1 Review: Message Authentication Codes (Macs)

Home , Digital signature, ElGamal signature scheme, Taher Elgamal

EE 418 Network Security and Cryptography Lecture #15 November 22, 2016

Message Authentication Codes (MACs). Digital Signatures. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle

Outline:

1. Review: Message Authentication Codes (MACs) – Review: MAC from Block Cipher: CBC-MAC 2. Introduction to Digital Signatures 3. RSA digital signature scheme 4. ElGamal digital signature scheme 5. Schnoor Digital signature scheme 6. The Digital signature algorithm

1 Review: Message Authentication Codes (MACs)

Last time, we started our discussion about message authentication codes (MACs), and we deﬁned a MAC as a code that is appended to a message in order to provide message integrity1. In MACs, communicating parties share a secret key that is used to generate the code, and if a MAC is well-designed, then only a user with the shared key can compute a valid MAC for a given message. Two parties Alice and Bob who share a key K can use a MAC for message integrity as follows (illustrated in Figure 1): 1. Alice computes a MAC for message m as y = MAC(K, m), and sends pair (m, y) through the channel to Bob. 2. Bob receives (m, y). Using the secret key, Bob computes MAC(K, m) and checks y =? MAC(K, m). 3. If y = MAC(K, m), then Bob accepts the message. Otherwise, Bob rejects the message, since the message and MAC are inconsistent.

Alice Bob

MAC Generation Computes y = MAC(K,m) from secret key K and message m [m, y] MAC Verification Extracts m, computes y’=MAC(K,m) If y + y’ =0, accept the message If y + y’≠ 0, discard the message

Fig. 1. Block diagram for message integrity using a message authentication code (MAC).

We said that there are two basic methods for constructing MACs. In the ﬁrst method, the MAC is constructed by incorporating a key K into the hash function computation. In the second method, the MAC is constructed by using block encryption techniques.

1 Unlike a regular hash function, where the hash output needs to be exchanged via a secure side channel.

1 1.1 Review: MAC from Block Cipher: CBC-MAC We then showed another approach for constructing MACs, by using block ciphers. An advantage of using block ciphers to compute a MAC is that the same hardware or software implementation can be used for both encryption and authentication (but the best practice is to use diﬀerent keys for encryption and message authentication). Block ciphers can also be used to develop authenticated encryption mechanisms, which provides both message conﬁdentiality and integrity. The most common MAC construction using block ciphers is CBC-MAC, which is recommended by NIST 800-38B and NIST 800-38C. CBC-MAC computation is illustrated in Figure 2 and as Algorithm 1. CBC- n n MAC uses a symmetric key encryption function EK as a building block, with EK : {0, 1} → {0, 1} (examples are DES with n = 64 or AES with n = 128). The steps in CBC-MAC computation are as follows:

1. The message m is divided into r blocks, each of length n, denoted m1, . . . , mr. The last block is padded with zeros to ensure that the length is n. 2. The ﬁrst iteration is computed as y1 = EK (m1 ⊕ IV ), where IV represents an initialization vector. 3. For each i = 2, . . . , r, compute yi = EK (mi ⊕ yi−1). 4. The MAC value is given by CBC-MAC(K, m) = yr.

Note that, unlike the CBC encryption mode, only the last block yr is transmitted. As in CBC encryption mode, either a ﬁxed value of IV can be used, or a random value of IV can be used and sent along with the message.

Algorithm 1 MAC construction using CBC encryption mode. 1: procedure CBC-MAC(m, h, K, IV ) 2: Input: Message m of length |m| = k, m = m1|| · · · ||mr where |mi| = n. 3: Key K n n 4: Symmetric-key encryption function EK : {0, 1} → {0, 1} . 5: Vector IV used to compute hash function. 6: Output: MAC value CBC-MAC(K, m) 7: y1 ← EK (m1 ⊕ IV ) 8: for i = 1,..., (r − 1) do 9: yi+1 ← EK (mi+1 ⊕ yi) 10: end for 11: CBC-MAC(K, m) ← yr 12: return yr 13: end procedure

2 Digital Signatures

A digital signature is a public-key mechanism for providing message integrity and authentication. Like public-key cryptosystems, a digital signature scheme requires two keys, a private (signing) key and a public (verifying) key. Any digital signature scheme includes the following basic steps, as depicted in Figure 3:

1. A user Alice generates a public key PKA and a private key SKA. Alice publishes the public key, while keeping the private key a secret. 2. A user Bob downloads PKA (later we will discuss methods for Bob to verify that the public key was generated by Alice, instead of a diﬀerent user impersonating Alice).

3. Alice signs a message m using the private key SKA and a signing function sigSKA (m). Alice appends

the σ = sigSKA (m) to message m and transmits it to Bob.

4. Bob receives the message and signature (m, σ). Bob computes a veriﬁcation function verPKA (m, σ) using

Alice’s public key. If verPKA (m, σ) returns true, Bob accepts the message; otherwise, Bob concludes that the message has been modiﬁed and discards it.

2 m1 m2 m3 m4 m5 mr−1 mr

IV ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ··· E E E E E E E Enc. with secret key K

y1 y2 y3 y4 y5 yr−1 yr

CBC-MAC(K, m)

Fig. 2. CBC-MAC computation.

More formally, a digital signature can be defined as follows: Definition 1: A digital signature scheme is a five-tuple (P, A, K, S, V), where: 1. P is a finite set of possible messages. 2. A is a finite set of possible signatures. 3. K is a finite set of possible keys. 4. sigK (m) ∈ S is a signing algorithm that takes as an input key K and message m and outputs a signature σ, often called a tag. 5. verK ∈ V is a verification algorithm that takes as input a message m and a signature σ and outputs true if the signature is accepted, and false if the signature is not accepted. For every message m ∈ P and signature σ ∈ A, the verification algorithm verK (m, σ): P × A → {true, false} satisfies:

verK (m, σ) = true, σ = sigK (m) (1)

verK (m, σ) = false, σ 6= sigK (m) (2)

Alice Bob

True, accept =sigK(m) [m, ] m sigK(.) verK(.) 𝜎𝜎 𝜎𝜎 False, reject

Fig. 3. Providing message integrity using digital signatures.

The advantage of digital signatures is that Alice and Bob do not need to share a secret key K in order for Bob to verify a message sent by Alice. Signing is done with the private key SKA, while anyone can verify the signature using the public key PKA. In what follows, we will deﬁne four digital signature schemes, namely: (i) RSA, (ii) ElGamal, (iii) Schnorr, and (iv) the Digital Signature Algorithm (DSA), but let’s ﬁrst investigate a general security of digital signatures.

3 Security of Digital Signatures

An attacker against digital signature schemes may have diﬀerent capabilities, such as: 1. Key-only attack An attacker mounts the attack using only knowledge of the public key.

3 2. Known message attack An attacker possesses a list of valid (message, signature) pairs (x1, y1), (x2, y2),... . This attacker model is analogous to the known plaintext attacker model. 3. Chosen message attack An attacker requests signatures for a set of messages x1, x2,... , and obtains valid signatures, y1, y2,... . This attacker model is analogous to chosen plaintext attack. An attacker may also have diﬀerent goals, such as:

1. Total break: Recovery of the private key. 2. Selective forgery: An attacker is given a message m, and (s)he is able to ﬁnd a signature σ such that verK (m, ) = true. 3. Existential forgery: An attacker is able to ﬁnd at least one (m, σ) pair such that verK (m, σ)= true.

4 RSA Digital Signature Scheme

The RSA digital signature scheme was proposed in 1978 by Rivest, Shamir, and Adelman in the same paper as the RSA cryptosystem. The RSA is one digital signature that is adopted by NIST in FIPS 186-4. Like RSA encryption, the security of RSA digital signatures relies on the diﬃculty of factoring large integers. The RSA digital signature consists of three components, namely Key Generation, Signature Generation, and Signature Veriﬁcation. These components are described as follows.

4.1 RSA Key Generation

Alice generates keys for the RSA digital signature scheme via the following procedure:

1. Alice generates two distinct large primes p and q. Alice computes n = pq. In FIPS 186-4, NIST recom- mends that p and q be chosen such that n is at least 1024 bits. Alice computes φ(n) = (p − 1)(q − 1). 2. Alice generates a random integer a satisfying gcd (a, n) = 1 and gcd (a, φ(n)) = 1. 3. Alice computes b such that ab ≡ 1 mod φ(n). 4. The public key PKA is given by (b, n), and is published by Alice. The private key is SKA = (a, n) and is kept secret.

Note: The public key and private key for the RSA digital signature are generated in the same way as the public and private keys for RSA encryption.

4.2 RSA Signature Generation

Alice generates a signature on a message m by computing:

a sigSKA (m) = m mod n.

We observe that signature generation in RSA is similar to encryption in the RSA cryptosystem. The only diﬀerence is that Alice signs the message using the private key SKA instead of the public key PKA. RSA signature generation is illustrated in Figure 4.

4.3 RSA Signature Veriﬁcation

A user Bob who receives a (message, signature) pair (m, σ) veriﬁes the message through the following procedure:

1. Compute m0 = σb mod n. 2. If m0 = m, accept the message. Otherwise, reject (discard) the message.

RSA signature verification is analogous to decryption in the RSA cryptosystem, with the main difference that Bob verifies the message using Alice’s public key PKA. RSA verification is illustrated in Figure 5.

4 Alice Bob Alice computes the signature = mod , 𝑎𝑎 𝜎𝜎 𝑚𝑚 𝑛𝑛 𝑚𝑚 𝜎𝜎 Bob computes mod checks𝑏𝑏 if 𝜎𝜎 = 𝑛𝑛mod If 𝑏𝑏equal, accept the𝜎𝜎 message,𝑚𝑚 𝑛𝑛else reject

Fig. 4. RSA signature generation and veriﬁcation.

0, accept 𝑚𝑚 , 𝑚𝑚 + 𝑚𝑚 𝜎𝜎 Not 0, reject Computes mod 𝜎𝜎 𝑏𝑏 𝜎𝜎 𝑛𝑛 Fig. 5. RSA signature veriﬁcation.

4.4 Security Analysis of RSA Digital Signature

The RSA digital signature scheme is vulnerable to the following attack by an adversary Eve:

1. Eve obtains two (message, signature) pairs (m1, σ1) and (m2, σ2). 2. Eve can generates the valid (message, signature) pair (m1m2 mod n, σ1σ2 mod n). Eve transmits the message to Bob. 3. Bob computes b b b (σ1σ2) mod n = σ1σ2 mod n = m1m2 mod n.

n Since (σ1σ2) = m1m2 mod n, Bob will accept the message as being generated by Alice.

Note that, if Eve is allowed to choose m1 and m2, and obtains the corresponding signatures σ1 and σ2, then Eve can generate a signature for any message m by selecting m1 and m2 such that m = m1m2 mod n.

4.5 Combining RSA Digital Signature with Hash

In order to remove the vulnerability described above, implementations of the RSA digital signature scheme typically hash the message before signing it. Let h be a collision-resistant hash function. The RSA signature is given by a sigSKA (m) = h(m) mod n. Bob then accepts (m, σ) if h(m) = σb mod n and rejects the message otherwise. Hashing prevents the attack because h(m1m2) 6= h(m1)h(m2) for a collision-resistant hash function h.

5 5 ElGamal Digital Signature

The ElGamal digital signature scheme was proposed in 1985 by Taher ElGamal, and is described in the same paper as the ElGamal cryptosystem. While the ElGamal signature scheme is not widely used, it forms the basis for common digital signature schemes including the Schnorr, the Digital Signature Algorithm, and the Elliptic Curve Digital Signature Algorithm (EC-DSA). Like the ElGamal cryptosystem, the security of the ElGamal digital signature scheme is based on the diﬃculty of solving the discrete logarithm problem. The ElGamal digital signature scheme consists of Key Generation, Signature Generation, and Signature Veriﬁcation algorithms.

5.1 ElGamal Signature Key Generation

Alice generates the public key PKA and private key SKA for the ElGamal digital signature scheme as follows:

1. Alice generates a large prime p and an integer α satisfying 1 ≤ α < (p − 1). α must be a primitive element, i.e., any integer z with 1 ≤ z ≤ (p − 1) can be written as z = αw mod p for some integer w. 2. Alice generates an integer a with 1 ≤ a < (p − 1). Alice computes β = αa mod p. 3. The public key PKA = (p, α, β). The private key SKA = a. Alice publishes PKA and keeps SKA as a secret.

5.2 ElGamal Signature Generation

A digital signature in ElGamal is a pair (γ, δ), which are computed by Alice through the following steps:

1. Alice generates a random number k such that 1 ≤ k ≤ (p − 2) and gcd (k, p − 1) = 1 2. Alice computes γ = αk mod p and δ = (m − aγ)k−1 mod (p − 1).

Note that the private key a is needed to compute δ. ElGamal signature generation is illustrated in Figure 6.

Alice Bob Chooses a random Knows , , number ∗ 𝑝𝑝 𝛼𝛼 𝛽𝛽 𝑝𝑝−1 Computes𝑘𝑘 ∈ 𝑍𝑍 = mod , = ( )𝑘𝑘 mod 1 , ( , ) 𝛾𝛾 𝛼𝛼 −1 𝑝𝑝 𝛿𝛿 𝑚𝑚 − 𝑎𝑎𝑎𝑎 𝑘𝑘 𝑝𝑝 − 𝑚𝑚 𝛾𝛾 𝛿𝛿 If = mod accept,𝛾𝛾 𝛿𝛿else reject𝑚𝑚 𝛽𝛽 𝛾𝛾 𝛼𝛼 𝑝𝑝

Fig. 6. ElGamal signature generation and veriﬁcation.

5.3 ElGamal Signature Veriﬁcation

A user Bob verifies a message and signature (m, γ, δ) by checking the condition βγ γδ =? αm mod p. If the condition holds, then Bob accepts the message; the message is rejected otherwise. ElGamal verification is illustrated in Figure 7. A proof of the correctness of ElGamal verification is given below.

6 0, accept 𝑚𝑚 ⋅ 𝛼𝛼 , ( , ) + Not 0, reject 𝑚𝑚 𝛾𝛾 𝛿𝛿 𝛾𝛾 ⋅ 𝛽𝛽 X

𝛿𝛿 ⋅ 𝛾𝛾 Fig. 7. ElGamal signature veriﬁcation.

5.4 Proof of ElGamal Veriﬁcation

First, note that aγ + kδ ≡ m mod p − 1 implies that aγ + kδ = m + λ(p − 1) for some integer λ. Then

βγ γδ ≡ αaγ αkδ mod p (3) ≡ αaγ+kδ mod p (4) = αλ(p−1)+m mod p (5) = (αp−1)λαm mod p (6) = αm mod p by Fermat’s Little Theorem (7)

The signing algorithm can also be found constructively. Let αm ≡ βγ γδ (mod p). Then set γ = αk (mod p) and β = αa. We obtain αm ≡ αaγ αkδ (mod p). (8) Since α is a primitive element modulo p the above congruence is true only if the exponents are congruent modulo (p − 1). That is, m ≡ aγ + kδ (mod p − 1). (9) Then we can solve for δ and obtain δ = (m − aγ)k−1 (mod p − 1).

5.5 Example of ElGamal Signature Scheme

An example of the ElGamal signature scheme comes from D. Stinson, Cryptography: Theory and Practice, 3rd Ed., and it is given as follows. Let p = 467, α = 2, and a = 127. We have

β = αa mod p (10) = 2127 mod 467 (11) = 132. (12)

Suppose Alice wants to sign the message m = 100. She ﬁrst chooses a random number k satisfying gcd (k, p − 1) = 1. Let this number be k = 213. Alice then computes

γ = αk mod p = 2213 mod 467 = 29. (13)

and δ = (m − aγ)k−1 mod p − 1 = (100 − 2 × 29)431 mod 466 = 51. (14) Thus (γ, δ) is the signature for message m. Anyone can verify that

βγ γδ ≡ αm (mod p). (15)

7 6 Schnorr Digital Signature Scheme

The Schnorr digital signature scheme was proposed by Schnorr in 1989. Like ElGamal, its security depends on the difficulty of solving the discrete logarithm problem. Schnorr, however, produces shorter signatures than ElGamal by introducing hash functions into the signature generation and verification, making it more efficient in communication bandwidth. Schnorr is covered by U.S. Patent 4,995,082, which expired in 2008. Schnorr is illustrated in Figure 8, and consists of Key Generation, Signature Generation, and Signature Verification algorithms, which are described as follows.

6.1 Schnorr Key Generation

Alice generates a key for the Schnorr signature scheme via the following steps:

1. Generate a large prime number p, and choose a prime q such that q|(p−1). The European Union Network and Information Security Agency (ENISA) recommended key lengths of 3072 bits for p and 256 bits for q in 2013. q a 2. Find α ∈ Zp such that α = 1 mod p. Choose a satisfying 0 ≤ a ≤ (q − 1), and let β = α mod p. 3. Alice’s public key is given by PKA = (p, q, α, β), while Alice’s private key is SKA = a. Alice publishes PKA and keeps SKA a secret.

6.2 Schnorr Signature Generation

Alice signs a message m using the Schnorr signature scheme by the following procedure:

1. Generate a random integer k such that 1 ≤ k ≤ (q − 1). 2. Compute γ = h(m||αk mod p) and δ = (k + aγ) mod q. 3. The signature is given by (γ, δ).

6.3 Schnorr Signature Veriﬁcation

To verify a message and signature (m, γ, δ) generated by the Schnorr scheme, Bob checks whether γ = h(m||αδβ−γ mod p). If so, Bob accepts the message; otherwise the message is rejected. The proof of correctness of the veriﬁcation is given below.

6.4 Proof of Schnorr Veriﬁcation

To demonstrate that the veriﬁcation works, note that

h(m||αδβ−γ mod p) = h(m||αk+aγ β−γ mod p) = h(m||αk(αa)γ β−γ mod p) = h(m||αkβγ β−γ mod p) = h(m||αk mod p) = γ

7 The Digital Signature Algorithm

The Digital Signature Algorithm (DSA) is a variant of the ElGamal and Schnorr signature schemes. It was developed by NIST and adopted as a standard in FIPS 186. DSA is covered by U.S. Patent 5,231,668, but has been made available royalty-free around the world. DSA is illustrated in Figure 9. The DSA consists of Key Generation, Signature Generation, and Signature Veriﬁcation algorithms.

8 Alice Bob

Knows , , , Chooses k in {1…q-1} where = mod and |( 1) 𝑝𝑝 𝑞𝑞 𝛼𝛼 𝛽𝛽 𝑎𝑎 𝛽𝛽 𝛼𝛼 𝑝𝑝 𝑞𝑞 𝑝𝑝 − Computes = ( || mod ), = ( + 𝑘𝑘) mod , ( , ) 𝛾𝛾 ℎ 𝑚𝑚 𝛼𝛼 𝑝𝑝 𝛿𝛿 𝑘𝑘 𝑎𝑎𝑎𝑎 𝑞𝑞 𝑚𝑚 𝛾𝛾 𝛿𝛿 Checks if ( || mod ) = If yes, accept, 𝛿𝛿 −𝛾𝛾 ℎ 𝑚𝑚 𝛼𝛼 𝛽𝛽 𝑝𝑝 𝛾𝛾 else, reject.

Fig. 8. Schnorr digital signature scheme.

7.1 DSA Key Generation

Alice generates the public and private keys for DSA through the following procedure:

1. Generate a prime number p. The current standard is for p to consist of at least 1024 bits (2048 and 3072 bit primes are required for some applications). 2. Pick a prime q with q|(p − 1). Prime q should be of length at least 160 bits (256 and 320 bit primes are required for some applications). Let α be an integer with 1 ≤ α ≤ (p − 1) satisfying αq = 1 mod p. 3. Generate an integer a with 0 ≤ a ≤ (q − 1), and set β = αa mod p. 4. The public key is given by PKA = (p, q, α, β), while the private key is given by SKA = a. Alice publishes the public key PKA and keeps the private key SKA a secret.

7.2 DSA Signature Generation

In what follows, h is a publicly known hash function; NIST has speciﬁed that SHA-2 or SHA-3 should be used for h Alice signs a message m using DSA through the following procedure.

1. Generate a random number K with 1 ≤ k ≤ (q − 1). 2. Compute γ and δ as

γ = (αk mod p) mod q δ = (h(m) + aγ)k−1 mod q

3. If γ = 0 or δ = 0, return to Step 1. Else the signature is given by (γ, δ).

7.3 DSA Signature Veriﬁcation

A user Bob veriﬁes that a signature (γ, δ) for message m was generated by Alice through the following procedure:

1. Compute e1 and e2 as

−1 e1 = h(m)δ mod q −1 e2 = γδ mod q

? 2. Bob checks (αe1 βe2 mod p) mod q = γ. If so, Bob accepts the message. Otherwise, Bob rejects the message.

A proof of correctness for the DSA veriﬁcation is given below.

9 7.4 Proof of DSA Veriﬁcation Assume that the computation of δ in the ElGamal scheme is changed from a “-” to a “+.”

δ = (m + aγ)k−1 (mod p − 1).

The veriﬁcation condition in this case changes to:

αmβγ ≡ γδ (mod p). (16)

Note in this equation that α has an order q (since αq ≡ 1 (mod p)) and β, γ are also of order q since they are powers of α. Hence we can reduce all exponents in (16) by modulo q and the congruence will still hold. So ﬁrst δ is brought down to Zq δ = (m + aγ)k−1 (mod q). Similarly for γ γ0 = γ mod q = (αk mod p) mod q. By replacing γ with γ0 in the expression of δ the congruence remains unchanged (since δ is now considered mod q). Hence one can write: δ = (m + aγ0)k−1 mod q The veriﬁcation equation now becomes 0 αmβγ ≡ γδ mod p We raise both sides to the power of δ−1 mod q and obtain:

−1 0 −1 αmδ βγ δ ≡ γ mod p

Now we reduce both sides modulo q

−1 0 −1 (αmδ βγ δ mod p) mod q ≡ γ mod q = γ0

This yields the ﬁnal veriﬁcation in the DSA scheme.

Alice Bob

Knows , , , Chooses k in {1…q-1} where = mod and |( 1) 𝑝𝑝 𝑞𝑞 𝛼𝛼 𝛽𝛽 𝑎𝑎 𝛽𝛽 𝛼𝛼 𝑝𝑝 𝑞𝑞 𝑝𝑝 − Computes = ( mod ) mod = ( 1𝑘𝑘( ) + ) mod 𝛾𝛾 𝛼𝛼 𝑝𝑝 −1𝑞𝑞 𝛿𝛿 𝑆𝑆𝑆𝑆𝑆𝑆 − 𝑚𝑚 𝑎𝑎𝑎𝑎 𝑘𝑘 𝑞𝑞 if = 0, or = 0 , ( , ) 𝛾𝛾 𝛿𝛿 𝑚𝑚 𝛾𝛾 𝛿𝛿 Computes = 1( ) mod = mod−1 1 𝑒𝑒 𝑆𝑆𝑆𝑆𝑆𝑆 − −𝑚𝑚1 𝛿𝛿 𝑞𝑞 Checks𝑒𝑒 2if ( 𝛾𝛾𝛿𝛿 mod𝑞𝑞 ) mod = If yes, accept,𝑒𝑒1 𝑒𝑒else,2 reject. 𝛼𝛼 𝛽𝛽 𝑝𝑝 𝑞𝑞 𝛾𝛾

Fig. 9. The Digital Signature Algorithm (DSA).

Summary of Digital Signature Schemes: Figure 10 contains algorithmic description of the RSA, ElGa- mal, Schnorr, and DSA digital signature schemes.

10 RSA ALGORITHM ELGAMAL ALGORITHM SCHNORR ALGORITHM DSA ALGORITHM SIGN SIGN SIGN SIGN Input: PK = (b, n) Input: PK = (p, α, β) Input: PK = (p, q, α, β) Input: PK = (p, q, α, β) SK = (a, n) SK = a SK = a SK = a where n = pq, where p is prime where p,q prime, q|(p − 1) p,q prime, q|(p − 1) p, q distinct large primes α primitive element mod p αq ≡ 1 mod p αq ≡ 1 mod p ab ≡ 1 mod n β ≡ αa mod p β ≡ αa mod p β ≡ αa mod p ∗ Message m ∈ Zn Message m ∈ Zp Message m is a binary string Message m is a binary string ∗ Hash function Hash function h : {0, 1} → Zq Hash function SHA-2 ∗ h : {0, 1} → Zn Output: Signature σ Output: Signature (γ, δ) Output: Signature (γ, δ) Output: Signature (γ, δ) a R ∗ R ∗ R ∗ σ ← h(m) mod n k ← Zp−1 k ← Zq k ← Zq return σ γ ← αk mod p γ ← h(m||αk mod p) γ ← (αk mod p) mod q δ ← (m − aγ)k−1 mod (p − 1) δ ← k + aγ mod p δ ← (SHA-2(m) + aγ)k−1 mod q return (γ, δ) return (γ, δ) return (γ, δ)

VERIFY VERIFY VERIFY VERIFY Input: PK = (b, n) Input: PK = (p, α, β) Input: PK = (p, q, α, β) Input: PK = (p, q, α, β) ∗ ∗ ∗ Message m ∈ Zn Message m ∈ Zp Message m ∈ {0, 1} Message m ∈ {0, 1} ∗ Hash function Hash function h : {0, 1} → Zq Hash function SHA-2 ∗ h : {0, 1} → Zn Output: True if valid, Output: Same as RSA Output: Same as RSA Output: Same as RSA false otherwise −1 e1 ← SHA-2(m)δ mod q −1 e2 ← γδ mod q if h(m) = σb mod n if βγ γδ ≡ αm mod p if h(m||αδβ−γ mod p) = γ if (αe1 βe2 mod p) mod q = γ return true return true return true return true else else else else return false return false return false return false

Fig. 10. Algorithmic description of the RSA, ElGamal, Schnorr, and DSA digital signature schemes. PK and SK refer to the public (verifying) key and private (signing) key, respectively.

Sources for Today’s Lecture:

1. Douglas R. Stinson, Cryptography, Theory and Practice, 3rd edition. CRC Press, 2005, p. 119–155 and 393–453. 2. Wade Trappe and Lawrence C. Washington Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, p. 182–186 and 236–246. 3. Charlie Kaufman, Radia Perlman, and Mike Speciner Network Security: Private Communication in Public World, 2nd Edition. Prentice Hall, 2002, p. 117–143 and 147–165 and 307–365 and 371–401.