Digital Signature Schemes

• Public key signature schemes

• the private-key signs (creates) signatures, and the public-key verifies signatures

• only the owner (of the private-key) can create the digital signature,
hence it can be used to verify who created a message

• anyone knowing the public key can verify the signature (provided they
are confident of the identity of the owner of the public key - the key distribution
problem)

• usually don't sign the whole message (doubling the size of information
exchanged), but just a hash of the message

• digital signatures can provide non-repudiation of message origin, since

an asymmetric algorithm is used in their creation, provided suitable timestamps
and redundancies are incorporated in the signature

RSA

• RSA encryption and decryption are commutative, hence it may be used

directly as a digital signature scheme

o given an RSA scheme {(e,R), (d,p,q)}

• to sign a message, compute:

o S = Md(mod R)

• to verify a signature, compute:

o M = Se(mod R) = Me.d(mod R) = M(mod R)

• thus know the message was signed by the owner of the public-key

• would seem obvious that a message may be encrypted, then signed using
RSA without increasing it size

o but have blocking problem, since it is encrypted using the

receivers modulus, but signed using the senders modulus (which may be
smaller)
o several approaches possible to overcome this

• more commonly use a hash function to create a separate MDC which is then
signed

El Gamal Signature Scheme

• whilst the ElGamal encryption algorithm is not commutative, a closely

related signature scheme exists

• El Gamal Signature scheme

• given prime p, public random number g, private (key) random number x,

compute

o y = gx(mod p)

• public key is (y,g,p)

o nb (g,p) may be shared by many users

o p must be large enough so discrete log is hard

• private key is (x)

• to sign a message M

o choose a random number k, GCD(k,p-1)=1

o compute a = gk(mod p)

o use extended Euclidean (inverse) algorithm to solve

o M = x.a + k.b (mod p-1)

o the signature is (a,b), k must be kept secret

o (like ElGamal encryption is double the message size)

• to verify a signature (a,b) confirm:

o ya.ab(mod p) = gM(mod p)

Example of ElGamal Signature Scheme

• given p=11, g=2

• choose private key x=8

• compute

o y = gx(mod p) = 28(mod 11) = 3

• public key is y=3,g=2,p=11)

• to sign a message M=5

o choose random k=9

o confirm gcd(10,9)=1

o compute

▪ a = gk(mod p) = 29(mod 11) = 6

o solve

▪ M = x.a+k.b(mod p-1)

▪ 5 = 8.6+9.b(mod 10)

▪ giving b = 3

o signature is (a=6,b=3)

• to verify the signature, confirm the following are correct:

o ya.ab(mod p) = gM(mod p)

o 36.63(mod 11) = 25(mod 11)

DSA (Digital Signature Algorithm)

• DSA was designed by NIST & NSA and is the US federal standard
signature scheme (used with SHA hash alg)

o DSA is the algorithm, DSS is the standard

o There was considerable reaction to its announcement!

▪ debate over whether RSA should have been used

▪ debate over the provision of a signature only alg

• DSA is a variant on the ElGamal and Schnorr algorithms

• description of DSA

o p = 2L a prime number, where L= 512 to 1024 bits and is a multiple of

64

o q a 160 bit prime factor of p-1

o g = h(p-1)/q where h is any number less than p-1 with h(p-1)/q(mod p)> 1

o x a number less than q

o y = gx(mod p)

• to sign a message M

o generate random k, k<q

o compute

▪ r = (gk(mod p))(mod q)

▪ s = k-1.SHA(M)+ x.r (mod q)

o the signature is (r,s)

• to verify a signature:

o w = s-1(mod q)

o u1= (SHA(M).w)(mod q)

o u2= r.w(mod q)

o v = (gu1.yu2(mod p))(mod q)

o if v=r then the signature is verified

• comments on DSA

o was originally a suggestion to use a common modulus, this

would make a tempting target, discouraged
o it is possible to do both ElGamal and RSA encryption using
DSA routines, this was probably not intended :-)

o DSA is patented with royalty free use, but this patent has been
contested, situation unclear

o Gus Simmons has found a subliminal channel in DSA, could

be used to leak the private key from a library - make sure you trust your library
implementer