Sie sind auf Seite 1von 33

Introduction to

digital
signatures
Benedictine University
MATH 390: Cryptography
2 April 2008

Robert Talbert, PhD


Associate Professor of Mathematics and
Computing Science
Franklin College, Franklin, IN

1
Menu
The problem of authentication

Non-solutions to the authentication problem; the


concept of the digital signature and required
parameters

Digital signatures using public-key encryption


algorithms

The Digital Signature Algorithm (DSA)

Further applications and issues

2
PROBLEM: AUTHENTICATION

HOW DO WE DO THIS IF THE


DOCUMENT IS DIGITAL AND
NOT PAPER?

3
HAS THIS EMAIL BEEN SIGNED?

4
HOW ABOUT NOW?

5
6
A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED
GOAL: DIGITAL SIGNATURES WHICH DO THIS FOR ELECTRONIC
DOCUMENTS.
7
Implementation

Public-key encryption “in reverse”


Specialized signature-only algorithms:
the Digital Signature Algorithm

8
PUBLIC-KEY CRYPTOGRAPHY

Decryption
Encryption
function

function
Original
Plaintext Ciphertext
plaintext
Dear Bob - The Qrne Obo - Gur
meeting will be at zrrgvat jvyy or ng Dear Bob - The
the embassy. gur rzonffl. meeting will be
at the embassy.

Alice Bob
Eve
No secret key is ever
exchanged
Alice does not need
her own key to use the Public Private
system (e,n) d

9
KID CRYPTO
Choose positive integers A, B, a, and b.

M = ab − 1
e = AM + a
d = BM + b
ed − 1
n =
M
Public key: (e, n)
Private key: d
10
H E L P 07 04 11 15
TALBERT’S PUBLIC KEY: (E = 3242, N = 19723)
Encryption: Compute y = (ex) mod n for each number.

Plaintext Numerical (ex) mod n = Cipher “text”

H 7 (3242 × 7) mod 19723 = 2971

E 4 12698

L 11 15939

P 15 9184

11
2971 12698 15939 9184
TALBERT’S PRIVATE KEY: D = 1965
Decryption: Compute z = (dy) mod n for each number.

Ciphertext (dy) mod n Alpha

2971 7 H

12698 4 E

15939 11 L

9184 15 P

12
WHY KID CRYPTO WORKS
X = PLAINTEXT “CHARACTER”

y = (ex) mod n z = d(ex) mod n = (ed)x mod n

ed − 1
n=
M

ed = (M n + 1) mod n z = (ed)x mod n


= M n mod n + 1 mod n = x mod n
= 0 mod n + 1 mod n = x.
= 1 mod n

13
DIGITAL SIGNATURE = MESSAGE
ENCRYPTED WITH PRIVATE KEY
I HEREBY GIVE YOU I HEREBY GIVE YOU A
I HEREBY GIVE RAISE.
A RAISE.
YOU A RAISE. I HEREBY GIVE YOU A
192 2343 9102 ... RAISE.

ENCRYPT WITH THE PRIVATE KEY


ATTACH TO END OF ORIGINAL
BOB MESSAGE ALICE

DECRYPT WITH THE PUBLIC KEY


AUTHENTICATE BY COMPARING
TO PLAINTEXT MESSAGE
PUBLIC PRIVATE
(E,N) D
14
WHY KID CRYPTO WORKS FOR SIGNATURES
X = PLAINTEXT “CHARACTER”

s = dx mod n
BOB

s = edx mod n = x mod n = x.


!
ALICE

15
I HEREBY GIVE YOU I HEREBY GIVE YOU A
I HEREBY GIVE RAISE.
A RAISE.
YOU A RAISE. X FLBRUG YTEX BIP Q
228 1893 189 ... XETIA.

SIGNATURE DOES NOT


MATCH MESSAGE
BOB ALICE
MESSAGE NOT
AUTHENTICATED

PUBLIC PRIVATE
EVIL
(E,N) FAKE
D D
16
A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED

17
Public-key system as
signature system
Sender encrypts the message with his private key,
attaches “ciphertext” to the plaintext message.

Recipient decrypts the ciphertext with the sender’s


public key; compares to plaintext message.
Equality authentication.

Example using RSA

18
A national standard?
1977: RSA INVENTED 1994: DSA APPROVED

1982: NIST SOLICITS 1991: NIST 1992: PUBLIC


CANDIDATES FOR PROPOSES DIGITAL COMMENTS ON DSA;
FEDERAL DIGITAL SIGNATURE CRITICISM FROM
SIGNATURE ALGORITHM (DSA) TO RSA, INC. AND
STANDARD (DSS) BE USED IN DSS CLIENT COMPANIES

19
227 = 2 × 10 + 2 × 10 + 7 × 10
2 1 0

227 = 1×2 +1×2 +1×2 +0×2


7 6 5 4

+0 × 2 + 0 × 2 + 1 × 2 + 1 × 2
3 2 1 0

= 11100011
BINARY FORM OF 227 5 = 101
227 IS AN 8-BIT INTEGER 1967 =11110101111
! "
ln N
Bit length of N = +1
ln 2

Decimal length of k-bit integer = !(k − 1) log10 2# + 1

20
HI, BOB. HOW’S IT GOING?
(SIGNATURE ATTACHED)

Alice Bob

AUTHENTICATED

STAGE 1: SYSTEM-WIDE PARAMETER GENERATION.


STAGE 2: KEY GENERATION (ALICE; ONE-TIME ONLY).
STAGE 3: SIGNING (ALICE).
STAGE 4: AUTHENTICATING (BOB).

21
1: SYSTEM-WIDE PARAMETERS

Name Description

Prime number, bit length


p between 512 and 1024 and a
multiple of 64.

q 160-bit prime factor of p.

α = h(p-1)/q mod p
α Where h is any number ≤ p-1
such that h(p-1)/q is > 1

22
2: KEY GENERATION

PRIVATE KEY
Random integer x such that
1 ≤ x ≤ q-1

Alice
PUBLIC KEY
y = α mod p
x

23
3: SIGNING

Has:
Message m
Public key y, Private key x
System parameters p, q, α
Alice

Choose random (secret) integer k with 0 < k < q.


Compute r = (αk mod p) mod q.
Compute k −1 mod q.
Compute s = k −1 (H(m) + xr) mod q.

SIGNATURE: (R,S).

24
4: AUTHENTICATING

Receives:
Message m
Signature (r,s)
Has:
Public key y; System parameters p, q, α BOB
Verify 0 < r, s < q. Reject if not.
Compute H(m) and w = s−1 mod q.
u1 = (w · H(m)) mod q u2 = (rw) mod q

v = (α y u1 u 2
mod p) mod q
IF V = R AUTHENTICATED.
25
v = (α yu1 u 2
mod p) mod q
s = k (H(m) + xr) mod q
−1
!
s−1
= k H(m) + xr) mod q
−1

α u1
=α wH(m) mod q y u2 = (αx )u2 mod p
= α xrw mod q
mod p

α u 1 y u2 = αwH(m) αxrw mod p


= α w(H(m)+xr) mod q
mod p
s−1 (H(m)+xr) mod q
= α mod p
k(H(m)+xr)−1 (H(m)+xr) mod q
= α mod p
= α mod p
k

26
v = (α y mod p) mod q
u1 u 2
! k
= α mod p) mod q

r = (α mod p) mod q
k

IF V = R AUTHENTICATED.
IF V ≠ R NO AUTHENTICATION.

27
I HEREBY GIVE YOU I HEREBY GIVE YOU A
I HEREBY GIVE RAISE.
A RAISE.
YOU A RAISE. I HEREBY GIVE YOU A
(R,S) RAISE.

SYSTEM: P, Q

Alice Bob

PUBLIC
y=αx
mod p HOW TO PRODUCE A FORGED (R,S) ON A
NEW MESSAGE?

28
FORGERY METHOD 1: RECOVER ALICE’S
PRIVATE KEY FROM AVAILABLE
INFORMATION.

y = α mod px
SOLVE FOR X

DISCRETE LOGARITHM PROBLEM


O(√p)! Too expensive!

29
FORGERY METHOD 2: USE R TO RECOVER K.

r = (α mod p) mod q
k

DISCRETE LOGARITHM PROBLEM

s = k (H(m) + xr) mod q


−1

x = r−1 (sk − H(m)) mod q


Everything on the
RHS except k is public info or easy to
compute... but I still have to solve
DLP! Curses!

30
FORGERY METHOD 3: HOPE FOR LAZINESS.

I don’t feel like


generating a new value for k.

s1 = k −1 (H(m1 ) + xr) mod q


s2 = k (H(m2 ) + xr) mod q
−1
Alice

Gotcha!
s1 k − H(m1 ) = xr mod q
s2 k − H(m2 ) = xr mod q

k(s1 − s2 ) = H(m1 ) − H(m2 ) mod q

k = (s1 − s2 ) −1
(H(m1 ) − H(m2 )) mod q
31
Further issues
One-way hash functions and their security (SHA-1,
MD5)

Faster/less expensive algorithms for solving DLP

Uses of secure authentication

Electronic currency

Electronic notarization

Identification in social networking/blogging

32
Contact
Robert Talbert, PhD
Department of Mathematics and Computing
Franklin College
101 Branigin Blvd.
Franklin, IN 46131

rtalbert@franklincollege.edu

33