1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.

Slides:



Advertisements
Similar presentations
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Advertisements

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Introduction to Modern Cryptography Homework assignments.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Chapter 7-1 Signature Schemes.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.
Announcements: 1. Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479:
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Cryptography and Network Security Chapter 13
Introduction to Public Key Cryptography
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Chapter 13 Digital Signature
8. Data Integrity Techniques
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Digital Signatures Applied Handbook of Cryptography: Chapt 11
11 Digital Signature.  Efficiency  Unforgeability : only signer can generate  Not reusable : not to use for other message  Unalterable : No modification.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
Bob can sign a message using a digital signature generation algorithm
DSA (Digital Signature Algorithm) Tahani Aljehani.
The RSA Algorithm Rocky K. C. Chang, March
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures: Mathematics Zdeněk Říha. Data authentication Data integrity + data origin Digital signature Asymmetric cryptography public and private.
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 10 – Digital Signatures.
Topic 22: Digital Schemes (2)
Introduction to Information Security Lecture 4: Public Key Cryptography & Digital Signature Prof. Kwangjo Kim.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CS461/ECE422 Spring 2012 Nikita Borisov — UIUC1.  Text Chapters 2 and 21  Handbook of Applied Cryptography, Chapter 8 
Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013
Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.
Prepared by Dr. Lamiaa Elshenawy
DIGITAL SIGNATURE. A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,
 Requirement  Security  Classification  RSA Signature  ElGamal Signature  DSS  Other Signature Schemes  Applied Digital Signatures 11.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
COM 5336 Lecture 8 Digital Signatures
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Cryptography and Network Security Chapter 13
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.
Overview Modern public-key cryptosystems: RSA
第四章 數位簽章.
第四章 數位簽章.
Digital signatures.
Cryptography and Network Security
Digital Signatures…!.
Digital Signatures.
Lecture 6: Digital Signature
Chapter 13 Digital Signature
Presentation transcript:

1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr

2 Digital Signature  Digital Signature  Electronic version of handwritten signature on electronic document  Signing using private key (only by the signer)  Verification using public key (by everyone)  Hash then sign: sig(h(m))  Efficiency in computation and communication

3 Digital Signature  Security requirements for digital signature  Unforgeability ( 위조 방지 )  User authentication ( 사용자 인증 )  Non-repudiation ( 부인 방지 )  Unalterability ( 변조 방지 )  Non-reusability ( 재사용 방지 )  Services provided by digital signature  Authentication  Data integrity  Non-Repudiation

4  Digital Signature Combine Hash with Digital Signature and use PKC Provide Authentication and Non-Repudiation RSA; DSA, KCDSA, ECDSA, EC-KCDSA Digital Signature Signature Sender’s Private Key Hash Algorithm Hash Hash Algorithm Hash1 Hash2 Sender’s Public Key SEND Signature SigningVerifying

5 RSA Signature  Key generation  Choose two large (512 bits or more) primes p & q  Compute modulus n = pq, and  (n) = (p-1)(q-1)  Pick an integer e relatively prime to  (n), gcd(e,  (n))=1  Compute d such that ed = 1 mod  (n)  Public key (n, e) : publish  Private key d : keep secret (may discard p & q)  Signing / Verifying  S: s = m d mod n for 0 < m < n  V: m =? s e mod n  S: s = h(m) d mod n --- hashed version  V: h(m) =? s e mod n  RSA signature without padding  Deterministic signature, no randomness introduced

6 RSA Signature  RSA signature forgery: Attack based on the multiplicative property of RSA. y 1 = (m 1 ) d y 2 = (m 2 ) d, then (y 1 y 2 ) e = m 1 m 2 Thus y 1 y 2 is a valid signature of m 1 m 2 This is an existential forgery using a known message attack.

7 RSA Signing with RSA-PSS Padding M’ = EM =  Parameter : Hash, MGF, sLen  Input : M, (n, d) salt mHashPad MaskedDB MGF  Hash H salt DB = bc Pad = 0x (8 octets of all zeros) Hash M 01 PS Padding string: all 0x00 S = (EM) d mod n Random octet string of sLen octets emLen =  (|n|-1)/8 

8 ElGamal Signature Scheme  Keys & parameters  Domain parameter = {p, g}  Choose x  [1, p-1] and compute y = g x mod p  Public key (p, g, y)  Private key x  Signature generation: (r, s)  Pick a random integer k  [1, p-1]  Compute r = g k mod p  Compute s such that m = xr + ks mod p-1  Signature verification  y r r s mod p =? g m mod p -If equal, accept the signature (valid) -If not equal, reject the signature (invalid)  No hash function…

9 Digital Signature Algorithm (DSA) Private : x Public : p, q, g, y p : 512 ~ 1024-bit prime q : 160-bit prime, q | p-1 g : generator of order q x : 0 < x < q y = g x mod p  Signing r = (g k mod p) mod q s = k -1 (SHA1(m) + xr) mod q  Verifying m, (r,s) Pick a random k s.t. 0 < k < q w = s -1 mod q u1 = SHA1(m)  w mod q u2 = r  w mod q v = (g u1  y u2 mod p) mod q v =? r m, (r,s)

10 Korean Certificate-based Digital Signature Algorithm (KCDSA) Private : x Public : p, q, g, y z=h(Cert_Data) p : k (k=0 ~ 5) bit prime q : k (k=0~3) bit prime, q | p-1 g : generator of order q x : 0 < x < q y = g x mod p, x = x -1 mod q  Signing r = HAS160(g k mod p) e = r  HAS160(z || m) s = x(k - e) mod q  Verifying m, (r,s) Pick a random k s.t. 0 < k < q e = r  HAS160(z || m) v = y s  g e mod p HAS160(v) =? r m, (r,s)

11 Schnorr Signature Scheme  Domain parameters  p = a large prime (~ size 1024 bit), q = a prime (~size 160 bit)  q = a large prime divisor of p-1 (q | p-1)  g = an element of Z p of order q, i.e., g  1 & g q = 1 mod p  Considered in a subgroup of order q in modulo p  Keys  Private key x  R [1, q-1] : a random integer  Public key y = g x mod p  Signature generation: (r, s)  Pick a random integer k  R [1, q-1]  Compute r = h(g k mod p, m)  Compute s = k – xr mod q  Signature verification  r =? h(y r g s mod p, m)

12 Security of Digital Signature Schemes  Security goals  Total break: adversary is able to find the secret for signing, so he can forge then any signature on any message.  Selective forgery: adversary is able to create valid signatures on a message chosen by someone else, with a significant probability.  Existential forgery: adversary can create a pair (message, signature), s.t. the signature of the message is valid.

13 Security of Digital Signature Schemes  Attack models  Key-only attack: Adversary knows only the verification function (which is supposed to be public).  Known message attack: Adversary knows a list of messages previously signed by Alice.  Chosen message attack: Adversary can choose what messages wants Alice to sign, and he knows both the messages and the corresponding signatures.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.