RSA Digital Signature Scheme


KI194-Tilborg May 24, 2005 14:37

[...] result and chaining variable of 256 bits (eight 32-bit words) is used and that there are only 64 steps. Eight 32-bit chaining variables h0, h1, h2, h3, h4, h5, h6, h7 are either initialized to the fixed values IV0 through IV3 and IV5 through IV8 for the first 512-bit message block or to the intermediate hash value for the following message blocks. Then the compression function works as follows:

    A ← h0,  A′ ← h4
    B ← h1,  B′ ← h5
    C ← h2,  C′ ← h6
    D ← h3,  D′ ← h7
    for i = 0 to 63 do
        T  ← (A + f_i(B, C, D) + W_{r(i)} + K_i)^{≪ s_i(r(i))}
        T′ ← (A′ + f_{63−i}(B′, C′, D′) + W_{r′(i)} + K′_i)^{≪ s_i(r′(i))}
        A ← D,  A′ ← D′
        D ← C,  D′ ← C′
        C ← B,  C′ ← B′
        B ← T,  B′ ← T′
        if i = 15 then
            T ← A,  A ← A′,  A′ ← T
        else if i = 31 then
            T ← B,  B ← B′,  B′ ← T
        else if i = 47 then
            T ← C,  C ← C′,  C′ ← T
        else if i = 63 then
            T ← D,  D ← D′,  D′ ← T
    h0 ← h0 + A,  h4 ← h4 + A′
    h1 ← h1 + B,  h5 ← h5 + B′
    h2 ← h2 + C,  h6 ← h6 + C′
    h3 ← h3 + D,  h7 ← h7 + D′

where the ordering of message words $r(i)$ and $r'(i)$, the non-linear functions $f_i$, the shifts $s_i$, and the constants $K_i$ and $K'_i$ are defined as in RIPEMD-160, except that $K'_i = \mathtt{00000000}_x$ for $48 \le i \le 63$.

RIPEMD: The original RIPEMD consists of essentially two parallel versions of MD4, with some improvements to the shifts and the order of the message words; the two parallel instances differ only in the round constants. At the end of the compression function, the words of left and right halves are added to each other and to the initial values of the chaining variable.

SECURITY CONSIDERATIONS: The RIPEMD Family has been designed to provide collision resistance. RIPEMD was developed in 1992 in the framework of the EC-RACE project RIPE [1]. In 1995, Dobbertin found collisions for reduced versions of RIPEMD [3]. Due to these partial attacks, RIPEMD was upgraded in 1996 by Dobbertin et al. to RIPEMD-128 (as plug-in substitute for RIPEMD) and RIPEMD-160 [2]. At the same time, the variants RIPEMD-256 and RIPEMD-320 were introduced as well. An additional reason for the introduction of RIPEMD-160 are brute force collision search attacks. In [4], van Oorschot and Wiener estimate that with a 10 million US$ machine collisions of MD5 can be found in 21 days in 1994, which corresponds to 4 hours in 2004. To counter such collision search attacks, hash values of at least 160 bits are required. RIPEMD-128 and RIPEMD-160 are included in ISO/IEC 10118-3 [5].

Antoon Bosselaers

References

[1] RIPE (1995). "Integrity primitives for secure information systems." Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), Lecture Notes in Computer Science, vol. 1007, eds. A. Bosselaers, and B. Preneel. Springer-Verlag, Berlin.
[2] Dobbertin, H., A. Bosselaers, and B. Preneel (1996). "RIPEMD-160: A strengthened version of RIPEMD." Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, ed. D. Gollmann, Springer-Verlag, Berlin, 71–82. Final version available at http://www.esat.kuleuven.ac.be/~cosicart/pdf/AB-9601/. More information on all aspects of RIPEMD-xxx can be found at http://www.esat.kuleuven.ac.be/~bosselae/ripemd160/
[3] Dobbertin, H. (1992). "RIPEMD with two-round compress function is not collision-free." Journal of Cryptology, 10 (1), 51–69.
[4] van Oorschot, P.C. and M. Wiener (1999). "Parallel collision search with cryptanalytic applications." Journal of Cryptology, 12 (1), 1–28.
[5] ISO/IEC 10118-3 (2003). "Information technology—security techniques—hash-functions—Part 3: Dedicated hash-functions."

RSA DIGITAL SIGNATURE SCHEME

In the basic formula for the RSA cryptosystem [30] (see also RSA Problem, RSA public-key encryption), a digital signature $s$ is computed on a message $m$ according to the equation (see modular arithmetic)

$$s = m^d \bmod n, \qquad (1)$$

where $(n, d)$ is the signer's RSA private key. The signature is verified by recovering the message $m$ with the signer's RSA public key $(n, e)$:

$$m = s^e \bmod n. \qquad (2)$$

Though the meaning of the value $m$ that is signed with this formula has changed over the years, the basic formula has remained the same since it was introduced in 1977. The purpose of this entry is to survey the main approaches based on that formula, each of which can be referred to as an RSA digital signature scheme (see also digital signature schemes for general definitions).

In the definition just given, the value $m$ is itself the message. This is helpful for illustration, but introduces a few challenges:

1. The set of messages that can be signed with the basic formula is limited to the set of integers in the range $[0, n - 1]$. A larger value of $m$ could be signed, but the value $m \bmod n$ is all that would be protected.
2. Some messages are quite easy to sign: for instance, $m = 0$ always has the signature 0 regardless of the signer's private key, and similarly for $m = 1$ and $m = n - 1$.
3. Every signature value $s$ corresponds to some message $m$ by Equation (2). It is easy therefore to construct valid message-signature pairs given only the signer's public key by starting with the signature value $s$ (though the messages so obtained might not be anything meaningful).
4. Finally, the signer's willingness to provide signatures on some messages can be exploited by an opponent to obtain signatures on additional messages. As one example, if the opponent wants a signature on a message $m$ but does not want the signer to see $m$, the opponent can instead ask to have the message $m' = m r^e \bmod n$ signed, where $r$ is a random value. Let $s'$ be the signature on $m'$, and let $s = s' r^{-1} \bmod n$. Then $s$ is the signature on $m$. Though this property has the benefit of enabling blind signatures, it also presents an avenue for attack. More generally, RSA signatures have a multiplicative property that can be an advantage or a disadvantage depending on the situation: given signatures on messages $m_1$ and $m_2$, it is straightforward to determine the signatures on any combination of products of the form $m_1^i m_2^j$.

Due to the various concerns just described, RSA digital signature schemes in practice are typically constructed so that the value $m$ is not the message itself, but rather a message representative derived from the message. This approach employs four design principles that address the concerns just noted:

• Large message space: The set of messages that can be signed should be as large as possible. [...] some way from the result of applying a hash function to the actual message to be signed.
• Nontrivial message representative: Message representatives such as 0 and 1 should be avoided, or should be very unlikely. In some schemes, this is accomplished by giving $m$ a "random" appearance; in others, just by some padding.
• Sparse message representative space: Only a small fraction of values of $m$ should be valid message representatives; this makes it unlikely that a random signature $s$ will correspond to a valid $m$. For this reason, the value $m$ generally has some structure that can be verified, and which is unlikely to occur at random. Alternatively, if many values of $m$ are valid, then it should be difficult to find a message with a given message representative.
• Non-multiplicativity: Multiplicative relationships between signatures should be avoided. Randomness or padding, and structure, both help in this regard.

One of the earliest and simplest improvements over the basic formula is to define the message representative $m$ as the hash of the message $M$ being signed, $m = \mathrm{Hash}(M)$. This meets the first three design goals: messages of any length can be signed; hash values such as 0 and 1 are very unlikely; and, assuming the hash values are sufficiently shorter than the modulus $n$, only a small fraction of values of $m$ will be valid hash values.

However, multiplicative relationships are still a potential problem. In particular, if the hash output is significantly shorter than the modulus (e.g., 160 bits vs. 1024 bits with today's parameter sizes), then it is possible to attack the signature scheme by methods from index calculus. Although the opponent cannot factor the modulus, the attacker can readily factor the much shorter hash values. From a sufficiently large set of signatures, the attacker can thereby solve for the signatures on all values $m$ in a factor base by index calculus—and from those construct the signature on any message $M$ for which $\mathrm{Hash}(M)$ is smooth with respect to that factor base (see smoothness). (This approach, observed in the design of the PKCS #1 specification [14] discussed below, is an extension of an early attack on the RSA cryptosystem by Desmedt and Odlyzko [7].)

On the other hand, if the hash value is as long as the modulus $n$, then factoring the hash value is as hard as factoring the modulus, so the attack just described is not a concern. This is the basis for the Full Domain Hash (FDH) scheme of Bellare and
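
The four challenges listed for the basic formula, and the effect of taking m = Hash(M), can be checked directly. The following Python code is an added example, not part of the encyclopedia entry; the toy key built from two Mersenne primes, the choice of SHA-256 as Hash, the sample messages and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key, for illustration only: P and Q are Mersenne primes, so
# the factorisation of N is public knowledge. Never use such a modulus.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def sign_raw(m: int) -> int:
    """Equation (1): s = m^d mod n, with m itself as the message."""
    return pow(m, D, N)


def recover(s: int) -> int:
    """Equation (2): m = s^e mod n, computed from the public key only."""
    return pow(s, E, N)


def verify_raw(m: int, s: int) -> bool:
    return 0 <= m < N and recover(s) == m


def hash_rep(message: bytes) -> int:
    """Message representative m = Hash(M); SHA-256 is an assumed choice."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign_hashed(message: bytes) -> int:
    return sign_raw(hash_rep(message))


def verify_hashed(message: bytes, s: int) -> bool:
    return recover(s) == hash_rep(message)


def trivial_signatures() -> bool:
    """Challenge 2: 0, 1 and n-1 sign to themselves whatever the key is."""
    return all(sign_raw(m) == m for m in (0, 1, N - 1))


def pair_from_signature(s: int) -> tuple:
    """Challenge 3: choose s first, then derive the m it is valid for."""
    return recover(s), s


def blind_sign(m: int, r: int) -> int:
    """Challenge 4: the signer only ever sees m' = m * r^e mod n."""
    m_blind = (m * pow(r, E, N)) % N
    s_blind = sign_raw(m_blind)            # performed by the signer
    return (s_blind * pow(r, -1, N)) % N   # unblinded by the requester


def combine(s1: int, s2: int) -> int:
    """Multiplicative property: product of two signatures mod n."""
    return (s1 * s2) % N


if __name__ == "__main__":
    print("m and m+n share a signature:", sign_raw(42 + N) == sign_raw(42))
    print("0, 1, n-1 are trivial:", trivial_signatures())
    m, s = pair_from_signature(2)
    print("pair built without d verifies:", verify_raw(m, s))
    print("blinded result equals direct signature:",
          blind_sign(123456789, 987654321) == sign_raw(123456789))
    print("sig(6)*sig(35) == sig(210):",
          combine(sign_raw(6), sign_raw(35)) == sign_raw(210))

    # With m = Hash(M) the same tricks stop producing usable signatures...
    m1, m2 = b"constructed message one", b"constructed message two"
    s12 = combine(sign_hashed(m1), sign_hashed(m2))
    print("s=2 accepted for some message:", verify_hashed(b"any message", 2))
    print("product accepted for M1||M2:", verify_hashed(m1 + m2, s12))
    # ...but the multiplicative structure on the representatives remains.
    print("product signs Hash(M1)*Hash(M2):",
          recover(s12) == hash_rep(m1) * hash_rep(m2) % N)
```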