Lecture 14: Digital Signatures Flashcards by Hayley Krippner

What do MACs allow? What data security does this provide?

only allow an entity with shared secrete to generate a valid tag

–> providing data integrity and data authentication

How well did you know this?

Not at all

Perfectly

What do digital signatures use to provide properties of MAC and more?

public key cryptography

How well did you know this?

Not at all

Perfectly

What is the general idea of how digital signatures ensure data integrity and authenthication?

only the owner of the private signing key can generate a valid digital signature

How well did you know this?

Not at all

Perfectly

What security service do digital signatures provide?

1) non-repudiation

2) a judge can decide which party has formed the signature

How well did you know this?

Not at all

Perfectly

What is non-repudiation?

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information

How well did you know this?

Not at all

Perfectly

Compare physical and digital signatures

<strong>Physical Signatures</strong>

1) produced by a human
2) same on all docs
3) easy to recognise

<strong>Digital Signatures</strong>

1) produced by a machine
2) function of the message
3) requiring a computer to check

Both signature types need to be difficult to forge

How well did you know this?

Not at all

Perfectly

What are the relevant algorithms involved in digital signatures

1) key generation
2) signature generation
3) signature verification

How well did you know this?

Not at all

Perfectly

What does the key generation alg ouput?

2 keys:

1) a private signing key Ks
2) a public verification key Kv

How well did you know this?

Not at all

Perfectly

Outline the signature generation alg for digital signatures

See slide 8 in set 14

How well did you know this?

Not at all

Perfectly

What are the inputs to the signature generation alg?

1) Alice’s private signing key Ks

2) Message M

How well did you know this?

Not at all

Perfectly

What is the output of the signature generation algorithm?

Signature s = Sig(M, Ks)

How well did you know this?

Not at all

Perfectly

Who should be able to generate a valid signature?

Only Alice, the owner of Ks

How well did you know this?

Not at all

Perfectly

What must be message M be for the signature generation algorithm?

any bit string

How well did you know this?

Not at all

Perfectly

Comment on the size of the set of all signatures from the signature generation alg

Set of fixed size

How well did you know this?

Not at all

Perfectly

Which of the three security properties is needed for signature generation alg?

only need integrity, not confidentiality –> prove to Bob signature

How well did you know this?

Not at all

Perfectly

Outline the signature verification alg for digital signatures

See slide 9 in set 14

How well did you know this?

Not at all

Perfectly

What are the inputs for the signature verification alg?

1) Alice’s public verification key Kv
2) Message M
3) Claimed signature s

How well did you know this?

Not at all

Perfectly

What is the output for the signature verification alg?

Boolean value Ver(M, s, Kv) = true/false

How well did you know this?

Not at all

Perfectly

Who should be able to verify a signature?

anyone

How well did you know this?

Not at all

Perfectly

What are the properties of digital signatures?

1) correctness

2) unforgeability

How well did you know this?

Not at all

Perfectly

Comment on the correctness property of digital signatures

If s = Sig(M, Ks) then Ver(M, s, Kv) = true for any matching Ks and Kv

How well did you know this?

Not at all

Perfectly

Comment on the unforgeability property of digital signatures

It is computationally infeasible for anyone without Ks to construct the pair (M,s) s.t. Ver(M, s, Kv) = true

How well did you know this?

Not at all

Perfectly

Can the signing algorithm Sig be randomised for digital signatures?

yes

–> since there are many possible signatures for a single message

How well did you know this?

Not at all

Perfectly

Give the stronger security definition for digital signatues

1) an attacker has access to a chosen message oracle

2) Forging a new signature should be difficult even if the attacker can obtain signatures on messages of her choice

How well did you know this?

Not at all

Perfectly

What are the possible security attacks on digital signatures?

1) key recovery 2) selective forgery 3) existential forgery

Explain the key recovery i.t.o for digital signatures

the attacker attempts to recover the private signing key Ks from the public verification key Kv and some known signatures

Explain the selective forgery i.t.o digital signatues

the attacker chooses a message and attempts to obtain a signature on that message

Explain the existential forgery i.t.o digital signatures

The attacker attempts to forge a signature on any message not previously signed It could be a meaningless message

What must modern digital signatures satisfy to be seen as secure?

if they can resist existential forgery under a chosen message attack

What are RSA signature keys generated in the same way as?

RSA encryption keys

Explain the process for generating RSA signature keys **IMPORTANT**

Public verification key: n, e where n = pq for large primes p,q Private signing key: p,q,d s.t. ed mod Φ (n) = 1 see slide 13 in set 14

What else is required for RSA signature keys' generation?

A hash function h is also required as a fixed public parameter Can be a standard hash function e.g. SHA-256

Explain the signature generation process for RSA signatures

1) inputs a message M, modulus n and private exponent d 2) computes s = h(M)^d mod n 3) outputs (M,s) as the signature

Explain the signature verification process for RSA signatures

1) inputs are claimed signature (M,s), modulus n and public exponent e 2) compute h' = h(M) 3) check if s^e mod n = h'? If so, then output true; otherwise output false --> see set 12 for correctness

What do discrete logarithm signatures' security rely on?

difficulty of discrete logarithm problem

What are the three versions of discrete logarithm signatues?

1) Original Elgamal signatures in Z*p (1985) 2) Digital signature algorithm (DSA) standardised by NIST - -> an optimized version of Elgamal signatures 3) DSA based on elliptic curve groups, known as ECDSA

Give the Elgamal elements in Z*p

See slide 17 in set 14

What are the Elgamal operations in Z*p?

1) signature generation | 2) signature verification

Give the process for signature generation for Elgamal in Z*p

See slide 18 in set 14

Give the process for signature verification for Elgamal in Z*p

See slide 19 in set 14

What does DSA stand for?

digital signature algorithm

When was DSA first published?

1994 by NIST

What standard is DSA in?

FIPS PUB 186-4 (2013)

What is DSA based on?

Elgamal signatures

What is DSA used with?

SHA family of hash functions

Comment on DSA's calculations and signature sizes

simpler calculations short signatures --> cals done in a subgroup Z*p or an elliptic curve group

What does DSA prevent?

attacks that Elgamal signatures may be vulnerable to

Explain the idea of DSA

See slide 20 in set 14

What are differences that DSA has with Elgamal signatures?

See slide 21 in set 14

What are the parameters for DSA

See slide 22 in set 14

What are the valid combinations of the length of the prime modulus p and prime divisor q?

L = 1024, N = 160 L = 2048, N = 224 L = 2048, N = 256 L = 3072, N = 256

What is the generator for DSA?

See slide 22 in set 14

What is the parameter H in DSA?

hash function from SHA family variant such that the output is an N-bit digest (N is the length of q, a prime devisor of p - 1 and p is the prime modulus)

Give the key generation process for DSA

See slide 23 in set 14

Give the signature generation process for DSA

See slide 23 in set 14

Give the signature verification process for DSA

See slide 24 in set 14

What are the differences DSA has with Elgamal signatures?

1) verification eqn 2) signature generation requirement 3) signature verification requirement 4) signature size

What is the verification eqn difference between DSA and Elgamal signatures?

DSA's verification eqn is that same, except that all exponents and final result are reduced modulo q

What is the signature generation difference between DSA and Elgamal signatures?

DSA's signature generation mainly requires one exponentiation with a short exponent (224 or 256 bits)

What is the signature verification difference between DSA and Elgamal signatures?

DSA's signature verification requires 1 short exponentiatoins

What is the signature size difference between DSA and Elgamal signatures?

DSA's signature size is only 2N bits: - -> 448 bits when N = 224 - -> 512 bits when N = 256

What are |p|, |q| and the hash function for DSA v1 defined as in the 2013 standard?

|p| --> 1024 |q| --> 160 hash func --> SHA-1

What are |p|, |q| and the hash function for DSA v1 defined as in the 2013 standard?

|p| --> 2048 |q| --> 224 hash func --> SHA-224

What are |p|, |q| and the hash function for DSA v1 defined as in the 2013 standard?

|p| --> 2048 |q| --> 256 hash func --> SHA-256

What are |p|, |q| and the hash function for DSA v1 defined as in the 2013 standard?

|p| --> 3072 |q| --> 256 hash func --> SHA-256

What does ECDSA stand for?

elliptic curve DSA

What standard is ECDSA in?

FIPS PUB 186-4 (2013)

Where are the parameters chosen from for ECDSA?

NIST approved curves

Are signature generation and verification the same for DSA?

Yes, except that: 1) q becomes the order of the elliptic curve group 2) multiplication mod p is replaced by the elliptic curve group operation 3) after operations on group elements, only the x condition is kept (from pair(x, y))

Compare the signature sizes of ECDSA and DSA for the same security level

ECDSA signatures are generally not shorter than DSA signatures for the same security level

Compare the variation in signature sizes for ECDSA and DSA

ECDSA signature size varies with the underlying curve --> Between 326 bits and 1142 bits from approved curves

Compare the public key sizes for ECDSA and DSA

ECDSA public keys are shorter than DSA public keys