
Number Theory and Advanced Cryptography 6. Digital Signature

Number Theory and Advanced Cryptography 6. Digital Signature. Chih-Hung Wang Sept. 2012. Part I: Introduction to Number Theory Part II: Advanced Cryptography. Hash Function. Definition A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M)



  1. Number Theory and Advanced Cryptography 6. Digital Signature • Chih-Hung Wang • Sept. 2012 • Part I: Introduction to Number Theory • Part II: Advanced Cryptography

  2. Hash Function • Definition • A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) • Sometimes called a message digest • Hash Algorithm • MD5 • RFC 1321, developed by Ron Rivest at MIT • Secure Hash Algorithm (SHA) • FIPS PUB 180 in 1993 (NIST), 180-1 in 1995 • FIPS: Federal Information Processing Standard

  3. Hash Function (figure labels: Plaintext M, Hash Function, Message Digest, Hash value H(M))

  4. Requirements of Hash • H can be applied to a block of data of any size • H produces a fixed-length output • H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical • For any given code h, it is computationally infeasible to find x such that H(x)=h. This is sometimes referred to in the literature as the one-way property • For any given block x, it is computationally infeasible to find y ≠ x with H(y)=H(x). This is sometimes referred to as weak collision resistance • It is computationally infeasible to find any pair (x,y) such that H(x)=H(y). This is sometimes referred to as strong collision resistance.

  5. Requirements of Hash (figure labels: m1, H(m1), m2, H(m2)) • It is difficult to find m1 and m2 (m1 ≠ m2) such that H(m1)=H(m2)

  6. Security of Hash Functions • For a code of length n • One-way: $2^{n}$ • Weak collision resistance: $2^{n}$ • Strong collision resistance: $2^{n/2}$
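The gap between the 2^n and 2^(n/2) figures on slide 6 can be measured directly on a deliberately short hash. The following is an added example, not part of the original slides; it assumes a toy n-bit hash built by truncating SHA-256, and the input strings are constructed.

```python
import hashlib
from itertools import count

def h(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash (assumption): the top n_bits bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Strong collision search: any x != y with h(x) == h(y).
    Expected work is on the order of 2^(n/2) hashes (birthday bound)."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i          # constructed inputs, all distinct
        code = h(msg, n_bits)
        if code in seen:
            return seen[code], msg, i + 1
        seen[code] = msg

def find_second_preimage(fixed: bytes, n_bits: int):
    """Weak collision search: y != fixed with h(y) == h(fixed).
    The target is pinned, so expected work is on the order of 2^n hashes."""
    target = h(fixed, n_bits)
    for i in count():
        msg = b"try-%d" % i          # constructed inputs
        if msg != fixed and h(msg, n_bits) == target:
            return msg, i + 1

if __name__ == "__main__":
    for n in (16, 20, 24):
        x, y, tries = find_collision(n)
        print(f"n={n}: collision after {tries} hashes (2^(n/2) = {2 ** (n // 2)})")
    y, tries = find_second_preimage(b"contract v1", 16)
    print(f"n=16: second preimage after {tries} hashes (2^n = {2 ** 16})")
```

Doubling n squares the collision cost, which is why a hash used for signatures needs an output about twice as long as the security level it is meant to provide.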

  7. Properties of a Hash Function

  8. Digital Signature • Dispute of message authentication • Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. • Several forms of dispute between the two are possible

  9. Properties • The digital signature is analogous to the handwritten signature. It must have the following properties: • It must be able to verify the author and the date and time of the signature • It must be able to authenticate the contents at the time of the signature • The signature must be verifiable by third parties, to resolve disputes

  10. Requirements (1/2) • The signature must be a bit pattern that depends on the message being signed • The signature must use some information unique to the sender, to prevent both forgery and denial • It must be relatively easy to produce the digital signature • It must be relatively easy to recognize and verify the digital signature

  11. Requirements (2/2) • It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message • It must be practical to retain a copy of the digital signature in storage

  12. Digital Signature Concept (figure labels: Signer, Signer’s Private Key, Signed Document, Receiver, Signer’s Public Key, Verify the signature)

  13. Dispute Concept (figure labels: Sender, Receiver, Dispute, Third Party, Signer’s Digital Signature, Verify & Judge)

  14. RSA Digital Signature • Signer’s public key: (e, n) • Signer’s private key: d • Signer: $Sig = h(M)^{d} \bmod n$ • Signed Document sent from Signer to Receiver • Receiver: Verify $h(M) \stackrel{?}{=} Sig^{e} \bmod n = (h(M)^{d})^{e} \bmod n$

  15. Digital Signature Schemes • RSA • ElGamal • Rabin • DSA (DSS) • Schnorr • Others

  16. RSA (Algorithm 10.1) m=M|I m=h(M)
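The sign and verify equations of slide 14, and the reason slide 16 signs m=h(M) rather than a bare number, shown as an added example that is not part of the original slides. The key is a constructed toy built from two Mersenne primes and is trivially factorable; `raw_verify` and `demo` are hypothetical helper names.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, demo only.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                              # public modulus n
E = 65537                              # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d = e^-1 mod phi(n)

def h(message: bytes) -> int:
    """h(M): SHA-256 as an integer (256 bits, so always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sig = h(M)^d mod n, computed with the private key."""
    return pow(h(message), D, N)

def verify(message: bytes, sig: int) -> bool:
    """Accept iff h(M) == Sig^e mod n, using only the public key (e, n)."""
    return 0 < sig < N and pow(sig, E, N) == h(message)

def raw_verify(m: int, sig: int) -> bool:
    """RSA with no hash and no redundancy: the signed value is m itself."""
    return pow(sig, E, N) == m

def demo() -> dict:
    msg = b"Pay Bob 100"               # constructed sample message
    sig = sign(msg)
    # Without a hash, a pair (m, s) with m = s^e mod n passes verification
    # although the private key was never used. m is a meaningless number,
    # which is what "existential" forgery means.
    s = 123456789
    m = pow(s, E, N)
    m_bytes = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return {
        "valid": verify(msg, sig),
        "tampered": verify(b"Pay Bob 900", sig),
        "raw_pair_accepted": raw_verify(m, s),
        # With hashing, the same pair only passes if h(m_bytes) == m,
        # which the one-way property makes infeasible to arrange.
        "hashed_pair_accepted": verify(m_bytes, s),
    }

if __name__ == "__main__":
    print(demo())
```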

  17. Rabin (Algorithm 10.2)

  18. ElGamal (Algorithm 10.3)

  19. ElGamal (II)

  20. Informal Security Argument for ElGamal Signature (1) • Warning 1

  21. Informal Security Argument for ElGamal Signature (2) • Warning 2

  22. Informal Security Argument for ElGamal Signature (3) • Warning 3

  23. Prevention of Existential Forgery

  24. Schnorr (Algorithm 10.4)

  25. Schnorr (II)

  26. Properties of Schnorr Signature • Working in the order-q subgroup of Fq. • The signature size is much shorter than that of a signature in ElGamal. • Schnorr: 2|q| • ElGamal: 2|p| • Fewer operations in signature generation and verification.

  27. DSA/DSS (Algorithm 10.5)

  28. DSA/DSS (II)

  29. About DSA (DSS) • In August 1991, NIST announced a new proposed digital signature scheme called the Digital Signature Standard (DSS) • The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard (DSS). • The DSS makes use of the Secure Hash Algorithm (SHA) • The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme

  30. Criticisms of DSS (1/2) • DSS cannot be used for encryption or key distribution • DSS was developed by the NSA, and there may be a trapdoor in the algorithm • DSS is slower than RSA • RSA is the ISO 9796, the international digital signature standard

  31. Criticisms of DSS (2/2) • The DSS selection process was not public; sufficient time for analysis has not been provided • DSS may infringe on other patents • The key size is too small

  32. ECC Signatures • See papers
