A digital signature allows one to verify the identity of the sender of a message and that the message content has not been altered. It involves a key generation algorithm that produces a private key and public key pair. The signing algorithm uses the private key to generate a signature for a message. The signature verification algorithm uses the public key to verify the signature and authenticity of the message. Digital signatures provide security as long as the private key remains confidential to the owner.

1. NISHA MENON K
ROLL NO:16
FISAT
28 July 2014

2. A digital signature is an electronic signature
that can be used to authenticate the identity
of the sender of a message or the signer of a
document, and possibly to ensure that the
original content of the message or document
that has been sent is unchanged.
28 July 2014 2

3. Each individual generates his own key pair
Public key known to everyone
&
Private key only to the owner
Private Key – Used for making Digital
Signature
Public Key – Used to verify the Digital
Signature
28 July 2014 3

4. Digital signatures consists of three Algorithms
 A key generation algorithm that selects a private key uniformly
at random from a set of possible private keys. The algorithm
outputs the private key and a corresponding public key.
 A signing algorithm that, given a message and a private key,
produces a signature.
 A signature verifying algorithm that, given a message, public key
and a signature, either accepts or rejects the message's claim to
authenticity
28 July 2014 4

5. Private key remains confidential with its owner.
28 July 2014 5
Soft token
Smart cards Hardware
tokens

6. 28 July 2014 6

7. It must verify
the author and
the date and
time of the
signature
It must
authenticate
the contents at
the time of the
signature
It must be
verifiable by
third parties,
to resolve
disputes
28 July 2014 7

8. 28 July 2014 8
• C only
knows A’s
public key
Key-only
attack
• C is given
access to a
set of
messages
and their
signatures
Known
message
attack
• C chooses a list
of messages
before
attempting to
break A’s
signature
scheme,
independent of
A’s public key;
C then obtains
from A valid
signatures for
the chosen
messages
Generic
chosen
message attack
• Similar to the
generic attack,
except that the
list of messages
to be signed is
chosen after C
knows A’s public
key but before
any signatures
are seen
Directed chosen
message attack
• C may
request
from A
signatures
of
messages
that
depend on
previously
obtained
message-
signature
pairs
Adaptive
chosen
message
attack
C=Attacker, A=Victim

9. 28 July 2014 9
Total
break
• C
determines
A’s private
key
Universal
forgery
• C finds an
efficient
signing
algorithm
that provides
an equivalent
way of
constructing
signatures
• The attacker
receives a
message m
and produces
a signature s
of m.
Selective
forgery
• C forges a
signature
for a
particular
message
chosen by C
Existenti
al forgery
• C forges a
signature
for at least
one
message; C
has no
control over
the message

10. 28 July 2014 10
The signature must be a bit pattern that depends on the message
being signed
The signature must use some information unique to the
sender to prevent both forgery and denial
It must be relatively easy to produce the digital signature
It must be relatively easy to recognize and verify the digital
signature
It must be computationally infeasible to forge a digital
signature
It must be practical to retain a copy of the digital signature in
storage

11. Refers to a digital signature scheme that involves only the
communicating parties
It is assumed that the destination knows the public key of the
source
Confidentiality can be provided by encrypting the
entire message plus signature with a shared secret key
The validity of the scheme depends on the security of
the sender’s private key
If a sender later wishes to deny sending a particular
message, the sender can claim that the private key was lost
or stolen and that someone else forged his or her signature
One way to thwart or at least weaken this is to require
every signed message to include a timestamp and to
require prompt reporting of compromised keys to a central
authority
28 July 2014 11

12. Use private key for encryption (signing)
Uses public key for decryption (verification)
Global elements are a prime number q and a,
which is a primitive root of q
Each user generates their key
Chooses a secret key (number): 1 < xA < q-1
Compute their public key: yA = axA mod q
28 July 2014 12

13. Alice signs a message M to Bob by computing
the hash m = H(M), 0 <= m <= (q-1)
choose random integer K with 1 <= K <= (q-1)
and gcd(K,q-1)=1
compute temporary key: S1 = a
k
mod q
compute K-1mod (q-1)
compute the value: S2 = K-1(m-xAS1) mod (q-1)
signature is:(S1,S2)
any user B can verify the signature by computing
V1 = a
m
mod q
V2 = yA
S1 S1
S2 mod q
signature is valid if V1 = V2
28 July 2014 13

14. Scheme is based on discrete logarithms
Minimizes the message-dependent amount of
computation required to generate a signature
Main work for signature can be done during the
idle time of the processor
Based on using a prime modulus p, with p – 1
having a prime factor q of appropriate size
Typically p is a 1024-bit number, and q is a 160-bit
number
28 July 2014 14

15. choose suitable primes p , q
choose a such that a
q
= 1 mod p
(a,p,q) are global parameters for all
each user generates a key
chooses a secret key (number): 0 < s < q
compute their public key: v = a
-s
mod q
28 July 2014 15

16. user signs message by
choosing random r with 0<r<q and computing
x = ar mod p(preprocessing)
concatenate message with x and hash result to computing:
e = H(M || x)
computing: y = (r + se) mod q
signature is pair (e, y)
Receiver can verify the signature as follows:
computing: x' = ayve mod p
verifying that: e = H(M || x’)
28 July 2014 16

17. US Govt approved signature scheme
designed by NIST & NSA in early 90's
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
DSA can only be used for digital signature

18.  creates a 320 bit signature
 with 512-1024 bit security
 smaller and faster than RSA
 a digital signature scheme only
 security depends on difficulty of computing discrete
logarithms
 variant of ElGamal & Schnorr schemes

19. 28 July 2014 19

20. have shared global public key values (p,q,g):
choose 160-bit prime number q
choose a large prime p with 2L-1 < p < 2L
where L= 512 to 1024 bits and is a multiple of 64
such that q is a 160 bit prime divisor of (p-1)
choose g = h(p-1)/q
where 1<h<p-1 and h(p-1)/q mod p > 1
users choose private & compute public key:
choose random private key: x<q
compute public key: y = gx mod p

21.  to sign a message M the sender:
 generates a random signature key k, k<q
 k must be random, be destroyed after use, and never be
reused
 then computes signature pair:
r = (gk mod p)mod q
s = [k-1(H(M)+ xr)] mod q
 sends signature (r,s) with message M

22. having received M & signature (r,s)
to verify a signature, recipient computes:
w = s-1 mod q
u1= [H(M)w ]mod q
u2= (rw)mod q
v = [(gu1 yu2)mod p ]mod q
if v=r then signature is verified.

24. A
gning
d
rifying
28 July 2014 24

25. All those participating in the
digital signature scheme use the
same global domain parameters,
which define an elliptic curve and
a point of origin on the curve
A signer must first generate a
public, private key pair
A hash value is generated for the
message to be signed; using the
private key, the domain
parameters, and the hash value, a
signature is generated
To verify the signature, the verifier
uses as input the signer’s public
key, the domain parameters, and
the integer s , the output is a value
v that is compared to r ; the
signature is verified if the v = r
Four elements are
involved:

26. ECDSA Signing and Verifying

27. RSA Probabilistic Signature Scheme
Latest of the RSA schemes and the one that RSA
Laboratories recommends as the most secure of the
RSA schemes
The PSS approach was first proposed by Bellare and
Rogaway
This approach, unlike the other RSA-based schemes,
introduces a randomization process that enables the
security of the method to be shown to be closely
related to the security of the RSA algorithm itself
28 July 2014 27

28. MGF is the building block of RSA PSS
It is a pseudorandom function that has input parameters as a
bit string and desired length L.
Based on SHA-1
Randomization means that some part of an algorithm has a
random input, which causes the output to be different for
equivalent inputs.
Randomization in a protocol is usually done with a so called
salt.
28 July 2014 28

29. The salt usually then has to be shipped along or in
some encoded form within the protocol.
PSS takes the input message and a salt (a random
number) and runs them through a hash function.
This hash H is used as the beginning part of the
output.
28 July 2014 29

30. Then, a mask of H is calculated, which has the length
of the RSA modulus minus the length of H.
This mask is then XOR-ed with the salt (and some
zero padding) and the output will be called
maskedDB.
Then, maskedDB is appended to H to generate the
input for the RSA function
28 July 2014 30

31. 28 July 2014 31
RSA encoding

32. 28 July 2014 32
RSA PSS Verification

33. 28 July 2014 33
Digital signatures
Elgamal digital signature scheme
The DSA approach
• Elliptic curve digital signature algorithm
• Schnorr digital signature scheme
• RSA-PSS