BCSE309L – Cryptography and Network Security
MODULE-5
Digital Signature
• Digital Signature: a data string which associates a message
with some originating entity.
• Digital Signature Scheme: for each key, there is a SECRET
signature generation algorithm and a PUBLIC verification
algorithm.
• Services provided:
• Authentication
• Data integrity
• Non-Repudiation (MAC does not provide this.)
Non-repudiation means a user cannot deny (repudiate) having
performed a transaction. It combines authentication and integrity:
non-repudiation authenticates the identity of a user who performs a
transaction, and ensures the integrity of that transaction.
Digital Signature
Goals:
• Total break: adversary is able to find the secret for signing, so
he can then forge any signature on any message.
• Selective forgery: adversary is able to create valid signatures on
a message chosen by someone else, with a significant probability.
• Existential forgery: adversary can create a pair (message,
signature), such that the signature of the message is valid.
• A signature scheme cannot be perfectly secure; it can only be
computationally secure.
• Given enough time, an adversary can always forge Alice’s
signature on any message.
Digital Signature
Attacks:
• Key-only attack: Adversary knows only the
verification function (which is supposed to be public).
• Known message attack: Adversary knows a list of
messages previously signed by Alice.
• Chosen message attack: Adversary can choose which
messages he wants Alice to sign, and he knows both the
messages and the corresponding signatures.
Digital Signature
• Very often digital signatures are used with hash
functions: the hash of a message is signed, instead of the
message itself.
• Hash function must be:
– Pre-image resistant
– Weak collision resistant
– Strong collision resistant
Digital Signature Standard (DSS)
• The Federal Information Processing Standard for digital
signatures specifies the DSA. NIST proposed DSA in
August 1991.
• DSA uses a public key and a private key for generation and
verification of digital signatures.
• Steps:
1. Generation of public key and private key for User A
2. Creation of digital signature by user A for a message M
3. User B verifying the digital signature
DIGITAL SIGNATURE
• The digital signature must have the following properties:
– It must verify the author and the date and time of the signature.
– It must authenticate the contents at the time of the signature.
– It must be verifiable by third parties, to resolve disputes.
Digital Signature Model
[Figure: Digital Signature Model]
Digital Signature Standard (DSS)
[Figure: DSS; labels: p, q, g; Random integer; Signature {r, s}]
Digital Signature Standard (DSS)
• Steps:
1. Generation of global public components
2. Generation of public key and private key for User A
3. Creation of digital signature by user A for a message M
4. User B verifying the digital signature
1. Generation of Global public components {p, q, g}
• The following global public key components are chosen in
the key generation process:
• p: prime number, where $2^{L-1} < p < 2^{L}$. A random L-bit
prime, 512 ≤ L ≤ 1024, L = a multiple of 64 (64t). Bit length
of between 512 and 1024 bits in increments of 64 bits.
• q: prime divisor of (p − 1), where $2^{159} < q < 2^{160}$, a bit
length of 160 bits. That is, (p − 1) mod q = 0.
• $g = h^{(p-1)/q} \bmod p$, where h is any integer with 1 < h < (p − 1)
such that $h^{(p-1)/q} \bmod p > 1$
2. Public key (y) & Private key (x) Generation
• User’s key components are:
• Private Key:
– x is a private key which is a random integer, 0 < x < q
• Public Key:
– Public key $y = g^{x} \bmod p$.
– Therefore, the Key = (p, q, g, x, y)
• After computing the key, User A publishes the
public key (p, q, g, y) in the public directory
3. Signature {r,s} Generation
• k = random or pseudorandom integer with 0 < k < q such that gcd(k, q) = 1
• $r = (g^{k} \bmod p) \bmod q$
• $s = [k^{-1}(H(M) + xr)] \bmod q$, where $k k^{-1} \equiv 1 \pmod q$
Signature = {r, s}
The plaintext message is then concatenated with the signature and sent to the
receiver.
4. Verifying Signature
• The global parameters are {p, q, g}
• Let the hash of the received message be H(M’)
• The signature received is {r’, s’}
Compute
• $w = (s')^{-1} \bmod q$
• $u_1 = [H(M') \cdot w] \bmod q$
• $u_2 = (r') \cdot w \bmod q$
• $v = [(g^{u_1} \cdot y^{u_2}) \bmod p] \bmod q$
Test: v = r’
Example
Let p = 11, q = 5, h = 2, x = 3. Using the Digital Signature
Standard algorithm,
• Generate the public key of User A.
• Generate a digital signature for the plain text
H(M)=54.
• Verify the digital signature of User A.
Generation of global public components
p = 11
q = 5
g = ?
Let h = 2 [1 < h < (p − 1), so 2 to 10]
$g = h^{(p-1)/q} \bmod p$
$= 2^{(11-1)/5} \bmod 11$
$= 2^{10/5} \bmod 11$
$= 2^{2} \bmod 11$
$= 4 \bmod 11$
g = 4
Public key (y) & Private key (x) Generation
Private key: x = 3 [0 < x < q, so 1 to 4]
Public key: $y = g^{x} \bmod p$
$= 4^{3} \bmod 11$
$= 64 \bmod 11$
y = 9
Public Key: {p, q, g, y} = {11, 5, 4, 9}
Signature {r,s} Generation
Assume the user’s per-message secret number (random number) k = 3 [gcd(3, 5) = 1]
$r = (g^{k} \bmod p) \bmod q$
$= (4^{3} \bmod 11) \bmod 5$
$= (64 \bmod 11) \bmod 5$
$= 9 \bmod 5$
r = 4
$s = [k^{-1}(H(M) + xr)] \bmod q$, where $k k^{-1} \equiv 1 \pmod q$
$= [3^{-1}(54 + (3 \cdot 4))] \bmod 5$
$= [3^{-1}(54 + 12)] \bmod 5$
$= [3^{-1}(66)] \bmod 5$
$= (3^{-1} \bmod 5) \cdot 66 \bmod 5$
$= 2 \cdot 66 \bmod 5$
$= 132 \bmod 5$
s = 2
Signature {r, s} = {4, 2}
Verifying Signature
Public Key: {p, q, g, y} = {11, 5, 4, 9}
Received message M’ = 54
Received signature = {r’, s’} = {4, 2}
$w = (s')^{-1} \bmod q$
$= (2)^{-1} \bmod 5$
w = 3
$u_1 = [M' \cdot w] \bmod q$
$= [54 \cdot 3] \bmod 5$
$= 162 \bmod 5$
$u_1 = 2$
$u_2 = (r') \cdot w \bmod q$
$= (4 \cdot 3) \bmod 5$
$= 12 \bmod 5$
$u_2 = 2$
$v = [(g^{u_1} \cdot y^{u_2}) \bmod p] \bmod q$
$= [(4^{2} \cdot 9^{2}) \bmod 11] \bmod 5$
$= [(16 \cdot 81) \bmod 11] \bmod 5$
$= [((16 \bmod 11) \cdot (81 \bmod 11)) \bmod 11] \bmod 5$
$= [(5 \cdot 4) \bmod 11] \bmod 5$
$= [20 \bmod 11] \bmod 5$
$= 9 \bmod 5$
v = 4
Test: v = r’
4 = 4
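The four DSS steps and the worked example above, as runnable Python. This is an added example, not part of the original slides; the function names are assumptions, and the checks that r and s are non-zero when signing and lie strictly between 0 and q when verifying come from the DSA standard and go beyond what the slides state.

```python
# Added example: textbook DSA with the slides' toy numbers (p=11, q=5).
# Parameters this small give no security; they only make each step checkable.

def dsa_make_g(p, q, h):
    """Step 1: g = h^((p-1)/q) mod p, rejecting choices the slides exclude."""
    if (p - 1) % q != 0 or not 1 < h < p - 1:
        raise ValueError("need q | (p-1) and 1 < h < p-1")
    g = pow(h, (p - 1) // q, p)
    if g <= 1:
        raise ValueError("h^((p-1)/q) mod p must be > 1; pick another h")
    return g

def dsa_public_key(p, q, g, x):
    """Step 2: y = g^x mod p for a private key 0 < x < q."""
    if not 0 < x < q:
        raise ValueError("private key must satisfy 0 < x < q")
    return pow(g, x, p)

def dsa_sign(p, q, g, x, hm, k):
    """Step 3: return (r, s). k is a parameter only so the slide's values
    can be reproduced; a real signer draws a fresh random k per message."""
    if not 0 < k < q:
        raise ValueError("per-message secret must satisfy 0 < k < q")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + x * r)) % q
    if r == 0 or s == 0:
        # Required by the DSA standard, not stated on the slides.
        raise ValueError("r or s is 0: choose a new k and sign again")
    return r, s

def dsa_verify(p, q, g, y, hm, r, s):
    """Step 4: accept only if 0 < r, s < q and v == r."""
    if not (0 < r < q and 0 < s < q):
        return False  # range check from the DSA standard, not on the slides
    w = pow(s, -1, q)
    u1 = (hm * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
    return v == r

if __name__ == "__main__":
    p, q, x = 11, 5, 3
    g = dsa_make_g(p, q, h=2)
    y = dsa_public_key(p, q, g, x)
    r, s = dsa_sign(p, q, g, x, hm=54, k=3)
    print(g, y, (r, s), dsa_verify(p, q, g, y, 54, r, s))
```

With these toy parameters k = 2 yields r = 0 and H(M) = 53 with k = 3 yields s = 0, so both signing calls are refused rather than emitting a degenerate signature.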
Practice
Let p = 48731 and q = 443, h = 7, x = 242, k = 427
Using Digital Signature Standard algorithm,
• Generate the public key of User A.
• Generate a digital signature for the plain text H(M)=343.
• Verify the digital signature of User A.
RSA based digital signature
• The RSA digital signature algorithm is based on the RSA Asymmetric Algorithm.
• RSA Asymmetric Algorithm:
– Key Generation
– Encryption
– Decryption
RSA Digital Signature
1. Key Generation
• Same procedure as the RSA algorithm
• Private key: d; p and q must also remain secret
2. Signature Generation
• Use the private key for signing message M
• M must satisfy 0 < M < n
• Use private key (d): compute $S = M^{d} \bmod n$
3. Signature Verification
• Use the public key for verifying the signature
• Use public key (e, n): compute $S^{e} \bmod n = (M^{d} \bmod n)^{e} \bmod n = M$
Note: in practice, a hash of the message is signed and not the message itself.
RSA Digital Signature
Example:
Given prime numbers p = 7 and q = 13, let User A choose
e = 5 to generate the private key. Using the RSA Digital
Signature algorithm,
• Generate the public key of User A.
• Generate a digital signature for the plain text H(M) = 35.
• Verify the digital signature of User A.
1. Key Generation
Private key: d; p and q must also remain secret
2. Signature Generation
M = 35, 0 < 35 < 91
Signature $S = M^{d} \bmod n$
$= 35^{29} \bmod 91$
S = 42
3. Signature Verification
$S^{e} \bmod n = (M^{d} \bmod n)^{e} \bmod n = M$
$42^{5} \bmod 91 = (35^{29} \bmod 91)^{5} \bmod 91$
$35 = (42 \bmod 91)^{5} \bmod 91$
$35 = 42^{5} \bmod 91$
35 = 35 = M
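The RSA example above end to end, including the key-generation step, as an added Python example that is not part of the original slides. The function names are assumptions, and `toy_digest` is a constructed stand-in that folds SHA-256 into the tiny modulus to illustrate the slides' note that a hash of the message is what gets signed.

```python
# Added example: textbook RSA signing with the slides' numbers (p=7, q=13, e=5).
# A 7-bit modulus gives no security; it only makes each step checkable by hand.
import hashlib
from math import gcd

def rsa_keygen(p, q, e):
    """Return (n, e, d) with d = e^-1 mod phi(n), phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return n, e, pow(e, -1, phi)

def toy_digest(message, n):
    """Assumption for this demo: SHA-256 folded into 1..n-1 so it fits the
    tiny modulus. Real schemes encode the full digest with padding."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return 1 + h % (n - 1)

def rsa_sign(m, d, n):
    """S = M^d mod n; the slides require 0 < M < n."""
    if not 0 < m < n:
        raise ValueError("need 0 < M < n")
    return pow(m, d, n)

def rsa_verify(m, s, e, n):
    """Accept when S^e mod n equals the value that was signed."""
    if not 0 < s < n:
        return False
    return pow(s, e, n) == m

def sign_message(message, d, n):
    """Hash-then-sign: sign the digest, not the message bytes."""
    return rsa_sign(toy_digest(message, n), d, n)

def verify_message(message, s, e, n):
    return rsa_verify(toy_digest(message, n), s, e, n)

if __name__ == "__main__":
    n, e, d = rsa_keygen(7, 13, 5)
    s = rsa_sign(35, d, n)
    print((n, e, d), s, rsa_verify(35, s, e, n))
```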
RSA Digital Signature
Example:
Given prime numbers p=19 and q=2, let User A choose a
private key e=7. Using the RSA Digital Signature algorithm,
• Generate the public key of User A.
• Generate a digital signature for the plain text H(M)=17.
• Verify the digital signature of User A.
ElGamal Based Digital Signature
ElGamal Cryptography Algorithm
ElGamal Digital Signature
Global elements: prime number q and α, which is a primitive root of q and
gcd(q, α) = 1.
Private/public key pair generation:
1. Generate a random integer $X_A$, such that $2 \le X_A \le q - 2$.
2. Compute $Y_A = \alpha^{X_A} \bmod q$.
3. A’s private key is $X_A$; A’s public key is $\{q, \alpha, Y_A\}$.
Signature generation:
m = H(M), 0 ≤ m ≤ q − 1.
1. Choose a random integer K such that 1 ≤ K ≤ q − 1 and gcd(K, q − 1) = 1.
2. Compute $S_1 = \alpha^{K} \bmod q$.
3. Compute $K^{-1} \bmod (q - 1)$.
4. Compute $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1)$.
5. The signature consists of the pair $(S_1, S_2)$.
Signature verification:
1. Compute $V_1 = \alpha^{m} \bmod q$.
2. Compute $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q$.
Signature is valid if $V_1 = V_2$.
Example: q = 19, α = 10, $X_A$ = 16, H(M) = 14, K = 5
ElGamal Digital Signature
• As with ElGamal encryption, the global elements of ElGamal
digital signature are a prime number q and α, which is a
primitive root of q and gcd(q, α) = 1.
• User A generates a private/public key pair as follows.
1. Generate a random integer $X_A$, such that $2 \le X_A \le q - 2$
2. Compute $Y_A = \alpha^{X_A} \bmod q$.
3. A’s private key is $X_A$; A’s public key is $\{q, \alpha, Y_A\}$.
ElGamal Digital Signature Example
Private/public key pair generation:
Very large prime number q = 19
Generator α = 10; 10 is a primitive root and gcd(10, 19) = 1
Generate a random integer $X_A$, such that $2 \le X_A \le q - 2$
Select $X_A$ = 16, 2≤10≤19
Compute $Y_A = \alpha^{X_A} \bmod q$
$= 10^{16} \bmod 19$
$= 10^{2+4+8+2} \bmod 19$
$= (10^{2} \bmod 19)(10^{4} \bmod 19)(10^{8} \bmod 19)(10^{2} \bmod 19)$
$= (100 \bmod 19)(10^{4} \bmod 19)(10^{8} \bmod 19)(100 \bmod 19)$
$= (5 \bmod 19)((10^{2})^{2} \bmod 19)((10^{4})^{2} \bmod 19)(5 \bmod 19)$
$= (5 \bmod 19)(5^{2} \bmod 19)((10^{4})^{2} \bmod 19)(5 \bmod 19)$
$= (5 \bmod 19)(6 \bmod 19)(6^{2} \bmod 19)(5 \bmod 19)$
$= 5 \cdot 6 \cdot 17 \cdot 5 \bmod 19$
$= 30 \cdot 17 \cdot 5 \bmod 19$
$= 11 \cdot 5 \cdot 17 \bmod 19$
$= 55 \cdot 17 \bmod 19$
$= 17 \cdot 17 \bmod 19$
$= 289 \bmod 19$
$= 4 \bmod 19$
$= 4$
ElGamal Digital Signature
Signature Generation:
To sign a message M, user A first computes the hash m = H(M),
such that m is an integer in the range 0 ≤ m ≤ q − 1. A then forms a
digital signature as follows.
1. Choose a random integer K such that
1 ≤ K ≤ q − 1 and gcd(K, q − 1) = 1.
That is, K is relatively prime to q − 1.
2. Compute $S_1 = \alpha^{K} \bmod q$. Note that this is the same as the
computation of $C_1$ for ElGamal encryption.
3. Compute $K^{-1} \bmod (q - 1)$.
4. Compute $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1)$.
5. The signature consists of the pair $(S_1, S_2)$.
Signature generation example
Message H(M) = 14, 0 ≤ m ≤ q − 1, 0 ≤ 14 ≤ 18
Choose a random integer K
K = 5, 1 ≤ K ≤ q − 1 and gcd(K, q − 1) = 1; 1 ≤ 5 ≤ 18 and gcd(5, 18) = 1
Compute $S_1 = \alpha^{K} \bmod q$
$= 10^{5} \bmod 19$
$= (10^{2} \bmod 19)(10^{2} \bmod 19)(10 \bmod 19)$
$= 5 \cdot 5 \cdot 10 \bmod 19$
$= 25 \cdot 10 \bmod 19$
$= 6 \cdot 10 \bmod 19$
$= 60 \bmod 19$
$= 3 \bmod 19$
$= 3$
$S_1 = \alpha^{K} \bmod q = 3$
Compute $K^{-1} \bmod (q - 1)$
$= 5^{-1} \bmod 18$
$= 11$
$K^{-1} \bmod (q - 1) = 11$
Compute $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1)$
$= 5^{-1}(14 - (16 \cdot 3)) \bmod 18$
$= 5^{-1}(14 - 48) \bmod 18$
$= 5^{-1}(-34) \bmod 18$
$= (5^{-1} \bmod 18) \cdot ((-34) \bmod 18)$
$= (11 \bmod 18) \cdot (-16 \bmod 18)$
$= 11 \cdot 2 \bmod 18$
$= 22 \bmod 18$
$= 4$
$S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1) = 4$
Signature = $\{S_1, S_2\}$ = {3, 4}
ElGamal Digital Signature
• Any user B can verify the signature as follows.
1. Compute $V_1 = \alpha^{m} \bmod q$.
2. Compute $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q$.
• The signature is valid if $V_1 = V_2$.
Signature verification example
Compute $V_1 = \alpha^{m} \bmod q$
$= 10^{14} \bmod 19$
$= 10^{2} \cdot 10^{4} \cdot 10^{8} \bmod 19$
$= 5 \cdot 6 \cdot 17 \bmod 19$
$= 510 \bmod 19$
$= 16 \bmod 19$
$= 16$
$V_1 = \alpha^{m} \bmod q = 16$
Compute $V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q$
$= 4^{3} \cdot 3^{4} \bmod 19$
$= 64 \cdot 81 \bmod 19$
$= 7 \cdot 5 \bmod 19$
$= 35 \bmod 19$
$= 16$
$V_2 = (Y_A)^{S_1} (S_1)^{S_2} \bmod q = 16$
Test: the signature is valid if $V_1 = V_2$
16 = 16
So the signature received is valid.
ElGamal Signature Example
use field GF(19): q = 19 and α = 10
Alice computes her key:
A chooses $x_A = 16$ and computes $y_A = 10^{16} \bmod 19 = 4$
Alice signs message with hash m = 14 as s = (3, 4):
choosing random K = 5, which has gcd(18, 5) = 1
computing $S_1 = 10^{5} \bmod 19 = 3$
finding $K^{-1} \bmod (q - 1) = 5^{-1} \bmod 18 = 11$
computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$
any user B can verify the signature by computing
$V_1 = 10^{14} \bmod 19 = 16$
$V_2 = 4^{3} \cdot 3^{4} = 5184 = 16 \bmod 19$
since 16 = 16, the signature is valid
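The ElGamal key generation, signing and verification steps above, as an added Python example that is not part of the original slides. The function names are assumptions; the primitive-root test and the range check on (S1, S2) in verification go beyond what the slides state.

```python
# Added example: textbook ElGamal signatures with the slides' toy values
# (q=19, alpha=10). Far too small for real use; it only mirrors the steps.
from math import gcd

def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive_root(alpha, q):
    """alpha generates Z_q^* iff alpha^((q-1)/f) != 1 for every prime f | q-1."""
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))

def elgamal_public_key(q, alpha, xa):
    """Y_A = alpha^X_A mod q for a private key 2 <= X_A <= q-2."""
    if not 2 <= xa <= q - 2:
        raise ValueError("need 2 <= X_A <= q-2")
    return pow(alpha, xa, q)

def elgamal_sign(q, alpha, xa, m, k):
    """Return (S1, S2). K is a parameter only to reproduce the slide;
    a real signer draws a fresh random K for every message."""
    if not 0 <= m <= q - 1:
        raise ValueError("need 0 <= m <= q-1")
    if not (1 <= k <= q - 1 and gcd(k, q - 1) == 1):
        raise ValueError("K must be in [1, q-1] and coprime to q-1")
    s1 = pow(alpha, k, q)
    s2 = (pow(k, -1, q - 1) * (m - xa * s1)) % (q - 1)
    return s1, s2

def elgamal_verify(q, alpha, ya, m, s1, s2):
    """Valid if V1 == V2; out-of-range S1 or S2 is rejected first."""
    if not (1 <= s1 <= q - 1 and 0 <= s2 < q - 1):
        return False  # range check added here, not stated on the slides
    v1 = pow(alpha, m, q)
    v2 = (pow(ya, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

if __name__ == "__main__":
    q, alpha, xa = 19, 10, 16
    ya = elgamal_public_key(q, alpha, xa)
    s1, s2 = elgamal_sign(q, alpha, xa, m=14, k=5)
    print(ya, (s1, s2), elgamal_verify(q, alpha, ya, 14, s1, s2))
```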
ElGamal Digital Signature
• Assume that the equality is true. Then we have