
Announcements: Questions? This week: Digital signatures, DSA. DTTF/NB479: Dszquphsbqiz, Day 29.

Dec 22, 2015

Page 1

Announcements:
  Questions?
This week:
  Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz, Day 29

Page 2

Why are digital signatures important?

Compare with paper signatures
Danger: Eve would like to use your signature on other documents!
Solution: sig = f(m, user)
  Let m be the message (document)

Algorithms we’ll study:
  RSA
  ElGamal
  DSA (Digital Signature Algorithm)

Page 3

RSA Signatures

Alice chooses:
  p, q, n = pq,
  e: gcd(e, (p-1)(q-1)) = 1,
  d: ed ≡ 1 (mod (p-1)(q-1)) [d is the “pen” Alice uses]
Publishes n, e [“glasses” Bob uses to see the writing]

Alice’s signature uses the decryption exponent:
  y ≡ m^d (mod n). Delivers (m, y)

Bob’s verification:
  Does m ≡ y^e (mod n)?

Show the verification works.
Note that given only the signature y, and public info e and n, Bob can compute the message, m.

1

Page 4

RSA Signatures

Alice chooses:
  p, q, n = pq,
  e: gcd(e, (p-1)(q-1)) = 1,
  d: ed ≡ 1 (mod (p-1)(q-1))
Publishes n, e

Alice’s signature:
  y ≡ m^d (mod n). Delivers (m, y)

Bob’s verification:
  Does m ≡ y^e (mod n)?

Eve’s schemes:
  Can she use Alice’s signature on a different document, m_1?
  Can she compute a new y_1, so that m_1 = y_1^e?
  Can she choose a new y_1 first, then compute m_1 = y_1^e?

2

Page 5

Blind Signature

Alice chooses:
  p, q, n = pq,
  e: gcd(e, (p-1)(q-1)) = 1,
  d: ed ≡ 1 (mod (p-1)(q-1))
Publishes n, e

Bob wants m signed
Bob chooses:
  k: random, gcd(k, n) = 1
Bob sends: t ≡ k^e m (mod n)

Alice’s signature:
  s ≡ t^d (mod n).

Bob’s verification:
  Computes s k^-1

Bob wants Alice to sign a document as a method of time-stamping it, but doesn’t want to release the contents yet.

Verification:
  Find s k^-1 in terms of m
  What is the significance of this?

Why can’t Alice read m?
What’s the danger to Alice of a blind signature?

3-4
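An added example (not part of the original slides) that runs the RSA signature, Eve's third scheme and the blind signature from the slides above on toy numbers. The primes, e, the sample values and all function names are constructed for illustration.

```python
# Added example: textbook RSA signing on constructed toy parameters.
from math import gcd

p, q = 1009, 1013                  # toy primes (constructed), far too small for real use
n, phi = p * q, (p - 1) * (q - 1)
e = 17                             # public exponent, gcd(e, phi) = 1
assert gcd(e, phi) == 1
d = pow(e, -1, phi)                # secret exponent: e*d ≡ 1 (mod phi)

def sign(m):
    """Alice: y ≡ m^d (mod n)."""
    return pow(m, d, n)

def verify(m, y):
    """Bob: y^e ≡ m^(d*e) ≡ m (mod n), so compare m with y^e."""
    return m % n == pow(y, e, n)

def pair_from_chosen_y(y1):
    """Eve's third scheme: pick y1, set m1 = y1^e. The pair verifies
    without d, but Eve has no control over what m1 says."""
    return pow(y1, e, n), y1

def blind(m, k):
    """Bob: t ≡ k^e * m (mod n) hides m behind the random factor k^e."""
    if gcd(k, n) != 1:
        raise ValueError("k must be invertible mod n")
    return pow(k, e, n) * m % n

def unblind(s, k):
    """Bob: s*k^-1 ≡ (k^e m)^d k^-1 ≡ k m^d k^-1 ≡ m^d (mod n)."""
    return s * pow(k, -1, n) % n

def demo(m=424242, k=54321):
    t = blind(m, k)                # what Alice sees; differs from m
    s = sign(t)                    # Alice signs without reading m
    y = unblind(s, k)              # a valid signature on m itself
    return t != m, y == sign(m), verify(m, y)
```

The result of `demo()` shows the danger to Alice: she ends up with a valid signature on an m she never saw.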

Page 6

ElGamal Signatures

Many different valid signatures for a given message
But verification doesn’t reveal m.

Alice chooses:
  p, primitive root , ≡ ^a (mod p)
  Publishes (p, ), keeps a secret

Alice’s signature:
  Chooses k: random, gcd(k, p-1) = 1
  Sends (m, (r, s)), where:
    r ≡ ^k (mod p)
    s ≡ k^-1 (m – ar) (mod p-1)

Bob’s verification:
  Does ^r r^s ≡ ^m (mod p)?

Page 7

ElGamal Signatures

Many different valid signatures for a given message

Alice chooses:
  p, primitive root , secret a, and ≡ ^a (mod p)
  Publishes (p, ), keeps a secret

Alice’s signature:
  Chooses k: random, gcd(k, p-1) = 1
  Sends m, (r, s), where:
    r ≡ ^k (mod p)
    s ≡ k^-1 (m – ar) (mod p-1)

Bob’s verification:
  Does ^r r^s ≡ ^m (mod p)?

Notice that one can’t compute m from (r, s).

Show the verification works.

Why can’t Eve apply the signature to another message?
If Eve learns a, she can forge the signature

Note: Alice needs to randomize k each time, else Eve can recognize this, and can compute k and a relatively quickly.

5-7
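An added example (not part of the original slides) of ElGamal signing and verification, with an audit for a repeated k and the reason the slide's note calls reuse dangerous. The names g (primitive root) and b (published value) are assumptions, since the slide's own symbols did not survive; the toy prime and sample values are constructed.

```python
# Added example: ElGamal signatures on constructed toy parameters.
from math import gcd

p, g = 467, 2            # toy prime and a primitive root mod p ("g" is an assumed name)
a = 127                  # Alice's secret exponent
b = pow(g, a, p)         # published value ("b" is an assumed name)

def sign(m, k):
    """Return (r, s) with r = g^k mod p and s = k^-1 (m - a r) mod (p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(g, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s

def verify(m, r, s):
    """Bob's check with public values only:
    b^r * r^s = g^(a r + k s) = g^m (mod p)."""
    if not 0 < r < p:
        return False
    return pow(b, r, p) * pow(r, s, p) % p == pow(g, m, p)

def reused_k(sigs):
    """Audit (m, r, s) triples: an r seen twice means the same k was used."""
    seen, hits = {}, []
    for m, r, s in sigs:
        if r in seen and seen[r] != (m, s):
            hits.append((seen[r], (m, s)))
        seen.setdefault(r, (m, s))
    return hits

def secret_from_reuse(m1, s1, m2, s2, r):
    """Why reuse is fatal: s_i * k = m_i - a r (mod p-1) shares k and a.
    Covers only the simple case where s1-s2 and r are invertible mod p-1."""
    q = p - 1
    k = (m1 - m2) * pow((s1 - s2) % q, -1, q) % q
    return k, (m1 - k * s1) * pow(r, -1, q) % q
```

Signing the same m with a different k gives a different but equally valid (r, s), which is the slide's "many different valid signatures" point.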