Uploaded byAliAshraf68199
PPTX, PDF6 views

digital Information BD.pptx

- A digital signature allows the holder of a secret key to sign a document, and anyone with the public verification key can verify the signature is valid and correct. It is not possible to forge a signature even with the verification key. - A digital signature scheme (DSS) involves key generation, signing messages with the secret key, and verifying signatures with the public key. It satisfies correctness, meaning signatures can be verified, and unforgeability, meaning signatures cannot be forged. - While message authentication codes (MACs) also provide signature functionality by signing with a secret key, they are not considered true signatures because verification may not be possible without the secret key. Signatures use public/private key pairs to

Embed presentation

Download to read offline
Motijheel Dhaka bangladesh
What is a digital signature • A digital signature allows the holder of the secret key (the signing key) to sign a document • Everyone who knows the verification key can verify that the signature is valid (correctness) • No one can forge a signature even given the verification key even though he is given a signature
Structure of digital signature • 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
Structure of digital signature scheme (DSS) • 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1} • Correctness • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚) = 1 • Unforgeability • To be continued
DSS VS MAC • 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1} • 𝐺𝑒𝑛 1𝑛 → 𝑘 • 𝑚𝑎𝑐𝑘 𝑚 → 𝑡 • v𝑒𝑟𝑘 𝑚, 𝑡 → {0,1}
Mac forgery game M ← {} 𝑚′ 𝑡′ k ∈𝑅 0,1 𝑠 (𝑚, 𝑡) Wins if • 𝑚 ∉ 𝑀 • 𝑣𝑒𝑟𝑖𝑓𝑦 𝑚, 𝑡 = 1 𝑡′ ← 𝑚𝑎𝑐𝑘(𝑚′) M ← 𝑀 ∪ {𝑚′} Repeat as many times as the adversary wants
Signature forgery game M ← {} 𝑚′ 𝑠𝑖𝑔′ 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛(1𝑠 ) (𝑚, 𝑠𝑖𝑔) Wins if • 𝑚 ∉ 𝑀 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 = 1 𝑠𝑖𝑔′ ← 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚′) M ← 𝑀 ∪ {𝑚′} Repeat as many times as the adversary wants 𝑣𝑘
Definition of signature scheme • Correctness: • Pr 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 1 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛 1𝑠 = 1 • Unforgeability • For all PPT adversary 𝐴, there exists negligible function 𝜇, • Pr 𝐴 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑠𝑖𝑔𝑛𝑎𝑡𝑢𝑟𝑒 𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑔𝑎𝑚𝑒 ≤ 𝜇(𝑛)
Relation between macs and signatures • Every signature scheme is a message authentication code. • A mac scheme is not necessarily a signature. • Without the key, it may be impossible to verify a mac.
Signatures are expensive • They require public-key operations for each signature you wish to do. • Hash functions are relatively cheap
Hash and sign • Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following • 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘 ′ (𝐻 𝑚 ) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 ′ 𝐻 𝑚 , 𝑠𝑖𝑔 = 1
Security of hash and sign • Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following • 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘 ′ (𝐻 𝑚 ) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑠𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦′ 𝐻 𝑚 , 𝑠𝑖𝑔 = 1 • Essentially the same proof as hash and mac • Breaking security of this scheme means • Finding a collision • Finding a signature on an unsigned message
Interesting property of plaintext RSA • 𝑠𝑘, 𝑝𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛 1𝑠 ⇒ 𝐸𝑛𝑐𝑝𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚 • Due to the fact that 𝑚𝑒 𝑑 = 𝑚𝑑 𝑒 = 𝑚𝑒𝑑
RSA signature scheme • Let (𝐾𝑒𝑦𝑔𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐) denote the RSA encryption scheme • 𝐺𝑒𝑛 1𝑠 ≔ {𝑠𝑘 ← 𝑠𝑘′, 𝑣𝑘 ← 𝑝𝑘 ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝐸𝑛𝑐𝑣𝑘 𝑠𝑖𝑔 = 𝑚
Insecure RSA signature scheme • 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚𝑑 𝑒 = 𝑚𝑒⋅𝑑 = 𝑚
Secure RSA signature scheme • Assumptions • Random oracle 𝐻 (Hash function modeled as a random oracle • 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are prime • 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′ , 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐻 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) • 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) = (𝐻(𝑚))𝑑 𝑒 𝑚𝑜𝑑 𝑛 • (𝐻(𝑚))𝑑 𝑒 𝑚𝑜𝑑 𝑛 = 𝐻(𝑚)𝑒⋅𝑑 𝑚𝑜𝑑 𝜙(𝑛) (𝑚𝑜𝑑 𝑛) = 𝐻(𝑚)
Schnorr signature scheme • Based on • Group G • Generator 𝑔 for G • Random oracle 𝐻 • Discrete logarithm
Schnorr signature scheme • Requirement: Group 𝐺, 𝐺 = 𝑞, generator 𝑔, random oracle 𝐻 • 𝐺𝑒𝑛 1𝑠 • 𝑠𝑘 ∈𝑅 𝐺 • 𝑣𝑘 ← 𝑔𝑠𝑘 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘(𝑚, 𝑠𝑖𝑔) • 𝑎, 𝑠 ← 𝑠𝑖𝑔 • u ← 𝑔𝑠 ⋅ 𝑣𝑘−𝑎 • Output 𝐻 𝑢, 𝑚 = 𝑎 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 • 𝑏 ∈𝑅 𝑍|𝐺| • 𝑢 ← 𝑔𝑏 • 𝑎 ← 𝐻(𝑢, 𝑚) • 𝑠 ← 𝑎 ⋅ 𝑠𝑘 + 𝑏 (𝑚𝑜𝑑 𝑞) • Output (𝑎, 𝑠)

More Related Content

PPTX
digital Information.pptx
byAliAshraf68199
 
PPTX
digital10.pptx
byAliAshraf68199
 
PPTX
module_14_digital_signatures.pptx
byMehediHasanShaon1
 
PPTX
digital signatures10.pptx
byAliAshraf68199
 
PPTX
digital signatures.pptx
byAliAshraf68199
 
PPTX
digital signatures1.pptx
byAliAshraf68199
 
PPTX
module_14_digital_signatures (1).pptx
byAliAshraf68199
 
PPSX
Digital signature
byNisha Menon K
 
digital Information.pptx
byAliAshraf68199
 
digital10.pptx
byAliAshraf68199
 
module_14_digital_signatures.pptx
byMehediHasanShaon1
 
digital signatures10.pptx
byAliAshraf68199
 
digital signatures.pptx
byAliAshraf68199
 
digital signatures1.pptx
byAliAshraf68199
 
module_14_digital_signatures (1).pptx
byAliAshraf68199
 
Digital signature
byNisha Menon K
 

Similar to digital Information BD.pptx

PPT
Introduction to Digital signatures
byRohit Bhat
 
PPTX
Elgamal & schnorr digital signature scheme copy
byNorth Cap University (NCU) Formely ITM University
 
PPT
Information and data security digital signatures
byMazin Alwaaly
 
PPTX
Information and network security 45 digital signature standard
byVaibhav Khanna
 
PPT
Digital Signature.ppt
bySABITHARASSISTANTPRO
 
PPT
Digital Signature in CryptographyElgammal
byJPrince9
 
PPT
CHAPTER 09 - Digital signatures.ppt
bySAJADESKANDARI1
 
PDF
chap13-digitalsignature.pdf
byShilpachaudhari10
 
PPTX
DxcvbnfghjkyuiuhgfxsertyhjnbvcdertyuSS.pptx
byShreya253063
 
PPT
cryptographyyyyyy bookk william stalling
byseemamehlalockdown
 
PPTX
Digital signatures Algoirthm - Elgamal, RSA, DSS
bybhuvanakdu
 
PPTX
DSIGnatures in advanced cryptography.pptx
byRameezMRz
 
PPT
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
PPT
various Digital signatures algorithms.ppt
byhodai16
 
PPT
Key Digital Signatures
byphanleson
 
PPTX
Information and network security 44 direct digital signatures
byVaibhav Khanna
 
PPTX
Digital signature and it's real time app
byJenishLavji
 
PPT
Digital signature
bySadhana28
 
PPT
Elgamal Digital Signature
bySou Jana
 
PPT
digital_sign_interview.ppt
byjayarao21
 
Introduction to Digital signatures
byRohit Bhat
 
Elgamal & schnorr digital signature scheme copy
byNorth Cap University (NCU) Formely ITM University
 
Information and data security digital signatures
byMazin Alwaaly
 
Information and network security 45 digital signature standard
byVaibhav Khanna
 
Digital Signature.ppt
bySABITHARASSISTANTPRO
 
Digital Signature in CryptographyElgammal
byJPrince9
 
CHAPTER 09 - Digital signatures.ppt
bySAJADESKANDARI1
 
chap13-digitalsignature.pdf
byShilpachaudhari10
 
DxcvbnfghjkyuiuhgfxsertyhjnbvcdertyuSS.pptx
byShreya253063
 
cryptographyyyyyy bookk william stalling
byseemamehlalockdown
 
Digital signatures Algoirthm - Elgamal, RSA, DSS
bybhuvanakdu
 
DSIGnatures in advanced cryptography.pptx
byRameezMRz
 
CHAPTER 09 - Digital signatures cryptography note
bySherin Wilson
 
various Digital signatures algorithms.ppt
byhodai16
 
Key Digital Signatures
byphanleson
 
Information and network security 44 direct digital signatures
byVaibhav Khanna
 
Digital signature and it's real time app
byJenishLavji
 
Digital signature
bySadhana28
 
Elgamal Digital Signature
bySou Jana
 
digital_sign_interview.ppt
byjayarao21
 

Recently uploaded

PPTX
SQL - Basics of Databases 101 Learning.pdf
byJainnS
 
PDF
CodeMate_Autonomous_Engineering_Documents.pdf
byssuserc287c9
 
PPTX
Population & Sample in Bio-Statistics for Allied Health Science
byEzhumalaiG3
 
PDF
Documenting Architectural Styles using CIDOC- CRM
bymagas4
 
PDF
Machine learning genrative AI and agents
bysakingul
 
PDF
Doctoral of Philosophy Thesis Defense Slides
bysuchanadatta3
 
PDF
Data Processing (2026)
byOptymyze
 
PPTX
PPT sidang disertasi terbuka terbaru.pptx
byRifaiteguhSaputra
 
PDF
SFBA Splunk Usergroup meeting Jan 21, 2026
byBecky Burwell
 
PDF
Let's build machine learning CNN in RUST + bonus_ ML in water meter with ESP...
byMarcin Bielak
 
PDF
Real Estate Data Analytics: Unlock Smarter Investment Decisions with Leni
byLeni Analyst
 
PDF
Trends and Predictions 2026_Reuters Institute
bydominikamizerska1
 
PDF
Powering_AI-Ready_MySQL_MyVector_ProxySQL_v3.pptx.pdf
byAlkin Tezuysal
 
PDF
Introduction to R Programming for Data Analysis and Statistics
byNusrat Gulbarga
 
PDF
MedGard - OBGYN for SMLE Exam presentation
bydrpreehaaslam
 
PDF
Probability and random process project report
bydatomaf343
 
PPTX
normal labor normal labor normal labor normal labor normal labor normal labor...
bymeksbaba1
 
PPTX
[DSC Europe 25] Josip Saban - Career building for data professionals.pptx
byDataScienceConferenc1
 
PPTX
gas chromatograohy by Rasha Ibrahim.pptx
byri7061584
 
PDF
Modeling Styles of Vernacular Architecture using CIDOC CRM
bymagas4
 
SQL - Basics of Databases 101 Learning.pdf
byJainnS
 
CodeMate_Autonomous_Engineering_Documents.pdf
byssuserc287c9
 
Population & Sample in Bio-Statistics for Allied Health Science
byEzhumalaiG3
 
Documenting Architectural Styles using CIDOC- CRM
bymagas4
 
Machine learning genrative AI and agents
bysakingul
 
Doctoral of Philosophy Thesis Defense Slides
bysuchanadatta3
 
Data Processing (2026)
byOptymyze
 
PPT sidang disertasi terbuka terbaru.pptx
byRifaiteguhSaputra
 
SFBA Splunk Usergroup meeting Jan 21, 2026
byBecky Burwell
 
Let's build machine learning CNN in RUST + bonus_ ML in water meter with ESP...
byMarcin Bielak
 
Real Estate Data Analytics: Unlock Smarter Investment Decisions with Leni
byLeni Analyst
 
Trends and Predictions 2026_Reuters Institute
bydominikamizerska1
 
Powering_AI-Ready_MySQL_MyVector_ProxySQL_v3.pptx.pdf
byAlkin Tezuysal
 
Introduction to R Programming for Data Analysis and Statistics
byNusrat Gulbarga
 
MedGard - OBGYN for SMLE Exam presentation
bydrpreehaaslam
 
Probability and random process project report
bydatomaf343
 
normal labor normal labor normal labor normal labor normal labor normal labor...
bymeksbaba1
 
[DSC Europe 25] Josip Saban - Career building for data professionals.pptx
byDataScienceConferenc1
 
gas chromatograohy by Rasha Ibrahim.pptx
byri7061584
 
Modeling Styles of Vernacular Architecture using CIDOC CRM
bymagas4
 

digital Information BD.pptx

  • 1.
  • 2.
    What is adigital signature • A digital signature allows the holder of the secret key (the signing key) to sign a document • Everyone who knows the verification key can verify that the signature is valid (correctness) • No one can forge a signature even given the verification key even though he is given a signature
  • 3.
    Structure of digitalsignature • 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1}
  • 4.
    Structure of digitalsignature scheme (DSS) • 𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1} • Correctness • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚) = 1 • Unforgeability • To be continued
  • 5.
    DSS VS MAC •𝐺𝑒𝑛 1𝑛 → (𝑠𝑘, 𝑣𝑘) • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 → 𝑠𝑖𝑔 • 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑠𝑖𝑔 → {0,1} • 𝐺𝑒𝑛 1𝑛 → 𝑘 • 𝑚𝑎𝑐𝑘 𝑚 → 𝑡 • v𝑒𝑟𝑘 𝑚, 𝑡 → {0,1}
  • 6.
    Mac forgery game M← {} 𝑚′ 𝑡′ k ∈𝑅 0,1 𝑠 (𝑚, 𝑡) Wins if • 𝑚 ∉ 𝑀 • 𝑣𝑒𝑟𝑖𝑓𝑦 𝑚, 𝑡 = 1 𝑡′ ← 𝑚𝑎𝑐𝑘(𝑚′) M ← 𝑀 ∪ {𝑚′} Repeat as many times as the adversary wants
  • 7.
    Signature forgery game M← {} 𝑚′ 𝑠𝑖𝑔′ 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛(1𝑠 ) (𝑚, 𝑠𝑖𝑔) Wins if • 𝑚 ∉ 𝑀 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 = 1 𝑠𝑖𝑔′ ← 𝑆𝑖𝑔𝑛𝑠𝑘(𝑚′) M ← 𝑀 ∪ {𝑚′} Repeat as many times as the adversary wants 𝑣𝑘
  • 8.
    Definition of signaturescheme • Correctness: • Pr 𝑉𝑒𝑟𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 1 𝑠𝑘, 𝑣𝑘 ← 𝐺𝑒𝑛 1𝑠 = 1 • Unforgeability • For all PPT adversary 𝐴, there exists negligible function 𝜇, • Pr 𝐴 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑠𝑖𝑔𝑛𝑎𝑡𝑢𝑟𝑒 𝑓𝑜𝑟𝑔𝑒𝑟𝑦 𝑔𝑎𝑚𝑒 ≤ 𝜇(𝑛)
  • 9.
    Relation between macsand signatures • Every signature scheme is a message authentication code. • A mac scheme is not necessarily a signature. • Without the key, it may be impossible to verify a mac.
  • 10.
    Signatures are expensive •They require public-key operations for each signature you wish to do. • Hash functions are relatively cheap
  • 11.
    Hash and sign •Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following • 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘 ′ (𝐻 𝑚 ) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 ′ 𝐻 𝑚 , 𝑠𝑖𝑔 = 1
  • 12.
    Security of hashand sign • Let (𝐺𝑒𝑛′, 𝑆𝑖𝑔𝑛′, 𝑉𝑒𝑟𝑖𝑓𝑦′) be a signature scheme and let 𝐻 be a collision resistant hash function, then the following • 𝐺𝑒𝑛 1𝑠 ≔ 𝐺𝑒𝑛′ 1𝑠 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝑆𝑖𝑔𝑛𝑠𝑘 ′ (𝐻 𝑚 ) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑠𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝑉𝑒𝑟𝑖𝑓𝑦′ 𝐻 𝑚 , 𝑠𝑖𝑔 = 1 • Essentially the same proof as hash and mac • Breaking security of this scheme means • Finding a collision • Finding a signature on an unsigned message
  • 13.
    Interesting property ofplaintext RSA • 𝑠𝑘, 𝑝𝑘 ← 𝐾𝑒𝑦𝐺𝑒𝑛 1𝑠 ⇒ 𝐸𝑛𝑐𝑝𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚 • Due to the fact that 𝑚𝑒 𝑑 = 𝑚𝑑 𝑒 = 𝑚𝑒𝑑
  • 14.
    RSA signature scheme •Let (𝐾𝑒𝑦𝑔𝑒𝑛, 𝐸𝑛𝑐, 𝐷𝑒𝑐) denote the RSA encryption scheme • 𝐺𝑒𝑛 1𝑠 ≔ {𝑠𝑘 ← 𝑠𝑘′, 𝑣𝑘 ← 𝑝𝑘 ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑠𝑖𝑔 ≔ 𝐸𝑛𝑐𝑣𝑘 𝑠𝑖𝑔 = 𝑚
  • 15.
    Insecure RSA signaturescheme • 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′, 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 • 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝑚 = 𝑚𝑑 𝑒 = 𝑚𝑒⋅𝑑 = 𝑚
  • 16.
    Secure RSA signaturescheme • Assumptions • Random oracle 𝐻 (Hash function modeled as a random oracle • 𝑛 = 𝑝𝑞 where 𝑝, 𝑞 are prime • 𝐺𝑒𝑛 1𝑠 ≔ { 𝑣𝑘 ← 𝑝𝑘, 𝑠𝑘 ← 𝑠𝑘′ ∣ 𝑠𝑘′ , 𝑝𝑘′ ← 𝐾𝑒𝑦𝑔𝑒𝑛 1𝑠 } • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘 𝑚, 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 ≔ 𝐻 𝑚 = 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) • 𝐸𝑛𝑐𝑣𝑘 𝐷𝑒𝑐𝑠𝑘 𝐻(𝑚) = (𝐻(𝑚))𝑑 𝑒 𝑚𝑜𝑑 𝑛 • (𝐻(𝑚))𝑑 𝑒 𝑚𝑜𝑑 𝑛 = 𝐻(𝑚)𝑒⋅𝑑 𝑚𝑜𝑑 𝜙(𝑛) (𝑚𝑜𝑑 𝑛) = 𝐻(𝑚)
  • 17.
    Schnorr signature scheme •Based on • Group G • Generator 𝑔 for G • Random oracle 𝐻 • Discrete logarithm
  • 18.
    Schnorr signature scheme •Requirement: Group 𝐺, 𝐺 = 𝑞, generator 𝑔, random oracle 𝐻 • 𝐺𝑒𝑛 1𝑠 • 𝑠𝑘 ∈𝑅 𝐺 • 𝑣𝑘 ← 𝑔𝑠𝑘 • 𝑉𝑒𝑟𝑖𝑓𝑦𝑣𝑘(𝑚, 𝑠𝑖𝑔) • 𝑎, 𝑠 ← 𝑠𝑖𝑔 • u ← 𝑔𝑠 ⋅ 𝑣𝑘−𝑎 • Output 𝐻 𝑢, 𝑚 = 𝑎 • 𝑆𝑖𝑔𝑛𝑠𝑘 𝑚 • 𝑏 ∈𝑅 𝑍|𝐺| • 𝑢 ← 𝑔𝑏 • 𝑎 ← 𝐻(𝑢, 𝑚) • 𝑠 ← 𝑎 ⋅ 𝑠𝑘 + 𝑏 (𝑚𝑜𝑑 𝑞) • Output (𝑎, 𝑠)