
Digital Signature Scheme

Mohammad. Amir, 2010JCA2207, Computer Application, IIT DELHI, aamir329@gmail.com
Guidance: Prof. R.K. Sharma, Department of Mathematics, IIT DELHI, hodmaths@maths.iitd.ac.in

November 29, 2011


Mohammad. Amir,2010JCA2207 Prof.R.K.Sharma 29 November 2011 1of 25

Presentation Outline

Introduction
Digital Signature
A Classification of Digital Signature Schemes
ELGamal Digital Signature Scheme
The Schnorr Signature Scheme
Directed Signature Scheme
Proposed Directed Signature Scheme
Security Discussion
References


Introduction

Confidential communication is one of the necessities of social life. In this context, some questions that need attention are:

How can one transmit a message secretly, so that no unauthorized person gains knowledge of it?
How can the receiver be sure that the message comes from the right person, exactly as it was transmitted?

A scientific approach to solving these problems is cryptography. Cryptography is the art or science of keeping secrets secret.


Digital Signature

A digital signature scheme is a mathematical scheme for demonstrating the authenticity of a message, essential in various security services. A digital signature scheme consists of the following:

A signature generation algorithm, which is a method for producing a digital signature.
A signature verification algorithm, which is a method for verifying a digital signature.


A Classification of Digital Signature Schemes

There are two classes of digital signature schemes:

Digital signature schemes with appendix require the original message as input to the verification algorithm, and these schemes rely on a cryptographic hash function. Examples: DSA, ElGamal and Schnorr signature schemes.
Digital signature schemes with message recovery do not require the original message as input to the verification algorithm; these schemes have the feature that the message can be recovered from the signature itself. Examples: RSA, Rabin and Nyberg-Rueppel.


Hash function
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value. The ideal cryptographic hash function has four main or significant properties:

It is easy (but not necessarily quick) to compute the hash value for any given message.
It is infeasible to generate a message that has a given hash.
It is infeasible to modify a message without changing the hash.
It is infeasible to find two different messages with the same hash.

Some hash functions: SHA-0, SHA-1, SHA-2, MD5, SSL.

[Figure: Pictorial Representation of Digital Signature Scheme]


Studied Signature Schemes

1. The RSA Signature Scheme
2. ELGamal Digital Signature Scheme
3. The Digital Signature Algorithm (DSA)
4. The Schnorr Signature Scheme
5. Nyberg-Rueppel Digital Signature Scheme
6. Group Signature Scheme
7. Multi-Signature Scheme
8. Directed Signature Scheme


The ELGamal Signature Scheme


A selects a secret integer $x_A$, $1 \le x_A \le p-2$, and computes $y_A = g^{x_A} \bmod p$.

Signature Generation by A:
Select a random secret integer $k$, $1 \le k \le p-2$, with $\gcd(k, p-1) = 1$.
Compute $r = g^{k} \bmod p$ and $k^{-1} \bmod (p-1)$.
Compute $s = k^{-1}\{h(m) - x_A \cdot r\} \bmod (p-1)$.
A's signature for the message $m$ is $(r, s, m)$.

Signature Verification by B:
Compute $v_1 = y_A^{r} \cdot r^{s} \bmod p$.
Compute $h(m)$ and $v_2 = g^{h(m)} \bmod p$.
Accept the signature if and only if $v_1 = v_2$.

The Schnorr Signature Scheme

The Schnorr signature scheme is a well-known variant of the ElGamal signature scheme. This signature also requires a hash function $h$. In this scheme, to sign a binary message $m$ of any length, the user A:

chooses at random a secret integer $k_A \in Z_q$;
computes $r_A = h(g^{k_A} \bmod p, m)$ and $S_A = k_A - x_A \cdot r_A \bmod p$.

The pair $(r_A, S_A)$ is the signature of the user A for the message $m$.

To verify the signature, the recipient B checks the equality $r_A = h(g^{S_A} \cdot y^{r_A} \bmod p, m)$.


Directed Signature Scheme:

Consider the case where a user A wants to generate a signature on a message m that is sensitive for B, and the message is also of concern to other users. For this situation, the form of the signature should be such that only B can directly verify the signature and B can prove its validity to any third party C whenever necessary. Such signatures are called directed signatures.

This presentation proposes a directed signature scheme and discusses the security of the proposed directed signature scheme.


Proposed Directed Signature Scheme

In this scheme, to generate the signature, the signer uses the public key of the signature receiver in such a way that, at the time of signature verification, the secret key of the signature receiver is required. Suppose that user A wants to generate a signature on the message m so that only receiver B can directly verify the signature and B can prove the validity of the signature to any third party C whenever necessary.


To increase the security we use two different hash functions $h_1$ and $h_2$, where $h_1$ is a private hash function of A. The signing and verification processes are as follows.

Signature Generation by A:
A picks a random $K \in Z_p$ and computes  = $g^{-K} \bmod p$ and  = $g^{h_1(m)} \cdot (y_B)^{K} \bmod p$. Here $y_B$ is the public key of the signature receiver B, and $h_1$ is private to A.
Using a one-way hash function $h_2$, A computes a secret value $S_A = h_2(g^{h_1(m)}, m)$.
A computes $Z = h_1(m) + x_A \cdot S_A \bmod p$. Here $x_A$ is the private key of the signer.
{Z, , , m} is the signature of A on the message m.

Signature Verification by B:
Using his private key $x_B$, B computes $N = (\ )^{x_B} \bmod p$ and recovers $S_A = h_2(N, m)$.
B checks the congruence $g^{Z} \equiv N \cdot y_A^{S_A} \bmod p$ for a valid signature. If it holds, then {Z, , , m} is a valid signature.

Signature Validation:
Since
$$N = (\ )^{x_B} = g^{h_1(m)} \cdot y_B^{K} \cdot (g^{-K})^{x_B} = g^{h_1(m)} \cdot (g^{x_B})^{K} \cdot (g^{-K})^{x_B} = g^{h_1(m)},$$
we have $S_A = h_2(g^{h_1(m)}, m) = h_2(N, m)$.
For the congruence $g^{Z} \equiv N \cdot y_A^{S_A} \bmod p$:
L.H.S. $= g^{Z} = g^{h_1(m) + x_A \cdot S_A} = g^{h_1(m)} \cdot g^{x_A S_A}$.
R.H.S. $= N \cdot y_A^{S_A} = g^{h_1(m)} \cdot g^{x_A S_A}$.

Proof of Validity by B to C:
B picks a random $K \in Z_p$, computes  $_C = g^{-K} \bmod p$ and  $_C = N \cdot y_C^{K} \bmod p$, and sends them to C.

C uses ( $_C$,  $_C$) in place of ( , ) to check the validity of the signature by using his secret key. The signature verification process remains the same as the verification above.


Security Discussion.

Security aspects of this directed signature scheme:

Can one retrieve the secret key $x_A$, hash value $h_1(m)$ and secret value $S_A$ from the equation $Z = h_1(m) + x_A \cdot S_A \bmod p$? Here the number of unknown parameters is three and the number of equations is one, and the hash function $h_1$ is private to A, so it is computationally infeasible for a forger to obtain the secret key $x_A$, hash value $h_1(m)$ and secret value $S_A$ from the equation.


Can one forge a signature {Z, , , m} by the equation $g^{Z} \equiv N \cdot y_A^{S_A} \bmod p$? A forger may randomly select an integer $N$ and then compute the hash value $S_A$ such that $S_A = h_2(N, m) \bmod p$. Obviously, to compute the integer $S_A$ is equivalent to solving the discrete logarithm problem. Thus these attacks will not be successful.


Illustration
To illustrate the scheme, take p = 23 and g = 3. The secret and public keys of the users are as follows:

User    Secret key    Public key
A       2             9
B       3             4
C       6             16

To generate the signature, A picks random K = 3 and $h_1(m) = 5$ (let), and computes  = 6,  = 4. Using a one-way hash function $h_2$, A computes $S_A = 7$ (let) and Z = 19, and sends {19, 6, 4, m} to B as his/her signature on the message m.


B computes N = 13 and recovers $S_A = h_2(13, m) = 7$ (let). B checks the congruence $3^{19} \equiv 13 \cdot 9^{7} \bmod 23$ for a valid signature. This holds. To prove the validity of the signature to C, the signature receiver B picks random K = 8, computes  $_C$ = 4,  $_C$ = 9 and sends them to C. C computes $N = 9 \cdot 4^{6} \bmod 23 = 18$. C verifies the signature in a similar fashion to the signature receiver.
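The illustration above can be replayed in code. This is an added example, not part of the original slides: the names `u` and `w` for the two signature components are hypothetical (their symbols did not survive in the text), and the "let" values h1(m) = 5 and S_A = 7 are passed in directly instead of being computed by real hash functions. It needs Python 3.8+ for modular inverses via `pow`.

```python
# Added example: toy run of the directed signature scheme with the slides' numbers.
# Hypothetical names: u, w for the two signature components (their symbols did
# not survive in the text). h1(m) = 5 and S_A = 7 are the slides' "let" values,
# passed in directly instead of being computed by real hash functions.
P, G = 23, 3                                   # toy parameters, not secure
SECRET = {"A": 2, "B": 3, "C": 6}
PUBLIC = {name: pow(G, x, P) for name, x in SECRET.items()}

def sign(h1_m, s_a, k, receiver):
    """Signer A produces (Z, u, w) directed at `receiver`."""
    u = pow(G, -k, P)                                       # g^(-K) mod p
    w = pow(G, h1_m, P) * pow(PUBLIC[receiver], k, P) % P   # g^h1(m) * y^K
    # Reduced mod p as on the slides; no wrap-around happens with these values
    # (in general an exponent has to be reduced modulo the order of g).
    z = (h1_m + SECRET["A"] * s_a) % P
    return z, u, w

def recover_n(u, w, name):
    """N = w * u^x mod p; equals g^h1(m) only for the intended receiver."""
    return w * pow(u, SECRET[name], P) % P

def verify(z, n, s_a):
    """Check g^Z == N * y_A^S_A (mod p)."""
    return pow(G, z, P) == n * pow(PUBLIC["A"], s_a, P) % P

def prove_to(n, k, third_party):
    """B re-masks N under the third party's public key."""
    return pow(G, -k, P), n * pow(PUBLIC[third_party], k, P) % P

if __name__ == "__main__":
    z, u, w = sign(h1_m=5, s_a=7, k=3, receiver="B")
    n_b = recover_n(u, w, "B")
    print("signature:", (z, u, w), "N at B:", n_b, "valid:", verify(z, n_b, 7))
    n_wrong = recover_n(u, w, "C")              # C tries B's signature directly
    print("N at C without B's help:", n_wrong, "valid:", verify(z, n_wrong, 7))
    u_c, w_c = prove_to(n_b, k=8, third_party="C")
    print("pair for C:", (u_c, w_c), "N at C:", recover_n(u_c, w_c, "C"))
```

Run as written, the signature comes out as (19, 6, 4) with N = 13 at B, while C applying its own key to B's pair gets N = 2 and the check fails. For the proof to C with K = 8, `prove_to(13, 8, "C")` returns (4, 18) and C recovers N = 13, the same N that B verified against.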


Used For

Digital signatures are commonly used for:

Software distribution
Financial transactions
Smart card
Online income tax filing
Business transactions
Signature on medical records


Allocation of registration number


Registrations of various kinds are a common practice in our society, such as those of vehicles, shops and factories. We are all familiar with the present status of our registration system. A handwritten signature is used for the allocation of a registration number by the authority. Every signature is followed by a lot of formalities and records. Unfortunately, the present system is not very secure and is liable.

My idea: I want to implement a registration scheme in which the registration number cannot be forged and misused. For the practical implementation of this idea, I will use the directed signature scheme.
