# 1 Signatures vs. MACs

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures are the public-key version of message authentication codes:anybody can verify. Can be thought of as digital analogue" of handwritten signatures (but are in fact stronger). Unlike MACs signatures are: 1. Publicly veriable - anybody can verify their validity. 2. Transferable - recipient can show the signature to another party who can then verify that the signature is valid (this follows from public veriability). 3. Non-repudiable - If Alice digitally signs a document, then Bob can prove to a third party (e.g. a court) that she signed it, by presenting the document and her signature. By denition, only Alice could have produced a valid signature. Notice that MACs cannot have this property. None of the parties holding the key can claim the other one has signed. This is because it might be the case that the other party has actually signed. MACs are more ecient in practice. 2 Syntax Denition 1 A digital signature scheme consists of three algorithms (G, S, V ) such that: The key generation algorithm G is a randomized algorithm that returns a public key PK and a secret key SK ; we write (PK, SK ) R G(1 n ). The signing algorithm S is a (possibly) randomized algorithm that takes the secret key SK and a message m and outputs a signature σ; we write σ R S SK (m). The verication algorithm V is a deterministic algorithm that takes the public key PK, a message m, and a signature σ, and outputs V PK (m, σ) {accept, reject}. We require V PK (m, S SK (m)) = accept for all (PK, SK ) R G(1 n ) and m {0, 1}. 1

2 2.1 Comments 1. The sender needs secret key, opposite from public-key encryption. Alice will send a message encrypted with Bob's public key but signed with Alice's secret key. However, digital signatures and public key encryption are not duals" of each other (as one might be tempted to think). 2. It is conceivable that the sender keeps state between signatures and we will allow this in some cases. 3. Similarly to MAC, randomization is not necessary. 4. Note that we do not require any formatting on the messages and they could be arbitrary strings. Sometimes it is required that messages obey some pre-specied format" (possibly depending on PK ). In such a case, it is required to explicitly specify how to map arbitrary strings into a string that obeys this format. 3 Security Denition 2 (existential unforgeability under adaptive chosen message attack) A signature scheme (G, S, V ) is secure if for every PPT A, there is a negligible function ε such that Pr [ A S SK ( ) (PK ) forges ] ε(k) k, where the probability is taken over (PK, SK ) R G(1 k ) and the coin tosses of A. A forges A produces a pair (m, σ) for which (a) V PK (m, σ) = accept, and (b) m is dierent from all of A's queries to the S SK -oracle. 3.1 Comments 1. Denition is strong: (a) A gets access to signatures on messages of its choice. (b) A forges even if m it has produced is meaningless." These are indeed strong requirements. However, if we can satisfy them, we can certainly satisfy weaker requirements. Also, this will give us signature schemes which are application independent (in particular, will be suitable for use regardless of the formatting/semantics of the messages being signed). As for Item (1), in practice this can happen. For example, notary would conceivably sign on any document regardless of its contents. 4 Applications Here are some applications of signatures. 1. Can be used for public-key infrastructure (without public directory): One trusted party (certicate authority, e.g. Verisign) has a public key known to everyone, and signs individual's public keys, e.g. signs statement like m = `Verisign certifies that PK Alice is Alice's public key' 2

3 When starting a communication with a new party, Alice sends the certicate (PK Alice, m, S SK Verisign (m)) Many variants: Can be done hierarchically (Verisign signs Harvard's PK, Harvard signs individual students' public keys). 2. Can be used by any trusted organization/individual to certify any property of a document/le, e.g. that a piece of software is safe. 3. Useful for obtaining chosen ciphertext security (for private key encryption MACs are used). 5 Examples Here are some examples of insecure signatures. 1. Let f be a one-way function. (a) y = f(x) for x r {0, 1} n. SK = x, P K = y. (b) S SK (m) = x. (c) V PK (m, σ) = 1 if and only if f(σ) = y. Analog of handwritten signature. Veries that signer is able to sign. Not secure. Can cut and paste". Signature is independent of message. Adversary A can simply take σ an append it to message of its choice. Demonstrates why our denition of security is stronger than handwritten signatures. 2. Let F = {f i : D i D i } i I be a family of trapdoor permutations. (a) PK = i, SK = t (b) S SK (m) = fi 1 (m). (c) V PK (m, σ): check that f i (σ) = m. Not secure. f i might be easy to invert on a particular m, e.g. for RSA, if m = 1 then S N,d (1) = 1. More generally, the adversary can choose σ D i, compute m = f i (σ) and send the forgery (m, σ). 3. A special case of the trapdoor permutation example is textbook RSA" (a) PK = (N, d), SK = (N, e) (b) S SK (m) = m e mod N. (c) V PK (m, σ) = 1 if and only if σ d = m mod N. Not secure. Given any message m and PK = (N, d) can ask for signatures σ 1, σ 2 on messages m 1 and m 2 = m 1 1 m, where m 1 r ZN. Then σ 1 σ 2 mod N is a valid signature on m (why?). In addition m is very likely to be dierent than m 1, m 2. Demonstrates how one can attack signature scheme even without retrieving SK. 3

4 6 Constructions Digital signatures can be constructed from one-way functions (no trapdoors!). Signing is deterministic. This result is beyond the scope of this class. Instead we will outline a provably secure construction from collision-free hash functions: 1. One-time signature for xed-length messages (P k = {0, 1} k ) from any one-way function. 2. Use hash-then-sign to convert this into a one-time signature for unbounded-length messages. 3. Use key refreshing to convert one-time signature into many-use signature. 6.1 One-time signature We start by showing how to construct a one-time signature from any one-way function f. Single bit message. Let f be any one-way function. 1. The secret key is SK = {x 0, x 1 } where x 0 and x 1 are chosen at random in {0, 1} k. The public key is PK = {y 0, y 1 } where y 0 = f(x 0 ) and y 1 = f(x 1 ). 2. The signature of the bit b is S SK (b) = x b. 3. The verication is V PK (b, x) = accept i f(x) = y b. This scheme is not very ecient and gives away half of the secret key. But it is secure if the adversary asks only one query. Assume that he obtains the signature of 0, i.e. x 0. Then the adversary cannot produce the signature of 1, i.e. invert y 1, because x 0 and x 1 are chosen independently so seeing x 0 does not help him to invert y 1. l-bit messages. G(1 k R ): For i = 1,, l, choose x i,0 {0, 1} k R, x i,1 {0, 1} k. Let y i,0 = f(x i,0 ), y i,1 = f(x i,1 ) PK =all y's, SK =all x's. S SK (m) for m {0, 1} l : For i = 1,..., l, let σ i = x i,mi. Output σ = (σ 1,..., σ l ). V PK (m, σ): Check that f(σ i ) = y i,mi for all in{1,, l}. Theorem 3 Above is a secure one-time signature (i.e. adversary can make only one query) for message space {0, 1} l if f is a one-way function. Proof: Reducibility argument. Suppose there is a PPT forger A that succeeds with nonnegligible probability ε. We will build PPT B that inverts f with nonnegligible probability. Intuitively, the query (m, σ) reveals half of the x's. But m m so in at least one position, A has to guess the corresponding x, i.e. invert f on a point y. B will guess the position where A has successfully inverted f. 4

5 Inverter B(y): 1. Choose j R {1,..., l}, c R {0, 1}. Let y j,c = y. R 2. For all (i, b) (j, c), choose x i,b {0, 1} k, let y i,b = f(x i,b ). 3. Let PK = all y i,b 's, and run A(PK ). 4. A asks for signature on some m. If m j c, B can answer correctly A's query, otherwise output fail. 5. A produces forgery (m, σ ). If m j = c, output x = σ j. Otherwise output fail. Whenever A would successfully forge, B will succeed w.p. 1/2l (whenever (j, c) satisfy m j c and m j = c, σ j is an inverse of y under f) Thus B succeeds w.p. ε/2l, still nonnegligible. If the message is of length l, the public key is of length 2kl so this scheme is not very ecient. Also, to construct signatures for multiple messages we will need that the size of PK is shorter than the size of message. How to sign long messages? Sign a short hash of the message. This is called hash-then-sign. See lecture notes on collision-free hashing. 6.2 One-time signatures to many-time signatures How do we obtain a signature scheme for multiple messages? Idea: generate new keys on the y and authenticate them with previous key. Start with a one-time signature scheme (G, S, V ), and construct general signature scheme as follows: Public key PK 0, secret key SK 0 for original scheme. To sign rst message m 1 : Generate (PK 1, SK 1 ) R G(1 k R ). Let σ 1 S SK 0 (m 1, PK 1 ). Output σ 1 = (1, σ 1, m 1, PK 1 ). To sign second message m 2 : Generate (PK 2, SK 2 ) R G(1 k R ). Let σ 2 S SK 1 (m 2, PK 2 ). Output σ 2 = (2, σ 1, σ 2, m 2, PK 2 ). etc. This works, but very inecient. Improvements: Use a tree each key authenticates two new keys signature length, verication time, signing time no longer grow linearly w/ number of signatures. Can also make it stateless. Can construct secure signatures based on any one-way function (very complicated!). See Katz-Lindell. 5

6 7 Digital Signatures in Practice Hash-then-sign with plain RSA PK = (N, e), SK = (N, d) s.t. ed 1 (mod φ(n)). S SK (m) = (H(m)) d mod N where H is SHA-1 or MD5. Intuition: adversary has no control over H(m), so cannot forge by choosing signature rst, or by exploiting special inputs on which RSA is easy to invert. RSA PKCS #1: H(m) = 001F F F F 00 SHA-1(m). No justication. Doesn't seem related to one-wayness of RSA since H(m) is always of very special form. Random Oracle Model If model H as a public truly random function H : {0, 1} Z N, then can justify signature based on one-wayness of RSA. But no H is a truly random function. Heuristically, it is hoped that some cryptographic hash functions (e.g. SHA-1) behave like a truly random function. El Gamal signatures PK = (p, g, ˆx), SK = (p, g, x) where ˆx = g x mod p. S SK (m): 1. Choose y R Z p 1, let ŷ = g y mod p. 2. Find s s.t. g m g xŷ ŷ s (mod p). 3. Output σ = (ŷ, s). How does the signer compute s? We have m xŷ + ys (mod (p 1)) and the signer knows X, y, ŷ, m so he can compute (m xŷ)y 1 modulo (p 1). V PK (m, (y, s)): Check that g m ˆx y y s (mod p). Not secure! (Similar attacks as plain trapdoor functions.) Digital Signature Standard (1991, NIST+NSA): hash-then-sign, using SHA-1 and DSA (variant of El Gamal). Bridging the gap... Heuristic proofs in Random Oracle Model (as mentioned above)., More ecient, truly provable signatures based on specic hard problems: Strong RSA (given N, z, nd y, e > 1 s.t. y e z (mod N)). 6

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

### Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Cryptographic Hash Functions Message Authentication Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2 Encryption/Decryption

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Lecture 13. Lecturer: Yevgeniy Dodis Spring 2012

CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### Communications security

University of Roma Sapienza DIET Communications security Lecturer: Andrea Baiocchi DIET - University of Roma La Sapienza E-mail: andrea.baiocchi@uniroma1.it URL: http://net.infocom.uniroma1.it/corsi/index.htm

### Digital signatures. Informal properties

Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

### 9 Digital Signatures: Definition and First Constructions. Hashing.

Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

### Authentication, digital signatures, PRNG

Multimedia Security Authentication, digital signatures, PRNG Mauro Barni University of Siena Beyond confidentiality Up to now, we have been concerned with protecting message content (i.e. confidentiality)

### Part VII. Digital signatures

Part VII Digital signatures CHAPTER 7: Digital signatures Digital signatures are one of the most important inventions/applications of modern cryptography. The problem is how can a user sign a message such

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

### Introduction to Computer Security

Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Delegation of Cryptographic Servers for Capture-Resilient Devices

ACM, 2001. This is the authors' version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available at http://doi.acm.org/10.1145/501983.501986.

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

### Proactive Two-Party Signatures for User Authentication

Proactive Two-Party Signatures for User Authentication Antonio Nicolosi, Maxwell Krohn, Yevgeniy Dodis, and David Mazières NYU Department of Computer Science {nicolosi,max,dodis,dm}@cs.nyu.edu Abstract

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### CRC Press has granted the following specific permissions for the electronic version of this book:

This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Digital signatures are one of the most important inventions/applications of modern cryptography.

CHAPTER 7: DIGITAL SIGNATURES Digital signatures are one of the most important inventions/applications of modern cryptography. Part VII Digital signatures The problem is how can a user sign (electronically)

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### 8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA

8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA Twin Signatures: an Alternative to the Hash-and-Sign Paradigm David Naccache (Gemplus,

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

### CS549: Cryptography and Network Security

CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1 Notice This lecture note (Cryptography and Network Security) is prepared

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### Lecture 7: Hashing III: Open Addressing

Lecture 7: Hashing III: Open Addressing Lecture Overview Open Addressing, Probing Strategies Uniform Hashing, Analysis Cryptographic Hashing Readings CLRS Chapter.4 (and.3.3 and.5 if interested) Open Addressing

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Message Authentication Codes. Lecture Outline

Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

### Message authentication and. digital signatures

Message authentication and " Message authentication digital signatures verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non!repudiation

### 2. Cryptography 2.4 Digital Signatures

DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### Public-Key Cryptanalysis

To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the

### Cryptography & Network Security

Cryptography & Network Security Lecture 1: Introduction & Overview 2002. 3. 27 chlim@sejong.ac.kr Common Terms(1) Cryptography: The study of mathematical techniques related to aspects of information security

### MAC. SKE in Practice. Lecture 5

MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve

### Digital Signatures. Nicolas T. Courtois - University College of London

Nicolas T. Courtois - University College of London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal

### Digital Signatures. Nicolas T. Courtois - University College London

Nicolas T. Courtois - University College London Roadmap Legal aspects What are Digital Signatures? How Secure they are? Main realizations known Applications 2 1. What is a [Digital] Signature? Legal Aspects

### The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with

### Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### What is network security?

Network security Network Security Srinidhi Varadarajan Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

### Lecture 9: Application of Cryptography

Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

### Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Application Layer (1)

Application Layer (1) Functionality: providing applications (e-mail, www, USENET etc) providing support protocols to allow the real applications to function properly security comprising a large number

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email

CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure