Introduction To Digital Signatures

Post on 16-Nov-2014

Talk given at Benedictine University on digital signatures and the Digital Signature Algorithm by Robert Talbert, 2 April 2008.

Transcript of Introduction To Digital Signatures

Introduction to digital signatures
Benedictine University
MATH 390: Cryptography
2 April 2008

Robert Talbert, PhD
Associate Professor of Mathematics and Computing Science
Franklin College, Franklin, IN

Menu

• The problem of authentication
• Non-solutions to the authentication problem; the concept of the digital signature and required parameters
• Digital signatures using public-key encryption algorithms
• The Digital Signature Algorithm (DSA)
• Further applications and issues

PROBLEM: AUTHENTICATION

HOW DO WE DO THIS IF THE DOCUMENT IS DIGITAL AND NOT PAPER?

HAS THIS EMAIL BEEN SIGNED?

HOW ABOUT NOW?

A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED

GOAL: DIGITAL SIGNATURES WHICH DO THIS FOR ELECTRONIC DOCUMENTS.

Implementation

• Public-key encryption “in reverse”
• Specialized signature-only algorithms: the Digital Signature Algorithm

PUBLIC-KEY CRYPTOGRAPHY

[Diagram: Alice sends a message to Bob; Eve also appears. Keys shown: Public (e, n), Private d.]

Plaintext: Dear Bob - The meeting will be at the embassy.
  ↓ Encryption function
Ciphertext: Qrne Obo - Gur zrrgvat jvyy or ng gur rzonffl.
  ↓ Decryption function
Original plaintext: Dear Bob - The meeting will be at the embassy.

• No secret key is ever exchanged
• Alice does not need her own key to use the system

KID CRYPTO

Choose positive integers A, B, a, and b.

$M = ab - 1$
$e = AM + a$
$d = BM + b$
$n = \dfrac{ed - 1}{M}$

Public key: (e, n)
Private key: d

H  E  L  P
07 04 11 15

TALBERT’S PUBLIC KEY: (E = 3242, N = 19723)

Encryption: Compute $y = (ex) \bmod n$ for each number.

Plaintext   Numerical   (ex) mod n = Cipher “text”
H           7           (3242 × 7) mod 19723 = 2971
E           4           12698
L           11          15939
P           15          9184

2971 12698 15939 9184

TALBERT’S PRIVATE KEY: D = 1965

Decryption: Compute $z = (dy) \bmod n$ for each number.

Ciphertext   (dy) mod n   Alpha
2971         7            H
12698        4            E
15939        11           L
9184         15           P

WHY KID CRYPTO WORKS

X = PLAINTEXT “CHARACTER”

$y = (ex) \bmod n$
$z = d(ex) \bmod n = (ed)x \bmod n$

$n = \dfrac{ed - 1}{M}$

$$
\begin{aligned}
ed &= (Mn + 1) \bmod n \\
   &= Mn \bmod n + 1 \bmod n \\
   &= 0 \bmod n + 1 \bmod n \\
   &= 1 \bmod n
\end{aligned}
$$

$$
\begin{aligned}
z &= (ed)x \bmod n \\
  &= x \bmod n \\
  &= x.
\end{aligned}
$$

[Diagram: BOB signs a message for ALICE. Keys shown: PUBLIC (E, N), PRIVATE D.]

Message: I HEREBY GIVE YOU A RAISE.
Signature: 192 2343 9102 ...

BOB: ENCRYPT WITH THE PRIVATE KEY; ATTACH TO END OF ORIGINAL MESSAGE
ALICE: DECRYPT WITH THE PUBLIC KEY; AUTHENTICATE BY COMPARING TO PLAINTEXT MESSAGE

DIGITAL SIGNATURE = MESSAGE ENCRYPTED WITH PRIVATE KEY

WHY KID CRYPTO WORKS FOR SIGNATURES

X = PLAINTEXT “CHARACTER”

BOB: $s = dx \bmod n$

ALICE: $s' = edx \bmod n = x \bmod n = x.$

[Diagram: BOB and ALICE with keys PUBLIC (E, N) and PRIVATE D; a third party holds an EVIL FAKE D.]

Message: I HEREBY GIVE YOU A RAISE.
Signature made with the fake D: 228 1893 189 ...
Signature decrypted with the public key: X FLBRUG YTEX BIP Q XETIA.

SIGNATURE DOES NOT MATCH MESSAGE ⇒ MESSAGE NOT AUTHENTICATED
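The Kid Crypto slides above, worked end to end as an added Python example (not code from the talk): key generation, the HELP encryption, signing with d, and the two failure cases (a signature made with a wrong d, and a message altered after signing). The values A=10, B=6, a=12, b=27 are constructed here because they reproduce the slide's key pair; the function names are assumptions.

```python
def kid_keygen(A, B, a, b):
    """Kid Crypto key generation from four positive integers (slide formulas)."""
    M = a * b - 1
    e = A * M + a
    d = B * M + b
    n = (e * d - 1) // M        # exact: e*d - 1 = M * (A*B*M + A*b + a*B + 1)
    return (e, n), d


def encode(text):
    """A=0 ... Z=25, the numbering that turns HELP into 7 4 11 15."""
    return [ord(c) - ord("A") for c in text]


def encrypt(nums, e, n):
    return [(e * x) % n for x in nums]          # y = (ex) mod n


def decrypt(nums, d, n):
    return [(d * y) % n for y in nums]          # z = (dy) mod n


def sign(nums, d, n):
    return [(d * x) % n for x in nums]          # s = dx mod n: private key "in reverse"


def verify(nums, sig, e, n):
    """Recipient recomputes (e*s) mod n and compares it with the plaintext numbers."""
    return len(sig) == len(nums) and [(e * s) % n for s in sig] == nums


# Constructed inputs: these four integers give e=3242, n=19723, d=1965 as on the slides.
PUBLIC, D = kid_keygen(10, 6, 12, 27)
HELP = encode("HELP")

if __name__ == "__main__":
    e, n = PUBLIC
    cipher = encrypt(HELP, e, n)
    # 3242 * 4 = 12968 for the letter E (the slide's table prints 12698).
    print("cipher   ", cipher)
    print("decrypted", decrypt(cipher, D, n))
    sig = sign(HELP, D, n)
    print("genuine signature verifies:", verify(HELP, sig, e, n))
    forged = sign(HELP, D + 1, n)               # signer who does not hold the real d
    print("fake-d signature verifies: ", verify(HELP, forged, e, n))
    print("altered message verifies:  ", verify(encode("HELD"), sig, e, n))
```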

A TRUE SIGNATURE:
• IS AUTHENTIC
• CANNOT BE FORGED
• CANNOT BE REUSED
• PROVES DOCUMENT HAS NOT BEEN ALTERED
• CANNOT BE REPUDIATED

Public-key system as signature system

Sender encrypts the message with his private key, attaches “ciphertext” to the plaintext message.

Recipient decrypts the ciphertext with the sender’s public key; compares to plaintext message. Equality ⇒ authentication.

Example using RSA

A national standard?

1977: RSA INVENTED
1982: NIST SOLICITS CANDIDATES FOR FEDERAL DIGITAL SIGNATURE STANDARD (DSS)
1991: NIST PROPOSES DIGITAL SIGNATURE ALGORITHM (DSA) TO BE USED IN DSS
1992: PUBLIC COMMENTS ON DSA; CRITICISM FROM RSA, INC. AND CLIENT COMPANIES
1994: DSA APPROVED

$227 = 2 \times 10^2 + 2 \times 10^1 + 7 \times 10^0$

$227 = 1 \times 2^7 + 1 \times 2^6 + 1 \times 2^5 + 0 \times 2^4 + 0 \times 2^3 + 0 \times 2^2 + 1 \times 2^1 + 1 \times 2^0 = 11100011$ (BINARY FORM OF 227)

227 IS AN 8-BIT INTEGER

5 = 101
1967 = 11110101111

Bit length of N = $\left\lfloor \dfrac{\ln N}{\ln 2} \right\rfloor + 1$

Decimal length of k-bit integer = $\lfloor (k - 1) \log_{10} 2 \rfloor + 1$

[Diagram: Alice sends Bob the message "HI, BOB. HOW’S IT GOING?" (SIGNATURE ATTACHED); Bob's side shows AUTHENTICATED.]

STAGE 1: SYSTEM-WIDE PARAMETER GENERATION.
STAGE 2: KEY GENERATION (ALICE; ONE-TIME ONLY).
STAGE 3: SIGNING (ALICE).
STAGE 4: AUTHENTICATING (BOB).

1: SYSTEM-WIDE PARAMETERS

Name   Description
p      Prime number, bit length between 512 and 1024 and a multiple of 64.
q      160-bit prime factor of p.
α      $\alpha = h^{(p-1)/q} \bmod p$, where h is any number ≤ p-1 such that $h^{(p-1)/q}$ is > 1

2: KEY GENERATION

Alice

PRIVATE KEY: Random integer x such that 1 ≤ x ≤ q-1
PUBLIC KEY: $y = \alpha^x \bmod p$

3: SIGNING

Alice

Has:
Message m
Public key y, Private key x
System parameters p, q, α

Choose random (secret) integer k with 0 < k < q.
Compute $r = (\alpha^k \bmod p) \bmod q$.
Compute $k^{-1} \bmod q$.
Compute $s = k^{-1}(H(m) + xr) \bmod q$.

SIGNATURE: (R,S).

4: AUTHENTICATING

BOB

Receives:
Message m
Signature (r,s)

Has:
Public key y; System parameters p, q, α

Verify 0 < r, s < q. Reject if not.
Compute H(m) and $w = s^{-1} \bmod q$.
$u_1 = (w \cdot H(m)) \bmod q$
$u_2 = (rw) \bmod q$
$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$

IF V = R ⇒ AUTHENTICATED.

$v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$

$s = k^{-1}(H(m) + xr) \bmod q$
$s^{-1} = k\,(H(m) + xr)^{-1} \bmod q$

$\alpha^{u_1} = \alpha^{wH(m) \bmod q}$
$y^{u_2} = (\alpha^x)^{u_2} \bmod p = \alpha^{xrw \bmod q} \bmod p$

$$
\begin{aligned}
\alpha^{u_1} y^{u_2} &= \alpha^{wH(m)} \alpha^{xrw} \bmod p \\
&= \alpha^{w(H(m) + xr) \bmod q} \bmod p \\
&= \alpha^{s^{-1}(H(m) + xr) \bmod q} \bmod p \\
&= \alpha^{k(H(m) + xr)^{-1}(H(m) + xr) \bmod q} \bmod p \\
&= \alpha^{k} \bmod p
\end{aligned}
$$

$$
\begin{aligned}
v &= (\alpha^{u_1} y^{u_2} \bmod p) \bmod q \\
  &= (\alpha^{k} \bmod p) \bmod q
\end{aligned}
$$

$r = (\alpha^{k} \bmod p) \bmod q$

IF V = R ⇒ AUTHENTICATED.
IF V ≠ R ⇒ NO AUTHENTICATION.

[Diagram: Alice sends Bob the message "I HEREBY GIVE YOU A RAISE." with signature (R,S). Also shown: PUBLIC $y = \alpha^x \bmod p$; SYSTEM: P, Q.]

HOW TO PRODUCE A FORGED (R,S) ON A NEW MESSAGE?

FORGERY METHOD 1: RECOVER ALICE’S PRIVATE KEY FROM AVAILABLE INFORMATION.

$y = \alpha^x \bmod p$: SOLVE FOR X

DISCRETE LOGARITHM PROBLEM

O(√p)! Too expensive!

FORGERY METHOD 2: USE R TO RECOVER K.

$r = (\alpha^k \bmod p) \bmod q$

DISCRETE LOGARITHM PROBLEM

$s = k^{-1}(H(m) + xr) \bmod q$
$x = r^{-1}(sk - H(m)) \bmod q$

Everything on the RHS except k is public info or easy to compute... but I still have to solve DLP! Curses!

FORGERY METHOD 3: HOPE FOR LAZINESS.

Alice: I don’t feel like generating a new value for k.

$s_1 = k^{-1}(H(m_1) + xr) \bmod q$
$s_2 = k^{-1}(H(m_2) + xr) \bmod q$

$s_1 k - H(m_1) = xr \bmod q$
$s_2 k - H(m_2) = xr \bmod q$

$k(s_1 - s_2) = H(m_1) - H(m_2) \bmod q$

$k = (s_1 - s_2)^{-1}(H(m_1) - H(m_2)) \bmod q$

Gotcha!
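Stages 1 to 4 and the repeated-k case of Forgery method 3, as an added Python example (not code from the talk) that an auditor can run to see why two signatures sharing r expose the key. Assumptions: toy sizes (q = 2^31 - 1 instead of a 160-bit q), q taken as a prime factor of p - 1 as the exponent (p-1)/q requires, SHA-1 as H, and all function names.

```python
import hashlib
import math
import secrets

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def make_params(q=2**31 - 1):
    """Stage 1 at toy size (assumption: 31-bit q, not the 160-bit q of the talk)."""
    j = 2
    while not is_prime(j * q + 1):       # search for a prime p with q | p - 1
        j += 2
    p = j * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:  # alpha = h^((p-1)/q) mod p must be > 1
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def H(m):
    """SHA-1 digest of the message bytes as an integer."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def keygen(p, q, alpha):
    x = secrets.randbelow(q - 1) + 1     # private key, 1 <= x <= q-1
    return x, pow(alpha, x, p)           # public key y = alpha^x mod p

def sign(m, x, p, q, alpha, k=None):
    """Stage 3. Passing k explicitly exists only to model the 'lazy Alice' case."""
    k = k or secrets.randbelow(q - 1) + 1            # 0 < k < q, fresh per message
    r = pow(alpha, k, p) % q
    s = pow(k, -1, q) * (H(m) + x * r) % q
    return r, s

def verify(m, sig, y, p, q, alpha):
    """Stage 4, including the range check on r and s."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = w * H(m) % q, r * w % q
    return pow(alpha, u1, p) * pow(y, u2, p) % p % q == r

def shared_nonce(m1, sig1, m2, sig2, q):
    """Audit check: equal r on two signatures indicates a reused k.
    Returns (k, x) via the slide's algebra, or None if the pair shares no r."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2 or r1 == 0:
        return None
    k = pow((s1 - s2) % q, -1, q) * (H(m1) - H(m2)) % q
    x = pow(r1, -1, q) * (s1 * k - H(m1)) % q
    return k, x

if __name__ == "__main__":
    p, q, alpha = make_params()
    x, y = keygen(p, q, alpha)
    m1, m2 = b"I HEREBY GIVE YOU A RAISE.", b"HI, BOB. HOW'S IT GOING?"
    good = sign(m1, x, p, q, alpha)
    print("valid:", verify(m1, good, y, p, q, alpha), "altered:", verify(m2, good, y, p, q, alpha))
    k = secrets.randbelow(q - 1) + 1
    lazy1, lazy2 = sign(m1, x, p, q, alpha, k), sign(m2, x, p, q, alpha, k)
    print("key exposed by reuse:", shared_nonce(m1, lazy1, m2, lazy2, q) == (k, x))
```

In a signing service the same comparison of r values across stored signatures works as a regression check on the nonce source.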

Further issues

• One-way hash functions and their security (SHA-1, MD5)
• Faster/less expensive algorithms for solving DLP
• Uses of secure authentication
  • Electronic currency
  • Electronic notarization
  • Identification in social networking/blogging

Contact

Robert Talbert, PhD
Department of Mathematics and Computing
Franklin College
101 Branigin Blvd.
Franklin, IN 46131

rtalbert@franklincollege.edu