Cryptography Lecture 8: Digital Signatures and Hash Functions, Study Guides, Projects, Research of Cryptography and System Security

An in-depth explanation of Message Authentication Codes (MAC) and digital signatures using asymmetric cryptography. It covers the concepts of RSA, ElGamal, and DSA signatures, their attacks, and the need for hashing. The document also discusses the importance of hash functions in cryptography and their applications.

Typology: Study Guides, Projects, Research

2020/2021

Uploaded on 02/02/2021

sammiecalypso
sammiecalypso 🇳🇬

4 documents

1 / 54

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Cryptography Lecture 8
Digital signatures, hash functions
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36

Partial preview of the text

Download Cryptography Lecture 8: Digital Signatures and Hash Functions and more Study Guides, Projects, Research Cryptography and System Security in PDF only on Docsity!

Cryptography Lecture 8

Digital signatures, hash functions

A Message Authentication Code is what you get from symmetric

cryptography

A MAC is used to prevent Eve from creating a new message and inserting it instead of Alice’s message

Key Key

Alice Bob

Eve

Create MAC Verify MAC

Digital signatures

  • (^) In asymmetric ciphers, one single individual holds the private key, while everyone can get the public key
  • (^) So if you encrypt with the private key, and send both cryptogram and message, anyone can check that “decryption” with the public key does indeed create the message
  • (^) Note that some public key systems do not allow “encryption” with the private key
  • (^) Most systems can be modified to generate and verify signatures

A digital signature can be created using asymmetric

cryptography

Used to prevent Eve from creating messages and present them as written by of Alice

Private signing key

Public verification key

Alice Anyone

Eve

Create signature

Verify signature

RSA signatures

  • (^) Alice sets up RSA as usual
  • (^) In order to sign a message m, Alice uses her private key d (and not Bob’s public key) to create the signature

s = md^ mod n

  • (^) Alice now gives both m and s to Bob
  • (^) He uses Alice’s public key to verify the signature by comparing

m and se^ mod n

Attacks on RSA signatures

  • (^) Eve wants to sign another message mE so that it seems to be from Alice
  • (^) Eve cannot generate a signature directly because she does not have the secret key d
  • (^) She could try to choose signature sE first and calculate

mE = se E mod n

but it is unlikely that s Ee is a meaningful message

  • (^) Note that two message-signature pairs gives away a third since

(m 1 m 2 )d^ = md 1 md 2 mod n

Do not use the same key pairs for signing and encryption!

  • (^) If Alice allows using the same e for encryption and verification, Eve can intercept c = me^ mod n. To decrypt c, Eve should create

x = r e^ c mod n

for some r which yields a reasonable message x, where “reasonable” means that Eve can get Alice to sign x

  • (^) If Alice does this, the return value is

s = xd^ = (r e^ c)d^ = rm mod n

  • (^) Eve can now divide by r (why is this possible?) and find

m = sr −^1 mod n

ElGamal signatures

  • (^) Choose a large prime p, and a primitive root α mod p. Also, take a random integer a and calculate β = αa^ mod p
  • (^) The public key is the values of p, α, and β, while the secret key is the value a
  • (^) Signing uses a random integer k with gcd(k, p − 1) = 1, and the signature is the pair (r , s) where { r = αk^ mod p s = k−^1 (m − ar ) mod (p − 1)

(encryption: (αk^ , βk^ m))

  • (^) Verification is done comparing βr^ r s^ and αm^ mod p, since

βr^ r s^ = αar^ αk(m−ar^ )/k^ = αm^ mod p

Digital Signature Algorithm (∼ElGamal)

  • (^) This is a modification to the ElGamal signature scheme adopted as standard by NIST in 1994
  • (^) Some debate followed, comparing DSA and RSA signatures
  • (^) The most serious problem was parameter size, which is better in later versions
  • (^) The main change from ElGamal is to choose p so that p − 1 has a 160-bit prime factor q, and exponents are mod q

DSA signatures

  • (^) Choose a 160-bit prime q, a large prime p so that q is a factor in p − 1 , and a primitive root g mod p. Set α = g (p−1)/q^ mod p so that αq^ = 1 mod p, take a random integer a < q − 1 and calculate β = αa^ mod p
  • (^) The public key is the values of p, q, α, and β, while the secret key is the value a
  • (^) Signing uses a random integer k < q − 1 , and the signature is the pair (r , s) where { r = (αk^ mod p) mod q s = k−^1 (m − ar ) mod q
  • (^) To verify, compute t = s−^1 m mod q and u = s−^1 r mod q. Verification is done comparing (αt^ βu^ mod p) and r mod q, since (αt^ βu^ mod p) = (αkm/(m+ar^ )αar^ /(m+ar^ )^ mod p) = (αk^ mod p) = r mod q

DSA signatures

  • (^) Choose a 160-bit prime q, a large prime p so that q is a factor in p − 1 , and a primitive root g mod p. Set α = g (p−1)/q^ mod p so that αq^ = 1 mod p, take a random integer a < q − 1 and calculate β = αa^ mod p
  • (^) The public key is the values of p, q, α, and β, while the secret key is the value a
  • (^) Signing uses a random integer k < q − 1 , and the signature is the pair (r , s) where { r = (αk^ mod p) mod q s = k−^1 (m − ar ) mod q
  • (^) To verify, compute t = s−^1 m mod q and u = s−^1 r mod q. Verification is done comparing (αt^ βu^ mod p) and r mod q, since (αt^ βu^ mod p) = (αkm/(m+ar^ )αar^ /(m+ar^ )^ mod p) = (αk^ mod p) = r mod q

DSA (and ElGamal) security requirement

  • (^) The parameter k must be chosen completely at random for every signature
  • (^) Otherwise, the first half of a DSA signature r = (αk^ mod p) mod q will tell Eve that k is reused
  • (^) The second halfs are s 1 = k−^1 (m 1 + ar ) and s 2 = k−^1 (m 2 + ar ), both mod q

k = m 1 + ar s 1

m 2 + ar s 2 s 2 (m 1 + ar ) = s 1 (m 2 + ar )

a =

s 1 m 2 − s 2 m 1 (s 2 − s 1 )r

Key length

From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”

Key length

Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 240 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 106 plain- text/ciphertexts, ≈ 10 years protection 112 Medium-term protection ≈ 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, ≈ 30 years 256 ”Foreseeable future” Good protection against quantum computers unless Shor’s algorithm applies. From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”