digital signatures


Post on 18-Mar-2016






Digital Signatures. Presented by Olga Shishenina. Outline: Cryptographic goals; Message Authentication Codes (MACs); Digital signatures; RSA digital signature; Elliptic curve digital signature; Comparison of ECDSA and RSA signature. Message authentication. Entity authentication.


  • Digital Signatures. Presented by Olga Shishenina

  • Outline: Cryptographic goals; Message Authentication Codes (MACs); Digital signatures; RSA digital signature; Elliptic curve digital signature; Comparison of ECDSA and RSA signature

  • Cryptographic Goals (diagram labels). Symmetric-key ciphers: block ciphers, stream ciphers. Public-key ciphers. Cryptographic goals: confidentiality, data integrity, authentication, non-repudiation. Arbitrary length hash functions. Message Authentication Codes (MACs). Digital signatures. Authentication primitives: digital signatures, MACs.


  • Non-repudiation. Alice, Bob. m is a signed message; s is a valid signature for m; m, s. Alice denies her signature if she finds: m m : s is valid signature for m

  • Message Authentication Codes. MAC f(x, key): {0,1}* → {0,1}^n; knowing x and key, f is easy to compute; it is infeasible to calculate f(x, key) without the key

    MACs are often block cipher based: message m, secret key k, specification of block cipher E. MAC(m) = E(m, key); MAC(m) = E(hash(m), key)

  • CBC-based MAC algorithm. Algorithm CBC-MAC. INPUT: data x; specification of block cipher E; secret MAC key for E. OUTPUT: n-bit MAC on x. [Diagram labels: 0; X1, X2, ..., Xt (n bit each); E_key; h1, h2, ..., h_(t-1) (n bit each); optional output transformation; H = MAC]

  • Use of a MAC. Used to provide: data integrity, message authentication

  • Digital Signatures Scheme. Used to provide: data integrity, message authentication, non-repudiation

  • Difference between MAC and digital signature. To prove the validity of a MAC to a third party, you need to reveal the key

    If you can verify a MAC, you can also create it

    MAC does not allow a distinction to be made between the parties sharing the key

    Computing a MAC is (usually) much faster than computing a digital signature. Important for devices with low computing power

  • RSA signature algorithm

  • RSA. Developed in 1978 by Rivest, Shamir and Adleman (RSA)

    Most popular public key cryptosystem

    Based on the hard problem of integer factorization

  • Key-Generation for RSA (1). Generate two large random distinct primes p and q, each roughly the same size

    Compute n = pq and

    Select random integer e:

    Compute unique integer d:

    Public key is (n, e); Private key is d

  • Key-Generation for RSA (2). Usually numbers with the right bit length are chosen randomly and tested for primality

    Statistical tests are used to determine the probability that these numbers are primes, i.e. Strassen Test, Miller Rabin Test

    There is always an insignificantly low chance that the number is not prime

  • Used notation. M is a set of elements, called the message space = Zn

    MS is a set of elements, called the signing space = Zn

    R is a 1 to 1 mapping from M to MS, called the redundancy function

    MR is the image of R: {y | y = R(x), x ∈ M}

    R^-1 is the inverse of R: MR → M

  • RSA signature generation and verification. To sign a message, A should: Compute: where R(m) is a redundancy function; Compute: ; A's signature for m is s

    To verify A's signature and recover m, B should: Obtain A's authentic public key (n, e); Compute: ; Verify that ; if not, reject the signature; Recover

  • Proof that signature verification works. Euler's theorem: , where is the Euler's function of n

    If s is a signature for m, then:

    Since , then:


  • RSA signature example. Alice: p = 5, q = 7, n = 35, φ(n) = 4·6 = 24; e = 5; d: ed = 5d = 1 mod 24 => d = 5. Public key: (n = 35, e = 5). Private key: d = 5

    M = [0, n-1]. For all m ∈ M, R(m) = m. m = 26; R(m) = 26; s = 26^5 mod 35 = 31. Bob: R(m) = 31^5 mod 35 = 26 ∈ [0, n-1]; m = R^-1(m) = 26

  • Possible Attacks on RSA signature. Integer factorization: If an adversary is able to factor n, then

    Multiplicative property of RSA

    If , then s is valid signature for m: Hence, to avoid this attack R must not be multiplicative, i.e.
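The slide's RSA example and the multiplicative property can be checked directly. The following is an added example, not part of the original slides: it reuses the slide's key (p=5, q=7, e=d=5) and R(m)=m, and compares it with a hypothetical redundancy function R(m)=6m+1 on M={1..5}, which is constructed here only to show the M_R membership check rejecting a product of signatures.

```python
# Toy RSA signature with message recovery, using the slide's numbers.
p, q, e = 5, 7, 5
n, phi = p * q, (p - 1) * (q - 1)        # n = 35, phi(n) = 24
d = pow(e, -1, phi)                      # e*d = 1 mod 24  =>  d = 5

def sign(m, R):
    """A's side: s = R(m)^d mod n."""
    return pow(R(m), d, n)

def verify(s, M_R, R_inv):
    """B's side: compute s^e mod n, reject unless it lies in M_R, then recover m."""
    m_tilde = pow(s, e, n)
    return R_inv(m_tilde) if m_tilde in M_R else None

def forge(s1, s2):
    """Multiplicative property: the product of two signatures is a valid
    RSA signature on the product of the two signed values."""
    return (s1 * s2) % n

# Case 1: the slide's redundancy function R(m) = m on M = [0, n-1].
identity = lambda m: m
M_R_identity = range(n)

# Case 2: hypothetical non-multiplicative R(m) = 6m + 1 on M = {1..5}
# (constructed for this example; far too small to be secure).
affine = lambda m: 6 * m + 1
affine_inv = lambda y: (y - 1) // 6
M_R_affine = {affine(m) for m in range(1, 6)}    # {7, 13, 19, 25, 31}

def demo():
    s = sign(26, identity)                                   # slide: 31
    forged_id = forge(sign(2, identity), sign(3, identity))  # A never signed 6
    forged_af = forge(sign(2, affine), sign(3, affine))
    return (s,
            verify(s, M_R_identity, identity),               # 26
            verify(forged_id, M_R_identity, identity),       # 6 is accepted
            verify(forged_af, M_R_affine, affine_inv))       # None: rejected

if __name__ == "__main__":
    print(demo())
```

With a modulus this small some products of M_R elements still fall back into M_R by chance (7·31 ≡ 7 mod 35), so the second case only illustrates the check B performs, not a usable redundancy function.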

  • Performance characteristics. n = pq, where n is 2k-bit, p & q k-bit primes

    takes bit operations

    Verification is significantly faster than signing if e is chosen to be a small number, e.g.

    It is not recommended to restrict the size of d

  • Short vs. long messages. n = pq, where n is 2k bits, p & q k-bit primes. ISO/IEC 9796 R:

    To sign a kt-bit message m: Divide m = m1 || m2 || m3 || ... || mt and sign each block individually; one transmits 2kt bits.

    Sign an l-bit hash(m), l k. Then one transmits kt+2k bits. (kt to transmit the message)

    If t > 2, then kt+2k < 2kt

  • The Elliptic Curve Digital Signature Algorithm (ECDSA)

  • Elliptic curves (EC) over the reals. A non-singular EC is the set E of solutions to the equation

    together with a special point O, where

    has three distinct roots

  • An EC over the reals. y^2 = x^3 − 4x; 4a^3 + 27b^2 = −256

  • Addition: Geometric Approach. Chord-and-tangent rule: P + Q = R, P ≠ Q

    Point doubling: P + P = 2P = R. [Figure labels: P = (x1, y1), Q = (x2, y2), R = (x3, y3), −R = (x3, −y3)]

  • Addition: Algebraic Approach. E is elliptic curve over the reals ( is the identity element ). If


  • Galois Fields (Finite Fields) GF(q). Is a set of elements (G, +, *) that satisfy certain arithmetic properties

    Finite Field exists iff q is a prime power

    If q = p, p is prime: {0, 1, ..., p - 1} are the field elements. ADDITION: MULTIPLICATION: INVERSION:

  • Elliptic Curves Over Finite Fields. Over GF(p), p is prime, p > 3

    Elliptic curve E equation


    E consists of all pairs satisfying curve equation special point - point at infinity

  • Example 1: elliptic curve over GF(23). p = 23

    The points in E are O and the following: (0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15) (9, 11) (9, 12). 28 points + O = 29 points. Let's consider (4, 7): 64 + 4 + 4 = 72 = 3 (mod 23); 49 = 3 (mod 23)

  • Basic Facts. Let E(GF(q)) be an EC over GF(q). The points of E(GF(q)) form a group under addition. Hasse's theorem: Number of points on E (group order):

    If #E is prime then the group is cyclic and

    If #E has a prime factor, then there exists a cyclic subgroup

  • Example 2: elliptic curve over GF(23). p = 23

    The points in E are O and the following: P = (0, 2), 2P = (13, 12), 3P = (11, 9), 4P = (1, 12), 5P = (7, 20), 6P = (9, 11), 7P = (15, 9), 8P = (14, 5), 9P = (4, 7), 10P = (22, 5), 11P = (10, 5), 12P = (17, 9), 13P = (8, 15), 14P = (18, 9), 15P = (18, 14), 16P = (8, 8), 17P = (17, 14), 18P = (10, 18), 19P = (22, 18), 20P = (4, 16), 21P = (14, 18), 22P = (15, 17), 23P = (9, 12), 24P = (7, 3), 25P = (1, 11), 26P = (11, 14), 27P = (13, 11), 28P = (0, 21), 29P = O, 30P = P. 29 points

  • ECDSA parameters setup. Create (random) public abstract groups

    Domain Parameter Generate: Complex & public. DP often taken from published list.

    Domain Parameter Validate: Easy & public

    Key Pair Generate: Easy & private.

    Key Pair Validate: Easy & public.

  • ECDSA Domain Parameters. Domain parameters D = (q, a, b, G, n, h). Field size q, q = p or q = 2^m. Coefficients a, b in GF(q) of E = Ea,b(GF(q)): . Seed s of length 160 bits (optional). Base point G = (xG, yG) on curve E, i.e. . Order n of G: n is prime. Cofactor h: #E(GF(q)) = hn

  • Curve parameters generation (1). Input: GF(p), p is prime. Output: seed, curve coefficients a & b. Used notations:

  • Curve parameters generation (2). if abort and start again; Choose a, b; Result: y^2 = x^3 + ax + b; if Exclude singular curves

  • Isomorphism classes of ECs (1). E1: y^2 = x^3 + a1x + b1 and E2: y^2 = x^3 + a2x + b2 are isomorphic

    Step 3: Choose a,b

    There are only 2 variants for a and b in step 3

  • Isomorphism classes of ECs (2). Let's prove that there are precisely 2 choices for (a, b) in step 3: We can find a1, b1 and a2, b2:

    We can not find a3, b3 : E3 is not isomorphic to E1 or E2

  • Domain Parameter Generation. Domain parameters D = (q, a, b, G, n, h). Generate EC coeffs a & b; E(GF(q)): y^2 = x^3 + ax + b. Compute #E(GF(q)) (e.g. Schoof's algorithm). Verify that , n is prime; if not, go to step 1. Verify that ; if not, go to step 1. Verify that nq; if not, go to step 1. Select an arbitrary point . Set . Repeat until

  • Key pair

    D = (q, a, b, G, n, h). Key generation: Select random d: 1 ≤ d ≤ n-1; Q = dG; Q(xQ, yQ) is public, G is private. Alice (signer), Bob (verifier): (D, Q); Q is valid or not? Key validation:

    Check that: Q nQ = . If any check fails -> Q is invalid; else -> Q is valid

  • ECDSA generation & verification. Alice: parameters D = (q, a, b, G, n, h), associated keys (d, Q). To sign message m: k randomly chosen, 0 < k < n-1; kG = (x1, y1); r = x1 mod n; if r = 0, abort and start again; e = SHA-1(m); s = k^-1 (e + dr) mod n; if s = 0, abort and start again. Output: (r, s). Bob: parameters D = (q, a, b, G, n, h), Alice's public key Q, Alice's signature (r, s) on m. D, Q, m, r, s. Proof that signature verification works:

  • Ordinary DLP. Definition: Given: prime p, generator g of GF(p), nonzero element y ∈ GF(p). Find: the unique integer k, 0 ≤ k ≤ p − 2: y ≡ g^k (mod p). k is called the discrete logarithm of y to the base g

    Known attacks. The most efficient: Index Calculus Method O( )