HASH FUNCTIONS AND DIGITAL SIGNATURES
Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – MD5 – SHA – HMAC – CMAC – Digital signature and authentication protocols – DSS – ElGamal – Schnorr.
1. CS6701 CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT – III
Dr.A.Kathirvel, Professor, Dept of CSE
M N M Jain Engineering College, Chennai
3. Message Authentication and Hash
Functions
• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Hash Functions
• Security of Hash Functions and MACs
4. Authentication Requirements
• Kinds of attacks (threats) in the context of communications across a network:
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
• Measures to deal with the first two attacks:
– These fall in the realm of message confidentiality and are addressed with encryption
• Measures to deal with items 3 through 6:
– Message authentication
• Measures to deal with item 7:
– Digital signature
5. Authentication Requirements
• Message authentication
– A procedure to verify that messages come from the alleged source and have not been altered
– Message authentication may also verify sequencing and timeliness
• Digital signature
– An authentication technique that also includes measures to counter repudiation by either source or destination
6. Authentication Functions
• A message authentication or digital signature mechanism can be viewed as having two levels
– At the lower level there must be some sort of function producing an authenticator: a value used to authenticate a message
– This lower-level function is used as a primitive in a higher-level authentication protocol
7. Authentication Functions
• Three classes of functions that may be used to produce
an authenticator
–Message encryption
• Ciphertext itself serves as authenticator
–Message authentication code (MAC)
• A public function of the message and a secret key
that produces a fixed-length value that serves as the
authenticator
–Hash function
• A public function that maps a message of any length
into a fixed-length hash value, which serves as the
authenticator
8. Message Encryption
• Conventional encryption can serve as
authenticator
–Conventional encryption provides
authentication as well as confidentiality
–Requires recognizable plaintext or other
structure to distinguish between well-formed
legitimate plaintext and meaningless random
bits
• e.g., ASCII text, an appended checksum, or use of
layered protocols
10. Ways of Providing Structure
• Append an error-detecting code (frame check sequence
(FCS)) to each message
11. Ways of Providing Structure - 2
• Suppose the entire datagram except the IP header is encrypted.
• If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header
13. Message Authentication Code
• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message: MAC = C_K(M)
• Assurances:
– Message has not been altered
– Message is from the alleged sender
– Message sequence is unaltered (requires internal sequencing)
• Similar to encryption, but the MAC algorithm need not be reversible
16. Why Use MACs?
–i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from
message use
17. Hash Function
• Converts a variable size message M into fixed size
hash code H(M) (Sometimes called a message
digest)
• Can be used with encryption for authentication
– E(M || H)
– M || E(H)
– M || signed H
– E( M || signed H ) gives confidentiality
– M || H( M || K )
– E( M || H( M || K ) )
21. Message Authentication Codes
• MAC = C_K(M)
• Key length requirements
– Sufficient key length to thwart brute-force attack
22. Hash Functions
• h = H(M)
• M is a variable-length message, h is a fixed-
length hash value, H is a hash function
• The hash value is appended at the source
• The receiver authenticates the message by
recomputing the hash value
• Because the hash function itself is not
considered to be secret, some means is
required to protect the hash value
23. Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible to find any pair x ≠ y s.t. H(x) = H(y)
24. Hash Function Requirements
• One-way property is essential for
authentication
• Weak collision resistance is necessary
to prevent forgery
• Strong collision resistance is important
for resistance to birthday attack
25. Simple Hash Functions
• Operation of hash functions
– The input is viewed as a sequence of n-bit blocks
– The input is processed one block at a time in an iterative fashion to produce an n-bit hash value
• Simplest hash function: bitwise XOR of every block
– C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im
• C_i = i-th bit of the hash code, 1 ≤ i ≤ n
• m = number of n-bit blocks in the input
• b_ij = i-th bit in j-th block
– Known as a longitudinal redundancy check (LRC)
26. Simple Hash Functions
• Improvement over the simple bitwise XOR
– Initially set the n-bit hash value to zero
– Process each successive n-bit block of data as follows
» Rotate the current hash value to the left by one bit
» XOR the block into the hash value
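The two simple hash constructions from slides 25 and 26, as an added example that is not part of the lecture slides: the bitwise-XOR LRC and the rotate-then-XOR variant on n-bit blocks (here n = 8·block_bytes), with a constructed check showing that swapping blocks leaves the LRC unchanged but alters the rotated hash.

```python
# Added example (not from the slides): the two simple hash constructions
# described above, bitwise XOR (LRC) and rotate-then-XOR, on n-bit blocks.
# It shows why the LRC is weak: reordering blocks leaves the LRC unchanged,
# while the rotated variant is sensitive to block order.

def _blocks(data: bytes, block_bytes: int):
    """Split data into blocks of block_bytes, zero-padding the last one."""
    for off in range(0, len(data), block_bytes):
        chunk = data[off:off + block_bytes].ljust(block_bytes, b"\x00")
        yield int.from_bytes(chunk, "big")

def lrc_hash(data: bytes, block_bytes: int = 1) -> int:
    """Longitudinal redundancy check: C_i = b_i1 XOR b_i2 XOR ... XOR b_im."""
    h = 0
    for block in _blocks(data, block_bytes):
        h ^= block
    return h

def rotxor_hash(data: bytes, block_bytes: int = 1) -> int:
    """Improved variant: rotate the running hash left by one bit, then XOR the block."""
    n = 8 * block_bytes            # hash width in bits
    mask = (1 << n) - 1
    h = 0                          # hash value initially zero
    for block in _blocks(data, block_bytes):
        h = ((h << 1) | (h >> (n - 1))) & mask   # rotate left by 1 bit
        h ^= block
    return h

def order_sensitive(hash_fn, data: bytes, block_bytes: int = 1) -> bool:
    """True if swapping the first two blocks changes the hash (constructed check)."""
    b = block_bytes
    swapped = data[b:2 * b] + data[:b] + data[2 * b:]
    return hash_fn(data, b) != hash_fn(swapped, b)

if __name__ == "__main__":
    print(hex(lrc_hash(b"ab")), hex(lrc_hash(b"ba")))          # same value
    print(hex(rotxor_hash(b"ab")), hex(rotxor_hash(b"ba")))    # different values
```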
27. Birthday Attack
• If the adversary can generate 2^(m/2) variants of a valid message and an equal number of fraudulent messages (m = length of the hash code)
• The two sets are compared to find one message from each set with a common hash value
• The valid message is offered for signature
• The fraudulent message with the same hash value is inserted in its place
• If a 64-bit hash code is used, the level of effort is only on the order of 2^32
• Conclusion: the length of the hash code must be substantial
28. BIRTHDAY ATTACKS
Birthday paradox
In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%.
Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.
29. BIRTHDAY ATTACKS
The probability that all 23 people have different birthdays is
(1 - 1/365)(1 - 2/365)...(1 - 22/365) ≈ 0.493
Therefore, the probability of at least two having the same birthday is 1 - 0.493 = 0.507
More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then
P(there is a match) ≈ 1 - e^(-r^2/2N)
30. BIRTHDAY ATTACKS
Choosing r^2/2N = ln 2, we find that if r ≈ 1.177 √N, then the probability is 50% that at least two people choose the same object.
If there are N possibilities and we have a list of length √N, then there is a good chance of a match.
If we want to increase the chance of a match, we can make a list of length of a constant times √N.
31. BIRTHDAY ATTACKS
(Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits?
(Solution) N = 1000, r = 40
1. Approximation: 1 - e^(-40^2/(2·1000)) ≈ 0.551
2. The exact answer: 1 - (1 - 1/1000)(1 - 2/1000)...(1 - 39/1000) ≈ 0.546
32. BIRTHDAY ATTACKS
What is the probability that none of these 40 license plates ends in the same 3 digits as yours?
(1 - 1/1000)^40 ≈ 0.961
The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.
33. BIRTHDAY ATTACKS
The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large.
Suppose h is an n-bit hash function. Then there are N = 2^n possible outputs. We have the situation of a list of length r ≈ √N "people" with N possible "birthdays," so there is a good chance of having two values with the same hash value.
If the hash function outputs 128-bit values, then the lists have length around 2^64 ≈ 10^19, which is too large, both in time and in memory.
34. BIRTHDAY ATTACKS
Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group chooses the same object as someone from the second group?
P(there is a match between two groups) ≈ 1 - e^(-r^2/N)
Eg. If we take N = 365 and r = 30, then
P(there is a match between two groups) ≈ 1 - e^(-30^2/365) ≈ 0.915
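The birthday-attack arithmetic of slides 28 to 34, as an added example that is not part of the lecture slides: the exact product, the e^(-r^2/2N) approximation, the fixed-value case, the two-group case and the √N list length, so the slide figures (0.507, 0.551, 0.546, 0.961, 0.915) can be reproduced.

```python
# Added example (not from the slides): the birthday-attack probabilities
# used above, computed exactly and with the e^(-r^2/2N) approximation.
import math

def p_match_exact(N: int, r: int) -> float:
    """P(at least two of r people share one of N 'birthdays'), exact product:
    1 - (1 - 1/N)(1 - 2/N)...(1 - (r-1)/N)."""
    p_all_different = 1.0
    for i in range(1, r):
        p_all_different *= 1 - i / N
    return 1 - p_all_different

def p_match_approx(N: int, r: int) -> float:
    """Approximation from the slides: P(there is a match) ~ 1 - e^(-r^2 / 2N)."""
    return 1 - math.exp(-r * r / (2 * N))

def p_fixed_match(N: int, r: int) -> float:
    """P(at least one of r others matches one fixed value): 1 - (1 - 1/N)^r."""
    return 1 - (1 - 1 / N) ** r

def p_cross_match_approx(N: int, r: int) -> float:
    """Two groups of r people: P(match between the groups) ~ 1 - e^(-r^2 / N)."""
    return 1 - math.exp(-r * r / N)

def list_length_for_half(N: int) -> float:
    """r with r^2/2N = ln 2, i.e. r ~ 1.177 * sqrt(N), gives a 50% match chance."""
    return math.sqrt(2 * math.log(2) * N)

def hash_attack_list_length(n_bits: int) -> float:
    """Birthday bound for an n-bit hash: about sqrt(2^n) = 2^(n/2) hashes."""
    return math.sqrt(2 ** n_bits)

if __name__ == "__main__":
    print(f"23 people, 365 days: exact {p_match_exact(365, 23):.3f}")
    print(f"40 plates, 1000 endings: approx {p_match_approx(1000, 40):.3f}, "
          f"exact {p_match_exact(1000, 40):.3f}")
    print(f"none match yours: {1 - p_fixed_match(1000, 40):.3f}")
    print(f"two groups of 30, 365 days: {p_cross_match_approx(365, 30):.3f}")
    print(f"128-bit hash needs a list of ~{hash_attack_list_length(128):.2e}")
```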
35. Generating 2^(m/2) Variants of Valid Messages
• Insert a number of "space-backspace-space" character pairs between words throughout the document. Variations could then be generated by substituting "space-backspace-space" in selected instances
• Alternatively, simply reword the message but retain the meaning
36. Brute-Force Attack of Hash Functions
• Three desirable properties of hash functions
– One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h
– Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x s.t. H(y) = H(x)
– Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)
• Brute-force attack on n-bit hash code
– One-way and weak collision require 2^n effort
– Strong collision requires 2^(n/2) effort
– If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), 2^(n/2) determines the strength of the hash code against brute-force attack
– Currently, the two most popular hash codes, SHA-1 and RIPEMD-160, provide a 160-bit hash code length
37. MD5
• designed by Ronald Rivest (the R in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash
algorithm
– in recent times there have been both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321
38. MD5 OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
– using 4 rounds of 16 steps of bit operations on message block & buffer
– add output to buffer input to form new buffer value
5. output hash value is the final buffer value
40. MD5 COMPRESSION FUNCTION
• each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but used in
varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in
each round (F,G,H,I)
• T[i] is a constant value derived from the sine function
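The MD5 overview and step function of slides 38 and 40 carried through in full, as an added example that is not code from the slides: padding to 448 mod 512 bits, the 64-bit length, the sine-derived T table and the 64 steps a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), cross-checked against Python's hashlib. The step schedule (which X[k] and which s each step uses) comes from RFC 1321, which the slides cite.

```python
# Added example (not code from the slides): a compact MD5 following the
# overview above: pad to 448 mod 512, append the 64-bit length, then run
# 64 steps of a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s) per 512-bit block.
# Checked against hashlib; for study only, MD5 is no longer collision resistant.
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-step rotation amounts s for the four rounds
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = floor(2^32 * |sin(i + 1)|), the constants "derived from sin"
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]

def rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK

def md5_pad(msg: bytes) -> bytes:
    """Append 0x80, zeros up to 448 mod 512 bits, then the 64-bit bit length (little-endian)."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)

def md5_compress(state: tuple, block: bytes) -> tuple:
    """One 512-bit block: 4 rounds x 16 steps, then add the result to the input state."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:                                # round 1: F
            g, k = (b & c) | (~b & d), i
        elif i < 32:                              # round 2: G
            g, k = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:                              # round 3: H
            g, k = b ^ c ^ d, (3 * i + 5) % 16
        else:                                     # round 4: I
            g, k = c ^ (b | ~d), (7 * i) % 16
        tmp = (a + (g & MASK) + X[k] + T[i]) & MASK
        # a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s); the words then rotate roles
        a, d, c, b = d, c, b, (b + rotl(tmp, S[i])) & MASK
    return tuple((s0 + s1) & MASK for s0, s1 in zip(state, (a, b, c, d)))

def md5(msg: bytes) -> bytes:
    """Full MD5 digest (16 bytes) of msg."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # A, B, C, D
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)

def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5(msg) == hashlib.md5(msg).digest()

if __name__ == "__main__":
    print(md5(b"abc").hex())   # 900150983cd24fb0d6963f7d28e17f72
```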
42. MD4
• precursor to MD5
• also produces a 128-bit hash of message
• has 3 rounds of 16 steps vs 4 in MD5
• design goals:
–collision resistant (hard to find collisions)
–direct security (no dependence on "hard"
problems)
–fast, simple, compact
–favours little-endian systems (eg PCs)
43. STRENGTH OF MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
– Boer & Bosselaers 93 found a pseudo collision
(again unable to extend)
– Dobbertin 96 created collisions on MD
compression function (but initial constants
prevent exploit)
• conclusion is that MD5 looks vulnerable soon
44. SECURE HASH ALGORITHM (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised
1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet
RFC3174
– nb. the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
45. SHA OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing &
shifting
– use 4 rounds of 20 steps of bit operations on message block & buffer
– add output to input to form new buffer value
5. output hash value is the final buffer value
46. SHA-1 Compression Function
• each round has 20 steps which replace the 5 buffer words thus:
(A,B,C,D,E) <- (E + f(t,B,C,D) + (A<<<5) + Wt + Kt), A, (B<<<30), C, D
• A,B,C,D,E refer to the 5 words of the buffer
• t is the step number
• f(t,B,C,D) is the nonlinear function for the round
• Wt is derived from the message block
• Kt is a constant value derived from sin
48. SHA-1 VERSUS MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• not vulnerable to any known attacks (compared to MD4/5)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big-endian CPUs (vs MD5 which is optimised for little-endian CPUs)
49. REVISED SECURE HASH STANDARD
• NIST have issued a revision FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
50. Message Authentication
Bob receives a message m from Alice; he wants to know
(Data origin authentication) whether the message was really sent by Alice;
(Data integrity) whether the message has been modified.
Solutions:
Alice attaches a message authentication code (MAC) to the message.
Or she attaches a digital signature to the message.
51. Message authentication protocol:
1. Alice and Bob share a secret key k.
2. Alice sends m, MAC_k(m) to Bob.
3. Bob authenticates the received m, MAC by checking if MAC = MAC_k(m)?
MAC_k(m) is called a message authentication code.
Security requirement: infeasible to produce a valid pair (x, MAC_k(x)) without knowing the key k.
52. Constructing MAC from a hash
A common way to construct a MAC is to incorporate a secret key into a fixed hash function (e.g. SHA-1).
Insecure: MAC_k(m) = h_k(m) = h(m) with IV = k
Insecure: MAC_k(m) = h_k(m) = h(k || m)
53. Insecure: MAC_k(m) = h_k(m) = h(m) with IV = k. (For simplicity, without padding.)
The message m = m_1 m_2 m_3 ... m_s is fed block by block through the compression function f, starting from the IV, to give h(m); with IV = k the same chain gives h_k(m).
Easy to forge: feeding one more block m_(s+1) into f starting from h_k(m) yields h_k(m || m_(s+1)), so from a valid pair (m, h_k(m)) one obtains the valid pair (m || m_(s+1), h_k(m || m_(s+1))) without knowing k.
54. HMAC (Hash-based MAC)
A FIPS standard for constructing MAC from a hash function h. Conceptually,
HMAC_k(m) = h(k_1 || h(k_2 || m))
where k_1 and k_2 are two keys generated from k.
Various hash functions (e.g., SHA-1, MD5) may be used for h.
If we use SHA-1, then HMAC is as follows:
HMAC_k(m) = SHA-1((k ⊕ opad) || SHA-1((k ⊕ ipad) || m))
where k is padded with 0's to 512 bits
ipad = 3636...36 (0x36 repeated 64 times)
opad = 5c5c...5c (0x5c repeated 64 times)
55. CBC-MAC
A FIPS and ISO standard.
One of the most popular MACs in use.
Use a block cipher in CBC mode with a fixed, public IV.
Called DES CBC-MAC if the block cipher is DES.
Let E_k: {0,1}^n → {0,1}^n be a block cipher with key k.
CBC-MAC(m, k):
m = m_1 m_2 ... m_l, where |m_i| = n.
c_0 ← IV (typically 0^n)
for i ← 1 to l do
c_i ← E_k(c_(i-1) ⊕ m_i)
return(c_l)
57. CMAC (Cipher-based MAC)
A refined version of CBC-MAC.
Adopted by NIST for use with AES and 3DES.
Use two keys: k, k_1 (assuming |m| is a multiple of n).
Let E_k: {0,1}^n → {0,1}^n be a block cipher with key k.
CMAC(m, k, k_1):
m = m_1 m_2 ... m_l, where |m_i| = n.
c_0 ← IV (typically 0^n)
for i ← 1 to l-1 do
c_i ← E_k(c_(i-1) ⊕ m_i)
c_l ← E_k(c_(l-1) ⊕ m_l ⊕ k_1)
return(c_l)
58. Digital Signatures
RSA can be used for digital signatures.
A digital signature is the same as a MAC except that the tag (signature) is produced using a public-key cryptosystem.
Digital signatures are used to provide message authentication and non-repudiation.
MAC: Message m || MAC_k(m)
Digital signature: Message m || Sig_pr(m)
59. Digital signature protocol:
1. Bob has a key pair (pr, pu).
2. Bob sends m, Sig_pr(m) to Alice.
3. Alice verifies the received m, s by checking if Verify_pu(m, s).
Sig_pr(m) is called a signature for m.
Security requirement: infeasible to forge a valid pair (m, Sig_pr(m)) without knowing pr.
60. Encryption (using RSA): Alice computes C = E(M) under PU_Bob and sends C to Bob; Bob recovers M = D(C) with PR_Bob.
Digital signature (using RSA^-1): Bob computes S = Sign(M) with PR_Bob and sends M, S to Alice; Alice verifies with PU_Bob by checking E(S) = M?
61. RSA Signature
Keys are generated as for RSA encryption:
Public key: PU = (n, e). Private key: PR = (n, d).
Signing a message m ∈ Z_n*: D(m) = m^d mod n. That is, RSA^-1(m).
Verifying a signature (m, s): check if E(s) = s^e mod n = m, or RSA(s) = m.
Only the key's owner can sign, but anybody can verify.
62. Security of RSA Signature
Encryption (using Bob's public key): c = RSA(m).
Sign (using Bob's private key): RSA^-1(c) = m.
Existential forgeries:
1. Every message m ∈ Z_n* is a valid signature for its ciphertext c = RSA(m).
2. If Bob signed m_1 and m_2, then the signature for m_1 m_2 can be easily forged: Sig(m_1 m_2) = Sig(m_1) Sig(m_2).
Countermeasure: hash and sign: Sign_PR(h(m)), using some collision resistant hash function h.
63. Question: Does hash-then-sign make RSA signature secure against chosen-message attacks?
Answer: Yes, if h is a full-domain random oracle, i.e., h is a random oracle mapping {0,1}* → Z_n (Z_n is the full domain of RSA).
64. Problem with full-domain hash:
In practice, h is not full-domain.
For instance, the range of SHA-1 is {0,1}^160, while Z_n = {0, 1, ..., n-1}, with |n| = 1024.
Desired: a secure signature scheme that does not require a full-domain hash.
65. Probabilistic signature scheme
Hash function h: {0,1}* → {0,1}^l (not full domain). l < |N|. (E.g., SHA-1, l = 160; RSA, |N| = 1024.)
Idea:
pad: m || r, where r ∈ {0,1}^k
hash: w = h(m || r) ∈ {0,1}^l
expand: y = w || G(w), where G: {0,1}^l → {0,1}^(n-l) is a pseudorandom generator and y ∈ Z_N
sign: RSA^-1(y)
66. Signing a message m ∈ {0,1}*:
1. choose a random r ∈ {0,1}^k; compute w = h(m || r);
2. compute y = w || (G_1(w) ⊕ r) || G_2(w), where G(w) = G_1(w) || G_2(w) and |G_1(w)| = k;
3. The signature is RSA^-1(y).
67. Remarks
PSS is secure against chosen-message attacks in the random oracle model (i.e., if h and G are random oracles).
PSS is adopted in PKCS #1 v.2.1.
Hash functions such as SHA-1 are used for h and G.
For instance, let n = 1024, and l = k = 160; let h = SHA-1;
G(w) = (G_1(w), G_2(w)) = h(w || 0) || h(w || 1) || h(w || 2), ...
68. Digital Signatures
• have looked at message authentication
–but does not address issues of lack of trust
• digital signatures provide the ability to:
–verify author, date & time of signature
–authenticate message contents
–be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
72. Digital Signature Requirements
• must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical to save digital signature in storage
73. Direct Digital Signatures
• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing
entire message or hash with private-key
• can encrypt using receivers public-key
• important that sign first then encrypt
message & signature
• security depends on sender’s private-key
74. ELGAMAL
We will also take a look at the ElGamal public key cipher system for a number of reasons:
• To show that RSA is not the only public key system
• To exhibit a public key system based on a different one way function
• ElGamal is the basis for several well-known cryptographic primitives
75. SETTING UP ELGAMAL
• Let p be a large prime
– By "large" we mean here a prime rather typical in length to that of an RSA modulus
• Select a special number g
– The number g must be a primitive element modulo p.
• Choose a private key x
– This can be any number bigger than 1 and smaller than p-1
• Compute public key y from x, p and g
– The public key y is g raised to the power of the private key x modulo p. In other words:
y = g^x mod p
76. SETTING UP ELGAMAL: EXAMPLE
Step 1: Let p = 23
Step 2: Select a primitive element g = 11
Step 3: Choose a private key x = 6
Step 4: Compute y = 11^6 (mod 23) = 9
Public key is 9
Private key is 6
77. ELGAMAL ENCRYPTION
The first job is to represent the plaintext as a series of numbers modulo p. Then:
1. Generate a random number k
2. Compute two values C1 and C2, where C1 = g^k mod p and C2 = M·y^k mod p
3. Send the ciphertext C, which consists of the two separate values C1 and C2.
78. ELGAMAL ENCRYPTION: EXAMPLE
To encrypt M = 10 using public key 9
1 - Generate a random number k = 3
2 - Compute C1 = 11^3 mod 23 = 20
C2 = 10 × 9^3 mod 23 = 10 × 16 = 160 mod 23 = 22
3 - Ciphertext C = (20, 22)
79. ELGAMAL DECRYPTION
C1 = g^k mod p, C2 = M·y^k mod p
1 - The receiver begins by using their private key x to transform C1 into something more useful:
C1^x = (g^k)^x mod p
NOTE: C1^x = (g^k)^x = (g^x)^k = (y)^k = y^k mod p
2 - This is a very useful quantity because if you divide C2 by it you get M. In other words:
C2 / y^k = (M·y^k) / y^k = M mod p
80. ELGAMAL DECRYPTION: EXAMPLE
To decrypt C = (20, 22)
1 - Compute 20^6 = 16 mod 23
2 - Compute 22 / 16 = 10 mod 23
3 - Plaintext = 10
81. SECURITY OF ELGAMAL
Recall the two different strategies for trying to "break" RSA:
1. Trying to decrypt a ciphertext without knowledge of the private key
2. Trying to determine the private key
What hard problems do you come across if you try to follow these two different strategies to break ElGamal?
85. ELGAMAL CRYPTOGRAPHY
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois) field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (eg. A) generates their key
– chooses a secret key (number): 1 < xA < q-1
– computes their public key: yA = a^xA mod q
86. ELGAMAL MESSAGE EXCHANGE
• Bob encrypts a message to send to A by computing
– represent message M in range 0 <= M <= q-1
• longer messages must be sent as blocks
– choose random integer k with 1 <= k <= q-1
– compute one-time key K = yA^k mod q
– encrypt M as a pair of integers (C1, C2) where
• C1 = a^k mod q ; C2 = KM mod q
• A then recovers the message by
– recovering key K as K = C1^xA mod q
– computing M as M = C2 K^-1 mod q
• a unique k must be used each time
– otherwise the result is insecure
87. ELGAMAL EXAMPLE
• use field GF(19): q=19 and a=10
• Alice computes her key:
– A chooses xA=5 & computes yA = 10^5 mod 19 = 3
• Bob sends message m=17 as (11,5) by
– choosing random k=6
– computing K = yA^k mod q = 3^6 mod 19 = 7
– computing C1 = a^k mod q = 10^6 mod 19 = 11;
C2 = KM mod q = 7·17 mod 19 = 5
• Alice recovers the original message by computing:
– recover K = C1^xA mod q = 11^5 mod 19 = 7
– compute inverse K^-1 = 7^-1 = 11
– recover M = C2 K^-1 mod q = 5·11 mod 19 = 17
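ElGamal key setup, encryption and decryption from slides 75 to 80 and 85 to 87, as an added example that is not code from the slides; it reproduces both worked examples (p = 23, g = 11, x = 6, M = 10, k = 3 and the GF(19) case). The random k is an optional parameter only so the slide numbers can be reproduced; otherwise a fresh k is drawn per message, as slide 86 requires.

```python
# Added example (not code from the slides): ElGamal encryption and decryption
# as set out above, checked against both worked examples (p = 23, g = 11 and
# the GF(19) example). k is a parameter so the slide numbers can be
# reproduced; a real implementation draws a fresh k per message.
import secrets

def elgamal_keygen(p: int, g: int, x: int) -> int:
    """Public key y = g^x mod p for private key 1 < x < p-1."""
    if not 1 < x < p - 1:
        raise ValueError("private key must satisfy 1 < x < p-1")
    return pow(g, x, p)

def elgamal_encrypt(p: int, g: int, y: int, M: int, k=None) -> tuple:
    """C1 = g^k mod p, C2 = M * y^k mod p, with a fresh random k unless given."""
    if not 0 <= M < p:
        raise ValueError("message must be represented as a number modulo p")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)          # 1 <= k <= p-2
    C1 = pow(g, k, p)
    C2 = (M * pow(y, k, p)) % p
    return C1, C2

def elgamal_decrypt(p: int, x: int, C1: int, C2: int) -> int:
    """Recover M = C2 / C1^x mod p, since C1^x = (g^k)^x = y^k."""
    K = pow(C1, x, p)                              # one-time key y^k
    K_inv = pow(K, -1, p)                          # modular inverse (Python 3.8+)
    return (C2 * K_inv) % p

def roundtrip(p: int, g: int, x: int, M: int, k=None) -> int:
    """Encrypt then decrypt; returns the recovered plaintext."""
    y = elgamal_keygen(p, g, x)
    return elgamal_decrypt(p, x, *elgamal_encrypt(p, g, y, M, k))

if __name__ == "__main__":
    y = elgamal_keygen(23, 11, 6)                  # y = 9
    C = elgamal_encrypt(23, 11, y, 10, k=3)        # (20, 22)
    print(y, C, elgamal_decrypt(23, 6, *C))        # 9 (20, 22) 10
    # reusing k is observable: the same k always gives the same C1
    print(elgamal_encrypt(23, 11, y, 5, k=3)[0] == C[0])   # True
```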
88. ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois) field
– with security based on the difficulty of computing discrete logarithms, as in D-H
• uses private key for encryption (signing)
• uses public key for decryption (verification)
• each user (eg. A) generates their key
– chooses a secret key (number): 1 < xA < q-1
– computes their public key: yA = a^xA mod q
89. ElGamal Digital Signature
• Alice signs a message M to Bob by computing
– the hash m = H(M), 0 <= m <= (q-1)
– choose random integer K with 1 <= K <= (q-1) and gcd(K, q-1) = 1
– compute temporary key: S1 = a^K mod q
– compute K^-1, the inverse of K mod (q-1)
– compute the value: S2 = K^-1 (m - xA S1) mod (q-1)
– signature is: (S1, S2)
• any user B can verify the signature by computing
– V1 = a^m mod q
– V2 = yA^S1 · S1^S2 mod q
– signature is valid if V1 = V2
90. ElGamal Signature Example
• use field GF(19): q=19 and a=10
• Alice computes her key:
– A chooses xA=16 & computes yA = 10^16 mod 19 = 4
• Alice signs message with hash m=14 as (3,4):
– choosing random K=5 which has gcd(18,5)=1
– computing S1 = 10^5 mod 19 = 3
– finding K^-1 mod (q-1) = 5^-1 mod 18 = 11
– computing S2 = 11(14 - 16·3) mod 18 = 4
• any user B can verify the signature by computing
– V1 = 10^14 mod 19 = 16
– V2 = 4^3 · 3^4 = 5184 = 16 mod 19
– since 16 = 16 the signature is valid
91. Schnorr Digital Signatures
• also uses exponentiation in a finite (Galois) field
– security based on discrete logarithms, as in D-H
• minimizes message-dependent computation
– multiplying a 2n-bit integer with an n-bit integer
• main work can be done in idle time
• uses a prime modulus p
– p–1 has a prime factor q of appropriate size
– typically p is a 1024-bit and q a 160-bit number
92. Schnorr Key Setup
• choose suitable primes p, q
• choose a such that a^q = 1 mod p
• (a, p, q) are global parameters for all
• each user (eg. A) generates a key
– chooses a secret key (number): 0 < sA < q
– computes their public key: vA = a^-sA mod q
93. Schnorr Signature
• user signs message by
– choosing random r with 0 < r < q and computing x = a^r mod p
– concatenating the message with x and hashing the result: e = H(M || x)
– computing: y = (r + se) mod q
– signature is pair (e, y)
• any other user can verify the signature as follows:
– computing: x' = a^y v^e mod p
– verifying that: e = H(M || x')
94. Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA &
elliptic curve signature variants
• DSA is digital signature only unlike RSA
• is a public-key technique
96. Digital Signature Algorithm (DSA)
• creates a 320 bit signature
• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of
computing discrete logarithms
• variant of ElGamal & Schnorr schemes
97. DSA Key Generation
• have shared global public key values (p, q, g):
– choose 160-bit prime number q
– choose a large prime p with 2^(L-1) < p < 2^L
• where L = 512 to 1024 bits and is a multiple of 64
• such that q is a 160-bit prime divisor of (p-1)
– choose g = h^((p-1)/q)
• where 1 < h < p-1 and h^((p-1)/q) mod p > 1
• users choose private & compute public key:
– choose random private key: x < q
– compute public key: y = g^x mod p
98. DSA Signature Creation
• to sign a message M the sender:
• generates a random signature key k, k < q
• nb. k must be random, be destroyed after use, and never be reused
• then computes signature pair:
• r = (g^k mod p) mod q
• s = [k^-1 (H(M) + xr)] mod q
• sends signature (r, s) with message M
99. DSA Signature Verification
• having received M & signature (r, s)
• to verify a signature, recipient computes:
w = s^-1 mod q
u1 = [H(M) w] mod q
u2 = (rw) mod q
v = [(g^u1 y^u2) mod p] mod q
• if v = r then signature is verified
• see Appendix A for details of proof why
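DSA key generation, signing and verification following slides 97 to 99, as an added example that is not code from the slides. It runs on deliberately tiny constructed parameters (q = 11, p = 23, h = 2, so g = 4) so that r, s, w, u1, u2 and v can all be checked by hand; real parameters use the sizes the slides give. H(M) is SHA-1 reduced mod q here only to fit the toy q, and the r = 0 / s = 0 retry is the FIPS 186 rule rather than something the slides state.

```python
# Added example (not code from the slides): DSA key generation, signing and
# verification following the formulas above, on tiny constructed parameters
# (q = 11, p = 23) so every value can be checked by hand. H is SHA-1 reduced
# mod q here only so it fits the toy q; real DSA uses the digest directly.
import hashlib
import secrets

def dsa_generator(p: int, q: int, h: int) -> int:
    """g = h^((p-1)/q) mod p; the slides require the result to be > 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p-1")
    g = pow(h, (p - 1) // q, p)
    if g <= 1:
        raise ValueError("h gives a trivial g, choose another h")
    return g

def dsa_keygen(p: int, q: int, g: int, x=None) -> tuple:
    """Private x < q (random unless given), public y = g^x mod p."""
    if x is None:
        x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)

def H(M: bytes, q: int) -> int:
    """Toy hash: SHA-1 of M reduced mod q (real DSA uses the digest as-is)."""
    return int.from_bytes(hashlib.sha1(M).digest(), "big") % q

def dsa_sign(p: int, q: int, g: int, x: int, hm: int, k=None) -> tuple:
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q; k is fresh and secret."""
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(q - 1)
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (hm + x * r)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:                       # FIPS 186: r or s zero means retry
            raise ValueError("degenerate signature for this k, use another")

def dsa_verify(p: int, q: int, g: int, y: int, hm: int, r: int, s: int) -> bool:
    """w = s^-1, u1 = H(M) w, u2 = r w (mod q); v = (g^u1 y^u2 mod p) mod q == r."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hm * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r

if __name__ == "__main__":
    p, q = 23, 11
    g = dsa_generator(p, q, 2)                 # 4
    x, y = dsa_keygen(p, q, g, x=7)            # y = 8
    M = b"constructed sample message"
    r, s = dsa_sign(p, q, g, x, H(M, q))
    print(g, y, (r, s), dsa_verify(p, q, g, y, H(M, q), r, s))   # ... True
```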