Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is...
Transcript of Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is...
![Page 1: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/1.jpg)
Cryptography V:Digital Signatures
Computer Security Lecture 12
David Aspinall
School of InformaticsUniversity of Edinburgh
19th February 2009
![Page 2: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/2.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 3: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/3.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 4: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/4.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:
É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 5: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/5.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:
É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 6: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/6.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authentication
É accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 7: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/7.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiation
É unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 8: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/8.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiationÉ unforgeability
É integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 9: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/9.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrity
É verifiability by independent, public or 3rd partyÉ Digital signatures are the asymmetric analogue of
MACs, with a crucial difference. (Exercise:what?)É Note: electronic signatures are a more general
notion.
![Page 10: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/10.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 11: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/11.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 12: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/12.jpg)
Aims
É Digital signatures allow a principal tocryptographically bind (a representation of) itsidentity to a piece of information.
É Signatures can help establish security propertiessuch as:É authenticationÉ accountability/non-repudiationÉ unforgeabilityÉ integrityÉ verifiability by independent, public or 3rd party
É Digital signatures are the asymmetric analogue ofMACs, with a crucial difference. (Exercise:what?)
É Note: electronic signatures are a more generalnotion.
![Page 13: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/13.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 14: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/14.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 15: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/15.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 16: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/16.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 17: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/17.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 18: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/18.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 19: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/19.jpg)
Handwritten versus Digital Signatures
ink binds to paper cryptographically bound to data
verifier needs signature verifier needs public key
signatures always same depends on document
copies apparent copies indistinguishable
signer saw document computer added signature
have legal impact may have legal impact
![Page 20: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/20.jpg)
Signature mechanism
A signature mechanism for principal A is given by:É A message space M of messages for signingÉ A set S of signatures (e.g. strings {0,1}n)É A secret signing function SA :M→ SÉ A public verification function VA :M× S → Bool
satisfying the correctness and security properties:1. VA(m, s) = true if and only if SA(m) = s.2. For any principal other than A, it is computationally
infeasible to find for any m ∈M, an s ∈ S such thatVA(m, s) = true.
Usually use a public algorithm yielding key-indexedfamilies {Ss | s ∈ K} of signing and verification functions{Vv | v ∈ K}. Principal advertises v.Remark: nobody has proved a signature mechanismsatisfying 2 exists, although there are good candidates.
![Page 21: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/21.jpg)
Signature mechanism
A signature mechanism for principal A is given by:É A message space M of messages for signingÉ A set S of signatures (e.g. strings {0,1}n)É A secret signing function SA :M→ SÉ A public verification function VA :M× S → Bool
satisfying the correctness and security properties:1. VA(m, s) = true if and only if SA(m) = s.2. For any principal other than A, it is computationally
infeasible to find for any m ∈M, an s ∈ S such thatVA(m, s) = true.
Usually use a public algorithm yielding key-indexedfamilies {Ss | s ∈ K} of signing and verification functions{Vv | v ∈ K}. Principal advertises v.Remark: nobody has proved a signature mechanismsatisfying 2 exists, although there are good candidates.
![Page 22: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/22.jpg)
Signature mechanism
A signature mechanism for principal A is given by:É A message space M of messages for signingÉ A set S of signatures (e.g. strings {0,1}n)É A secret signing function SA :M→ SÉ A public verification function VA :M× S → Bool
satisfying the correctness and security properties:1. VA(m, s) = true if and only if SA(m) = s.2. For any principal other than A, it is computationally
infeasible to find for any m ∈M, an s ∈ S such thatVA(m, s) = true.
Usually use a public algorithm yielding key-indexedfamilies {Ss | s ∈ K} of signing and verification functions{Vv | v ∈ K}. Principal advertises v.
Remark: nobody has proved a signature mechanismsatisfying 2 exists, although there are good candidates.
![Page 23: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/23.jpg)
Signature mechanism
A signature mechanism for principal A is given by:É A message space M of messages for signingÉ A set S of signatures (e.g. strings {0,1}n)É A secret signing function SA :M→ SÉ A public verification function VA :M× S → Bool
satisfying the correctness and security properties:1. VA(m, s) = true if and only if SA(m) = s.2. For any principal other than A, it is computationally
infeasible to find for any m ∈M, an s ∈ S such thatVA(m, s) = true.
Usually use a public algorithm yielding key-indexedfamilies {Ss | s ∈ K} of signing and verification functions{Vv | v ∈ K}. Principal advertises v.Remark: nobody has proved a signature mechanismsatisfying 2 exists, although there are good candidates.
![Page 24: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/24.jpg)
Using a signature scheme
É To sign a message the signer A
1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 25: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/25.jpg)
Using a signature scheme
É To sign a message the signer A
1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 26: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/26.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).
2. Sends the pair (m, s).É To verify that a signature s on a message m was
created by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 27: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/27.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 28: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/28.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 29: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/29.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.
2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 30: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/30.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)
3. Accepts the signature if u = true, rejects it ifu = false.
![Page 31: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/31.jpg)
Using a signature scheme
É To sign a message the signer A1. Computes s = SA(m).2. Sends the pair (m, s).
É To verify that a signature s on a message m wascreated by A, another principal, the verifier:
1. Obtains the verification function VA for A.2. Computes u = VA(m, s)3. Accepts the signature if u = true, rejects it if
u = false.
![Page 32: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/32.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 33: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/33.jpg)
Digital signatures with a TTPÉ Given a trusted third party, it is possible to use
symmetric cryptography techniques.
É Let secure Sam S be the TTP, who shares a key witheach principal.
É For A to send a signed contract M to B, S acts as anintermediary.
Message 1. A→ S: {M}Kas
Message 2. S→ B: {M}Kbs
(like Wide Mouthed Frog key exchange protocol, Mshould include time-stamps and names).
É If A and B disagree about a signature, a judge Judycan verify the contracts also using S:
Message 1. J→ S: {M}Kas ,{M}Kbs
Message 2. S→ J: {yes or no}Kjs
![Page 34: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/34.jpg)
Digital signatures with a TTPÉ Given a trusted third party, it is possible to use
symmetric cryptography techniques.É Let secure Sam S be the TTP, who shares a key with
each principal.
É For A to send a signed contract M to B, S acts as anintermediary.
Message 1. A→ S: {M}Kas
Message 2. S→ B: {M}Kbs
(like Wide Mouthed Frog key exchange protocol, Mshould include time-stamps and names).
É If A and B disagree about a signature, a judge Judycan verify the contracts also using S:
Message 1. J→ S: {M}Kas ,{M}Kbs
Message 2. S→ J: {yes or no}Kjs
![Page 35: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/35.jpg)
Digital signatures with a TTPÉ Given a trusted third party, it is possible to use
symmetric cryptography techniques.É Let secure Sam S be the TTP, who shares a key with
each principal.É For A to send a signed contract M to B, S acts as an
intermediary.
Message 1. A→ S: {M}Kas
Message 2. S→ B: {M}Kbs
(like Wide Mouthed Frog key exchange protocol, Mshould include time-stamps and names).
É If A and B disagree about a signature, a judge Judycan verify the contracts also using S:
Message 1. J→ S: {M}Kas ,{M}Kbs
Message 2. S→ J: {yes or no}Kjs
![Page 36: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/36.jpg)
Digital signatures with a TTPÉ Given a trusted third party, it is possible to use
symmetric cryptography techniques.É Let secure Sam S be the TTP, who shares a key with
each principal.É For A to send a signed contract M to B, S acts as an
intermediary.
Message 1. A→ S: {M}Kas
Message 2. S→ B: {M}Kbs
(like Wide Mouthed Frog key exchange protocol, Mshould include time-stamps and names).
É If A and B disagree about a signature, a judge Judycan verify the contracts also using S:
Message 1. J→ S: {M}Kas ,{M}Kbs
Message 2. S→ J: {yes or no}Kjs
![Page 37: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/37.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:
É Message space M, signature space C (=M).É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 38: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/38.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.
É We can define a digital signature scheme byreversing encryption and decryption:
É Message space M, signature space C (=M).É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 39: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/39.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:
É Message space M, signature space C (=M).É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 40: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/40.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:É Message space M, signature space C (=M).
É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 41: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/41.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:É Message space M, signature space C (=M).É the signing function SA = Dd
É the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 42: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/42.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:É Message space M, signature space C (=M).É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 43: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/43.jpg)
Digital signatures from PK encryptionÉ Suppose we have a public-key encryption scheme
with M = C, and (d,e) a key-pair. Then because Ee
and Dd are both permutations on M, we have that:
Dd(Ee(m)) = Ee(Dd(m)) = m for all m ∈M
A public-key scheme of this type is calledreversible.
É RSA is reversible, but not every PK scheme is.É We can define a digital signature scheme by
reversing encryption and decryption:É Message space M, signature space C (=M).É the signing function SA = DdÉ the verification function VA is defined by
VA(m, s) =
�
true if Ee(s) = m,false otherwise.
É However, this scheme is somewhat too simple. . .
![Page 44: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/44.jpg)
Existential forgery
É The previous scheme is too simple becausesignatures are forgeable: a principal B can generatea random s ∈ S as a signature, apply the publicencryption function to get a message m = Ee(s),and transmit (m, s).
É Obviously this verifies! It is an example ofexistential forgery.
É The message m is not likely to be of B’s choosing(and probably garbage).
É But this ability violates property 2 given earlier.
![Page 45: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/45.jpg)
Existential forgery
É The previous scheme is too simple becausesignatures are forgeable: a principal B can generatea random s ∈ S as a signature, apply the publicencryption function to get a message m = Ee(s),and transmit (m, s).
É Obviously this verifies! It is an example ofexistential forgery.
É The message m is not likely to be of B’s choosing(and probably garbage).
É But this ability violates property 2 given earlier.
![Page 46: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/46.jpg)
Existential forgery
É The previous scheme is too simple becausesignatures are forgeable: a principal B can generatea random s ∈ S as a signature, apply the publicencryption function to get a message m = Ee(s),and transmit (m, s).
É Obviously this verifies! It is an example ofexistential forgery.
É The message m is not likely to be of B’s choosing(and probably garbage).
É But this ability violates property 2 given earlier.
![Page 47: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/47.jpg)
Existential forgery
É The previous scheme is too simple becausesignatures are forgeable: a principal B can generatea random s ∈ S as a signature, apply the publicencryption function to get a message m = Ee(s),and transmit (m, s).
É Obviously this verifies! It is an example ofexistential forgery.
É The message m is not likely to be of B’s choosing(and probably garbage).
É But this ability violates property 2 given earlier.
![Page 48: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/48.jpg)
Signatures with redundancy
É A fix to reduce likelihood of existential forgery is totake M′ ⊂M to be messages with a specialredundant structure, which is publicly known e.g.,messages padded to an even length, surroundedwith a fixed bit pattern.
É This format is easily recognized by the verifier:
VA(s) =
�
true if Ee(s) ∈M′,false otherwise.
É Now A only transmits the signature s, since themessage m = Ee(s) can be recovered by theverification function.
É This property is message recovery, the scheme iscalled a signature scheme with recovery.
É Existential forgery is less likely.
![Page 49: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/49.jpg)
Signatures with redundancy
É A fix to reduce likelihood of existential forgery is totake M′ ⊂M to be messages with a specialredundant structure, which is publicly known e.g.,messages padded to an even length, surroundedwith a fixed bit pattern.
É This format is easily recognized by the verifier:
VA(s) =
�
true if Ee(s) ∈M′,false otherwise.
É Now A only transmits the signature s, since themessage m = Ee(s) can be recovered by theverification function.
É This property is message recovery, the scheme iscalled a signature scheme with recovery.
É Existential forgery is less likely.
![Page 50: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/50.jpg)
Signatures with redundancy
É A fix to reduce likelihood of existential forgery is totake M′ ⊂M to be messages with a specialredundant structure, which is publicly known e.g.,messages padded to an even length, surroundedwith a fixed bit pattern.
É This format is easily recognized by the verifier:
VA(s) =
�
true if Ee(s) ∈M′,false otherwise.
É Now A only transmits the signature s, since themessage m = Ee(s) can be recovered by theverification function.
É This property is message recovery, the scheme iscalled a signature scheme with recovery.
É Existential forgery is less likely.
![Page 51: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/51.jpg)
Signatures with redundancy
É A fix to reduce likelihood of existential forgery is totake M′ ⊂M to be messages with a specialredundant structure, which is publicly known e.g.,messages padded to an even length, surroundedwith a fixed bit pattern.
É This format is easily recognized by the verifier:
VA(s) =
�
true if Ee(s) ∈M′,false otherwise.
É Now A only transmits the signature s, since themessage m = Ee(s) can be recovered by theverification function.
É This property is message recovery, the scheme iscalled a signature scheme with recovery.
É Existential forgery is less likely.
![Page 52: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/52.jpg)
Signatures with redundancy
É A fix to reduce likelihood of existential forgery is totake M′ ⊂M to be messages with a specialredundant structure, which is publicly known e.g.,messages padded to an even length, surroundedwith a fixed bit pattern.
É This format is easily recognized by the verifier:
VA(s) =
�
true if Ee(s) ∈M′,false otherwise.
É Now A only transmits the signature s, since themessage m = Ee(s) can be recovered by theverification function.
É This property is message recovery, the scheme iscalled a signature scheme with recovery.
É Existential forgery is less likely.
![Page 53: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/53.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 54: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/54.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text
2. avoid attacks on cipher systemÉ Signer: computes and transmits (m, s) where
s = SA(h(m)).É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 55: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/55.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 56: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/56.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 57: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/57.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).
É When the original message is required as an inputto the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 58: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/58.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 59: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/59.jpg)
Signatures and hash functions
É In practice, usually the signing function isconstructed by first making a hash of the inputdocument, and signing that. Reasons:
1. efficiency: signature is on smaller text2. avoid attacks on cipher system
É Signer: computes and transmits (m, s) wheres = SA(h(m)).
É Verifier: computes h(m) and verifies VA(h(m), s).É When the original message is required as an input
to the verification function, this is known as adigital signature scheme with appendix.
É The hash function must satisfy appropriateproperties (see Hash Functions lecture).
![Page 60: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/60.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 61: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/61.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:
1. Total break. Adversary can compute the privatekey or find an equivalent signing function.
2. Selective forgery. Adversary can create a validsignature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 62: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/62.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.
2. Selective forgery. Adversary can create a validsignature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 63: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/63.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 64: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/64.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 65: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/65.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 66: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/66.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.
2. Known-message attack: adversary hassignatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 67: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/67.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 68: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/68.jpg)
Attacks on signature schemes [HAC]É An adversary seeks to forge signatures.
Possibilities:1. Total break. Adversary can compute the private
key or find an equivalent signing function.2. Selective forgery. Adversary can create a valid
signature for some chosen message, without usingthe signer.
3. Existential forgery. Adversary can create a validsignature for at least one message, without explicitchoice of the message. May involve signer.
É The adversary may have different knowledgelevels. For PK schemes:
1. Key-only attack: adversary only knows PK.2. Known-message attack: adversary has
signatures for a known set of messages not chosenby him.
3. Chosen-message attack: adversary can obtainsignatures for messages of his choosing. Messagesmay be determined in advance or in adaptive way,using signer as oracle.
![Page 69: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/69.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 70: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/70.jpg)
ElGamal signaturesÉ Setup as encryption: p an appropriate prime, g a
generator of Z∗p
, and the private signing key, d arandom integer with 1 ≤ d ≤ p− 2.
É The public verification key is (p,g,gd mod p).É To sign a message m, 0 ≤m ≤ p, the signer picks a
random secret number r with 1 ≤ r ≤ p− 2 andgcd(r,p− 1) = 1, and computes:
Sd(m) = (e, s) where e = gr mod pde + rs ≡m (mod p− 1).
É The verification function checks that 1 ≤ e ≤ p− 1,and an equation:
V(p,g,gd)(m, (e, s)) =
¨
true if (gd)ees ≡ gm (mod p),
false otherwise.
É Verification works because for a correct signature,
(gd)ees ≡ gde+rs ≡ gm (mod p).
![Page 71: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/71.jpg)
ElGamal signaturesÉ Setup as encryption: p an appropriate prime, g a
generator of Z∗p
, and the private signing key, d arandom integer with 1 ≤ d ≤ p− 2.
É The public verification key is (p,g,gd mod p).
É To sign a message m, 0 ≤m ≤ p, the signer picks arandom secret number r with 1 ≤ r ≤ p− 2 andgcd(r,p− 1) = 1, and computes:
Sd(m) = (e, s) where e = gr mod pde + rs ≡m (mod p− 1).
É The verification function checks that 1 ≤ e ≤ p− 1,and an equation:
V(p,g,gd)(m, (e, s)) =
¨
true if (gd)ees ≡ gm (mod p),
false otherwise.
É Verification works because for a correct signature,
(gd)ees ≡ gde+rs ≡ gm (mod p).
![Page 72: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/72.jpg)
ElGamal signaturesÉ Setup as encryption: p an appropriate prime, g a
generator of Z∗p
, and the private signing key, d arandom integer with 1 ≤ d ≤ p− 2.
É The public verification key is (p,g,gd mod p).É To sign a message m, 0 ≤m ≤ p, the signer picks a
random secret number r with 1 ≤ r ≤ p− 2 andgcd(r,p− 1) = 1, and computes:
Sd(m) = (e, s) where e = gr mod pde + rs ≡m (mod p− 1).
É The verification function checks that 1 ≤ e ≤ p− 1,and an equation:
V(p,g,gd)(m, (e, s)) =
¨
true if (gd)ees ≡ gm (mod p),
false otherwise.
É Verification works because for a correct signature,
(gd)ees ≡ gde+rs ≡ gm (mod p).
![Page 73: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/73.jpg)
ElGamal signaturesÉ Setup as encryption: p an appropriate prime, g a
generator of Z∗p
, and the private signing key, d arandom integer with 1 ≤ d ≤ p− 2.
É The public verification key is (p,g,gd mod p).É To sign a message m, 0 ≤m ≤ p, the signer picks a
random secret number r with 1 ≤ r ≤ p− 2 andgcd(r,p− 1) = 1, and computes:
Sd(m) = (e, s) where e = gr mod pde + rs ≡m (mod p− 1).
É The verification function checks that 1 ≤ e ≤ p− 1,and an equation:
V(p,g,gd)(m, (e, s)) =
¨
true if (gd)ees ≡ gm (mod p),
false otherwise.
É Verification works because for a correct signature,
(gd)ees ≡ gde+rs ≡ gm (mod p).
![Page 74: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/74.jpg)
ElGamal signaturesÉ Setup as encryption: p an appropriate prime, g a
generator of Z∗p
, and the private signing key, d arandom integer with 1 ≤ d ≤ p− 2.
É The public verification key is (p,g,gd mod p).É To sign a message m, 0 ≤m ≤ p, the signer picks a
random secret number r with 1 ≤ r ≤ p− 2 andgcd(r,p− 1) = 1, and computes:
Sd(m) = (e, s) where e = gr mod pde + rs ≡m (mod p− 1).
É The verification function checks that 1 ≤ e ≤ p− 1,and an equation:
V(p,g,gd)(m, (e, s)) =
¨
true if (gd)ees ≡ gm (mod p),
false otherwise.
É Verification works because for a correct signature,
(gd)ees ≡ gde+rs ≡ gm (mod p).
![Page 75: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/75.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 76: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/76.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].
É Based on ElGamal, but with improved efficiency.É The first digital signature scheme to be recognized
by any government.É Based on two primes: p, which is 512–1024 bits
long, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 77: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/77.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].É Based on ElGamal, but with improved efficiency.
É The first digital signature scheme to be recognizedby any government.
É Based on two primes: p, which is 512–1024 bitslong, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 78: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/78.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].É Based on ElGamal, but with improved efficiency.É The first digital signature scheme to be recognized
by any government.
É Based on two primes: p, which is 512–1024 bitslong, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 79: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/79.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].É Based on ElGamal, but with improved efficiency.É The first digital signature scheme to be recognized
by any government.É Based on two primes: p, which is 512–1024 bits
long, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 80: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/80.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].É Based on ElGamal, but with improved efficiency.É The first digital signature scheme to be recognized
by any government.É Based on two primes: p, which is 512–1024 bits
long, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 81: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/81.jpg)
From ElGamal to DSAÉ The Digital Signature Algorithm is part of the NIST
Digitial Signature Standard [FIPS-186].É Based on ElGamal, but with improved efficiency.É The first digital signature scheme to be recognized
by any government.É Based on two primes: p, which is 512–1024 bits
long, and q, which is a 160-bit prime factor of p− 1.A signature signs a SHA-1 hash value of a message.(In fact, ElGamal signing should be used with ahash function to prevent existential forgery)
É Security of both ElGamal and DSA schemes relieson the intractability of the DLP.
É Comparison with RSA signature scheme: keygeneration is faster; signature generation is aboutthe same; DSA verification is slower. Verification isthe most common operation in general.
![Page 82: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/82.jpg)
Outline
Basics
Constructing signature schemes
Security of signature schemes
ElGamal
DSA
Summary
![Page 83: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/83.jpg)
Summary: Digital Signature SchemesÉ RSA, ElGamal, DSA already described. There are
several variants of ElGamal, including schemes withmessage recovery.
É Notice difference between randomized anddeterministic schemes.
É Schemes for one-time signatures (e.g., Rabin,Merkle), require a fresh public key for each use.É Typically more efficient than RSA/ElGamal methods.É But tedious for multiple documents
É E-cash protocols use blind signature schemesthat prevent the signer (e.g., a bank) linking asigned message (e.g., the cash) with the user.
É For real world security guarantees:É obtaining correct public key is vital;É non-repudiation supposes that private key has
not been stolen;É we may require secure time stamps.
![Page 84: Cryptography V: Digital Signatures · Signature mechanism A signature mechanism for principal A is given by: É A message space M of messages for signing É A set S of signatures](https://reader034.fdocuments.net/reader034/viewer/2022052007/601c2ac45ce3ac516578da37/html5/thumbnails/84.jpg)
References
Alfred J. Menezes, Paul C. Van Oorschot, and Scott A.Vanstone, editors. Handbook of Applied Cryptography.CRC Press Series on Discrete Mathematics and ItsApplications. CRC Press, 1997.Online version athttp://www.cacr.math.uwaterloo.ca/hac.Digital signatures covered in Section 1.6 and Chapter 11.
Nigel Smart. Cryptography: An Introduction.McGraw-Hill, 2003. Third edition online:http://www.cs.bris.ac.uk/~nigel/Crypto_Book/
Recommended Reading
Chapter 14 (14.2–14.4, 14.7) of Smart (3rd Ed).