Digital Signatures (DSs)

• The digital signatures cannot be separated from the message and attached to another

• The signature is not only tied to signer but also to the message that is being signed

• The digital signature needs to be easily verified by other parties

• Digital signature schemes therefore consist of two distinct steps: the signing process and the verification process

RSA Signatures

• Bob has a document m that Alice agrees to sign. Alice does the following.

• Alice chooses two primes: p, q and n=pq, makes (e,n) public with gcd(e,(p-1)(q-1))=1

de≡1 (mod φ(n)), she keeps p,q,d secret

。 Alice’s signature is y≡md (mod n)

。 Alice then makes the pair (y,m) public

How does Bob verify Alice’s Signature

• Download Alice’s (e,n)

• Compute z≡ye (mod n)

• If z=m, then Bob accepts the signature as valid; otherwise the signature is not valid

Blind Signatures (1/2)

• Alice chooses n=pq, find e, and solve d as required in RSA scheme,i.e., ed≡1(mod n)

• Bod chooses a random k with gcd(k,n)=1, computes t≡kem (mod n) for message m, and sends t to Alice

• Alice signs t by computing s≡td (mod n). She returns s to Bob

• Bob computes sk-1 (mod n) to get the signed message md

Blind Signatures (2/2)

• sk-1 ≡tdk-1≡(kem)dk-1≡md(ked) k-1≡ md

• Alice has never seen the message m

• t≡kem and s≡td, then sk-1 ≡ md (mod n)

• The choice of k is random, therefore, t≡ke

m (mod n) gives essentially no information about m. In this way, Alice knows nothing about the message m she is signing.

ElGamal Signature Scheme

• One feature that is different from RSA is that, with this method, there are many different signatures that are valid for a given message

• Suppose Alice wants to sign a message m. To start, Alice chooses a large prime p and a primitive root α. Alice next chooses a secret integer (key) a, 1≤a≤p-2, and computes β≡αa (mod p), (p,α,β) are made public.

Alice signs the message m via

• Select a secret random k such that gcd(k,p-1)=1

• Computes r≡αk (mod p)

• Computes s≡k-1(m-ar) (mod p-1)

• The signed message is the triple (m,r,s)

Bob verifies the signature via

• Download Alice’s public key (p,α,β) • Computes u≡βrrs and w≡αm (mod p)• The signature is declared valid iff u≡w (mod p) Proof: w≡αm≡αsk+ar≡(αa)r(αk)s ≡βrrs≡u (mod p) More details from p.246~248

ElGamal Signature for one

Alice wants to sign m1=151405 (one). She

chooses p=225119; a primitive root α=11.

She chooses a secret number a, computes

β≡αa ≡18191 (mod p).

To sign the message, she picks up a random k and keeps it secret. She computes r≡αk ≡164130 (mod p), and s1≡k-1(m1-ar)≡130777 (mod p-1)

The signed message is (151405, 164130, 130777)

ElGamal Signature for two

Alice then signs m2=202315 (two) with the same k, where (p,α)=(225119,11), hence r has the same value and the signed message is

(202315, 164130, 164899). Then we have

-34122k ≡ (s1-s2)k ≡ m1-m2 ≡ -50910 (mod p-1)

Since gcd(-34122,p-1)=2, so there are two k’s:

k=239 and k=112798 (mod p-1)

Since α239 ≡164130, α112789 ≡59924 (mod p),

k=239 leads to the correct value r=164130

Dangerous for the same key to different documents

Rewrite s1k≡m1-ar (mod p-1) to obtain

164130a≡ar≡ m1- s1k≡187104 (mod p-1)

Since gcd(164130, p-1)=2, there are two solutions for a’s: a=28862 and a=141421

Since α=11, β=18191, and

α28862 ≡206928, α141421 ≡18191 (mod p)

Therefore the key a=141421 is revealed.

Hash Functions

• A cryptographic hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. Certain properties should be satisfied.

(1) Given a message m, the message digest h(m) can be calculated very quickly.

(2) Given a digest message y, it is computationally infeasible to find an m with h(m)=y. In other words, h is a one-way, or preimage resistant, function.

(3) It is computationally infeasible to find messages x, y such that h(x)=h(y), i.e., h is strongly collision-free.

Examples

• Let n=bkbk-1…b1b0 , define h(n)=bk⊕…⊕b0 , Thus, this h does not satisfy (2)

• The discrete log hash function due to Chaum, van Heijst, and Pfitzmann

Select a large prime p such that q=(p-1)/2 is prime, let

α,βbe two primitive roots mod p which satisfyαa ≡ β (mod p) and a is a secret number, let m=x+yq, with 0≤x,y ≤q-1, Define a hash function h(m)≡αx βy (mod p)

Proposition (p.184)

• If we know messages m≠n with h(m)=h(n), then we can determine the discrete logarithm a=Lα(β).

(Proof) Write m=x+yq, n=r+sq. Suppose h(m)=h(n) i.e., αxβy ≡ αrβs (mod p), since αa ≡ β (mod p), hence αa(y-s)-(x-r) ≡1 (mod p)Therefore a(y-s)≡(x-r) (mod p-1). Since p-1=2qhas only 4 divisors: 1,2,q,p-1, so d=gcd(y-s,p-1)=1 or 2. Thus, we can get the secret a.

Other Hash Functions

☺MD family: MD4, MD5 due to Rivest

☺NIST’s Secure Hash Algorithm (SHA) which yields a 160-bit message digest

[Stinson] [Schneier] [Menezes et al.]

Hashing, Signing, and Applications

• Sending (m,sig(h(m))) instead of (m,sig(m)) could significantly reduce the size of digital signatures.

• An appropriate hash function should be chosen. In particular, in electronic exchanges in E-commerce.

Birthday Attacks

• If there are 23 people in a room, the probability 50.7% that two of them have the same birthday. If there are 30 people, the probability is increasing up to 70%.

• The probability of 23 people do not have the same birthday is

(1-1/365)(1-2/365)…(1-22/365) = 0.493

A Birthday Attack on Discrete Log

• Suppose we want to evaluate La(b) with a large p. We can do by a birthday attack in the following procedures:

1. The first list contains numbers ak (mod p) for approximately p1/2 randomly chosen values of k.

2. The first list contains numbers ba-j (mod p) for approximately p1/2 randomly chosen values of j.

There is a good chance that there is a match between some element on the 1st list and one on the 2nd list. If so, ak ≡ba-j (mod p) and hence ak+j ≡b (mod p)

x≡k+j (mod p-1) is the discrete log solution

Digital Signature Algorithm (DSA)

• The NIST proposed the DSA in 1991 and adopted it as a standard in 1994. The message digest is a 160-bit output of a hash function. The generate keys for DSA proceeds as follows. First, there is an initialization phase:

Initialization Phase

• Alice finds a prime q that is 160 bits long and chooses a prime p that satisfies q|p-1. The discrete log problem should be hard for this choice of p (e.g., p is 512-bit long).

• Let g be a primitive root mod p and let α≡g(p-1)/q

(mod p). Then αq ≡1 (mod p).• Alice chooses a secret a such that 1≤a<q-1 and

calculates β≡αa (mod p)• Alice publishes (p,q, α, β) and keeps a secret

The signing process

• Alice signs a message m by the following procedure:

1. Select a random, secret integer k, such that 0<k<q-1

2. Compute r≡(αk (mod p)) (mod q)

3. Compute s≡k-1(m+ar) (mod q)

4. Alice’s signature for m is (r,s), which she sends to Bob along with m.

Verification

• For Bob to verify, he must

1. Download Alice’s public information (p,q,α,β)

2. Compute u≡s-1m , v≡s-1r (mod q)

3. Compute w≡( αuβv (mod p)) (mod q)

4. Accept the signature iff w=r

Simple Exercises from p.252-255

• Exercises 1,2,3,4

• Computer Problem 1