

Grenzen der Kryptographie

1 Defining Message authentication

Cryptography and Network Security. Sixth Edition by William Stallings

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Lecture 3: Public-Key Cryptography

Securely Combining Public-Key Cryptosystems

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Efficient identity-based GQ multisignatures

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 6: Overview of Public-Key Cryptography and RSA

Kurose & Ross, Chapters (5 th ed.)

Transcription:

Cryptography V: Digital Signatures Computer Security Lecture 10 David Aspinall School of Informatics University of Edinburgh 10th February 2011

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information.

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as:

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability integrity

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability integrity verifiability by independent, public or 3rd party

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability integrity verifiability by independent, public or 3rd party Digital signatures are the asymmetric analogue of MACs, with a crucial difference.

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability integrity verifiability by independent, public or 3rd party Digital signatures are the asymmetric analogue of MACs, with a crucial difference.

Aims Digital signatures allow a principal to cryptographically bind (a representation of) its identity to a piece of information. Signatures can help establish security properties such as: authentication accountability/non-repudiation unforgeability integrity verifiability by independent, public or 3rd party Digital signatures are the asymmetric analogue of MACs, with a crucial difference. MACs can t disinguish which of A or B provided integrity to a message (so no non-repudiation or independent verifiability). NB: electronic signature is a more general notion.

Handwritten versus Digital Signatures

Handwritten versus Digital Signatures ink binds to paper cryptographically bound to data

Handwritten versus Digital Signatures ink binds to paper verifier needs signature cryptographically bound to data verifier needs public key

Handwritten versus Digital Signatures ink binds to paper verifier needs signature signatures always same cryptographically bound to data verifier needs public key depends on document

Handwritten versus Digital Signatures ink binds to paper verifier needs signature signatures always same copies apparent cryptographically bound to data verifier needs public key depends on document copies indistinguishable

Handwritten versus Digital Signatures ink binds to paper verifier needs signature signatures always same copies apparent signer saw document cryptographically bound to data verifier needs public key depends on document copies indistinguishable computer added signature

Handwritten versus Digital Signatures ink binds to paper verifier needs signature signatures always same copies apparent signer saw document have legal impact cryptographically bound to data verifier needs public key depends on document copies indistinguishable computer added signature may have legal impact

Signature mechanism A signature mechanism for principal A is given by: A message space M of messages for signing A set S of signatures (e.g. strings {0, 1} n ) A secret signing function S A : M S A public verification function V A : M S Bool

Signature mechanism A signature mechanism for principal A is given by: A message space M of messages for signing A set S of signatures (e.g. strings {0, 1} n ) A secret signing function S A : M S A public verification function V A : M S Bool satisfying the correctness and security properties: 1. V A (m, s) = true if and only if S A (m) = s. 2. For any principal other than A, it is computationally infeasible to find for any m M, an s S such that V A (m, s) = true.

Signature mechanism A signature mechanism for principal A is given by: A message space M of messages for signing A set S of signatures (e.g. strings {0, 1} n ) A secret signing function S A : M S A public verification function V A : M S Bool satisfying the correctness and security properties: 1. V A (m, s) = true if and only if S A (m) = s. 2. For any principal other than A, it is computationally infeasible to find for any m M, an s S such that V A (m, s) = true. Usually use a public algorithm yielding key-indexed families {S s s K} of signing and verification functions {V v v K}. Principal advertises v.

Signature mechanism A signature mechanism for principal A is given by: A message space M of messages for signing A set S of signatures (e.g. strings {0, 1} n ) A secret signing function S A : M S A public verification function V A : M S Bool satisfying the correctness and security properties: 1. V A (m, s) = true if and only if S A (m) = s. 2. For any principal other than A, it is computationally infeasible to find for any m M, an s S such that V A (m, s) = true. Usually use a public algorithm yielding key-indexed families {S s s K} of signing and verification functions {V v v K}. Principal advertises v. Remark: nobody has proved a signature mechanism satisfying 2 exists, although there are good candidates.

Using a signature scheme

Using a signature scheme To sign a message the signer A

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m).

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m). 2. Sends the pair (m, s).

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m). 2. Sends the pair (m, s). To verify that a signature s on a message m was created by A, another principal, the verifier:

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m). 2. Sends the pair (m, s). To verify that a signature s on a message m was created by A, another principal, the verifier: 1. Obtains the verification function V A for A.

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m). 2. Sends the pair (m, s). To verify that a signature s on a message m was created by A, another principal, the verifier: 1. Obtains the verification function V A for A. 2. Computes u = V A (m, s)

Using a signature scheme To sign a message the signer A 1. Computes s = S A (m). 2. Sends the pair (m, s). To verify that a signature s on a message m was created by A, another principal, the verifier: 1. Obtains the verification function V A for A. 2. Computes u = V A (m, s) 3. Accepts the signature if u = true, Rejects it if u = false.

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

Digital signatures with a TTP Given a trusted third party, it is possible to use symmetric cryptography techniques.

Digital signatures with a TTP Given a trusted third party, it is possible to use symmetric cryptography techniques. Let secure Sam S be the TTP, who shares a key with each principal.

Digital signatures with a TTP Given a trusted third party, it is possible to use symmetric cryptography techniques. Let secure Sam S be the TTP, who shares a key with each principal. For A to send a signed contract M to B, S acts as an intermediary. Message 1. A S: { M } Kas Message 2. S B: { M } Kbs (like Wide Mouthed Frog key exchange protocol, M should include time-stamps and names).

Digital signatures with a TTP Given a trusted third party, it is possible to use symmetric cryptography techniques. Let secure Sam S be the TTP, who shares a key with each principal. For A to send a signed contract M to B, S acts as an intermediary. Message 1. A S: { M } Kas Message 2. S B: { M } Kbs (like Wide Mouthed Frog key exchange protocol, M should include time-stamps and names). If A and B disagree about a signature, a judge Judy can verify the contracts also using S: Message 1. J S: { M } Kas, { M } Kbs Message 2. S J: { yes or no } Kjs

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible.

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible. RSA is reversible, but not every PK scheme is.

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible. RSA is reversible, but not every PK scheme is. We can define a digital signature scheme by reversing encryption and decryption:

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible. RSA is reversible, but not every PK scheme is. We can define a digital signature scheme by reversing encryption and decryption: Message space M, signature space C (= M).

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible. RSA is reversible, but not every PK scheme is. We can define a digital signature scheme by reversing encryption and decryption: Message space M, signature space C (= M). the signing function SA = D d

Digital signatures from PK encryption Suppose we have a public-key encryption scheme with M = C, and (d, e) a key-pair. Then because E e and D d are both permutations on M, we have that: D d (E e (m)) = E e (D d (m)) = m for all m M A public-key scheme of this type is called reversible. RSA is reversible, but not every PK scheme is. We can define a digital signature scheme by reversing encryption and decryption: Message space M, signature space C (= M). the signing function SA = D d the verification function VA is defined by true if Ee (s) = m, V A (m, s) = false otherwise.

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases:

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function.

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer.

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer. 3. Existential forgery. Adversary can create a valid signature for at least one message, without explicit choice of the message. May involve signer.

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer. 3. Existential forgery. Adversary can create a valid signature for at least one message, without explicit choice of the message. May involve signer. The adversary may have different knowledge levels. For PK schemes:

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer. 3. Existential forgery. Adversary can create a valid signature for at least one message, without explicit choice of the message. May involve signer. The adversary may have different knowledge levels. For PK schemes: 1. Key-only attack: adversary only knows PK.

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer. 3. Existential forgery. Adversary can create a valid signature for at least one message, without explicit choice of the message. May involve signer. The adversary may have different knowledge levels. For PK schemes: 1. Key-only attack: adversary only knows PK. 2. Known-message attack: adversary has signatures for some known (not chosen) messages.

Attacks on signature schemes [HAC] An adversary wants to forge signatures. Cases: 1. Total break. Adversary can compute the private key or find an equivalent signing function. 2. Selective forgery. Adversary can create a valid signature for some chosen message, without using the signer. 3. Existential forgery. Adversary can create a valid signature for at least one message, without explicit choice of the message. May involve signer. The adversary may have different knowledge levels. For PK schemes: 1. Key-only attack: adversary only knows PK. 2. Known-message attack: adversary has signatures for some known (not chosen) messages. 3. Chosen-message attack: adversary can obtain signatures for messages of his choosing. Messages may be determined in advance or in adaptive way, using signer as oracle.

Existential forgery The previous scheme is too simple because signatures are forgeable: a principal B can generate a random s S as a signature, apply the public encryption function to get a message m = E e (s), and transmit (m, s).

Existential forgery The previous scheme is too simple because signatures are forgeable: a principal B can generate a random s S as a signature, apply the public encryption function to get a message m = E e (s), and transmit (m, s). Obviously this verifies! It is an example of existential forgery.

Existential forgery The previous scheme is too simple because signatures are forgeable: a principal B can generate a random s S as a signature, apply the public encryption function to get a message m = E e (s), and transmit (m, s). Obviously this verifies! It is an example of existential forgery. The message m is not likely to be of B s choosing (and probably garbage).

Existential forgery The previous scheme is too simple because signatures are forgeable: a principal B can generate a random s S as a signature, apply the public encryption function to get a message m = E e (s), and transmit (m, s). Obviously this verifies! It is an example of existential forgery. The message m is not likely to be of B s choosing (and probably garbage). But this ability violates property 2 given earlier.

Signatures with redundancy A fix to reduce likelihood of existential forgery is to take M M to be messages with a special redundant structure, which is publicly known e.g., messages padded to an even length, surrounded with a fixed bit pattern.

Signatures with redundancy A fix to reduce likelihood of existential forgery is to take M M to be messages with a special redundant structure, which is publicly known e.g., messages padded to an even length, surrounded with a fixed bit pattern. This format is easily recognized by the verifier: true if Ee (s) M, V A (s) = false otherwise.

Signatures with redundancy A fix to reduce likelihood of existential forgery is to take M M to be messages with a special redundant structure, which is publicly known e.g., messages padded to an even length, surrounded with a fixed bit pattern. This format is easily recognized by the verifier: true if Ee (s) M, V A (s) = false otherwise. Now A only transmits the signature s, since the message m = E e (s) can be recovered by the verification function.

Signatures with redundancy A fix to reduce likelihood of existential forgery is to take M M to be messages with a special redundant structure, which is publicly known e.g., messages padded to an even length, surrounded with a fixed bit pattern. This format is easily recognized by the verifier: true if Ee (s) M, V A (s) = false otherwise. Now A only transmits the signature s, since the message m = E e (s) can be recovered by the verification function. This property is message recovery, the scheme is called a signature scheme with recovery.

Signatures with redundancy A fix to reduce likelihood of existential forgery is to take M M to be messages with a special redundant structure, which is publicly known e.g., messages padded to an even length, surrounded with a fixed bit pattern. This format is easily recognized by the verifier: true if Ee (s) M, V A (s) = false otherwise. Now A only transmits the signature s, since the message m = E e (s) can be recovered by the verification function. This property is message recovery, the scheme is called a signature scheme with recovery. Existential forgery is now less likely.

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons:

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text 2. avoid attacks on cipher system

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text 2. avoid attacks on cipher system Signer: computes and transmits (m, s) where s = S A (h(m)).

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text 2. avoid attacks on cipher system Signer: computes and transmits (m, s) where s = S A (h(m)). Verifier: computes h(m) and verifies V A (h(m), s).

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text 2. avoid attacks on cipher system Signer: computes and transmits (m, s) where s = S A (h(m)). Verifier: computes h(m) and verifies V A (h(m), s). The hash function must satisfy appropriate properties (see Hash Functions lecture).

Signatures and hash functions In practice, usually the signing function is constructed by first making a hash of the input document, and signing that. Reasons: 1. efficiency: signature is on smaller text 2. avoid attacks on cipher system Signer: computes and transmits (m, s) where s = S A (h(m)). Verifier: computes h(m) and verifies V A (h(m), s). The hash function must satisfy appropriate properties (see Hash Functions lecture). This is called a signature scheme with appendix.

RSA Signatures Setup: n = pq computed as product of two primes. ed 1 mod ϕ(n). (e, n) is the public key.

RSA Signatures Setup: n = pq computed as product of two primes. ed 1 mod ϕ(n). (e, n) is the public key. To sign a message m, compute the signature s = h(m) d mod n. Only the owner of the private key d is able to compute the signature.

RSA Signatures Setup: n = pq computed as product of two primes. ed 1 mod ϕ(n). (e, n) is the public key. To sign a message m, compute the signature s = h(m) d mod n. Only the owner of the private key d is able to compute the signature. To verify the signature, upon receipt of (m, s), compute s e mod n and verify whether it equals h(m)

Distributed RSA Signatures Signatures can optionally be distributed so that each of t users contributes to the signature. A trusted party T computes t shares such that d = t d i mod ϕ(n) i=1 and securely distributes d i to each user i.

Distributed RSA Signatures Signatures can optionally be distributed so that each of t users contributes to the signature. A trusted party T computes t shares such that d = t d i mod ϕ(n) i=1 and securely distributes d i to each user i. To compute a signature on a message m, each user i computes o i = h(m) d i mod n.

Distributed RSA Signatures Signatures can optionally be distributed so that each of t users contributes to the signature. A trusted party T computes t shares such that d = t d i mod ϕ(n) i=1 and securely distributes d i to each user i. To compute a signature on a message m, each user i computes o i = h(m) d i mod n. A signer can compute the resultant signature as s = t o i mod n i=1

Distributed RSA Signatures Signatures can optionally be distributed so that each of t users contributes to the signature. A trusted party T computes t shares such that d = t d i mod ϕ(n) i=1 and securely distributes d i to each user i. To compute a signature on a message m, each user i computes o i = h(m) d i mod n. A signer can compute the resultant signature as s = t o i mod n i=1 Secret sharing can also be used so that l < t users could be used to construct a signature.

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

ElGamal signatures Setup as encryption: p an appropriate prime, g a generator of Z p, and the private signing key, d a random integer with 1 d p 2.

ElGamal signatures Setup as encryption: p an appropriate prime, g a generator of Z p, and the private signing key, d a random integer with 1 d p 2. The public verification key is (p, g, g d mod p).

ElGamal signatures Setup as encryption: p an appropriate prime, g a generator of Z, and the private signing key, d a p random integer with 1 d p 2. The public verification key is (p, g, g d mod p). To sign a message m, 0 m p, the signer picks a random secret number r with 1 r p 2 and gcd(r, p 1) = 1, and computes: S d (m) = (e, s) where e = g r mod p de + rs m (mod p 1).

ElGamal signatures Setup as encryption: p an appropriate prime, g a generator of Z, and the private signing key, d a p random integer with 1 d p 2. The public verification key is (p, g, g d mod p). To sign a message m, 0 m p, the signer picks a random secret number r with 1 r p 2 and gcd(r, p 1) = 1, and computes: S d (m) = (e, s) where e = g r mod p de + rs m (mod p 1). The verification function checks that 1 e p 1, and an equation: true if (g V (p,g,g d )(m, (e, s)) = d ) e e s g m (mod p), false otherwise.

ElGamal signatures Setup as encryption: p an appropriate prime, g a generator of Z, and the private signing key, d a p random integer with 1 d p 2. The public verification key is (p, g, g d mod p). To sign a message m, 0 m p, the signer picks a random secret number r with 1 r p 2 and gcd(r, p 1) = 1, and computes: S d (m) = (e, s) where e = g r mod p de + rs m (mod p 1). The verification function checks that 1 e p 1, and an equation: true if (g V (p,g,g d )(m, (e, s)) = d ) e e s g m (mod p), false otherwise. Verification works because for a correct signature, (g d ) e e s g de+rs g m (mod p).

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186].

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186]. Based on ElGamal, but with improved efficiency.

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186]. Based on ElGamal, but with improved efficiency. The first digital signature scheme to be recognized by any government.

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186]. Based on ElGamal, but with improved efficiency. The first digital signature scheme to be recognized by any government. Based on two primes: p, which is 512 1024 bits long, and q, which is a 160-bit prime factor of p 1. A signature signs a SHA-1 hash value of a message. (In fact, ElGamal signing should be used with a hash function to prevent existential forgery)

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186]. Based on ElGamal, but with improved efficiency. The first digital signature scheme to be recognized by any government. Based on two primes: p, which is 512 1024 bits long, and q, which is a 160-bit prime factor of p 1. A signature signs a SHA-1 hash value of a message. (In fact, ElGamal signing should be used with a hash function to prevent existential forgery) Security of both ElGamal and DSA schemes relies on the intractability of the DLP.

From ElGamal to DSA The Digital Signature Algorithm is part of the NIST Digitial Signature Standard [FIPS-186]. Based on ElGamal, but with improved efficiency. The first digital signature scheme to be recognized by any government. Based on two primes: p, which is 512 1024 bits long, and q, which is a 160-bit prime factor of p 1. A signature signs a SHA-1 hash value of a message. (In fact, ElGamal signing should be used with a hash function to prevent existential forgery) Security of both ElGamal and DSA schemes relies on the intractability of the DLP. Comparison with RSA signature scheme: key generation is faster; signature generation is about the same; DSA verification is slower. Verification is the most common operation in general.

Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA Summary

Summary: Digital Signature Schemes RSA, ElGamal, DSA already described. There are several variants of ElGamal, including schemes with message recovery. Notice difference between randomized and deterministic schemes. Schemes for one-time signatures (e.g., Rabin, Merkle), require a fresh public key for each use. Typically more efficient than RSA/ElGamal methods. But tedious for multiple documents E-cash protocols use blind signature schemes that prevent the signer (e.g., a bank) linking a signed message (e.g., the cash) with the user. For real world security guarantees: obtaining correct public key is vital; non-repudiation supposes that private key has not been stolen; we may require secure time stamps.

References Alfred J. Menezes, Paul C. Van Oorschot, and Scott A. Vanstone, editors. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications. CRC Press, 1997. Online version at http://www.cacr.math.uwaterloo.ca/hac. Digital signatures covered in Section 1.6 and Chapter 11. Nigel Smart. Cryptography: An Introduction. McGraw-Hill, 2003. Third edition online: http://www.cs.bris.ac.uk/~nigel/crypto_book/ Recommended Reading Chapter 14 (14.2 14.4, 14.7) of Smart (3rd Ed).

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback