Department of Computer

Engineering
Digital Signature Schemes
CRYPTOGRAPHY
CS-531

Faculty-
Vivek Kumar Anand
  have looked at message authentication
 but does not address issues of lack of trust
 digital signatures provide the ability to:
Digital  verify author, date & time of signature
 authenticate message contents
Signatures  be verified by third parties to resolve disputes
 hence include authentication function with additional capabilities
 Digital
Signature
Model
 Digital
Signature
Model
Attacks
Forgeries
 ➢must depend on the message signed
➢must use information unique to sender
⚫to prevent both forgery and denial
Digital ➢must be relatively easy to produce
Signature ➢must be relatively easy to recognize & verify
➢be computationally infeasible to forge
Requirements ⚫with new message for existing digital signature
⚫with fraudulent digital signature for given message
➢be practical save digital signature in storage
  involve only sender & receiver
 assumed receiver has sender’s public-key
 digital signature made by sender signing entire message
Direct Digital or hash with private-key

Signatures  can encrypt using receivers public-key

 important that sign first then encrypt message &
signature
 security depends on sender’s private-key
  signature variant of ElGamal, related to D-H
 so uses exponentiation in a finite (Galois)
 with security based difficulty of computing discrete logarithms,
as in D-H
ElGamal  use private key for encryption (signing)
Digital  uses public key for decryption (verification)
Signature  each user (eg. A) generates their key
 chooses a secret key (number): 1 < xA < q-1
xA
 compute their public key: yA = a mod q
  Alice signs a message M to Bob by computing
 the hash m = H(M), 0 <= m <= (q-1)
 chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
k
 compute temporary key: S1 = a mod q
ElGamal  compute K-1 the inverse of K mod (q-1)
Digital  compute the value: S2 = K-1(m-xAS1) mod (q-1)
 signature is:(S1,S2)
Signature  any user B can verify the signature by computing
m
 V1 = a mod q
 V2 = yAS1 S1S2 mod q
 signature is valid if V1 = V2
  use q=19 and a=10
 Alice computes her key:
16
 A chooses xA=16 & computes yA=10 mod 19 = 4
 Alice signs message with hash m=14 as (3,4):
ElGamal  choosing random K=5 which has gcd(5,18)=1
5
 computing S1 = 10 mod 19 = 3
Signature  finding K-1 mod (q-1) = 5-1 mod 18 = 11
Example  computing S2 = 11(14-16*3) mod 18 = 4
 any user B can verify the signature by computing
14
 V1 = 10 mod 19 = 16
 V2 = 43.34 = 5184 = 16 mod 19
 since 16 = 16 signature is valid
  use q=71 and a=7
 Alice computes her key:
16
 A chooses xA=16 & computes yA=7 mod 71 = 19
 Alice signs message with m=15 :
ElGamal  choosing random K=31 which has gcd(31,70)=1
31
 computing S1 = 7 mod 71 = 11
Signature  finding K-1 mod (q-1) = 31-1 mod 70 = 61
Example  computing S2 = 61(15-16*11) mod 70 = 49
 any user B can verify the signature by computing
15
 V1 = 7 mod 71 = 23
 V2 = 1911.1149 mod 71 = 23
 since 23 = 23 signature is valid
  also uses exponentiation in a finite (Galois)
 security based on discrete logarithms, as in D-H
 minimizes message dependent computation
Schnorr  multiplying a 2n-bit integer with an n-bit integer
Digital  main work can be done in idle time
Signatures  have using a prime modulus p
 p–1 has a prime factor q of appropriate size
 typically p 1024-bit and q 160-bit numbers
  choose suitable primes p , q
q
 choose a such that a = 1 mod p
 (a,p,q) are global parameters for all
Schnorr Key  each user (eg. A) generates a key
Setup  chooses a secret key (number): 0 < s < q
-s
 compute their public key: vA = a mod q
  user signs message by
 choosing random r with 0<r<q and computing x = ar mod p
 concatenate message with x and hash result to computing: e = H(M || x)
 computing: y = (r + se) mod q
Schnorr  signature is pair (e, y)
Signature  any other user can verify the signature as follows:
 computing: x' = ayve mod p
 verifying that: e = H(M || x’)
  US Govt approved signature scheme
 designed by NIST & NSA in early 90's
 published as FIPS-186 in 1991
Digital  revised in 1993, 1996 & then 2000
Signature  uses the SHA hash algorithm

Standard  DSS is the standard, DSA is the algorithm

 FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature
(DSS) variants
 DSA is digital signature only unlike RSA
 is a public-key technique
DSS vs RSA
Signatures
 ➢creates a 320 bit signature
Digital ➢with 512-1024 bit security
➢smaller and faster than RSA
Signature ➢a digital signature scheme only
Algorithm ➢security depends on difficulty of computing discrete logarithms
➢variant of ElGamal & Schnorr schemes
(DSA)
  have shared global public key values (p,q,g):
 choose 160-bit prime number q
 choose a large prime p with 2L-1 < p < 2L
 where L= 512 to 1024 bits and is a multiple of 64
DSA Key  such that q is a 160 bit prime divisor of (p-1)
 choose g = h(p-1)/q
Generation  where 1<h<p-1 and h(p-1)/q mod p > 1
 users choose private & compute public key:
 choose random private key: x<q
 compute public key: y = gx mod p
 ➢to sign a message M the sender:
⚫generates a random signature key k, k<q
⚫Number, k must be random, be destroyed after use,
DSA Signature and never be reused
➢then computes signature pair:
Creation r = (gk mod p)mod q
s = [k-1(H(M)+ xr)] mod q
➢sends signature (r,s) with message M
  having received M & signature (r,s)
 to verify a signature, recipient computes:
DSA w = s-1 mod q
Signature u1= [H(M)w ]mod q
u2= (rw)mod q
Verification v = [(gu1 yu2)mod p ]mod q
 if v=r then signature is verified
 DSS
Overview
  have discussed:
 digital signatures
 ElGamal & Schnorr signature schemes
Summary  digital signature algorithm and standard