Digital Signature Preliminary RSA signature scheme ElGamal signature scheme DSA signature scheme - PowerPoint PPT Presentation
1 / 18
Title:
Digital Signature Preliminary RSA signature scheme ElGamal signature scheme DSA signature scheme
Description:
A signature is a commitment (or binding) of a person to a document. Dear John: ... Output yes if and only if gh'yrrs mod p. 2001/12/26. Network Security. 10 ... – PowerPoint PPT presentation
Number of Views:733
Avg rating:3.0/5.0
Title: Digital Signature Preliminary RSA signature scheme ElGamal signature scheme DSA signature scheme
1
Digital Signature Preliminary RSA signature
scheme ElGamal signature scheme DSA
signature scheme
2
Preliminary
- A signature is a commitment (or binding) of a
person to a document
Dear John This is a notice to you about
. Sincerely,
Wen-Guey Tzeng Wen-Guey Tzeng
3
Digital signature
- Goal Use the digital technique to emulate the
hand-written signature - Security requirements
- Unforgeability one cannot create a signature
that is claimed to be anothers - Undeniability the signer cannot later deny the
validity of his signature
4
Requirements
- The signature depends on the signer and the
document to be signed. - Easy to compute it is easy for a signer to sign
a document - Universal verifiability every one can verify
validity of a signature (with respect to the
signer and the document) - Easy to store the signature should be short
enough
5
RSA signature scheme
- Key generation algorithm
- Input k (security parameter)
- Randomly generate two primes p and q of length
k/2 bits - Compute npq (n is k-bit long)
- Randomly select e, 2?e??(n)-1, withgcd(e,
?(n))1 (Note ?(n)(p-1)(q-1)) - Compute de-1 mod ?(n)
- The verification (public) key KU(e, n)
- The signing (private) key KR(d, n)
6
RSA signature scheme (cont.)
- Let H be a hashing algorithm, publicly known
- Signing algorithm Sig
- Input ((d,n), M) (0?M?n-1)
- Compute sH(M)e mod n
- Output(s).
- Verification algorithm Ver
- Input ((e,n), M, s) (0?s?n-1)
- Compute hse mod n
- Output yes if and only if hH(M).
7
RSA example
- Randomly select two primes p7, q17
- Calculate npq717119
- Calculate ?(n)(p-1)(q-1)96
- Randomly select e5, since gcd(e,?(n))1
- Calculate de-1 mod ?(n)77
- Public key KU(5, 119)
- Private key KR(77, 119)
8
ElGamal signature scheme
- Key generation algorithm
- Input k (security parameter)
- Randomly generate a prime 2q1, where q is also
prime - Randomly select h?Zp and compute gh2 mod p?1.
(Note gq1 (mod p)) - Randomly select a number x, 1?x?q-1
- Compute ygx mod p
- The verification (public) key KU(g, p, y)
- The signing (private) key KR(g, p, x)
9
ElGamal signature scheme (cont.)
- Let H be a hashing algorithm, publicly known
- Signing algorithm Sig
- Input ((g,p,x), M) (0?M?p-1)
- Randomly select k, 1?k?q-1 and compute rgk mod p
- Compute sk-1 (H(m)-rx) mod q
- Output((r,s)).
- Note there are many signatures for a message
- Verification algorithm Ver
- Input ((g,p,y), M, (r,s))
- Compute hH(M)
- Output yes if and only if ghyrrs mod p.
10
ElGamal signature scheme (cont.)
- Why ghyrrs (mod p) ?
- yrrs mod p
- (gx)r (gk)s mod p
- gxrks mod p
- gh(M) mod p
11
Digital signature standard (DSS)
- Key generation algorithm
- Input L (security parameter)
- Randomly generate an L-bit prime kq1, where q
is also prime, 2159ltqlt2160 - Randomly select h?Zp and compute gh(p-1)/q mod
p?1. (Note gq1 (mod p)) - Randomly select a number x, 1?x?q-1
- Compute ygx mod p
- The verification (public) key KU(g, p, q, y)
- The signing (private) key KR(g, p, q, x)
12
DSS signature scheme (cont.)
- Let H be a hashing algorithm, publicly known
- Signing algorithm Sig
- Input ((g,p,q,x), M) (0?M?p-1)
- Randomly select k, 1?k?q-1 andcompute r(gk mod
p) mod q - Compute sk-1(H(m)rx) mod q
- Output (r,s).
- Note there are many signatures for a message
13
DSS signature scheme (cont.)
- Verification algorithm Ver
- Input ((g,p,g,y), M, (r,s))
- Compute w s-1 mod q
- Compute u1 H(M)w mod q
- Compute u2 rw mod q
- Compute v (gu1yu2 mod p) mod q
- Output yes if and only if vr
14
DSS signature scheme (cont.)
- Why it works?
- gu1yu2 mod p mod q
- gH(M)w gxrw mod p mod q
- gw(H(M)xr) mod p mod q
- gk mod q mod p mod q
- gk mod p mod q
- r
- Note ordp(g)q.
15
DSS signature scheme example
- Key generation
- p676?111, q11
- g2(p-1)/11 mod p36 mod 6759
- x5, ygx mod p62
- KU(59, 67, 11, 62)
- KR(59, 67, 11, 5)
- Signing
- Let H(M)4, k3
- rgk mod p mod q593 mod 67 mod 112
- sk-1(H(M)rx) mod q3-1(42?5) mod 111
- (r,s)(2,1)
16
DSS signature scheme example
- Verification (r, s)(2, 1)
- ws-1 mod q 1-1 mod 11 1
- u1 H(M)?w mod q 4?1 mod 11 4
- u2 r?w mod q 2?1 mod 11 2
- vgu1 ? yu2 mod p mod q 594?622 mod 67 mod
11 2 - Since vr, (2,1) is a signature to H(M)
17
DSS signature scheme security
- Based on computing discrete logarithm over a
subgroup of size q logg y mod p.Note ordp(g)q - The per-message secret k cannot be used twice.
Otherwise, given two signatures(r1,s1) for M1
and (r2,s2) for M2, we have - s1k-1(H(M1)r1x) mod q
- s2k-1(H(M2))r2x) mod q
- Solve x(s2H(M1)-s1H(M2))/(r2s1-r1s2) mod q
18
Digital signature usage
- Off-line Signing a document for emulating the
hand-written signature - On-line identity authentication (session key
distribution)
challenge c
Bob
Alice
rSig(KRBob, c)
If Ver(KUBob, r, c)true then accept that Bob is
talking to me
