Professional Documents
Culture Documents
Digital Signatures
have looked at
message authentication
but does not address issues of lack of trust verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes
Alice can deny sending a message to !ob since !ob can also produce A"s for different messages#
!ob can produce a A" for another message $ and can claim that it came from Alice#
!ob
Key Generation
!ob$s
PublicKey
Alice
PrivateKey
*oldwaser, icali and +ivest in %,-- identified several attack scenarios on digital signature schemes
.ey/only attack:
0 Attacker knows only the public key
*oldwaser, icali and +ivest also defined success of breaking a signature scheme
1otal break:
0 Attacker finds the signer$s private key
3niversal forgery:
0 Attacker finds an efficient signing algorithm that provides an e2uivalent way of constructing signatures on arbitrary messages#
Selective forgery:
0 Attacker forges a signature for a particular message chosen by him#
E4istential forgery:
0 Attacker can forge a signature for at least one message# 5owever he does not have control over the message 6so can not harm much the signer7#
must depend on the message signed must use information uni2ue to sender
must be relatively easy to produce must be relatively easy to recogni8e & verify be computationally infeasible to forge
with new message for e4isting digital signature with fraudulent digital signature for given message
entire message or hash with private/key can encrypt using receivers public/key important that sign first then encrypt message & signature security depends on sender$s private/key
re2uires suitable level of trust in arbiter can be implemented with either private or
use of public/key encryption need to ensure have correct public keys for other parties using a central Authentication Server 6AS7 various protocols e4ist using timestamps or nonces
)u'lic*+ey "pproaches
have seen some public/key approaches if confidentiality is ma9or concern, can use:
)rime number 2, and generator Generate a random integer XA such that 1<XA<q-1 Compute YA=
X A
)roduce a hash m?56 7 "hose a random integer . such that %&' &q-1 and gcd#'$ q-1% = 1 Compute (1= ' mod 2 Compute '-1 mod 62/%7 Compute ()= '-16m / XA (17 mod 62/%7 1he signature is #(1, ()%
#(1, ()%
)roduce a hash m?56 7 Compute *1= m mod 2 Compute *)= #YA% (1 6(17 () mod 2 >f *1 ?? *) return +,-.$ e"se return /A0(.
3S *ovt approved signature scheme designed by A>S1 & ASA in early ,BCs published as F>)S/%-D in %,,% revised in %,,&, %,,D & then 'BBB uses the S5A hash algorithm (SS is the standard, (SA is the algorithm F>)S %-D/' 6'BBB7 includes alternative +SA & elliptic curve signature variants
choose g = h(p-1)/q
0 where h<p-1, h(p-1)/q (mod p) > 1
M the sender:
generates a random signature key k, k<q nb# k must be random, be destroyed after use, and never be reused
if v=r then signature is verified see book web site for details of proof why
Security level parameter of the signature scheme, key generation speed, signing and verification speed the speed of the used hash function si8e of the private key si8e of the public key, si8e of the produced signatures, the underlying mathematical problem on which the scheme is based 1he period of stability of the scheme since its last tweak or update, patent issues connected with the scheme, )art of any standard "ertified software libraries and availability of open source libraries#
0>n most use case scenarios we need the generated publicIprivate keys to be valid for a certain period which is much longer than the period spent on key generation# 0From that point of view, the key generation speed, although an important attribute in the digital signatures metric, has not so big weight as a crucial operational attribute# 0Jn the other hand, the key exposure problem produces case scenarios where we need to generate 9ust short lived publicIprivate pairs# 0>f the user plan to employ the public key cryptography in such cases, then the key generation speed should be given a higher weight# 0(ifferent algorithms and techni2ues for faster generation of provable or probable prime numbers, and other parameters for the standardi8ed digital signatures schemes#
c#
1he efficiency of digital signature schemes is mostly perceived via the signing and the verification speed# )oor performances compared with symmetric encryption techni2ues# Which signature scheme to use should be taken depending of what kind of signature processes will be performed in the system# >f the process is such that the company server receives a lot of signed transactions from individual clients and have to verify every signature, +SA signatures with small public e4ponent should be chosen# >f a company needs to send a bulk of signed invoices to hundreds of thousands 6or millions7 of users, then elliptical curve signature schemes should be chosen
c#
c#
c#
c#
1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#
1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#
1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#
Si8e of the private key >f the private key is too big, that scheme might be not so appropriate for implementing in smart cards or +F>(s since the hardware resources are scarce in those technologies# Specifics of the signature scheme: For e4ample the si8e of the private key in +SA is of the same order as the si8e of the public key, but in all practical implementations 6like in the popular JpenSSG7 the si8e of the private key is actually - times bigger than the bit si8e of the public key 6due to the use of the "hinese +emainder 1heorem for speeding up the signature process7#
Si8e of the public key 1radeoffs between security levels and the properties of the scheme E4ample: if we need to design a digital signature scheme that has 'ED bits of security, then choosing +SA would be totally unpractical since the public key would need %E&DB bits, and the operational speed would be low# >n such a case, a natural choice would be a signature scheme based on elliptical curves with parameters long around E%' bits#
Si8e of the produced signatures Num'er of e4pected signed documents that the system will handle during the whole operational period 6and much far beyond that / as a legal re2uirements for archiving the signed documents7# 5ave to take into consideration the si8e of the produced signatures# For e4ample, if we model a digital signature system that will be used by %BB million bank customers, during a period of &B years, and if we assume that every customer during a period of &B years will produce K%B,BBB signed transactions then we have to plan for the storage of trillions signed documents# >n that case, any difference in the si8e of the signatures have big implications#
Summary
have discussed:
digital signatures authentication protocols 6mutual & one/way7 digital signature algorithm and standard