Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.

Published byNathan Stone Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr."— Presentation transcript:

1 1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr

2 2 Digital Signature  Digital Signature  Electronic version of handwritten signature on electronic document  Signing using private key (only by the signer)  Verification using public key (by everyone)  Hash then sign: sig(h(m))  Efficiency in computation and communication

3 3 Digital Signature  Security requirements for digital signature  Unforgeability ( 위조 방지 )  User authentication ( 사용자 인증 )  Non-repudiation ( 부인 방지 )  Unalterability ( 변조 방지 )  Non-reusability ( 재사용 방지 )  Services provided by digital signature  Authentication  Data integrity  Non-Repudiation

4 4  Digital Signature Combine Hash with Digital Signature and use PKC Provide Authentication and Non-Repudiation RSA; DSA, KCDSA, ECDSA, EC-KCDSA Digital Signature Signature Sender’s Private Key Hash Algorithm Hash Hash Algorithm Hash1 Hash2 Sender’s Public Key SEND Signature SigningVerifying

5 5 RSA Signature  Key generation  Choose two large (512 bits or more) primes p & q  Compute modulus n = pq, and  (n) = (p-1)(q-1)  Pick an integer e relatively prime to  (n), gcd(e,  (n))=1  Compute d such that ed = 1 mod  (n)  Public key (n, e) : publish  Private key d : keep secret (may discard p & q)  Signing / Verifying  S: s = m d mod n for 0 < m < n  V: m =? s e mod n  S: s = h(m) d mod n --- hashed version  V: h(m) =? s e mod n  RSA signature without padding  Deterministic signature, no randomness introduced

6 6 RSA Signature  RSA signature forgery: Attack based on the multiplicative property of RSA. y 1 = (m 1 ) d y 2 = (m 2 ) d, then (y 1 y 2 ) e = m 1 m 2 Thus y 1 y 2 is a valid signature of m 1 m 2 This is an existential forgery using a known message attack.

7 7 RSA Signing with RSA-PSS Padding M’ = EM =  Parameter : Hash, MGF, sLen  Input : M, (n, d) salt mHashPad MaskedDB MGF  Hash H salt DB = bc Pad = 0x00 00 00 00 00 00 00 00 (8 octets of all zeros) Hash M 01 PS Padding string: all 0x00 S = (EM) d mod n Random octet string of sLen octets emLen =  (|n|-1)/8 

8 8 ElGamal Signature Scheme  Keys & parameters  Domain parameter = {p, g}  Choose x  [1, p-1] and compute y = g x mod p  Public key (p, g, y)  Private key x  Signature generation: (r, s)  Pick a random integer k  [1, p-1]  Compute r = g k mod p  Compute s such that m = xr + ks mod p-1  Signature verification  y r r s mod p =? g m mod p -If equal, accept the signature (valid) -If not equal, reject the signature (invalid)  No hash function…

9 9 Digital Signature Algorithm (DSA) Private : x Public : p, q, g, y p : 512 ~ 1024-bit prime q : 160-bit prime, q | p-1 g : generator of order q x : 0 < x < q y = g x mod p  Signing r = (g k mod p) mod q s = k -1 (SHA1(m) + xr) mod q  Verifying m, (r,s) Pick a random k s.t. 0 < k < q w = s -1 mod q u1 = SHA1(m)  w mod q u2 = r  w mod q v = (g u1  y u2 mod p) mod q v =? r m, (r,s)

10 10 Korean Certificate-based Digital Signature Algorithm (KCDSA) Private : x Public : p, q, g, y z=h(Cert_Data) p : 768+256k (k=0 ~ 5) bit prime q : 160+32k (k=0~3) bit prime, q | p-1 g : generator of order q x : 0 < x < q y = g x mod p, x = x -1 mod q  Signing r = HAS160(g k mod p) e = r  HAS160(z || m) s = x(k - e) mod q  Verifying m, (r,s) Pick a random k s.t. 0 < k < q e = r  HAS160(z || m) v = y s  g e mod p HAS160(v) =? r m, (r,s)

11 11 Schnorr Signature Scheme  Domain parameters  p = a large prime (~ size 1024 bit), q = a prime (~size 160 bit)  q = a large prime divisor of p-1 (q | p-1)  g = an element of Z p of order q, i.e., g  1 & g q = 1 mod p  Considered in a subgroup of order q in modulo p  Keys  Private key x  R [1, q-1] : a random integer  Public key y = g x mod p  Signature generation: (r, s)  Pick a random integer k  R [1, q-1]  Compute r = h(g k mod p, m)  Compute s = k – xr mod q  Signature verification  r =? h(y r g s mod p, m)

12 12 Security of Digital Signature Schemes  Security goals  Total break: adversary is able to find the secret for signing, so he can forge then any signature on any message.  Selective forgery: adversary is able to create valid signatures on a message chosen by someone else, with a significant probability.  Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid.

13 13 Security of Digital Signature Schemes  Attack models  Key-only attack: Adversary knows only the verification function (which is supposed to be public).  Known message attack: Adversary knows a list of messages previously signed by Alice.  Chosen message attack: Adversary can choose what messages wants Alice to sign, and he knows both the messages and the corresponding signatures.

Download ppt "1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr."

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.
Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:

Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:

Similar presentations

Ads by Google