Digital Signatures

1. Digital Signatures CSCI381 Fall 2005 GWU

2. Definition • P: set of plaintext • S: set of signatures • K: keyspace • private function: sigk: P S • public function: verK: P X S {true, false} • verK(m, s) = true iff sigK(m) = s; else verK(m, s) = false • {m, sigK(m)} is a signed message CS284/Spring05/GWU/Vora/Signatures

3. El Gamal Digital Signature • For a key K= (p, , , a);  = a mod p; a private • Choose random k invertible in Zp-1 • sigK(x, k) = (=k mod p, =(x-a)k-1 mod p-1) • verK(x, (G, D)) = true  GGD=x mod p • Depends on security of the DL problem: Find a given p, ,  CS284/Spring05/GWU/Vora/Signatures

4. Digital Signature Example • K= (p=11, =2, =5, a=4);  = a mod p; a private • Choose random k=3 invertible in Zp-1 • sigK(x=7, k=3) = (=k mod p, =(x-a)k-1 mod p-1) = (8, 5) • verK(x, (G, D)) = true  GGD=x mod p (7 mod 11) CS284/Spring05/GWU/Vora/Signatures

5. DSA Uses SHA(x) instead of X CS284/Spring05/GWU/Vora/Signatures

6. Discrete Log in Elliptic Curves As before, only group is no longer Zp* The problem is to determine a given P and Q = aP in the elliptic curve group The best-known algorithm for breaking DL over Zp* takes less time than that for breaking DL over an elliptic curve group of the same size CS284/Spring05/GWU/Vora/Signatures