Digital Signature Algorithm

Similar documents
On the Big Gap Between p and q in DSA

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Groups in Cryptography. Çetin Kaya Koç Winter / 13

Chinese Remainder Theorem

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 19

Introduction to Elliptic Curve Cryptography

Digital Signatures. p1.

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

5199/IOC5063 Theory of Cryptology, 2014 Fall

Discrete Logarithm Problem

New Variant of ElGamal Signature Scheme

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Digital Signature Scheme Based on a New Hard Problem

Public Key Cryptography

ElGamal type signature schemes for n-dimensional vector spaces

Overview. Public Key Algorithms II

True & Deterministic Random Number Generators

Digital Signatures. Adam O Neill based on

Blind Collective Signature Protocol

Stream Ciphers. Çetin Kaya Koç Winter / 20

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Cryptographic Hash Functions

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 21

Week : Public Key Cryptosystem and Digital Signatures

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Numbers. Çetin Kaya Koç Winter / 18

Katz, Lindell Introduction to Modern Cryptrography

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Week 12: Hash Functions and MAC

Asymmetric Encryption

Chinese Remainder Algorithms. Çetin Kaya Koç Spring / 22

CRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION

Lecture V : Public Key Cryptography

Pseudo-random Number Generation. Qiuliang Tang

Digital signature schemes

Security II: Cryptography exercises

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Threshold Cryptography

Question: Total Points: Score:

EE 418: Network Security and Cryptography

CPSC 467: Cryptography and Computer Security

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Arithmétique et Cryptographie Asymétrique

On the Elliptic Curve Digital Signature Algorithm

A Security Proof of KCDSA using an extended Random Oracle Model

A message recovery signature scheme equivalent to DSA over elliptic curves

Schnorr Signature. Schnorr Signature. October 31, 2012

Other Public-Key Cryptosystems

Fields in Cryptography. Çetin Kaya Koç Winter / 30

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

March 19: Zero-Knowledge (cont.) and Signatures

Introduction to Information Security

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Elliptic Curve Cryptography

GOST A Brief Overview of Russia s DSA

Design Validations for Discrete Logarithm Based Signature Schemes

Lecture 1: Introduction to Public key cryptography

CPSC 467b: Cryptography and Computer Security

Lecture 10: HMAC and Number Theory

Lecture Notes, Week 6

MATH 158 FINAL EXAM 20 DECEMBER 2016

Elliptic Curves and Cryptography

Public Key Algorithms

NAVAL POSTGRADUATE SCHOOL THESIS

Secret Sharing for General Access Structures

CPSC 467: Cryptography and Computer Security

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Some Lattice Attacks on DSA and ECDSA

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Information Security

Cryptography IV: Asymmetric Ciphers

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

CPSC 467b: Cryptography and Computer Security

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

CS 355: Topics in Cryptography Spring Problem Set 5.

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

The Elliptic Curve Digital Signature Algorithm (ECDSA) 1 2. Alfred Menezes. August 23, Updated: February 24, 2000

International Journal of Advanced Research in Computer Science and Software Engineering

Algorithmic Number Theory and Public-key Cryptography

Discrete logarithm and related schemes

Bitcoin Elliptic Curve Digital Signature Algorithm (ECDSA)

CPSC 467: Cryptography and Computer Security

Exam Security January 19, :30 11:30

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Ti Secured communications

Two Efficient RSA Multisignature Schemes

Other Public-Key Cryptosystems

Provable Security Proofs and their Interpretation in the Real World

Evaluation Report on the ECDSA signature scheme

Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Transcription:

Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 11

DSA: The is a US standard, proposed in 1991 by the NIST Along with the DSA, the hash function SHA-1 was also specified and made a standard The original DSA was based on the SHA-1 size of 160 bits The DSA was covered by a patent, attributed to David Kravitz, a former NSA employee Claus Schnorr also claimed one of his patents covers the DSA The DSA is a variant of the ElGamal signature algorithm Çetin Kaya Koç http://koclab.org Winter 2017 2 / 11

DSA Parameters Two size parameters: L and N L is the size of the first prime number p The original DSA defined L to be a multiple of 64 and in the range 512 L 1024 The security of the DSA is based on the difficulty of the DLP in the group Z p, therefore, L 1024, perhaps 2048 or 3072 bits The second prime number is q, whose size is N The size of q should also match the hash function used In the original DSA, the hash function was SHA-1, and N = 160 Considering the new hash functions, we may take N = 256 or higher Çetin Kaya Koç http://koclab.org Winter 2017 3 / 11

DSA Parameters The prime q divides p 1 The primes p and q are generated together, by first generating the prime q (which is of size N bits), and checking to see if p = I q + 1 is prime for different I values (which are of size L N bits), until a prime p is found Compute g 1 whose multiplicative order is equal to q modulo p, that is, we want g q = 1 (mod p), which is computed as g = h p 1 q (mod p) such that h is an arbitrary integer in the range 1 < h < p 1 The domain parameters are (p, q, g), the same for all users Çetin Kaya Koç http://koclab.org Winter 2017 4 / 11

DSA Key Generation Given the domain parameters are (p, q, g), User A selects a random integer x < q as the private key The public key of the User A is y such that y = g x (mod p) User A publishes y in the director and keeps x secret Çetin Kaya Koç http://koclab.org Winter 2017 5 / 11

DSA Signing Domain parameters are (p, q, g) and the private key is x The hash function h( ) comes with the DSA and generates the hash values of size N bits, which is the size of the prime q Given the message m, User A generates a random number rm and computes the signature (s 1, s 2 ) using s 1 = (g r mod p) mod q s 2 = (h(m) + x s 1 ) r 1 mod q The size of s 1 and s 2 are N bits each Therefore, the signature size is 2N bits The size of the message is unlimited, due to hashing Çetin Kaya Koç http://koclab.org Winter 2017 6 / 11

DSA Verifying Domain parameters are (p, q, g) and the public key is y The verifier also has access to the hash function h( ) The verifier receives the message and signature [m, s 1, s 2 ] and performs the following operations: w = s2 1 mod q u 1 = h(m) w mod q u 2 = s 1 w mod q If v = s 1, the signature is valid v = ((g u1 y u 2 ) mod p) mod q Çetin Kaya Koç http://koclab.org Winter 2017 7 / 11

DSA Correctness The signer computes s 2 = (h(m) + x s 1 ) r 1 mod q, which gives We now calculate g r using r = s2 1 (h(m) + x s 1 ) mod q = h(m) s2 1 + x s 1 s2 1 mod q = h(m) w + x s 1 w mod q g r = g h(m)w g xs 1w = g h(m)w y s 1w = g u1 y u 2 (mod p) By taking modulo q both sides above, we find s 1 = g r (mod q) (mod p) (mod p) = (g u1 y u 2 (mod p)) (mod q) = v Çetin Kaya Koç http://koclab.org Winter 2017 8 / 11

DSA Domain Parameters Example Select q = 101 and p 1 = 6 101 = 606, we find p = 607 Select h = 2, and compute g = h (p 1)/q = 2 6 = 64 The multiplicative order of 64 mod 607 is equal to 101, indeed 64 101 = 1 (mod 607) 64 i 1 (mod 607) for 1 i 100 The domain parameters: (p, q, g) = (607, 101, 64) The private key x = 50 < q, the public key y = g x (mod q) = 64 50 (mod 607) = 76 Çetin Kaya Koç http://koclab.org Winter 2017 9 / 11

DSA Signing Example For h(m) = 10 and r = 75, we generate the signature (s 1, s 2 ) using s 1 = (g r mod p) mod q = (64 75 mod 607) mod 101 = 44 mod 101 = 44 s 2 = (h(m) + x s 1 ) r 1 mod q = (10 + 50 44) 75 1 mod 101 = 89 66 mod 101 = 16 The signature is (s 1, s 1 ) = (44, 16) Çetin Kaya Koç http://koclab.org Winter 2017 10 / 11

DSA Signing Example Given the parameters (p, q, g, y) = (607, 101, 64, 76) and the message/signature (h(m), s 1, s 2 ) = (10, 44, 16), the verifier performs: w = s 1 2 mod q = 16 1 = 19 mod 101 u 1 = h(m) w mod q = 10 19 = 89 mod 101 u 2 = s 1 w mod q = 44 19 = 28 mod 101 v = ((g u1 y u 2 ) mod p) mod q = ((64 89 76 28 mod 607) mod 101 = (376 549 mod 607) mod 101 = 44 Since v = s 1, the signature is valid Çetin Kaya Koç http://koclab.org Winter 2017 11 / 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback