Term2 Updated

Uploaded by Uday Saraswat

Algebraic Structures 12-1

• Cryptography requires sets of integers and specific operations that are defined for those sets.
• The combination of the set and the operations that are applied to the elements of the set is called an algebraic structure.

Common algebraic structures (figure in the original slide): groups, rings and fields, each adding requirements to the previous one.


Group 12-2

• A group (G) is a set of elements with a binary operation (•) that satisfies four properties. A commutative (abelian) group satisfies an extra property, commutativity.

• Closure: if a and b are elements of G, then c = a•b is also an element of G.
• Associativity: if a, b and c are elements of G, then (a•b)•c = a•(b•c).
• Commutativity: for all a and b in G, a•b = b•a.
• Existence of identity: there exists an identity element e in G such that, for all a in G, e•a = a•e = a.
• Existence of inverse: for all a in G, there exists an element a' in G such that a•a' = a'•a = e.
Group 12-3
Examples of Group 12-4

• The set of residue integers with the addition operator, G = <Zn, +>, is a commutative group.
• The set Zn* (the integers in Zn that are coprime to n) with the multiplication operator, G = <Zn*, ×>, is also an abelian group.
• Let us define a set G = <{a, b, c, d}, •> with the operation as shown in the table below (table in the original slide).
Ring 12-5
Ring 12-6

• A ring, R = <{…}, •, □>, is an algebraic structure with two operations.
• The first operation must satisfy all five properties of an abelian group. The second operation must satisfy only the first two (closure and associativity) for a ring, and also the third (commutativity) for a commutative ring.
• In addition, the second operation must distribute over the first one. For all a, b and c in R:
  a □ (b•c) = (a □ b)•(a □ c) and (a•b) □ c = (a □ c)•(b □ c)
• The set Z with two operations, addition and multiplication, is a commutative ring, written R = <Z, +, ×>. Addition satisfies all five properties; multiplication satisfies only closure, associativity and commutativity (1 is a multiplicative identity, but most integers have no multiplicative inverse in Z).
Field 12-7

• A field, denoted by F = <{…}, •, □>, is a commutative ring in which the second operation satisfies all five properties defined for the first operation, except that the identity of the first operation (the zero) has no inverse with respect to the second operation.
Finite Fields 12-8

• Galois showed that for a field to be finite, the number of elements must be p^n, where p is a prime and n is a positive integer.
• A Galois field, GF(p^n), is a finite field with p^n elements.
• A very common field in this category is GF(2), with the set {0, 1} and two operations, addition (XOR) and multiplication (AND), as shown in the figure below.
Finite Fields 12-9

• We can define GF(5) on the set Z5 (5 is a prime) with addition and multiplication modulo 5, as shown in the figure below. For a composite n, Zn with the same operations is a ring but not a field, because some nonzero elements have no multiplicative inverse.
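Added example (not part of the original slides): a brute-force check of the group, ring and field axioms on Z_n, covering the examples <Zn, +>, <Zn*, ×> and GF(p) from slides 12-4 to 12-9. The moduli used in the demo and the helper names are my own choices; the checks enumerate every pair and triple, so they are meant for small n only.

```python
# Added example (not from the original slides): checking the group and field
# axioms of Z_n by exhaustive enumeration. Small n only; every pair/triple is tested.
from math import gcd


def z_n_additive(n):
    """<Z_n, +>: elements 0..n-1 with addition modulo n."""
    return list(range(n)), (lambda a, b: (a + b) % n)


def z_n_star(n):
    """<Z_n*, x>: the units of Z_n (integers coprime to n) with multiplication modulo n."""
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n)


def is_group(elements, op, need_commutative=False):
    """True if (elements, op) satisfies closure, associativity, identity and
    inverses (plus commutativity when need_commutative is set)."""
    s = set(elements)
    # Closure: every a op b stays inside the set.
    if any(op(a, b) not in s for a in elements for b in elements):
        return False
    # Associativity: (a op b) op c == a op (b op c) for every triple.
    if any(op(op(a, b), c) != op(a, op(b, c))
           for a in elements for b in elements for c in elements):
        return False
    # Commutativity (only required for abelian groups).
    if need_commutative and any(op(a, b) != op(b, a) for a in elements for b in elements):
        return False
    # Identity: exactly one e with e op a == a op e == a for all a.
    idents = [e for e in elements if all(op(e, a) == a == op(a, e) for a in elements)]
    if len(idents) != 1:
        return False
    e = idents[0]
    # Inverse: every a has some a' with a op a' == a' op a == e.
    return all(any(op(a, b) == e == op(b, a) for b in elements) for a in elements)


def is_field(p):
    """<Z_p, +, x> is a field iff <Z_p, +> is an abelian group and the nonzero
    elements form an abelian group under x (distributivity holds in Z_n for every n)."""
    add_elems, add = z_n_additive(p)
    mul_elems = list(range(1, p))
    mul = lambda a, b: (a * b) % p
    return is_group(add_elems, add, True) and is_group(mul_elems, mul, True)


def multiplicative_inverse_table(p):
    """For a field GF(p), map each nonzero element to its multiplicative inverse."""
    return {a: next(b for b in range(1, p) if (a * b) % p == 1) for a in range(1, p)}


if __name__ == "__main__":
    print("Z_6 additive group:", is_group(*z_n_additive(6), need_commutative=True))
    print("Z_6* multiplicative group:", is_group(*z_n_star(6), need_commutative=True))
    print("Z_5 is a field:", is_field(5), " Z_6 is a field:", is_field(6))
    print("inverses in GF(5):", multiplicative_inverse_table(5))
```

Running the script shows why the slides insist on p being prime: Z_6 passes the additive test and Z_6* passes the multiplicative test, but the full set {1..5} under multiplication mod 6 fails closure (2 × 3 = 0), so Z_6 is not a field while Z_5 is.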
Message Authentication & MAC 12-10

• In the context of communication across the network, the following attacks can be identified:

1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Source repudiation
8. Destination repudiation
Authentication Requirements 12-11

• Measures to deal with attacks 1 and 2 come under message confidentiality (privacy).
• Measures to deal with attacks 3 to 6 come under message authentication.
• Measures to deal with attack 7 come under digital signatures; a digital signature may also be used to address attacks 3 to 6.
• Dealing with attack 8 requires a digital signature along with a protocol designed to counter this attack.
Authentication Functions 12-12

• Any message authentication mechanism fundamentally has two levels.
• At the lower level some authenticator is generated; at the next level, the generated authenticator is used to authenticate the message.
• Three types of functions may be used to produce the authenticator:
• Message encryption: the ciphertext of the entire message serves as the authenticator.
• Message authentication code (MAC): a function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
• Hash function: a function that maps a message of any length to a fixed-length value that serves as the authenticator.
Message Encryption 12-13
Message Authentication Code (MAC) 12-14

• Here the MAC function C creates a small fixed-size block that depends on both the message M and a shared secret key K.
• The MAC is appended to the message M.

MAC = C_K(M)

M: message
K: secret key
C: MAC function
MAC: message authentication code
Message Authentication Code (MAC) 12-15
MAC function Analysis 12-16

• Cryptanalysis can be done as follows:
• Suppose k > n, where k is the key size and n is the MAC size in bits.
• The attacker is given a known M1 and MAC1 with MAC1 = C_K1(M1).
• The cryptanalyst computes MACi = C_Ki(M1) for all 2^k possible key values.
• At least one key is guaranteed to produce a match MACi = MAC1.
• As there are only 2^n possible MAC values and 2^n < 2^k keys, a number of keys will produce the correct MAC.
• On average, 2^k / 2^n = 2^(k-n) keys will produce a match, so one known pair does not identify the key; each further known (M, MAC) pair cuts the surviving candidates by another factor of about 2^n.
Requirements of MAC function 12-17

• The MAC function must satisfy the following requirements:
• If an opponent observes M and C_K(M), it is computationally infeasible for the opponent to construct a message M' such that C_K(M') = C_K(M).
• C_K(M) should be uniformly distributed, so that for randomly chosen messages M and M' the probability that C_K(M) = C_K(M') is 2^-n, where n is the number of bits in the MAC.
Hash Functions 12-18

• A variation of the MAC is the one-way hash function.
• A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as H(M). Unlike a MAC it takes no secret key, so the hash code has to be protected in one of the following ways.

(a) Encrypt the message plus the hash code.
(b) Encrypt only the hash code with a shared secret key.
Hash Functions 12-19

(c) Compute the hash code of the message plus a secret value (the secret value itself is not transmitted).
(d) Encrypt the result of (c).
Requirements of Hash function 12-20

• H can be applied to a block of data of any size.
• H produces a fixed-length output.
• H(x) is relatively easy to compute for any given x.
• For any given h, it is computationally infeasible to find x such that H(x) = h. This is referred to as the one-way (preimage resistance) property.
• For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). This is referred to as weak collision resistance (second-preimage resistance).
• It is computationally infeasible to find a pair (x, y) such that H(x) = H(y). This is referred to as strong collision resistance.
Security of Hash Function & MACs 12-21

• We can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
• Brute-force attack:
• Hash functions: the attacker targets one of the three properties.
• One-way: for a given h, find x such that H(x) = h.
• Weak collision resistance: for a given block x, find y ≠ x with H(y) = H(x).
• Strong collision resistance: find any pair (x, y) with H(x) = H(y).
Security of Hash Function & MACs 12-22

• For a code of length n bits, the level of effort required is proportional to the following:
• One-way: 2^n
• Weak collision resistance: 2^n
• Strong collision resistance: 2^(n/2) (the birthday attack)
Security of Hash Function & MACs 12-23

• Brute-force attack:
• MAC: given a fixed message x with n-bit MAC code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check whether H(y) = H(x).
• There are two lines of attack: attack the key space and attack the MAC value.
• Attack on the key space: suppose the key size is k bits and the attacker has one known text-MAC pair. Then the attacker can compute the n-bit MAC on the known text for all possible keys.
• At least one key is guaranteed to produce the correct match.
• This phase of the attack takes a level of effort proportional to 2^k.
Security of Hash Function & MACs 12-24

• Attack on the MAC space: the objective is to generate a valid MAC value for a given message, or to find a message that matches a given MAC value.
• The level of effort is comparable to that for attacking the one-way or weak-collision-resistance property of a hash function: 2^n.
• Finally, the level of effort for a brute-force attack on a MAC algorithm can be expressed as min(2^k, 2^n).
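Added example (not part of the original slides) for the key-space analysis on slides 12-16 and 12-23/12-24: a toy MAC with a k-bit key and an n-bit output is brute-forced over the whole key space from one known (message, MAC) pair, showing that about 2^(k-n) keys survive, and that a second pair cuts the survivors to one. The MAC construction (HMAC-SHA256 truncated to n bits), the key and message sizes, and the secret key are all constructed for the demo.

```python
# Added example (not from the original slides): brute-forcing the key space of a
# short MAC. The MAC is constructed for the demo: HMAC-SHA256 truncated to n bits,
# keyed with a k-bit key. With k > n, about 2^(k-n) keys match one known pair.
import hmac, hashlib

KEY_BITS = 16   # k: toy key size, small enough that 2^k HMACs run in well under a second
MAC_BITS = 8    # n: toy MAC size


def toy_mac(key: int, message: bytes, key_bits=KEY_BITS, mac_bits=MAC_BITS) -> int:
    """n-bit MAC = leading n bits of HMAC-SHA256(key, message)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    digest = hmac.new(key_bytes, message, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - mac_bits)


def candidate_keys(pairs, key_bits=KEY_BITS, mac_bits=MAC_BITS):
    """All keys consistent with every known (message, MAC) pair: effort 2^k."""
    return [k for k in range(1 << key_bits)
            if all(toy_mac(k, m, key_bits, mac_bits) == t for m, t in pairs)]


def expected_matches(key_bits=KEY_BITS, mac_bits=MAC_BITS, known_pairs=1):
    """Slide estimate: 2^k keys, 2^n MAC values -> 2^(k-n) survivors per known pair."""
    return 2 ** (key_bits - known_pairs * mac_bits)


def brute_force_effort(key_bits, mac_bits):
    """Attacker picks the cheaper of the two lines of attack: min(2^k, 2^n)."""
    return min(2 ** key_bits, 2 ** mac_bits)


if __name__ == "__main__":
    secret = 0xBEEF                                       # constructed 16-bit secret key
    m1, m2 = b"transfer 100", b"transfer 200"             # constructed messages
    pair1 = [(m1, toy_mac(secret, m1))]
    survivors = candidate_keys(pair1)
    print(f"{len(survivors)} keys match one pair; slide estimate {expected_matches()}")
    survivors2 = candidate_keys(pair1 + [(m2, toy_mac(secret, m2))])
    print(f"{len(survivors2)} key(s) match two pairs:", [hex(k) for k in survivors2])
    print("effort for k=128, n=32:", brute_force_effort(128, 32))
```

The number of survivors varies from run to run only through the choice of secret and messages; with 2^16 keys and 2^8 tag values it lands near 256, as the slide's 2^(k-n) predicts. Real MACs keep both k and n large enough that min(2^k, 2^n) is out of reach (for example a 128-bit key with a 128-bit tag).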
Birthday Problems 12-25

• Four different birthday problems usually appear in probability.
• The third problem is referred to as the birthday paradox.
Birthday Problems 12-26

• Problem 1: What is the minimum number, k, of students in a classroom such that it is likely that at least one student has a predefined birthday?
• We have a uniformly distributed random variable with N possible values; what is the minimum number of instances k such that it is likely that at least one instance is equal to a predefined value?
• Problem 2: What is the minimum number, k, of students in a classroom such that it is likely that at least one student has the same birthday as the student selected by the professor?
• We have a uniformly distributed random variable with N possible values; what is the minimum number of instances k such that it is likely that at least one instance is equal to the selected one?
Birthday Problems 12-27

• Problem 3: What is the minimum number, k, of students in a classroom such that it is likely that at least two students have the same birthday?
• We have a uniformly distributed random variable with N possible values; what is the minimum number of instances k such that it is likely that at least two instances are equal?
• Problem 4: We have two classes, each with k students. What is the minimum value of k so that it is likely that at least one student from the first classroom has the same birthday as a student from the second classroom?
• We have a uniformly distributed random variable with N possible values. We generate two sets of random values, each with k instances. What is the minimum number k such that it is likely that at least one instance from the first set is equal to one instance in the second set?
Birthday Problems 12-28

• 23 is the solution to the classical birthday paradox (Problem 3). If there are just 23 students in a classroom, it is likely (P > 1/2) that two students have the same birthday (ignoring the year of birth). For an n-bit hash this is Problem 3 with N = 2^n, which is why a collision can be found with about 2^(n/2) trials while a preimage (Problem 1) needs about 2^n.
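Added example (not part of the original slides): the four birthday problems of slides 12-26 to 12-28 solved numerically for N = 365, then the same formulas applied to an n-bit hash with N = 2^n to recover the 2^n and 2^(n/2) effort figures from slide 12-22. The function names are my own; Problem 4 uses the standard approximation 1 - (1 - 1/N)^(k²).

```python
# Added example (not from the original slides): the four birthday problems solved
# numerically, then the same formulas applied to an n-bit hash (N = 2^n).
import math


def p_match_fixed(N, k):
    """Problems 1 and 2: P(at least one of k draws equals one fixed value)."""
    return 1 - (1 - 1 / N) ** k


def p_any_collision(N, k):
    """Problem 3: P(at least two of k draws coincide), exact product form."""
    no_collision = 1.0
    for i in range(k):
        no_collision *= 1 - i / N
    return 1 - no_collision


def p_cross_collision(N, k):
    """Problem 4: P(some value of set A equals some value of set B), |A| = |B| = k.
    Uses the standard approximation 1 - (1 - 1/N)^(k*k)."""
    return 1 - (1 - 1 / N) ** (k * k)


def min_k(prob_fn, N, target=0.5):
    """Smallest k with prob_fn(N, k) > target, by linear search."""
    k = 1
    while prob_fn(N, k) <= target:
        k += 1
    return k


def hash_attack_cost_bits(n):
    """For an n-bit digest (N = 2^n): preimage and second preimage cost ~2^n work
    (Problem 1); a collision costs ~sqrt(2 ln 2 * N) ~ 2^(n/2) work (Problem 3 with
    k^2 / 2N ~ ln 2). Returns log2 of each cost."""
    return {"preimage": n, "second_preimage": n,
            "collision": math.log2(math.sqrt(2 * math.log(2) * 2 ** n))}


if __name__ == "__main__":
    print("Problem 1/2:", min_k(p_match_fixed, 365))      # 253
    print("Problem 3  :", min_k(p_any_collision, 365))    # 23
    print("Problem 4  :", min_k(p_cross_collision, 365))  # 16
    print("SHA-1 (n=160) attack costs, log2:", hash_attack_cost_bits(160))
```

The contrast between 253 (Problem 1) and 23 (Problem 3) for the same N is the whole point: an attacker who only needs any two colliding inputs, rather than a match to a fixed target, gets a square-root speedup, so a 160-bit hash gives about 80 bits of collision resistance.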
Asymmetric Key cryptosystem 12-29

• Main ingredients of a public-key cryptosystem:
• Plaintext
• Encryption algorithm
• Public and private keys
• Ciphertext
• Decryption algorithm
Public Key Cryptography: Encryption 12-30
Public Key Cryptography: Authentication 12-31
RSA algorithm 12-32

• Named after its inventors Ron Rivest, Adi Shamir and Len Adleman.
• RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some modulus n.
• The typical size of n quoted on these slides is 1024 bits (309 decimal digits); 1024-bit moduli are no longer considered adequate, and current guidance calls for at least 2048 bits.
RSA Algorithm 12-33
RSA Example 12-34

• Select two prime numbers: p = 5, q = 7.
• n = 5 × 7 = 35
• ɸ(n) = (5-1)(7-1) = 24
• e = 5; d = 5; (e × d) mod ɸ(n) = 25 mod 24 = 1.
• Take plaintext M = 2; after encryption, C = 2^5 mod 35 = 32.
• Decrypting the ciphertext: 32^5 mod 35 = 2. (Hint: 32^5 = 33554432.)
Potential Attacks of RSA 12-35

Figure 10.8 Taxonomy of potential attacks on RSA

Attacks on RSA 12-36

• Factorization: Eve can factor n to obtain p and q and can then calculate ɸ(n) = (p-1)(q-1). She can then calculate the inverse d such that e × d mod ɸ(n) = 1.
• Chosen ciphertext attack: assume that A creates the ciphertext C = P^e mod n and sends C to B. Eve intercepts C and uses the following steps to find P.

1. Eve chooses a random integer X in Zn*.
2. Eve calculates Y = C × X^e mod n.
3. Eve sends Y to B for decryption and gets Z = Y^d mod n (the chosen ciphertext). Y looks like random data to B, so B sees no reason to refuse.
4. Eve can find P because
Z = Y^d mod n = (C × X^e)^d mod n = (C^d × X^(ed)) mod n = (C^d × X) mod n = (P × X) mod n
Z = (P × X) mod n → P = (Z × X^-1) mod n
Attacks on RSA 12-37

• Attack on the encryption exponent: the broadcast attack can be launched if one entity sends the same message to a group of recipients who all use the same low encryption exponent.

For example: A sends the same message P to three recipients with the same public exponent e = 3 and the moduli n1, n2 and n3.
C1 = P^3 mod n1, C2 = P^3 mod n2, C3 = P^3 mod n3

Eve applies the Chinese remainder theorem to C1, C2 and C3 to find P^3 mod (n1 × n2 × n3). Since P is smaller than each modulus, P^3 < n1 × n2 × n3, so the CRT result is the integer P^3 itself, and Eve recovers P by taking an ordinary integer cube root.
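Added example (not part of the original slides) covering slides 12-34, 12-36 and 12-37: textbook RSA with the slide's parameters (p = 5, q = 7, e = 5), the chosen-ciphertext blinding attack with B modelled as a decryption oracle, and the e = 3 broadcast attack solved with the CRT and an integer cube root. The three moduli for the broadcast attack and the plaintext 100 are constructed for the demo; the helper names are my own.

```python
# Added example (not from the original slides): textbook RSA with the slide's
# parameters (p=5, q=7, e=5), the chosen-ciphertext blinding attack, and the
# low-exponent broadcast attack with e=3 solved via CRT and an integer cube root.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, n):
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("no inverse")
    return x % n


def rsa_keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (modinv(e, phi), n)      # public (e, n), private (d, n)


def rsa_encrypt(P, pub):
    e, n = pub
    return pow(P, e, n)


def rsa_decrypt(C, priv):
    d, n = priv
    return pow(C, d, n)


def chosen_ciphertext_attack(C, pub, decrypt_oracle, X=2):
    """Eve blinds C with X^e, has B decrypt Y = C*X^e, then unblinds: P = Z * X^-1 mod n."""
    e, n = pub
    assert gcd(X, n) == 1                    # X must be in Z_n*
    Y = (C * pow(X, e, n)) % n
    Z = decrypt_oracle(Y)                    # Z = Y^d = P*X mod n
    return (Z * modinv(X, n)) % n


def crt(residues, moduli):
    """Combine x = r_i mod n_i (pairwise coprime n_i) into (x mod N, N), N = prod(n_i)."""
    N = 1
    for m in moduli:
        N *= m
    x = 0
    for r, m in zip(residues, moduli):
        Ni = N // m
        x += r * Ni * modinv(Ni % m, m)
    return x % N, N


def icbrt(x):
    """Exact integer cube root by binary search; None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast_attack(cts, moduli):
    """Same P sent to three recipients with e=3: P^3 < n1*n2*n3, so CRT yields P^3 exactly."""
    p_cubed, _ = crt(cts, moduli)
    return icbrt(p_cubed)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5)                     # slide 12-34
    C = rsa_encrypt(2, pub)                             # 32
    print("C =", C, " P =", rsa_decrypt(C, priv))
    oracle = lambda y: rsa_decrypt(y, priv)             # B decrypting whatever it is sent
    print("CCA recovers P =", chosen_ciphertext_attack(C, pub, oracle))
    # Constructed keys for the broadcast attack: three moduli with distinct primes, all e=3.
    moduli = [11 * 47, 17 * 41, 23 * 29]
    P = 100                                             # P is below every modulus
    cts = [pow(P, 3, n) for n in moduli]
    print("broadcast attack recovers P =", broadcast_attack(cts, moduli))
```

Both attacks work on raw (unpadded) RSA exactly as the slides describe; randomized padding such as OAEP is what removes the multiplicative structure the blinding attack uses and makes the three broadcast ciphertexts encrypt different values.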
Attacks on RSA 12-38

• Attack on the decryption exponent: if an intruder can find the decryption exponent d, it can decrypt the current encrypted message.

However, if Eve knows the value of d, she can also use a probabilistic algorithm to factor n and find the values of p and q (e × d - 1 is a multiple of the order of every element of Zn*, which leaks a nontrivial square root of 1 modulo n).

This means that if Bob finds out that the decryption exponent is compromised, he needs to create a new value of n, a new public key and a new private key; choosing a new exponent pair for the same n is not enough.
Attacks on RSA 12-39

• Attacks on the modulus:

Common modulus attack: this attack can be launched if a community uses a common modulus n.

For example: people in a community might let a trusted party select p and q, calculate n and ɸ(n), and create a pair of exponents for each entity.

Using its own exponents, Eve can launch the probabilistic attack above to factor n and then find B's private key from B's public exponent (assumption: Eve is also a member of the community).
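Added example (not part of the original slides) for slides 12-38 and 12-39: the probabilistic algorithm that factors n from a known (e, d) pair, and the common-modulus attack built on it. The numbers are the RSA key from Example 13.1 later in this deck (p = 823, q = 953, e = 313, d = 160009), which plays the role of Eve's own pair; Bob's exponent e = 5 on the same modulus is constructed for the demo.

```python
# Added example (not from the original slides): recovering p and q from a known
# (e, d) pair, then the common-modulus attack. Key values are those of Example 13.1
# later in this deck (p = 823, q = 953, e = 313); Bob's e = 5 is constructed.
import math, random


def factor_from_d(n, e, d, max_tries=100, seed=1):
    """e*d - 1 is a multiple of the order of every unit mod n. Writing
    e*d - 1 = 2^s * t (t odd), the sequence g^t, g^(2t), ... reaches 1; the value
    just before the first 1 is a square root of 1 mod n, which is nontrivial with
    probability >= 1/2, and gcd(x - 1, n) then yields a factor. Returns (p, q), p < q."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    rng = random.Random(seed)                 # seeded only so the demo is repeatable
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        c = math.gcd(g, n)
        if c != 1:                            # lucky guess already shares a factor with n
            return tuple(sorted((c, n // c)))
        x = pow(g, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):   # nontrivial square root of 1 found
                c = math.gcd(x - 1, n)
                return tuple(sorted((c, n // c)))
            x = y
    return None


def common_modulus_attack(n, e_target, e_mine, d_mine):
    """Eve holds her own (e_mine, d_mine) for the shared n; she factors n and
    derives the target's private exponent from the target's public exponent."""
    p, q = factor_from_d(n, e_mine, d_mine)
    phi = (p - 1) * (q - 1)
    return pow(e_target, -1, phi)


if __name__ == "__main__":
    n, e_eve, d_eve = 784319, 313, 160009        # Eve's own pair on the community modulus
    print("factors of n:", factor_from_d(n, e_eve, d_eve))               # (823, 953)
    e_bob = 5                                     # Bob's public exponent, same n (constructed)
    d_bob = common_modulus_attack(n, e_bob, e_eve, d_eve)
    print("Bob's d:", d_bob, " check:", (e_bob * d_bob) % 782544 == 1)   # True
```

This is why the slide says a leaked d forces a new modulus rather than new exponents, and why a shared modulus gives every member of the community everyone else's private key.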
Elgamal Cryptosystem 12-40

• Figure 10.11 Key generation, encryption, and decryption in ElGamal

Elgamal Cryptosystem 12-41
Elgamal Cryptosystem 12-42
Example of Elgamal Cryptosystem 12-43

• Here is a trivial example. Bob chooses p = 11, e1 = 2 and d = 3, and computes e2 = e1^d mod p = 2^3 mod 11 = 8. So the public key is (2, 8, 11) and the private key is 3.
• Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7:
C1 = e1^r mod p = 2^4 mod 11 = 5
C2 = P × e2^r mod p = 7 × 8^4 mod 11 = 6

Example of Elgamal Cryptosystem 12-44

• Bob receives the ciphertext (5, 6) and calculates the plaintext:
P = [C2 × (C1^d)^-1] mod p = [6 × (5^3)^-1] mod 11 = [6 × 4^-1] mod 11 = 6 × 3 mod 11 = 7
• Equivalently, using Fermat's little theorem to avoid an explicit inverse, P = [C2 × C1^(p-1-d)] mod p.
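Added example (not part of the original slides): ElGamal key generation, encryption and both forms of the decryption step from slides 12-43/12-44, using the slide's toy parameters (p = 11, e1 = 2, d = 3, r = 4, plaintext 7). The last function is an extra check a practitioner wants: what an eavesdropper learns if the per-message value r is reused. The function names and the second plaintext 9 are my own.

```python
# Added example (not from the original slides): ElGamal with the slide's toy
# parameters, plus a demonstration of why r must be fresh for every message.

def elgamal_keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    return (e1, pow(e1, d, p), p), d


def elgamal_encrypt(P, pub, r):
    """C1 = e1^r mod p, C2 = P * e2^r mod p. r is the per-message secret."""
    e1, e2, p = pub
    return pow(e1, r, p), (P * pow(e2, r, p)) % p


def elgamal_decrypt(C1, C2, d, p, use_fermat=False):
    """P = C2 * (C1^d)^-1 mod p. The inverse is computed directly, or (use_fermat)
    as C1^(p-1-d) mod p using Fermat's little theorem, as on slide 12-44."""
    if use_fermat:
        return (C2 * pow(C1, p - 1 - d, p)) % p
    return (C2 * pow(pow(C1, d, p), -1, p)) % p


def same_r_leak(C2a, Pa, C2b, p):
    """If the sender reuses r, C2a / C2b = Pa / Pb mod p, so anyone who learns one
    plaintext Pa recovers the other without the private key: Pb = Pa * C2b * C2a^-1."""
    return (Pa * C2b * pow(C2a, -1, p)) % p


if __name__ == "__main__":
    pub, d = elgamal_keygen(11, 2, 3)
    print("public key:", pub, " private key:", d)               # (2, 8, 11) 3
    C1, C2 = elgamal_encrypt(7, pub, r=4)
    print("ciphertext:", (C1, C2))                              # (5, 6)
    print("decrypt:", elgamal_decrypt(C1, C2, d, 11),
          elgamal_decrypt(C1, C2, d, 11, use_fermat=True))      # 7 7
    _, C2b = elgamal_encrypt(9, pub, r=4)                       # same r reused (mistake)
    print("second plaintext leaked from r reuse:", same_r_leak(C2, 7, C2b, 11))   # 9
```

The reuse check explains why ElGamal (and its signature variant) requires r to come from a cryptographic random source for each message: with a fixed r, C1 is identical for both messages and the ratio of the C2 values equals the ratio of the plaintexts.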


Exponentiation and Logarithm 12-45

Discrete Logarithm 12-46

Cyclic group: if g is a primitive root in the group, we can generate the set Zn* as Zn* = {g^1, g^2, g^3, …, g^ɸ(n)}.

Example 9.52
The group G = <Z10*, ×> has two primitive roots because ɸ(10) = 4 and ɸ(ɸ(10)) = 2. It can be found that the primitive roots are 3 and 7. The following shows how we can create the whole set Z10* using each primitive root:
3^1 = 3, 3^2 = 9, 3^3 = 7, 3^4 = 1
7^1 = 7, 7^2 = 9, 7^3 = 3, 7^4 = 1
Discrete Logarithm 12-47

The idea of discrete logarithm

Properties of G = <Zp*, ×>:

1. Its elements include all integers from 1 to p − 1.
2. It always has primitive roots.
3. It is cyclic. The elements can be created using g^x, where x is an integer from 1 to ɸ(p) = p − 1.
4. The primitive roots can be thought of as the bases of the logarithm.
Discrete Logarithm 12-48

5. If the group has k primitive roots, calculations can be done in k different bases.
6. Given a primitive root g, every element y in the set has a unique x in 1..p − 1 with y = g^x; this x = log_g y is the logarithm of y in base g.
7. This type of logarithm is called a discrete logarithm.
Discrete Logarithm 12-49

Solution to modular logarithm using discrete logs

Now let us see how to solve a problem of the type y = a^x (mod n) when y is given and we need to find x.

Tabulation of discrete logarithms: one way to solve the above problem is to use a table for each Zp* and each base. Such tables can be precalculated and saved.
Discrete Logarithm 12-50

Given tables of discrete logarithms for every group and all possible bases, we can solve any discrete logarithm problem. This is similar to the past with traditional logarithms: before the era of calculators and computers, tables were used to calculate logarithms in base 10. The difference is that for the prime sizes used in cryptography such a table has about p entries and cannot be built or searched, which is what makes the discrete logarithm problem hard.
Discrete Logarithm 12-51

Example 9.53
Find x in each of the following cases:
a. 4 ≡ 3^x (mod 7).
b. 6 ≡ 5^x (mod 7).

Solution
We can easily use the tabulation of the discrete logarithm in Table 9.6.
a. 4 ≡ 3^x (mod 7) → x = L_3(4) = 4, since 3^4 = 81 ≡ 4 (mod 7)
b. 6 ≡ 5^x (mod 7) → x = L_5(6) = 3, since 5^3 = 125 ≡ 6 (mod 7)
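Added example (not part of the original slides): the computations behind Examples 9.52 and 9.53, namely finding the primitive roots of Zn*, generating the group from one, tabulating discrete logarithms by exhaustion and solving y = g^x (mod p) from the table. The function names are my own; the table approach is only feasible for the tiny p used on the slides, which is the point slide 12-50 makes.

```python
# Added example (not from the original slides): primitive roots of Z_n*, the set
# generated by one, and discrete logarithms by table lookup (Examples 9.52, 9.53).
from math import gcd


def units(n):
    """Z_n*: the integers in 1..n-1 coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def order(g, n):
    """Multiplicative order of g in Z_n* (g must be a unit)."""
    x, k = g % n, 1
    while x != 1:
        x, k = (x * g) % n, k + 1
    return k


def primitive_roots(n):
    """g is a primitive root iff its order equals phi(n) = |Z_n*|."""
    phi = len(units(n))
    return [g for g in units(n) if order(g, n) == phi]


def generate(g, n):
    """Z_n* as {g^1, g^2, ..., g^phi(n)}, in that order."""
    return [pow(g, i, n) for i in range(1, len(units(n)) + 1)]


def dlog_table(p):
    """Table L_g(y) for every primitive root g of Z_p* and every y, built by exhaustion
    (p entries per base; only practical for small p)."""
    return {g: {pow(g, x, p): x for x in range(1, p)} for g in primitive_roots(p)}


def dlog(y, g, p, table=None):
    """Solve y = g^x (mod p) for x in 1..p-1 by table lookup. For cryptographic p
    no such table can exist, which is what ElGamal and Diffie-Hellman rely on."""
    table = table if table is not None else dlog_table(p)
    return table[g][y % p]


if __name__ == "__main__":
    print("primitive roots of Z_10*:", primitive_roots(10))          # [3, 7]
    print("3 generates:", generate(3, 10), " 7 generates:", generate(7, 10))
    print("4 = 3^x mod 7 -> x =", dlog(4, 3, 7))                      # 4
    print("6 = 5^x mod 7 -> x =", dlog(6, 5, 7))                      # 3
```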
SHA Versions
Secure Hash Algorithm (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
• US standard for use with the DSA signature scheme
– standard is FIPS 180-1 (1995), also Internet RFC 3174
– nb. the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• was for many years the generally preferred hash algorithm; practical collisions have been published since 2017, and SHA-1 is now deprecated for signatures and certificates in favour of SHA-2 and SHA-3
• based on the design of MD4 with key differences
SHA Overview
1. pad message so its length is 448 mod 512 (a single 1 bit followed by 0 bits)
2. append a 64-bit length value (original message length in bits) to the message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing & shifting
– use 4 rounds of 20 steps each on message block & buffer
– add output to input to form new buffer value
5. output hash value is the final buffer value
SHA-1 Compression Function
• each round has 20 steps which replace the 5 buffer words thus:
(A,B,C,D,E) <- (E + f(t,B,C,D) + S^5(A) + Wt + Kt, A, S^30(B), C, D)
• A,B,C,D,E refer to the 5 words of the buffer; S^k is a left circular shift by k bits
• t is the step number (0..79)
• f(t,B,C,D) is the nonlinear function for the round
• Wt is derived from the message block
• Kt is an additive constant, one per round of 20 steps, derived from the square roots of 2, 3, 5 and 10 (it is MD5, not SHA-1, whose constants come from the sine function)
SHA-1 Compression Function
SHA-1 versus MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• at the time of these slides not vulnerable to any known attacks (compared to MD4/5); both MD5 and SHA-1 have since been broken for collision resistance
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big-endian CPUs (vs MD5, which is optimised for little-endian CPUs)
Revised Secure Hash Standard
• NIST has issued a revision, FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with the increased security provided by the AES cipher
• structure & detail are similar to SHA-1
• hence analysis should be similar
SHA-512 Overview
SHA-512 Logic
• 1. Append padding bits: the message is padded so that the padded message is 128 bits less than an integer multiple of 1024.
• 2. Append length: a 128-bit representation of the message length in bits (length mod 2^128) is appended to the message.
• 3. Initialize hash buffer: a 512-bit buffer, eight 64-bit words a to h, is used to hold intermediate and final results.
• a = 6A09E667F3BCC908; b through h are the corresponding constants for the other words (the eight values are the first 64 bits of the fractional parts of the square roots of the first eight primes).
• These values are stored in big-endian format.
• 4. Processing in multiples of 1024-bit blocks: this module is the heart of the algorithm and consists of 80 rounds.
4. SHA Processing
• 5. Output: after all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit digest.

SHA-512 Round Function Wn
SHA-512 Round Function Kt
• Each round makes use of an additive constant Kt, where each Kt represents the first 64 bits of the fractional part of the cube root of one of the first 80 prime numbers.
SHA-512 Round Function
Keyed Hash Functions as MACs
• have desire to create a MAC using a hash function rather than a block cipher
– because hash functions are generally faster
– not limited by export controls, unlike block ciphers
• hash includes a key along with the message
• original proposal:
KeyedHash = Hash(Key|Message)
– some weaknesses were found with this: for Merkle-Damgård hashes such as MD5 and SHA-1, anyone holding Hash(Key|Message) can continue the hash computation and produce a valid tag for Message|padding|extra without knowing the key (length extension)
• eventually led to development of HMAC
HMAC
• specified as Internet standard RFC 2104
• uses hash function on the message:
HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to the block size of the hash
• and opad, ipad are specified padding constants (the bytes 0x5C and 0x36 repeated)
• overhead is just 3 more executions of the hash compression function than the message needs alone
• any of MD5, SHA-1, RIPEMD-160 can be used; today SHA-256 or stronger is the normal choice (the collision attacks on MD5 and SHA-1 do not directly break HMAC built on them, but new designs should not use them)
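Added example (not part of the original slides) for the SHA overview and compression-function slides and for the "Keyed Hash Functions as MACs" and "HMAC" slides: SHA-1 written out from the steps the slides give (padding, 80-word schedule, four rounds of 20 steps, add output to input), checked against the standard library, then used to carry out the length-extension forgery against Hash(Key|Message) and contrasted with HMAC. The key, message and suffix are constructed for the demo; SHA-1 is used only because it is the construction the slides describe.

```python
# Added example (not from the original slides): SHA-1 from the overview on the
# slides, a length-extension forgery against Hash(Key || Message), and HMAC.
import hashlib, hmac, struct

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # floor(2^30 * sqrt(2,3,5,10))
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rol(x, n):
    """32-bit left circular shift, S^n on the slide."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pad(msg_len_bytes):
    """Padding: 0x80, zeros up to 448 mod 512 bits, then the 64-bit big-endian bit length."""
    pad = b"\x80" + b"\x00" * ((55 - msg_len_bytes) % 64)
    return pad + struct.pack(">Q", msg_len_bytes * 8)


def sha1(data, state=IV, total_len=None):
    """SHA-1 of data. `state` and `total_len` let a caller resume from a known
    digest as if more data followed; that is exactly what length extension abuses."""
    total_len = len(data) if total_len is None else total_len
    data = data + sha1_pad(total_len)
    h = list(state)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):                       # expand 16 words into 80
            w.append(rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                           # 4 rounds of 20 steps
            if t < 20:
                f = (b & c) | (~b & d)
            elif t < 40:
                f = b ^ c ^ d
            elif t < 60:
                f = (b & c) | (b & d) | (c & d)
            else:
                f = b ^ c ^ d
            tmp = (rol(a, 5) + f + e + K[t // 20] + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, rol(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]   # add output to input
    return struct.pack(">5I", *h)


def length_extend(known_mac, key_len, message, suffix):
    """Given MAC = SHA1(key || message) and only len(key), forge the MAC of
    key || message || pad || suffix without the key: restart SHA-1 from the
    known digest as the state and feed it the suffix with the right total length."""
    glue = sha1_pad(key_len + len(message))
    state = struct.unpack(">5I", known_mac)
    forged_msg = message + glue + suffix
    forged_mac = sha1(suffix, state=state, total_len=key_len + len(forged_msg))
    return forged_msg, forged_mac


if __name__ == "__main__":
    key, msg = b"s3cret-key", b"amount=10&to=alice"          # constructed secret and message
    assert sha1(msg) == hashlib.sha1(msg).digest()
    naive = sha1(key + msg)                                  # KeyedHash = Hash(Key|Message)
    forged_msg, forged_mac = length_extend(naive, len(key), msg, b"&to=eve")
    print("forgery accepted by Hash(Key|Message):", sha1(key + forged_msg) == forged_mac)  # True
    good = hmac.new(key, msg, hashlib.sha1).digest()         # HMAC: outer hash blocks extension
    print("forged tag accepted by HMAC:", hmac.new(key, forged_msg, hashlib.sha1).digest() == forged_mac)
```

The forgery needs only the key length, which an attacker can guess by trying each plausible value; the outer hash in HMAC is what closes the hole, because the attacker never sees an intermediate state that can be resumed.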
HMAC Overview
HMAC Security
• the security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
– brute force attack on the key used
– birthday attack (but since it is keyed, the attacker would need to observe about 2^(n/2) messages under the same key)
• choose the hash function used based on speed versus security constraints
Chapter 13
Digital Signature

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

13-1 COMPARISON

Let us begin by looking at the differences between conventional signatures and digital signatures.

Topics to be discussed:
13.1.1 Inclusion
13.1.2 Verification Method
13.1.3 Relationship
13.1.4 Duplicity
13.1.1 Inclusion

A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

13.1.2 Verification Method

For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

13.1.3 Relationship

For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.

13.1.4 Duplicity

In a conventional signature, a copy of the signed document can be distinguished from the original one on file. In a digital signature, there is no such distinction unless there is a factor of time (such as a timestamp) on the document.
13-2 PROCESS

The figure shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.

13-2 Continued

Digital signature process (figure)

13.2.1 Need for Keys

Adding keys to the digital signature process (figure)

Note
A digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer's public key.

13.2.1 Continued

Note
A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.

13.2.2 Signing the Digest

Signing the digest (figure): the message is hashed first and the signature is computed on the digest, which is short and of fixed size regardless of the message length.
13-3 SERVICES

We discussed several security services earlier, including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.

13.3.1 Message Authentication

A secure digital signature scheme, like a secure conventional signature, can provide message authentication. Bob can verify that the message is sent by Alice because Alice's public key is used in verification.

Note
A digital signature provides message authentication.

13.3.2 Message Integrity

The integrity of the message is preserved even if we sign the whole message, because we cannot get the same signature if the message is changed.

Note
A digital signature provides message integrity.

13.3.3 Nonrepudiation

Figure 13.4 Using a trusted center for nonrepudiation

Note
Nonrepudiation can be provided using a trusted party.

13.3.4 Confidentiality

Figure 13.5 Adding confidentiality to a digital signature scheme

Note
A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.

RSA Digital Signature Scheme
ElGamal Digital Signature Scheme
Digital Signature Standard (DSS)
13.5.1 Continued

Key Generation
Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA cryptosystem.

Note
In the RSA digital signature scheme, d is private; e and n are public.

13.5.1 Continued

Signing and Verifying

Figure 13.7 RSA digital signature scheme: Alice computes S = M^d mod n; Bob computes M' = S^e mod n and accepts if M' = M.
13.5.1 Continued

Example 13.1
As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of ɸ(n) is 782544. Now she chooses e = 313 and calculates d = 160009 (313 × 160009 = 50082817 = 64 × 782544 + 1). At this point key generation is complete. Now imagine that Alice wants to send a message with the value M = 19070 to Bob. She uses her private exponent, 160009, to sign the message: S = M^d mod n.

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates M' = S^e mod n and compares it with M.

Bob accepts the message because he has verified Alice's signature.
13.5.1 Continued

RSA Signature on the Message Digest

Figure 13.8 The RSA signature on the message digest

13.5.1 Continued

Note
When the digest is signed instead of the message itself, the susceptibility of the RSA digital signature scheme depends on the strength of the hash algorithm.
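Added example (not part of the original slides) for section 13.5.1: the RSA signature scheme with the numbers of Example 13.1 (p = 823, q = 953, e = 313, d = 160009, M = 19070), the multiplicative forgery that textbook signing of raw messages allows, and signing a digest instead. The digest reduction mod n and the messages are constructed for the demo; real deployments use a modulus larger than the digest together with a padding scheme (PKCS#1 v1.5 or PSS), which the slides do not cover.

```python
# Added example (not from the original slides): RSA signatures with the numbers
# of Example 13.1, the textbook-RSA multiplicative forgery, and digest signing.
import hashlib

p, q, e = 823, 953, 313                 # Example 13.1
n, phi = p * q, (p - 1) * (q - 1)       # 784319, 782544
d = pow(e, -1, phi)                      # 160009


def rsa_sign(M, d, n):
    """S = M^d mod n (Alice, private exponent)."""
    return pow(M, d, n)


def rsa_verify(M, S, e, n):
    """Accept iff S^e mod n == M (Bob, public exponent)."""
    return pow(S, e, n) == M


def forge_product(M1, S1, M2, S2, n):
    """Textbook RSA is multiplicative: S1*S2 is a valid signature on M1*M2 mod n.
    This existential forgery is one reason a digest (with padding) is signed instead."""
    return (M1 * M2) % n, (S1 * S2) % n


def digest_of(message: bytes, n):
    """Toy digest: SHA-256 reduced mod n so it fits the small modulus (constructed for the demo)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(message, d, n):
    return rsa_sign(digest_of(message, n), d, n)


def verify_digest(message, S, e, n):
    return rsa_verify(digest_of(message, n), S, e, n)


if __name__ == "__main__":
    M = 19070
    S = rsa_sign(M, d, n)
    print("d =", d, " signature S =", S, " verifies:", rsa_verify(M, S, e, n))   # True
    print("altered message verifies:", rsa_verify(M + 1, S, e, n))                 # False
    M3, S3 = forge_product(2, rsa_sign(2, d, n), 3, rsa_sign(3, d, n), n)
    print("forged signature on", M3, "verifies:", rsa_verify(M3, S3, e, n))        # True
    msg = b"pay 100 to bob"                                                       # constructed
    sig = sign_digest(msg, d, n)
    print("digest signature verifies:", verify_digest(msg, sig, e, n))             # True
```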
13.5.2 Continued

Key Generation
The key generation procedure here is exactly the same as the one used in the ElGamal cryptosystem.

Note
In the ElGamal digital signature scheme, (e1, e2, p) is Alice's public key; d is her private key.

13.5.2 Continued

Signing and Verifying

Figure 13.10 ElGamal digital signature scheme
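Added example (not part of the original slides, whose Figure 13.10 is not reproduced here): the standard ElGamal signature equations, using the toy key from the ElGamal cryptosystem example earlier in the deck (p = 11, e1 = 2, d = 3, hence e2 = 8). The per-signature value r = 3 and the message value 7 are my choices; in practice the digest of the message, not the message, is signed, and r must come from a cryptographic random source.

```python
# Added example (not from the original slides): ElGamal signing and verification
# with the toy key (p = 11, e1 = 2, d = 3, e2 = 8) from the cryptosystem example.
import random
from math import gcd


def elgamal_sign(M, p, e1, d, r):
    """S1 = e1^r mod p, S2 = (M - d*S1) * r^-1 mod (p-1).
    r must be coprime to p-1 and never reused: reusing r leaks d."""
    if gcd(r, p - 1) != 1:
        raise ValueError("r must be coprime to p-1")
    S1 = pow(e1, r, p)
    S2 = ((M - d * S1) * pow(r, -1, p - 1)) % (p - 1)
    return S1, S2


def elgamal_verify(M, S1, S2, p, e1, e2):
    """Accept iff 0 < S1 < p and e1^M == e2^S1 * S1^S2 (mod p)."""
    if not 0 < S1 < p:
        return False
    V1 = pow(e1, M, p)
    V2 = (pow(e2, S1, p) * pow(S1, S2, p)) % p
    return V1 == V2


def random_r(p, rng=random):
    """Fresh per-signature secret coprime to p-1 (use the secrets module in production)."""
    while True:
        r = rng.randrange(1, p - 1)
        if gcd(r, p - 1) == 1:
            return r


if __name__ == "__main__":
    p, e1, d = 11, 2, 3
    e2 = pow(e1, d, p)                                       # 8
    M = 7
    S1, S2 = elgamal_sign(M, p, e1, d, r=3)
    print("signature:", (S1, S2), "verifies:", elgamal_verify(M, S1, S2, p, e1, e2))   # (8, 1) True
    print("altered message verifies:", elgamal_verify(M + 1, S1, S2, p, e1, e2))       # False
    r = random_r(p)
    print("fresh r:", r, "verifies:", elgamal_verify(M, *elgamal_sign(M, p, e1, d, r), p, e1, e2))
```

Checking by hand with the slide's numbers: S1 = 2^3 mod 11 = 8, S2 = (7 - 3 × 8) × 3^-1 mod 10 = 3 × 7 mod 10 = 1, and on verification 2^7 mod 11 = 7 equals 8^8 × 8^1 mod 11 = 7.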
Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in the early 90's
• proposed in 1991 and published as FIPS 186 in 1994
• revised as FIPS 186-1 (1998), 186-2 (2000), 186-3 (2009), 186-4 (2013) and 186-5 (2023)
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
• DSA is digital signature only, unlike RSA
• is a public-key technique
• FIPS 186-5 no longer approves DSA for generating new signatures (it is retained only for verifying existing ones); new designs use RSA, ECDSA or EdDSA
DSS vs RSA Signatures
Digital Signature Standard (DSS)
Digital Signature Standard (DSS)
Digital Signature Standard (DSS)
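Added example (not part of the original slides, whose DSS figures are not reproduced here): DSA as specified in FIPS 186, with constructed toy domain parameters (p = 23, q = 11, g = 4, private key x = 3). The per-signature value k is passed in explicitly so the numbers can be checked by hand; the message is constructed, and the digest is reduced mod q in place of the leftmost-bits rule of the standard. With q this small the verifier's output can take only 11 values, so false acceptances of a wrong digest are common; real parameters use a 224- or 256-bit q.

```python
# Added example (not from the original slides): DSA signing and verification with
# constructed toy parameters. k is explicit so results can be checked by hand.
import hashlib, random


def dsa_params(p=23, q=11, h=2):
    """Toy domain parameters (constructed): q must divide p-1 and g = h^((p-1)/q) mod p
    must not be 1, so that g has order q."""
    assert (p - 1) % q == 0
    g = pow(h, (p - 1) // q, p)
    assert g != 1
    return p, q, g


def dsa_keygen(p, q, g, x):
    """Private key x in 1..q-1, public key y = g^x mod p."""
    return x, pow(g, x, p)


def hash_mod_q(message: bytes, q):
    """H(M) reduced into Z_q (the standard takes the leftmost bits of SHA; mod q is the toy version)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def dsa_sign(h, p, q, g, x, k):
    """r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q; k is a fresh secret in 1..q-1.
    Raises if r or s is 0, in which case the signer retries with another k."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("retry with another k")
    return r, s


def dsa_sign_message(message, p, q, g, x, rng=random):
    """Hash the message and sign it, retrying k until the signature is valid."""
    h = hash_mod_q(message, q)
    while True:
        try:
            return dsa_sign(h, p, q, g, x, rng.randrange(1, q))
        except ValueError:
            continue


def dsa_verify(h, r, s, p, q, g, y):
    """w = s^-1 mod q, u1 = h w mod q, u2 = r w mod q, v = (g^u1 y^u2 mod p) mod q; accept iff v == r."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    p, q, g = dsa_params()                                  # (23, 11, 4)
    x, y = dsa_keygen(p, q, g, 3)                           # y = 18
    r, s = dsa_sign(7, p, q, g, x, k=5)                     # digest value 7 chosen for hand checking
    print("signature on h=7:", (r, s), "verifies:", dsa_verify(7, r, s, p, q, g, y))   # (1, 2) True
    print("same signature on h=9 verifies:", dsa_verify(9, r, s, p, q, g, y))          # False
    msg = b"approve deployment"                              # constructed message
    r2, s2 = dsa_sign_message(msg, p, q, g, x, random.Random(2024))
    print("hashed-message signature verifies:", dsa_verify(hash_mod_q(msg, q), r2, s2, p, q, g, y))
```

Hand check for h = 7, k = 5: r = (4^5 mod 23) mod 11 = 12 mod 11 = 1; s = 5^-1 × (7 + 3 × 1) mod 11 = 9 × 10 mod 11 = 2; on verification w = 6, u1 = 9, u2 = 6 and v = (4^9 × 18^6 mod 23) mod 11 = 12 mod 11 = 1 = r. As with ElGamal, k must be secret and unique per signature; a repeated k reveals x.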