lecture 8 digital signatures. this lecture considers techniques designed to provide the digital...

Lecture 8 Digital Signatures

This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature of a message is a number dependent on some secret known only to the signer, and, additionally, on the content of the message being signed. Signatures must be verifiable: if a dispute arises as to whether a party signed a document (caused by either a lying signer trying to repudiate a signature it did create, or a fraudulent claimant), an unbiased third party should be able to resolve the matter equitably, without requiring access to the signer’s secret information (private key).

Digital signatures have many applications in information security, including authentication, data integrity, and non-repudiation. One of the most significant applications of digital signatures is the certification of public keys in large networks. Certification is a means for a trusted third party (TTP) to bind the identity of a user to a public key, so that at some later time, other entities can authenticate a public key without assistance from a trusted third party.

The concept and utility of a digital signature was recognized several years before any practical realization was available. The first method discovered was the RSA signature scheme, which remains today one of the most practical and versatile techniques available. Subsequent research has resulted in many alternative digital signature techniques. Some offer significant advantages in terms of functionality and implementation.

Outline The RSA Signature Scheme The ElGamal Family Signature Schemes Birthday Attacks

1 The RSA Signature Scheme1.1 Description

. iskey private s' ); ,( iskey public sA' (5)

). 1(mod such that ,1 ,integer unique

thecompute toalgorithmEuclidean extended the Use(4)

1.) ,gcd(such that ,1 ,integer random aSelect (3)

1).1)(( and Compute (2)

size. same eroughly th

each , and primes randomdistinct large twoGenerate (1)

:following thedo should entity Each

key. private ingcorrespond

a andkey publicRSA an createsentity each :SUMMARY

scheme signatureRSA for the generationKey

dAen

φdeφdd

φeφee

qpφ qpn

qp

A

1 Algorithm

1.1 Description (Continued)

).( = Recover (4)

signature. reject the not, if ;t Verify tha (3)

.) (mod Compute (2)

). ,(key public authentic s'Obtain (1)

:should ,

message erecover th and signature s' verify To .

. is for signature s' (3)

).(mod Compute (2)

1]. [0, range in theinteger an ),( Compute (1)

:following thedo should Entity .

signature. thefrom message erecover th and signature s'

can verify entity Any . message a signs entity :SUMMARY

ion verificatand generation signatureRSA

1 mRm

m

nsm

enA

Bm

sAonVerificati

smA

nms

nmRm

AgenerationSignature

mA

BmA

e

d

2 Algorithm

1.1 Description (Continued)

. ))((

= )( Finally, ).(mod ), (mod 1

Since ).( where), (mod then , message a

for signature a is Ifion works. verificatsignature that Proof

signature. valida yielding ofy probabilit

negligible-non a have willadversary an ofpart on thenumber

random a of choice judicious no that provided suitable

isfunction redundancy This knowledge. public andchosen

are inverse its and function redundancyA

1

1

1

mmRR

mR nmmsφde

mRmnmsm

s

RRComment.

dee

d

1.2 Example

31229978. )(

recovers and ,redundancy required thehas since signature

theaccepts Finally, 31229978. 55465219) (mod 307294355

) (mod computes

30729435. 55465219) (mod 3602373122997844

) (mod signature thecomputes

and 31229978, )( computes 31229978, message

asign To . )( mapidentity theis function redundancy

that theassume ,simplicity of sake For the .

44360237. iskey

private s' 5); 55465219, ( iskey public s' 44360237.

yielding 55450296), 1(mod5 solves and 5 chooses

55450296. 6996 7926 = and 55465219 computes

and ,6997 ,7927 primes selects Entity

1

mRm

m

B

nsmBon.verificatiSignature

nms

mRmAm

mmRR

generationSignature

d

AenAd

ddeeA

φqpn

qpAtion.Key genera

e

d

1 Example

1.3 Possible Attacks on RSA Signatures

1.3.1 Integer Factorization

task.

infeasiblenally computatio a is factoring that so and

select must is,against th guard To system. theof

break totala sconstitute This ). (mod 1 solving

by exponent public theand from key private the

deduce algorithm,Euclidean extended theusing then,

and computecan adversary then the,entity some

of modulus public factor the toable isadversary an If

nq

pA

φde

eφd

φ A

n

1.3.2 Multiplicative Property of RSA

security.for sufficient

not but necessary is on condition This ).()(

)( , , pairs ally essentiallfor i.e., tive,multiplica

not is function redundancy that theimportant isit Hence,

it.for signature valida be will then redundancyproper

thehas If ).(mod )(hat property t the

has ) (mod then ,ly respective , and messages

on signatures are )(mod and )(modIf

property. chomomorphi theas toreferred sometimes property,

tivemultiplica following thehas scheme signatureRSA The

2121

2121

2211

RbRaR

baRba

R

s

mmm nmms

nsssmm

nms nm s

d

dd

1.3.2 Multiplicative Property of RSA (Continued)

property. tivemultiplica the

havenot will , of choicesmost For s).'0 are )( of

tion representabinary theof bits t significanleast (the

2 = )( be taken tois function redundancy The

].12 [1, interval in the integers be messageslet

and 2Let /2. such that integer positive fixed

a be let and , ofbitlength thebe lg Let key.

private the and modulusRSA an be Let

RnmR

t

mmR R

nm

wkt

tnnk

dn

t

t

t

2 Example

1.3.2 Multiplicative Property of RSA (Continued)

.) (mod )(

compute 0, If

;) (mod compute ,0 If

:follows as for signature

a computecan adversary then thesigner, legitimate thefrom

obtained are ) (mod and ) (mod signatures If

.redundancy required thehave and case,either In .

and integers form ,0 If . and

integers form ,0 If . and ||such that and

a exists therestage someat shown that becan It .

such that computed are and , , integers algorithm,Euclidean

extended theof stageeach At . 2)( and to

algorithmEuclidean extended Apply the . message aon signature a

forge towishesadversary an that Suppose )(Continued

3

2

3

2

3

2

3

2

3322

323

232

nmy

r

wy

wr

m

m

s

sy

nmy

r

wy

wr

m

m

s

sy

m

nmsnms

mmwym

wrmywymwrm

yn/wrn/wyry

rmn + yx

ryx

wmmmRmn

m

ddd

d

d

ddd

d

d

dd

t

2 Example

1.4 Implementation of RSA Signatures

1.4.1 Reblocking Problem

.by recovered becannot

message that thechance a is e then ther, If ly.respective

keys, public s’ and s’ are ) ,( and ) ,( that Suppose

.for message aencrypt then andsign to wishes that Suppose

procedure. thisngimplementi when involved moduli theof sizes

relative about the concerned bemust One signature. resulting the

encrypt then and message asign toisRSA of use suggested One

B

nn

BAenen

BA

BA

BBAA

1.4.1 Reblocking Problem (Continued)

. modulus n thelarger tha is that is for thisreason The .ˆ that Observe

54383568. 62894113) (mod4382681 )(modˆˆ (2)

4382681. 55465219) (mod 38842235 )(modˆ (1)

:following thecomputes signature, e verify thand message erecover th To

38842235. 55465219) (mod 59847900 ) (mod (2)

59847900.62894113) (mod 1368797 ) (mod (1)

:following thecomputes key. public s' using encrypted then andkey

private s'under signed be toredundancy with message a is 1368797

Suppose . that Notice 44360237. = 5, 55465219, and

37726937; and 5, 62894113, 74998387Let

5

44360237

5

37726937

B

Ae

Bd

Be

Ad

BABBB

AAA

nsmm

nsm

ncs

B

nsc

nms

AB

Am

nnden

den

A

B

B

A

3 Example


solution.prudent anot is reordering

Thus, adversary. the tousadvantageo is this wheresituations

bemay theresigned, being is what knownot willadversary the

h Even thoug signature.own itsit with replace and signature the

remove couldadversary an signs, then andfirst encrypts iffor

signature; eencrypt th then andfirst message sign the toalways

is however, ,operations oforder preferred The key. private s'

using ciphertext resulting sign the then and key, public s’ using

message eencrypt thfirst should entity then , if is,That

first. performed is modulussmaller theusingoperation theifoccur

never willdecryptionincorrect of problem The .Reordering (1)

problem. reblocking theovercome to ways variousare There

A

A

B

Ann BA


numbers.bit - moduli signing

and numbersbit -1) +( be tomoduli encrypting requiringby

guaranteed becan This occurs.never decryptionincorrect then

moduli, encrypting possible theof allan smaller th is modulus

signing suser'each If signing.for and encryptingfor moduli

separate generateentity each Have entity.per moduli Two (2)

t

t


01.1000110100tion representabinary having 2257, 61 37

then selected, is 61 If 11.1000100001tion representabinary

having 2183, 59 37 then selected, is 59 = If 61. and 59 are

for iespossibilit The 62.)22( and 56 /2between

interval in the prime aSelect .37 primebit -6 a selecting

by Begin s.0' are bits 3next theand 1 a isbit order high that the

such modulusbit -12 aconstruct to wantsone Suppose

type.required theof modulus a is then ;/2 +2

and /2between interval in the prime afor search and ,

primebit -2 random aSelect .2 +2 2 form, required

thehave toFor follows. as found becan form thisof modulus

bit-A s.0' all are bits following theand 1 a isbit order -highest

the:form special a has modulus that theso and primes the

selects one method, In this modulus. theof form thegPrescribin (3)

81111

11

1

111

n

q

nqq

/p + p

qp

k

n

qpnp

pqp

t/n

nn

tk

nqp

ktt

t

kttt

4 Example


100. around be toselected is if

small negligibly is which ,)21( than less is highest, theother than

positions,bit 1order -high in the s1'any havenot does that

yprobabilit The form.similar a of modulusother any an smaller th

y necessaril is so andposition bit order -highest in the 0 a havemust

,an smaller th isit since ,Then highest. theother than positions,

bit 1order -high theof onein 1 a has at further th Suppose

.on signature a is ) (mod and modulus asuch is that

Suppose number. small negligibly a tooccurrence its ofy probabilit

thereducecan it but problem, decryptionincorrect eprevent th

completelynot does modulus for the choice This )(Continued (3)

k

/

k+ s

ns

k +s

mnm sn

n

k

A

Ad

AA

1.4.2 Short vs. Long Messages

The signature is at least as long as the message. This is a disadvantage when the message is long. To remedy the situation, a hash function is used. The signature scheme is the applied to the hash of the message, rather than to the message itself. The redundancy function R is no longer critical to the security of the signature scheme.

1.4.2 Short vs. Long Messages (Continued)

preferred. isfunction

hash t RSA withou bits,-mostat size of message aFor function.

hash with signatures digitalRSA use tois methodefficient bandwidth

most that thefollowsit 2, whenever2 2 Since

. message thesending from comes term the where,2 is

signature for thist requiremenbandwidth The .hash value sign the and

length of bitstring a to messagehash could ely,Alternativ

bits. 2 is for thist requiremenbandwidth The d.recommendenot

is but this ly,individualblock each sign and || ||||that

such blocksbit - into partition toisapproach One . message

bit - asign to wishesentity Suppose messages.bit -sign to

in used is which modulusRSA bit -2 a is Suppose

21

k

ttkkt+k

mt kkt+k

k lmA

tk

mmmm

kmm

tkAk

kn

t

2 Algorithm

1.4.3 Performance Characteristics of Signature Generation and Verification

entities.other by various many times verifiedbemay signature

thisand,generation signature oneonly requires this,entity an for

ecertificatkey -public a createsparty third trusteda when example,For

performed. beingoperation t predominan theision verificatsignature

wheresituations tosuitedideally thusis scheme signatureRSA The

1. + 2or 3 are practicein

for values.Suggestedoperationsbit )(requireson verificati

done, is thisIf number. small a be chosen to isexponent public

theif signingn faster thatly significan is signatures ofon Verificati

. operationsbit )(requires

message afor )mod( signature a Computing primes.bit -

each are and wheremodulusRSA bit -2 a be Let

16

2

3

A

ek O

k Om

n msk

q pkqpnd

1.4.4 Parameter Selection A modulus of at least 1024 bits is recommended

for signatures which require much longer lifetimes or which are critical to the overall security of a large network. It is prudent to remain aware of progress in integer factorization, and to be prepared to adjust parameters accordingly.

No weaknesses in the RSA signature scheme have been reported when the public exponent e is chosen to be a small number such as 3 or 216+1. It is not recommended to restrict the size of the private exponent d in order to improve the efficiency of signature generation.

1.4.5 System-Wide Parameters

Each entity must have a distinct RSA modulus; it is insecure to use a system-wide modulus. The public exponent e can be a system-wide parameter, and is in many applications.

2 The ElGamal Family Signature Schemes

Most of signature schemes are presented over (mod p) for some large prime p, but all of these mechanisms can be generalized to any finite cyclic group. All of the methods discussed in this part are randomized digital signature schemes. A necessary condition for the security of all of the signature schemes is that computing logarithms in (mod p) should be computationally infeasible. This condition, however, is not necessarily sufficient for the security of these schemes.

2.1 The Digital Signature Algorithm

In August of 1991, the U.S. National Institute of Standards and Technology (NIST) proposed a digital signature algorithm (DSA). The DSA has become a U.S. Federal Information Processing Standard (FIPS 186) called the Digital Signature Standard (DSS), and is the first digital signature scheme recognized by any government. The algorithm is a variant of the ElGamal scheme.

2.1.1 Description

. iskey private s' ); , , ,( iskey public s' (6)

.)(mod Compute (5)

.11such that integer random aSelect (4)

(3.1). step togo then 1 If (3.2)

). (mod compute and element an Select (3.1)

.)in order with element an (Select (3)

.1 divideshat property t with the,2 2

wherenumber prime aselect and ,80 that soChoose (2)

.22such that number prime aSelect (1)


key. private

ingcorrespond andkey public a createsentity each :SUMMARY

DSA for the generationKey

)1(

6451264511

160159

aAyqpA

p y

qa a

pgg

pq

pq p

pt t

qq

A

a

/qp

t+t+

3 Algorithm

2.1.1 Description (Continued)

. ifonly and if signature Accept the (6)

.)(mod )) (mod ( Compute (5)

.) (mod and ) (mod )( Compute (4)

).( and )(mod Compute (3)

signature. reject the then not, if ;0and 0tVerify tha (2)

). , , ,(key public authentic sA'Obtain (1)

:following thedo should ,on ) ,( signature s' verify To

). ,(pair theis for signature s' (4)

.)(mod))(( Compute (3)

.) (mod ))(mod( Compute (2)

.0 ,integersecret random aSelect (1)


key. public s' usingby signature thiscan verify entity

Any length.arbitrary of messagebinary a signs entity :SUMMARY

ion verificatand generation signatureDSA

21

21

1

1

rv

qpyv

qwruqmhwu

mh qsw

qs qr

yqp

BmsrAon.Verificati

srmA

qr+amhks

q pαr

qk k


AB

mA

uu

k

4 Algorithm


required. as , Hence, .)(mod )) (mod (

)(mod )) (mod ( yieldsequation

thisof sidesboth to Raising ). (mod

simply is But this ). (mod )( gives

grearrangin and by congruence thisof sidesboth

gMultiplyin hold.must ) (mod + )(

then, messageon entity of signature legitimate

a is ) ,( If ion works. verificatsignature that Proof

21

21

rv qp

qpy

qku+au

qkwr +amhw

w

qskramh

mA

sr

k

uu


signature. theaccepts , Since 34. 17389) (mod 2703992917389) (mod

)124540019) (mod119946265(10083255) (mod )) (mod (

computes then 8999.) (mod and 12716,

) )(mod( ,1799)(mod computes

13049). 34,(pair theis for

signature The 13049. )(mod )+)(( finally and , 5246 )(

7631, ) mod( computes then 34. ) (mod )) (mod( computes

and ,9557integer random a selects ,sign To .

12496. iskey private s' while,119946265) 10083255,

17389, 124540019, ( iskey public s' 119946265. ) (mod

computes and ,11 satisfying 12496integer random a selectsnext

.th element wian is 1, Since 10083255. ) mod( computes

and 110217528 element random a selects 7162. )/1( here, 1);(

dividessuch that 17389and124540019 primes selects

899912716

2

11

1

1

)/1(

21

Brv

qpyα

vBqwru

qmhwu qswBon.verificatiSignature

srm

qramhksmh

qkAqpr

kA mgenerationSignature

a Ay

qpApy

qaaA

qpg

gAqpp

q q pAtion.Key genera

uu

k

a

qp

5 Example

2.1.2 Security and Implementations of DSA

bits. 1024n larger tha primes

permit not does 186 FIPS attack. concerted aagainst security

marginal provides primebit -512A inclusive. bits 1024 and

512between 64 of multipleany becan of size the whilebits,

160at 186) FIPS (as by fixed is of size The (2)

.order with subgroup

cyclic in the problem logarithm theisother the; modulo

problem logarithm theis One problems. logarithm discrete

relatedbut distinct on two reliesDSA theofsecurity The (1)

p

p

p

q

q

p

3 Algorithm

2.1.2 Security and Implementations of DSA (Continued)

tions.multiplicamodular 280 then is average,

on cost, theusly;simultaneo tionsexponentia two thedoing

by realized becan savings Some in total. 480or tionsmultiplica

modular 240 requireeach theseaverage,On exponents.bit -160

each to , modulo tionsexponentia twoision verificatsignature

for work theofportion major The scheme. signatureRSA the

with possible istion precomputa no ,comparisonBy .generation

signature of timeat the done benot need and dprecompute

becan tion exponentia that theadvantage thehasDSA The

tions.multiplicamodular 240 averageon takingtion,exponentia

modular one requiresmainly generation Signature (3)

p

2.1.2 Security and Implementations of DSA (Continued)

generated. be

should of valuenew a ,0or 0either that detects

signer theIf 0. check that alsomay signer The occur.

ever tounlikely extremely is thispractice,In .) 2(1/

is 0y that probabilit then theelement, random a

be toassumed is ifbut 0; check thatmay signer the

situation, thisavoid To exist.not does then 0, If

). (mod ofn computatio therequireson Verificati (5)

adversary.an for target attractive more a

present however, does, This .parameters wide-system

be to and , , permits DSS The . and primes

own itsselect entity toeach for necessary not isIt (4)

160

1

1

ks r

r

s

ss

s s

qs

qpqp

2.2 The ElGamal Signature Scheme

2.2.1 Description

. iskey private s’ ); , ,( iskey public s' (4)

. )(modCompute (3)

.21 ,integer random aSelect (2)

.generator a and prime random large a Generate (1)


key. private

ingcorrespond andkey public a createsentity each :SUMMARY

scheme signature ElGamal for the generationKey

aAypA

pα y

paa

p

A

a

5 Algorithm



.) (mod and )(Compute (4)

.) (mod Compute (3)

signature. reject the then not, if ;11t Verify tha (2)

). , ,(key public authentic s'Obtain (1)

:following

thedo should ,on ) ,( signature s' verify To .


).1( mod ))(( Compute (3)

.) (mod Compute (2)

1. )1 ,gcd( with ,2 1 ,integer secret random aSelect (1)


key. public s' usingby signature thiscan verify entityAny

length.arbitrary of messagebinary a signs entity :SUMMARY

ion verificatand generation signature ElGamal

21

)(2

1

1

vv

pvm h

pryv

pr

ypA

BmsrAonVerificati

srmA

pramhks

pr

pkpkk


A B

mA

mh

sr

k

6 Algorithm


required. as

, Thus, ). (mod)()(

implies This ).1( )mod + ()( yields grearrangin and

),1( mod ) )(( gives by sidesboth gMultiplyin

).1( mod ))(( then ,by generated

wassignature theIf ion works. verificatsignature that Proof

21+ )(

1

vvpry

pskramh

pramhs kk

pramhksA

srskraskramh

2.2.2 Example

. since signature the

accepts 1072. 2357 mod 2 and 1463,)( 1072,

2357) (mod 1490 · 1185 computes .

1777). 1490, (pair

theis 1463 for signature s' 1777. 2356) (mod )14901751

1463(245 computes Finally, 245. )1( mod and

1490, ) 2357 (mod 2) (mod computes 1529,

integer random a selects 1463, message sign the To function).

identity thebe to takeonly, example for this (i.e., )( and

integers be willmessages ,simplicityFor .

1185). 2, 2357, ( is

key public s' 1185. 2357) (mod 2 )(mod

computes and 1751 key private thechooses 2. generator

a and 2357 prime theselects .

21

14632

177714901

1

1529

1751

vv

Bvmh

vBonverificatiSignature

sr

mA

sApk

prk

Am

hmmh

generationSignature

yp

A py

aA

pAtionKey genera

k

a

6 Example

2.2.3 Security of ElGamal Signatures

y.probabilit

high with determined becan key private theotherwise,

signed; messageeach for selected bemust differentA (2)

. largefor

negligible is which , /1only isy probabilit success the

random;at an choose n tobetter tha no docan adversary

the,infeasiblenally computatio is problem logarithm

discrete theIf ).1mod( ))((

determinemust then adversary The .) (mod

computing and integer random a selectingby on

signature s' forge attempt tomight adversary An (1)

1

k

p

p

s

pramhks

pαr

km

A

k

2.2.3 Security of ElGamal Signatures (Continued)

). (mod)(

since ),1( mod message for the signature valida

is ) ,(pair The ).1( mod and ) (mod

) (modCompute 1. = )1 ,gcd( with ) ,( integers

ofpair any Select follows. asattack forgery an mount to

adversary an for easy then isIt ).1( mod)(

isequation signing theused, is function hash no If (3)

1

1

1

pααyαyyαyry

pusm

srp vrspα

pyα r pvvu

p ram ks

h

musrvrursvursr

vu+a

vu


.) (mod)()(

i.e. algorithm,ion verificatby the accepted

be ld which wou messagefor signature a is ) ,(pair The Theorem.

Remainder Chinese by the possible always islatter The ).mod(

and )1(modsuch that and )1( mod

computesIt then exists). )1( mod)( (assuming

)1( mod)()( and )( computes and choice its of

message a selectsadversary The .by produced messagefor

signature a is ) ,( that Suppose follows. as ,entity by created

signature validone hasit provided choice its of messagessign can

adversary an then done,not ischeck thisIf .0check that to

verifier therequiresin (2) Step ofon Verificati (4)

)()()()(

1

1

1

pry

ryry

msr

pr

rp u rrr pu s

s pmh

pmhmhumh

mAm

srA

pr

mhmhmhmhusr

usursr

6 Algorithm


attack.

logarithm discreteHellman -Pohlig aprevent tolarge

ly sufficient number prime aby divisible be should

)1( and methods, calculus-index theof useefficient

prevent tolargely sufficient be should prime The (5)

q

p

p

2.2.4 Performance Issues of ElGamal Signatures

before. asefficient cost as times2.5almost tions,multiplica

modular /8lg15about now iscost total theusly;simultaneo

tionsexponentia three thedoingby y efficientl more computed

becan Now, 1. ifonly and if validas signature accept the

and ,)(mod Compute slightly.ion verificatthe

modifyingby reduced becan costs computing The tions.multiplica

/2lg 9 ofcost totalafor average,on tions,multiplicamodular

/2lg 3 requires s) techniquenaive (usingtion exponentiaEach

tions.exponentia threerequiring costly, more ision verificatSignature

tions.multiplicamodular line)-(on only two requires

possible) istion precomputa whereinstances(in generation

signature casein which line,-off done becan tion exponentia The

).) (mod (tion exponentiamodular one requiringmainly

fast, relatively is by generation Signature (1)

11

)(1

p

vv

pryv

p

p

p

srmh

k

6 Algorithm

2.2.4 Performance issues of ElGamal Signatures (Continued)

.parameters wide-system i.e. key, public theofpart be to

requirednot are and casein which ,generator and

number prime same theuse select tomay entities All (3)

used. be should modulilarger or bit -2048 security,

term-longFor attack. concerted fromsecurity marginal

only provides modulusbit -1024 a , modulo problem

logarithm discrete on the progresslatest Given the (2)

p

p

pp

2.2.5 Variations of the ElGamal Scheme

2.3 The Schnorr Signature Scheme

2.3.1 Description

. and of sizes on the sconstraint no

are t thereexcept tha ),( generationkey DSA as

same theis scheme signatureSchnorr for the generationKey

.function hash a requires also method The number. prime large

some is where, moduloin order of subgroup a employs

technique thisDSA, with theAs scheme. signatureSchnorr

theis scheme ElGamal theofant known vari-llAnother we

qp

h

ppq

3 Algorithm


. Hence, ).(mod then ,by

created wassignature theIf ion works. verificatsignature that Proof


).||( and ) (mod Compute (2)

). , , ,(key public authentic sA'Obtain (1)

:following the

do should ,on ) ,( signature s' verify To .


. mod )+ (and ),||( ,) (mod Compute (2)

1. 1 ,integer secret random aSelect (1)


key. public s' usingby signature thiscan verify entity Any

length.arbitrary of messagebinary a signs entity :SUMMARY

ion verificatand generation signatureSchnorr

+ ee pryvA

ee

vmhepyv

yqp

BmesAonVerificati

esmA

qkea srmhepr

qkk


AB

mA

eakeaes

es

k

7 Algorithm

2.3.2 Example

. since signature theaccepts 155. )||(and 49375

) (mod 11591726 computes .

155). 431, ( is for

signature The 431. 541) (mod 327) + 155(423 computes

Finally, example). for this contrivedbeen has hash value

(the 155 = )||(= and 49375 )(mod26 computes

and ,540 1such that 327 number random a selects

11101101, = message sign the To .

115917). = 26, = 541, = 129841, = ( iskey public s'

115917.) (mod 26 computes and 423key private

theselects then 541.order with subgroup cyclic unique the

generates 1, Since 26.) (mod26346 computes

and 26346 integer random a selects then 240. 1)/(

here, 541; and 129841 primes selects .

155431

327

423

240

eeBvmhe

pvBonverificatiSignature

esm

s

A

rmhe pr

kk

AmgenerationSignature

yqpA

pya

A

p

g Aqp

qpAtionKey genera

7 Example

2.3.3 Performance Issues

method. ElGamal by the generated those

than security) of level same (for the signaturessmaller

provide doesbut scheme, ElGamal over the efficiency

nalcomputatio enhancetly significannot does order of

subgroup the Usingtions.exponentia 1.17about ofcost aat

uslysimultaneo computed becan tionsexponentia twoThese

. modulo tionsexponentia tworequireson Verificati small.

relatively be should )||(compute to time theused,

algorithmhash on the Depending line.-off done be could

modulotion exponentia This . modulotion exponentia

one requiresin generation Signature

q

p

rm h

pp

7 Algorithm

2.4 Message Recovery Vs Appendix

recovery. message with schemes

er tocan transfappendix with schemes signature Digital #

schemes. signatureSchnorr and ElGamal, DSA, theareappendix

with signatures digital providing mechanisms of Examples

appendix. with schemes signature digital

called are algorithmion verificat theinput to as message

therequire which schemes signature Digital

schemes. signaturekey -publicRSA isrecovery message

with signatures digital providing mechanism of exampleAn

algorithm.ion verificatfor the requirednot is message the

of knowledge priori afor which scheme signature digital a is

recovery message with scheme signature digitalA

2 Definition

1 Definition

3 Birthday Attacks3.1 Birthday Problems

paradox.

birthday or surprisebirthday theas toreferred is This

people. 40

amongmatch a is thereif 89% isy probabilit thefact,In

.507.0365

221

365

21

365

111

is,That

birthday. same thehave themof that two50% than more

slightly isy probabilit theroom, ain people 23 are thereIf

3.1 Birthday Problems (Continued)

match. a is e that ther1 isy probabilit then the, if

Again, object.an selects groupeach fromperson Each people.

of groups twoare thereand objects are thereSuppose

match. a is e that ther1 isy probabilit

then the, 2 If object.an chooseseach and people,

are There large. is whereobjects, have weSuppose

enr

r

n

e

nr

rnn

2Fact

1Fact

3.2 Birthday Attacks on Signature Schemes

change.slight a make document, electronican signing Before (2)

necessary. be tobelieveyou

whatas long as ceoutput twiith function whash a Use(1)

version.good sign the

toasks andmatch thefindsadversary The contract. fraudulent of version as

hash same thehasdocument good theof version a that 11around

isy probabilit theTherefore, .2 have We.2 and 2with

problembirthday heConsider t hashes. their stores andcontract fraudulent

theof versions2 makes he Similary, them.stores and versions2

makes he So, etc. slightly. wordinga changing line, a of end at the space a

adding :document in the changslight a makecan he whereplaces 30 finds

adversary The bits. 50 ofoutput an producesfunction hash theSuppose

1024

105030

3030

sure.Countermea

e

nr

3.3 Birthday Attacks on Discrete Logarithms

).1mod()( ),(mod have wematch, a find If

. of ueschosen val

randomlyfor )(mod numbers containslist second The (2)

. of ueschosen val

randomlyfor )(mod numbers containslist first The (1)

. around

length ofboth lists, twoMake attack.birthday aby y probabilit

high with thisdocan We).(mod solve want toWe

plkxpαα

l

pα

k

pα

p

pα

lk

l

k

x

3.4 Meet-in-the-Middle Attacks on Double Encryption

remains.pair oneonly until continues he , one

thanmore still is thereIf one.right thedetermines ciphertext

-plaintextanother takeshe matches, several are thereIf (3)

match. oneleast at is There lists. two theCompares )2(

. keys

possible allfor )( and )( stores and Computes (1)

. )))(( ,(pair a obtained hasadversary

theAssume memory. oflot aith computer w a have weas

long as case, really thenot is that thisshowsattack following

theHowever, security. of levelhigher much aoffer toseem

might AES DES, assuch )),(( encryption Double

12

12

k

cDmE

mEEcm

mEEc

kk

kk

kk

3.4 Meet-in-the-Middle Attacks on Double Encryption (Continued)

.encryption double fromexpect

naivelymight onemost what at down tosecurity of level

thehave and encryption tripleuse could weSimilarly, (2)

.encryption

singlefor keys allough search thr exhaustive n thelonger tha

slightly It takes ns.computatio than thelessmuch are

nscomputatio 2 thesekeys, possible are thereIf (1)

2N

N N Comment.

Thank You!

lecture 8 digital signatures. this lecture considers techniques designed to provide the digital...

Documents