Cryptographic Algorithms Unit-Iii Digital Signatures-UNIT-V CSE 3112

Digital Signature
The RSA Signature Scheme

Digital Signature Algorithm
ElGamal Signature Algorithm
Schnorr signature scheme
Cryptographic Algorithms
UNIT-III
Digital Signatures-UNIT-V
CSE 3112
Jayaprakash Kar
Digital Signature
Table of contents
1 Digital Signature
Type of attacks on signature scheme
2 The RSA Signature Scheme

Attacks on RSA Signature
3 Digital Signature Algorithm
4 ElGamal Signature Algorithm

Security of ElGamal Signature
5 Schnorr signature scheme

Digital Signature
Digital Signature Algorithm Type of attacks on signature scheme
Basic definitions
1 A digital signature is a data string which associates a

message (in digital form) with some originating entity.
2 A digital signature generation algorithm is a
method for producing digital signature.
3 A digital signature verification algorithm is a
method for verifying that a digital signature is authentic. (In
fact it was created by the specified entity).
4 A digital signature scheme consists of a signature
generation algorithm and an associated verification
algorithm.
Digital Signature
Type of attacks on signature scheme
The goal of an adversary is to forge signatures i.e to produce

signatures which will be accepted as those of some other entity.
1 total break: An adversary is either able to compute the

private key information of the signer or find an efficient
signing algorithm functionally equivalent to the valid
signing algorithm.
2 selective forgery: An adversary is able to create a valid
signature for a particular message or a class of messages
chosen a priori.
3 existential forgery: An adversary is able to forge a
signature for at least one message.
Digital Signature
Two basic attacks against public-key digital signature

schemes
1 Key-only attacks: In this attack, the adversary knows

only signer’s public key.
2 message attacks: Here the adversary is able to examines
signatures corresponding either to known or chosen
messages. This attack is non-adaptive in the sense that
messages are chosen before any signature are seen.
Digital Signature
Message attack
Message attack can be subdivided into three classes:

1 known-message attack: An adversary has signatures for a
set of messages which are known to the adversary but not
chosen by him.
2 chosen message attack: An adversary obtains a valid
signatures from a chosen list of messages before
attempting to break the signature scheme.
3 adaptive chosen-message attack: An adversary is
allowed to use the signer as an oracle; the adversary may
request signature of messages which depend on
previously obtained signatures or message.
Digital Signature
Notations and meaning
Table: Notations for digital signature mechanisms
Notation Meaning
M a set of elements called message space
MS a set of elements called Signing space
S a set of elements called signature space
R a 1-1 mapping from M to MS , called redundancy func
MR the image of R
R −1 the inverse of R
R a set of element called indexing set for string
h a one-way function with domain M
Mh image of h i.e h : M → Mh
Digital Signature
Digital Signature Algorithm Attacks on RSA Signature
Key generation for the RSA scheme

Each entity creates an RSA public key and corresponding
private key. Entity A performs the following
Algorithm 1 Key generation for RSA signature scheme

1: Generate two large distinct random prime p and q roughly
same size.
2: Compute n = pq and φ(n) = (p − 1)(q − 1).
3: Select a random integer e, 1 < e < φ(n), such that
gcd(e, φ(n)) = 1.
4: Compute the unique integer d, 1 < d < φ(n), such that
ed ≡ 1 mod φ(n).
5: A ’s public key is (n, e) and A ’s private key is d.
Digital Signature
RSA signature generation and verification

A signs a message m ∈ M, any entity B can verify A ’s
signature and recover the message from the signature.
Signature generation
Algorithm 2 Signature generation

1: Computer m̃ = R(m), an integer in the range [0, n − 1].
2: Compute s = m̃ d mod n.
3: A ’s signature for m is s
Signature verification
Algorithm 3 Signature verification

1: Obtain A ’s authentic public key (n, e)
2: Compute m̃ = s e mod n.
Digital Signature
Proof-Signature verification works
If s is a signature for message m, then s ≡ m̃d mod n, where

m̃ = R(m). Since ed ≡ 1(modφ(n))
s e ≡ m̃ed ≡ m̃(modn). Finally, R −1 (m̃) = R −1 (R(m)) = m.
Digital Signature
Key-Only Attack
Let Alice generates her own signature using her private key.
The adversary Eve only access to Alice’s public key. Eve
intercepts the pair (m, s) and tries to create another message
0
m ≡ s e mod n. Thus Eve has to solve discrete logarithm
problem.
Digital Signature
Known-Message Attack
Since RSA scheme satisfies multiplicative properties, the

adversary Eve uses this. Assume that Eve has intercepted two
message, signature pairs as (m1 , s1 ) and (m2 , s2 ) that have
been generated using same private key d. If
m = (m1 × m2 ) mod n, then s = (s1 × s2 ) mod n. This can be
proved as
s = (s1 × s2 ) mod n = (m1d × m2d ) mod n
= (m1 × m2 )d mod n
= md mod n.
Eve can create m = (m1 × m2 ) mod n and generate
s = (s1 × s2 ) mod n and fool Bob into believing that s is Alice’s
signature on message m.
Digital Signature
Chosen-Message Attack(CMA)
This attack also uses the multiplicative property of RSA.

Let the adversary ask to Alice to sign on two legitimate
messages m1 and m2 for her. Later she create a new message
m = m1 × m2 . Eve can later claim that Alice has signed m
Digital Signature

Each entity creates a public key and corresponding private key.
Each entity A should do the following:
Algorithm 4 Key generation for the DSA

1: Select a prime q such that 2159 < q < 2160 .
2: Choose t so that 0 ≤ t ≤ 8 and select a prime p where
2511+64t < p < 2512+64t with property q divides (p − 1).
3: Select a generator α of the unique cyclic group of order q in
Z∗p .
4: Select an element g ∈ Z∗p and compute α = g (p−1)/q mod p
5: if α = 1 then
6: goto 4
7: end if
8: Select random integer a such that 1 ≤ a ≤ q − 1
9: Compute y = αa mod p
Digital Signature
Digital Signature generation and verification
Algorithm 5 Signature generation

1: Select a random integer k , 0 < k < q.
2: Choose Compute r = (αk mod p) mod q
3: Compute k −1 mod q
4: Compute s = k −1 {h(m) + ar} mod q
5: A ’s signature for m is the pair (r, s).
Digital Signature
Signature verification
Algorithm 6 Signature verification

To verify A ’s signature pair (r, s) on m, B should do the follow-
ing
1: Obtain A ’s authentic public key (p, q, α, y)
2: Verify that 0 < r < q and 0 < s < q; if not reject the signature.
3: Compute w = s −1 mod q and h(m)
4: Compute u1 = w · h(m) mod q and u2 = rw mod q.
5: v = (αu1 y u2 mod p) mod q.
6: Accept the signature if and only if v = r.
Digital Signature
Proof of correctness
If (r, s) is the legitimate signature of entity A on message m.

We have
sk ≡ (h(m) + ar) mod q
h(m) ≡ (−ar + sk ) mod q
Multiplying both sides by w, we obtain
wh(m) ≡ w(−ar + sk ) mod q
wsk ≡ (wh(m) + war) mod q
⇒ k ≡ (wh(m) + war) mod q = (u1 + au2 ) mod q
Raising α to both sides of this equation yields
αk mod p = (αu1 · y u2 mod p) mod q
⇒v= r
Digital Signature
Digital Signature Algorithm Security of ElGamal Signature
Key generation Algorithm
Each entity creates a public key and corresponding private key.

Entity A should do the following
Algorithm 7 Key generation for the ElGamal signature scheme

1: Generate a large random prime p and a generator α of the
multiplicative group Z∗p .
2: Select a random integer a, 1 ≤ a ≤ p − 2
3: Compute y = αa mod p
4: A ’s public key is (p, α, y), A ’s privatge key is a.
Digital Signature
ElGamal Signature generation and verification
Entity A signs a binary message m of arbitrary length. Any

entity B can verify this signature by using A ’s public key.
Algorithm 8 signature generation

1: Select a random secret integer k , 1 ≤ k ≤ p − 2, with
gcd(k , p − 1) = 1
2: Compute r = αk mod p
3: Compute k −1 mod (p − 1)
4: Compute s = k −1 {h(m) − ar} mod (p − 1).
5: A ’s signature for m is the pair (r, s).
Digital Signature
ElGamal Signature verification
To verify A ’s signature (r, s) on message m , B should do the

following
Algorithm 9 signature verification

1: Obtain A ’s authentic public key (p, α, y)
2: Verify that 1 ≤ r ≤ p − 1; if not then reject the signature.
3: Compute v1 = y r r s mod p
4: Compute h(m) and v2 = αh(m) mod p.
5: Accept the signature if and only if v1 = v2
Digital Signature
proof of correctness
If the signature was generated by A , then

s ≡ k −1 {h(m) − ar}(modp − 1)
Multiplying both sides by k gives ks ≡ h(m) − ar(modp − 1)
and rearranging yields h(m) ≡ ar + ks(modp − 1).
⇒ αh(m) ≡ αar+ks ≡ (αa )r r s (modp).
Thus v1 = v2
Digital Signature
Security of ElGamal Signature
Key-only Attack
Let assume that the adversary Eve has predefined message m.
She needs to forge Alice’s signatures (r, s) for this message.
This is an selective forgery.
Eve can choose r and compute s. She needs to have
y r r s ≡ αh(m) mod p
⇒ αar r s ≡ αh(m) mod p
⇒ r s ≡ α−ar · αh(m) mod p
⇒ s = logr αh(m)−ar mod p
This implies to solve discrete logarithm problem.
Digital Signature
Known-message forgery
If Eve intercepted a message m and the signature (r, s), she

0
can find another message m with same pair of signature (r, s)
Digital Signature
Total forgery
The private key can be determined with high probability if the

same value of random exponent k to be chosen to sign two
different messages. Let the messages are m1 and m2 to be
signed. So
s1 = k −1 {h(m1 ) − ar} mod (p − 1)

s2 = k −1 {h(m2 ) − ar} mod (p − 1)
⇒ (s1 − s2 )k ≡ (h(m1 ) − h(m2 ))(mod(p − 1))

If (s1 − s2 ) . 0 mod (p − 1) then
k = (s1 − s2 )−1 (h(m1 ) − h(m2 )) mod (p − 1)
Once k is known a is easily found.
Digital Signature
Existential forgery
If no hash function h is used. The signing equation is

s = k −1 {m − ar} mod (p − 1)
It is then easy for an adversary to mount existential forgery as
follows
Select any pair of integers (u, v) with gcd(v, p − 1) = 1.
Compute r = αu y v mod p = αu+av mod p
s = −rv −1 mod (p − 1)
The pair (r, s) is a valid signature for the message
m = su mod (p − 1), since (αm α−ar )s −1 = αu y v = r
Digital Signature
Schnorr Signature Scheme
This is an variant of ElGamal Signature scheme. Here a

subgroup of order q in Z∗p is to be chosen, where p is a large
prime. H is a collision resistant hash function. H : {0, 1}∗ → Zq .
Key generation is the same as DSA key generation.
Digital Signature
Entity performs the following steps
Algorithm 10 signature generation

1: Select the random secret integer k , 1 ≤ k ≤ q − 1
2: Compute r = αk mod p
3: Compute e = H(mkr) and s = ae + k mod q
4: A ’s signature for m is pair (s, e)
Digital Signature
Schnorr signature verification
To verify A ’s signature (s, e) on m, B should perform the

following
Algorithm 11 signature verification

1: Obtain A ’s authentic public key (p, q, α, y)
0
2: Compute v = αs y −e mod p and e = H(mkv)
0
3: Accept the signature if and only if e = e.
Digital Signature
Proof of Correctness
If the signature was created by A , then

v ≡ αs y −e ≡ αs α−ae ≡ αk ≡ r mod p
0
Hence H(mkv) = H(mkr) and e = e.

Cryptographic Algorithms Unit-Iii Digital Signatures-UNIT-V CSE 3112

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Cryptographic Algorithms Unit-Iii Digital Signatures-UNIT-V CSE 3112

Hochgeladen von

Copyright:

Verfügbare Formate

Digital Signature

The RSA Signature Scheme

2 The RSA Signature Scheme

3 Digital Signature Algorithm

4 ElGamal Signature Algorithm

5 Schnorr signature scheme

1 A digital signature is a data string which associates a

Type of attacks on signature scheme

The goal of an adversary is to forge signatures i.e to produce

1 total break: An adversary is either able to compute the

Two basic attacks against public-key digital signature

1 Key-only attacks: In this attack, the adversary knows

Message attack can be subdivided into three classes:

Notations and meaning

Table: Notations for digital signature mechanisms

Key generation for the RSA scheme

Algorithm 1 Key generation for RSA signature scheme

RSA signature generation and verification

Algorithm 2 Signature generation

Algorithm 3 Signature verification

Proof-Signature verification works

If s is a signature for message m, then s ≡ m̃d mod n, where

Since RSA scheme satisfies multiplicative properties, the

This attack also uses the multiplicative property of RSA.

Digital Signature Algorithm

Algorithm 4 Key generation for the DSA

Digital Signature generation and verification

Algorithm 5 Signature generation

Algorithm 6 Signature verification

If (r, s) is the legitimate signature of entity A on message m.

Key generation Algorithm

Each entity creates a public key and corresponding private key.

Algorithm 7 Key generation for the ElGamal signature scheme

ElGamal Signature generation and verification

Entity A signs a binary message m of arbitrary length. Any

Algorithm 8 signature generation

ElGamal Signature verification

To verify A ’s signature (r, s) on message m , B should do the

Algorithm 9 signature verification

If the signature was generated by A , then

Security of ElGamal Signature

If Eve intercepted a message m and the signature (r, s), she

The private key can be determined with high probability if the

s1 = k −1 {h(m1 ) − ar} mod (p − 1)

⇒ (s1 − s2 )k ≡ (h(m1 ) − h(m2 ))(mod(p − 1))

If no hash function h is used. The signing equation is

Schnorr Signature Scheme

This is an variant of ElGamal Signature scheme. Here a

Schnorr signature scheme

Entity performs the following steps

Algorithm 10 signature generation

Schnorr signature verification

To verify A ’s signature (s, e) on m, B should perform the

Algorithm 11 signature verification

If the signature was created by A , then

Das könnte Ihnen auch gefallen