UNIT 2 IS

Di erence Between Conventional and Digital Signature

Process of Digital Signature:

Initial process:
• The sender uses a signing algorithm to sign the message.
• The message and the signature are sent to the receiver.
• The receiver receives the message and the signature and applies the verifying
algorithm to the combination. If the result is true, the message is accepted; otherwise,
it is rejected.

Adding Keys Concept :

• In a digital signature, the signer uses her private key, applied to a signing algorithm, to
sign the document.
• The veri er, on the other hand, uses the public key of the signer, applied to the
verifying algorithm, to verify the document.
ff
fi
 Reasons why we can’t use secrete(symmetric) key to both sign and verify a signature:
• a secret key is known by only two entities (Alice and Bob, for example). So if Alice
needs to sign another document and send it to Ted, she needs to use another secret key.
• creating a secret key for a session involves authentication, which uses a digital signature.
We have a vicious cycle.
• Bob could use the secret key between himself and Alice, sign a document, send it to Ted,
and pretend that it came from Alice.

Need for Signing the Digest:

• Inef ciency of Asymmetric-Key Cryptosystems: Asymmetric-key cryptosystems,

such as RSA or ECC, are inef cient for long messages due to their computational
complexity.
• Computational Overhead Reduction: Signing the entire message with asymmetric
encryption is time-consuming. Signing a digest, which is shorter, reduces computational
overhead.
• Message Integrity: A digest, derived from the entire message using a cryptographic
hash function, ensures message integrity.
• Security: Signing a digest helps prevent attacks like message tampering during transit.
Attackers cannot produce a valid signature for altered content without the private key
used for signing.
• Veri cation Ef ciency: Verifying the signature of a digest is faster and requires fewer
resources than verifying the signature of the entire message.

Process with signing message digest:

1. Message Digest Creation:

- Alice generates a digest of the message at her site using a hash function. This digest is a
xed-size representation of the message data.

2. Signing the Digest:

- Using her private key, Alice performs cryptographic operations on the message digest,
creating a signature unique to her private key and the message.

3. Sending Message and Signature:

- Alice sends both the original message and the generated signature to Bob.

4. Digest Creation at Receiver's Site:

- Upon receiving the message and signature, Bob generates a digest of the received
message using the same hash function that Alice used.

5. Veri cation Process:

- Bob applies the verifying algorithm, which involves calculations on the received digest,
the signature, and possibly additional factors depending on the system.
fi
fi
fi
fi
fi
fi
6. Authenticity Check:
- The veri cation process assesses the result of the calculations to determine the
authenticity of the signature. If the signature is authentic, the message is accepted;
otherwise, it is rejected.

Services Provided by Digital Signature:

• Message Authentication:
- A secure digital signature scheme, like a secure conventional signature (one that cannot be
easily copied) can provide message authentication (also referred to as data-origin
authentication). Bob can verify that the message is sent by Alice because Alice’s public key
is used in veri cation. Alice’s public key cannot verify the signature signed by Eve’s private
key.

• Message Integrity:
- The integrity of the message is preserved even if we sign the whole message because we
cannot get the same signature if the message is changed. The digital signature schemes
today use a hash function in the signing and verifying algorithms that preserve the integrity
of the message.

• Nonrepudiation:

1. Role of a Trusted Third Party:

- Bob relies on a trusted third party (referred to as "the center" in the text) to
validate the authenticity of Alice's signature.
- This trusted third party acts as an intermediary between Alice and Bob to ensure
the integrity of the communication.

2. Process:
- Alice creates a signature (SA) from her message and sends the message, along
with her identity, Bob's identity, and the signature, to the trusted center.
fi
fi
 - The trusted center veri es Alice's identity and the validity of her public key. It then
veri es the message using Alice's public key to con rm that it indeed came from
her.
- After verifying the message's authenticity, the trusted center saves a copy of the
message, including sender and recipient identities, along with a timestamp, in its
archive.
- The trusted center then uses its private key to create another signature (ST) from
the message and sends the message, the new signature, Alice's identity, and Bob's
identity to Bob.

3. Future Dispute Resolution:

- If Alice later denies sending the message, the trusted center can provide a copy of
the saved message from its archive.
- Bob can compare the message received from Alice with the one saved at the
trusted center. If they match, Alice's denial can be refuted, and she will lose the
dispute.

• Con dentiality:

- A digital signature does not provide con dential communication. If con dentiality is
required, the message and the signature must be encrypted using either a secret-key or
public-key cryptosystem. Figure 13.5 shows how this extra level can be added to a simple
digital signature scheme.
fi
fi
fi
fi
fi
fi
 Attacks on Digital Signature:

• Attack Types:
• Key-Only Attack:
- In the key-only attack, Eve has access only to the public information released by Alice. To
forge a message, Eve needs to create Alice’s signature to convince Bob that the message is
coming from Alice.

• Known-Message Attack:
- In the known-message attack, Eve has access to one or more message-signature pairs. In
other words, she has access to some documents previously signed by Alice. Eve tries to
create another message and forge Alice’s signature on it.

• Chosen-Message Attack:
- In the chosen-message attack, Eve somehow makes Alice sign one or more messages for
her. Eve now has a chosen-message/signature pair. Eve later creates another message, with
the content she wants, and forges Alice’s signature on it.

• Forgery Types:
- If the attack is successful, the result is a forgery.
• Existential Forgery:
- In an existential forgery, Eve may be able to create a valid message-signature pair, but not
one that she can really use. In other words, a document has been forged, but the content is
randomly calculated. This type of forgery is probable, but fortunately Eve cannot bene t
from it very much. Her message could be syntactically or semantically unintelligible.

• Selective Forgery:
- In selective forgery, Eve may be able to forge Alice’s signature on a message with the
content selectively chosen by Eve. Although this is bene cial to Eve, and may be very
detrimental to Alice, the probability of such forgery is low, but not negligible.
fi
fi
 DIGITAL SIGNATURE SCHEMES

1. RSA Digital Signature Scheme:

A. Key Generation:
• Alice chooses two primes p and q
• calculates n = p × q.
• φ(n) = (p − 1) (q − 1).
• chooses e, the public exponent, and calculates d, the private exponent such that
e × d = 1 mod φ(n).
• Private Key of Alice(sender) is d.
• Public Key of Alice(sender) is n and e.

B. Signing Algorithm:
• Alice creates a signature out of the message using her private exponent
S = Md mod n and sends the message and the signature to Bob.

C. Veri cation Algorithm:

• Bob receives M and S. Bob applies Alice’s public exponent to the signature to create
a copy of the message M = Se mod n.
• Bob compares the value of M with the value of M. If the two values are congruent,
Bob accepts the message.
• Proof:
fi
′
′
Attacks on RSA Signature:

• Key-Only Attack:
- Eve has access only to Alice’s public key. Eve intercepts the pair (M, S) and tries to create
another message M such that M ≡ Se (mod n). This problem is as dif cult to solve as the
discrete logarithm problem we saw in Chapter 9. Besides, this is an existential forgery and
normally is useless to Eve.

• Known-Message Attack:
- Assume that Eve has intercepted two message-signature pairs (M1, S1) and (M2, S2) that have
been created using the same private key.Eve can create M = (M1 × M2) mod n, and she can
create S = (S1 × S2) mod n, and fool Bob into believing that S is Alice’s signature on the
message M. This attack, which is sometimes referred to as multiplicative attack, is easy to
launch. However, this is an existential forgery as the message M is a multiplication of two
previous messages created by Alice, not Eve; M is normally useless.
- Proof:

• Chosen-Message Attack:
- This attack also uses the multiplicative property of RSA. Eve can somehow ask Alice to sign
two legitimate messages, M1 and M2, for her and later creates a new message M = M1 × M2.
Eve can later claim that Alice has signed M. The attack is also referred to as multiplicative
attack. This is a very serious attack on the RSA digital signature scheme because it is a
selective forgery (Eve can manipulate M1 and M2 to get a useful M).

RSA Signature on the Message Digest:

A. Signing:
• Alice, the signer, rst uses an agreed-upon hash function to create a digest from the
message, D = h(M).
fi
′
′
fi
 • She then signs the digest, S = Dd mod n.
• The message and the signature are sent to Bob.

B. Veri cation:
• Bob, the veri er, receives the message and the signature.
• He rst uses Alice’s public exponent to retrieve the digest, D = Se mod n.
• He then applies the hash algorithm to the message received to obtain D = h(M).
• Bob now compares the two digests, D and D . If they are congruent to modulo n, he accepts
the message.

Attacks on RSA Signed Digests:

We can have three cases of this attack:
• Key-Only Attack:
- Eve intercepts the pair (S, M) and tries to nd another message M that creates the same digest,
h(M) = h(M ). As we learned in Chapter 11, if the hash algorithm is second preimage resistant,
this attack is very dif cult.

- Eve nds two messages M and M such that h(M) = h(M ). She lures Alice to sign h(M) to nd
S. Now Eve has a pair (M , S) which passes the verifying test, but it is the forgery. We learned
in Chapter 11 that if the hash algorithm is collision resistant, this attack is very dif cult.

- Eve may randomly nd message digest D, which may match with a random signature S. She
then nds a message M such that D = h(M). As we learned in Chapter 11, if the hash function
is preimage resistant, this attack is very dif cult to launch.

• Known-Message Attack:
- Let us assume Eve has two message-signature pairs (M1, S1) and (M2, S2) which have been
created using the same private key. Eve calculates S ≡ S1 × S2. If she can nd a message M
such that h(M) ≡ h(M1) × h(M2), she has forged a new message. However, nding M given
h(M) is very dif cult if the hash algorithm is preimage resistant.

• Chosen-Message Attack:
- Eve can ask Alice to sign two legitimate messages M1 and M2 for her. Eve then creates a new
signature S ≡ S1 × S2. Since Eve can calculate h(M) ≡ h(M1) × h(M2), if she can nd a
message M given h(M), the new message is a forgery. However, nding M given h(M) is very
dif cult if the hash algorithm is preimage resistant.
fi
fi
fi
fi
fi
′
fi
fi
fi
fi
′
′
fi
fi
′
′
′
fi
′
fi
fi
fi
fi
fi
 2. ElGamal Digital Signature Scheme

A. Key Generation:
• Let p be a prime number large enough that the discrete log problem is intractable in Zp*.
• Let e1 be a primitive element in Zp*.
• Alice selects her private key d to be less than p − 1.
• She calculates e2 = e1d
• Public Key is tuple (e1,e2,p).
• Private key is d.

B. Signing Algo:
Alice can sign the digest of a message to any entity, including Bob:
• Alice chooses a secret random number r. Note that although public and private keys can be
used repeatedly, Alice needs a new r each time she signs a new message.
• Alice calculates the rst signature S1 = e1r mod p.
• Alice calculates the second signature S2 = (M − d × S1) × r-1 mod (p − 1), where r-1 is the
multiplicative inverse of r modulo p.
• Alice sends M, S1, and S2 to Bob.

C. Veri cation Algo:

An entity, such as Bob, receives M, S1, and S2, which can be veri ed as follows:
• Bob checks to see if 0 < S1 < p
• Bob checks to see if 0 < S2 < p − 1
• Bob calculates V1 = e1M mod p
• Bob calculates V2 = e2S1 × S1S2 mod p
• If V1 is congruent to V2, the message is accepted; otherwise, it is rejected.
fi
fi
fi
 • Proof:

Forgery in the ElGamal Digital Signature Scheme:

3. Schnorr Digital Signature Scheme
- The problem with the ElGamal digital signature scheme is that p needs to be very large to
guarantee that the discrete log problem is intractable in Zp*. The recommendation is a p of
at least 1024 bits. This could make the signature as large as 2048 bits.

A. Key Generation:
• Alice selects a prime p, which is usually 1024 bits in length.
• Alice selects another prime q, which is the same size as the digest created by the
cryptographic hash function (currently 160 bits, but it many change in the future). The
prime q needs to divide (p − 1). In other words, (p − 1) = 0 mod q.
• Alice chooses e1 to be the qth root of 1 modulo p. To do so, Alice chooses a primitive
element in Zp, e0, and calculates e1 = e0(p-1)/q mod p.
• Alice chooses an integer, d, as her private key
• Alice calculates e2 = e1d mod p.
• Alice’s public key is (e1, e2, p, q);
• Her private key is (d);

B. Signing Algo:
• Alice chooses a random number r. Note that although public and private keys can be
used to sign multiple messages, Alice needs to change r each time she sends a new
message. Note also that r needs to be between 1 and q.
• Alice calculates the rst signature S1 = h(M|e1r mod p). The message is prepended to
the value of e1r mod p; then the hash function is applied to create a digest. Note that
the hash function is not directly applied to the message, but instead is applied to the
concatenation of M and e1r mod p.
• Alice calculates the second signature S2 = r + d × S1 mod q. Note that part of the
calculation of S2 is done in modulo q arithmetic.
• Alice sends M, S1, and S2.
fi
 C. Ver cation Algo:
• Bob calculates V = h (M | e1 S2 e2 −S1 mod p).
• If S1 is congruent to V modulo p, the message is accepted; otherwise, it is rejected.

4. Digital Signature Standard (DSS)

A. Key Generation:
• Alice chooses a prime p, between 512 and 1024 bits in length. The number of bits in p
must be a multiple of 64.
• Alice chooses a 160-bit prime q in such a way that q divides (p − 1).
• Alice uses two multiplication groups <ZP*,x> and <Zq*,x> ; the second is a subgroup
of the rst.
• Alice creates e1 to be the qth root of 1 modulo p (e1p = 1 mod p). To do so, Alice
chooses a primitive element in Zp, e0, and calculates e1 = e0(p-1)/q mod p.
• Alice chooses d as the private key and calculates e2 = e1d mod p.
• Alice’s public key is (e1, e2, p, q)
• Her private key is (d).

B. Signing Algo:
fi
fi
 • Alice chooses a random number r (1 ≤ r ≤ q). Note that although public and private
keys can be chosen once and used to sign many messages, Alice needs to select a new
r each time she needs to sign a new message.
• Alice calculates the rst signature S1 = (e1r mod p) mod q. Note that the value of the
rst signature does not depend on M, the message.
• Alice creates a digest of message h(M).
• Alice calculates the second signature S2 = (h(M) + d S1)r-1 1mod q. Note that the
calculation of S2 is done in modulo q arithmetic.
• Alice sends M, S1, and S2 to Bob.

C. Veri cation Algo:

• Bob checks to see if 0 < S1 < q.
• Bob checks to see if 0 < S2 < q.
• Bob calculates a digest of M using the same hash algorithm used by Alice.
• Bob calculates

• If S1 is congruent to V, the message is accepted; otherwise, it is rejected.

fi
fi
fi
 5. Elliptic Curve Digital Signature Scheme

A. Key Generation:
• Alice chooses an elliptic curve Ep(a, b) with p a prime number.
• Alice chooses another prime number q to be used in the calculation.
• Alice chooses the private key d, an integer.
• Alice chooses e1(…, …), a point on the curve.
• Alice calculates e2(…, …) = d × e1(…, …), another point on the curve.
• Alice’s public key is (a, b, p, q, e1, e2)
• Her private key is d.

B. Signing Algo:
• Alice chooses a secret random number r, between 1 and q − 1.
• Alice selects a third point on the curve, P(u, v) = r × e1 (…, …).
• Alice uses the rst coordinates of P(u, v) to calculate the rst signature S1. This
means S1 = u mod q.
• Alice uses the digest of the message, her private key, and the secret random number
r, and the S1 to calculate the second signature S2 = (h(M) + d × S1) r-1 mod q.
• Alice sends M, S1, and S2.

C. Veri cation Algo:

fi
fi
fi
Variations to Digital Signatures:

1. Time Stamped Signatures:

• Sometimes a signed document needs to be timestamped to prevent it from being replayed by
an adversary. This is called timestamped digital signature scheme.

• For example, if Alice signs a request to her bank, Bob, to transfer some money to Eve, the
document can be intercepted and replayed by Eve if there is no timestamp on the document.

• Including the actual date and time on the documents may create a problem if the clocks are
not synchronized and a universal time is not used.

• One solution is to use a nonce (a one-time random number). A nonce is a number that can be
used only once. When the receiver receives a document with a nonce, he makes a note that
the number is now used by the sender and cannot be used again

2. Blind Signatures:
• Sometimes we have a document that we want to get signed without revealing the
contents of the document to the signer.
• David Chaum has developed some patented blind digital signature schemes for this
purpose.
• The main idea is as follows:
- Bob creates a message and blinds it. Bob sends the blinded message to Alice.
- Alice signs the blinded message and returns the signature on the blinded
message.
- Bob unblinds the signature to obtain a signature on the original message.

• Blind Signatures on RSA Scheme:

- Bob selects a random number, b, and calculates the blinded message B = M × be
mod n. e=Alice Public key and n=modulus and b=blinding factor.
- Alice signs the blinded message using the signing algorithm de ned in the RSA
digital signature Sb = Bd mod n, d=private key of Alice. Sb=signature on blinded
message.
- Bob simply uses the multiplicative inverse of his random number b to remove the
blind from the signature. The signature is S = Sb b-1 mod n.
- Proof:
fi
 3. Undeniable Digital Signatures:
• An undeniable digital signature scheme has three components: a signing algorithm, a
veri cation protocol, and a disavowal protocol.
• The signing algorithm allows Alice to sign a message.
• The veri cation protocol uses the challenge-response mechanism (discussed in
Chapter 14) to involve Alice for verifying the signature.This prevents the duplication
and distribution of the signed message without Alice’s approval.
• The disavowal protocol helps Alice deny a forged signature. To prove that the
signature is a forgery, Alice needs to take part in the disavowal protocol.
fi
fi