Lecture 14: Digital Signatures Flashcards
What do MACs allow? What data security does this provide?
only allow an entity with the shared secret to generate a valid tag
–> providing data integrity and data authentication
What do digital signatures use to provide properties of MAC and more?
public key cryptography
What is the general idea of how digital signatures ensure data integrity and authentication?
only the owner of the private signing key can generate a valid digital signature
What security service do digital signatures provide?
1) non-repudiation
2) a judge can decide which party has formed the signature
What is non-repudiation?
Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information
Compare physical and digital signatures
Physical Signatures:
1) produced by a human
2) same on all docs
3) easy to recognise
Digital Signatures:
1) produced by a machine
2) function of the message
3) requiring a computer to check
Both signature types need to be difficult to forge
What are the relevant algorithms involved in digital signatures
1) key generation
2) signature generation
3) signature verification
What does the key generation alg output?
2 keys:
1) a private signing key Ks
2) a public verification key Kv
Outline the signature generation alg for digital signatures
See slide 8 in set 14
What are the inputs to the signature generation alg?
1) Alice’s private signing key Ks
2) Message M
What is the output of the signature generation algorithm?
Signature s = Sig(M, Ks)
Who should be able to generate a valid signature?
Only Alice, the owner of Ks
What must message M be for the signature generation algorithm?
any bit string
Comment on the size of the set of all signatures from the signature generation alg
Set of fixed size
Which of the three security properties is needed for signature generation alg?
only need integrity, not confidentiality –> the signature only needs to prove to Bob that Alice signed M
Outline the signature verification alg for digital signatures
See slide 9 in set 14
What are the inputs for the signature verification alg?
1) Alice’s public verification key Kv
2) Message M
3) Claimed signature s
What is the output for the signature verification alg?
Boolean value Ver(M, s, Kv) = true/false
Who should be able to verify a signature?
anyone
What are the properties of digital signatures?
1) correctness
2) unforgeability
Comment on the correctness property of digital signatures
If s = Sig(M, Ks) then Ver(M, s, Kv) = true for any matching Ks and Kv
Comment on the unforgeability property of digital signatures
It is computationally infeasible for anyone without Ks to construct the pair (M,s) s.t. Ver(M, s, Kv) = true
Can the signing algorithm Sig be randomised for digital signatures?
yes
–> since there are many possible signatures for a single message
Give the stronger security definition for digital signatures
1) an attacker has access to a chosen message oracle
2) Forging a new signature should be difficult even if the attacker can obtain signatures on messages of her choice
What are the possible security attacks on digital signatures?
1) key recovery
2) selective forgery
3) existential forgery
Explain key recovery i.t.o. digital signatures
the attacker attempts to recover the private signing key Ks from the public verification key Kv and some known signatures
Explain selective forgery i.t.o. digital signatures
the attacker chooses a message and attempts to obtain a signature on that message
Explain existential forgery i.t.o. digital signatures
The attacker attempts to forge a signature on any message not previously signed
It could be a meaningless message
What must modern digital signatures satisfy to be seen as secure?
if they can resist existential forgery under a chosen message attack
What are RSA signature keys generated in the same way as?
RSA encryption keys
Explain the process for generating RSA signature keys
IMPORTANT
Public verification key: n, e where n = pq for large primes p, q
Private signing key: p, q, d s.t. ed mod φ(n) = 1
see slide 13 in set 14
What else is required for RSA signature keys’ generation?
A hash function h is also required as a fixed public parameter
Can be a standard hash function e.g. SHA-256
Explain the signature generation process for RSA signatures
1) inputs a message M, modulus n and private exponent d
2) computes s = h(M)^d mod n
3) outputs (M,s) as the signature
Explain the signature verification process for RSA signatures
1) inputs are claimed signature (M,s), modulus n and public exponent e
2) compute h' = h(M)
3) check if s^e mod n = h'
If so, then output true; otherwise output false
–> see set 12 for correctness
What do discrete logarithm signatures’ security rely on?
difficulty of discrete logarithm problem
What are the three versions of discrete logarithm signatures?
1) Original Elgamal signatures in Z*p (1985)
2) Digital signature algorithm (DSA) standardised by NIST
–> an optimized version of Elgamal signatures
3) DSA based on elliptic curve groups, known as ECDSA
Give the Elgamal elements in Z*p
See slide 17 in set 14
What are the Elgamal operations in Z*p?
1) signature generation
2) signature verification
Give the process for signature generation for Elgamal in Z*p
See slide 18 in set 14
Give the process for signature verification for Elgamal in Z*p
See slide 19 in set 14
What does DSA stand for?
digital signature algorithm
When was DSA first published?
1994 by NIST
What standard is DSA in?
FIPS PUB 186-4 (2013)
What is DSA based on?
Elgamal signatures
What is DSA used with?
SHA family of hash functions
Comment on DSA’s calculations and signature sizes
simpler calculations
short signatures
–> calculations done in a subgroup of Z*p or an elliptic curve group
What does DSA prevent?
attacks that Elgamal signatures may be vulnerable to
Explain the idea of DSA
See slide 20 in set 14
What are differences that DSA has with Elgamal signatures?
See slide 21 in set 14
What are the parameters for DSA
See slide 22 in set 14
What are the valid combinations of the length of the prime modulus p and prime divisor q?
L = 1024, N = 160
L = 2048, N = 224
L = 2048, N = 256
L = 3072, N = 256
What is the generator for DSA?
See slide 22 in set 14
What is the parameter H in DSA?
hash function from SHA family variant such that the output is an N-bit digest
(N is the length of q, a prime divisor of p - 1, and p is the prime modulus)
Give the key generation process for DSA
See slide 23 in set 14
Give the signature generation process for DSA
See slide 23 in set 14
Give the signature verification process for DSA
See slide 24 in set 14
What are the differences DSA has with Elgamal signatures?
1) verification eqn
2) signature generation requirement
3) signature verification requirement
4) signature size
What is the verification eqn difference between DSA and Elgamal signatures?
DSA’s verification eqn is the same, except that all exponents and the final result are reduced modulo q
What is the signature generation difference between DSA and Elgamal signatures?
DSA’s signature generation mainly requires one exponentiation with a short exponent (224 or 256 bits)
What is the signature verification difference between DSA and Elgamal signatures?
DSA’s signature verification requires 1 short exponentiation
What is the signature size difference between DSA and Elgamal signatures?
DSA’s signature size is only 2N bits:
–> 448 bits when N = 224
–> 512 bits when N = 256
What are |p|, |q| and the hash function for DSA v1 defined as in the 2013 standard?
|p| –> 1024
|q| –> 160
hash func –> SHA-1
What are |p|, |q| and the hash function for DSA v2 defined as in the 2013 standard?
|p| –> 2048
|q| –> 224
hash func –> SHA-224
What are |p|, |q| and the hash function for DSA v3 defined as in the 2013 standard?
|p| –> 2048
|q| –> 256
hash func –> SHA-256
What are |p|, |q| and the hash function for DSA v4 defined as in the 2013 standard?
|p| –> 3072
|q| –> 256
hash func –> SHA-256
What does ECDSA stand for?
elliptic curve DSA
What standard is ECDSA in?
FIPS PUB 186-4 (2013)
Where are the parameters chosen from for ECDSA?
NIST approved curves
Are signature generation and verification for ECDSA the same as for DSA?
Yes, except that:
1) q becomes the order of the elliptic curve group
2) multiplication mod p is replaced by the elliptic curve group operation
3) after operations on group elements, only the x coordinate is kept (from the pair (x, y))
Compare the signature sizes of ECDSA and DSA for the same security level
ECDSA signatures are generally not shorter than DSA signatures for the same security level
Compare the variation in signature sizes for ECDSA and DSA
ECDSA signature size varies with the underlying curve
–> Between 326 bits and 1142 bits from approved curves
Compare the public key sizes for ECDSA and DSA
ECDSA public keys are shorter than DSA public keys