
Cryptography and Network Security
Chapter 13
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 13 Digital Signatures
To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded.
The Golden Bough, Sir James George Frazer

Digital Signatures
have looked at message authentication
  but does not address issues of lack of trust
digital signatures provide the ability to:
  verify author, date & time of signature
  authenticate message contents
  be verified by third parties to resolve disputes
hence include authentication function with additional capabilities

Digital Signature Model

Attacks and Forgeries
attacks
  key-only attack
  known message attack
  generic chosen message attack
  directed chosen message attack
  adaptive chosen message attack
break success levels
  total break
  selective forgery
  existential forgery

Digital Signature Requirements
must depend on the message signed
must use information unique to sender
  to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
  with new message for existing digital signature
  with fraudulent digital signature for given message
be practical to save digital signature in storage

Direct Digital Signatures
involve only sender & receiver
assumed receiver has sender's public key
digital signature made by sender signing entire message or hash with private key
can encrypt using receiver's public key
important that sign first then encrypt message & signature
security depends on sender's private key

ElGamal Digital Signatures
signature variant of ElGamal, related to D-H
  so uses exponentiation in a finite (Galois) field
  with security based on difficulty of computing discrete logarithms, as in D-H
use private key for encryption (signing)
uses public key for decryption (verification)
each user (e.g. A) generates their key
  chooses a secret key (number): 1 < x_A < q-1
  compute their public key: y_A = a^{x_A} mod q

ElGamal Digital Signature
Alice signs a message M to Bob by computing
  the hash m = H(M), 0 <= m <= (q-1)
  choose random integer K with 1 <= K <= (q-1) and gcd(K, q-1) = 1
  compute temporary key: S_1 = a^K mod q
  compute K^{-1}, the inverse of K mod (q-1)
  compute the value: S_2 = K^{-1}(m - x_A S_1) mod (q-1)
  signature is: (S_1, S_2)
any user B can verify the signature by computing
  V_1 = a^m mod q
  V_2 = y_A^{S_1} S_1^{S_2} mod q
  signature is valid if V_1 = V_2

ElGamal Signature Example
use field GF(19), q = 19 and a = 10
Alice computes her key:
  A chooses x_A = 16 & computes y_A = 10^{16} mod 19 = 4
Alice signs message with hash m = 14 as (3,4):
  choosing random K = 5 which has gcd(18,5) = 1
  computing S_1 = 10^5 mod 19 = 3
  finding K^{-1} mod (q-1) = 5^{-1} mod 18 = 11
  computing S_2 = 11(14 - 16·3) mod 18 = 4
any user B can verify the signature by computing
  V_1 = 10^{14} mod 19 = 16
  V_2 = 4^3 · 3^4 = 5184 = 16 mod 19
  since 16 = 16 signature is valid

Schnorr Digital Signatures
also uses exponentiation in a finite (Galois) field
  security based on discrete logarithms, as in D-H
minimizes message dependent computation
  multiplying a 2n-bit integer with an n-bit integer
main work can be done in idle time
uses a prime modulus p
  p-1 has a prime factor q of appropriate size
  typically p 1024-bit and q 160-bit numbers

Schnorr Key Setup
choose suitable primes p, q
choose a such that a^q = 1 mod p
(a, p, q) are global parameters for all
each user (e.g. A) generates a key
  chooses a secret key (number): 0 < s_A < q
  compute their public key: v_A = a^{-s_A} mod q

Digital Signature Standard (DSS)

Schnorr Signature
user signs message by
  choosing random r with 0 < r < q and computing x = a^r mod p
  concatenate message with x and hash result, computing: e = H(M || x)
  computing: y = (r + se) mod q
  signature is pair (e, y)
any other user can verify the signature as follows:
  computing: x' = a^y v^e mod p
  verifying that: e = H(M || x')
DSS vs RSA Signatures

US Govt approved signature scheme
designed by NIST & NSA in early 90's
published as FIPS-186 in 1991
revised in 1993, 1996 & then 2000
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
DSA is digital signature only unlike RSA
is a public-key technique

Digital Signature Algorithm (DSA)
creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing discrete logarithms
variant of ElGamal & Schnorr schemes

DSA Key Generation
have shared global public key values (p,q,g):
  choose 160-bit prime number q
  choose a large prime p with 2^{L-1} < p < 2^L
    where L = 512 to 1024 bits and is a multiple of 64
    such that q is a 160 bit prime divisor of (p-1)
  choose g = h^{(p-1)/q}
    where 1 < h < p-1 and h^{(p-1)/q} mod p > 1
users choose private & compute public key:
  choose random private key: x < q
  compute public key: y = g^x mod p

DSA Signature Creation
to sign a message M the sender:
  generates a random signature key k, k < q
  nb. k must be random, be destroyed after use, and never be reused
then computes signature pair:
  r = (g^k mod p) mod q
  s = [k^{-1}(H(M) + xr)] mod q
sends signature (r,s) with message M

DSA Signature Verification
having received M & signature (r,s)
to verify a signature, recipient computes:
  w = s^{-1} mod q
  u1 = [H(M)w] mod q
  u2 = (rw) mod q
  v = [(g^{u1} y^{u2}) mod p] mod q
if v = r then signature is verified
see Appendix A for details of proof why
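
DSA signing and verification as defined on the slides above, together with a check for the rule that k is never reused, as an added Python example (not from the slides or the textbook). The parameters p = 607, q = 101, g = 64 are constructed toy values, SHA-256 stands in for the SHA hash, and reused_nonce_pairs is a hypothetical helper name.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use:
# q is a prime divisor of p-1 and g = 2^((p-1)/q) mod p, so g has order q.
P, Q, G = 607, 101, 64

def H(message: bytes) -> int:
    """H(M) as an integer; SHA-256 is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 0 < x < q
    return x, pow(G, x, P)                    # public key y = g^x mod p

def sign(message: bytes, x: int, k=None):
    """Sign with a fresh random k. A fixed k is accepted only so the
    reuse check below can be demonstrated; never pass one in practice."""
    while True:
        nonce = k or secrets.randbelow(Q - 1) + 1
        r = pow(G, nonce, P) % Q
        s = pow(nonce, -1, Q) * (H(message) + x * r) % Q
        if (r and s) or k:                    # a random k is retried if r or s is 0
            return r, s

def verify(message: bytes, sig, y: int) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):         # reject out-of-range values first
        return False
    w = pow(s, -1, Q)
    u1 = H(message) * w % Q
    u2 = r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r

def reused_nonce_pairs(signatures):
    """Index pairs of signatures made under one key that share r.
    With a real-size q, equal r means the same k was used twice,
    which exposes the private key x."""
    first_seen, pairs = {}, []
    for i, (r, _s) in enumerate(signatures):
        if r in first_seen:
            pairs.append((first_seen[r], i))
        else:
            first_seen[r] = i
    return pairs
```

Because r does not depend on the message, the duplicate-r check can run over a log of issued signatures without access to the messages or the key.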

DSS Overview

Summary
have discussed:
  digital signatures
  ElGamal & Schnorr signature schemes
  digital signature algorithm and standard
