When, in the

course of…

1976 Diffie-Hellman: dream of digital signatures

 When, in the
course of…

1adh84naf89hq32nvsd8
puwqhevhphvdfp9ufew7u
2rasdfohaqsedhfdasjf;

1976 Diffie-Hellman: dream of digital signatures

1978 Rivest-Shamir-Adleman: first implementation
 Objective
s a digital signature
 To define

 To define security services provided by a digital

signature
 To define attacks on digital signatures
 To discuss some digital signature schemes, including
RSA, ElGamal,DSS
To describe some applications of digital signatures
 Paper Signatures V/s Digital Signatures

Paper Electronic
Signature is a part of Signature is not a part of
physical document physical document. The
algorithm “bind” the
signature to the message.
V/s
Compare it to other authentic Verification algorithm
signatures

McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000

 Paper Signatures V/s Digital Signatures

Parameter Paper Electronic

Authenticity May be forged Can not be copied

Signature Signature depends

V/s Integrity independent of the on the contents of
document the document

a. Handwriting a. Any computer

Non- expert needed user
repudiation b. Error prone b. Error free

McGraw-Hill ©The McGraw-Hill Companies, Inc., 2000

 COMPARISON

Let us begin by looking at the differences between

conventional signatures and digital signatures.
 Inclusion

A conventional signature is included in the document; it

is part of the document. But when we sign a document
digitally, we send the signature as a separate document.
 Verification Method

For a conventional signature, when the recipient receives

a document, she compares the signature on the document
with the signature on file. For a digital signature, the
recipient receives the message and the signature. The
recipient needs to apply a verification technique to the
combination of the message and the signature to verify
the authenticity.
 Relationship

For a conventional signature, there is normally a one-to-

many relationship between a signature and documents.
For a digital signature, there is a one-to-one relationship
between a signature and a message.
 Duplicity

In conventional signature, a copy of the signed document

can be distinguished from the original one on file. In
digital signature, there is no such distinction unless there
is a factor of time on the document.
 PROCESS

Figure shows the digital signature process. The sender

uses a signing algorithm to sign the message. The
message and the signature are sent to the receiver. The
receiver receives the message and the signature and
applies the verifying algorithm to the combination. If
the result is true, the message is accepted; otherwise, it
is rejected.

Topics discussed in this section:

Need for Keys
Signing the Digest
Continued

Figure Digital signature process

 Need for Keys

Figure Adding key to the digital signature process

A digital signature needs a public-key system.

Private Key – Used for making Digital Signature

Public Key – Used to verify the Digital Signature
 Continued

A cryptosystem uses the private and public keys of the

receiver:
a digital signature uses
the private and public keys of the sender.
Signing the Digest

Figure Signing the digest

 SERVICES

We discussed several security services in Chapter 1

including message confidentiality, message authentication,
message integrity, and nonrepudiation. A digital signature
can directly provide the last three; for message
confidentiality we still need encryption/decryption.

Topics discussed in this section:

Message Authentication
Message Integrity
Nonrepudiation
 Message Authentication

When ownership of a digital signature secret key is bound

to a specific user, a valid signature shows that the
message was sent by that user.

A digital signature provides message

authentication.
 Message Integrity

Although encryption hides the contents of a message, it may be

possible to change an encrypted message without understanding it.
However, if a message is digitally signed, any change in the
message will invalidate the signature. Furthermore, there is no
efficient way to modify a message and its signature to produce a
new message with a valid signature, because this is still considered
to be computationally infeasible by most cryptographic hash
functions.

A digital signature provides message integrity.

 Nonrepudiation
A user cannot repudiate a signed message
without repudiating their signature key.

Note

Nonrepudiation can be provided using a trusted

party.
 Confidentiality

Figure Adding confidentiality to a digital signature scheme

A digital signature does not provide privacy.

If there is a need for privacy, another layer of
encryption/decryption must be applied.
 ATTACKS ON DIGITAL SIGNATURE

This section describes some attacks on digital

signatures and defines the types of forgery.

Attack Types
Forgery Types
 Attack Types

Key-Only Attack

the attacker is only given the public verification key.

Known-Message Attack
the attacker is given valid signatures for a variety of messages
known by the attacker but not chosen by the attacker.

Chosen-Message Attack
the attacker first learns signatures on arbitrary messages of the
attacker's choice.
 Forgery Types

Existential Forgery

Existential forgery is the creation (by an adversary) of any

message/signature pair (m,σ), where σ was not produced by
the legitimate signer.

Selective Forgery

Selective forgery is the creation (by an adversary) of a

message/signature pair (m,σ) where m has been chosen
by the adversary prior to the attack.
 must depend on the message signed
 must use information unique to sender
 to prevent both forgery and denial
 must be relatively easy to produce
 must be relatively easy to recognize & verify
 be computationally infeasible to forge
 with new message for existing digital signature
 with fraudulent digital signature for given message
 be practical save digital signature in storage
 DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during

the last few decades. Some of them have been
implemented.

Topics discussed in this section:

RSA Digital Signature Scheme
ElGamal Digital Signature Scheme
Digital Signature Standard (DSS)
 Continued
Key Generation
Key generation in the RSA digital signature scheme is
exactly the same as key generation in the RSA

In the RSA digital signature scheme, d is private;

e and n are public.
RSA Public Key Cryptosystem and Digital Signature Scheme

 Rivest, Shamir, and Adleman proposed in 1978

 RSA Public Key Cryptosystem
◆ Security Basis: Factorization Problem.
◆ Construction:
1. Choose two large prime numbers P and Q, then
compute
N=P×Q.
2. Select an integer e such that gcd(e, (N))=1.
3. Compute d such that e×d mod (N)=1.
4. Public key = (N, e).
5. Private key = (P, Q, d).

29
 Continued

Signing and Verifying

Figure RSA digital signature scheme

 RSA Digital Signature Scheme

 RSA Digital Signature Scheme

 Sign Function: Signature S=Md mod N.
 Verification Function: M=Se mod N.

 Example
1. P=11,Q=13, N=143, and (143)=120.
2. e=103, then d=7 (for 103×7 mod 120=1 ).
3. Sign for M=3: S=37 mod 143=42.
4. Verification: M= Se mod N = 42103 mod 143=3.

31
 Continued

RSA Signature on the Message Digest

Figure The RSA signature on the message digest
 Continued

When the digest is signed instead of the message

itself, the susceptibility of the RSA digital signature
scheme depends on the strength of the hash
algorithm.
 ElGamal Digital Signature Scheme

Figure General idea behind the ElGamal digital signature scheme

 ElGamal Digital Signature Scheme

 ElGamal proposed in 1985

 ElGamal Public Key Cryptosystem
Construction:
• Choose a large prime number p so that Discrete Logarithm
Problem is intractable in Zp*
• Let e1 be a primitive element in Zp*
• Alice selects her private key d to be less than p-1
• She calculates her public key as e2 = e1d mod p.
Public key : (e1, e2, p)
private key : d

35
 Continued

Key Generation
The key generation procedure here is exactly the same as
the one used in the cryptosystem.
Design of ElGamal digital siganture system: choose: prime p, integers
1 e1  d p, e1 be a primitive element of Zp*;

Compute: e2 = e1 d mod p

Public key : (e1, e2, p)

private key : d

In ElGamal digital signature scheme, (e1, e2, p) is

Alice’s public key; d is her private key.
 ElGamal Digital Signature Scheme

 Sign Function:

1. Alice selects a random integer r in Zp-1* such that

gcd(r, p-1 )=1.
2. She computes the first signature s1 = e1r mod p
She computes the second signature
s2 = (M-d s1) r -1 mod p-1
Alice sends M , s1, s2 to Bob
Verification Function:
1. Bob checks 0< s1 < p and 0< s2 < p-1
2. Bob computes V1 = e1M mod p
V2 = e2 s1 s1s2 mod p.
3.If V1= V2 the message is accepted ; otherwise it is
37
rejected
 Continued

Verifying and Signing

Figure ElGamal digital signature scheme

 ElGamal Digital Signature Scheme
 Example
1. P=23, g=5.
2. x=3, then y=10 (for 53 mod 23=10 ).
3. Sign for the message M=8.
4. Select k=5 between 1 and 22 (P-1).
5. Compute r = gk mod P = 55 mod 23 = 20.
6. Compute s = k-1(M-xr) mod (P-1) = 5-1(8-3×20) mod 22 =
9×14 mod 22 = 16.
7. Verification:
gM= 58 mod 23 =16
(rs)(yr) mod P = 2016 × 1020 mod 23= 13×3 mod 23 = 16.

39
ELGAMAL SIGNATURES
Example choose: p = 11, q = 2, x = 8
 compute: y = 28 mod 11 = 3

 Signing of w = 5,

choose k = 9 - O.K. because gcd(9, 10) = 1

 compute a = 29 mod 11 = 6
 solve equation: 5  8 · 6 + 9b (mod 10)
 that is 7  9b (mod 10)  b=3

 signature: (6, 3)
 Digital signatures 41

SECURITY OF ELGAMAL SIGNATURES

Let us analyze several ways an eavesdropper Eve can try to forge ElGamal signature (with x -
secret; p, q and y = q x mod p - public):
sig(w, r) = (a, b);
where r is random and a = q r mod p; b = (w - xa)r –1 (mod p –1).

1. First suppose Eve tries to forge signature for a new message w , without knowing x.

•If Eve first chooses a value a and tries to find the corresponding b, it has to compute the discrete
logarithm
lg q w y -a,
a

because a b  q r (w - xa) r^(-1)  q w - xa  q w y -a.

• If Eve first chooses b and then tries to find a, she has to solve the equation
y a a b  q xa q rb  q w (mod p).
It is not known whether this equation can be solved for a efficiently.

2. If Eve chooses a and b and tries to determine w, then she has to compute discrete logarithm
lg q y a a b.
Hence, Eve can not sign a “random” message this way.
FORGING AND MISUSING OF ELGAMAL SIGNATURES
There are ways how to produce, using ElGamal signature scheme, validforged signatures, but
they do not allow an opponent to forge signatures on messages of his/her choice.
For example, if 0 Ł i, j Ł p -2 and gcd(j, p -1) = 1, then for

a = q i y j mod p; b = -aj -1 mod (p -1); w = -aij -1 mod (p -1)

the pair

(a, b) is a valid signature of the message w.

This can be easily shown by checking the verification condition.

There are several ways ElGamal signatures can be broken if they are used not carefully enough.

For example, the random r used in the signature should be kept secret. Otherwise the system can
be broken and signatures forged. Indeed, if r is known, then x can be computed by
x = (w - rb) a -1 mod (p -1)

andonce x is known Eve can forge signatures at will.

Another misuse of the ElGamal signature system is to use the same r to sign two messages. In

such a case x can be computed and system can be broken.

 In December 1994, on the proposal of the
National Institute of Standards and Technology,
the following Digital Signature Algorithm (DSA)
was accepted as a standard.
 DSA is a modification of ElGamal digital
signature scheme. It was proposed in August
1991 and adopted in December 1994.
FROM ELGAMAL TO DSA
Any proposal for digital signature standard has to go through a very careful
scrutiny. Why?
Encryption of a message is usually done only once and therefore it usually suffices
to use a cryptosystem that is secure at the time of the encryption.
On the other hand, a signed message could be a contract or a will and it can
happen that it will be needed to verify a signature many years after the message
is signed.
Since ElGamal signature is no more secure than discrete logarithm, it is necessary
to use large p, with at least 512 bits.
However, with ElGamal this would lead to signatures with at least 1024bits what is
too much for such applications as smart cards.
In DSA a 160 bit message is signed using 320-bit signature, but computation is
done modulo with 512-1024 bits.
Observe that y and a are also q-roots of 1. Hence any exponents of r,y and a can
be reduced module q without affecting the verification condition.
This allowed to change ElGamal verification condition: y a a b = q w.
•INPUT: Domain parameters (p=283,q=47,g=60)(p=283,q=47,g=60)
•INPUT: Alice's private key, a=24a=24
•INPUT: Message MM with message digest h=Hash(M)=41h=Hash(M)=41.
1.Alice chooses a random k=15k=15 in the range [1,q−1][1,q−1]
2.Alice computes X=gkmodp=6015mod283=207X=gkmodp=6015mod283=207 and
r=Xmodq=207mod47=19r=Xmodq=207mod47=19.
r≠0r≠0 so continue.
3.Alice computes k−1modq=15−1mod47=22k−1modq=15−1mod47=22.
4.Alice computes h=Hash(M)=41h=Hash(M)=41.
5.Alice
computes s=k−1(h+ar)modq=22(41+24⋅19)mod47=30s=k−1(h+ar)modq=22(41+24⋅1
9)mod47=30.
s≠0s≠0 so continue.
6.Alice issues the message MM and signature (r,s)=(19,30)(r,s)=(19,30).
•INPUT: Domain parameters (p=283,q=47,g=60)(p=283,q=47,g=60)
•INPUT: Alice's private key, a=24a=24
•INPUT: Message MM with message digest h=Hash(M)=41h=Hash(M)=41.
1.Alice chooses a random k=15k=15 in the range [1,q−1][1,q−1]
2.Alice computes X=gkmodp=6015mod283=207X=gkmodp=6015mod283=207 and
r=Xmodq=207mod47=19r=Xmodq=207mod47=19.
r≠0r≠0 so continue.
3.Alice computes k−1modq=15−1mod47=22k−1modq=15−1mod47=22.
4.Alice computes h=Hash(M)=41h=Hash(M)=41.
5.Alice
computes s=k−1(h+ar)modq=22(41+24⋅19)mod47=30s=k−1(h+ar)modq=22(41+24⋅19)mod47
=30.
s≠0s≠0 so continue.
6.Alice issues the message MM and signature (r,s)=(19,30)(r,s)=(19,30).
•INPUT: Domain parameters (p=283,q=47,g=60)(p=283,q=47,g=60)
•INPUT: Alice's public key, A=158A=158
•INPUT: Message MM with message digest h=Hash(M)=41h=Hash(M)=41.
•INPUT: Signature (r,s)=(19,30)(r,s)=(19,30).
1.Bob verifies that 0<r=19<470<r=19<47 and 0<s=30<470<s=30<47 ⇒⇒ OK, so
continue.
2.Bob computes w=s−1modq=30−1mod47=11w=s−1modq=30−1mod47=11.
3.Bob computes h=Hash(M)=41h=Hash(M)=41.
4.Bob computes u1=hwmodq=41⋅11mod47=28u1=hwmodq=41⋅11mod47=28 and
u2=rwmodq=19⋅11mod47=21u2=rwmodq=19⋅11mod47=21.
5.Bob
computes X=gu1Au2modp=6028⋅15821mod283=106⋅42mod283=207X=gu1Au2modp=6
028⋅15821mod283=106⋅42mod283=207 and
v=Xmodq=207mod47=19v=Xmodq=207mod47=19.
6.Bob checks that v=19=rv=19=r, so he accepts the signature.

THANK YOU