Uploaded by simplyanilkumar


Chapter 11

Outline

Framework

RSA related signature schemes

DSA related signature schemes

One-time digital signatures

Arbitrated signature schemes

Signatures with added functionality

Framework

Digital Signatures can provide

Authentication

Data Integrity

Non-Repudiation

One Application

Certification of public keys in large networks

Framework (cont)

Definitions

Digital Signature - a data string which associates a message with some originating entity

Digital Signature Generation Algorithm – a method for producing a digital signature

Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

Framework (cont)

Notation

$M$: message space

$M_S$: signing space

$S$: signature space

$R$: a one-to-one mapping from $M$ to $M_S$ called the redundancy function

$M_R$: the image of $R$

$R^{-1}$: the inverse of $R$

$h$: a one-way function with domain $M$

$M_h$: hash value space, the image of $h$ ($h: M \to M_h$)

Framework (cont)

Taxonomy of digital signatures

signature schemes

    message recovery: randomized, deterministic

    appendix: randomized, deterministic

Framework (cont)

Schemes with appendix

Requires the message as input to the verification algorithm

Rely on cryptographic hash functions rather than customized redundancy functions

DSA, ElGamal, Schnorr etc.

Framework (cont)

Digital Signature with Appendix

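[Diagram: signing and verification for a scheme with appendix]

Signing: $m \in M \xrightarrow{h} m_h \in M_h \xrightarrow{S_{A,k}} s^* \in S$, with $s^* = S_{A,k}(m_h)$

Verification: $V_A : M_h \times S \to \{\text{True}, \text{False}\}$, with $u = V_A(m_h, s^*)$, $u \in \{\text{True}, \text{False}\}$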

Framework (cont)

Desirable Properties

For each $k \in R$, $S_{A,k}$ should be efficient to compute

$V_A$ should be efficient to compute

It should be computationally infeasible for an entity other than the signer to find an $m \in M$ and an $s^* \in S$ such that $V_A(m', s^*) = \text{true}$, where $m' = h(m)$

Framework (cont)

Digital Signature with Message Recovery

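[Diagram: signing and verification for a scheme with message recovery]

Signing: $m \in M \xrightarrow{R} m_r \in M_R \xrightarrow{S_{A,k}} s^* \in S$ ($M_R \subseteq M_S$)

Verification: $s^* \in S \xrightarrow{V_A} m_r \in M_R \xrightarrow{R^{-1}} m \in M$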

Framework (cont)

Desirable properties

For each $k \in R$, $S_{A,k}$ should be efficient to compute

$V_A$ should be efficient to compute

It should be computationally infeasible for an entity other than A to find any $s^* \in S$ such that $V_A(s^*) \in M_R$

Framework (cont)

[Diagram: $m \in M \xrightarrow{h} m_h \in M_h \xrightarrow{R} m_r \in M_R \subseteq M_S \xrightarrow{S_{A,k}} s^* \in S$]

Framework (cont)

Breaking a signature scheme

Total Break: private key is compromised

Selective forgery: adversary can create a valid signature on a preselected message

Existential forgery: adversary can create a valid signature with no control over the message

Framework (cont)

Types of attacks

Key-only: adversary knows only the public key

Message attacks

Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him

Chosen-message attack: adversary obtains valid signatures for a list of messages of his choice (non-adaptive)

Adaptive chosen-message attack: adversary can use the signer as an oracle

RSA

Key generation n, p, q, e, d

Sign

Compute mr = R(m)

Compute $s = m_r^d \bmod n$

The signature for m is s

Verify

Obtain authentic public key (n, e)

Compute $m_r = s^e \bmod n$

Verify that $m_r \in M_R$

Recover $m = R^{-1}(m_r)$

RSA (cont)

Attacks

Integer factorization

Homomorphic property

Reblocking problem

If signatures are encrypted, different modulus sizes can render the message unrecoverable

Importance of the redundancy function

ISO/IEC 9796
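Why the homomorphic property makes the redundancy function matter, as an added example that is not part of the original slides: without R, the product of two signatures verifies as a signature on the product of the messages, while the "Verify that m_r ∈ M_R" step rejects it. The key (two Mersenne primes), the toy redundancy function m → m || m and all function names are assumptions made for this illustration; ISO/IEC 9796 defines a far more elaborate R.

```python
# Constructed toy key: both primes are Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
BITS = 32                                    # message length in bits (assumption)
MASK = (1 << BITS) - 1

def R(m):
    """Toy redundancy function (assumption): m -> m || m."""
    return (m << BITS) | m

def in_MR(mr):
    """Membership test for M_R, the image of R."""
    return mr < (1 << 2 * BITS) and (mr >> BITS) == (mr & MASK)

def sign_raw(m):
    return pow(m, D, N)                      # no redundancy: s = m^d mod n

def recover_raw(s):
    return pow(s, E, N)                      # every s "recovers" to some message

def sign(m):
    return pow(R(m), D, N)                   # s = R(m)^d mod n

def verify(s):
    """Return the recovered message, or None if s^e mod n is not in M_R."""
    mr = pow(s, E, N)
    return mr & MASK if in_MR(mr) else None

def multiply(s1, s2):
    return s1 * s2 % N                       # needs only the public modulus

if __name__ == "__main__":
    m1, m2 = 0x1234, 0x0BAD                  # constructed sample messages
    forged = multiply(sign_raw(m1), sign_raw(m2))
    print("no redundancy, product recovers m1*m2:", recover_raw(forged) == m1 * m2 % N)
    print("with redundancy, genuine:", verify(sign(m1)) == m1)
    print("with redundancy, product:", verify(multiply(sign(m1), sign(m2))))
```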

RSA (cont)

Performance (p, q are k-bit primes)

Signature $O(k^3)$

Verification $O(k^2)$

Bandwidth

Bandwidth is determined by R. For example, ISO/IEC 9796 maps k-bit messages to 2k-bit elements in $M_S$ for a 2k-bit signature (efficiency of ½)

DSA

DSA Algorithm : key generation

select a prime q of 160 bits

Choose $0 \le t \le 8$, select $2^{511+64t} < p < 2^{512+64t}$ with $q \mid p-1$

Select g in $Z_p^*$, and $\alpha = g^{(p-1)/q} \bmod p$, $\alpha \ne 1$

Select $1 \le a \le q-1$, compute $y = \alpha^a \bmod p$

public key $(p, q, \alpha, y)$, private key a

DSA (cont)

DSA signature generation

Select a random integer k, 0 < k < q

Compute $r = (\alpha^k \bmod p) \bmod q$

Compute $k^{-1} \bmod q$

Compute $s = k^{-1}(h(m) + ar) \bmod q$

signature = (r, s)

DSA (cont)

DSA signature verification

Verify 0<r<q and 0<s<q; if not, invalid

Compute $w = s^{-1} \bmod q$ and h(m)

Compute $u_1 = w \cdot h(m) \bmod q$, $u_2 = r w \bmod q$

Compute $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$

Valid iff v = r

$w\,h(m) + a r w \equiv k \pmod{q}$

$u_1 + a u_2 \equiv k \pmod{q}$

$(\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (\alpha^k \bmod p) \bmod q$
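The DSA key generation, signing and verification steps above carried through end to end, as an added example that is not part of the original slides. It assumes toy parameter sizes (a 31-bit q instead of 160 bits), SHA-256 reduced mod q as the hash h, and hypothetical function names; the range check on (r, s) and the retry when s = 0 follow the slides.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Trial division; adequate only for the small demonstration sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def gen_params(q):
    """Find a prime p with q | p-1 and an alpha of order q in Z_p* (alpha != 1)."""
    p = 2 * q + 1
    while not is_prime(p):
        p += 2 * q
    g = 2
    while pow(g, (p - 1) // q, p) == 1:
        g += 1
    return p, pow(g, (p - 1) // q, p)

def h(m, q):
    """Stand-in hash (assumption): SHA-256 reduced mod q."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def keygen(p, q, alpha):
    a = 1 + secrets.randbelow(q - 1)             # private key, 1 <= a <= q-1
    return a, pow(alpha, a, p)                   # public y = alpha^a mod p

def sign(m, p, q, alpha, a):
    while True:
        k = 1 + secrets.randbelow(q - 1)         # fresh secret per signature, 0 < k < q
        r = pow(alpha, k, p) % q
        s = pow(k, -1, q) * (h(m, q) + a * r) % q
        if r and s:                              # retry in the rare r = 0 or s = 0 case
            return r, s

def verify(m, sig, p, q, alpha, y):
    r, s = sig
    if not (0 < r < q and 0 < s < q):            # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1, u2 = w * h(m, q) % q, r * w % q
    return pow(alpha, u1, p) * pow(y, u2, p) % p % q == r

if __name__ == "__main__":
    q = 2**31 - 1                                # constructed toy size, not 160 bits
    p, alpha = gen_params(q)
    a, y = keygen(p, q, alpha)
    m = b"constructed sample message"
    print(verify(m, sign(m, p, q, alpha, a), p, q, alpha, y))
```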

DSA (cont)

Security of DSA

two distinct DL problems: $Z_p^*$, cyclic subgroup of order q

Parameters:

q ~ 160 bits, p 768 bits ~ 1 Kb; p, q, α can be system-wide

Probability of failure

$\Pr[s=0] = (1/2)^{160}$

DSA (cont)

Performance

Signature Generation

One modular exponentiation

Several 160-bit operations (if p is 768 bits)

The exponentiation can be precomputed

Verification

Two modular exponentiations

ElGamal

Key generation: p, q, α, a, $y = \alpha^a \bmod p$

Signature Generation

Select random k, $1 \le k \le p-1$, $\gcd(k, p-1) = 1$

Compute $r = \alpha^k \bmod p$

Compute $k^{-1} \bmod (p-1)$

Compute $s = k^{-1}(h(m) - ar) \bmod (p-1)$

signature is (r, s)

ElGamal (cont)

Signature Verification

Verify 1 ≤ r ≤ p-1

Compute $v_1 = y^r r^s \bmod p$

Compute h(m) and $v_2 = \alpha^{h(m)} \bmod p$

Accept iff $v_1 = v_2$

$s \equiv k^{-1}\{h(m) - ar\} \pmod{p-1}$

$ks \equiv h(m) - ar \pmod{p-1}$

$\alpha^{h(m)} \equiv \alpha^{ar + ks} \equiv (\alpha^a)^r r^s \pmod{p}$

ElGamal (cont)

Security (based on DL problem)

Index-calculus attack: p should be large

Pohlig-Hellman attack: p-1 should not be smooth

Weak generators: If $p \equiv 1 \bmod 4$ and $\alpha \mid p-1$, DL can be broken for subgroup S of order α. Forgeries are then possible

ElGamal (cont)

In addition…

k must be unique for each message signed

$(s_1 - s_2)k = (h(m_1) - h(m_2)) \bmod (p-1)$

An existential forgery attack can be mounted if a hash function is not used

ElGamal (cont)

Performance

Signature Generation

One modular exponentiation

One Euclidean Algorithm

Both can be done offline

Verification

Three modular exponentiations

One-Time Signatures

Definition: digital signature schemes that can be used to sign at most one message; otherwise signatures can be forged. A new public key is required for each signed message.

Most one-time signature schemes have the property that signature generation and verification are both very efficient

Rabin One-Time Signatures

Key generation

Select a symmetric key encryption scheme E (e.g. DES)

Generate 2n random secret strings $k_1, k_2, \ldots, k_{2n} \in K$, each of bit length l

Compute $y_i = E_{k_i}(M_0(i))$, $i \in [1, 2n]$.

Public key is $(y_1, y_2, \ldots, y_{2n})$,

private key is $(k_1, k_2, \ldots, k_{2n})$.

Rabin One-Time Signatures

Signature Generation:

compute $s_i = E_{k_i}(h(m))$, $i \in [1, 2n]$

signature is $(s_1, s_2, \ldots, s_{2n})$

Verification:

Compute h(m)

Select n distinct random numbers $r_j$, $r_j \in [1, 2n]$

Request from the signer the keys $k_{r_j}$, $\forall j: 1 \le j \le n$

Verify the n received keys, i.e. does $y_{r_j} = E_{k_{r_j}}(M_0(r_j))$?

Rabin One-Time Signatures

Resolution of disputes: signer A, verifier B and TTP

B provides m and the signature to TTP

TTP gets private key $k_1, \ldots, k_{2n}$ from A

TTP verifies authenticity of the private key

TTP computes $u_i = E_{k_i}(h(m))$, $1 \le i \le n$. If $u_i = s_i$ for at most n values of i, it is a forgery. If n+1 or more values match, it is a valid signature

Rationale for dispute resolution protocol

A can disavow with $\Pr = 1 / \binom{2n}{n}$

Arbitrated Digital Signatures

Requires an unconditionally trusted TTP as part of the signature generation and signature verification.

Each entity shares a symmetric key with the TTP

Symmetric key cryptography results in a very fast algorithm

However, this speedup is overshadowed by the TTP as well as communication overhead

Arbitrated Digital Signatures

Signature Generation (by A)

A → TTP: $I_A$, $u = E_{k_A}(h(m))$

TTP → A: $s = E_{k_T}(h(m) \| I_A)$

Arbitrated Digital Signatures

Signature Verification (by B)

B → TTP: $I_B$, $v = E_{k_B}(s)$

TTP → B: $E_{k_B}(h(m) \| I_A)$

ESIGN

Key generation

Compute $n = p^2 q$, select k>3

Sign message m

compute v=h(m), random x, 0 ≤ x < pq

Verify:

compute $u = s^k \bmod n$, z = h(m)

ESIGN (cont)

Why does this work? I refer you to the text p 473

Security of ESIGN

Based on factoring of large integers.

Not known whether factoring $n = p^2 q$ is easier than factoring an RSA modulus

Given m and s, in order to forge a signature for m', we must have that $h(m') \le s^k \bmod n \le h(m') + 2^{(2 \lg n)/3}$

expect to try $2^{\lg(n)/3}$ different values of m'

ESIGN (cont)

Efficiency of ESIGN

The only modular exponentiation is with a small exponent (e.g. k=4)

For a 768-bit modulus n, ESIGN signature generation is orders of magnitude (10 to 100 times) faster than RSA signature generation.

Blind signature scheme

Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B’s signature on an a priori message m of A’s choice. At the completion of the protocol, B knows neither m, nor the signature associated with it.

Application: e-cash

Blind signature scheme (cont)

Chaum

Sender A; Signer B

B’s RSA public and private keys are as usual. k is a random secret integer chosen by A, satisfying $0 \le k < n$

Protocol actions

(blinding) A computes $m^* = m k^e \bmod n$ and sends it to B

Note: $(m k^e)^d = m^d k$

(signing) B computes $s^* = (m^*)^d \bmod n$ and sends it to A

(unblinding) A computes $s = k^{-1} s^* \bmod n$

Undeniable Signature Schemes

Requires the cooperation of the signer

Chaum-van Antwerpen

Key generation

Select random prime p=2q+1, q is prime

Select a generator α for the subgroup of order q in $Z_p^*$

Select random $a \in \{1, 2, \ldots, q-1\}$, $y = \alpha^a \bmod p$

public (p, α, y), private a

Chaum-van Antwerpen

Signature Generation

compute $s = m^a \bmod p$

Verification

B selects random secret integers $x_1, x_2 \in \{1, 2, \ldots, q-1\}$

B computes $z = s^{x_1} y^{x_2} \bmod p$, and sends z to A

A computes $w = z^{a^{-1}} \bmod p$, and sends w to B

B computes $w' = m^{x_1} \alpha^{x_2} \bmod p$. Valid iff $w = w'$

$w \equiv z^{a^{-1}} \equiv (s^{x_1} y^{x_2})^{a^{-1}} \equiv (m^{a x_1} \alpha^{a x_2})^{a^{-1}} \equiv m^{x_1} \alpha^{x_2} \equiv w' \bmod p$
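The interactive verification above with both parties' messages, as an added example that is not part of the original slides. It assumes a toy safe prime p = 2039 (q = 1019), α = 4, and an encoding that squares a hash so that m lies in the order-q subgroup, which the identity $m^{a \cdot a^{-1}} \equiv m$ needs because $a^{-1}$ is taken mod q; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime. Far too small for real use.
P, Q = 2039, 1019
ALPHA = 4          # 4 = 2^2 is a quadratic residue != 1, so it has order q

def encode(msg: bytes) -> int:
    """Map bytes into the order-q subgroup by squaring a hash (assumed encoding)."""
    x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1) + 1
    return pow(x, 2, P)

def keygen():
    a = 1 + secrets.randbelow(Q - 1)            # private a in {1, ..., q-1}
    return a, pow(ALPHA, a, P)                  # public y = alpha^a mod p

def sign(m, a):
    return pow(m, a, P)                         # s = m^a mod p

def b_challenge(s, y):
    """Verifier B: pick secret x1, x2 and send z = s^x1 * y^x2 mod p."""
    x1, x2 = (1 + secrets.randbelow(Q - 1) for _ in range(2))
    return (x1, x2), pow(s, x1, P) * pow(y, x2, P) % P

def a_respond(z, a):
    """Signer A: return w = z^(a^-1 mod q) mod p."""
    return pow(z, pow(a, -1, Q), P)

def b_check(m, w, secret):
    """Verifier B: accept iff w == m^x1 * alpha^x2 mod p."""
    x1, x2 = secret
    return w == pow(m, x1, P) * pow(ALPHA, x2, P) % P

def run_verification(m, s, a, y):
    secret, z = b_challenge(s, y)
    return b_check(m, a_respond(z, a), secret)

if __name__ == "__main__":
    a, y = keygen()
    m = encode(b"constructed sample message")
    s = sign(m, a)
    print("valid signature accepted:", run_verification(m, s, a, y))
    print("altered signature accepted:", run_verification(m, s * ALPHA % P, a, y))
```

Verification cannot run without A's private key in `a_respond`, which is the sense in which the scheme requires the cooperation of the signer.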

Chaum-van Antwerpen

If s is a forgery, B accepts it with probability 1/q, independent of the adversary’s computational resources

refuse to participate in verification

perform the verification incorrectly

claim a signature forgery even though the verification protocol is successful.

Chaum-van Antwerpen

Disavowal protocol

Select two pairs $(x_1, x_2)$ and $(x'_1, x'_2)$ and verify twice

Compute $c = (w \alpha^{-x_2})^{x'_1} \bmod p$ and $c' = (w' \alpha^{-x'_2})^{x_1} \bmod p$; if $c = c'$, s is a forgery, otherwise s is valid and A is attempting to disavow the signature

Let m be the message, s a signature on m

If $s \ne m^a \bmod p$ and the disavowal protocol runs correctly, then $c = c'$

If $s = m^a \bmod p$ and B follows the protocol but A does not, then $\Pr[c = c']$ is $1/q$
