
STRONG AND PROVABLE SECURITY FOR DIGITAL SIGNATURES

People can eavesdrop, intercept, relay, modify, forge or inject messages, and may try to fool the targeted receivers into believing that the messages were sent by the real person.
On such a vulnerable connection, relying on encryption alone is inadequate: encryption hides the content of a message, but by itself it does not tell the receiver who created the message or whether it was changed on the way.

We need a mechanism which enables the receiver to verify that a message indeed came from the claimed source and has not been altered.
Data integrity is the security service against unauthorized modification of messages.
Data integrity in modern cryptography is closely related to, and evolved from, error-detection codes.
An error-detection code is a procedure for detecting errors which can be introduced into messages due to faults in communication.

Using information which has been modified in a malicious way carries the same risk as using information which contains defects due to errors introduced in communication or data processing.
Data integrity mechanisms and error-detection codes share the same basic structure, but they differ in what the redundancy is designed to withstand.
In both, a transmitter of a message creates a checking value by encoding some redundancy into the message to be transmitted and attaches the checking value to the message. A receiver of the message then verifies the correctness of the message received using the attached checking value, according to a set of rules agreed with the transmitter.
In an error-detection code, the redundancy is encoded in such a way that the receiver can use a maximum likelihood detector to decide which message was most likely transmitted, given the possibly altered codeword that was received. Such codes protect only against random faults: they are usually linear, so anyone can recompute, or even blindly patch, the checking value after a deliberate modification.
In data integrity, the redundancy is encoded in such a way that the attached checking value is distributed as uniformly as possible over the entire space of checking values, to minimize the probability that an attacker can forge a valid checking value. This is only possible when the checking value depends on a key that the attacker does not have, which an error-detection code does not provide.
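The difference between an error-detection code and a keyed integrity check is easiest to see on a concrete channel. The following Python program is an added example, not part of the slides: it uses a toy stream cipher (SHA-256 in counter mode, constructed here only for the demonstration) to encrypt a message protected by CRC-32, and shows that an attacker who never sees the plaintext or the key can still flip chosen bits and patch the encrypted checksum, because CRC-32 is affine (crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0...0) for equal lengths). The same modification against an HMAC-SHA256 tag is rejected. The message, keys and bit positions are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct
import zlib


def keystream(key, length):
    """Toy XOR stream cipher keystream (constructed for this example only):
    SHA-256 in counter mode. Any XOR-based cipher behaves the same here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_crc(key, msg):
    """Sender: append a CRC-32 'checking value', then encrypt msg || crc."""
    body = msg + struct.pack(">I", zlib.crc32(msg))
    return xor(body, keystream(key, len(body)))


def decrypt_and_check_crc(key, ct):
    """Receiver: decrypt and accept the message only if the CRC matches."""
    body = xor(ct, keystream(key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if struct.pack(">I", zlib.crc32(msg)) == tag else None


def attacker_patch(ct, delta):
    """Attacker without the key: flip the plaintext bits selected by `delta`
    and fix the encrypted CRC using the affine property of CRC-32."""
    n = len(ct) - 4
    assert len(delta) == n
    crc_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(n))   # crc(d) ^ crc(0^n)
    return xor(ct, delta + struct.pack(">I", crc_fix))


def encrypt_with_mac(enc_key, mac_key, msg):
    """Sender: encrypt, then authenticate the ciphertext with a keyed MAC."""
    ct = xor(msg, keystream(enc_key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_and_check_mac(enc_key, mac_key, blob):
    """Receiver: verify the tag in constant time before decrypting."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(enc_key, len(ct)))


def demo():
    """Returns (message accepted by the CRC receiver, message accepted by
    the MAC receiver) after the same blind bit flip on both channels."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"transfer 0010 USD to alice"        # constructed sample message
    delta = bytearray(len(msg))
    delta[9] = ord("0") ^ ord("9")             # turns "0010" into "9010"
    delta = bytes(delta)

    forged = attacker_patch(encrypt_with_crc(enc_key, msg), delta)
    crc_accepted = decrypt_and_check_crc(enc_key, forged)

    tampered = xor(encrypt_with_mac(enc_key, mac_key, msg), delta + bytes(32))
    mac_accepted = decrypt_and_check_mac(enc_key, mac_key, tampered)
    return crc_accepted, mac_accepted
```

Running demo() shows the CRC receiver accepting "transfer 9010 USD to alice" as valid, while the MAC receiver returns None for the tampered blob. The attacker never learned the keys or the plaintext; the only thing that stopped the second forgery was that the checking value depends on a secret key.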

Like an encryption algorithm, the cryptographic transformations for achieving data integrity should also be parameterized by keys.
Thus, in the usual sense, a correct data-integrity verification result also provides the verifier with knowledge of the message source, that is, the principal who created the data-integrity protection.
However, recently a notion of "data integrity without source identification" has emerged.
This new notion is important in the study of public key cryptosystems secure against adaptive attackers.

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.
A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
Commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
A digital signature scheme typically consists of three algorithms:
A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
A signing algorithm that, given a message and a private key, produces a signature.
A signature verifying algorithm that, given a message, a public key and a signature, either accepts or rejects the message's claim to authenticity.

Digital certificate
A digital certificate is a multipurpose document developed to be used primarily over the internet; it is used for either identification or encryption.

Identification:
proves identity (verifies the sender of the information)
grants the right to access information or other services online
includes ensuring the identity of all parties involved in a transaction

Encryption:
used in secure web transactions
contains the subject's public key, used to encrypt data for the subject or to verify the subject's signatures; the matching private key never appears in the certificate

Non-repudiation:
a signature that verifies under a certified key means the person cannot later deny that he or she sent the message

Digital signatures are described as being of two types: asymmetric and symmetric.
A conventional digital signature uses asymmetric cryptography to create a tamper-evident seal which makes it possible to determine, through a simple test, whether data has been altered since the signature was applied, and which private key was used to create the signature.
More recently, "digital signatures" have also been created with symmetric cryptography, based upon a key that is derived from the identity of the user and is known only to a trusted server that both creates and verifies the signatures and generates proof-of-signature certificates when queried to verify a signature.
Such symmetric digital signatures share a syntax similar to message authentication codes (MACs).
Symmetric digital signatures have the additional advantage over asymmetric digital signatures of being less processor-intensive, and thus are more efficient and cheaper to maintain.
The trade-off: because the trusted server holds the key and could itself produce a valid tag, such a scheme provides non-repudiation only to the extent that every party trusts that server, and nobody can verify a tag without querying it; a conventional signature can be checked by anyone holding the public key.

ElGamal signature

ElGamal is a digital signature scheme whose security is based on the difficulty of computing discrete logarithms.
It was described by Taher ElGamal in 1984.
It is not to be confused with ElGamal encryption, which was also invented by Taher ElGamal.
The ElGamal signature scheme allows a third party to confirm the authenticity of a message sent over an insecure channel.
Attacks on ElGamal signatures were published by Bleichenbacher in 1996; they apply when an implementation omits a check the scheme requires, such as verifying that the signature component r satisfies 0 < r < p, or when the system parameters (the generator) are chosen carelessly.
There are a number of ElGamal-like signature schemes (DSA among them). They differ in details, but share the same basic idea.
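The three algorithms of a signature scheme (key generation, signing, verifying) and the ElGamal construction itself, as an added worked example that is not part of the slides. The group parameters are an assumption made here for the demo: p is the Mersenne prime 2^61 - 1 and g = 3, which is far too small for real use (deployed systems use parameters of 2048 bits or more). The message is hashed with SHA-256 before signing (hash-then-sign, as every practical ElGamal-like scheme does); signing the raw message would allow existential forgeries. The verifier performs the range check 0 < r < p whose omission the 1996 attacks exploit, and the demo shows a forged r that the verification equation alone cannot distinguish from the genuine one.

```python
import hashlib
import math
import secrets

# Assumed toy parameters (not from the slides): p = 2^61 - 1 is prime, g = 3.
P = (1 << 61) - 1
G = 3
Q = P - 1                    # exponents are reduced modulo p - 1


def h(msg):
    """Hash-then-sign: the scheme signs H(m), never the raw message."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """Key generation: private x in [1, p-2], public y = g^x mod p."""
    x = secrets.randbelow(Q - 2) + 1
    y = pow(G, x, P)
    return x, y


def sign(x, msg):
    """Signing: pick a fresh secret k coprime to p-1, r = g^k, s = (H - x r) / k."""
    while True:
        k = secrets.randbelow(Q - 2) + 1       # must be unique and secret per signature
        if math.gcd(k, Q) == 1:
            break
    r = pow(G, k, P)
    s = ((h(msg) - x * r) * pow(k, -1, Q)) % Q
    if s == 0:                                 # degenerate case, draw a fresh k
        return sign(x, msg)
    return r, s


def verify(y, msg, sig):
    """Verifying: accept iff 0 < r < p, 0 < s < p-1 and g^H(m) == y^r * r^s (mod p)."""
    r, s = sig
    if not (0 < r < P and 0 < s < Q):          # range checks are part of the scheme
        return False
    return pow(G, h(msg), P) == (pow(y, r, P) * pow(r, s, P)) % P


def demo():
    """Returns (genuine signature accepted, altered message accepted,
    out-of-range r accepted) for a constructed sample message."""
    x, y = keygen()
    msg = b"release v1.2.3"                    # constructed sample message
    r, s = sign(x, msg)
    genuine = verify(y, msg, (r, s))
    altered = verify(y, msg + b"!", (r, s))
    # r' = r + p(p-1) is congruent to r both mod p and mod p-1, so the
    # verification equation alone would accept it; only the range check rejects it.
    unchecked_r = verify(y, msg, (r + P * Q, s))
    return genuine, altered, unchecked_r
```

Why the equation holds: y^r * r^s = g^(xr) * g^(ks) = g^(xr + ks), and s was chosen so that xr + ks is congruent to H(m) modulo p-1, the order of the group. Because r appears both as a group element and as an exponent, any r' with the same residues modulo p and modulo p-1 satisfies the equation too; that is exactly why the verifier must insist on 0 < r < p rather than trusting the arithmetic.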

Trapdoor one-way function

A trapdoor function is a function that is easy to compute in one direction, yet believed to be difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor". Examples: RSA and Rabin.
Trapdoor functions are widely used in cryptography.

Signcryption is a public-key primitive that simultaneously performs the functions of both digital signature and encryption.
It offers three frequently used security services: confidentiality, authenticity, and non-repudiation.
In public key schemes, the traditional method is to digitally sign a message and then encrypt the result (signature-then-encryption).
This approach has two problems: low efficiency and the high cost of combining the two operations, since the costs of signing and encrypting simply add up.
Signcryption is a relatively new cryptographic technique that fulfills the functionalities of digital signature and encryption in a single logical step, and can effectively decrease the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes.
Signcryption provides the properties of both digital signatures and encryption schemes in a way that is more efficient than signing and encrypting separately.

Any signcryption scheme should have the following properties:
Correctness: any signcryption scheme should be correctly verifiable.
Efficiency: the computational costs and communication costs of a signcryption scheme should be smaller than those of the best known signature-then-encryption schemes with the same functionality.
Security: a signcryption scheme should simultaneously fulfill the security attributes of an encryption scheme and those of a digital signature. These attributes mainly include confidentiality, unforgeability, integrity, and non-repudiation.
Some signcryption schemes provide further attributes, such as public verifiability and forward secrecy of message confidentiality, while others do not. These additional properties are required by some applications and not by others.

The AES cipher

A replacement for DES was clearly needed:
  theoretical attacks exist that can break DES faster than brute force
  exhaustive key search attacks on DES have been demonstrated in practice
Triple-DES can be used instead, but it is slow and has a small (64-bit) block
US NIST issued a call for ciphers in 1997
15 candidates were accepted in June 1998
5 were shortlisted in August 1999
Rijndael was selected as the AES in October 2000
issued as the FIPS PUB 197 standard in November 2001

NIST's requirements for the AES:
a private-key (symmetric) block cipher
128-bit data, 128/192/256-bit keys
stronger and faster than Triple-DES
an active life of 20-30 years (plus archival use)
a full specification and design details provided
both C and Java implementations
NIST has released all submissions and unclassified analyses

initial criteria:
  security: effort required for practical cryptanalysis
  cost: in terms of computational efficiency
  algorithm and implementation characteristics
final criteria:
  general security
  ease of software and hardware implementation
  implementation attacks
  flexibility (in encryption/decryption, keying, other factors)

AES is based on the Rijndael algorithm.
It uses a combination of substitution and a couple of transposition approaches, together with a keying function.
It consists of n rounds of the above combination, where n depends on the key length (i.e. unlike DES, the AES key length varies among 3 sizes).
It uses block encryption where one block is a fixed size of 128 bits.
It uses symmetric encryption where the key can be 128 bits (still more than double the 56-bit effective key of DES), 192 bits, or 256 bits; the number of rounds is 10, 12 and 14 respectively (counted as 9, 11 and 13 full rounds plus a final round that omits MixColumns).

Rijndael was designed by Rijmen and Daemen in Belgium
has 128/192/256-bit keys, 128-bit data
an iterative rather than Feistel cipher
processes data as a block of 4 columns of 4 bytes
operates on the entire data block in every round
designed to be:
  resistant against known attacks
  fast and compact in code on many CPUs
  simple in design

the data block of 4 columns of 4 bytes is the state
the key is expanded to an array of words
the state undergoes 9/11/13 full rounds (for 128/192/256-bit keys), each consisting of:
  byte substitution (1 S-box used on every byte)
  shift rows (permute bytes between groups/columns)
  mix columns (substitution using a matrix multiplication of groups)
  add round key (XOR state with key material)
view as alternating XOR of key material and scrambling of data bytes
an initial XOR of key material precedes the rounds and an incomplete last round (no mix columns) follows them
with a fast XOR and table lookup implementation

an iterative rather than Feistel cipher
key expanded into an array of 32-bit words
four words form the round key in each round

4 different stages are used


has a simple structure
only AddRoundKey uses key
AddRoundKey a form of Vernam cipher
each stage is easily reversible
decryption uses keys in reverse order
decryption does recover plaintext
final round has only 3 stages

In AES, the 128-bit block is treated as a single 4x4 matrix of 16 bytes (the state), filled column by column:

Byte1  Byte5  Byte9   Byte13
Byte2  Byte6  Byte10  Byte14
Byte3  Byte7  Byte11  Byte15
Byte4  Byte8  Byte12  Byte16

Each round in AES consists of 4 steps:
(1) Byte Substitution: substitute each byte in the block based on a substitution table (the S-box)
a simple substitution of each byte
uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
each byte of the state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits)
e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
the S-box is designed to be resistant to all known attacks

(2) Shift Rows: a circular byte shift in each row
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left
decryption inverts this using shifts to the right
since the state is processed by columns, this step permutes bytes between the columns

(3) Mix Columns: each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(2^8) using the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1

(4) Add Round Key: XOR the state with 128 bits of the round key
again processed by column (though effectively a series of byte operations)
the inverse for decryption is identical, since XOR is its own inverse, with the round keys used in reverse order
designed to be as simple as possible
a form of Vernam cipher on the expanded key
requires the other stages for complexity / security

AES key expansion
takes the 128/192/256-bit (16/24/32-byte) key and expands it into an array of 44/52/60 32-bit words respectively
starts by copying the key into the first Nk words (4, 6 or 8)
then loops creating words that depend on the values in the previous word and the word Nk places back
in 3 of 4 cases (for 128-bit keys) the two are simply XORed together
the 1st word in every 4 has rotate + S-box + XOR round constant applied to the previous word, before the XOR with the word 4 back

the key expansion was designed to resist known attacks
design criteria included:
  knowing part of the key is insufficient to find many more key bits
  an invertible transformation
  fast on a wide range of CPUs
  use of round constants to break symmetry
  diffusion of key bits into the round keys
  enough non-linearity to hinder analysis
  simplicity of description

AES decryption is not identical to encryption, since the steps are done in reverse
but an equivalent inverse cipher can be defined with the steps in the same order as for encryption
  but using the inverse of each step
  with a different key schedule
this works since the result is unchanged when we:
  swap byte substitution and shift rows
  swap mix columns and add (tweaked) round key

AES can be efficiently implemented on an 8-bit CPU:
byte substitution works on bytes using a table of 256 entries
shift rows is a simple byte shift
add round key works on byte XORs
mix columns requires a matrix multiply in GF(2^8), which works on byte values and can be simplified to use table lookups and byte XORs

AES can be efficiently implemented on a 32-bit CPU:
redefine the steps to use 32-bit words
can precompute 4 tables of 256 words
then each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 4 KB to store the tables
the designers believe this very efficient implementation was a key factor in its selection as the AES cipher