Beruflich Dokumente
Kultur Dokumente
la Seguridad de la Información
Sesión 8
Digital Signatures
Yoan Pinzón
c 2014
Session 8
• Digital Signatures
⊲ How it works?
⊲ RSA Signature Scheme
— In Practice
— Example
⊲ ElGamal Signature Scheme
— In Practice
— Example
— Forging a Signature
— Remarks
⊲ Digital Signature Standard (DSS)
— Remarks
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 198
How it works?
Assume you were going to send the draft of a contract to your lawyer in
another town. You want to give your lawyer the assurance that it was
unchanged from what you sent and that it is really from you.
• You then use a private key that you have previously obtained from a
public-private key authority to encrypt the hash. The encrypted hash
becomes your digital signature of the message.
At the other end, your lawyer receives the message. To make sure it’s
intact and from you, your lawyer makes a hash of the received message.
Your lawyer then uses your public key to decrypt the message hash or
summary. If the hashes match, the received message is valid.
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 199
The value (e, n) is the public key, and (d, n) is the private key.
and
verk (x, y) = true ⇔ x ≡ y e(mod n)
(x, y ∈ Zn).
Clearly, the security level of the RSA signature scheme is exactly the
same as for the RSA cryptosystem.
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 200
In Practice
(a) Setup:
1) Generate two large random primes p and q (p 6= q and |p| ≈ |q|)
2) Compute n = pq and φ = (p − 1)(q − 1)
3) Select a random integer e, 1 < e < φ such that GCD(e, φ)=1
4) Use EEA(φ, e) algorithm to find d such that ed ≡ 1(mod φ)
5) Publish (e, n) as verification (public) key
6) Keep (d, n) as signing (secret) key
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 201
Example
(a) Setup:
1) Let p=47, q=71
2) Let n = pq =3337, φ = 46 × 70 = 3220
3) Choose e (at random) to be 79
4) Compute EEA(3220, 79) to find d
φ e q gcd(φ, e) x y
3220 79 40 1 -25 1019 ⊲ d = 1019
79 60 1 1 19 -25
60 19 3 1 -6 19
19 3 6 1 1 -6
3 1 3 1 0 1
1 0 – 1 1 0
5) Verification key = (79, 3337)
6) Signing key = (1019, 3337)
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 202
Message x =999
i 9 8 7 6 5 4 3 2 1 0
bi 1 1 1 1 1 1 1 0 1 1
x 999 835 2439 2415 786 54 3220 341 412 1264 =y
i 6 5 4 3 2 1 0
bi 1 0 0 1 1 1 1
y 1264 2610 1283 289 1212 1709 999
PowerMod(1264, 79, 3337) = 999 = x ⇒ ver(79,3337)(1264, 999) = 1(true)
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 203
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 204
In Practice
(a) Setup:
1) Generate a large random prime p and a generator α of Z∗p
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 205
In Practice (cont.)
(c) Signature Verification:
1) Verify that 1 ≤ γ ≤ p − 1; if not, then reject the signature
2) Compute v1′ = PowerMod(β, γ, p)
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 206
Example
(a) Setup:
1) Let p=2579, α=2
2) Let a=765
i 9 8 7 6 5 4 3 2 1 0
bi 1 0 1 1 1 1 1 1 0 1
α 2 4 32 2048 1700 461 2086 1246 2537 949 = β
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 207
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 208
(c) Signature Verification:
1) 1 ≤ 435 ≤ 2578
2) v1′ = PowerMod(949, 435, 2579)b = 43510 = h110110011i2
i 9 8 7 6 5 4 3 2 1 0
bi 1 1 0 1 1 0 0 1 1
β 949 65 1646 1676 1928 845 2221 1996 1710 =v1′
3) Compute v1′′ = PowerMod(435, 690, 2579)
b = 69010 = h1010110010i2
i 9 8 7 6 5 4 3 2 1 0
bi 1 0 1 0 1 1 0 0 1 0
γ 435 958 719 1161 2248 1694 1788 1563 1670 1001 =v1′′
4) Compute v1 = 1710 × 1001 mod 2579 = 1833
5) Compute v2 = PowerMod(2, 999, 2579)
b = 99910 = h1111100111i2
i 9 8 7 6 5 4 3 2 1 0
bi 1 1 1 1 1 0 0 1 1 1
α 2 8 128 1820 1928 845 2221 1007 1004 1833 =v2
6) We Accept the signature since v1 = v2
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 209
Forging a Signature
⊲ Try answering this question by using p=467, α=2, β=132, i=99, j=179.
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 210
Remarks
• As for the ElGamal cryptosystem, the security of the ElGamal sig-
nature scheme is based on the discrete logarithm problem modulo
p
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 211
where
γ = (αk mod p) mod q and
δ = (SHA–1(x) + aγ)k−1 mod q.
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 212
Digital Signature Standard (cont.)
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 213
Remarks
• ElGamal scheme is a pair (γ, δ), where γ and δ are integers modulo
p and p − 1, respectively. In 1994 it was already necessary to choose
p as a 512-bit prime in order to make the ElGamal scheme secure.
Thus, an ElGamal signature can be expected to have 1024 bits. This
is too long for typical applications such as smart cards. Nowadays it
would be preferable to choose a 1024-bit prime p, leading to 2048-bit
ElGamal signatures.
• DSS signs 160-bit messages with a 320-bit signature, but the com-
putations are done using a prime modulus p that has between 512
and 1024 bits.
Introdu
i
on a la Criptograf
a y a la Seguridad de la Informa
i
on 214