Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key...

Page 1: Digital Signatures: A primer

Page 2: Why public key cryptography?

• With secret key algorithms
  • Number of key pairs to be generated is extremely large
  • If there is a conflict between Alice and Bob, it is hard to resolve it
  • Non-repudiation
• Why not public key algorithms?
  • Slow, computationally intensive

Page 3: Public key encryption revisited

• What security services does it provide?
  • Confidentiality/Privacy
  • Authentication
  • Integrity
  • Non-repudiation

[Figure: Alice encrypts x with Bob's public key ku_bob to obtain y and sends y over an insecure channel; Bob decrypts y with his private key kr_bob to recover x]

Page 4: What happens if we use the keys of both sender and receiver?

[Figure: Alice computes u = e_KRA(x) with her private key, then y = e_KUB(u) with Bob's public key, and sends y; Bob computes u = d_KRB(y) with his private key, then x = d_KUA(u) with Alice's public key]

• What security services does this provide?
• Can Oscar generate u?
• Can Bob generate u?

Page 5: Digital Signatures

• Recap
  • Message authentication provides security services of authentication and integrity
  • It does not provide non-repudiation
• Digital signatures
  • Should provide us the same functionality as regular signatures
  • Must depend on the message
    • “Binding” the signature to the message
  • Must be information unique to the signer that cannot be forged

Page 6: Digital Signature

• Anyone can “verify” the signature with the public key
• No one else can “generate” a signature since the private key is known only to the owner

[Figure: Alice computes Sig(x) from x with her private key KRA and sends x together with Sig(x); Bob runs Ver on Sig(x) with Alice's public key KUA and compares the result with x]

Page 7: How does a signature differ from a MAC or simple encryption?

• A MAC is used to ensure message authentication
  • The attack is to successfully change the message or create a false message without detection
• A signature is used to “sign” a digital document
  • Goals of a successful attack
    • Total Break
      • Oscar can determine Alice’s private key
    • Selective Forgery
      • With some probability, create a forged signature for a message that Alice has not previously signed
    • Existential Forgery
      • Change the document but enable the signature to be verified
      • Create a false document and signature pair such that the signature is verified

Page 8: Attacks against Digital Signatures

• Key only attack
  • Similar to ciphertext-only attack, but Oscar knows the public key
• Known message attack
  • Similar to known plaintext attack
  • Oscar has pairs of messages and signatures
• Chosen message attack
  • Oscar can choose the messages that Alice will sign

Page 9: RSA Digital Signature

• Setup:
  • Public key: KU = {n, b}
  • Private key: KR = {p, q, a}
  • Here a·b = 1 mod (n)
  • (n) = (p – 1)(q – 1)

[Figure: Alice computes Sig(x) = e_KRA(x) by applying the private-key operation d with KRA to x and sends x together with Sig(x); Bob applies the public-key operation e with KUA to Sig(x), recovers x and compares it with the received x]

Page 10: RSA Signature Protocol

• Alice computes sig_KRA(x) = x^a mod n = u
• Alice sends Bob x || u
• Bob verifies the signature as follows:
  • He decrypts the signature first
  • Compute ver_KUA(u) = u^b mod n = x*
  • Compare x and x*
• Remarks:
  • Only Alice can sign her documents
  • Anyone can verify it
  • Bob is assured the message is from Alice
  • If the message is altered, the signature will reveal this
  • Signature provides authentication, integrity, and non-repudiation

Page 11: Drawbacks

• Long message => long signature
  • Solution: Hash the message before signing it
• Oscar can “choose” a signature and compute a plaintext from it
  • Choose signature u
  • Compute plaintext x = e_KUA(u) = u^b mod n
  • Send x || u to Bob
  • The message may be meaningless, but it will appear to have come from Alice
• RSA signature is used in the ISO/IEC 9796 standard

Page 12: How Digital Signatures are generated using Hash functions

[Figure: Alice computes h(x) (a hash, or a MAC under a shared key kAB), encrypts it with her private key krA to obtain e_KR[h(x)], and sends x || e_KR[h(x)]; Bob recomputes h(x) from the received x, decrypts the signature with Alice's public key kuA, and verifies that the two hash values match]
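Slides 10 to 12 as running code: the raw RSA protocol sig_KRA(x) = x^a mod n, the chosen-signature drawback of slide 11 phrased as the check a verifier can run, and the hash-then-sign construction of slide 12 that closes it. This is an added example, not code from the slides; the toy key (p = 1009, q = 1013, b = 65537), the use of SHA-256 as h(.) and the function names are assumptions of the example.

```python
"""Textbook RSA signatures as on slides 10-11, then the hash-then-sign fix of
slide 12.  Added example, not code from the slides.  The slides' notation is
kept: public key (n, b), private key (p, q, a) with a*b = 1 mod phi(n) and
phi(n) = (p-1)(q-1).  The key below is a constructed toy key; real RSA keys
are thousands of bits."""
import hashlib
from typing import Tuple

P, Q = 1009, 1013               # constructed small primes (toy key)
N = P * Q                       # modulus n
PHI = (P - 1) * (Q - 1)         # Euler's totient phi(n)
B = 65537                       # public exponent b, coprime to phi(n)
A = pow(B, -1, PHI)             # private exponent a = b^-1 mod phi(n)


def rsa_sign(x: int, a: int = A, n: int = N) -> int:
    """Alice: u = sig_KRA(x) = x^a mod n (raw RSA, no hashing)."""
    return pow(x, a, n)


def rsa_verify(x: int, u: int, b: int = B, n: int = N) -> bool:
    """Bob: x* = ver_KUA(u) = u^b mod n; accept only if x* equals x."""
    return pow(u, b, n) == x % n


def hash_to_int(msg: bytes, n: int = N) -> int:
    """Slide 12: sign h(x) instead of x.  SHA-256 reduced into Z_n (toy
    encoding; real schemes use a padding such as RSASSA-PSS)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign_hashed(msg: bytes) -> int:
    return rsa_sign(hash_to_int(msg))


def rsa_verify_hashed(msg: bytes, u: int) -> bool:
    return rsa_verify(hash_to_int(msg), u)


def chosen_signature_check(u: int) -> Tuple[int, bool, bool]:
    """Slide 11's drawback as a verifier-side check: for any u, the value
    x = u^b mod n passes raw verification although Alice never signed it.
    Returns (x, accepted_by_raw_verify, accepted_by_hash_then_sign)."""
    x = pow(u, B, N)
    raw_ok = rsa_verify(x, u)
    # Under hash-then-sign the verifier compares u^b with h(x), not with x,
    # so the same (x, u) pair is rejected.
    hashed_ok = rsa_verify_hashed(x.to_bytes(3, "big"), u)
    return x, raw_ok, hashed_ok


if __name__ == "__main__":
    msg = b"pay Bob 10"
    print("hashed sign/verify:", rsa_verify_hashed(msg, rsa_sign_hashed(msg)))
    print("chosen u=12345:", chosen_signature_check(12345))
```

Raw RSA accepts the pair (u^b mod n, u) for every u, which is exactly why the slides move to signing the hash: the verifier then needs u^b to equal h(x), and an attacker who picks u first has no way to find a message with that hash.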

Page 13: ElGamal Signature Scheme

• Different from ElGamal Encryption Scheme
• Published in 1985
• A variation of this forms the Digital Signature Standard (DSS)
• Not useful for encryption, but only for signatures

Page 14: Setup

• Choose a large prime number p
• Choose a generator of Zp*
• Choose a private key KR = a in {2,3,4,…,p – 2}
• Compute the public key KU = b = a mod p
• Keys:
  • Public: KU = {p, , b}
  • Private: KR = {a}

Page 15: Signing with private key

• Choose a random number k in Zp-1*
  • This means
    • k < p-1
    • GCD(k, p-1) = 1
• Compute the signature of the message x as
  sig_KR(x) = (,) where
    g = k mod p
    = (x – a )k^-1 mod (p-1)   (make use of private key here)

Page 16: Public Verification

• The verification function is:
  Ver_KU(x, (,))
  Check if b = x mod p
  If true, the signature is valid
  If false, the signature is invalid

Page 17: Why does it work?

• What is b ?
• What is b?
  • b = a
  • b = a
• What is ?
• Verification gives
  • a x – a = x

Page 18: Example

• Parameters
  • p = 467, = 2, a = 127
  • Compute b = a mod p
• Alice wants to sign the plaintext message x = 108
• She chooses a random quantity k = 211
• Compute signature
• Verify signature

Page 19: Security of ElGamal Signature Scheme

• What is an attack on signatures?
  • Oscar can generate a fake signature
  • Oscar can break the signing scheme to get knowledge of the private key
• Oscar can choose and then try to find
  • DL Problem
• Oscar can choose and try to find
  • Generally considered infeasible
• Oscar can choose and and try to come up with a random plaintext x as with the RSA signature scheme
  • DL Problem

Page 20: Drawbacks

• Long message => long signature
• If the value of k is used repeatedly, the signature scheme becomes insecure
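The ElGamal example of slide 18 worked through in code, together with the repeated-k warning of slide 20. This is an added example, not code from the slides; the function names are the example's own, and the Greek letters the slides use are spelled out as alpha (the generator), beta (the public key), gamma and delta (the two signature components). With p = 467, generator 2 and a = 127 the public key comes out as b = 132, and signing x = 108 with k = 211 gives the pair (124, 372); these values are computed here, the slide only asks for them.

```python
"""ElGamal signatures (slides 14-18) with the slide's parameters p = 467,
generator 2, private key a = 127, message x = 108, k = 211, plus the
repeated-k check motivated by slide 20.  Added example, not from the slides."""
import secrets
from math import gcd
from typing import Optional, Tuple

P, ALPHA, A = 467, 2, 127        # slide 18 parameters
BETA = pow(ALPHA, A, P)          # public key beta = alpha^a mod p


def elgamal_sign(x: int, k: Optional[int] = None, a: int = A) -> Tuple[int, int]:
    """Return (gamma, delta) = (alpha^k mod p, (x - a*gamma) * k^-1 mod (p-1)).
    k must be fresh for every signature, with 0 < k < p-1 and gcd(k, p-1) = 1."""
    if k is None:
        while True:
            k = secrets.randbelow(P - 2) + 1          # 1 <= k <= p-2
            if gcd(k, P - 1) == 1:
                break
    if not 0 < k < P - 1 or gcd(k, P - 1) != 1:
        raise ValueError("k must satisfy 0 < k < p-1 and gcd(k, p-1) = 1")
    gamma = pow(ALPHA, k, P)
    delta = ((x - a * gamma) * pow(k, -1, P - 1)) % (P - 1)
    return gamma, delta


def elgamal_verify(x: int, sig: Tuple[int, int], beta: int = BETA) -> bool:
    """Slide 16: accept iff beta^gamma * gamma^delta = alpha^x (mod p)."""
    gamma, delta = sig
    if not 0 < gamma < P:                              # reject out-of-range gamma
        return False
    lhs = (pow(beta, gamma, P) * pow(gamma, delta, P)) % P
    return lhs == pow(ALPHA, x, P)


def repeated_k(sigs) -> bool:
    """Slide 20: reusing k breaks the scheme.  Because gamma = alpha^k mod p,
    two signatures under the same key with equal gamma reveal a repeated k;
    a signer's self-check or a log monitor can flag this."""
    gammas = [gamma for gamma, _ in sigs]
    return len(set(gammas)) != len(gammas)


if __name__ == "__main__":
    sig = elgamal_sign(108, k=211)
    print("beta =", BETA, "signature =", sig, "valid:", elgamal_verify(108, sig))
```

The verification identity is beta^gamma * gamma^delta = alpha^(a*gamma) * alpha^(k*delta) = alpha^(a*gamma + x - a*gamma) = alpha^x, which is why the signer must reduce delta modulo p-1 (the order of the group) and not modulo p.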

Page 21: The Digital Signature Standard

• Based on the Digital Signature Algorithm (DSA)
  • A variation of the ElGamal signature scheme
  • See Textbook, page 294-297
• Sign the hash value of the message to keep the signature small
• The 160 bit SHA based hash value is signed with a 320 bit signature
• The value of p is around 2^512 to 2^1024
• Published in 1993 as a NIST FIPS PUBS 186 standard

Page 22: Modular Roots

• Definition
  • Let m, n be natural numbers, c be an integer and gcd(c, n) = 1
  • Let x^m = c mod n for some integer x
  • Then x is called the m-th root of c modulo n
  • And c is called an m-th power residue modulo n
• Example: x^2 = c mod n
  • x is called a square root mod n
  • c is called a quadratic residue mod n
• If the prime factors of n are known, then
  • We can use CRT to find the m-th roots modulo n
  • Otherwise, it is considered to be a hard problem, as hard as integer factorization for large n
• You can also have the m-th root modulo a prime number

Page 23: Schnorr Signature Scheme

• Setup
  • Choose a large prime number p
  • Choose a prime number q that divides p – 1
  • Choose a number in Zp* that is the q-th root of 1 mod p
    • What is the order of ?
  • Choose a private key KR = a in {2,3,4,…,q – 1}
  • Compute the public key KU = b = a mod p
  • Keys:
    • Public: KU = {p, q, , b}
    • Private: KR = {a}
• Let h(.) be a secure hash function (e.g., SHA-1 or RIPE-MD)

Page 24: Signing with private key

• Choose a random number k in Zq*
  • This means
    • 0 < k < q
• Compute the signature of the message x as
  sig_KR(x, k) = (,) where
    = h(x || k)
    = k + a mod q   (make use of private key here)
• g is 160 bits; the second component is log2 q bits

Page 25: Public Verification

• The verification function is:
  Ver_KU(x, (,))
  Check if h(x || b- ) =
  If true, the signature is valid
  If false, the signature is invalid
• Why does this work?
  • What is b- mod p?

Page 26: Digital Signature Algorithm

• Setup
  • Choose a prime number p that is L bits long where L is a multiple of 64 bits, larger than 512 bits and smaller than 1024 bits
  • Choose a prime number q that divides p – 1 and is 160 bits long
  • Choose a number in Zp* that is the q-th root of 1 mod p
    • What is the order of ?
  • Choose a private key KR = a in {2,3,4,…,q – 1}
  • Compute the public key KU = b = a mod p
  • Keys:
    • Public: KU = {p, q, , b}
    • Private: KR = {a}
• Let h(.) be the secure hash algorithm (SHA-1)

Page 27: Signing with private key

• Choose a random number k in Zq*
  • This means
    • 0 < k < q
• Compute the signature of the message x as
  sig_KR(x, k) = (,) where
    = (k mod p) mod q
    = (SHA-1(x) + a )k^-1 mod q   (make use of private key here)
• g is 160 bits; d is log2 q bits
• They CANNOT be zero

Page 28: Public Verification

• The verification function is: Ver_KU(x, (,))
  Compute
    e1 = SHA-1(x) -1 mod q
    e2 = -1 mod q
  Check if: (e1 b^e2 mod p) mod q =
  If true, the signature is valid
  If false, the signature is invalid
• Why does this work?
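Schnorr (slides 23 to 25) and DSA (slides 26 to 28) implemented side by side over the shared setup the two schemes use, as an added example that is not code from the slides. The toy group p = 1019, q = 509, the private key a = 123 and all function names are the example's own assumptions; SHA-1 is used only because the slides specify it. The comments carry the algebra behind each "Why does this work?" question.

```python
"""Schnorr (slides 23-25) and DSA (slides 26-28) over the shared setup the
slides describe: primes p and q with q | p-1, an element alpha of order q in
Z_p*, private key a, public key beta = alpha^a mod p.  Added example, not
from the slides.  The group is a constructed toy (p = 1019, q = 509); real
DSA uses a 160-bit q and a 512-1024-bit p."""
import hashlib
import secrets
from typing import Optional, Tuple

P, Q = 1019, 509                   # q divides p - 1 = 2 * 509
ALPHA = pow(2, (P - 1) // Q, P)    # element of order q: a q-th root of 1 mod p
assert ALPHA != 1 and pow(ALPHA, Q, P) == 1
A = 123                            # private key a in {2, ..., q-1}
BETA = pow(ALPHA, A, P)            # public key


def h_int(data: bytes) -> int:
    """SHA-1(data) as an integer, as the slides write SHA-1(x)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def int_bytes(v: int) -> bytes:
    return v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")


def random_k() -> int:
    return secrets.randbelow(Q - 1) + 1      # 0 < k < q, fresh per signature


# Schnorr, slide 24: gamma = h(x || alpha^k), delta = k + a*gamma mod q
def schnorr_sign(x: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    k = random_k() if k is None else k
    r = pow(ALPHA, k, P)
    gamma = h_int(x + int_bytes(r))
    delta = (k + A * gamma) % Q
    return gamma, delta


# Schnorr, slide 25: alpha^delta * beta^(-gamma) = alpha^(k + a*gamma - a*gamma) = alpha^k
def schnorr_verify(x: bytes, sig: Tuple[int, int], beta: int = BETA) -> bool:
    gamma, delta = sig
    r = (pow(ALPHA, delta, P) * pow(beta, -gamma, P)) % P
    return h_int(x + int_bytes(r)) == gamma


# DSA, slide 27: gamma = (alpha^k mod p) mod q, delta = (SHA-1(x) + a*gamma) * k^-1 mod q
def dsa_sign(x: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    while True:
        k = random_k() if k is None else k
        gamma = pow(ALPHA, k, P) % Q
        delta = ((h_int(x) + A * gamma) * pow(k, -1, Q)) % Q
        if gamma != 0 and delta != 0:      # slide 27: neither component may be zero
            return gamma, delta
        k = None                           # otherwise draw a fresh k and retry


# DSA, slide 28: e1 = SHA-1(x)*delta^-1, e2 = gamma*delta^-1; since
# delta*k = SHA-1(x) + a*gamma (mod q), alpha^e1 * beta^e2 = alpha^k, so
# reducing it mod p then mod q gives back gamma.
def dsa_verify(x: bytes, sig: Tuple[int, int], beta: int = BETA) -> bool:
    gamma, delta = sig
    if not (0 < gamma < Q and 0 < delta < Q):   # range check before inverting delta
        return False
    w = pow(delta, -1, Q)
    e1 = (h_int(x) * w) % Q
    e2 = (gamma * w) % Q
    v = ((pow(ALPHA, e1, P) * pow(beta, e2, P)) % P) % Q
    return v == gamma


if __name__ == "__main__":
    m = b"transfer 10 to Bob"
    print("Schnorr:", schnorr_verify(m, schnorr_sign(m)))
    print("DSA:", dsa_verify(m, dsa_sign(m)))
```

The two verifiers differ in where the range check matters: Schnorr's gamma is a hash output and needs no inversion, while DSA inverts delta modulo q, so a verifier must reject gamma = 0 or delta = 0 before doing any arithmetic, which is the reason slide 27 insists the signer never emits a zero component.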

Page 29: ECDSA

• ECDSA = Elliptic Curve Digital Signature Algorithm
• It is identical to DSA, but uses Elliptic Curves instead
• The notation is a little bit different, but the procedure is identical

Page 30: Blind Signatures

• Two party protocol between Alice and Bob
  • Alice sends Bob a piece of information
  • Bob signs the information and sends it back to Alice
  • Alice can now compute Bob’s signature over another message m of her choice
  • After this is done, Bob does not know either the message m or the signature associated with it

Page 31: Other signature schemes

• Undeniable signatures
  • Requires the cooperation of the signer to verify the signature
• One-time signature
  • A new public key is required for verification for each signature

Page 32: Other References

• http://www.epic.org/crypto/dss/
• http://www.itl.nist.gov/fipspubs/fip186.htm