Presentation is loading. Please wait.

Presentation is loading. Please wait.

COM 5336 Lecture 8 Digital Signatures

Published byLinda Moore Modified over 8 years ago

Similar presentations

Presentation on theme: "COM 5336 Lecture 8 Digital Signatures"— Presentation transcript:

1 COM 5336 Lecture 8 Digital Signatures
Scott CH Huang COM 5336 Cryptography Lecture 8

2 Outline Introduction RSA signature scheme ElGamal signature scheme
Rabin public-key signature scheme DSA signature scheme (optional) Rabin one-time signature Arbitrated signature schemes Arbitrated signature schemes require a TTP for signature generation and verification, which results in computational generation and verification. With added functionality such as blind, undeniable and fail-stop signature schemes

3 Digital Signature

4 Definitions Digital signature - a data string which associates a message with some originating entity Digital signature generation algorithm – a method for producing a digital signature Digital signature verification algorithm – a method for verifying whether a digital signature is authentic Digital signature scheme - consists of a signature generation algorithm and an associated verification algorithm

5 Digital Signature Digital Signatures can provide Authentication
Data Integrity Non-Repudiation Timestamping

6 Desirable Properties It should be efficient to compute by the signer
It should be easy to verify by everybody It should be computationally infeasible for an attacker to forge the signature

7 Types of Digital Signatures
Taxonomy of digital signatures signature schemes message recovery appendix deterministic randomized We can break signature schemes into two classifications: Digital signature schemes with appendix where the signature is appended to the message and both are required as input to the verification algorithm. Message recovery, where where the original message signed can be obtained from the signature itself. The original message is not required as input to the verification algorithm.

8 Schemes w/ Appendix Requires the message as input to verification algorithm Rely on cryptographic hash functions rather than customized redundancy functions Schemes of this type ElGamal, DSA, Schnorr etc. More commonly used

9 Schemes w/ Message Recovery
The original message is not required as input to the verification algorithm The original message can be recovered from the signature itself Schemes of this type RSA, Rabin, Nyberg-Rueppel An entity A has a public and private key. A should select an element k if the algorithm is randomized. Compute mr by applying the redundancy function. Apply the signing algorithm using A’s private key on this value to obtain s*. A’s signature is s*, only s* is made available for verifiers to recover the plaintext m. Verification involves obtaining A’s authentic public key VA, compute mr. If mr is not an element of the image of R then we reject the signature. Apply the inverse of the redundancy function to obtain m. It becomes clear that the redundancy function is very important. For example, if R were simply the identity mapping, one could simply choose and arbitrary s* and a corresponding message m is found simply by applying the verification algorithm.

10 Breaking a Signature Scheme
Total Break: private key is comprimised Selective forgery: adversary can create a valid signature on a preselected message Existential forgery: adversary can create a valid signature with no control over the message Total break can simply occur if the adversary finds an efficient algorithm that is functionally equivalent to the valid signing algorithm

11 Types of Attacks Key-only Message attacks
adversary knows only the public key Message attacks Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) Adaptive chosen-message attack: adversary can use the signer as an oracle

12 RSA Signature Scheme Key generation n, p, q, e, d Sign Verify
Compute mr = R(m), where R is an invertable redundancy function that maps a message into the signature space Compute s = mrd mod n The signature for m is s Verify Obtain authentic public key (n, e) Compute mr = se mod n Verify that mr  Mr Recover m = R-1(mr) n, e are public, p q and d are private. d = e inverse mod phi(n)

13 RSA Signature (cont’d)
Attacks Integer factorization Homomorphic property Reblocking problem If signatures are encrypted different modulus sizes can render the message unrecoverable Importance of the redundancy function ISO/IEC 9796 For s1 and s2, we have that s1s2 is a signature for m1m2 given that m1m2 is an element of the image of the redundancy function. Thus it is important that our redundancy function is not multiplicative. Various solutions to this problem, one effective solution is to ensure that each modulus is of a special form. Or have one set t bits for signing and one set t+1 bits for encrypting. Where k is the number of bits in p and q.

14 RSA Signature (cont’d)
Performance (p, q are k-bit primes) Signature O(k3) Verification O(k2) Bandwidth Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in MS for a 2k-bit signature (efficiency of ½)

15 ElGamal Signature Scheme
Key generation: p, , a, y=a mod p Signature Generation Select random k, 1  k  p-1, gcd(k, p-1)=1 Compute r = k mod p Compute k-1 mod (p-1) Compute s = k-1  (h(m) - ar) mod (p-1), where h is a one-way hash function. Signature is (r,s) Here alpha is a generator of Z*p p alpha and y are public and a is private key Again, this is randomized as apposed to deterministic

16 ElGamal Signature (cont’d)
Signature Verification Verify 1  r  p-1 Compute v1 = yrrs mod p Compute h(m) and v2= h(m) mod p Accept iff v1=v2

17 ElGamal Signature (cont’d)
Security (based on DLP) Index-calculus attack: p should be large Pohlig-Hellman attack: p-1 should not be smooth Weak generators: If p  1 mod 4, |p-1, DL can be broken for subgroup S of order . Forgeries are then possible We can solve this by letting alpha be a generator for a subgroup of Z*p of prime order rather than Z*p itself

18 ElGamal Signature (cont’d)
In addition… k must be unique for each message signed (s1-s2)k=(h(m1)-h(m2))mod (p-1) An existential forgery attack can be mounted if a hash function is not used If gcd((s1-s2),p-1)=1 then we can easily find k and from there we can find private key a p. 255

19 ElGamal Signature (cont’d)
Performance Signature Generation One modular exponentiation One Euclidean Algorithm Both can be done offline Verification Three modular exponentiations Generalized ElGamal Signatures Euclidean is for inversion Also requires two modular multiplications We can use any cyclic group, preferably one where discrete logarithms are known to be quite hard, such as elliptic curve groups which also give us the benefit of shorter key lenghts.

20 Rabin Public-Key Signature Scheme
Signature: s = m1/2 mod n Using any sqrt Verification: m = s2 mod n About ¼ of the messages have sqrts. If a message doesn’t have a sqrt, then it has to be slightly modified by doing proper padding.

21 Rabin Signature (cont’d)
In practice, one might try to append a small amount of random bits and hope that it has a sqrt. On average, two such attempts would be enough. Such method has no guarantee of success, so a deterministic method would be preferable.

22 Modified Rabin Signature Scheme
To overcome this problem, a modified Rabin signature scheme is designed. It provides a deterministic method for associating messages with elements in the signing space such that computing s square root (or something close to it) is always possible. Details of modified Rabin signature scheme is beyond the scope of this course.

23 Rabin Signature Pros & Cons
Advantage: Verification is extremely fast Cracking the signature scheme is provable as hard as doing factorization. Disadvantage: like Rabin encryption, one system can only generate signature for a single user.

24 DSA Signature DSA Algorithm : key generation
select a prime q of 160 bits Choose 0t8, select t <p< t with q|p-1 Select g in Zp*, and  = g(p-1)/q mod p, 1 (ord()=q) Select 1  a q-1, compute y= a mod p public key (p,q, ,y), private key a Two primes p and q. We are dealing with two groups, one Z*p and a subgroup of that of order q. Here alpha is a generator of that subgroup. Notice that the security of our key is based on the discrete logarithm problem.

25 DSA Signature (cont’d)
DSA signature generation Select a random integer k, 0 < k < q Compute r=(k mod p) mod q Compute k-1 mod q Compute s=k-1 (h(m) + ar) mod q Signature = (r, s) Randomized! Vs. deterministic

26 DSA Signature (cont’d)
DSA signature verification Verify 0<r<q and 0<s<q, if not, invalid Compute w= s-1mod q Compute u1=wh(m) mod q, u2=rw mod q Compute v = (u1yu2 mod p) mod q Valid iff v=r

27 DSA Signature (cont’d)
Security of DSA two distinct DL problems: ZP*, cyclic subgroup order q Parameters: q~160bits, p 768~1Kb, p,q,  can be system wide Probability of failure Pr[s=0]= (1/2)160 Note that Z*p we have the index-calculus methods such as coppersmiths algorithms which run in subexponential time. However, in the second group we are left with “square root” time with algorithms such as Pohlig Hellman Verification requires the computation of s inverse, if s is zero then an inverse does not exist

28 DSA Signature (cont’d)
Performance Signature Generation One modular exponentiation Several 160-bit operations (if p is 768 bits) The exponentiation can be pre-computed Verification Two modular exponentiations So we have that DSA signing is cheap and verification expensive, but RSA signing expensive, verification cheap.

29 Nyberg-Rueppel Signature Scheme
Can be regarded as an ElGamal signature scheme w/ message recovery Key generation: Same as DSA but no constraints on the sizes of p,q Select g in Zp*, and  = g(p-1)/q mod p, 1 (ord()=q) Select, p,q w/ q|(p-1},   Zp*, (private key) a, y= a. 29

30 Nyberg-Rueppel Signature Scheme
Sign message m Compute mr = R(m), where R is an invertable redundancy function Select a random secret integer k s.t. 1  k  p-1 Compute r  -k (mod p), e  mr r (mod p), and s  ae + k (mod q) Signature is (e,s) Verify signature (e,s) Obtain authentic public key (p,q, ,y) Verify that 0 < e < p and 0  s  q. If not, reject. Compute v  sy-e (mod p) and m  ve (mod p) Recover m = R-1(mr) 30

Download ppt "COM 5336 Lecture 8 Digital Signatures"

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google