Cryptography and Network Security Chapter 13 Digital Signatures

Chapter 13 – Digital Signatures Cryptography and Network Security To guard against the baneful influence exerted by strangers is Chapter 13 therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle ffyreely with the inhabitants, certain ceremonies are often performed by the Fifth Edition natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to by William Stallings speak, the tainted atmosphere by which they are supposed to be surrounded. —The Golden Bough, Sir James George Frazer Lecture slides by Lawrie Brown

Digital Signatures Digital Signature Model

• have looked at message authentication – but does not address issues of lack of trust • digital signatures provide the ability to: – verify author, date & time of signature – authenticate message contents – be verified by third parties to resolve disputes • hence include authentication function with additional capabilities

Attacks and Forgeries • attacks – key‐only attack – known message attack Digital – generic chosen message attack Signature – directe d chosen message attack Model – adaptive chosen message attack • break success levels – total break – selective forgery – existential forgery

1 Digital Signature Requirements Direct Digital Signatures

 must depend on the message signed • involve only sender & receiver  must use information unique to sender • assumed receiver has sender’s public‐key  to prevent both forgery and denial • digital signature made by sender signing  must be relatively easy to produce entire message or hash with private‐key  must be relatively easy to recognize & verify • can encrypt using receivers public‐key  be computationally infeasible to forge • important that sign first then encrypt message  with new message for existing digital signature & signature  with fraudulent digital signature for given message • security depends on sender’s private‐key  be practical save digital signature in storage

ElGamal Digital Signatures ElGamal Digital Signature • Alice signs a message M to Bob by computing • signature variant of ElGamal, related to D‐H – the hash m = H(M), 0 <= m <= (q-1) – so uses exponentiation in a finite (Galois) – chose random integer K with 1 <= K <= (q-1) and – with security based difficulty of computing discrete gcd(K,q-1)=1 – compute temporary key: k logg,arithms, as in D‐H S1 = a mod q – compute K-1 the inverse of K mod (q-1) • use private key for encryption (signing) -1 – compute the value: S2 = K (m-xAS1) mod (q-1) • uses public key for decryption (verification) – signature is:(S1,S2) • each user (eg. A) generates their key • any user B can verify the signature by computing – m – V1 = a mod q chooses a secret key (number): 1 < xA < q-1 S1 S2 x – V2 = yA S1 mod q – compute their public key: y = a A mod q A – signature is valid if V1 = V2

ElGamal Signature Example Schnorr Digital Signatures • use field GF(19) q=19 and a=10 • also uses exponentiation in a finite (Galois) • Alice computes her key: – security based on discrete logarithms, as in D‐H – A chooses & computes 16 xA=16 yA=10 mod 19 = 4 • minimizes message dependent computation • Alice signs message with hash as : m=14 (3,4) – multiplying a 2n‐bit integer with an n‐bit integer – choosing random KK5=5 which has gcd(18,5)= 1 5 • main work can be done in idle time – computing S1 = 10 mod 19 = 3 – finding K-1 mod (q-1) = 5-1 mod 18 = 11 • have using a prime modulus p – computing S = 11(14-16.3) mod 18 = 4 2 – p–1 has a prime factor q of appropriate size • any user B can verify the signature by computing 14 – typically p 1024‐bit and q 160‐bit numbers – V1 = 10 mod 19 = 16 3 4 – V2 = 4 .3 = 5184 = 16 mod 19 – since 16 = 16 signature is valid

2 Schnorr Key Setup Schnorr Signature • choose suitable primes p, q • user signs message by q – choosing random with and computing • choose a such that a = 1 mod p r 0

– chooses a secret key (number): 0 < sA < q – computing: y = (r + se) mod q -sA – compute their public key: vA = a mod q – signature is pair (e, y) • any other user can verify the signature as follows: – computing: x' = ayve mod p – verifying that: e = H(M || x’)

Digital Signature Standard (DSS) DSS vs RSA Signatures

• US Govt approved signature scheme • designed by NIST & NSA in early 90's • published as FIPS‐186 in 1991 • revised in 1993, 1996 & then 2000 • uses the SHA hash algorithm • DSS is the standard, DSA is the algorithm • FIPS 186‐2 (2000) includes alternative RSA & elliptic curve signature variants • DSA is digital signature only unlike RSA • is a public‐key technique

Digital Signature Algorithm (DSA) DSA Key Generation

creates a 320 bit signature • have shared global public key values (p,q,g): with 512‐1024 bit security – choose 160‐bit prime number q – choose a large prime p with 2L-1

1 discrete logarithms • users choose private & compute public key: variant of ElGamal & Schnorr schemes – choose random private key: x

3 DSA Signature Creation DSA Signature Verification

to sign a message M the sender: • having received M & signature (r,s) generates a random signature key k, k

DSS Overview Summary

• have discussed: – digital signatures – ElGamal & Schnorr signature schemes – digital signature algorithm and standard