DIGITAL SIGNATURES
LESSON 08
RGC UPEKSHA
Digital Signatures
• A digital signature is an authentication mechanism that enables
the creator of a message to attach a code that acts as a signature.
• Typically, the signature is formed by taking the hash of the message
and encrypting the message with the creator’s private key.
• The signature guarantees the source and integrity of the message.
• The digital signature standard (DSS) is an NIST standard that uses the
secure hash algorithm (SHA).
• Following is a generic model of the process of making and
using digital signatures.
• Bob can sign a message using a digital signature
generation algorithm.
• The inputs to the algorithm are the message and Bob’s
private key.
• Any other user, say Alice, can verify the signature using a
verification algorithm, whose inputs are the message, the
signature, and Bob’s public key.
• Message authentication protects two parties who
exchange messages from any third party.
• However, it does not protect the two parties against each
other.
• Several forms of dispute between the two are
possible.
• Simplified Depiction of Essential Elements of Digital
Signature Process
• In situations where there is not complete trust between sender
and receiver, something more than authentication is needed.
• The most attractive solution to this problem is the digital
signature.
• The digital signature must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.
• Thus, the digital signature function includes the
authentication function.
Attacks and Forgeries
• Here A denotes the user whose signature method is being
attacked, and C denotes the attacker.
• Key-only attack: C only knows A’s public key.
• Known message attack: C is given access to a set of
messages and their signatures.
• Generic chosen message attack: C chooses a list of
messages before attempting to break A’s signature scheme,
independent of A’s public key. C then obtains valid signatures
from A for the chosen messages. The attack is generic,
because it does not depend on A’s public key; the same attack
is used against everyone.
• Directed chosen message attack: Similar to the
generic attack, except that the list of messages to be
signed is chosen after C knows A’s public key but before
any signatures are seen.
• Adaptive chosen message attack: C is allowed to use A
as an “oracle.” This means that C may request from A
signatures of messages that depend on previously obtained
message–signature pairs.
• Success at breaking a signature scheme is then defined
as an outcome in which C can do any of the following
with a non-negligible probability:
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing
algorithm that provides an equivalent way of
constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a
particular message chosen by C.
• Existential forgery: C forges a signature for at
least one message. C has no control over the
message. Consequently, this forgery may only be
a minor nuisance to A.
Digital Signature Requirements
On the basis of the properties and attacks just discussed, we can formulate the
following requirements for a digital signature.
• The signature must be a bit pattern that depends on the
message being signed.
• The signature must use some information unique to the sender to
prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital
signature.
• It must be computationally infeasible to forge a digital signature, either by
constructing a new message for an existing digital signature or by
constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.
Direct Digital Signature
• The term direct digital signature refers to a digital
signature scheme that involves only the
communicating parties (source, destination).
• It is assumed that the destination knows the public key of
the source.
• Confidentiality can be provided by encrypting the entire
message plus signature with a shared secret key
(symmetric encryption).
• Note that it is important to perform the signature
function first and then an outer confidentiality function.
ElGamal Digital Signature Scheme
• Before examining the NIST Digital Signature standard,
it will be helpful to understand the ElGamal and
Schnorr signature schemes.
• The ElGamal encryption scheme is designed to enable
encryption by a user’s public key with decryption by
the user’s private key.
• The ElGamal signature scheme involves the use of
the private key for encryption and the public key for
decryption.
• As with ElGamal encryption, the global elements of ElGamal
digital signature are a prime number q and α, which is a primitive
root of q.
• User A generates a private/public key pair as follows.
• An Example
• For example, let us start with the prime field GF(19); that
is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}. We
choose α = 10.
• Alice generates a key pair as follows:
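An added worked example, not part of the original slides, that carries the GF(19), α = 10 setting through ElGamal key generation, signing and verification. The private key X = 16, hash value m = 14 and per-signature secret K = 5 are assumed values, and the function names are this example's own.

```python
from math import gcd

Q = 19        # prime q from the slide
ALPHA = 10    # primitive root of q chosen on the slide

def primitive_roots(q):
    """All a whose powers a^1..a^(q-1) mod q hit every nonzero residue."""
    return [a for a in range(1, q)
            if len({pow(a, i, q) for i in range(1, q)}) == q - 1]

def public_key(x):
    """Y = alpha^X mod q for a private key 1 < X < q - 1."""
    if not 1 < x < Q - 1:
        raise ValueError("private key out of range")
    return pow(ALPHA, x, Q)

def sign(m, x, k):
    """Sign hash value m (0 <= m <= q-1) with private key x and fresh secret k."""
    if not 1 <= k <= Q - 1 or gcd(k, Q - 1) != 1:
        raise ValueError("k must be invertible mod q-1")
    s1 = pow(ALPHA, k, Q)                              # S1 = alpha^K mod q
    s2 = pow(k, -1, Q - 1) * (m - x * s1) % (Q - 1)    # S2 = K^-1 (m - X*S1) mod (q-1)
    return s1, s2

def verify(m, sig, y):
    """Accept iff alpha^m == Y^S1 * S1^S2 (mod q), with both components range-checked."""
    s1, s2 = sig
    if not (1 <= s1 <= Q - 1 and 0 <= s2 < Q - 1):
        return False
    return pow(ALPHA, m, Q) == pow(y, s1, Q) * pow(s1, s2, Q) % Q

# Assumed values, not taken from the slide: X = 16, m = 14, K = 5.
X, M, K = 16, 14, 5
Y = public_key(X)
SIG = sign(M, X, K)

if __name__ == "__main__":
    print("primitive roots of 19:", primitive_roots(Q))
    print("public key:", Y, "signature:", SIG)
    print("valid:", verify(M, SIG, Y), "altered m:", verify(M + 1, SIG, Y))
```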
Schnorr Digital Signature Scheme
As with the ElGamal digital signature scheme, the Schnorr signature
scheme is based on discrete logarithms.
The Schnorr scheme minimizes the message-dependent amount of
computation required to generate a signature.
The scheme is based on using a prime modulus p, with p-1 having a prime
factor q of appropriate size; that is,
p-1 ≡ 0 (mod q).
Thus, p is a 1024-bit number, and q is a 160-bit number, which is also the
length of the SHA-1 hash value.
The first part of this scheme is the generation of a private/public key pair,
which consists of the following steps.
Digital Signature Standard
• The National Institute of Standards and Technology (NIST)
has published Federal Information Processing Standard FIPS
186, known as the Digital Signature Standard (DSS).
• The DSS makes use of the Secure Hash Algorithm (SHA) and
presents a new digital signature technique, the Digital
Signature Algorithm (DSA).
• The DSS was originally proposed in 1991 and revised in 1993 in
response to public feedback concerning the security of the
scheme.
• The latest version also incorporates digital signature
algorithms based on RSA and on elliptic curve
cryptography.
• The DSS uses an algorithm that is designed to provide only
the digital signature function.
• Unlike RSA, it cannot be used for encryption or key exchange.
• Nevertheless, it is a public-key technique.
• The previous figure contrasts the DSS approach for
generating digital signatures to that used with RSA.
• In the RSA approach, the message to be signed is input to a
hash function that produces a secure hash code of fixed length.
• This hash code is then encrypted using the sender’s private key
to form the signature.
• Both the message and the signature are then transmitted.
• The recipient takes the message and produces a hash code.
• The recipient also decrypts the signature using the sender’s
public key.
• If the calculated hash code matches the decrypted signature, the
signature is accepted as valid.
• Because only the sender knows the private key, only the
sender could have produced a valid signature.
• The DSS approach also makes use of a hash function.
• The hash code is provided as input to a signature function
along with a random number k generated for this particular
signature.
• The signature function also depends on the sender’s private
key (PRa) and a set of parameters known to a group of
communicating principals.
• We can consider this set to constitute a global public key
(PUG).
• The result is a signature consisting of two
components, labeled s and r.
• At the receiving end, the hash code of the incoming
message is generated.
• This plus the signature is input to a verification
function.
• The verification function also depends on the
global public key as well as the sender’s public
key (PUa), which is paired with the sender’s
private key.
• The output of the verification function is a value
that is equal to the signature component r if the
signature is valid.
• The signature function is such that only the
sender, with knowledge of the private key, could
have produced the valid signature.
The Digital Signature Algorithm
• The DSA is based on the difficulty of computing
discrete logarithms and is based on schemes
originally presented by ElGamal and Schnorr.
• The following figure summarizes the algorithm.
• There are three parameters that are public and can
be common to a group of users.
• A 160-bit prime number q is chosen. Next, a prime
number p is selected with a length between 512
and 1024 bits such that q divides (p-1).
• To create a signature, a user calculates two
quantities, r and s, that are functions of the public
key components (p,q,g), the user’s private key (x),
the hash code of the message H(M), and an
additional integer k that should be generated
randomly or pseudorandomly and be unique for
each signing.
• The receiver generates a quantity that is a function
of the public key components, the sender’s public
key, and the hash code of the incoming message.
• If this quantity matches the r component of the
signature, then the signature is validated.
• Note that the test at the end is on the value r,
which does not depend on the message at all.
• Instead, r is a function of k and the three global
public-key components.
• The multiplicative inverse of k (mod q) is passed
to a function that also has as inputs the message
hash code and the user’s private key.
• The structure of this function is such that the
receiver can recover r using the incoming
message and signature, the public key of the
user, and the global public key.
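An added example, not part of the original slides, of DSA signing and verification as described above, including the point that r is a function of k and (p, q, g) only. The toy parameters q = 101, p = 7879 and h = 3, the private key 75 and the sample message are constructed for illustration, and reducing the hash mod q is a simplification.

```python
import hashlib
import secrets

# Toy domain parameters, constructed for this example (far too small for real use;
# the slide's sizes are a 160-bit q and a 512- to 1024-bit p).
Q = 101                        # prime q
P = 78 * Q + 1                 # prime p = 7879, so q divides p - 1
G = pow(3, (P - 1) // Q, P)    # g = h^((p-1)/q) mod p with h = 3, giving g = 170

def hash_code(message):
    """H(M) as an integer mod q (real DSA truncates the hash to q's bit length)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def public_key(x):
    return pow(G, x, P)        # y = g^x mod p

def compute_r(k):
    """r = (g^k mod p) mod q: depends on k and (p, q, g) only, never on the message."""
    return pow(G, k, P) % Q

def sign(h, x, k=None):
    """Return (r, s) for hash code h under private key x.
    k is drawn fresh per signature; pass it explicitly only to reproduce a test."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = compute_r(kk)
        s = pow(kk, -1, Q) * (h + x * r) % Q    # s = k^-1 (H(M) + x*r) mod q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("supplied k gives r = 0 or s = 0")

def verify(h, sig, y):
    """Recompute v from h, (r, s), y and the global key; valid iff v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):           # reject out-of-range components
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

if __name__ == "__main__":
    x = 75                                      # constructed private key
    y = public_key(x)
    sig = sign(hash_code(b"pay Bob 10"), x)
    print(sig, verify(hash_code(b"pay Bob 10"), sig, y))
```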