introduction to digital signatures

Introduction to digital signaturesBenedictine UniversityMATH 390: Cryptography2 April 2008

Robert Talbert, PhDAssociate Professor of Mathematics and Computing ScienceFranklin College, Franklin, IN

1

Menu

2

MenuThe problem of authentication

2


Non-solutions to the authentication problem; the concept of the digital signature and required parameters

2



Digital signatures using public-key encryption algorithms

2




The Digital Signature Algorithm (DSA)

2




The Digital Signature Algorithm (DSA)

Further applications and issues

2

PROBLEM: AUTHENTICATION

3

PROBLEM: AUTHENTICATION

HOW DO WE DO THIS IF THE DOCUMENT IS DIGITAL AND

NOT PAPER?

3

HAS THIS EMAIL BEEN SIGNED?

4

HOW ABOUT NOW?

5

A TRUE SIGNATURE: • IS AUTHENTIC• CANNOT BE FORGED• CANNOT BE REUSED• PROVES DOCUMENT HAS NOT BEEN ALTERED • CANNOT BE REPUDIATED

7


GOAL: DIGITAL SIGNATURES WHICH DO THIS FOR ELECTRONIC DOCUMENTS.

7

Implementation

8

Implementation

Public-key encryption “in reverse”

8

Implementation

Public-key encryption “in reverse”

Specialized signature-only algorithms: the Digital Signature Algorithm

8

PUBLIC-KEY CRYPTOGRAPHY

9

Alice


9

Alice Bob


9

Alice Bob

Public(e,n)

Privated


9

Plaintext

Dear Bob - The meeting will be at

the embassy.

Alice Bob

Public(e,n)

Privated


9

Plaintext


the embassy.

Alice Bob

Enc

rypt

ion

func

tion

Public(e,n)

Privated


9

Plaintext


the embassy.

Ciphertext

Qrne Obo - Gur zrrgvat jvyy or ng

gur rzonffl.

Alice Bob

Enc

rypt

ion

func

tion

Public(e,n)

Privated


9

Plaintext


the embassy.

Ciphertext


gur rzonffl.

Alice Bob

Enc

rypt

ion

func

tion

Dec

rypt

ion

func

tion

Public(e,n)

Privated


9

Plaintext


the embassy.

Ciphertext


gur rzonffl.

Original plaintext

Dear Bob - The meeting will be at the embassy.

Alice Bob

Enc

rypt

ion

func

tion

Dec

rypt

ion

func

tion

Public(e,n)

Privated


9

Plaintext


the embassy.

Ciphertext


gur rzonffl.

Original plaintext


Alice Bob

Enc

rypt

ion

func

tion

Dec

rypt

ion

func

tion

Public(e,n)

Privated

No secret key is ever exchanged

Alice does not need her own key to use the system


9

Plaintext


the embassy.

Ciphertext


gur rzonffl.

Original plaintext


Alice Bob

Enc

rypt

ion

func

tion

Dec

rypt

ion

func

tion

Public(e,n)

Privated


9

Plaintext


the embassy.

Ciphertext


gur rzonffl.

Original plaintext


Alice Bob

Enc

rypt

ion

func

tion

Dec

rypt

ion

func

tion

Eve

Public(e,n)

Privated


9

M = ab! 1e = AM + a

d = BM + b

n =ed! 1

M

KID CRYPTOChoose positive integers A, B, a, and b.

Public key: (e, n)Private key: d

10

H E L P 07 04 11 15TALBERT’S PUBLIC KEY: (E = 3242, N = 19723)

11


Encryption: Compute y = (ex) mod n for each number.

11


Plaintext Numerical (ex) mod n = Cipher “text”

H 7 (3242 × 7) mod 19723 = 2971

E 4 12698

L 11 15939

P 15 9184

Encryption: Compute y = (ex) mod n for each number.

11

2971 12698 15939 9184

TALBERT’S PRIVATE KEY: D = 1965

12

2971 12698 15939 9184


Decryption: Compute z = (dy) mod n for each number.

12

2971 12698 15939 9184


Decryption: Compute z = (dy) mod n for each number.

Ciphertext (dy) mod n Alpha

2971 7 H

12698 4 E

15939 11 L

9184 15 P

12

WHY KID CRYPTO WORKS

X = PLAINTEXT “CHARACTER”

13



y = (ex) modn

13



y = (ex) modn z = d(ex) modn = (ed)xmodn

13




n =ed! 1

M

13




n =ed! 1

M

ed = (Mn + 1)modn

= Mn modn + 1 modn

= 0mod n + 1 modn

= 1mod n

13




n =ed! 1

M

ed = (Mn + 1)modn

= Mn modn + 1 modn

= 0mod n + 1 modn

= 1mod n

z = (ed)xmodn

= xmodn

= x.

13

BOB

14

BOB ALICE

14

BOB ALICE

PUBLIC(E,N)

14

BOB ALICE

PUBLIC(E,N)

PRIVATED

14

BOB ALICE

PUBLIC(E,N)

PRIVATED

I HEREBY GIVE YOU A RAISE.

14

BOB ALICE

PUBLIC(E,N)

PRIVATED



192 2343 9102 ...

ENCRYPT WITH THE PRIVATE KEYATTACH TO END OF ORIGINAL

MESSAGE

14

BOB ALICE

PUBLIC(E,N)

PRIVATED



192 2343 9102 ...


MESSAGE

DIGITAL SIGNATURE = MESSAGE ENCRYPTED WITH PRIVATE KEY

14

BOB ALICE

PUBLIC(E,N)

PRIVATED



192 2343 9102 ...


MESSAGE

DECRYPT WITH THE PUBLIC KEYAUTHENTICATE BY COMPARING

TO PLAINTEXT MESSAGE


14

BOB ALICE

PUBLIC(E,N)

PRIVATED





192 2343 9102 ...


MESSAGE

DECRYPT WITH THE PUBLIC KEYAUTHENTICATE BY COMPARING

TO PLAINTEXT MESSAGE


14

WHY KID CRYPTO WORKS FOR SIGNATURES


15



s = dxmodnBOB

15



s = dxmodnBOB

s! = edxmodn = xmodn = x.ALICE

15

BOB

16

BOB ALICE

16

BOB ALICE

PUBLIC(E,N)

16

BOB ALICE

PUBLIC(E,N)

PRIVATED

16

BOB ALICE

PUBLIC(E,N)

PRIVATED

EVIL FAKE D

16

BOB ALICE

PUBLIC(E,N)

PRIVATED


EVIL FAKE D

16

BOB ALICE

PUBLIC(E,N)

PRIVATED



228 1893 189 ...

EVIL FAKE D

16

BOB ALICE

PUBLIC(E,N)

PRIVATED



X FLBRUG YTEX BIP Q XETIA.


228 1893 189 ...

EVIL FAKE D

16

BOB ALICE

PUBLIC(E,N)

PRIVATED



X FLBRUG YTEX BIP Q XETIA.


228 1893 189 ...

SIGNATURE DOES NOT MATCH MESSAGE ⇒

MESSAGE NOT AUTHENTICATED

EVIL FAKE D

16


17

Public-key system as signature system

Sender encrypts the message with his private key, attaches “ciphertext” to the plaintext message.

Recipient decrypts the ciphertext with the sender’s public key; compares to plaintext message. Equality ⇒ authentication.

Example using RSA

18

A national standard?

19

1977: RSA INVENTED


19

1977: RSA INVENTED

1982: NIST SOLICITS CANDIDATES FOR FEDERAL DIGITAL

SIGNATURE STANDARD (DSS)


19

1977: RSA INVENTED



1991: NIST PROPOSES DIGITAL

SIGNATURE ALGORITHM (DSA) TO

BE USED IN DSS


19

1977: RSA INVENTED





BE USED IN DSS

1992: PUBLIC COMMENTS ON DSA;

CRITICISM FROM RSA, INC. AND

CLIENT COMPANIES


19

1977: RSA INVENTED 1994: DSA APPROVED





BE USED IN DSS

1992: PUBLIC COMMENTS ON DSA;

CRITICISM FROM RSA, INC. AND

CLIENT COMPANIES


19

227 = 2! 102 + 2! 101 + 7! 100

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20

= 11100011

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20

= 11100011BINARY FORM OF 227

227 IS AN 8-BIT INTEGER

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20


227 IS AN 8-BIT INTEGER5 = 101

1967 =11110101111

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20



1967 =11110101111

Bit length of N =!

lnN

ln 2

"+ 1

20

227 = 2! 102 + 2! 101 + 7! 100

227 = 1! 27 + 1! 26 + 1! 25 + 0! 24

+0! 23 + 0! 22 + 1! 21 + 1! 20



1967 =11110101111

Bit length of N =!

lnN

ln 2

"+ 1

Decimal length of k-bit integer = !(k " 1) log10 2# + 1

20

Alice

21

Alice Bob

21

Alice Bob

HI, BOB. HOW’S IT GOING?(SIGNATURE ATTACHED)

21

Alice BobHI, BOB. HOW’S IT GOING?

(SIGNATURE ATTACHED)

21



AUTHENTICATED

21



AUTHENTICATED

STAGE 1: SYSTEM-WIDE PARAMETER GENERATION.

21



AUTHENTICATED

STAGE 1: SYSTEM-WIDE PARAMETER GENERATION.STAGE 2: KEY GENERATION (ALICE; ONE-TIME ONLY).

21



AUTHENTICATED


STAGE 3: SIGNING (ALICE).

21



AUTHENTICATED


STAGE 3: SIGNING (ALICE).STAGE 4: AUTHENTICATING (BOB).

21

1: SYSTEM-WIDE PARAMETERS

Name Description

pPrime number, bit length

between 512 and 1024 and a multiple of 64.

q 160-bit prime factor of p.

αα = h(p-1)/q mod p

Where h is any number ≤ p-1 such that h(p-1)/q is > 1

22

2: KEY GENERATION

23

2: KEY GENERATION

Alice

23

2: KEY GENERATION

Alice

PRIVATE KEYRandom integer x such that

1 ≤ x ≤ q-1

23

2: KEY GENERATION

Alice

PRIVATE KEYRandom integer x such that

1 ≤ x ≤ q-1

PUBLIC KEYy = αx mod p

23

3: SIGNING

Alice

Has: Message m

Public key y, Private key xSystem parameters p, q, α

24

3: SIGNING

Alice

Has: Message m


Choose random (secret) integer k with 0 < k < q.

24

3: SIGNING

Alice

Has: Message m



Compute r = (!k mod p) mod q.

24

3: SIGNING

Alice

Has: Message m




Compute k!1 mod q.

24

3: SIGNING

Alice

Has: Message m




Compute k!1 mod q.

Compute s = k!1(H(m) + xr)mod q.

24

3: SIGNING

Alice

Has: Message m




Compute k!1 mod q.

Compute s = k!1(H(m) + xr)mod q.

SIGNATURE: (R,S).

24

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:

Public key y; System parameters p, q, α

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:


Verify 0 < r, s < q. Reject if not.

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:



Compute H(m) and w = s!1 mod q.

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:




u1 = (w · H(m))mod q

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:




u1 = (w · H(m))mod q u2 = (rw) mod q

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:





v = (!u1yu2 mod p) mod q

25

4: AUTHENTICATING

BOB

Receives: Message m

Signature (r,s)Has:






IF V = R ⇒ AUTHENTICATED.

25


26


s = k!1 (H(m) + xr)mod q

s!1 = k!H(m) + xr)!1 mod q

26



s!1 = k!H(m) + xr)!1 mod q

!u1 = !wH(m) mod q

26



s!1 = k!H(m) + xr)!1 mod q

!u1 = !wH(m) mod q yu2 = (!x)u2 mod p

= !xrw mod q mod p

26



s!1 = k!H(m) + xr)!1 mod q

!u1 = !wH(m) mod q yu2 = (!x)u2 mod p

= !xrw mod q mod p

!u1yu2 = !wH(m)!xrw mod p

= !w(H(m)+xr) mod q mod p

= !s!1(H(m)+xr) mod q mod p

= !k(H(m)+xr)!1(H(m)+xr) mod q mod p

= !k mod p

26


=!!k mod p) mod q

27


=!!k mod p) mod q

r = (!k mod p) mod q

27


=!!k mod p) mod q


IF V = R ⇒ AUTHENTICATED.

IF V ≠ R ⇒ NO AUTHENTICATION.

27

Alice

28

Alice Bob

28

Alice Bob

PUBLICy=αx

mod p

28

Alice Bob

PUBLICy=αx

mod p

SYSTEM: P, Q

28

Alice Bob


PUBLICy=αx

mod p

SYSTEM: P, Q

28

Alice Bob



(R,S)

PUBLICy=αx

mod p

SYSTEM: P, Q

28

Alice Bob





(R,S)

PUBLICy=αx

mod p

SYSTEM: P, Q

28

Alice Bob





(R,S)

PUBLICy=αx

mod p

SYSTEM: P, Q

HOW TO PRODUCE A FORGED (R,S) ON A NEW MESSAGE?

28

FORGERY METHOD 1: RECOVER ALICE’S PRIVATE KEY FROM AVAILABLE

INFORMATION.

29


INFORMATION.

y = !x mod pSOLVE FOR X

29


INFORMATION.


DISCRETE LOGARITHM PROBLEM

29


INFORMATION.



O(√p)! Too expensive!

29

FORGERY METHOD 2: USE R TO RECOVER K.

30



30




s = k!1(H(m) + xr) mod q

x = r!1(sk !H(m))mod q

30




s = k!1(H(m) + xr) mod q

x = r!1(sk !H(m))mod q

Everything on the RHS except k is public info or easy to

compute... but I still have to solve DLP! Curses!

30

FORGERY METHOD 3: HOPE FOR LAZINESS.

31


Alice

31


Alice

I don’t feel like generating a new value for k.

31


Alice


s1 = k!1(H(m1) + xr) mod q

s2 = k!1(H(m2) + xr) mod q

31


Alice


s1 = k!1(H(m1) + xr) mod q

s2 = k!1(H(m2) + xr) mod q

s1k !H(m1) = xr mod q


31


Alice


s1 = k!1(H(m1) + xr) mod q

s2 = k!1(H(m2) + xr) mod q



k(s1 ! s2) = H(m1)!H(m2) mod q

31


Alice


s1 = k!1(H(m1) + xr) mod q

s2 = k!1(H(m2) + xr) mod q



k(s1 ! s2) = H(m1)!H(m2) mod q

k = (s1 ! s2)!1(H(m1)!H(m2))mod q

31


Alice


s1 = k!1(H(m1) + xr) mod q

s2 = k!1(H(m2) + xr) mod q



k(s1 ! s2) = H(m1)!H(m2) mod q

k = (s1 ! s2)!1(H(m1)!H(m2))mod q

Gotcha!

31

Further issues

32

Further issuesOne-way hash functions and their security (SHA-1, MD5)

32


Faster/less expensive algorithms for solving DLP

32



Uses of secure authentication

32




Electronic currency

32




Electronic currency

Electronic notarization

32




Electronic currency

Electronic notarization

Identification in social networking/blogging

32

Contact

Robert Talbert, PhDDepartment of Mathematics and Computing

Franklin College101 Branigin Blvd.Franklin, IN 46131

[email protected]

33

mailto:[email protected]

mailto:[email protected]

introduction to digital signatures

Technology

authentication problem

problem of authenticationnon

parametersdigital signatures

robert talbert