Chapter 13

Digital Signature
 Requirements
• Message authentication protects two parties who
exchange messages from any third party. However, it
does not protect the two parties against each other.
Several forms of dispute between the two are
possible.

• For example, suppose that ABC sends an

authenticated message to XYZ, using one of the
schemes of figure. Consider the following disputes
that could arise:
1. ABC may forge a different message and claim that it
came from XYZ. Mary would simply have to create a
message and append an authentication code using the
key that ABC and XYZ share.

2. ABC can deny sending the message. Because it is

possible for XYZ to forge a message, there is no way to
prove that XYZ did in fact send the message.

Both scenarios are of legitimate concern.

• Here is an example of the first scenario: An electronic
funds transfer takes place, and the receiver increases
the amount of funds transferred and claims that the
larger amount had arrived from the sender.

• An example of the second scenario is that an electronic

mail message contains instructions to a stockbroker for a
transaction that subsequently turns out badly. The
sender pretends that the message was never sent.
• In situations where there is not complete trust between sender and
receiver, something more than authentication is needed.
• The most attractive solution to this problem is the digital signature.

• The digital signature must have the following properties:

– It must verify the author and the date and time of the signature.
– It must authenticate the contents at the time of the signature.
– It must be verifiable by third parties, to resolve disputes.

• Thus, the digital signature function includes the authentication

function.
Digital Signature Model
 Digital
Signature
Model
 Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
 Attacks and Forgeries
• Attacks ( A user signature is being attacked, and C
denotes attacker )

– key-only attack – C only knows A’s public key

– known message attack – C is given access to set of

messages and its signatures

– generic chosen message attack - C chooses a list of

messages before attempting to breaks A’s signature
scheme, independent of A’s public key. C then obtains from
A valid signatures for the chosen messages.
 Attacks and Forgeries
• Attacks ( A user signature is being attacked, and C
denotes attacker
– directed chosen message attack - Similar to the generic
attack, except that the list of messages to be signed is
chosen after C knows A’s public key but before any
signatures are seen.

– adaptive chosen message attack – C is allowed to use A as

an “oracle.” This means the A may request signatures of
messages that depend on previously obtained message–
signature pairs.
 Attacks and Forgeries
• Attacks ( A user signature is being attacked, and C
denotes attacker
• break success levels
– total break - C determines A’s private key
– Universal forgery: C finds an efficient signing algorithm
that provides an equivalent way of constructing signatures
on arbitrary messages.
– selective forgery – C forges a signature for a particular
message chosen by C.
– existential forgery - C forges a signature for at least one
message. C has no control over the message.
Consequently, this forgery may only be a minor nuisance
to A.
 Digital Signature Requirements
On the basis of the properties and attacks just discussed, we can formulate
the following requirements for a digital signature
• Bit pattern -must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical save digital signature in storage
• A secure hash function, embedded in a scheme such as that of previous
Figure, provides a basis for satisfying these requirements.
 Direct Digital Signatures
• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing
entire message or hash with private-key
• can encrypt using receivers public-key
• important that sign first then encrypt message
& signature
• security depends on sender’s private-key
 Direct Digital Signatures
• The validity of the scheme just described depends on the security
of the sender’s private key.
• If a sender later wishes to deny sending a particular message, the
sender can claim that the private key was lost or stolen and that
someone else forged his or her signature.
• Administrative controls relating to the security of private keys can
be employed to thwart or at least weaken this ploy, but the threat
is still there, at least to some degree.
• One example is to require every signed message to include a
timestamp (date and time) and to require prompt reporting of
compromised keys to a central authority.
• Another threat is that some private key might actually be stolen
from X at time T. The opponent can then send a message signed
with X’s signature and stamped with a time before or equal to T.
• The universally accepted technique for dealing with these threats
is the use of a digital certificate and certificate authorities.
 Arbitrated Digital Signatures
• involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private or
public-key algorithms
• arbiter may or may not see message
 ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois)
– with security based difficulty of computing discrete
logarithms, as in D-H

• use private key for encryption (signing)

• uses public key for decryption (verification)

 ElGamal Digital Signatures
• Elgamal encryption scheme is designed to enable encryption by a
user’s public key with decryption by the user’s private key.
• The Elgamal signature scheme involves the use of the private key
for encryption and the public key for decryption.
• Before proceeding, we need a result from number theory. Recall
from Chapter 8 that for a prime number q, if α is a primitive root of
q, then
α, α2, . . . , αq-1
• are distinct (mod q). It can be shown that, if α is a primitive root of
q, then
1) For any integer m, αm Ξ 1 (mod q) if and only if m Ξ 0(mod q – 1).
2) For any integers, i, j, αiΞαj (mod q) if and only if i Ξ j (mod q -
1).
 ElGamal Digital Signatures
• As with Elgamal encryption, the global elements of Elgamal
digital signature are a prime number q and α, which is a
primitive root of q. User A generates a private/public key pair as
follows.

• To sign a message M, user A first computes the hash m = H(M),

such that m is an integer in the range 0 <= m <= q - 1. A then
forms a digital signature as follows.
ElGamal Digital Signatures
ElGamal Digital Signatures
 ElGamal Digital Signatures
• fd
ElGamal Signature Example
ElGamal Signature Example
 Schnorr Digital Signatures
• Elgamal digital signature scheme, the Schnorr signature scheme is
based on discrete logarithms.
• The Schnorr scheme minimizes the message-dependent amount of
computation required to generate a signature.
• The main work for signature generation does not depend on the
message and can be done during the idle time of the processor.
• The message-dependent part of the signature generation requires
multiplying a 2n-bit integer with an n-bit integer.
• The scheme is based on using a prime modulus p, with p - 1 having
a prime factor q of appropriate size; that is, p - 1 Ξ (mod q).
• Typically, we use p ≈ 21024 and q ≈ 2160. Thus, p is a 1024-bit
number, and q is a 160-bit number, which is also the length of the
SHA-1 hash value.
 Schnorr Key Setup
• The first part of this scheme is the generation of
a private/public key pair, which consists of the
following steps.
Schnorr Signature
 Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic
curve signature variants
• DSA is digital signature only unlike RSA
• is a public-key technique
DSS vs RSA Signatures
 Digital Signature Algorithm (DSA)

• creates a 320 bit signature

• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing
discrete logarithms
• variant of ElGamal & Schnorr schemes
 DSA Key Generation
• have shared global public key values (p,q,g):
– choose 160-bit prime number q
– choose a large prime p with 2L-1 < p < 2L
• where L= 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
– choose g = h(p-1)/q
• where 1<h<p-1 and h(p-1)/q mod p > 1
• users choose private & compute public key:
– choose random private key: x<q
– compute public key: y = gx mod p
 DSA Signature Creation
• to sign a message M the sender:
• generates a random signature key k, k<q
• nb. k must be random, be destroyed after use,
and never be reused
• then computes signature pair:
• r = (gk mod p)mod q
• s = [k-1(H(M)+ xr)] mod q
• sends signature (r,s) with message M
 DSA Signature Verification
• having received M & signature (r,s)
• to verify a signature, recipient computes:
w = (s’)-1 mod q
u1= [H(M’)w ]mod q
u2= (r’)wmod q
v = [(gu1 yu2)mod p ]mod q
• if v=r then signature is verified
• see Appendix A for details of proof why
DSS Overview
 Summary
• have discussed:
– digital signatures
– authentication protocols (mutual & one-way)
– digital signature algorithm and standard