Download Cryptography Lecture 8: Digital Signatures and Hash Functions and more Study Guides, Projects, Research Cryptography and System Security in PDF only on Docsity!
Cryptography Lecture 8
Digital signatures, hash functions
A Message Authentication Code is what you get from symmetric
cryptography
A MAC is used to prevent Eve from creating a new message and inserting it instead of Alice’s message
Key Key
Alice Bob
Eve
Create MAC Verify MAC
Digital signatures
- (^) In asymmetric ciphers, one single individual holds the private key, while everyone can get the public key
- (^) So if you encrypt with the private key, and send both cryptogram and message, anyone can check that “decryption” with the public key does indeed create the message
- (^) Note that some public key systems do not allow “encryption” with the private key
- (^) Most systems can be modified to generate and verify signatures
A digital signature can be created using asymmetric
cryptography
Used to prevent Eve from creating messages and present them as written by of Alice
Private signing key
Public verification key
Alice Anyone
Eve
Create signature
Verify signature
RSA signatures
- (^) Alice sets up RSA as usual
- (^) In order to sign a message m, Alice uses her private key d (and not Bob’s public key) to create the signature
s = md^ mod n
- (^) Alice now gives both m and s to Bob
- (^) He uses Alice’s public key to verify the signature by comparing
m and se^ mod n
Attacks on RSA signatures
- (^) Eve wants to sign another message mE so that it seems to be from Alice
- (^) Eve cannot generate a signature directly because she does not have the secret key d
- (^) She could try to choose signature sE first and calculate
mE = se E mod n
but it is unlikely that s Ee is a meaningful message
- (^) Note that two message-signature pairs gives away a third since
(m 1 m 2 )d^ = md 1 md 2 mod n
Do not use the same key pairs for signing and encryption!
- (^) If Alice allows using the same e for encryption and verification, Eve can intercept c = me^ mod n. To decrypt c, Eve should create
x = r e^ c mod n
for some r which yields a reasonable message x, where “reasonable” means that Eve can get Alice to sign x
- (^) If Alice does this, the return value is
s = xd^ = (r e^ c)d^ = rm mod n
- (^) Eve can now divide by r (why is this possible?) and find
m = sr −^1 mod n
ElGamal signatures
- (^) Choose a large prime p, and a primitive root α mod p. Also, take a random integer a and calculate β = αa^ mod p
- (^) The public key is the values of p, α, and β, while the secret key is the value a
- (^) Signing uses a random integer k with gcd(k, p − 1) = 1, and the signature is the pair (r , s) where { r = αk^ mod p s = k−^1 (m − ar ) mod (p − 1)
(encryption: (αk^ , βk^ m))
- (^) Verification is done comparing βr^ r s^ and αm^ mod p, since
βr^ r s^ = αar^ αk(m−ar^ )/k^ = αm^ mod p
Digital Signature Algorithm (∼ElGamal)
- (^) This is a modification to the ElGamal signature scheme adopted as standard by NIST in 1994
- (^) Some debate followed, comparing DSA and RSA signatures
- (^) The most serious problem was parameter size, which is better in later versions
- (^) The main change from ElGamal is to choose p so that p − 1 has a 160-bit prime factor q, and exponents are mod q
DSA signatures
- (^) Choose a 160-bit prime q, a large prime p so that q is a factor in p − 1 , and a primitive root g mod p. Set α = g (p−1)/q^ mod p so that αq^ = 1 mod p, take a random integer a < q − 1 and calculate β = αa^ mod p
- (^) The public key is the values of p, q, α, and β, while the secret key is the value a
- (^) Signing uses a random integer k < q − 1 , and the signature is the pair (r , s) where { r = (αk^ mod p) mod q s = k−^1 (m − ar ) mod q
- (^) To verify, compute t = s−^1 m mod q and u = s−^1 r mod q. Verification is done comparing (αt^ βu^ mod p) and r mod q, since (αt^ βu^ mod p) = (αkm/(m+ar^ )αar^ /(m+ar^ )^ mod p) = (αk^ mod p) = r mod q
DSA signatures
- (^) Choose a 160-bit prime q, a large prime p so that q is a factor in p − 1 , and a primitive root g mod p. Set α = g (p−1)/q^ mod p so that αq^ = 1 mod p, take a random integer a < q − 1 and calculate β = αa^ mod p
- (^) The public key is the values of p, q, α, and β, while the secret key is the value a
- (^) Signing uses a random integer k < q − 1 , and the signature is the pair (r , s) where { r = (αk^ mod p) mod q s = k−^1 (m − ar ) mod q
- (^) To verify, compute t = s−^1 m mod q and u = s−^1 r mod q. Verification is done comparing (αt^ βu^ mod p) and r mod q, since (αt^ βu^ mod p) = (αkm/(m+ar^ )αar^ /(m+ar^ )^ mod p) = (αk^ mod p) = r mod q
DSA (and ElGamal) security requirement
- (^) The parameter k must be chosen completely at random for every signature
- (^) Otherwise, the first half of a DSA signature r = (αk^ mod p) mod q will tell Eve that k is reused
- (^) The second halfs are s 1 = k−^1 (m 1 + ar ) and s 2 = k−^1 (m 2 + ar ), both mod q
k = m 1 + ar s 1
m 2 + ar s 2 s 2 (m 1 + ar ) = s 1 (m 2 + ar )
a =
s 1 m 2 − s 2 m 1 (s 2 − s 1 )r
Key length
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”
Key length
Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 240 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 106 plain- text/ciphertexts, ≈ 10 years protection 112 Medium-term protection ≈ 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, ≈ 30 years 256 ”Foreseeable future” Good protection against quantum computers unless Shor’s algorithm applies. From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”