Digital signatures are authentication mechanisms that ensure the integrity and source of messages by attaching a code derived from the message's hash and the creator's private key. The document discusses various digital signature models, their security requirements, and different algorithms like ElGamal and DSS, highlighting potential attacks and the significance of using a public-private key infrastructure. It emphasizes the importance of properties such as verifiability by third parties, resistance to forgery, and proper key management to prevent disputes.

1. BYBY
FARAHFARAH
Digital SignaturesDigital Signatures

2. A digital signature isA digital signature is
an authentication mechanism that enables thean authentication mechanism that enables the
creator of a message to attach a code that actscreator of a message to attach a code that acts
as a signatureas a signature. Typically the signature is formed by
taking the hash of the message and encryptingthe hash of the message and encrypting
the message with the creator’s private keythe message with the creator’s private key. The
signature guarantees the source and integrity of the
message.
 The digital signature standard (DSS) is andigital signature standard (DSS) is an
NIST standard that uses the secure hashNIST standard that uses the secure hash
algorithm (SHA).algorithm (SHA).

3. Properties
Message authentication protects two partiesMessage authentication protects two parties
who exchange messages from any third partwho exchange messages from any third party.
However, it does not protect the two parties against
each other. Several forms of dispute between the two
are possible.

4. For example, suppose that John sends an
authenticated message to Mary using one of the
schemes of Figure 12.1. Consider the following
disputes that could arise.
1. Mary may forge a different message and claim that it
came from John. Mary would simply have to create a
message and append an authentication code using the key
that John and Mary share.
2. John can deny sending the message. Because it is
possible for Mary to forge a message, there is no way to
prove that John did in fact send the message.

5. In situations where there is not complete trustIn situations where there is not complete trust
between sender and receiver something more thanbetween sender and receiver something more than
authentication is neededauthentication is needed.
The most attractivesolution to this problem is theThe most attractivesolution to this problem is the
digital signature .digital signature . The digital signature must haveThe digital signature must have
the following properties:the following properties:
It must verify the author and the date and time of theIt must verify the author and the date and time of the
signature.signature.
It must authenticate the contents at the time of the signature.It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes theThus, the digital signature function includes the
authentication functionauthentication function.

6. Digital Signature Model
• Bob can sign a message
using a digital signature
generation algorithm.
•The inputs to the algorithm
are the message and Bob's
private key.
• Alice, can verify the
signature using a
verification algorithm,
whose inputs are the
message. the signature,
and Bob's public key

7. Digital
Signature
Model

8. Attacks and ForgeriesAttacks and Forgeries
Here A denotes the user whose signature is
being attacked and C denotes the attacker
 key-only attack : C only knows A's public key.
 known message attack: C is given access to a
set of messages and signatures.
 generic chosen message attack:
C chooses a list of messages before attempting to
breaks A's signature scheme, independent of A's public
key. C then obtains from A valid signatures for the
chosen messages. The attack is generic because it
does not depend on A's public key; the same attack is
used against everyone.

9.  directed chosen message attack :
Similar to the generic attack, except that the list of
messages is chosen after C knows A's public key but
before signatures are seen.
 adaptive chosen message attack:
C is allowed to use A as an "oracle." This means the A
may request signatures of messages that depend on
previously obtained message-signature pairs.

10. [GOLD 88] then defines success at breaking a
signature scheme as an outcome in which C can do
any of the following with a non-negligible
probability:
Total break: C determines A’s private key.
 Universal forgery: C finds an efficient signing
algorithm that provides an equivalent way of
constructing signatures on arbitrary messages.
Selective forgery: C forges a signature for a
particular message chosen by C.
Existential forgery: C forges a signature for at least
one message. C has no control over the message.
Consequently, this forgery may only be a minor
nuisance to A.

11. Digital Signature RequirementsDigital Signature Requirements
Must be a bit pattern that depend on the message
being signed
must use information unique to sender
 to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
 with new message for existing digital signature
 with fraudulent digital signature for given message
be practical save digital signature in storage

12. Direct Digital SignaturesDirect Digital Signatures
Direct digital signatureDirect digital signature refers to a digital signature
scheme that involves only the communicating parties
(source, destination). It is assumed that the destination
knows the public key of the source.
Confidentiality can be provided by encrypting the entire
message plus signature with a shared secret key (symmetric
encryption).
It is important to perform the signature function first and
then an outer confidentiality function. In case of dispute,
some third party must view the message and its signature

13.  The validity of the scheme just described depends on the security of the
sender’s private key. If a sender later wishes to deny sending a
particular message, the sender can claim that the private key was lost or
stolen and that someone else forged his or her signature Administrative
controls relating to the security of private keys can be employed to
thwart or at least weaken this ploy One example is to require every
signed message to include a timestamp (date and time).
 Another threat is that some private key might actually be stolen from X
at time T. The opponent can then send a message signed with X’s
signature and stamped with a time before or equal to T.
 The universally accepted technique for dealing with these threats is the
use of a digital certificate and certificate authorities

14. ElGamal Digital SignaturesElGamal Digital Signatures
The ElGamal signature schemeThe ElGamal signature scheme involves the use of the
private key for encryption and the public key for decryption
signature variant of ElGamal.
 so uses exponentiation in a finite (Galois)so uses exponentiation in a finite (Galois)
 with security based difficulty of computing discretewith security based difficulty of computing discrete
logarithmslogarithms.
use private key for encryption (signing)
uses public key for decryption (verification)
each user (eg. A) generates their key
 chooses a secret key (number):chooses a secret key (number): 1 <1 < xxAA < q-1< q-1
 compute their public key:compute their public key: yyAA = a= a
xxAA
mod qmod q

15. ElGamal Digital Signature
Alice signs a message M to Bob by computing
 the hashthe hash m = H(M)m = H(M), 0 <= m <= (q-1), 0 <= m <= (q-1)
 chose random integerchose random integer KK withwith 1 <= K <= (q-1)1 <= K <= (q-1)
andand gcd(K,q-1)=1gcd(K,q-1)=1
 compute temporary key:compute temporary key: SS11 = a= a
kk
mod qmod q
 computecompute KK-1-1
the inverse ofthe inverse of K mod (q-1)K mod (q-1)
 compute the value:compute the value: SS22 = K= K-1-1
(m-x(m-xAASS11) mod (q-1)) mod (q-1)
 signature is:signature is:(S(S11,S,S22))
any user B can verify the signature by computing
 VV11 = a= a
mm
mod qmod q
 VV22 = y= yAA
SS11
SS11
SS22
mod qmod q
 signature is valid ifsignature is valid if VV11 = V= V22

16. For example, let us start with the prime field
GF(19); that is, q = 19. It has primitive roots {2, 3,
10, 13, 14, 15}.We choose Alice generates a key pair
as follows: Alice computes her key:
 AA chooseschooses xxAA=16=16 & computes& computes yyAA=10=10
1616
mod 19 = 4mod 19 = 4
Alice signs message with hash m=14 as (3,4):
 choosing randomchoosing random K=5K=5 which haswhich has gcd(18,5)=1gcd(18,5)=1
 computingcomputing SS11 = 10= 10
55
mod 19 = 3mod 19 = 3
 findingfinding KK-1-1
mod (q-1) = 5mod (q-1) = 5-1-1
mod 18 = 11mod 18 = 11
 computingcomputing SS22 = 11(14-16.3) mod 18 = 4= 11(14-16.3) mod 18 = 4
any user B can verify the signature by computing
 VV11 = 10= 10
1414
mod 19 = 16mod 19 = 16
 VV22 = 4= 433
.3.344
= 5184 = 16 mod 19= 5184 = 16 mod 19
 sincesince 1616 = 16= 16 signature is validsignature is valid

17. Schnorr Digital SignaturesSchnorr Digital Signatures
security based on discrete logarithms.
minimizes message dependent computation
 multiplying a 2n-bit integer with an n-bit integer
main work can be done in idle time
have using a prime modulus pp
 p–1p–1 has a prime factorhas a prime factor qq of appropriate sizeof appropriate size
 typicallytypically pp 1024-bit and1024-bit and qq 160-bit numbers160-bit numbers

18. Schnorr Key Setup
choose suitable primeschoose suitable primes pp , q, q
choosechoose aa such thatsuch that aa
qq
= 1 mod p= 1 mod p
(a,p,q)(a,p,q) are global parameters for allare global parameters for all
each user (eg. A) generates a keyeach user (eg. A) generates a key
 chooses a secret key (number):chooses a secret key (number): 0 < s < q0 < s < q
 compute their public key:compute their public key: v = av = a
-s-s
mod qmod q

19. Schnorr SignatureSchnorr Signature
user signs message byuser signs message by
choosing randomchoosing random rr withwith 0<r<q0<r<q and computingand computing x = ax = arr
mod pmod p
concatenate message withconcatenate message with xx and hash result to computing:and hash result to computing: ee
= H(M || x)= H(M || x)
computing:computing: y = (r + se) mod qy = (r + se) mod q
signature is pairsignature is pair (e, y)(e, y)
any other user can verify the signature asany other user can verify the signature as
follows:follows:
computing:computing: x' = ax' = ayy
vvee
mod pmod p
verifying that:verifying that: e = H(M || x’)e = H(M || x’)
x'= ax'= ayy
vvee
= a= ayy
aa
-se-se
=a=ay–sey–se
=a=arr
=x(mod p)=x(mod p)
Hence H(M || x’) = H(M || x)Hence H(M || x’) = H(M || x)

20. Digital Signature Standard (DSS)Digital Signature Standard (DSS)
The National Institute of Standards and
Technology (NIST) has published Federal
Information Processing Standard FIPS 186,
known as the Digital Signature Standard (DSS).
revised in 1993, 1996 & then 2000
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
FIPS 186-2 (2000) includes alternative RSA &
elliptic curve signature variants
DSA is digital signature only unlike RSA
is a public-key technique

21. DSS vs RSA SignaturesDSS vs RSA Signatures

22. Digital Signature Algorithm (DSA)Digital Signature Algorithm (DSA)
creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing
discrete logarithms
variant of ElGamal & Schnorr schemes

23. DSA Key GenerationDSA Key Generation
have shared global public key values (p,q,g):
 choose 160-bit prime number qchoose 160-bit prime number q
 choose a large prime p withchoose a large prime p with 22L-1L-1
<< p < 2p < 2LL
 where L= 512 to 1024 bits and is a multiple of 64
 such that q is a 160 bit prime divisor of (p-1)
 choosechoose g = hg = h(p-1)/q(p-1)/q
 where h is an integer 1<h<p-1 and h(p-1)/q
mod p > 1
users choose private & compute public key:
 choose random private key:choose random private key: x<qx<q
 compute public key:compute public key: y = gy = gxx
mod pmod p

24. DSA Signature CreationDSA Signature Creation
to sign a message M the sender:
 generates a random signature keygenerates a random signature key k, k<qk, k<q
 nb.nb. kk must be random, be destroyed after use, andmust be random, be destroyed after use, and
never be reusednever be reused
then computes signature pair:
r = (gr = (gkk
mod p)mod qmod p)mod q
s = [ks = [k-1-1
(H(M)+ xr)] mod q(H(M)+ xr)] mod q
 sends signaturesends signature (r,s)(r,s) with messagewith message MM

25. DSA Signature VerificationDSA Signature Verification
having received M & signature (r,s)
to verify a signature, recipient computes:
w = sw = s-1-1
mod qmod q
u1= [H(M)w ]mod qu1= [H(M)w ]mod q
u2= (rw)mod qu2= (rw)mod q
v = [(gv = [(gu1u1
yyu2u2
)mod p ]mod q)mod p ]mod q
if v = rv = r then signature is verified .

26. DSS OverviewDSS Overview