Lecture 8 Digital Signatures
This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature of a message is a number dependent on some secret known only to the signer, and, additionally, on the content of the message being signed. Signatures must be verifiable: if a dispute arises as to whether a party signed a document (caused by either a lying signer trying to repudiate a signature it did create, or a fraudulent claimant), an unbiased third party should be able to resolve the matter equitably, without requiring access to the signer’s secret information (private key).
Digital signatures have many applications in information security, including authentication, data integrity, and non-repudiation. One of the most significant applications of digital signatures is the certification of public keys in large networks. Certification is a means for a trusted third party (TTP) to bind the identity of a user to a public key, so that at some later time, other entities can authenticate a public key without assistance from a trusted third party.
The concept and utility of a digital signature was recognized several years before any practical realization was available. The first method discovered was the RSA signature scheme, which remains today one of the most practical and versatile techniques available. Subsequent research has resulted in many alternative digital signature techniques. Some offer significant advantages in terms of functionality and implementation.
Outline
1. The RSA Signature Scheme
2. The ElGamal Family Signature Schemes
3. Birthday Attacks
1 The RSA Signature Scheme
1.1 Description
Algorithm 1. Key generation for the RSA signature scheme
SUMMARY: each entity creates an RSA public key and a corresponding private key.
Each entity $A$ should do the following:
(1) Generate two large distinct random primes $p$ and $q$, each roughly the same size.
(2) Compute $n = pq$ and $\phi = (p-1)(q-1)$.
(3) Select a random integer $e$, $1 < e < \phi$, such that $\gcd(e, \phi) = 1$.
(4) Use the extended Euclidean algorithm to compute the unique integer $d$, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$.
(5) $A$'s public key is $(n, e)$; $A$'s private key is $d$.
Algorithm 2. RSA signature generation and verification
SUMMARY: entity $A$ signs a message $m$. Any entity $B$ can verify $A$'s signature and recover the message $m$ from the signature.
1. Signature generation. Entity $A$ should do the following:
(1) Compute $\tilde{m} = R(m)$, an integer in the range $[0, n-1]$.
(2) Compute $s = \tilde{m}^d \bmod n$.
(3) $A$'s signature for $m$ is $s$.
2. Verification. To verify $A$'s signature $s$ and recover the message $m$, $B$ should:
(1) Obtain $A$'s authentic public key $(n, e)$.
(2) Compute $\tilde{m} = s^e \bmod n$.
(3) Verify that $\tilde{m}$ has the required redundancy; if not, reject the signature.
(4) Recover $m = R^{-1}(\tilde{m})$.
Proof that signature verification works. If $s$ is a signature for a message $m$, then $s \equiv \tilde{m}^d \pmod{n}$, where $\tilde{m} = R(m)$. Since $ed \equiv 1 \pmod{\phi}$, $s^e \equiv \tilde{m}^{ed} \equiv \tilde{m} \pmod{n}$. Finally, $R^{-1}(\tilde{m}) = R^{-1}(R(m)) = m$.
Comment. A redundancy function $R$ and its inverse $R^{-1}$ are chosen and public knowledge. This redundancy function is suitable provided that no judicious choice of a random number $s$ on the part of an adversary will have a non-negligible probability of yielding a valid signature.
1.2 Example
Example 1.
Key generation. Entity $A$ selects primes $p = 7927$, $q = 6997$, and computes $n = pq = 55465219$ and $\phi = 7926 \times 6996 = 55450296$. $A$ chooses $e = 5$ and solves $ed = 5d \equiv 1 \pmod{55450296}$, yielding $d = 44360237$. $A$'s public key is $(n = 55465219, e = 5)$; $A$'s private key is $d = 44360237$.
Signature generation. For the sake of simplicity, assume that the redundancy function $R$ is the identity map $R(m) = m$. To sign a message $m = 31229978$, $A$ computes $\tilde{m} = R(m) = 31229978$, and computes the signature $s = \tilde{m}^d \bmod n = 31229978^{44360237} \bmod 55465219 = 30729435$.
Signature verification. $B$ computes $\tilde{m} = s^e \bmod n = 30729435^5 \bmod 55465219 = 31229978$. Finally, $B$ accepts the signature since $\tilde{m}$ has the required redundancy, and recovers $m = R^{-1}(\tilde{m}) = 31229978$.
1.3 Possible Attacks on RSA Signatures
1.3.1 Integer Factorization
If an adversary is able to factor the public modulus $n$ of some entity $A$, then the adversary can compute $\phi$ and then, using the extended Euclidean algorithm, deduce the private key $d$ from $\phi$ and the public exponent $e$ by solving $ed \equiv 1 \pmod{\phi}$. This constitutes a total break of the system. To guard against this, $A$ must select $p$ and $q$ so that factoring $n$ is a computationally infeasible task.
1.3.2 Multiplicative Property of RSA
The RSA signature scheme has the following multiplicative property, sometimes referred to as the homomorphic property. If $s_1 = m_1^d \bmod n$ and $s_2 = m_2^d \bmod n$ are signatures on messages $m_1$ and $m_2$, respectively, then $s = s_1 s_2 \bmod n$ has the property that $s = (m_1 m_2)^d \bmod n$. If $m = m_1 m_2$ has the proper redundancy then $s$ will be a valid signature for it. Hence, it is important that the redundancy function $R$ is not multiplicative, i.e., for essentially all pairs $a, b$, $R(a \cdot b) \ne R(a)R(b)$. This condition on $R$ is necessary but not sufficient for security.
Example 2. Let $n$ be an RSA modulus and $d$ the private key. Let $k = \lceil \lg n \rceil$ be the bitlength of $n$, and let $t$ be a fixed positive integer such that $t < k/2$. Let $w = 2^t$ and let messages be integers $m$ in the interval $[1, n 2^{-t} - 1]$. The redundancy function $R$ is taken to be $R(m) = m 2^t$ (the least significant $t$ bits of the binary representation of $R(m)$ are 0's). For most choices of $n$, $R$ will not have the multiplicative property.
Example 2 (Continued). Suppose that an adversary wishes to forge a signature on a message $m$. Apply the extended Euclidean algorithm to $n$ and $\tilde{m} = R(m) = m 2^t = mw$. At each stage of the extended Euclidean algorithm, integers $x$, $y$, and $r$ are computed such that $xn + y\tilde{m} = r$. It can be shown that at some stage there exists a $y$ and $r$ such that $|y| < n/w$ and $r < n/w$. If $y > 0$, form integers $m_2 = rw$ and $m_3 = yw$. If $y < 0$, form integers $m_2 = rw$ and $m_3 = -yw$. In either case, $m_2$ and $m_3$ have the required redundancy. If signatures $s_2 = m_2^d \bmod n$ and $s_3 = m_3^d \bmod n$ are obtained from the legitimate signer, then the adversary can compute a signature for $m$ as follows:
If $y > 0$, compute $\frac{s_2}{s_3} = \frac{m_2^d}{m_3^d} = \left(\frac{rw}{yw}\right)^d = \left(\frac{r}{y}\right)^d = \tilde{m}^d \bmod n$;
If $y < 0$, compute $\frac{s_2}{-s_3} = \frac{m_2^d}{(-m_3)^d} = \left(\frac{rw}{yw}\right)^d = \left(\frac{r}{y}\right)^d = \tilde{m}^d \bmod n$.
1.4 Implementation of RSA Signatures
1.4.1 Reblocking Problem
One suggested use of RSA is to sign a message and then encrypt the resulting signature. One must be concerned about the relative sizes of the moduli involved when implementing this procedure. Suppose that $A$ wishes to sign and then encrypt a message for $B$. Suppose that $(n_A, e_A)$ and $(n_B, e_B)$ are $A$'s and $B$'s public keys, respectively. If $n_A > n_B$, then there is a chance that the message cannot be recovered by $B$.
Example 3. Let $n_A = 8387 \times 7499 = 62894113$, $e_A = 5$, and $d_A = 37726937$; and $n_B = 55465219$, $e_B = 5$, $d_B = 44360237$. Notice that $n_A > n_B$. Suppose $m = 1368797$ is a message with redundancy to be signed under $A$'s private key and then encrypted using $B$'s public key. $A$ computes the following:
(1) $s = m^{d_A} \bmod n_A = 1368797^{37726937} \bmod 62894113 = 59847900$.
(2) $c = s^{e_B} \bmod n_B = 59847900^5 \bmod 55465219 = 38842235$.
To recover the message and verify the signature, $B$ computes the following:
(1) $\hat{s} = c^{d_B} \bmod n_B = 38842235^{44360237} \bmod 55465219 = 4382681$.
(2) $\hat{m} = \hat{s}^{e_A} \bmod n_A = 4382681^5 \bmod 62894113 = 54383568$.
Observe that $m \ne \hat{m}$. The reason for this is that $s$ is larger than the modulus $n_B$.
There are various ways to overcome the reblocking problem.
(1) Reordering. The problem of incorrect decryption will never occur if the operation using the smaller modulus is performed first. That is, if $n_A > n_B$, then entity $A$ should first encrypt the message using $B$'s public key, and then sign the resulting ciphertext using $A$'s private key. The preferred order of operations, however, is always to sign the message first and then encrypt the signature; for if $A$ encrypts first and then signs, an adversary could remove the signature and replace it with its own signature. Even though the adversary will not know what is being signed, there may be situations where this is advantageous to the adversary. Thus, reordering is not a prudent solution.
(2) Two moduli per entity. Have each entity generate separate moduli for encrypting and for signing. If each user's signing modulus is smaller than all of the possible encrypting moduli, then incorrect decryption never occurs. This can be guaranteed by requiring encrypting moduli to be $(t+1)$-bit numbers and signing moduli $t$-bit numbers.
(3) Prescribing the form of the modulus. In this method, one selects the primes $p$ and $q$ so that the modulus $n$ has a special form: the highest-order bit is a 1 and the $k$ following bits are all 0's. A $t$-bit modulus $n$ of this form can be found as follows. For $n$ to have the required form, $2^{t-1} \le n < 2^{t-1} + 2^{t-k-1}$. Select a random $\lceil t/2 \rceil$-bit prime $p$, and search for a prime $q$ in the interval between $\lceil 2^{t-1}/p \rceil$ and $\lfloor (2^{t-1} + 2^{t-k-1})/p \rfloor$; then $n = pq$ is a modulus of the required type.
Example 4. Suppose one wants to construct a 12-bit modulus $n$ such that the high order bit is a 1 and the next $k = 3$ bits are 0's. Begin by selecting a 6-bit prime $p = 37$. Select a prime $q$ in the interval between $\lceil 2^{11}/p \rceil = 56$ and $\lfloor (2^{11} + 2^{8})/p \rfloor = 62$. The possibilities for $q$ are 59 and 61. If $q = 59$ is selected, then $n = 37 \times 59 = 2183$, having binary representation 100010000111. If $q = 61$ is selected, then $n = 37 \times 61 = 2257$, having binary representation 100011010001.
(3) (Continued) This choice for the modulus does not completely prevent the incorrect decryption problem, but it can reduce the probability of its occurrence to a negligibly small number. Suppose that $n_A$ is such a modulus and $s = m^{d_A} \bmod n_A$ is a signature on $m$. Suppose further that $s$ has a 1 in one of the high-order $k+1$ bit positions, other than the highest. Then $s$, since it is smaller than $n_A$, must have a 0 in the highest-order bit position and so is necessarily smaller than any other modulus of a similar form. The probability that $s$ does not have any 1's in the high-order $k+1$ bit positions, other than the highest, is less than $(1/2)^k$, which is negligibly small if $k$ is selected to be around 100.
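An added example (not from the original lecture) that reproduces the reblocking failure of Example 3 and shows that the round trip never fails when the signing modulus is the smaller one, as remedy (2) requires. The function names and the guard are assumptions made for illustration; the keys are the toy keys of Example 3.

```python
# Toy keys from Example 3 on this page (far too small for real use).
KEY_A = {"n": 62894113, "e": 5, "d": 37726937}
KEY_B = {"n": 55465219, "e": 5, "d": 44360237}


def sign_then_encrypt(m, signer, recipient):
    """Return (s, c): s = m^d mod n_signer, then c = s^e mod n_recipient."""
    s = pow(m, signer["d"], signer["n"])
    c = pow(s, recipient["e"], recipient["n"])
    return s, c


def decrypt_then_recover(c, signer, recipient):
    """Return (s_hat, m_hat) exactly as the recipient would compute them."""
    s_hat = pow(c, recipient["d"], recipient["n"])
    m_hat = pow(s_hat, signer["e"], signer["n"])
    return s_hat, m_hat


def round_trip_ok(m, signer, recipient):
    """True when the recipient recovers the message that was signed."""
    _, c = sign_then_encrypt(m, signer, recipient)
    return decrypt_then_recover(c, signer, recipient)[1] == m


def guarded_sign_then_encrypt(m, signer, recipient):
    """Refuse to send a signature that the recipient's modulus would wrap."""
    s, c = sign_then_encrypt(m, signer, recipient)
    if s >= recipient["n"]:
        raise ValueError("signature >= recipient modulus; it cannot be recovered")
    return c


def failures(messages, signer, recipient):
    """Messages whose sign-then-encrypt round trip does not return the message."""
    return [m for m in messages if not round_trip_ok(m, signer, recipient)]


if __name__ == "__main__":
    m = 1368797  # message from Example 3
    s, c = sign_then_encrypt(m, KEY_A, KEY_B)
    print("s =", s, "exceeds n_B:", s >= KEY_B["n"])
    print("recipient computes:", decrypt_then_recover(c, KEY_A, KEY_B))
    # A signs with the larger modulus: some messages are lost.
    print("A -> B failures in 1..499:", len(failures(range(1, 500), KEY_A, KEY_B)))
    # B signs with the smaller modulus: no message is lost.
    print("B -> A failures in 1..499:", len(failures(range(1, 500), KEY_B, KEY_A)))
```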
1.4.2 Short vs. Long Messages
The signature is at least as long as the message. This is a disadvantage when the message is long. To remedy the situation, a hash function is used. The signature scheme is then applied to the hash of the message, rather than to the message itself. The redundancy function R is no longer critical to the security of the signature scheme.
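The multiplicative property of section 1.3.2 and the effect of signing a hash instead of the message, as an added example (not part of the original lecture). It uses the toy key of Example 1; the sample messages, the SHA-256 digest reduced mod n, and all function names are assumptions made for illustration.

```python
import hashlib

# Toy key from Example 1 on this page; far too small for real use.
P, Q, E = 7927, 6997, 5
N = P * Q                          # 55465219
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, 44360237


def sign_identity(m: int) -> int:
    """Algorithm 2 with the identity redundancy function R(m) = m."""
    if not 0 <= m < N:
        raise ValueError("message must lie in [0, n - 1]")
    return pow(m, D, N)


def recover_identity(s: int) -> int:
    """Recover m = s^e mod n; with R = identity every value is accepted."""
    return pow(s, E, N)


def digest(message: bytes) -> int:
    """Assumed encoding: SHA-256 reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_hashed(message: bytes) -> int:
    """Sign the hash of the message rather than the message itself."""
    return pow(digest(message), D, N)


def verify_hashed(message: bytes, s: int) -> bool:
    """Signature with appendix: the verifier needs the message as input."""
    return pow(s, E, N) == digest(message)


def combine(s1: int, s2: int) -> int:
    """What anyone holding two signatures can compute without the private key."""
    return (s1 * s2) % N


def demo() -> dict:
    m1, m2 = 1234, 5678                      # constructed sample messages
    product = (m1 * m2) % N
    # Identity redundancy: the product of two signatures signs the product.
    s_product = combine(sign_identity(m1), sign_identity(m2))
    # Hashed signing: the same product is not a signature on the product message.
    b1, b2 = str(m1).encode(), str(m2).encode()
    h_product = combine(sign_hashed(b1), sign_hashed(b2))
    return {
        "identity_product_accepted": recover_identity(s_product) == product,
        "hashed_product_accepted": verify_hashed(str(product).encode(), h_product),
        "hashed_genuine_accepted": verify_hashed(b1, sign_hashed(b1)),
    }


if __name__ == "__main__":
    print(demo())
```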
Suppose $n$ is a $2k$-bit RSA modulus which is used in Algorithm 2 to sign $k$-bit messages. Suppose entity $A$ wishes to sign a $kt$-bit message $m$. One approach is to partition $m$ into $k$-bit blocks such that $m = m_1 \| m_2 \| \cdots \| m_t$ and sign each block individually, but this is not recommended. The bandwidth requirement for this is $2kt$ bits. Alternatively, $A$ could hash message $m$ to a bitstring of length $l \le k$ and sign the hash value. The bandwidth requirement for this signature is $kt + 2k$, where the term $kt$ comes from sending the message $m$. Since $kt + 2k \le 2kt$ whenever $t \ge 2$, it follows that the most bandwidth efficient method is to use RSA digital signatures with hash function. For a message of size at most $k$-bits, RSA without hash function is preferred.
1.4.3 Performance Characteristics of Signature Generation and Verification
Let $n = pq$ be a $2k$-bit RSA modulus where $p$ and $q$ are each $k$-bit primes. Computing a signature $s = m^d \bmod n$ for a message $m$ requires $O(k^3)$ bit operations. Verification of signatures is significantly faster than signing if the public exponent is chosen to be a small number. If this is done, verification requires $O(k^2)$ bit operations. Suggested values for $e$ in practice are 3 or $2^{16} + 1$.
The RSA signature scheme is thus ideally suited to situations where signature verification is the predominant operation being performed. For example, when a trusted third party creates a public-key certificate for an entity $A$, this requires only one signature generation, and this signature may be verified many times by various other entities.
1.4.4 Parameter Selection
A modulus of at least 1024 bits is recommended for signatures which require much longer lifetimes or which are critical to the overall security of a large network. It is prudent to remain aware of progress in integer factorization, and to be prepared to adjust parameters accordingly.
No weaknesses in the RSA signature scheme have been reported when the public exponent e is chosen to be a small number such as 3 or $2^{16} + 1$. It is not recommended to restrict the size of the private exponent d in order to improve the efficiency of signature generation.
1.4.5 System-Wide Parameters
Each entity must have a distinct RSA modulus; it is insecure to use a system-wide modulus. The public exponent e can be a system-wide parameter, and is in many applications.
2 The ElGamal Family Signature Schemes
Most of the signature schemes are presented modulo p for some large prime p, but all of these mechanisms can be generalized to any finite cyclic group. All of the methods discussed in this part are randomized digital signature schemes. A necessary condition for the security of all of the signature schemes is that computing logarithms modulo p should be computationally infeasible. This condition, however, is not necessarily sufficient for the security of these schemes.
2.1 The Digital Signature Algorithm
In August of 1991, the U.S. National Institute of Standards and Technology (NIST) proposed a digital signature algorithm (DSA). The DSA has become a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS), and is the first digital signature scheme recognized by any government. The algorithm is a variant of the ElGamal scheme.
2.1.1 Description
Algorithm 3. Key generation for the DSA
SUMMARY: each entity creates a public key and corresponding private key.
Each entity $A$ should do the following:
(1) Select a prime number $q$ such that $2^{159} < q < 2^{160}$.
(2) Choose $t$ so that $0 \le t \le 8$, and select a prime number $p$ where $2^{511+64t} < p < 2^{512+64t}$, with the property that $q$ divides $(p-1)$.
(3) (Select an element $\alpha$ with order $q$ in the multiplicative group modulo $p$.)
(3.1) Select an element $g$ and compute $\alpha = g^{(p-1)/q} \bmod p$.
(3.2) If $\alpha = 1$ then go to step (3.1).
(4) Select a random integer $a$ such that $1 \le a \le q-1$.
(5) Compute $y = \alpha^a \bmod p$.
(6) $A$'s public key is $(p, q, \alpha, y)$; $A$'s private key is $a$.
Algorithm 4. DSA signature generation and verification
SUMMARY: entity $A$ signs a binary message $m$ of arbitrary length. Any entity $B$ can verify this signature by using $A$'s public key.
1. Signature generation. Entity $A$ should do the following:
(1) Select a random secret integer $k$, $0 < k < q$.
(2) Compute $r = (\alpha^k \bmod p) \bmod q$.
(3) Compute $s = k^{-1}(h(m) + ar) \bmod q$.
(4) $A$'s signature for $m$ is the pair $(r, s)$.
2. Verification. To verify $A$'s signature $(r, s)$ on $m$, $B$ should do the following:
(1) Obtain $A$'s authentic public key $(p, q, \alpha, y)$.
(2) Verify that $0 < r < q$ and $0 < s < q$; if not, then reject the signature.
(3) Compute $w = s^{-1} \bmod q$ and $h(m)$.
(4) Compute $u_1 = w \cdot h(m) \bmod q$ and $u_2 = rw \bmod q$.
(5) Compute $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$.
(6) Accept the signature if and only if $v = r$.
Proof that signature verification works. If $(r, s)$ is a legitimate signature of entity $A$ on message $m$, then $h(m) \equiv -ar + ks \pmod{q}$ must hold. Multiplying both sides of this congruence by $w$ and rearranging gives $w \cdot h(m) + arw \equiv k \pmod{q}$. But this is simply $u_1 + a u_2 \equiv k \pmod{q}$. Raising $\alpha$ to both sides of this equation yields $(\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (\alpha^k \bmod p) \bmod q$. Hence, $v = r$, as required.
Example 5.
Key generation. $A$ selects primes $p = 124540019$ and $q = 17389$ such that $q$ divides $(p-1)$; here, $(p-1)/q = 7162$. $A$ selects a random element $g = 110217528$ and computes $\alpha = g^{7162} \bmod p = 10083255$. Since $\alpha \ne 1$, $\alpha$ is an element with order $q$. $A$ next selects a random integer $a = 12496$ satisfying $1 \le a \le q-1$, and computes $y = \alpha^a \bmod p = 119946265$. $A$'s public key is $(p = 124540019, q = 17389, \alpha = 10083255, y = 119946265)$, while $A$'s private key is $a = 12496$.
Signature generation. To sign $m$, $A$ selects a random integer $k = 9557$, and computes $r = (\alpha^k \bmod p) \bmod q = 34$. $A$ then computes $k^{-1} \bmod q = 7631$, $h(m) = 5246$, and finally $s = k^{-1}(h(m) + ar) \bmod q = 13049$. The signature for $m$ is the pair $(r = 34, s = 13049)$.
Signature verification. $B$ computes $w = s^{-1} \bmod q = 1799$, $u_1 = w \cdot h(m) \bmod q = 12716$, and $u_2 = rw \bmod q = 8999$. $B$ then computes $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (10083255^{12716} \cdot 119946265^{8999} \bmod 124540019) \bmod 17389 = 27039929 \bmod 17389 = 34$. Since $v = r$, $B$ accepts the signature.
2.1.2 Security and Implementations of DSA
(1) The security of the DSA relies on two distinct but related discrete logarithm problems. One is the logarithm problem modulo $p$; the other is the logarithm problem in the cyclic subgroup with order $q$.
(2) The size of $q$ is fixed by Algorithm 3 (as FIPS 186) at 160 bits, while the size of $p$ can be any multiple of 64 between 512 and 1024 bits inclusive. A 512-bit prime $p$ provides marginal security against a concerted attack. FIPS 186 does not permit primes $p$ larger than 1024 bits.
(3) Signature generation mainly requires one modular exponentiation, taking on average 240 modular multiplications. The DSA has the advantage that the exponentiation can be precomputed and need not be done at the time of signature generation. By comparison, no precomputation is possible with the RSA signature scheme. The major portion of the work for signature verification is two exponentiations modulo $p$, each to 160-bit exponents. On average, these each require 240 modular multiplications or 480 in total. Some savings can be realized by doing the two exponentiations simultaneously; the cost, on average, is then 280 modular multiplications.
(4) It is not necessary for each entity to select its own primes $p$ and $q$. The DSS permits $p$, $q$, and $\alpha$ to be system-wide parameters. This does, however, present a more attractive target for an adversary.
(5) Verification requires the computation of $s^{-1} \bmod q$. If $s = 0$, then $s^{-1}$ does not exist. To avoid this situation, the signer may check that $s \ne 0$; but if $s$ is assumed to be a random element, then the probability that $s = 0$ is $(1/2)^{160}$. In practice, this is extremely unlikely ever to occur. The signer may also check that $r \ne 0$. If the signer detects that either $r = 0$ or $s = 0$, a new value of $k$ should be generated.
2.2 The ElGamal Signature Scheme
2.2.1 Description
Algorithm 5. Key generation for the ElGamal signature scheme
SUMMARY: each entity creates a public key and corresponding private key.
Each entity $A$ should do the following:
(1) Generate a large random prime $p$ and a generator $\alpha$ of the multiplicative group modulo $p$.
(2) Select a random integer $a$, $1 \le a \le p-2$.
(3) Compute $y = \alpha^a \bmod p$.
(4) $A$'s public key is $(p, \alpha, y)$; $A$'s private key is $a$.
Algorithm 6. ElGamal signature generation and verification
SUMMARY: entity $A$ signs a binary message $m$ of arbitrary length. Any entity $B$ can verify this signature by using $A$'s public key.
1. Signature generation. Entity $A$ should do the following:
(1) Select a random secret integer $k$, $1 \le k \le p-2$, with $\gcd(k, p-1) = 1$.
(2) Compute $r = \alpha^k \bmod p$.
(3) Compute $s = k^{-1}(h(m) - ar) \bmod (p-1)$.
(4) $A$'s signature for $m$ is the pair $(r, s)$.
2. Verification. To verify $A$'s signature $(r, s)$ on $m$, $B$ should do the following:
(1) Obtain $A$'s authentic public key $(p, \alpha, y)$.
(2) Verify that $1 \le r \le p-1$; if not, then reject the signature.
(3) Compute $v_1 = y^r r^s \bmod p$.
(4) Compute $h(m)$ and $v_2 = \alpha^{h(m)} \bmod p$.
(5) Accept the signature if and only if $v_1 = v_2$.
Proof that signature verification works. If the signature was generated by $A$, then $s \equiv k^{-1}(h(m) - ar) \pmod{p-1}$. Multiplying both sides by $k$ gives $ks \equiv h(m) - ar \pmod{p-1}$, and rearranging yields $h(m) \equiv ar + ks \pmod{p-1}$. This implies $\alpha^{h(m)} \equiv \alpha^{ar + ks} \equiv (\alpha^a)^r r^s \pmod{p}$. Thus, $v_1 = v_2$, as required.
2.2.2 Example
Example 6.
Key generation. $A$ selects the prime $p = 2357$ and a generator $\alpha = 2$. $A$ chooses the private key $a = 1751$ and computes $y = \alpha^a \bmod p = 2^{1751} \bmod 2357 = 1185$. $A$'s public key is $(p = 2357, \alpha = 2, y = 1185)$.
Signature generation. For simplicity, messages will be integers and $h(m) = m$ (i.e., for this example only, take $h$ to be the identity function). To sign the message $m = 1463$, $A$ selects a random integer $k = 1529$, computes $r = \alpha^k \bmod p = 2^{1529} \bmod 2357 = 1490$, and $k^{-1} \bmod (p-1) = 245$. Finally, $A$ computes $s = 245(1463 - 1751 \cdot 1490) \bmod 2356 = 1777$. $A$'s signature for $m = 1463$ is the pair $(r = 1490, s = 1777)$.
Signature verification. $B$ computes $v_1 = 1185^{1490} \cdot 1490^{1777} \bmod 2357 = 1072$, $h(m) = 1463$, and $v_2 = 2^{1463} \bmod 2357 = 1072$. $B$ accepts the signature since $v_1 = v_2$.
2.2.3 Security of ElGamal Signatures
(1) An adversary might attempt to forge $A$'s signature on $m$ by selecting a random integer $k$ and computing $r = \alpha^k \bmod p$. The adversary must then determine $s = k^{-1}(h(m) - ar) \bmod (p-1)$. If the discrete logarithm problem is computationally infeasible, the adversary can do no better than to choose an $s$ at random; the success probability is only $1/p$, which is negligible for large $p$.
(2) A different $k$ must be selected for each message signed; otherwise, the private key can be determined with high probability.
(3) If no hash function $h$ is used, the signing equation is $s = k^{-1}(m - ar) \bmod (p-1)$. It is then easy for an adversary to mount a forgery attack as follows. Select any pair of integers $(u, v)$ with $\gcd(v, p-1) = 1$. Compute $r = \alpha^u y^v \bmod p = \alpha^{u+av} \bmod p$ and $s = -r v^{-1} \bmod (p-1)$. The pair $(r, s)$ is a valid signature for the message $m = su \bmod (p-1)$, since $y^r r^s \equiv y^r \alpha^{su} y^{sv} \equiv y^r \alpha^{su} y^{-r} \equiv \alpha^{su} \equiv \alpha^m \pmod{p}$.
(4) Step (2) of verification in Algorithm 6 requires the verifier to check that $0 < r < p$. If this check is not done, then an adversary can sign messages of its choice provided it has one valid signature created by entity $A$, as follows. Suppose that $(r, s)$ is a signature for message $m$ produced by $A$. The adversary selects a message $m'$ of its choice and computes $h(m')$ and $u = h(m') \cdot [h(m)]^{-1} \bmod (p-1)$ (assuming $[h(m)]^{-1} \bmod (p-1)$ exists). It then computes $s' = su \bmod (p-1)$ and $r'$ such that $r' \equiv ru \pmod{p-1}$ and $r' \equiv r \pmod{p}$. The latter is always possible by the Chinese Remainder Theorem. The pair $(r', s')$ is a signature for message $m'$ which would be accepted by the verification algorithm, i.e. $y^{r'} (r')^{s'} \equiv y^{ru} r^{su} \equiv (y^r r^s)^u \equiv \alpha^{h(m)u} \equiv \alpha^{h(m')} \pmod{p}$.
(5) The prime $p$ should be sufficiently large to prevent efficient use of the index-calculus methods, and $(p-1)$ should be divisible by a prime number $q$ sufficiently large to prevent a Pohlig-Hellman discrete logarithm attack.
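An added example (not from the original lecture) for points (2) and (4) above: Algorithm 6 with the parameters of Example 6, a verifier that enforces the range check on r, a check that flags signatures sharing the same r, and the computation showing that two such signatures determine the private key. The second and third message values, the signature log, and all function names are constructed for illustration.

```python
from math import gcd

# Toy parameters from Example 6 on this page; h(m) = m as in that example.
P, ALPHA, A_PRIV = 2357, 2, 1751
Y = pow(ALPHA, A_PRIV, P)  # public key component y = 1185


def sign(h, k, a=A_PRIV):
    """Algorithm 6 signature generation for hash value h and secret k."""
    if not 1 <= k <= P - 2 or gcd(k, P - 1) != 1:
        raise ValueError("need 1 <= k <= p-2 and gcd(k, p-1) = 1")
    r = pow(ALPHA, k, P)
    s = pow(k, -1, P - 1) * (h - a * r) % (P - 1)
    return r, s


def verify(h, r, s):
    """Algorithm 6 verification, including the range check of step (2)."""
    if not 1 <= r <= P - 1:
        return False
    return pow(Y, r, P) * pow(r, s, P) % P == pow(ALPHA, h, P)


def solve_linear(a, b, n):
    """All x in [0, n) with a*x = b (mod n); handles gcd(a, n) > 1."""
    a, b = a % n, b % n
    g = gcd(a, n)
    if b % g:
        return []
    step = n // g
    x0 = 0 if step == 1 else (b // g) * pow(a // g, -1, step) % step
    return [x0 + i * step for i in range(g)]


def repeated_r(signatures):
    """Group (h, r, s) records by r; a group of two or more means k was reused."""
    groups = {}
    for record in signatures:
        groups.setdefault(record[1], []).append(record)
    return [group for group in groups.values() if len(group) > 1]


def key_from_reuse(sig1, sig2):
    """Private key implied by two signatures that share r (same k)."""
    (h1, r, s1), (h2, _, s2) = sig1, sig2
    n = P - 1
    # k*(s1 - s2) = h1 - h2 (mod p-1); keep the solution with alpha^k = r.
    for k in solve_linear(s1 - s2, h1 - h2, n):
        if pow(ALPHA, k, P) != r:
            continue
        # a*r = h1 - k*s1 (mod p-1); keep the solution with alpha^a = y.
        for a in solve_linear(r, h1 - k * s1, n):
            if pow(ALPHA, a, P) == Y:
                return a
    return None


if __name__ == "__main__":
    # Constructed log: the first and last entries were signed with the same k.
    log = [(1463, *sign(1463, 1529)),
           (2000, *sign(2000, 1531)),
           (1000, *sign(1000, 1529))]
    for group in repeated_r(log):
        print("shared r:", group, "-> private key", key_from_reuse(*group[:2]))
```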
2.2.4 Performance Issues of ElGamal Signatures
(1) Signature generation by Algorithm 6 is relatively fast, mainly requiring one modular exponentiation ($\alpha^k \bmod p$). The exponentiation can be done off-line, in which case signature generation (in instances where precomputation is possible) requires only two (on-line) modular multiplications. Signature verification is more costly, requiring three exponentiations. Each exponentiation (using naive techniques) requires $\frac{3}{2} \lceil \lg p \rceil$ modular multiplications, on average, for a total cost of $\frac{9}{2} \lceil \lg p \rceil$ multiplications. The computing costs can be reduced by modifying the verification slightly. Compute $v_1 = \alpha^{-h(m)} y^r r^s \bmod p$, and accept the signature as valid if and only if $v_1 = 1$. Now, $v_1$ can be computed more efficiently by doing the three exponentiations simultaneously; the total cost is now about $\frac{15}{8} \lceil \lg p \rceil$ modular multiplications, almost 2.5 times as cost efficient as before.
(2) Given the latest progress on the discrete logarithm problem modulo $p$, a 1024-bit modulus $p$ provides only marginal security from concerted attack. For long-term security, 2048-bit or larger moduli should be used.
(3) All entities may select to use the same prime number $p$ and generator $\alpha$, in which case $p$ and $\alpha$ are not required to be part of the public key, i.e. system-wide parameters.
2.2.5 Variations of the ElGamal Scheme
2.3 The Schnorr Signature Scheme
2.3.1 Description
Another well-known variant of the ElGamal scheme is the Schnorr signature scheme. As with the DSA, this technique employs a subgroup of order $q$ modulo $p$, where $p$ is some large prime number. The method also requires a hash function $h$.
Key generation for the Schnorr signature scheme is the same as DSA key generation (Algorithm 3), except that there are no constraints on the sizes of $p$ and $q$.
Algorithm 7. Schnorr signature generation and verification
SUMMARY: entity $A$ signs a binary message $m$ of arbitrary length. Any entity $B$ can verify this signature by using $A$'s public key.
1. Signature generation. Entity $A$ should do the following:
(1) Select a random secret integer $k$, $1 \le k \le q-1$.
(2) Compute $r = \alpha^k \bmod p$, $e = h(m \| r)$, and $s = (ae + k) \bmod q$.
(3) $A$'s signature for $m$ is the pair $(s, e)$.
2. Verification. To verify $A$'s signature $(s, e)$ on $m$, $B$ should do the following:
(1) Obtain $A$'s authentic public key $(p, q, \alpha, y)$.
(2) Compute $v = \alpha^s y^{-e} \bmod p$ and $e' = h(m \| v)$.
(3) Accept the signature if and only if $e' = e$.
Proof that signature verification works. If the signature was created by $A$, then $v \equiv \alpha^s y^{-e} \equiv \alpha^s \alpha^{-ae} \equiv \alpha^k \equiv r \pmod{p}$. Hence, $h(m \| v) = h(m \| r)$ and $e' = e$.
2.3.2 Example
Example 7.
Key generation. $A$ selects primes $p = 129841$ and $q = 541$; here, $(p-1)/q = 240$. $A$ then selects a random integer $g = 26346$ and computes $\alpha = 26346^{240} \bmod p = 26$. Since $\alpha \ne 1$, $\alpha$ generates the unique cyclic subgroup with order 541. $A$ then selects the private key $a = 423$ and computes $y = 26^{423} \bmod p = 115917$. $A$'s public key is $(p = 129841, q = 541, \alpha = 26, y = 115917)$.
Signature generation. To sign the message $m = 11101101$, $A$ selects a random number $k = 327$ such that $1 \le k \le 540$, and computes $r = 26^{327} \bmod p = 49375$ and $e = h(m \| r) = 155$ (the hash value has been contrived for this example). Finally, $A$ computes $s = 423 \cdot 155 + 327 \bmod 541 = 431$. The signature for $m$ is $(s = 431, e = 155)$.
Signature verification. $B$ computes $v = 26^{431} \cdot 115917^{-155} \bmod p = 49375$ and $e' = h(m \| v) = 155$. $B$ accepts the signature since $e = e'$.
2.3.3 Performance Issues
Signature generation in Algorithm 7 requires one exponentiation modulo $p$. This exponentiation modulo $p$ could be done off-line. Depending on the hash algorithm used, the time to compute $h(m \| r)$ should be relatively small. Verification requires two exponentiations modulo $p$. These two exponentiations can be computed simultaneously at a cost of about 1.17 exponentiations. Using the subgroup of order $q$ does not significantly enhance computational efficiency over the ElGamal scheme, but does provide smaller signatures (for the same level of security) than those generated by the ElGamal method.
2.4 Message Recovery Vs Appendix
Definition 1. A digital signature scheme with message recovery is a digital signature scheme for which a priori knowledge of the message is not required for the verification algorithm. An example of a mechanism providing digital signatures with message recovery is RSA public-key signature schemes.
Definition 2. Digital signature schemes which require the message as input to the verification algorithm are called digital signature schemes with appendix. Examples of mechanisms providing digital signatures with appendix are the DSA, ElGamal, and Schnorr signature schemes.
Digital signature schemes with appendix can be transformed into schemes with message recovery.
3 Birthday Attacks
3.1 Birthday Problems
If there are 23 people in a room, the probability is slightly more than 50% that two of them have the same birthday. That is,
$1 - \left(1 - \frac{1}{365}\right)\left(1 - \frac{2}{365}\right) \cdots \left(1 - \frac{22}{365}\right) = .507$.
In fact, the probability is 89% that there is a match among 40 people. This is referred to as the birthday surprise or birthday paradox.
Fact 1. Suppose we have $n$ objects, where $n$ is large. There are $r$ people, and each chooses an object. If $r \approx \sqrt{2 \lambda n}$, then the probability is $1 - e^{-\lambda}$ that there is a match.
Fact 2. Suppose there are $n$ objects and there are two groups of $r$ people. Each person from each group selects an object. Again, if $r \approx \sqrt{\lambda n}$, then the probability is $1 - e^{-\lambda}$ that there is a match.
3.2 Birthday Attacks on Signature Schemes
Suppose the hash function produces an output of 50 bits. The adversary finds 30 places where he can make a slight change in the document: adding a space at the end of a line, changing a wording slightly, etc. So, he makes $2^{30}$ versions and stores them. Similarly, he makes $2^{30}$ versions of the fraudulent contract and stores their hashes. Consider the birthday problem with $n = 2^{50}$ and $r = 2^{30}$. We have $\lambda = 2^{10}$. Therefore, the probability is around $1 - e^{-1024} \approx 1$ that a version of the good document has the same hash as a version of the fraudulent contract. The adversary finds the match and asks to sign the good version.
Countermeasure.
(1) Use a hash function with output twice as long as what you believe to be necessary.
(2) Before signing an electronic document, make a slight change.
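An added example (not from the original lecture) that evaluates the two-list estimate of Fact 2 for the numbers in this section and for a hash twice as long, and reproduces the match on a scaled-down case: 10 edit places and a hash truncated to 12 bits. The contract lines, the truncated SHA-256 and all function names are constructed for illustration.

```python
import hashlib
import math


def match_probability(r: int, n: int) -> float:
    """Fact 2: two lists of r random choices among n values match with
    probability about 1 - exp(-r^2 / n)."""
    return -math.expm1(-(r * r) / n)


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short hash function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variants(lines, places):
    """Yield the 2^places versions of a document obtained by adding or not
    adding a trailing space to each of its first `places` lines."""
    for mask in range(1 << places):
        yield "\n".join(
            line + (" " if (mask >> i) & 1 else "")
            for i, line in enumerate(lines)
        ).encode()


def find_match(good_lines, bad_lines, places, bits):
    """Return (good_version, bad_version) with equal truncated hash, or None."""
    table = {truncated_hash(v, bits): v for v in variants(good_lines, places)}
    for v in variants(bad_lines, places):
        hit = table.get(truncated_hash(v, bits))
        if hit is not None:
            return hit, v
    return None


# Constructed sample documents, ten lines each.
GOOD = [f"Clause {i}: buyer pays 100 on delivery." for i in range(10)]
BAD = [f"Clause {i}: buyer pays 900 on signing." for i in range(10)]

if __name__ == "__main__":
    print("50-bit hash, 2^30 versions each :", match_probability(2**30, 2**50))
    print("100-bit hash, 2^30 versions each:", match_probability(2**30, 2**100))
    # Scaled down: 2^10 versions each, 12-bit hash, so lambda = 2^20 / 2^12 = 256.
    pair = find_match(GOOD, BAD, places=10, bits=12)
    print("match found at 12 bits:", pair is not None)
```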
3.3 Birthday Attacks on Discrete Logarithms
We want to solve $\alpha^x \equiv \beta \pmod{p}$. We can do this with high probability by a birthday attack. Make two lists, both of length around $\sqrt{p}$.
(1) The first list contains numbers $\alpha^k \pmod{p}$ for randomly chosen values of $k$.
(2) The second list contains numbers $\beta \alpha^{-l} \pmod{p}$ for randomly chosen values of $l$.
If we find a match, we have $\alpha^k \equiv \beta \alpha^{-l} \pmod{p}$, and $x \equiv k + l \pmod{p-1}$.
3.4 Meet-in-the-Middle Attacks on Double Encryption
Double encryption $E_{k_2}(E_{k_1}(m))$, such as with DES or AES, might seem to offer a much higher level of security. However, the following attack shows that this is not really the case, as long as we have a computer with a lot of memory. Assume the adversary has obtained a pair $(m, c = E_{k_2}(E_{k_1}(m)))$. The adversary:
(1) Computes and stores $E_k(m)$ and $D_k(c)$ for all possible keys $k$.
(2) Compares the two lists. There is at least one match.
(3) If there are several matches, he takes another plaintext-ciphertext pair and determines the right one. If there is still more than one, he continues until only one pair remains.
Comment.
(1) If there are $N$ possible keys, these $2N$ computations are much less than the $N^2$ computations. It takes slightly longer than the exhaustive search through all keys for single encryption.
(2) Similarly, we could use triple encryption and have the level of security down to at most what one might naively expect from double encryption.