Announcements: Questions? This week: Digital signatures , DSA Secret sharing
7
Announcements: Announcements: Questions? Questions? This week: This week: Digital signatures Digital signatures , DSA , DSA Secret sharing Secret sharing DTTF/NB479: Dszquphsbqiz DTTF/NB479: Dszquphsbqiz Day Day 29 29
description
DTTF/NB479: Dszquphsbqiz Day 29. Announcements: Questions? This week: Digital signatures , DSA Secret sharing. Why are digital signatures important?. Compare with paper signatures Danger: Eve would like to use your signature on other documents! Solution: sig = f(m, user) - PowerPoint PPT Presentation
Transcript of Announcements: Questions? This week: Digital signatures , DSA Secret sharing
Announcements:Announcements:
Questions? Questions?
This week:This week: Digital signaturesDigital signatures, DSA, DSA Secret sharingSecret sharing
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 29Day 29
Why are digital signatures Why are digital signatures important?important?
Compare with paper signaturesCompare with paper signaturesDanger: Eve would like to use your Danger: Eve would like to use your signature on other documents!signature on other documents!Solution: Solution: sig = f(m, user)sig = f(m, user) Let m be the message (document)Let m be the message (document)
Algorithms we’ll study:Algorithms we’ll study: RSARSA ElGamalElGamal DSA (Digital Signature Algorithm)DSA (Digital Signature Algorithm)
RSA SignaturesRSA Signatures
Alice chooses: Alice chooses: p,q, n=pq, p,q, n=pq, e: gcd(e, (p-1)(q-1))=1, e: gcd(e, (p-1)(q-1))=1, d: ed ≡ 1(mod ((p-1)(q-1)) [d is the “pen” Alice uses]d: ed ≡ 1(mod ((p-1)(q-1)) [d is the “pen” Alice uses]
Publishes n, e Publishes n, e [“glasses” Bob uses to see the writing][“glasses” Bob uses to see the writing]
Alice’s signature uses the Alice’s signature uses the decryption exponentdecryption exponent:: y ≡ my ≡ mdd(mod n). Delivers (m, y)(mod n). Delivers (m, y)
Bob’s verification:Bob’s verification: Does m ≡ yDoes m ≡ yee (mod n)? (mod n)?
Show the verification works. (Q1)Show the verification works. (Q1)Note that given only the signature y, and public info e Note that given only the signature y, and public info e and n, Bob can compute the message, m.and n, Bob can compute the message, m.
1
RSA SignaturesRSA Signatures
Alice chooses: Alice chooses: p,q, n=pq, p,q, n=pq, e: gcd(n, (p-1)(q-1))=1, e: gcd(n, (p-1)(q-1))=1, d: ed ≡ 1(mod ((p-1)(q-1))d: ed ≡ 1(mod ((p-1)(q-1))
Publishes n, ePublishes n, eAlice’s signature:Alice’s signature:
y ≡ my ≡ mdd(mod n). Delivers (m, y)(mod n). Delivers (m, y)
Bob’s verification:Bob’s verification: Does m ≡ yDoes m ≡ yee (mod n)? (mod n)?
Eve’s schemes:Eve’s schemes: Can she use Alice’s signature on Can she use Alice’s signature on
a different document, ma different document, m11??
Can she compute a new yCan she compute a new y11, so , so that mthat m11 = y = y11
ee? ?
Can she choose a new yCan she choose a new y11 first, first, then compute mthen compute m11 = y = y11
ee??
2
Blind SignatureBlind Signature
Alice chooses: Alice chooses: p,q, n=pq, p,q, n=pq, e: gcd(n, (p-1)(q-1))=1, e: gcd(n, (p-1)(q-1))=1, d: ed ≡ 1(mod ((p-1)(q-1))d: ed ≡ 1(mod ((p-1)(q-1))
Publishes n, ePublishes n, eBob wants m signedBob wants m signedBob chooses:Bob chooses:
k: random, gcd(k, n)=1k: random, gcd(k, n)=1
Bob sends: tBob sends: t ≡≡ kkeem (mod n)m (mod n)Alice’s signature:Alice’s signature:
s ≡ ts ≡ tdd(mod n). (mod n).
Bob’s verification:Bob’s verification: Computes skComputes sk-1-1
Bob wants Alice to sign a Bob wants Alice to sign a document as a method of document as a method of time-stamping it, but time-stamping it, but doesn’t want to release doesn’t want to release the contents yet.*the contents yet.*
Verification: Verification: Find skFind sk-1-1 in terms of m in terms of m What is the significance of What is the significance of
this?this?
Why can’t Alice read m?Why can’t Alice read m?What’s the danger to What’s the danger to Alice of a blind signature?Alice of a blind signature?
3-4
* He can publish her signature, which others can attest to later that he published at a certain time, or he can submit it to an authority to obtain an actual timestamp: http://en.wikipedia.org/wiki/Trusted_timestamping
ElGamal Signatures don’t reveal the message ElGamal Signatures don’t reveal the message during verificationduring verification
Many different valid signatures for a given messageMany different valid signatures for a given messageAlice chooses: Alice chooses:
p,primitive root p,primitive root , , ≡ ≡ a a (mod p)(mod p) Publishes (p, Publishes (p, ), keeps a secret), keeps a secret
Alice’s signature:Alice’s signature: Chooses k: random, gcd(k, p-1)=1Chooses k: random, gcd(k, p-1)=1 Sends (m, (r,s)), where:Sends (m, (r,s)), where:
r ≡ r ≡ kk (mod p) (mod p)s ≡ ks ≡ k-1-1(m – ar) (mod p-1)(m – ar) (mod p-1)
Bob’s verification:Bob’s verification: Does Does rrrrss ≡ ≡ mm (mod p)? (mod p)?
ElGamal SignaturesElGamal Signatures
Many different valid signatures Many different valid signatures for a given messagefor a given messageAlice chooses: Alice chooses:
p,primitive root p,primitive root , secret , secret aa, , and and ≡ ≡ a a (mod p)(mod p)
Publishes (p, Publishes (p, ), keeps ), keeps aa secretsecret
Alice’s signature:Alice’s signature: Chooses k: random, Chooses k: random,
gcd(k, p-1)=1gcd(k, p-1)=1 Sends m, (r,s), where:Sends m, (r,s), where:
r ≡ r ≡ kk (mod p) (mod p)s ≡ ks ≡ k-1-1(m – ar) (mod p-1)(m – ar) (mod p-1)
Bob’s verification:Bob’s verification: Does Does rrrrss ≡ ≡ mm (mod p)? (mod p)?
Notice that one can’t compute Notice that one can’t compute m from (r,s).m from (r,s).
Show the verification works.Show the verification works.
Why can’t Eve apply the Why can’t Eve apply the signature to another message?signature to another message?If Eve learns a, she can forge If Eve learns a, she can forge the signaturethe signature
Note: Alice needs to Note: Alice needs to randomize k each time, else randomize k each time, else Eve can recognize this, and Eve can recognize this, and can compute k and a relatively can compute k and a relatively quickly.quickly.
5-7
