Digital Signatures (DSs)

• A digital signature cannot be separated from the message and attached to another message
• The signature is tied not only to the signer but also to the message that is being signed
• The digital signature needs to be easily verified by other parties
• Digital signature schemes therefore consist of two distinct steps: the signing process and the verification process
RSA Signatures
• Bob has a document m that Alice agrees to sign. Alice does the following.
• Alice chooses two primes p, q and sets n = pq. She makes (e,n) public, where gcd(e,(p-1)(q-1)) = 1 and de ≡ 1 (mod φ(n)); she keeps p, q, d secret
• Alice's signature is y ≡ m^d (mod n)
• Alice then makes the pair (y,m) public
How does Bob verify Alice's Signature
• Download Alice's (e,n)
• Compute z ≡ y^e (mod n)
• If z = m, then Bob accepts the signature as valid; otherwise the signature is not valid
Blind Signatures (1/2)
• Alice chooses n = pq, finds e, and solves for d as required in the RSA scheme, i.e., ed ≡ 1 (mod φ(n))
• Bob chooses a random k with gcd(k,n) = 1, computes t ≡ k^e m (mod n) for message m, and sends t to Alice
• Alice signs t by computing s ≡ t^d (mod n). She returns s to Bob
• Bob computes s k^(-1) (mod n) to get the signed message m^d
Blind Signatures (2/2)
• s k^(-1) ≡ t^d k^(-1) ≡ (k^e m)^d k^(-1) ≡ m^d (k^(ed)) k^(-1) ≡ m^d (mod n)
• Alice has never seen the message m
• t ≡ k^e m and s ≡ t^d, then s k^(-1) ≡ m^d (mod n)
• The choice of k is random; therefore t ≡ k^e m (mod n) gives essentially no information about m. In this way, Alice knows nothing about the message m she is signing.
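The blinding round trip above, as an added example that is not part of the original slides. The toy key (primes 1009 and 1013, e = 65537, far too small for real use) and all function names are assumptions; the point is that Alice only ever sees t, which changes with k, while Bob always ends up with m^d.

```python
import math
import secrets

# Alice's toy RSA key (constructed sample values, not from the slides)
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # ed ≡ 1 (mod φ(n))

def blind(m, e, n, k=None):
    """Bob: hide m as t = k^e * m mod n, with k random and coprime to n."""
    while k is None or math.gcd(k, n) != 1:
        k = secrets.randbelow(n - 2) + 2
    return pow(k, e, n) * m % n, k

def sign_blinded(t, d, n):
    """Alice: an ordinary RSA signature on t; she never sees m."""
    return pow(t, d, n)

def unblind(s, k, n):
    """Bob: s * k^(-1) mod n strips the blinding factor and leaves m^d."""
    return s * pow(k, -1, n) % n

def verify(m, y, e, n):
    """Anyone: accept iff y^e ≡ m (mod n)."""
    return pow(y, e, n) == m % n

def blind_sign_round_trip(m, k=None):
    """Run the whole exchange; return what Alice saw (t) and Bob's result (y)."""
    t, k = blind(m, E, N, k)
    s = sign_blinded(t, D, N)
    return t, unblind(s, k, N)
```

Because Alice cannot inspect what she signs, a key used this way should be dedicated to blind signing and to nothing else.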
ElGamal Signature Scheme
• One feature that is different from RSA is that,
with this method, there are many different
signatures that are valid for a given message
• Suppose Alice wants to sign a message m. To start, Alice chooses a large prime p and a primitive root α. Alice next chooses a secret integer (key) a, 1≤a≤p-2, and computes β ≡ α^a (mod p). (p,α,β) are made public.
Alice signs the message m via
• Select a secret random k such that
gcd(k,p-1)=1
• Computes r ≡ α^k (mod p)
• Computes s ≡ k^(-1)(m-ar) (mod p-1)
• The signed message is the triple (m,r,s)
Bob verifies the signature via
• Download Alice’s public key (p,α,β)
• Computes u ≡ β^r r^s and w ≡ α^m (mod p)
• The signature is declared valid iff u ≡ w (mod p)
Proof:
w ≡ α^m ≡ α^(sk+ar) ≡ (α^a)^r (α^k)^s ≡ β^r r^s ≡ u (mod p)
More details from p.246~248
ElGamal Signature for one
Alice wants to sign m1=151405 (one). She
chooses p=225119; a primitive root α=11.
She chooses a secret number a, computes
β ≡ α^a ≡ 18191 (mod p).
To sign the message, she picks a random k
and keeps it secret. She computes r ≡ α^k ≡ 164130
(mod p), and s1 ≡ k^(-1)(m1-ar) ≡ 130777 (mod p-1)
The signed message is (151405, 164130, 130777)
ElGamal Signature for two
Alice then signs m2=202315 (two) with the same k,
where (p,α)=(225119,11), hence r has the same
value and the signed message is
(202315, 164130, 164899). Then we have
-34122k ≡ (s1-s2)k ≡ m1-m2 ≡ -50910 (mod p-1)
Since gcd(-34122,p-1) = 2, there are two k's:
k=239 and k=112798 (mod p-1)
Since α^239 ≡ 164130, α^112789 ≡ 59924 (mod p),
k=239 leads to the correct value r=164130
Dangerous to reuse the same k for different documents
Rewrite s1 k ≡ m1-ar (mod p-1) to obtain
164130a ≡ ar ≡ m1 - s1 k ≡ 187104 (mod p-1)
Since gcd(164130, p-1) = 2, there are two
solutions for a: a=28862 and a=141421
Since α=11, β=18191, and
α^28862 ≡ 206928, α^141421 ≡ 18191 (mod p)
Therefore the key a=141421 is revealed.
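The two slides above carried through in code, as an added example that is not part of the original slides; it uses the slides' own numbers, and the function names are assumptions. It also shows the check a verifier can run on stored signatures: two different messages signed with the same r mean k was reused.

```python
from math import gcd

# Public key and the two signed messages from the worked example above
P, ALPHA, BETA = 225119, 11, 18191
SIG1 = (151405, 164130, 130777)   # (m1, r, s1)
SIG2 = (202315, 164130, 164899)   # (m2, r, s2)

def solve_linear(c, b, n):
    """All x in [0, n) with c*x ≡ b (mod n): gcd(c, n) solutions, or none."""
    g = gcd(c, n)
    if b % g:
        return []
    c, b, step = c // g, b // g, n // g
    x0 = b * pow(c, -1, step) % step
    return [x0 + i * step for i in range(g)]

def verify(p, alpha, beta, m, r, s):
    """ElGamal check: beta^r * r^s ≡ alpha^m (mod p)."""
    return 0 < r < p and pow(beta, r, p) * pow(r, s, p) % p == pow(alpha, m, p)

def shares_nonce(sig_a, sig_b):
    """Same r on two different messages under one key means the same k."""
    return sig_a[1] == sig_b[1] and sig_a[0] != sig_b[0]

def recover_from_reused_k(p, alpha, beta, sig1, sig2):
    """Return (k, a) from two signatures that share r."""
    (m1, r, s1), (m2, _, s2) = sig1, sig2
    n = p - 1
    # (s1 - s2) k ≡ m1 - m2 (mod p-1); keep the candidate that reproduces r
    k = next(x for x in solve_linear((s1 - s2) % n, (m1 - m2) % n, n)
             if pow(alpha, x, p) == r)
    # r a ≡ m1 - s1 k (mod p-1); keep the candidate that reproduces beta
    a = next(x for x in solve_linear(r % n, (m1 - s1 * k) % n, n)
             if pow(alpha, x, p) == beta)
    return k, a
```

Both signatures pass `verify`, so nothing looks wrong to Bob; only the repeated r gives the reuse away, which is why k must be fresh and secret for every signature.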
Hash Functions
• A cryptographic hash function h takes as input a
message of arbitrary length and produces as output a
message digest of fixed length. Certain properties
should be satisfied.
(1) Given a message m, the message digest h(m) can be
calculated very quickly.
(2) Given a digest message y, it is computationally
infeasible to find an m with h(m)=y. In other words, h is
a one-way, or preimage resistant, function.
(3) It is computationally infeasible to find messages x, y
such that h(x)=h(y), i.e., h is strongly collision-free.
Examples
• Let n = b_k b_(k-1) … b_1 b_0 and define h(n) = b_k ⊕ … ⊕ b_0.
Thus, this h does not satisfy (2)
• The discrete log hash function due to Chaum,
van Heijst, and Pfitzmann
Select a large prime p such that q=(p-1)/2 is prime. Let
α, β be two primitive roots mod p which satisfy α^a ≡ β
(mod p), where a is a secret number. Let m = x+yq, with
0≤x,y≤q-1. Define a hash function
h(m) ≡ α^x β^y (mod p)
Proposition (p.184)
• If we know messages m≠n with h(m)=h(n), then
we can determine the discrete logarithm
a = L_α(β).
(Proof) Write m=x+yq, n=r+sq. Suppose
h(m)=h(n), i.e., α^x β^y ≡ α^r β^s (mod p). Since
α^a ≡ β (mod p), we get α^(a(y-s)-(r-x)) ≡ 1 (mod p).
Therefore a(y-s) ≡ (r-x) (mod p-1). Since p-1=2q
has only 4 divisors: 1, 2, q, p-1, d=gcd(y-s,p-1)=1
or 2. Thus, we can get the secret a.
Other Hash Functions
• MD family: MD4, MD5 due to Rivest
• NIST's Secure Hash Algorithm (SHA),
which yields a 160-bit message digest
[Stinson] [Schneier] [Menezes et al.]
Hashing, Signing, and Applications
• Sending (m,sig(h(m))) instead of (m,sig(m))
could significantly reduce the size of digital
signatures.
• An appropriate hash function should be
chosen, in particular for electronic
exchanges in e-commerce.
Birthday Attacks
• If there are 23 people in a room, the
probability is 50.7% that two of them have
the same birthday. If there are 30 people,
the probability increases to 70%.
• The probability that no two of 23 people have
the same birthday is
(1-1/365)(1-2/365)…(1-22/365) = 0.493
A Birthday Attack on Discrete Log
• Suppose we want to evaluate L_a(b) with a large p. We
can do so by a birthday attack using the following procedure:
1. The first list contains numbers a^k (mod p) for
approximately p^(1/2) randomly chosen values of k.
2. The second list contains numbers b a^(-j) (mod p) for
approximately p^(1/2) randomly chosen values of j.
There is a good chance that there is a match between
some element on the 1st list and one on the 2nd list. If
so, a^k ≡ b a^(-j) (mod p) and hence a^(k+j) ≡ b (mod p)
x ≡ k+j (mod p-1) is the discrete log solution
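The two-list procedure above on a toy prime, as an added example that is not part of the original slides (the function name and the choice p = 7879 with base 3 are assumptions). It makes the sizing consequence concrete: lists of about √p entries are enough, so p must be chosen large enough that √p work is out of reach.

```python
import math
import random

def birthday_dlog(a, b, p, rng=random):
    """Find x with a^x ≡ b (mod p) by matching a^k against b*a^(-j).

    Returns (x, rounds), where rounds counts how many pairs of lists
    of about sqrt(p) entries were needed before a match appeared.
    """
    size = math.isqrt(p) + 1
    rounds = 0
    while True:
        rounds += 1
        # First list: a^k for random k, indexed by value for O(1) lookup
        first = {}
        for _ in range(size):
            k = rng.randrange(p - 1)
            first[pow(a, k, p)] = k
        # Second list: b * a^(-j) for random j, checked against the first
        for _ in range(size):
            j = rng.randrange(p - 1)
            value = b * pow(a, -j, p) % p
            if value in first:
                return (first[value] + j) % (p - 1), rounds
```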
Digital Signature Algorithm (DSA)
• NIST proposed the DSA in 1991 and
adopted it as a standard in 1994. The
message digest is a 160-bit output of a
hash function. Key generation for DSA
proceeds as follows. First, there is an
initialization phase:
Initialization Phase
• Alice finds a prime q that is 160 bits long and
chooses a prime p that satisfies q|p-1. The
discrete log problem should be hard for this
choice of p (e.g., p is 512-bit long).
• Let g be a primitive root mod p and let α ≡ g^((p-1)/q)
(mod p). Then α^q ≡ 1 (mod p).
• Alice chooses a secret a such that 1≤a<q-1 and
calculates β ≡ α^a (mod p)
• Alice publishes (p,q,α,β) and keeps a secret
The signing process
• Alice signs a message m by the following procedure:
1. Select a random, secret integer k, such that 0<k<q-1
2. Compute r ≡ (α^k (mod p)) (mod q)
3. Compute s ≡ k^(-1)(m+ar) (mod q)
4. Alice's signature for m is (r,s), which she sends to Bob along with m.
Verification
• For Bob to verify, he must
1. Download Alice’s public information
(p,q,α,β)
2. Compute u ≡ s^(-1) m, v ≡ s^(-1) r (mod q)
3. Compute w ≡ (α^u β^v (mod p)) (mod q)
4. Accept the signature iff w=r
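Signing and verification with the equations above, as an added example that is not part of the original slides. The toy parameters q = 101, p = 7879, g = 3 and the function names are assumptions chosen to keep the numbers readable; m stands for the integer message digest.

```python
import secrets

# Toy parameters (constructed; real DSA uses a q of at least 160 bits)
Q = 101
P = 78 * Q + 1                      # 7879 is prime and q | p-1
G = 3                               # assumed primitive root mod p
ALPHA = pow(G, (P - 1) // Q, P)     # 170, an element of order q

def keygen():
    """Secret a with 1 <= a < q-1 and public beta = alpha^a mod p."""
    a = secrets.randbelow(Q - 2) + 1
    return a, pow(ALPHA, a, P)

def sign(m, a, k=None):
    """Return (r, s). k must be fresh per signature; it is fixed only in tests."""
    while True:
        nonce = k if k is not None else secrets.randbelow(Q - 2) + 1
        r = pow(ALPHA, nonce, P) % Q
        s = pow(nonce, -1, Q) * (m + a * r) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; pick another")

def verify(m, r, s, beta):
    """Accept iff w = (alpha^u * beta^v mod p) mod q equals r."""
    if not (0 < r < Q and 0 < s < Q):
        return False                # s must be invertible mod q
    s_inv = pow(s, -1, Q)
    u, v = s_inv * m % Q, s_inv * r % Q
    w = pow(ALPHA, u, P) * pow(beta, v, P) % P % Q
    return w == r
```

With a = 75, k = 50 and m = 22 the signature is (94, 97); changing m to 23 makes verification fail.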
Simple Exercises from p.252-255
• Exercises 1,2,3,4
• Computer Problem 1