Digital Signatures (DSs)

phiala

Presentation Transcript


  1. Digital Signatures (DSs)
     • A digital signature cannot be separated from its message and attached to another message
     • The signature is tied not only to the signer but also to the message being signed
     • The digital signature needs to be easily verified by other parties
     • Digital signature schemes therefore consist of two distinct steps: the signing process and the verification process

  2. RSA Signatures
     • Bob has a document $m$ that Alice agrees to sign. Alice does the following.
     • Alice chooses two primes $p, q$ and sets $n = pq$. She picks $e$ with $\gcd(e,(p-1)(q-1)) = 1$, computes $d$ with $de \equiv 1 \pmod{\varphi(n)}$, makes $(e,n)$ public and keeps $p, q, d$ secret
     • Alice's signature is $y \equiv m^d \pmod n$
     • Alice then makes the pair $(y,m)$ public

  3. How does Bob verify Alice's Signature
     • Download Alice's $(e,n)$
     • Compute $z \equiv y^e \pmod n$
     • If $z = m$, then Bob accepts the signature as valid; otherwise the signature is not valid

  4. Blind Signatures (1/2)
     • Alice chooses $n = pq$, finds $e$, and solves for $d$ as required in the RSA scheme, i.e., $ed \equiv 1 \pmod{\varphi(n)}$
     • Bob chooses a random $k$ with $\gcd(k,n) = 1$, computes $t \equiv k^e m \pmod n$ for message $m$, and sends $t$ to Alice
     • Alice signs $t$ by computing $s \equiv t^d \pmod n$. She returns $s$ to Bob
     • Bob computes $s k^{-1} \pmod n$ to get the signed message $m^d$

  5. Blind Signatures (2/2)
     • $s k^{-1} \equiv t^d k^{-1} \equiv (k^e m)^d k^{-1} \equiv m^d (k^{ed}) k^{-1} \equiv m^d \pmod n$
     • Alice has never seen the message $m$
     • $t \equiv k^e m$ and $s \equiv t^d$, then $s k^{-1} \equiv m^d \pmod n$
     • The choice of $k$ is random; therefore $t \equiv k^e m \pmod n$ gives essentially no information about $m$. In this way, Alice knows nothing about the message $m$ she is signing.
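
The blind-signature exchange of slides 4 and 5, as an added example that is not part of the original slides. The toy primes, the exponent, the sample message and all function names are constructed for illustration; the modulus is far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy key (assumption, not from the slides).
P_, Q_ = 1009, 1013
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))   # ed ≡ 1 (mod φ(n)); Alice's secret

def random_blinding_factor():
    """Bob: fresh random k with gcd(k, n) = 1."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return k

def blind(m, k):
    """Bob: t = k^e * m mod n. This is all Alice ever sees."""
    if gcd(k, N) != 1:
        raise ValueError("k must be invertible mod n")
    return (pow(k, E, N) * m) % N

def sign(t):
    """Alice: s = t^d mod n."""
    return pow(t, D, N)

def unblind(s, k):
    """Bob: s * k^-1 = m^d mod n, an ordinary RSA signature on m."""
    return (s * pow(k, -1, N)) % N

def verify(m, y):
    """Anyone: accept iff y^e ≡ m (mod n)."""
    return pow(y, E, N) == m % N

def demo(m=424242):
    """Blind the same m twice; return both signatures and both blinded values."""
    k1, k2 = random_blinding_factor(), random_blinding_factor()
    t1, t2 = blind(m, k1), blind(m, k2)
    return unblind(sign(t1), k1), unblind(sign(t2), k2), t1, t2
```

Both unblinded values equal $m^d \bmod n$ regardless of $k$, while Alice only ever handles the two blinded values $t_1, t_2$.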

  6. ElGamal Signature Scheme
     • One feature that is different from RSA is that, with this method, there are many different signatures that are valid for a given message
     • Suppose Alice wants to sign a message $m$. To start, Alice chooses a large prime $p$ and a primitive root $\alpha$. Alice next chooses a secret integer (key) $a$, $1 \le a \le p-2$, and computes $\beta \equiv \alpha^a \pmod p$. $(p,\alpha,\beta)$ are made public.

  7. Alice signs the message $m$ via
     • Select a secret random $k$ such that $\gcd(k,p-1) = 1$
     • Compute $r \equiv \alpha^k \pmod p$
     • Compute $s \equiv k^{-1}(m - ar) \pmod{p-1}$
     • The signed message is the triple $(m,r,s)$

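  8. Bob verifies the signature via
     • Download Alice's public key $(p,\alpha,\beta)$
     • Compute $u \equiv \beta^r r^s$ and $w \equiv \alpha^m \pmod p$
     • The signature is declared valid iff $u \equiv w \pmod p$
     Proof: $w \equiv \alpha^m \equiv \alpha^{sk+ar} \equiv (\alpha^a)^r (\alpha^k)^s \equiv \beta^r r^s \equiv u \pmod p$
     More details from p.246~248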

  9. ElGamal Signature for one
     Alice wants to sign $m_1 = 151405$ (one). She chooses $p = 225119$ and a primitive root $\alpha = 11$. She chooses a secret number $a$ and computes $\beta \equiv \alpha^a \equiv 18191 \pmod p$. To sign the message, she picks a random $k$ and keeps it secret. She computes $r \equiv \alpha^k \equiv 164130 \pmod p$ and $s_1 \equiv k^{-1}(m_1 - ar) \equiv 130777 \pmod{p-1}$. The signed message is $(151405, 164130, 130777)$.

  10. ElGamal Signature for two
     Alice then signs $m_2 = 202315$ (two) with the same $k$, where $(p,\alpha) = (225119, 11)$; hence $r$ has the same value and the signed message is $(202315, 164130, 164899)$. Then we have
     $-34122k \equiv (s_1 - s_2)k \equiv m_1 - m_2 \equiv -50910 \pmod{p-1}$
     Since $\gcd(-34122, p-1) = 2$, there are two candidates for $k$: $k = 239$ and $k = 112798 \pmod{p-1}$.
     Since $\alpha^{239} \equiv 164130$ and $\alpha^{112789} \equiv 59924 \pmod p$, $k = 239$ leads to the correct value $r = 164130$.

  11. Danger of using the same k for different documents
     Rewrite $s_1 k \equiv m_1 - ar \pmod{p-1}$ to obtain
     $164130a \equiv ar \equiv m_1 - s_1 k \equiv 187104 \pmod{p-1}$
     Since $\gcd(164130, p-1) = 2$, there are two solutions for $a$: $a = 28862$ and $a = 141421$.
     Since $\alpha = 11$, $\beta = 18191$, and $\alpha^{28862} \equiv 206928$, $\alpha^{141421} \equiv 18191 \pmod p$, the key $a = 141421$ is revealed.
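
The computation of slides 9 to 11 carried out on the slides' own numbers, together with the audit check that would flag the problem (a repeated $r$ across different messages). This is an added example, not part of the original slides; the function names are assumptions.

```python
from math import gcd

# Public key and the two signed triples (m, r, s) exactly as given on the slides.
P, ALPHA, BETA = 225119, 11, 18191
SIG1 = (151405, 164130, 130777)
SIG2 = (202315, 164130, 164899)

def verify(m, r, s):
    """Bob's check: beta^r * r^s ≡ alpha^m (mod p)."""
    return 0 < r < P and pow(BETA, r, P) * pow(r, s, P) % P == pow(ALPHA, m, P)

def solve_linear(a, b, n):
    """All x in [0, n) with a*x ≡ b (mod n); a ≡ 0 is treated as no solution."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if a == 0 or b % d:
        return []
    step = n // d
    x0 = (b // d) * pow(a // d, -1, step) % step
    return [x0 + i * step for i in range(d)]

def reused_r(signatures):
    """Audit check: r values that appear on more than one distinct message."""
    seen = {}
    for m, r, _s in signatures:
        seen.setdefault(r, set()).add(m)
    return {r for r, msgs in seen.items() if len(msgs) > 1}

def recover_from_reuse(sig1, sig2):
    """Slides 10-11: equal r means equal k, which yields k and then the key a."""
    (m1, r, s1), (m2, r2, s2) = sig1, sig2
    if r != r2:
        return None
    for k in solve_linear(s1 - s2, m1 - m2, P - 1):
        if pow(ALPHA, k, P) != r:
            continue                      # wrong root of the congruence
        for a in solve_linear(r, m1 - s1 * k, P - 1):
            if pow(ALPHA, a, P) == BETA:  # keep the root that matches beta
                return k, a
    return None
```

Each signature must use a fresh, unpredictable $k$; `reused_r` over a signer's published signatures is a cheap way to detect a violation.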

  12. Hash Functions
     • A cryptographic hash function $h$ takes as input a message of arbitrary length and produces as output a message digest of fixed length. Certain properties should be satisfied:
     (1) Given a message $m$, the message digest $h(m)$ can be calculated very quickly.
     (2) Given a message digest $y$, it is computationally infeasible to find an $m$ with $h(m) = y$. In other words, $h$ is a one-way, or preimage resistant, function.
     (3) It is computationally infeasible to find messages $x$, $y$ such that $h(x) = h(y)$, i.e., $h$ is strongly collision-free.

  13. Examples
     • Let $n = b_k b_{k-1} \ldots b_1 b_0$ and define $h(n) = b_k \oplus \cdots \oplus b_0$. This $h$ does not satisfy (2)
     • The discrete log hash function due to Chaum, van Heijst, and Pfitzmann: select a large prime $p$ such that $q = (p-1)/2$ is prime, let $\alpha, \beta$ be two primitive roots mod $p$ which satisfy $\alpha^a \equiv \beta \pmod p$, where $a$ is a secret number, and let $m = x + yq$ with $0 \le x, y \le q-1$. Define the hash function $h(m) \equiv \alpha^x \beta^y \pmod p$

  14. Proposition (p.184)
     • If we know messages $m \ne n$ with $h(m) = h(n)$, then we can determine the discrete logarithm $a = L_\alpha(\beta)$.
     (Proof) Write $m = x + yq$, $n = r + sq$. Suppose $h(m) = h(n)$, i.e., $\alpha^x \beta^y \equiv \alpha^r \beta^s \pmod p$. Since $\alpha^a \equiv \beta \pmod p$, we get $\alpha^{a(y-s)-(r-x)} \equiv 1 \pmod p$. Therefore $a(y-s) \equiv (r-x) \pmod{p-1}$. Since $p-1 = 2q$ has only 4 divisors, $1, 2, q, p-1$, we have $d = \gcd(y-s, p-1) = 1$ or $2$. Thus, we can get the secret $a$.

  15. Other Hash Functions
     • MD family: MD4, MD5 due to Rivest
     • NIST's Secure Hash Algorithm (SHA), which yields a 160-bit message digest
     [Stinson] [Schneier] [Menezes et al.]

  16. Hashing, Signing, and Applications
     • Sending $(m, sig(h(m)))$ instead of $(m, sig(m))$ could significantly reduce the size of digital signatures.
     • An appropriate hash function should be chosen, in particular for electronic exchanges in e-commerce.

  17. Birthday Attacks
     • If there are 23 people in a room, the probability is 50.7% that two of them have the same birthday. If there are 30 people, the probability rises to 70%.
     • The probability that 23 people all have different birthdays is $(1 - 1/365)(1 - 2/365) \cdots (1 - 22/365) = 0.493$

  18. A Birthday Attack on Discrete Log
     • Suppose we want to evaluate $L_a(b)$ with a large $p$. We can do so by a birthday attack with the following procedure:
     • The first list contains the numbers $a^k \pmod p$ for approximately $p^{1/2}$ randomly chosen values of $k$.
     • The second list contains the numbers $b a^{-j} \pmod p$ for approximately $p^{1/2}$ randomly chosen values of $j$.
     There is a good chance that there is a match between some element on the 1st list and one on the 2nd list. If so, $a^k \equiv b a^{-j} \pmod p$ and hence $a^{k+j} \equiv b \pmod p$, so $x \equiv k + j \pmod{p-1}$ is the discrete log solution.
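
The two-list procedure above, run on the small public values $(p, \alpha, \beta)$ from the ElGamal slides with $a = \alpha$ and $b = \beta$, to show that the work is on the order of $p^{1/2}$ and therefore why $p$ must be large. This is an added example, not part of the original slides; the function name, the batch size and the returned entry count are assumptions.

```python
import random

# Public values from the ElGamal example on the slides above.
P, ALPHA, BETA = 225119, 11, 18191

def birthday_dlog(a, b, p, rng, batch=None):
    """Find x with a^x ≡ b (mod p) by matching a^k against b*a^-j.

    Returns (x, number of list entries stored when the match appeared).
    """
    n = p - 1
    batch = batch or int(p ** 0.5) + 1   # about p^(1/2) entries per list per round
    a_inv = pow(a, -1, p)
    first = {}     # a^k mod p      -> k
    second = {}    # b*a^-j mod p   -> j
    while True:
        for _ in range(batch):
            k = rng.randrange(n)
            first[pow(a, k, p)] = k
            j = rng.randrange(n)
            second[b * pow(a_inv, j, p) % p] = j
        common = first.keys() & second.keys()
        if common:
            v = next(iter(common))
            # a^k ≡ b*a^-j  =>  a^(k+j) ≡ b
            return (first[v] + second[v]) % n, len(first) + len(second)
        # no match yet: extend both lists and try again

def demo(seed=2024):
    x, stored = birthday_dlog(ALPHA, BETA, P, random.Random(seed))
    return x, stored, pow(ALPHA, x, P) == BETA
```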

  19. Digital Signature Algorithm (DSA)
     • NIST proposed the DSA in 1991 and adopted it as a standard in 1994. The message digest is a 160-bit output of a hash function. Key generation for DSA proceeds as follows. First, there is an initialization phase:

  20. Initialization Phase
     • Alice finds a prime $q$ that is 160 bits long and chooses a prime $p$ that satisfies $q \mid p-1$. The discrete log problem should be hard for this choice of $p$ (e.g., $p$ is 512 bits long).
     • Let $g$ be a primitive root mod $p$ and let $\alpha \equiv g^{(p-1)/q} \pmod p$. Then $\alpha^q \equiv 1 \pmod p$.
     • Alice chooses a secret $a$ such that $1 \le a < q-1$ and calculates $\beta \equiv \alpha^a \pmod p$
     • Alice publishes $(p, q, \alpha, \beta)$ and keeps $a$ secret

  21. The signing process
     • Alice signs a message $m$ by the following procedure:
     • Select a random, secret integer $k$ such that $0 < k < q-1$
     • Compute $r \equiv (\alpha^k \bmod p) \pmod q$
     • Compute $s \equiv k^{-1}(m + ar) \pmod q$
     • Alice's signature for $m$ is $(r,s)$, which she sends to Bob along with $m$.

  22. Verification
     • For Bob to verify, he must
     1. Download Alice's public information $(p, q, \alpha, \beta)$
     2. Compute $u \equiv s^{-1} m$, $v \equiv s^{-1} r \pmod q$
     3. Compute $w \equiv (\alpha^u \beta^v \bmod p) \pmod q$
     4. Accept the signature iff $w = r$
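
Slides 20 to 22 (initialization, signing, verification) as one runnable sketch; this is an added example, not part of the original slides. The toy parameters $q = 101$, $p = 7879 = 78q + 1$, $g = 3$, the secret $a = 75$ and the sample values of $m$ and $k$ are constructed for illustration, and $m$ stands in for the message digest.

```python
# Constructed toy parameters (assumption): q | p-1, far too small for real use.
Q = 101
P = 7879                              # p - 1 = 78 * q
G = 3
ALPHA = pow(G, (P - 1) // Q, P)       # alpha = g^((p-1)/q), so alpha^q ≡ 1 (mod p)
A = 75                                # Alice's secret, 1 <= a < q-1
BETA = pow(ALPHA, A, P)               # published together with (p, q, alpha)

def dsa_sign(m, k):
    """Alice: r = (alpha^k mod p) mod q, s = k^-1 (m + a r) mod q."""
    if not 0 < k < Q - 1:
        raise ValueError("k must satisfy 0 < k < q-1")
    r = pow(ALPHA, k, P) % Q
    s = pow(k, -1, Q) * (m + A * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a fresh k")
    return r, s

def dsa_verify(m, r, s):
    """Bob: u = s^-1 m, v = s^-1 r (mod q); accept iff (alpha^u beta^v mod p) mod q == r."""
    if not (0 < r < Q and 0 < s < Q):
        return False                  # also guarantees s is invertible mod q
    s_inv = pow(s, -1, Q)
    u = s_inv * m % Q
    v = s_inv * r % Q
    w = pow(ALPHA, u, P) * pow(BETA, v, P) % P % Q
    return w == r

def demo(m=1234, k=50):
    """Sign m with nonce k, then check the genuine and an altered message."""
    r, s = dsa_sign(m, k)
    return (r, s), dsa_verify(m, r, s), dsa_verify(m + 1, r, s)
```

Verification works because $\alpha^u \beta^v \equiv \alpha^{s^{-1}(m + ar)} \equiv \alpha^k \pmod p$; as with ElGamal, $k$ must be fresh and secret for every signature.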

  23. Simple Exercises from p.252-255 • Exercises 1,2,3,4 • Computer Problem 1
