Presentation is loading. Please wait.

Presentation is loading. Please wait.

Applied Cryptography Spring 2015 Digital signatures.

Published byWhitney Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "Applied Cryptography Spring 2015 Digital signatures."— Presentation transcript:

1 Applied Cryptography Spring 2015 Digital signatures

2 Digital signature

3 (assuming that Alice’s key have not be compromised) only Alice should be able to sign the message on her name any should be able to verify that the message is signed by Alice Undeniable digital signatures sometimes it could be useful to additionally require that signature could be verified only in cooperation with Alice (however, when cooperating she shouldn’t be able to deny her signature) Digital signature - Requirements

4 M – message,  – its digital signature Depending from signature scheme it could be sufficient to send just , or it might be necessary to send pair ( ,M) h - a one-way hash function (easy to compute, but for a given M it is hard to find M’ with h(M) = h(M’)) Digital signature: Send message M Sign h(M) and send its digital signature  together with M Digital signature – Practicalities

5 Signatures are often computed by small chips. Therefore it is preferable that signing of message could be performed faster than verification of signature. Digital signature – Practicalities

6 Digital signature - RSA p,q - two large primes (100 digits or more) n = pq e - small odd integer that is relatively prime to (p – 1)(q – 1) d- integer such that de  1 (mod (p – 1)(q – 1)) (it can be shown that it always exists) P = (e,n)- public key S = (d,n)- secret key Signing:S = M d (mod n) Verifying:V(S) = S e (mod n)

7 H – hashes {0,1}*  {0,1} k G – hashes {0,1} k  {0,1} n  k  1 (G 1 and G 2 are two parts of this value) Can be shown to be as secure as RSA RSA – probabilistic signature scheme (PPS)

8 Digital signature - ElGamal Taher ElGamal, 1984

9 Digital signature - ElGamal

10

11

12

13 Warnings: Never reuse k – this will instantly allow to recover secret key x. It is not difficult to generate “bad” values of g – either the implementation should be completely trusted, or use a a one way hash function to generate pseudorandom g, whose randomness can then be verified. When verifying signature, check that a < p ElGamal signatures – a closer look

14 ElGamal - subliminal channel ElGamal: p,g,y=g x mod p - public; x - private h - "signed" message, m - "secret" message gcd(m,p–1) should be 1 Alice: a=g m mod p and finds b: h=xa+mb mod(p–1) Signature:a,b

15 ElGamal - subliminal channel Alice: a=g m mod p and finds b: h=xa+mb mod(p–1) Signature:a,b Bob: Verification:y a a b =gh mod p ? Extraction:m=(b –1 (h–xa)) mod(p–1) Implementations of digital signatures should be trusted - this can be used to "broadcast" secret keys!

16 Digital signature - Schnorr p - prime q - prime factor of p–1 [can be “small” – e.g. 160 bits] a - a q =1 mod p (and a≠1) [try several a = x (p-1)/q mod p] All these are public s < q - a random number and secret key v = a –s mod p - public key Signing: Pick random k<q and compute x = a k mod p Compute e = H(M,x) and y = (k+se) mod q Signature - pair (e,y) Verification: Compute x’ = a y v e mod p and check that e = H(M,x’) Claus Peter Schnorr, 1989

17 Digital signature - DSA Proposed by the National Institute of Standards and Technology (NIST) in 1991 for use in their Digital Signature Standard (DSS) adopted in 1993. Expanded further in 2000. Design criteria secret but was given for assessment to public. Could be considered as variation of ElGamal scheme. Intended to be free for use for everybody. Received strong criticism from RSA Data Security:) and companies that have invested in RSA

18 Digital signature - DSA Points of criticism: 1)Can’t be used for encryption and key distribution 2)Developed by NSA and may contain a trapdoor 3)DSA is slower than RSA 4)RSA is de facto standard 5)Selection process was not public, sufficient time for analysis was not provided. 6)DSA may infringe on other patents. 7)The key size is too small.

19 Digital signature - DSA

20

21

22

23

24

25 Discrete logarithm signature schemes

26

27 Undeniable digital signatures Signature should be such that: Bob should be able to verify signature in cooperation with Alice Alice should be unable to deny the signature Signature can't be verified from message and signature pair alone

28 Undeniable digital signatures p,g,y=g x mod p - public; x - private Signing (Alice): s=m x mod p Verification (Bob and Alice): 1) (Bob):chooses random a,b<p, sends Alice c=s a y b mod p 2) (Alice):computes t=x –1 mod (p–1), sends Bob d=c t mod p 3) (Bob):confirms that d=m a g b mod p

29 Undeniable digital signatures p,g,y=g x mod p - public; x - private; signature s=m x mod p Verification (Bob and Alice): 1) (Bob):chooses random a,b<p, sends Alice c=s a y b mod p 2) (Alice):computes t=x –1 mod (p–1), sends Bob d=c t mod p 3) (Bob):confirms that d=m a g b mod p Fake transcript: 1) generate fake pair m,s 2) choose random a,b<p, and compute d=m a g b mod p and s a y b mod p

30 Undeniable digital signatures (a second look)

31

32

33

34 Identification schemes Victor wants to communicate with Peggy and be sure that she is the right person. How to achieve this? Peggy and Victor both know a secret key k. Victor sends a random message r and Peggy returns E k (r). Peggy has a public key d and a secret key s. Victor sends a random message r and Peggy returns E s (r). However, it is not a particularly good idea to sign random numbers :)

35 Identification schemes Assume RSA is used. d - public, s - secret. Eve wants to get Alice sign m. 1) find m 1 and m 2 such that m = m 1 m 2 mod n 2) get Alice to sign "random" m 1 and m 2 3) calculate m d mod n = (m 1 d mod n)(m 2 d mod n) However, it is not a particularly good idea to sign random numbers :)

36 Quadratic Residues If p is prime, and a is greater than 0 and less than p, then a is a quadratic residue mod p if x 2 = a (mod p) for some x For example, if p =7, the quadratic residues are 1, 2, and 4. 1*1=1=1(mod7) 2*2=4=4(mod7) 3*3=9=2(mod7) 4*4=16=2(mod7) 5*5=25=4(mod7) 6*6=36=1(mod7)

37 Quadratic Residues When p is odd, there are exactly (p - 1)/2 quadratic residues mod p If a is a quadratic residue mod p, then a has exactly two square roots, one of them between 0 and (p - 1)/2, and the other between (p - 1)/2 and (p - 1). One of these square roots is also a quadratic residue mod p; this is called the principal square root.

38 Quadratic Residues Computation of quadratic residues mod p: - easy if n is prime and n = 4k+3 - a probabilistic algorithm if n is prime and n = 4k+1 - if n = pq, where p,q are primes, the problem of computing square roots mod n is as hard as is the factorization of n

39 Feige-Fiat-Shamir identification scheme On July 9, 1986 the three authors submitted a U.S. patent application. Because of its potential military applications, the application was reviewed by the military. Occasionally the Patent Office responds not with a patent, but with something called a secrecy order. On January 6, 1987, three days before the end of their six-month period, the Patent Office imposed that order at the request of the Army. They stated that “...the disclosure or publication of the subject matter...would be detrimental to the national security....” The authors were ordered to notify all Americans to whom the research had been disclosed that unauthorized disclosure could lead to two years’ imprisonment, a $10,000 fine, or both. Furthermore, the authors had to inform the Commissioner of Patents and Trademarks of all foreign citizens to whom the information had been disclosed.

40 Feige-Fiat-Shamir identification scheme n = pq, where p,q are primes such that p,q=3 mod 4. v - quadratic residue mod n, i.e. z 2 = v mod n and v –1 mod n exists s = sqrt(v –1 ) mod n v - public; s - private Identification protocol: 1) (Peggy):chooses random r<n, sends Victor x=r 2 mod n 2) (Victor):sends random b  {0,1} 3) (Peggy):if b=0 sends r; if b=1 sends y=r s mod n 4) (Victor):if b=0, verifies x=r 2 mod n (Peggy knows r) if b=1, verifies x = y 2 v mod n (Peggy knows s) Without s Peggy can pick r such that either x=r 2 mod n or x = y 2 v mod n, but not both. Repeat k times for probability 1–2 k

41 Feige-Fiat-Shamir identification scheme n = pq, where p,q are primes such that p,q=3 mod 4. v - quadratic residue mod n, i.e. z 2 = v mod n and v –1 mod n exists s = sqrt(v –1 ) mod n v - public; s - private Identification protocol: 1) (Peggy):chooses random r<n, sends Victor x=r 2 mod n 2) (Victor):sends random b  {0,1} 3) (Peggy):if b=0 sends r; if b=1 sends y=r s mod n 4) (Victor):if b=0, verifies x=r 2 mod n (Peggy knows r) if b=1, verifies x = y 2 v mod n (Peggy knows s) Replacing Victor by one-way hash function we obtain digital signature scheme!

Download ppt "Applied Cryptography Spring 2015 Digital signatures."

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
7. Asymmetric encryption-

7. Asymmetric encryption-
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:

Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:

Similar presentations

Ads by Google