Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA. DTTF/NB479


1 Announcements: 1. Late HW7’s now. Questions?

This week: Birthday attacks, Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz, Day 32

2 RSA Signatures

Alice chooses:
- $p, q$, $n = pq$
- $e$: $\gcd(e, (p-1)(q-1)) = 1$
- $d$: $ed \equiv 1 \pmod{(p-1)(q-1)}$

Publishes $n, e$.

Alice’s signature: $y \equiv m^d \pmod{n}$. Delivers $(m, y)$.

Bob’s verification: Does $m \equiv y^e \pmod{n}$?

Show the verification works. Note that given the signature $y$, Bob can compute the message, $m$.

Sig = f(user, message)

3 ElGamal Signatures

Many different valid signatures for a given message.

Alice chooses:
- $p$, primitive root $\alpha$, $\beta \equiv \alpha^a \pmod{p}$
- Publishes $(p, \alpha, \beta)$, keeps $a$ secret

Alice’s signature:
- Chooses $k$: random, $\gcd(k, p-1) = 1$
- Sends $m$, $(r, s)$, where $r \equiv \alpha^k \pmod{p}$ and $s \equiv k^{-1}(m - ar) \pmod{p-1}$

Bob’s verification: Does $\beta^r r^s \equiv \alpha^m \pmod{p}$?

Show the verification works.

4 ElGamal Signatures

Many different valid signatures for a given message.

Alice chooses:
- $p$, primitive root $\alpha$, $\beta \equiv \alpha^a \pmod{p}$
- Publishes $(p, \alpha, \beta)$, keeps $a$ secret

Alice’s signature:
- Chooses $k$: random, $\gcd(k, p-1) = 1$
- Sends $m$, $(r, s)$, where $r \equiv \alpha^k \pmod{p}$ and $s \equiv k^{-1}(m - ar) \pmod{p-1}$

Bob’s verification: Does $\beta^r r^s \equiv \alpha^m \pmod{p}$?

Show the verification works.

Why can’t Eve apply the signature to another message?

If Eve learns $a$, she can forge the signature.

Note: Alice needs to randomize $k$ each time, else Eve can recognize this, and can compute $k$ and $a$ relatively quickly.
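Why k has to be fresh for every signature, as an added example that is not from the original slides: a toy ElGamal signer and verifier, plus a check showing that two signatures sharing the same r give away the secret a. The parameters p = 467, α = 2, the key a = 127 and all function names are constructed for illustration.

```python
from math import gcd

# Constructed toy parameters (far too small for real use): P prime, ALPHA a primitive root.
P, ALPHA = 467, 2

def keygen(a):
    """Public value beta = alpha^a mod p for the secret exponent a."""
    return pow(ALPHA, a, P)

def sign(m, a, k):
    """ElGamal signature (r, s); k must be fresh and random with gcd(k, p-1) = 1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(ALPHA, k, P)
    s = pow(k, -1, P - 1) * (m - a * r) % (P - 1)
    return r, s

def verify(m, r, s, beta):
    """Accept iff beta^r * r^s == alpha^m (mod p), with 0 < r < p."""
    if not 0 < r < P:
        return False
    return pow(beta, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def solve_linear(c, d, n):
    """All x in [0, n) with c*x == d (mod n)."""
    g = gcd(c, n)
    if d % g:
        return []
    x0 = (d // g) * pow(c // g, -1, n // g) % (n // g)
    return [x0 + i * (n // g) for i in range(g)]

def recover_key(m1, sig1, m2, sig2, beta):
    """If two signatures share r (same k was used), return the secret a, else None."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None                      # different nonces: nothing leaks this way
    n = P - 1
    for k in solve_linear((s1 - s2) % n, (m1 - m2) % n, n):   # k(s1-s2) = m1-m2
        if pow(ALPHA, k, P) != r1:
            continue
        for a in solve_linear(r1, (m1 - k * s1) % n, n):      # a*r = m1 - k*s1
            if pow(ALPHA, a, P) == beta:
                return a
    return None

if __name__ == "__main__":
    a, beta = 127, keygen(127)                       # constructed key pair
    s1, s2 = sign(100, a, 213), sign(221, a, 213)    # k = 213 used twice
    print(verify(100, *s1, beta), recover_key(100, s1, 221, s2, beta))
```

A repeated r across two signatures from the same key is the signal to look for when auditing a signer.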

5 Hashing and Signing

Note that $m < n$ in RSA, $m < p$ in ElGamal.
- If we hash first, then it’s much quicker to sign $h(m)$ and verify it than to sign $m$ itself.
- Alice sends $(m, \text{sig}(h(m)))$.
- Eve intercepts this, wants to sign $m'$, so needs $\text{sig}(h(m')) = \text{sig}(h(m))$; this means $h(m) = h(m')$.

Why can’t she do this?

6 Birthday attacks on signatures

Slightly different paradigm: two rooms with $r$ people each. What’s the probability that someone in this room has the same birthday as someone in the other room?

Approximation:
- Note that we divide by $N$, not $2N$.
- Solving for $r$, we get $r = c\sqrt{N}$ (where $c = \sqrt{\ln 2} \approx .83$).

7 Birthday attacks on signatures

Mallory generates 2 groups of documents: $r$ “good docs” and $r$ “fraudulent docs”.

Want a match $(m_1, m_2)$ between them such that $h(m_1) = h(m_2)$.

Mallory sends $(m_1, h(m_1))$ to Alice, who returns signed copy: $(m_1, \text{sig}(h(m_1)))$.

Mallory replaces $m_1$ with $m_2$ and uses $\text{sig}(h(m_1))$ as the signature.
- The pair $(m_2, \text{sig}(h(m_1)))$ looks like Alice’s valid signature!

Alice’s defense? What can she do to defend herself?

8 Alice’s defense

She changes a random bit herself! Note this changes her signature: $(m_1', \text{sig}(h(m_1')))$.
- Mallory is forced to generate another message with the same hash as this new document.
- Good luck!

Lessons:
- Birthday attacks essentially halve the number of bits of security. So SHA-1 is still secure against them.
- Make a minor change to the document you sign!

9 Code-talkers?

http://xkcd.com/c257.html

Thanks to Andrew Foltz. Thanks also to Ben Fritz for posting TI-89 code for powermod.

10 DSA: Digital Signature Algorithm

1994. Similar to ElGamal.

Assume $m$ is already hashed using SHA, so we are signing a 160-bit message.

