comppiler

1. Chapter 7
Hashing, Authentication, and
Signature Schemes

2. • Issues addressed 
• Alice receives a message from Bob
• Is it authentic?
• Is it really from Bob?
• How to ‘electronically’ ensure authenticity?
• Authenticity of source
• Authenticity of message
• How to ‘electronically’ sign a message ?

3. • Hash value of a message  unique tag of message
•  its fingerprint
• Alternate terms  message digest / Message Integrity
Check (MIC) / Message Detection Code (MDC)
• widely known as ‘hash value’ of message
• Typically hash value is 160 bits long
• message can be much longer
• ‘hashing function’  function used to generate hash
value
• Hash smaller in length than message
•  hashing function also called a ‘compression
function’

4. • Need for Alice : ‘send a message to Bob  ensure
it is not corrupted’
• Hashing schemes  provide means of
establishing such credibility of message
• Hash value  generated from message itself
• Alice attaches it to message & sends the pair to
Bob
• Bob knows functional scheme used to generate
hash value
• Bob regenerates hash
• Same as hash from Alice?
• Yes  Bob confirms ‘message is authentic’

5. • Causes galore for corruption!
• length of message/ noisy nature of
transmitting / recording media / presence of
ill-intentioned Eve on the way / possible
corruption in archive
• hash  a much shorter stamp (say 160 bits
long)
• More easily preserved & transmitted faithfully
• Facilitates Bob’s check  Bob can regenerate
hash from message stream itself & use it to
verify its genuineness

6. • CD – an archive stores a long message – for later
use
• On retrieval, how to ascertain ‘it is uncorrupted?’
• Generate hash & store separately / more reliable
way
• Use it along with freshly generated hash value
• They tally ?  message remains uncorrupted
• security / confidentiality / integrity of source etc.
. Not involved here
• x  message of i bits
• y  hash value of n bits
•  i >> n  160 bits  representative value for
hash length n

7. • y = f(x)  hashing function
•  function of selected bits of message
(involving AND, OR, INVERT, & XOR
operations)
• x to y relation of many-to-one type
•  multiple values for x lead to same value for
y
• Such identification  defeats purpose of
hashing – namely providing authenticity
•  need to define scope of hashing function
&identify criteria it has to satisfy

8. random oracle model
• abstraction of a black-box type of function.
• Outputs a random number y (x) for every input x
• repetition of a query elicits same answer
• functional relation in I / O process  not
discernible
• random Oracle model  idealization of hashing
function.
• query oracle with a new x
•  It doles out a fresh hash value y
• x1, x2, x3, . . .  sequence of messages
• y1, y2, y3, . . .  corresponding hash values

9. • Knowledge of the pairs (x1, y1), (x2, y2), . . .
•  No clue to hash value for next query
•  independence property
• Let M be the collection of all possible messages and Y the
collection of all possible hash values. Let {x1, x2, . . } be
the set of messages for which the hash values have
already been obtained as {y1, y2, . . }. The hash value for
a new message x which is not in the set is equally likely to
be anyone of the possible hash values. The probability of
it being a specific value yp is 1/│Y│.

10. Pre-image resistance
• Knowing hash value y1 can we find message x1?
• Make q queries to oracle
• oracle returns y1 as hash value to any one of these
queries  ineffective hashing function
• (1- 1/│Y│)q P(failure to return y1 in q successive queries)

• P of success is 1 - (1- 1/│Y│)q
• Probability value, its approximation, & variation with
relative values of q discussed earlier
• q << │Y│  P of success = q/│Y│
•  a reasonable chance of success  q ~│Y│

11. • hashing schemes -- SHA-1 & RIPEMD160 --
use 160-bit hash values
• No. of trials for success ~ 2160  too high to
be computationally feasible
•  A ‘pre-image resistant’ hashing function

12. Second Pre-Image Resistance
• With message x1 we get hash value y1 – given hashing
function f
• Can we identify x2 different from x1 with hash value y1 ?
• Yes  fingerprint not ‘unique’ to x1
• P of success = 1 - (1- 1/│Y│)q-1
• q << │Y│ P of success  (q-1)/│Y│
•  a ‘second pre-image resistant’ hashing function
•  also known as a ‘weak collision resistant’ hashing
function.
• A hashing function with three properties
• ease of computation, pre-image resistant, & second
pre-image resistant  ‘one-way hash function’.

13. • Carefully selected hashing function satisfies
• Easy realisability, pre-image resistance, second pre-
image resistance, & collision resistance
• An attacker may still identify & exploit weakness in
function
• Important criteria for prevention:
• Hash value for any message should be a random bit
sequence  exhibit correlation immunity
• Change in one message bit should affect as many bits
in hash value as possible
•  Ideally all output bits should be affected
•  ‘avalanche’ effect
• If hashing function does not exhibit avalanche effect,
specific bit positions in message affect only a limited
number of bit positions in hash value
•  Can be exploited as a weakness by an attacker

14. • Iterated hashing scheme specifies
• Initial hash value (an initial vector) h0 &
• hashing function
• length of h0  same as final hash value
• output of hashing with first message block M0  h1
• h1  a bit sequence of length h0 itself
• h1  appended to the next message block M1
• The set hashed again
• . . .
• Repeat until all preprocessed message blocks are hashed
• Scheme block diagram  Figure 
• Merkle and Damgard 
• a compression function is collision resistant
•  iterative function using it is also collision resistant
•  justification for iterative hashing using a suitably
selected hashing function

15. Hashing Schemes
• MD5 –upgrade of predecessor MD4
• in wide use over past few years
• Now vulnerable  given way to SHA-1 &RIPEMD-160
• Both are its enhancements
• Both in wide use today
• likely to be in use for next few years
• The respective standards also specify scaled up
versions
• Users expected to migrate to scaled up versions  As
enhanced computing power & analysis techniques
make them vulnerable to attacks

16. pre-processing stage
• Identical for both
• message length  block of i bits with 0  i < 264
• Message segmented into blocks of 512 bits each
•  total number of blocks  N
• Procedure 
• To message of i bits append a 1-bit
• Follow it by k zero bits such that i + 1 + k ≡ 448 (mod 512)
• k smallest number of zeros possible
• Represent i as a 64-bit binary number
• Append it to the i + 1 + k set of bits
•  padded message  512N bits long
• N  total number of message blocks

17. SHA – 1
• SHA-1 (Acronym for ‘Secure Hashing Algorithm’)
• A NIST approved hashing algorithm
• Generates a hash of 160 bits
• message block is a pre-processed
• Then hashing processing stage  An iterative process
• Hashing starts with 160-bit seed as hash value
• A sequence of non-linear operations carried out on first
message block of 512 bits
• Sequence cyclically repeated 80 times
• A 160-bit hash value generated
• Use this as seed & repeat cyclic sequence for second
message block of 512 bits

18. • Continue & hash all N message blocks  160-bit hash value
• The various constants used & steps involved in hashing:
• Initial hash value (‘seed value’) is taken as sequence of five
32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89;
H[2][0] = 0x98badcfe;H[3][0] = 0x10325476;
• H[4][0] = 0xc3d2e1f0;
• A set of constants kt for t values from 0 to 79 is defined
• Used successively in 80 rounds of processing done on each
message block
• kt = 0x5a827999: 0  t  19
• = 0x6ed9eba1: 20  t  39
• = 0x8f1bbcdc: 40  t  59
• = 0xca62c1d6: 60  t  79

19. 4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1],
H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D,
and E as
• A= H[0][t-1]; B = H[1][t-1]; C = H[2][t-1]
• D= H[3][t-1]; E= H[4][t-1]
5. do for 0  t  79
• {
• T = (A << 5) + ft(B, C, D) + E + k[t] + W[t]
• where ft(x, y, z)  function defined #above.
• (A << signifies circular left shift of A by five bit
positions. All additions are to be of mod (232) type.
• E = D; D = C; C = (B <<30); B = A; A = T
• }
• (B << 30) signifies circular left shift of B by thirty bit
positions

20. • 6. Compute the next hash value set as
• H[0][t]= A + H[0][t-1]
• H[1][t]= B + H[1][t-1]
• H[2][t]= C + H[2][t-1]
• H[3][t]= D + H[3][t-1]
• H[4][t]= E + H[4][t-1]
• All additions are to be of mod (232) type.
• 7. After completing sequence N times – (with all N
message blocks) form hash value – i.e., the 160-bit
message digest – as
• {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N]}
• Example  See text

21. SHA Family
• SHA  five sizes specified by NIST
• cyclic scheme  SHA-1 with minor differences
• Sizes & all related info.  Table 
Algorithm Message
size-bits
block size
– bits
word size-
bits
message digest
size-bits
SHA-1 <264 512 32 160
SHA-224 <2^64 512 32 224
SHA-256 <264 512 32 256
SHA-384 <2128 1024 64 384
SHA-512 <2128 1024 64 512

22. RIPEMD-160
• Start hashing with a 160-bit initial hash value (initial vector)
• – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]}
• H[0][0] = 0x67452301; H[1][0] = 0xefcdab89;
• H[2][0] = 0x98badcfe; H[3][0] = 0x10325476;
• H[4][0] = 0xc3d2e1f0;
• values same as for SHA-1
• N message blocks are processed in succession from 1 to N
• Hash values after processing ith block 22
• – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i]
• Hash values after completion of processing with all N blocks
 H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N]
• Final hash value  160-bit concatenated value of these

23. • Each message block of 512 bits  composed of a
sequence of sixteen words
• put through two 80-cycle operational sequences in
parallel  Figure 
• ‘left (80-cycle) sequence’ &
• ‘right (80-cycle) sequence’
• 80-cycles  arranged as a sequence of five rounds
• Each round  a sequence of sixteen cycles
• Each uses one of sixteen words of message block
•  Each message word  used ten times
• once in each round on left sequence &
• once in each round on right sequence

24. • A pre-defined permutation of words in message
block decides instant of use of each word
• Step-by-step hashing procedure follows
1. {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]}
•  message block  set of sixteen 32-bit words
• Permute conforming to row-1 in Table
• Form the sequence – {zl[0], zl[1], zl[2], . . . ., zl[15]}
• [for this specific case permutation is not done]
• Use permuted word values and complete sixteen
cycles of operation
•  first round for left sequence

25. Index of message word used in the round in the
left sequence
Round 1(t:0 –
15)
0 1 2 3 4 5 6 7 8 9 10 1112 1
3
1415
Round 2(t:16
– 31)
7 4 13 1 10 6 15 3 12 0 9 5 2 1
4
11 8
Round 3(t:32
– 47)
3 10 14 4 9 15 8 1 2 7 0 6 1311 5 12
Round 4(t:48
– 63)
1 9 11 10 0 8 12 4 13 3 7 1514 5 6 2
Round 5(t:64
– 79)
4 0 5 9 7 12 2 10 14 1 3 8 11 6 1513
Permutation details of message words for left sequence

26. 2. {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]}
•  message block  set of sixteen 32-bit
words
• Permute conforming to row-1 in Table
• Form the sequence – {zr[0], zr[1], zr[2], . . . .,
zr[15]}
• [for this specific case permutation is not done]
• Use permuted word values and complete
sixteen cycles of operation
•  first round for right sequence

27. Index of message word used in the round in the
right sequence
Round 1(t:0
– 15)
5 14 7 0 9 2 11 4 13 6 15 8 1 10 3 12
Round 2(t:16
– 31)
6 11 3 7 0 13 5 10 14 15 8 12 4 9 1 2
Round 3(t:32
– 47)
15 5 1 3 7 14 6 9 11 8 12 2 10 0 4 13
Round 4(t:48
– 63)
8 6 4 1 3 11 15 0 5 12 2 13 9 7 1014
Round 5(t:64
– 79)
12 15 10 4 1 5 8 7 6 2 13 14 0 3 9 11
Permutation details of message words for right sequence

28. 3. Permute– {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]} –
conforming to row-2 in ‘Left-Table ’
• Form sequence – {zl[16], zl[17], zl[18], . . . ., zl[31]}
• Use permuted word values & complete 16 cycles of
operation of second round for left sequence
4. Permute– {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]} –
conforming to row-2 in ‘Right-Table ’
• Form sequence – {zr[16], zr[17], zr[18], . . . ., zr[31]}
• Use permuted word values & complete 16 cycles of
operation of second round for left sequence
5. Proceed as above & complete rounds 3, 4, & 5
•  use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables

29. • Operational sequence of eighty cycles completed
• Left word set  {Al, Bl, Cl, Dl, El}
• Right word set  {Ar, Br, Cr, Dr, Er}
• Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],&
H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1],
H[3][i+1],& H[4][i+1]}
• Use following algebra 
• H[0][i+1]= H[1][i]+ Cl + Dr
• H[1][i+1]= H[2][i]+ Dl + Er
• H[2][i+1]= H[3][i]+ El + Ar
• H[3][i+1] = H[4][i]+ Al + Br
• H[4][i+1] = H[0][i] + Bl,+ Cr

30. • Assign values afresh
• Al =H[0][i], Bl =H[1][i], Cl =H[2][i] , Dl =H[3][i] , El =H[4][i ]
• Ar =H[0][i], Br =H[1][i], Cr =H[2][i] , Dr =H[3][i] , Er =H[4][i ]
• T 80-cycle operation :
• do for 0  t  79
• {
• T = ((Al + ft(Bl, Cl, Dl) + zl[t] + El ) >> rl[t])+ kl [t]
• where
• ft(x, y, z)  function for left sequence defined in Table 
• (>> rl[t]) signifies circular right shift by rl[t] bit positions as
in Table  

31. Cycles in left
sequence
Function used
– name
Function
description
Cycles in
right
sequence
0  t  15 f1(x, y, z) x  y  z 64  t  79
16  t 31 f2(x, y, z) (x  y) (~ x
z)
48  t  63
32  t  47 f3(x, y, z) (x  ~y)  z) 32  t  47
48  t  63 f4(x, y, z) (x  z) (y
~z)
16  t 31
64  t  79 f5(x, y, z) x  (y  ~z) 0  t  15
Functions used in the different cycles

32. rl[t]: Number of bits by which the specified word is to be
circularly shifted right
Round 1(t:0
– 15)
11 14 15 12 5 8 7 9 11 13 14 15 6 7 9 8
Round 2(t:16
– 31)
7 6 8 13 11 9 7 15 7 12 15 9 11 7 13 12
Round 3(t:32
– 47)
11 13 6 7 14 9 13 15 14 8 13 6 5 12 7 5
Round 4(t:48
– 63)
11 12 14 15 14 15 9 8 9 14 5 6 8 6 5 12
Round 5(t:64
– 79)
9 15 5 11 6 8 13 12 5 12 13 14 11 8 5 6
Details of circular shift for the function in the left sequence

33. kl [t] values are as specified in Table 
All additions to be of mod (232) type
Al = El ; El = Dl ; Dl = (Cl >>10); Cl = Bl; Bl = Tl
>>10signifies circular right shift by ten bit positions
Cycle Left sequence – kl[t] Right sequence– kr[t]
0  t  15 0 50a28be6
16  t  31 5a827999 5c4dd124
32  t  47 6ed9eba1 6d703ef3
48  t  63 8f1bbcdc 7a6d76e9
64  t  79 a953fd4e 0
Additive constants used in different rounds -- Values given
are in hex form

34. • T = ((Ar + ft(Br, Cr, Dl) + zr[t] + Er ) >> rr[t])+ kr [t]
• where
• ft(x, y, z) is the function for right sequence defined in
Table  
• (>> rr[t]) signifies circular right shift by rr[t] bit
positions as specified in Table 
• kr [t] values are as specified in Table 
• All additions are to be of mod (232) type
• Ar = Er ; Er = Dr ; Dr = (Cr >>10) ;Cr = Br ; Br = T
• >>10signifies circular right shift by ten bit positions
• }
• Final hashed output formed after processing all N
message blocks 
• {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N]}.

35. rr[t]: Number of bits by which the specified word
is to be circularly shifted right
Round 1(t:0
– 15)
8 9 9 11 13 15 15 5 7 7 8 11 14 14 12 6
Round
2(t:16 – 31)
9 13 15 7 12 8 9 11 7 7 12 7 6 15 1311
Round
3(t:32 – 47)
9 7 15 11 8 6 6 14 12 13 5 14 13 13 7 5
Round
4(t:48 – 63)
15 5 8 11 14 14 6 14 6 9 12 9 12 5 15 8
Round
5(t:64 – 79)
8 5 12 9 12 5 14 6 8 13 6 5 15 13 1 11
Details of circular shift for function in right sequence

36. Observations
• Modular algebra based hashing schemes
• → prone to easy attacks → no longer in use
• SHA-1 & RIPEMD-160  of comparable security level
• Initial 160-bit hash value is same for SHA-1 & RIPEMD-
160.
• b0  at left end in SHA-1 & at right end in RIPEMD-160
• We use b0 at left end
•  All constants, tabular entries & associated
descriptions changed accordingly
• Other hashing schemes like MD5 in vogue until recently
• Now all of them considered vulnerable
• Not recommended for newer applications

37. • SHA-1 selects a set of previous words in schedule
• → sums up & forms message schedule
• → difficult to restrict effect of change in message to
a ‘local area’ of hash value
• → avalanche effect  an additional deterrent to
attacks
• Both SHA-1 & RIPEMD-160 closely follow structure of
MD5
• Dual sequence scheme in RIPEMD-160 adds to
collision resistance
• Permutation in RIPEMD-160 → two words which are
close in one round are farther apart in the next
• constants used in different rounds in both SHA-1 &
RIPEMD-160 are 32-bit approximations of irrational
numbers derived from simple integers → Table ↓

38. • Similar disparity present between left & right sides in
each round
• → Adds to the strength of scheme
• CRC check ~ hash value
• CRC value  binary number to identify error --
within a specific limit -- data stream
• CRC check not satisfied  data stream definitely in
error
• CRC check satisfied  data stream taken as being
received correctly
•

39. • number of errors > CRC limit but CRC check
satisfied
•  distinct possibility (though remote) exists.
•  data stream erroneously taken as correct
• One can always find a second message having
same CRC check value as original one!
• Add selected bit streams to message for this
• Hashing function  second pre-image resistant
• Identifying a second data stream for given hash
value is difficult
• This adds substantially to authenticity of hashing

40. Applications of hashing functions
• Combine hashing, public key cryptography, & private key
cryptography  various application possibilities
• Scheme in Figure 
• Alice conveys confidential message to Bob
• Alice uses kub – public key of Bob – to encrypt message
• Encrypted message sent to Bob
• Bob uses his private key – krb – to decrypt & recover
message
• Public key cryptography  costly
•  slows down communication rate conspicuously
•  used essentially to share private key (Alice selects it
and sends it to Bob)

41. • Scheme in Figure 
• Alice uses her private key – kra, encrypts message, &
sends Bob
• Bob ( & others ) in the know of public key of Alice – kua –
can decrypt and retrieve message
• Since private key of Alice – kra – is known only to Alice
•  Bob & others  sure of source – that it is Alice
• Scheme establishes authenticity of message & message
source
•  Alice telling Bob (& others who know kua) ‘I am the
author of the message, take it from me’
• Analogous to Alice posting signed document to Bob &
others
•  digital signature by Alice

42. • Scheme prevents Alice disowning message
later
•  She has already ‘signed’ it
• This meets need of ‘non-repudiation’ by Alice
• Public key cryptography  slow & costly
•  Scheme becomes less attractive as
message length increases
• Direct applicability of scheme for digital
signing is of limited scope
• However it forms basis of digital signature
schemes

43. • Combine hashing & cryptography
• Scope of schemes widens
•  A number of other application possibilities
• Hashing provides message authenticity
• Alice prepares hash value
• Encrypts with key – k (private or public)
• Appends encrypted hash value to message,
• Sends the pair to  Figure  

44. • Bob decodes encrypted version of hash value
& recovers hash value proper
• Knowing hashing scheme he generates hash
value locally
• Compares two hash values
•  Two tally  Bob sure of source
authenticity & message authenticity
• Scheme does not offer confidentiality
• If confidentiality is called for,
• Interpose another level of encryption /
decryption with a second key

45. MAC
• Business a store services established customers
• Accept on-line orders & executes
• Process: 
• Use D-H key exchange scheme & share a key
• One key per customer  ‘customer registered’
• Customer prepares order list, hashes, & encrypts hash
• The pair sent to store
• Store decrypts & recovers hash value
• Verifies by local generation & comparison
•  Integrity of order & authenticity of customer 
confirmed
•  Scope of Message Authentication Codes (MACs)

46. • MAC → hashing scheme with a key incorporated
• Attach a key to message
• Hash concatenated combination {kM}
• Eve can corrupt hash value & mislead receiver (Bob)
• → uses an additional message – Me & carries out one
more cycle of hashing
• he = h(h(kM) Me) where h(M) is hash value of M
• Eve sends he to Bob
• Eve can do this even without knowing – k – used by Alice
• Alternative - append key to message as {Mk} & hash
combination → encrypting hash value at final iteration
• Scheme still remains susceptible
• Safer approach → compute key-based hash as in HMAC ↓

47. HMAC
• Hash based Message Authentication Code(HMAC)
• Specified by NIST as FIPS PUB198
• HMAC(K, m) = H((K  opad)  H ((K  ipad )  m))
• K – secret key – (padded with zeros to right to make it B
bytes (say 512 bits) long
• m – text message
• ipad – an inner padding– 0x3636. . 36–repeated B times
•  - XOR operation
•  - Concatenation operation
• opad– outer padding – 0x5c5c. . . 5c – repeated B times
• H –hashing scheme used – typically SHA-1
• HMAC is shown schematically in Figure ↓

48. • Observations:
• (K  opad)  flips half of the bits in key K
• (K  ipad ) flips another selected lot of half the bits in key
• These together → pseudo-random generation of two keys
from K
• Cryptographic strength of HMAC decided by three factors
– Cryptographic strength of underlying hashing scheme
– Size and quality of key
– Size of hash output
• alternatives– like H (K  m), H (m K), H (K  m K) →
vulnerabilities investigated in detail
• Above scheme held as acceptable
• (K  opad) & (K  ipad ) values do not change with the text
document
• pre-compute & store these  once key K is selected
• Use along with message & speed up HMAC generation

49. Block Cipher-Based MAC
• A possible MAC  use private key cryptography
iteratively & generate a MAC value
• Scheme using DES is a NIST standard but not in use any
longer
• Other private key cryptography (like AES) can be used for
necessary security
• Split message → succession of blocks M1, M2, . . , & MN
• Add padding if necessary → aall blocks of same size
• With zero as initial vector encrypt M1 & generate hash
value H1
• Iteratively encrypt M2, . . , & MN → get HN → MAC value
• scheme is conspicuously slower than HMAC

50. Digital SignatureAlgorithm(DSA)
• ElGamel → signature length ~ 2log2p bits
• Security demands underlying DLP to be computationally
infeasible → No. of bits in p > 1000
•  signature will be twice in length
• DSA → ingenious & simplified version of ElGamel
scheme  FIPS standard
• DSA signature -- much smaller in length
• Well suited for implementations in limited sized schemes
• Domain still remains ℤp
• q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders
less than p – selected

51. • Digital signature (DS) satisfies a set of basic needs:
• DS to be identified with Alice who signs it
•  encryption operation  private to Alice.
• Verifiable by Bob / third party (if challenged)
• result of verification process  ‘yes’ or ‘no’ answer
• Verification to be done using public key
•  DS to be implemented using public key
cryptosystem
• Alice signs document – x – using her private key kra
•  generates digital signature
• She sends DS to Bob
• Bob uses public key – kua – of Alice & decrypts
received digital signature
• Verification that ‘it is Alice’s DS’

52. • Similar decryption & verification possible by third party
•  roles of key-pair reversed in contrast to those in
cryptography
• Implicitly assumption  ‘document’ is of restricted size
– typically 160 bits long
• Documents to be signed much longer in practice
•  Adapt public key cryptography scheme for DS
• Suitably tie document to signing & verification
• Attacker should not be able to forge signature
• Neither Bob nor any other party can tamper with it
• Encryption process automatically takes care of this
requirement
•  Only Alice knows private key & without knowledge of
that, such encryption cannot be carried out

53. • Signed cheque used only once & no reuse!
• DS  a similar need
• Incorporate time & date of signing or other
previously agreed nonces in message prior to
signing for DS
• need to make document tamper proof & secure
along with DS
•  Alice encrypts {document: DS}  Figure 
• Bob decrypts -- received encrypted message cum
signature – twice
• First to recover document & digital signature.
• Second to decrypt DS with public key of Alice
• Follow by verification process

54. • tamper-proofing  two possible approaches
• Alice generates DS, append to document, &
encrypt the pair before sending to Bob
• Alternately Alice can encrypt message & send it
along with DS to Bob
• Her Eve can play ‘spoil sport’ once again
• If she gets access to document she can remove
Alice’s DS & replace it with her DS
• Bob believes that document originated from Eve
•  scheme is not recommended for use

55. • Documents to be signed  too long for DS
• Use SHA-1 /RIPEMD-128 & Hash document
•  do DS on hash
• Ensure security of hashing 
• Using hash as token representing document 
• Considered secure for signing purposes
• Adapt public key cryptosystems – RSA / ElGamel
scheme

56. RSA digital signature scheme
• Alice uses her private key & signs
• Her public key–known to Bob & others–is used to verify DS
• Formally  :
• Alice selects primes p & q: Computes product N = pq
• Selects verification exponent v such that gcd(v, (p-1)(q-1))
= 1
• Publishes N & v
• Signing:
• Alice computes exponent s such that sv ≡ 1 (mod (p-1)(q-1))
•  v ≡ s-1(mod (p-1)(q-1))

57. • Using SHA-1 she computes hash value – H – of
document --
• She signs document by computing S ≡ Hs (mod N) &
• Sends pair {document, S} to Bob (/ others)
• Verification:
• Bob (/ others) uses same hashing function as Alice
• Computes hash value – H – of document
• Using received value of S, he computes Sv (mod N)
• verification is successful if H = H’,
• proof already dealt with

58. • Example
• hash value of message to be signed – H = 1000
• Alice selects p = 257 & q = 233
• pq = 59881 & (p-1)(q-1) = 59392
• Alice selects private key  kr = 1957
•  ku ≡ kr
-1(mod 59392) ≡ 57389 (mod 59392)
• DS  10001957≡ 29967(mod 59392)
• Verification:
• 2996757389 ≡ 1000(mod 59392)

59. • Observations:
• Eve can send any bit combination to Bob
• Bob takes extracted version as ‘message’
• This prevented at Alice’s end by ensuring that
only meaningful messages (with enough
redundancy built in) are sent
• The scheme can be used equally effectively
with other hashing functions like RIPEMD-160

60. ElGamel DS scheme
• Scheme differs from corresponding public key
cryptosystem
• Alice selects prime number p & g as its primitive element
• Alice also selects a  ℤp as private key & computes
• b ≡ ga(mod p)
• Set {p, g, b} forms public key of Alice & a is her private key
• Alice selects a random number – k (ephemeral key) – and
computes k-1 (mod p)
• She computes c ≡ gk (mod p)
• H – hash value of document to be signed using SHA-1

61. • Example : hash value of message H = 199
• Alice selects p = 233 & primitive element g ≡ 3 (mod p)
• Alice chooses private key a ≡ 187
• Signing:
• b ≡ ga(mod p) ≡ 77
• Let k ≡ 211  ephemeral key selected by her
• Apply extended Euclidean algorithm
• 211 × 11 – 232 × 10 = 1  211-1 ≡ 11 (mod 232)
• c ≡ 3211 (mod 233) ≡ 94(mod 233)
• d ≡ (199 – 187 × 94)11 (mod 232) ≡ 231(mod 233)
• signature is {94, 231}
• Verification: 7794 ≡ 219(mod 233) & 94231≡ 176(mod 233)
• 219176 ≡ 99(mod 233) & 3199 ≡ 99 (mod 233) → verified

62. Digital SignatureAlgorithm(DSA)
• ElGamel → signature length ~ 2log2p bits
• Security demands underlying DLP to be computationally
infeasible → No. of bits in p > 1000
•  signature will be twice in length
• DSA → ingenious & simplified version of ElGamel
scheme  FIPS standard
• DSA signature -- much smaller in length
• Well suited for implementations in limited sized schemes
• Domain still remains ℤp
• q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders
less than p – selected

63. • Computations done in sub-group ℤq
• g1 with order q in ℤp is used
• signature generation & verification procedure:
• Signing:
• Choose primes p & q such that ql =p-1 where l is an integer
• G → a primitive element of ℤp
• gql ≡ 1 (mod p)  gl has order q in ℤp
• Let g1 = gl
• with a p of 1024 bits, q is selected to be of 160 bits
•  in line with need to generate signature with a 160-bit
hash value (obtained using SHA-1 or RIPEMD-160)
representing document to be signed.
• Select private key – a  ℤq – and compute

64. • Example: p =239 with g = 7 as primitive element in ℤp
• With 119  2 = 238 → q =119 →
• g1 ≡ 49  primitive element in ℤq
• Signing:
• a = 87  ℤq → private key of Alice
• b ≡ 4987 (mod 239) ≡ 144 (mod 239)
• ephemeral key k = 101  ℤq
• Apply extended Euclidean algorithm
• 101  33 – 119  28 =1 → 101-1 ≡ 33 (mod 119)
• c ≡ (49101 (mod 239))(mod 119) ≡ 88
• Let H = 99
• d ≡ (99 + 87  88)  33 (mod 119) ≡ 65 (mod 119)
•  signature is {88, 65}

65. • Verification:
• Applying extended Euclidean algorithm
• 65  11 – 119  6 =1 → 65-1 ≡ 11 (mod 119)
• e1 ≡ 99  11(mod 119) ≡ 18 (mod 119)
• e2 ≡ 88  11(mod 119) ≡ 16 (mod 119)
• 4918 ≡ 220 (mod 239)
• 14416 ≡ 96 (mod 239)
• 4999  14416 ≡ 220  96 (mod 239)
• ≡ 88 (mod 239)
• 88 (mod 119) ≡ 88
• → Signature is verified

66. • Observations:
• In above Example q & p  same order
• In practice order of q much smaller thanthat of p
• (p -- 1024 bits or more ↔ q 160-bit)
• Signing & verification procedures 
• DSA scheme closely follows ElGamel DS scheme
• Computations in DSA scheme in a small sub-group of
ℤp
• level of security provided - practically on par with that
of ElGamel scheme
• Reason → DL problem as infeasible as in ℤp
• DSA scheme directly extended to ECC
• Available as approved Electronic Curve Digital
Signature Algorithm (ECDSA) standard