Elements of applied cryptography

Digital Signatures

! Digital Signatures with appendix

! Digital signatures with message recovery
! Digital signatures based on RSA

!"#$%&'()*%$*+%,-+.

! !"#$%$&'(")$%*'&+,-"$)"'"*+./-,"#-0-*#-*&"1*"!"#$%!$&'$(%
)*"+*%"*,-%("%(.$%!/0*$' '*#2"'##$&$1*'((32"1*"(.$%&"*($*(%"1%
(.$%#$!!20$%3$/*0%!/0*$4
! !"#$%$&'(")$%*'&+,-".+)&"/-"5$'/1/23,$2"$4-42"$5"'"#$)0+&-"',$)-)"
'*"6*3/2!$4%(./'4%72'(- .+)&"/-"'/(-"&1")1(6-"&7-"#$)0+&-"
$86/(23,-9%+/(."6(%'$86/'/*0%2&&$!!%("%(.$%!/0*$':!%!$&'$(

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

/('..-#-0',-$"
! ;/0/(2,%!/0*2(6'$!%+/(.%277$*4/<
! ,-8+$,-"&7-"1,$%$*'(".-))'%-"')"$*0+&"&1"&7-"6-,$5$9'&$1*"'(%1,$&7.:
! +)-"7')7"5+*9&$1*)
! ;<'.0(-)="=,>2#2,9%;?@9%;??2">97*1,,

! ;/0/(2,%!/0*2(6'$!%+/(.%#$!!20$%'$&"5$'! #1"*1&",-8+$,-"&7-"1,$%$*'(".-))'%-"')"$*0+&"&1"&7-"6-,$5$9'&$1*"
'(%1,$&7.:"

! &7-"1,$%$*'(".-))'%-"$)",-916-,-#"5,1."&7-")$%*'&+,-"$&)-(5:
! ;<'.0(-)="A?@2"?'/$*2"@3/-,%A?+-00-(

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+.)4-,5)'**+"6-7
;$1/*/(/"*!
!

! $)"&7-".-))'%-")0'9-

" $)"'"7')7"5+*9&$1*"B$&7"#1.'$*"!

!" $)"&7-"$.'%-"15""

# $)"&7-")$%*'&+,-")0'9-

B$-%0$*$'2(/"*
!

!($9-")-(-9&)"'"0,$6'&-"C-3"B7$97"#-5$*-)"'"$%&'%'&()*&+,%-". #/ B7$97"$)"'"1*-A&1A1*-"
.'00$*%"#/0(!" ! #

!($9-"#-5$*-)"&7-"91,,-)01*#$*%"0+/($9"C-3"#-5$*$*%"&7-"12,%3%4)-%+'()*&+,%-".(D! )+97"&7'&"
D!E.F2")G"H"&,+-"$5">!E.FG"H")"'*#"5'()-"1&7-,B$)-2"51,"'((".F I7 '*#") >2"B7-,-".F"H"
7E.G"51,"." I4"D! $)"91*)&,+9&-#")+97"&7'&"$&".'3"/-"91.0+&-#"B$&71+&"C*1B(-#%-"15"
"#$%&'()$*+&%,*'-."$%/$0

>! $)"&7-"0,$6'&-"C-3:"D! $)"&7-"0+/($9"C-3

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+.)4-,5)'**+"6-7
The signing process
M

Mh

SA

m*

!"#$%&'()*#)$)(%&"+$*,(+-)..
! J1.0+&-"#C%D%.E#F2"!%D%?@E#CF
! >-*#"E#9%!F
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+.)4-,5)'**+"6-7

(m*,s)

VA

true
false
Boolean

Mh S

!"#$%&'()*/)("0"-%&"+$*,(+-)..
! 12".')%3+&%,425'6%/$0%G@
! J1.0+&-"#C%D%.E#F2"6%D%G@E#C9%!F

! !99-0&"&7-")$%*'&+,-"$55"6%D%('6$

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+.)4-,5)'**+"6-7
1(+,)(&").*+0*!2 %$3*42
! >! )71+(#"/-"-55$9$-*&"&1"91.0+&! D! )71+(#"/-"-55$9$-*&"&1"91.0+&-

! K&")71+(#"/-"&"#76(2(/"*2,,-%/*1$2!/3,$ 51,"'*"-*&$&3"1&7-,"
&7'*"!"&1"5$*#"'*". I"'*#"'*") >")+97"&7'&"

D!E.F2")G"H"&,+-2"B7-,-".F"H"7E.G

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+)4-,5)&+..'2+)%+0$8+%9
Definitions
!

M is the message space

MS is the signing space

S is the signature space

Key generation
!

A selects a private key defining a signing algorithm SA which is a

one-to-one mapping SA: MS ! S

A defines the corresponding public key defining the verification

algorithm VA such that VA SA is identity map on MS.
!

VA is constructed such that it may be computed without

"#$%&'()'*$+*,-'*./)#'01.*20/34,'*"'5

SA /.*61.*20/34,'*"'57*8A /.*61.*29:&/;*"'5

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+)4-,5)&+..'2+)%+0$8+%9
The signing process
MR

R
m

SA
m*

MS
!Compute 5C%D%6E5F, 6 is a redundancy function (invertible)
!Compute .*7*!2859:

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+)4-,5)&+..'2+)%+0$8+%9
The signing process
MR

R
m

SA
m*
MS

!
!
!
!

L/&'$*"'+&7-*&$9"0+/($9"C-3"5/
J1.0+&-".F"H"5E$G"
D-,$53"$5".6( !# E$5"*1&2",-M-9&"&7-")$%*'&+,-G
?-916-,"&7-".-))'%-". H"789E.FG

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

1-2-,'().-2"',3%+.)4-,5)&+..'2+)%+0$8+%9
1(+,)(&").*+0*!2 %$3*42
! >! )71+(#"/-"-55$9$-*&"&1"91.0+&! D! )71+(#"/-"-55$9$-*&"&1"91.0+&! K&")71+(#"/-"91.0+&'&$1*'((3"$*5-')$/(-"51,"'*"-*&$&3"1&7-,"
&7'*"!"&1"5$*#"'*")" >")+97"&7'&"D!E)G" I?

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

::

1-2-,'().-2"',3%+.)4-,5)&+..'2+)%+0$8+%9
H.$%'$46*42*&-%16*&(/"*
! ?"'*#"?AN ',-"0+/($9(3"C*1B*
! >-(-9&$*%"'*"'00,10,$'&-"?"$)"4,%-%4)* &1"&7-")-9+,$&3"15"&7-")3)&-.

2*;%3*()3'$3%$-<*0'$-&"+$
! O-&"+)")+001)-"&7'&"I?

I>

! ?"'*#">! ',-"/$M-9&$1*)2"&7-,-51,-"I"'*#">"7'6-"&7-")'.-"*+./-,"15"
-(-.-*&)
! P7-,-51,-2"51,"'((")" >2"D!E)G" I?7%8#$*$9:*$;%'"%'&%<$.&0=%":%9')>%.)%?%
51,"B7$97")"$)"&7-")$%*'&+,-2"."H"?ANED!E)GG
! )"$)"'"6'($#")$%*'&+,-"51,"."E2:%$-2'-%)*(3+,&2,;G
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:4

1-2-,'().-2"',3%+.)4-,5)&+..'2+)%+0$8+%9
2*#++3*()3'$3%$-<*0'$-&"+$
! ;<'.0(! I"H"Q."="." QR2"NS*S2"I> H"Q."="." QR2"NST*S
! ?="I"! I>2"?E.G"H".!.
! I?

I>

! U7-*"*"$)"(',%-2" I? V I> H"ENVTG* $)").'((4"P7-,-51,-2"51,"'*"

'#6-,)',3"$&"$)"+*($C-(3"&1"9711)-"'*")"&7'&"3$-(#)"D!E)G I?
! I?JKI=L%MNNO%$)"'*"$*&-,*'&$1*'(")&'*#',#"&7'&"#-5$*-)"'",-#+*#'*93"
5+*9&$1*"51,"A?@ '*#"A23/*
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:5

1-2:).-2":)4-,5)'**+"6-7)#%$&)&+..'2+)%+0$8+%9
! ?/0*2(6'$%0$*$'2(/"*
! J1.0+&-"#C%D%6E=E5FF9%. D%!2E5CF

! 3+&%>'('".5%&'()."4*$%9:*%5 $)".
59%. ',-".'#-"'6'$('/(-"&1"'*31*-"B71".'3"B$)7"&1"6-,$53"&7-")$%*'&+,-

! ?/0*2(6'$%5$'/1/&2(/"*
! 12".')%3+&%,425'6%/$0%42
! J1.0+&-"5F"H"6E=E5FF2"5 H"42E.F2"'*#"' D%E5 DD%5CF
! !99-0&"&7-")$%*'&+,-"$55"'*D%('6$

! L"##$*(
! 6 $)"*1&")-9+,$&3"9,$&$9'("'*3.1,-"'*#"9'*"/-")';(+'28-+8+'2(.)<<%'&
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:6

;9*+.)$#)',,'0<.
BREAKING A SIGNATURE
1. Total break < 4(3'0.405*/.*4:&'*,$*;$=29,'*,-'*./)#'01.*
private key
2. Selective forgery < adversary controls the messages
whose signature is forged
3. Existential forgery < adversary has no control on the
messages whose signature is forged

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:;

;9*+.)$#)',,'0<.
BASIC ATTACKS
!
!

KEY-ONLY ATTACKS < 4(3'0.405*"#$%.*$#&5*,-'*./)#'01.*

public key
MESSAGE ATTACKS
a. known-message attack < adversary has signatures for
a set of messages which are known by the adversary but
not chosen by him
b. chosen-message attack < in this case messages are
chosen by the adversary
c. adaptive chosen-message attack < in this case
messages are adaptively chosen by the adversary

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:7

=,,'0<.>)0$".-6+%',-$".
! @427(/5$%&."!$*P#$!!20$%2((2&)
! K&"$)"&7-".1)&"#$55$9+(&"'&&'9C"&1"0,-6-*&

! !(&71+%7"'*"'#'0&$6-"971)-*A.-))'%-"'&&'9C".'3"/-"$*5-')$/(-"&1".1+*&"$*"0,'9&$9-2"'"
B-((A#-)$%*-#")$%*'&+,-")97-.-")71+(#"*1*-&7-(-))"/-"#-)$%*-#"&1"0,1&-9&"'%'$*)&"&7-"
01))$/$($&3

! H.$%,$5$,%"1%!$&6'/(-%#2-%52'-%2&&"'4/*0%("%(.$%277,/&2(/"*%
! =<2#7,$%QR U7-*"'*"'#6-,)',3"$)"1*(3"9'0'/(-"15".1+*&$*%"'"C-3A1*(3"'&&'9C2"$&".'3"
)+55$9-"&1"#-)$%*"&7-")97-.-"&1"0,-6-*&"&7-"'#6-,)',3"5,1."/-$*%")+99-))5+("'&")-(-9&$6-"
51,%-,34"
! =<2#7,$%S4"U7-*"&7-"'#6-,)',3"$)"9'0'/(-"15"'".-))'%-"'&&'9C2"$&"$)"($C-(3"*-9-))',3"&1"
%+',#"'%'$*)&"&7-"01))$/$($&3"15"-<$)&-*&$'("51,%-,34

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:8

=,,'0<.>)0$".-6+%',-$".
! >%.=*0'$-&"+$.*%$3*3"#"&%?*."#$%&'()*,(+-)..).
! U7-*"'"7')7"5+*9&$1*"= $)"+)-#"$*"'"#$%$&'(")$%*'&+,-")97-.-"E')"$)"15&-*"
&7-"9')-G2"= !."6,4%3$%2%1/<$4%72'(%"1%(.$%!/0*2(6'$%7'"&$!!
)1"&7'&"'*"'#6-,)',3"$)"+*'/(-"&1"&'C-"'"6'($#")$%*'&+,-2",-0('9-"= B$&7"'"
B-'C"7')7"5+*9&$1*2"'*#"&7-*".1+*&"'")-(-9&$6-"51,%-,3"'&&'9C4

! ;<'.0(-4"O-&" 59%. B7-,-". D%!2E=E5FF 4"

O-&"'#6-,)',3"/-"'/(-"&1",-0('9-"= B$&7"'"B-'C-,"7')7"5+*9&$1*"# &7'&"$)"
6+(*-,'/(-"&1")-(-9&$6-"51,%-,34
P7-*"&7-"'#6-,)',3"9'*
N4 #-&-,.$*-"5 )+97"&7'&"#E5 F%D%=E5F:"'*#
T4 ,-0('9-"5 B$&7"5

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:9

@"#"&%?*."#$%&'().*;%.)3*+$*6!2

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

:<

Introductory comments
! >$*9-"&7-"-*9,30&$1*"&,'*)51,.'&$1*"$)"'"/$M-9&$1*2"#$%$&'("
)$%*'&+,-)"9'*"/-"9,-'&-#"/3",-6-,)$*%"&7-",1(-)"15"
-*9,30&$1*"'*#"#-9,30&$1*
! W$%$&'(")$%*'&+,-"B$&7"#$!!20$%'$&"5$'! I>

>" !*

! !",-#+*#'*93"5+*9&$1*"?="I"! !* $)"971)-*"'*#"$)"0+/($9"
C*1B(-#%-

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

4=

?+9)2+"+%',-$"
1. Generate two large, distinct primes p, q (100 200
decimal digits)
2. Compute n = p q and

= (p-1) (q-1)

3. Select a random number 1 < e <

such that gcd(e, ) = 1

4. Compute the unique integer 1 < d <

ed 1 mod

such that

5. (d, n) is the private key

6. (e, n) is the public key

At the end of key generation, p and q must be destroyed

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

4:

@-2"',3%+)2+"+%',-$")'"6)8+%-#-0',-$"
Signature generation. In order to sign a message m, A does
the following
1. Compute m* = R(m) an integer in [0, n<1]

2. Compute s = m*d mod n

3. 61.*./)#4,90'*+$0*=*/.*.

Signature verification>*?#*$0('0*,$*3'0/+5*61.*./)#4,90'*.*4#(*
recover message m, B does the following
1. @:,4/#*61.*49,-'#,/;*29:&/;*"'5*Ae, n)
2. Compute m* = se mod n
3. Verify that m* is in MR; if not reject the signature
4. Recover m = R-1(m*)
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

44

A%$$#),5',)8+%-#-0',-$")4$%<.
! If s is a signature for a message m, then s = m*d mod n
where m* = R(m).
! Since ed = 1 (mod ), se = m*ed = m* (mod n). Finally,
R-1(m*) = R-1(R(m)) = m.

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

45

A$..-B(+)',,'0<.
! I*($0$'%12&("'/T2(/"*
! X'9&1,$Y'&$1*"15"$ (-'#"&1"&1&'("/,-'C4"

! !")71+(#"9711)-", '*#"A )1"&7'&"5'9&1,$*%"$ $)"'"

91.0+&'&$1*'((3"$*5-')$/(-"&')C

! U6,(/7,/&2(/5$%7'"7$'(-%"1%A?@V%'$86/'$#$*(%"*%A
! !"*-9-))',3"91*#$&$1*"51,"'61$#$*%"-<$)&-*&$'("51,%-,3"$)"&7'&"6
.+)&"*1&")'&$)53"&7-".+(&$0($9'&$6-"0,10-,&34"

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

46

C@=).-2"',3%+)-")*%'0,-0+
6);?+-B"$#*,(+;?)54"K5"!($9-"B'*&)"&1")-*#"Z1/"'")-9,-&"'*#")$%*-#"
.-))'%-"&1"Z1/"&7-*"$&".+)&"/-"*! ["*Z

! P7-,-"',-"6',$1+)"B'3)"&1")1(6-"&7-"0,1/(-.
! '$"'4$'/*0="&7-"10-,'&$1*"B$&7"&7-").'((-,".1#+(+)"$)"
0-,51,.-#"5$,)&:""+=212,(-"2(<,232,,2>(+,>2,(%$()*=);$(-+($%&'(
3%,$-()'>(2'4,;<-(*)-2,
! (+"%#"46,/%1"'%$*(/(-="-'97"-*&$&3"7')"&B1".1#+($:".1#+($"51,"
)$%*$*%"E-4%42"&A/$&)G"',-"'(B'3)").'((-,"15"'(("01))$/(-".1#+($"
51,"-*9,30&$1*"E-4%42"&\NA/$&)G
! 24P."&%1"'#2(%"1%(.$%#"46,/
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

4;

C@=).-2"',3%+)-")*%'0,-0+
! Redundancy function
! A suitable redundancy function is necessary in order to avoid
existential forgery

! IOS/IEC 9796 (1991) defines a mapping that takes a k-bit

integer and maps it into a 2k-bits integer

! The RSA digital signature scheme with appendix

! MD5 (128 bit)
! PKCS#1 specifies a redundancy function mapping 128-bit
integer to a k-bit integer, where k is the modulus size (k 512,
k = 768, 1024)

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

47

C@=).-2"',3%+)-")*%'0,-0+
! Performance characteristics
! Let

p = q = k then

! signature generation requires O(k3) bit operations

! signature verification, in the case of small public exponent,
requires O(k2) bit operations

! Suggested value for e in practice are 3 and 216+1. Of course, p and q

must be chosen so that gcd(e, (p < 1)(q < 1)) = 1.
! The RSA signature scheme is ideally suited to situations where
signature verification is the predominant operation being
performed.
! Example. A trusted third party creates a public-key certificate for an entity
A. This requires only one signature generation, and this signature may be
verified many times by various other entities

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

48

C@=).-2"',3%+)-")*%'0,-0+
! Parameter selection
! bitsize of the modulus: miminum 768; at least 1024 for signatures of
longer lifetime or critical for overall security of a large network (i.e.,
the private key of a certification authority)
! No weaknesses have been reported when the public exponent e is
chosen to be a small number such as 3 or 216+1.
! It is not recommended to restrict the size of the private exponent d in
order to improve the efficiency of signature generation

! Bandwidth efficiency
! By definition, BWE = log2 ( MS ) / log2 ( MR )
! For (RSA, ISO/IEC 9796), BWE = 0.5, that is, with a 1024-bits
modulus can be signed 512-bits messages

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

49

C@=).-2"',3%+)-")*%'0,-0+
! System wide parameters
! Each entity must have a distinct RSA modulus; it is insecure to
use a system-wide modulus
! The public exponent e can be a system-wide parameter, and is
in many applications. In this case, the low exponent attack must
be considered

! Short vs. long messages

! Suppose n is a 2k-bit RSA modulus which is used to sign k-bit
messages (i.e., BWE is 0.5)
! Suppose entity A wishes to sign a kt-bit message m
! For t = 1 RSA with message recovery is more efficient;
! For t > 1, RSA with appendix is more efficient

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

*>#>?@A"2>#+@?BCD2"
E@2D*"F+"DA#@G@A
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

4<

!"#$%$"&'()*+*,$"('*+-$,./0

;/!&'$($%W"02'/(.#%?-!($#!
! O-&"< /-"'"0,$.-2"? '"0,$.-"#$6$)1,"15"<!N"'*#"& ]N2"<@N^"
7')"1,#-,"8
! O-&": /-"&7-"<,%1)-2(@2; )-(-9&-#"'&",'*#1."5,1."]N2"?@N^
! O-&"; /-"&7-"91,,-)01*#$*%"<AB*%4(@2; ; H"&: .1#"<

;/!&'$($%W"02'/(.#%X'"3,$#%E;WXF
! _$6-*"E<2"?2"&G"'*#";2"#-&-,.$*-":

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

5:

!"#$%$"&'()*+*,$"('*+-$,./0
! Signature
! select k

Zp<1* randomly

! r = gk mod p, s = (h(m)!xr)k!1 mod (p<1)

! The pair (r, s) is the digital signature for m
! Verification

! Verify that 1

p<1; if not reject the signature

! Compute v1 = yrrs mod p

! Compute h(m) and v2 = gh(m) mod p
! Accept the signature only if v1 = v2.

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

54

!"#$%$"&'()*+*,$"('*+-$,./0
Proof
! If the digital signature (r, s) has been produced by Alice
then s = (h(m)!xr)k!1 mod (p<1).

! Multiplying both sides by k gives ks = (h(m)!xr) mod (p<

1). Rearranging yields h(m) ks+xr mod (p<1).
! This implies that gh(m)

gar+ks

(gx)rrs mod p

! Thus v1 = v2 as required.

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

55

!"#$%$"&'()*+*,$"('*+-$,./0
?$&6'/(! K*"1,#-,"&1"51,%-"'")$%*'&+,-2"'*"'#6-,)',3""9'*")-(-9&"B '&",'*#1.2"
91.0+&-",(H &@ .1#"<4"P7'*"7-"7')"&1"91.0+&-")"H"E"E.G!:,G@!9 .1#"E0@
NG4"K5"&7-"WO`"$)"91.0+&'&$1*'((3"$*5-')$/(-2"&7-"'#6-,)',3"9'*"#1"*1"/-&&-,"
&7'*"&1"9711)-"'*"$ '&",'*#1.:"&7-")+99-))"0,1/'/$($&3"$)"NV< B7$97"$)"
*-%($%$/(-"51,"(',%-"<C

! !"#$55-,-*&"@ .+)&"/-")-(-9&-#"51,"#$55-,-*&".-))'%-)"1&7-,B$)-"&7-")-9,-&"
C-3": 9'*"/-",-6-'(-#
! K5"*1"7')7"5+*9&$1*"" $)"+)-#2"'*"'#6-,)',3"9'*"-')$(3".1+*&"'*"-<$)&-*&$'("
51,%-,3"'&&'9C4
! K5"&7-"97-9C"1*", $)"*1&"#1*-2"'*"'#6-,)',3"9'*")$%*".-))'%-)"15"$&)"
971$9-"0,16$#-#"$&"7')"1*-"6'($#")$%*'&+,-"0,1#+9-#"/3"!($9+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

56

@B?HD+?>I@?>F+"J2
+F+KCDLB*>@?>F+
+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

D$"E%+*36-',-$"
! @1*A,-0+#$'&$1*"0,-6-*&)"'")$%*-,"5,1.")$%*$*%"'"#19+.-*&"'*#"
)+/)-8+-*&(3"/-$*%"'/(-"&1")+99-))5+((3"#-*3"7'6$*%"#1*-")14
! C+$D(),'3"%&"+$*/.*%'&=)$&"-%&"+$*+0*+("#"$
! !+&7-*&$9'&$1*"E/')-#"1*")3..-&,$9"930&1%,'073G"'((1B)"'"0',&3"&1"
91*6$*9-"/(!$,1%1,"'"#6(62,,-%('6!($4%72'(- 15"&7-"$*&-%,$&3V'+&7-*&$9$&3"
15"'"%$6-*".-))'%-"'&"'"%$6-*"&$.-"-R
! @1*A,-0+#$'&$1*"E/')-#"1*"0+/($9AC-3"930&1%,'073G""'((1B)"'"0',&3"&1"
91*6$*9-""(.$'! '&"'*3"&$.-"-N -R 15"&7-"$*&-%,$&3V'+&7-*&$9$&3"15"'"%$6-*"
.-))'%- '&"&$.-"-R

35'6$+&%>'('".5%&'()."4*$%9:*%.%('-$)%?$&&.($%>$,$)>&%:)%"#$%?$&&.($%.)>%
'")-9,-&")*"+*%("%@,/&$%"*,-%E(.$%7'/52($%)$-F

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

57

D$"E%+*36-',-$"
! W'&'"1,$%$*"'+&7-*&$9'&$1*"')"0,16$#-#"/3"'"#$%$&'(")$%*'&+,-"$)"6'($#"1*(3"
B7$(-"&7-"$24,24; :9%"#$%&'()$*+&%<,%1)-2(@2; $)".'$*&'$*-#"
! !"&7,-'&"&7'&".+)&"/-"'##,-))-#"$)"'")$%*-,"B71"%'-2'-%+')**; #$)9(1)-)"
7$)"0,$6'&-"C-32"'*#"&7-,-'5&-,"9('$.)"&7'&"'"<,21%+A$*; 6'($#")$%*'&+,-"
B')"51,%-#
! P7$)"&7,-'&".'3"/-"'##,-))-#"/3

! ,()/)$&"$#*3"()-&*%--)..*&+*&=)*B)<
! '.)*+0*%*&('.&)3*&"5).&%5,*%#)$&
! '.)*+0*%*&('.&)3*$+&%(<*%#)$&

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

58

Thanks for attention!

+,-./01"2,)(0$-3

!"#$%&'()%"*$&$

59