# A New Generic Digital Signature Algorithm

Save this PDF as:

Size: px
Start display at page:

Download "A New Generic Digital Signature Algorithm"

## Transcription

1 Groups Complex. Cryptol.? (????), 1 16 DOI /GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study two digital signature algorithms, the DSA and ECDSA, which have became NIST standard and have been widely used in almost all commercial applications. We will show that the two algorithms are actually the same algebraically and propose a generic algorithm such that both DSA and ECDSA are instances of it. By looking at this special angle through the generic algorithm, we gain a new insight into the two algorithms DSA and ECDSA. Our new proposed digital signature algorithm is described generically using a group G and a map tonumber : G Z. As an illustration, we choose G to be a group of non-singular circulant matrices over finite field and describe a totally new concrete digital signature algorithm. Keywords. digital signature, discrete log problem, circulant matrices group Mathematics Subject Classification. 94A60, 68Q17, 12Y05. 1 Introduction A digital signature algorithm is a public key cryptographic algorithm designed to protect the authenticity of a digital message or document. A message is signed by a secret key to produce a signature and the signature is verified against the message by a public key. Thus any party can verify the signatures but only one party with the secret key can sign the messages. A valid digital signature gives a recipient reason to believe that the message was created by a known sender who possesses the secret key, and that it was not altered in transit. Digital signatures are used widely in e-commerce applications, in banking applications, in software distribution, and in other cases where jurisdiction is involved and it is important to detect forgery or tampering. Thus it is crucial to use algorithms that have been standardized by government organizations. Even though there are a numerous number of digital signature algorithms in research literature, only three algorithms have been standardized by the National Institute of Standards and Technology (NIST) and have been widely used in almost all commercial applications. These are the RSA, the DSA and the ECDSA [3, 5]. The RSA was invented by Rivest, Shamir and Adleman, and the security of the algorithm is based on the hardness of factoring a product of two large prime numbers. The DSA was proposed by NIST and attributed to Kravitz, a former

2 2 J. Seberry, V. To and D. Tonien NSA employee. The security of the DSA is based on the hardness of the discrete log problem on the multiplicative group of units on the finite field F p. The ECDSA is the elliptic curve analogous of the DSA and its security is based on the discrete log problem on the group of points on elliptic curve over a finite field. In this paper, we study the DSA and ECDSA. Our goal is to find a common algebraic structure between the two algorithms. We show that the two algorithms are actually the same algebraically. We will propose a generic algorithm that captures the common algebraic structure of these two algorithms. DSA and ECDSA have been standardized and widely used in real world applications. Their securities have been attested by cryptographic community for almost two decades. It is reasonable to believe that our new DSA-based generic algorithm is secure. We will give a proof of the correctness of the generic algorithm and show that the security of the algorithm is based on the hardness of the discrete log problem in the underlined group. The rest of the paper is organised as follows. In section 2, we give some mathematical preliminaries and notations. In section 3, we compare the two algorithms DSA and ECDSA and derive their algebraic similarity. The new generic algorithm will be described in section 4 and an example is given in section 6. In this example, we will use a group of circulant matrices and describe a concrete digital signature algorithm. 2 Preliminaries 2.1 Groups We recall that a group is a special algebraic structure that consists of a set G with a binary operation : G G G, (a, b) a b, that satisfies three conditions: (1) there is a special element e called the identity such that a e = e a = a for any group element a, (2) for each group element a, there is a group element a 1, called the inverse of a, such that a a 1 = a 1 a = e, and (3) the operation is associative, that is a (b c) = (a b) c for any group elements a, b and c. For an integer n and a group element a, we define the power a n as a n = a a a (n times). If the group is commutative, people often use + for the group operation and 0 for the identity element. In this additive notation, the power function is a+a+ +a = na. In this paper, we will discuss algebraic properties generically, we are going to prototype group operations as in modern programming language as follows GroupElement multiply(groupelement a, GroupElement b); GroupElement inverse(groupelement a); GroupElement pow(groupelement a, Integer n);

3 A New Generic Digital Signature Algorithm 3 The correctness proofs of the DSA, ECDSA and our new algorithm are based on the following classical theorem. Theorem 2.1. (Lagrange s Theorem) In a finite group G, for any group element a, pow(a, G ) is equal to the identity element. The discrete log problem in a group G is stated as follows: given two group elements a and b = pow(a, x), find the number x. In DSA and ECDSA, we need to use groups such that the discrete log problem is hard. This is because in these algorithms, the attacker knows the two group elements g and y. The element g is the group generator and is specified in the group parameters. The element y is the public key. Both g and y are made public and anyone will know these values. The secret key is the number x and we have y = pow(g, x). If the discrete log problem is not hard then from g and y, anyone can solve the discrete log problem to obtain the secret key x. 2.2 Fiber sets and fiber-skew functions For a function f : A B and y B, the fiber set F y is defined as follows F y = {x A : f(x) = y}. F y is the set of all elements of A that are mapped to y in B. The domain A is partitioned into the fiber sets F y. If A and B are finite sets then the size of the fiber set F y reflects the probability P r[x : f(x) = y]. Indeed, P r[x : f(x) = y] = F y A. If f : A B is a random function then each y B will have an equal probability for f(x) = y. It means that all the fiber sets F y have approximately the same size and F y A / B. On the other hand, if there is a fiber set F y that has a relatively larger size then with this particular value of y, there is a larger

4 4 J. Seberry, V. To and D. Tonien probability that f(x) = y. In this case, we call the function f as a skew-fiber function. To measure how skew a function is, we may use the quantity α = max( F y ) A = max(p r[x : f(x) = y]). y B then α [1/ B, 1] and the larger the α value the more skew a function is. In this sense, a random function is a least skew function with α = 1/ B. A constant function is a most skew function with α = 1. In a constant function, one fiber set is equal to the whole set B whereas other fiber sets are empty. We will see later that in our new generic algorithm, one of our security requirements is that the function tonumber n : G Z n is not a skew-fiber function. This requirement means that for each i Z n, the probability that tonumber n (g) = i is negligible, or equivalently, all the fiber sets have roughly similar size and no fiber set has a larger size. 3 Comparison between DSA and ECDSA In this section, we will compare the two algorithms DSA and ECDSA. We will look at DSA and ECDSA step by step in details. Domain parameters setup. DSA Setup ECDSA Setup p is a prime, q is a prime divisor of p 1 E(F q ) is an elliptic curve over the field F q g is an element of order q in (Fp, ) G is an element of prime order n in (E(F q ), +) Domain parameters: p, q, g Domain parameters: E(F q ), n, G We can see that in the setup phase, the aim in both DSA and ECDSA is to set up a group (G, ) such that the discrete log problem is hard. In DSA, G is the subgroup of (F p, ) generated by the element g of order q: G = g = {1, g, g 2,..., g q 1 }, and the group operation is the multiplication modulo p. In ECDSA, G is the subgroup of (E(F q ), +) generated by the element G of order n: G = G = {O, G, 2G,..., (n 1)G}, and the group operation is the elliptic curve point addition +. Let us use the following prototyped function in programming language to denote the function that returns the order of the group G.

5 A New Generic Digital Signature Algorithm 5 Integer getorder(); In DSA, getorder() = q, and in ECDSA, getorder() = n. Key generation. DSA Key generation ECDSA Key generation Select a random integer x [1, q 1] Select a random integer d [1, n 1] Compute y = g x (mod p) The private key is x The public key is y Compute Q = dg The private key is d The public key is Q The key generation of both DSA and ECDSA can be re-written generically as follows Select a random integer x [1, getorder() 1]. Compute y = pow(g, x). The private key is x Z. The public key is y G. Signature generation and verification DSA Signature generation ECDSA Signature generation 1. Compute e = H(M) 1. Compute e = H(M) 2. Select a random integer k [1, q 1] 2. Select a random integer k [1, n 1] 3. Compute w = g k (mod p) 3. Compute W = kg = (x 1, y 1 ) 4. Compute r = w (mod q) 4. Compute r = x 1 (mod n) 5. Compute s = k 1 (e + xr) (mod q) 5. Compute s = k 1 (e + dr) (mod n) 6. The signature for M is (r, s) 6. The signature for M is (r, s) DSA Signature verification ECDSA Signature verification 1. Compute e = H(M) 1. Compute e = H(M) 2. Compute z = s 1 (mod q) 2. Compute z = s 1 (mod n) 3. Compute u 1 = ez (mod q) 3. Compute u 1 = ez (mod n) 4. Compute u 2 = rz (mod q) 4. Compute u 2 = rz (mod n) 5. Compute v = g u 1y u 2 (mod p) 5. Compute V = u 1 G + u 2 Q = (x 1, y 1 ) 6. Compute r = v (mod q) 6. Compute r = x 1 (mod n) 7. Accept the signature if r = r 7. Accept the signature if r = r

6 6 J. Seberry, V. To and D. Tonien We can see that DSA and ECDSA are different in the signature generation and verification. In signature generation, the difference is in the step 4 and in signature verification, the difference is in the step 6. In order to resolve these differences, we propose to rewrite the step 4 in signature generation into two steps 4A and 4B. Also in signature verification, we will rewrite the step 6 into two steps 6A and 6B as follows. Rewriting signature generation and verification DSA Signature generation ECDSA Signature generation 1. Compute e = H(M) 1. Compute e = H(M) 2. Select a random integer k [1, q 1] 2. Select a random integer k [1, n 1] 3. Compute w = g k (mod p) 3. Compute W = kg = (x 1, y 1 ) 4A. Compute t = w 4A. Compute t = x 1 4B. Compute r = t (mod q) 4B. Compute r = t (mod n) 5. Compute s = k 1 (e + xr) (mod q) 5. Compute s = k 1 (e + dr) (mod n) 6. The signature for M is (r, s) 6. The signature for M is (r, s) DSA Signature verification ECDSA Signature verification 1. Compute e = H(M) 1. Compute e = H(M) 2. Compute z = s 1 (mod q) 2. Compute z = s 1 (mod n) 3. Compute u 1 = ez (mod q) 3. Compute u 1 = ez (mod n) 4. Compute u 2 = rz (mod q) 4. Compute u 2 = rz (mod n) 5. Compute v = g u 1y u 2 (mod p) 5. Compute V = u 1 G + u 2 Q = (x 1, y 1 ) 6A. Compute t = v 6A. Compute t = x 1 6B. Compute r = t (mod q) 6B. Compute r = t (mod n) 7. Accept the signature if r = r 7. Accept the signature if r = r We can see that the step 4A of the DSA signature generation and the step 6A of the DSA signature verification seem redundant. However, this is the crucial step of our proposed generic algorithm. An important fact that we want to point out is that in step 4A of DSA, even t and w have the same value but they are of different types. The variable w is a group element of G, but the variable t is an integer. Therefore, step 4A seems redundant but it is not. To make this point clear, we will introduce the following function Integer tonumber(groupelement a);

7 A New Generic Digital Signature Algorithm 7 The function tonumber : G Z is a function maps a group element to an integer. In DSA, the function tonumber : G Z is the trivial identity function that map each group element a F p to the number a [1, p 1] Integer tonumber(groupelement a){ return a; } In ECDSA, the function tonumber : G Z is the function that map each group element a E(F q ) to the x-coordinate of a Integer tonumber(groupelement a){ write the point as a = (x 1, y 1 ) return x 1 ; } With the introduction of the function tonumber : G Z, we can see that the two algorithms DSA and ECDSA are now exactly the same algebraically. 4 Generic algorithm In this section, we will describe our new generic digital signature algorithm which is motivated from the two algorithm DSA and ECDSA. This generic algorithm will use a group (G, ) such that the discrete log problem is hard. We will use a function tonumber : G Z that maps a group element a G to an integer: Integer tonumber(groupelement a); We will later show that our generic algorithm is correct and its correctness is independent of the choice of the group G and the function tonumber : G Z. Below is the description of the generic algorithm Setup. (G, ) is a cyclic group g is a generator of (G, ) n is the order of the group (G, ) Domain parameters: description of (G, ), g, n Key generation. Select a random integer x [1, n 1] Compute y = pow(g, x) The private key is x Z

8 8 J. Seberry, V. To and D. Tonien The public key is y G Signature generation. 1. Compute e = H(M) 2. Select a random integer k [1, n 1] 3. Compute w = pow(g, k) G 4A. Compute t = tonumber(w) Z 4B. Compute r = t (mod n) 5. Compute s = k 1 (e + xr) (mod n) 6. The signature for M is (r, s) Signature verification. 1. Compute e = H(M) 2. Compute z = s 1 (mod n) 3. Compute u 1 = ez (mod n) 4. Compute u 2 = rz (mod n) 5. Compute v = multiply(pow(g, u 1 ), pow(y, u 2 )) G 6A. Compute t = tonumber(v) Z 6B. Compute r = t (mod n) 7. Accept the signature if r = r 5 Security analysis of the generic algorithm 5.1 Proof of correctness We now prove the correctness of the generic algorithm. We show that if (r, s) is a signature of a message M generated by the signature generation algorithm then the signature verification algorithm must accept this signature as valid. This correctness of the algorithm is independent of the choice of the group G and the function tonumber : G Z. Theorem 5.1. If (r, s) is a signature generated by the signature generation algorithm of a message M then there must exist a number k such that where e = H(M) Z. r = tonumber(pow(g, k)) (mod n) s = k 1 (e + xr) (mod n),

9 A New Generic Digital Signature Algorithm 9 Theorem 5.2. A valid signature (r, s) that passes the signature verification algorithm for a message M must satisfy r = tonumber(pow(g, z(e + xr)) (mod n) where e = H(M) Z and z = s 1 (mod n). Proof. From the signature verification algorithm, we have r = t (mod n) = tonumber(v) (mod n) = tonumber(pow(g, u 1 ), pow(y, u 2 )) (mod n) = tonumber(pow(g, u 1 + xu 2 )) (mod n) = tonumber(pow(g, z(e + xr))) (mod n). The correctness of the digital signature algorithm now follows from Theorem 5.1 and Theorem 5.2. Indeed, by Theorem 5.1, if r and s are generated by the signature generation algorithm then s = k 1 (e + xr) (mod n). Therefore, z(e + xr) = k (mod n), so k = z(e + xr) + nj for some j Z. Thus, r = tonumber(pow(g, k)) (mod n) = tonumber(pow(g, z(e + xr) + nj)) (mod n) = tonumber(pow(g, z(e + xr))) (mod n). The last equality is derived from the Lagrange s theorem which asserts that for any element g of a finite group G of order n, pow(g, n) is the identity element of the group. This shows that (r, s) is a valid signature for M and the generic algorithm is correct. 5.2 Secretcy of the private key The generator g of the group G is specified in the group parameters. The element y is the public key. So both g and y are made public and anyone knows these values. The secret key is the number x and we have y = pow(g, x). Therefore, in order to keep x secret, the discrete log problem in G must be hard. If the discrete log problem is not hard then from g and y, anyone can solve the discrete log problem to obtain the secret key x and subsequently can forge a valid signature of any message.

10 10 J. Seberry, V. To and D. Tonien 5.3 Protection against forgery attack In order for an attacker to forge a valid signature (r, s) that passes the signature verification algorithm, the attacker must generate M, r and s that satisfy the following condition r = tonumber(pow(g, z(e + xr)) (mod n) where e = H(M) Z and z = s 1 (mod n). Since n is a public information, the ability to generate s is equivalent to the ability to generate z. Therefore, in order to forge a valid signature, the attacker must be able to generate M, r and z that satisfy the following condition r = tonumber((g H(M) y r ) z ) (mod n). (1) Consider the function tonumber modulo n, which we will denoted by tonumber n tonumber n : G Z n a tonumber(a) (mod n) For each i Z n, let F i denote the fiber set of i, that is F i = {a G : tonumber n (a) = i}. Then the condition (1) is equivalent to (g H(M) y r ) z F r. Theorem 5.3. If an attacker can forge a valid signature then it can generate M, r and z such that (g H(M) y r ) z F r. (2) The following theorem states four requirements for the group G, the function tonumber : G Z and the hash function H so that the generic algorithm is secure against forgery attack. Note that our first three requirements are similar to the ones stated in [2] but they are a bit stronger because we consider them in Z n instead of in Z as in [2]. Theorem 5.4. The following conditions are necessary security conditions for the generic algorithm (i) The discrete log problem in the group G is hard; (ii) The hash function modulo n (i.e. M H(M) (mod n)) is a one-way function;

11 A New Generic Digital Signature Algorithm 11 (iii) The hash function modulo n is a collision-resistant function; (iv) The function tonumber n is not a fiber-skew function. Proof. The first condition is the crucial one. If the discrete log problem in the group G is not hard then the attacker can recover the secret key from the public key and forge signature on any message. Alternatively, for any message M, the attacker can choose a random group element a and calculate tonumber(a) (mod n) = r. This gives a F r. The attacker then solves the discrete log problem to find z such that (g H(M) y r ) z = a and so (g H(M) y r ) z F r. By Theorem 5.3, this gives a valid signature on M. The second condition requires that given a number t, it is hard to find M such that H(M) (mod n) = t. If this is not hard then the attacker can formulate a valid signature as follows. The attacker will choose random u and v and try to find M, r, z such that (g H(M) y r ) z = g u y v F r. First, the attacker calculates tonumber(g u y v ) (mod n) = r, this gives g u y v F r. Then the attacker calculates z = vr 1 (mod n), this gives y v = y rz. Next, the attacker calculates t = uz 1 (mod n), this gives g u = g tz. Finally the attacker calculates M by inverting the hash function modulo n from the equation H(M) = t (mod n) and so (g H(M) y r ) z = g u y v F r. The third condition requires that it is hard to find two different messages M 1 and M 2 such that H(M 1 ) = H(M 2 ) (mod n) because if two such messages can be found easily then a valid signature for one message will become a valid signature for the other. The last condition requires that no fiber set F i has a large size. If for example, there is a number i Z n such that the fiber set F i is large, then the attacker can forge a signature as follows. First the attacker will choose a number r Z n such that F r is a large set. Then the attacker choose random M and z, this makes (g H(M) y r ) z a random element of the group G. Since F r is a large set, the probability that (g H(M) y r ) z belongs to the fiber set F r is not negligible. Therefore, the probability that the attacker can form a valid signature is not negligible. The condition (4) in Theorem 5.4 is a reasonable condition. In DSA, tonumber is the identity function so this condition is satisfied. In ECDSA, the function tonumber returns the x-coordinate of the elliptic point so this condition is likely to be satisfied. Since this condition requires that no fiber set F r have large size, for a random group element a, the probability for a F r is negligible. From the first three conditions, (g H(M) y r ) z is a random group element so the condition (g H(M) y r ) z F r in Theorem 5.3 will be satisfied with a negligible probability.

12 12 J. Seberry, V. To and D. Tonien 6 DSA based on circulant matrices over finite field In the previous section, we propose a generic algorithm that defined over a group G and a function tonumber : G Z. The security requirement is that the discrete log problem in G is hard. In this chapter, we choose G to be the group of nonsingular circulant matrices over a finite field. This group is recently studied by Mahalanobis [1] and it is believed that in this group the discrete log problem is hard. With this specific choice of the underlined group, the generic algorithm gives us a totally new concrete digital signature algorithm. 6.1 Circulant matrices The group of non-singular circulant matrices over finite field is recently studied by Mahalanobis [1]. A d d matrix over a field F is called circulant, if every row except the first row, is a right circular shift of the row above that. An example of a circulant 5 5 matrix is: c 0 c 1 c 2 c 3 c 4 c 4 c 0 c 1 c 2 c 3 c 3 c 4 c 0 c 1 c 2 c 2 c 3 c 4 c 0 c 1 c 1 c 2 c 3 c 4 c 0 So a circulant matrix is defined by its first row. We will denote a circulant matrix C with first row c 0, c 1,..., c d 1 by C = circ(c 0, c 1,..., c d 1 ). The row-sum of the matrix C is defined as rowsum(c) = c 0 + c c d 1. Let W = circ(0, 1, 0,..., 0) be a d d circulant matrix then clearly W d = I the identity matrix and any circulant matrix C = circ(c 0, c 1,..., c d 1 ) can be written as a linear sum of W i as follows C = c 0 I + c 1 W + c 2 W c d 1 W d 1. Since W d = I, the set C of all circulant matrices with matrix addition and multiplication is isomorphic to the ring of all polynomials F [x] modulo x d 1. The isomorphism is ı : C F [x]/(x d 1) C = circ(c 0, c 1,..., c d 1 ) c 0 + c 1 x + c 2 x c d 1 x d 1.

13 A New Generic Digital Signature Algorithm 13 Example: Consider 5 5 circulant matrices over the field F 17. Let A = circ(2, 7, 3, 4, 2) and B = circ(5, 1, 6, 4, 1). The corresponding polynomials are and We have ı(a) = 2 + 7x + 3x 2 + 4x 3 + 2x 4 ı(b) = 5 + x + 6x 2 + 4x 3 + x 4. ı(a) + ı(b) = 7 + 8x + 9x 2 + 8x 3 + 3x 4, ı(a) ı(b) = x + 34x x x x x x 7 + 2x 8 and We will verify that = x + 34x x x x + 12x 2 + 2x 3 = x + 46x x x 4 = x 2 + 7x x 4. A + B = circ(7, 8, 9, 8, 3), A B = circ(4, 0, 12, 7, 11). Indeed, A+B = = , and A B =

14 14 J. Seberry, V. To and D. Tonien = = Discrete log problem for circular matrices The discrete log problem for circular matrices is stated as follows: given a circular matrix A of size d d over the field F q and a circular matrix B = A x, find the exponent x. Mahalanobis [1] showed that the discrete log problem for circular matrices is as hard as the discrete log problem in the finite field F q d 1 if the matrix A is chosen to satisfy the following five conditions Determinant of A is equal to 1, rowsum(a) = 1, The polynomial χ A x 1 is irreducible where χ A is the characteristic polynomial of A, d is a prime number, q is primitive modulo d. 6.3 DSA based on group of circulant matrices In this section, we will apply the generic algorithm for a group of circulant matrices. What we obtain is a totally new digital signature algorithm. The underlined group G is the multiplicative group generated by a circulant matrix A defined over a field F q that satisfies a number of conditions described in section 6.2. Suppose that n is the multiplicative order of the matrix A, that is A n = I, then the group G is G = {I, A, A 2,..., A n 1 }. Note that matrices in G are all circulant matrices. We will chose an encoding function that maps each field element of F q to an integer encode : F q Z. For example, when q = p is a prime number then encode(a) = a (mod p). When q = p m then each field element a of F p m is a polynomial over F p of degree < m,

15 A New Generic Digital Signature Algorithm 15 that is, a = a 0 + a 1 x + + a m 1 x m 1, where a 0, a 1,..., a m 1 F p. In this case, we can define encode(a) to be the mn-bit number a 0 a 1... a m 1 where N is the bit length of p. Here each a i is represented as a N-bit number. We need to define a function tonumber : G Z to use in the generic algorithm. We will use the encoding function to define the function tonumber. There are many choices for this function tonumber. To illustrate, let define the function tonumber as follows tonumber : G Z C = circ(c 0, c 1,..., c d 1 ) encode(c 0 + c 2 + c c d 1 ). Note that the above definition makes sense because c 0 + c 2 + c c d 1 is a field element of F q and so encode(c 0 + c 2 + c c d 1 ) is an integer. Below is the description of the DSA algorithm based on circulant matrices. Set up. Choose a circulant matrix A = circ(a 0, a 1,..., a d 1 ) of size d d over F q n is the multiplicative order of A Domain parameters: description of a 0, a 1,..., a d 1, n Key generation. Select a random integer x [1, n 1] Compute B = A x = circ(b 0, b 1,..., b d 1 ) The private key is x Z The public key is b 0, b 1,..., b d 1 Signature generation. Compute e = H(M) Select a random integer k [1, n 1] Compute C = A k = circ(c 0, c 1,..., c d 1 ) Compute t = encode(c 0 + c 2 + c c d 1 ) Z Compute r = t (mod n) Compute s = k 1 (e + xr) (mod n) The signature for M is (r, s) Signature verification. Compute e = H(M) Compute z = s 1 (mod n)

16 16 J. Seberry, V. To and D. Tonien Compute u 1 = ez (mod n) Compute u 2 = rz (mod n) Compute V = A u 1B u 2 = circ(v 0, v 1,..., v d 1 ) Compute t = encode(v 0 + v 2 + v v d 1 ) Z Compute r = t (mod n) Accept the signature if r = r Bibliography [1] A. Mahalanobis, The discrete logarithm problem in the group of non-singular circulant matrices, Groups Complexity Cryptology 2 (2010), [2] S. Vaudenay, The security of DSA and ECDSA, in: Public Key Cryptography PKC 2003, Lecture Notes in Computer Science 2567, Springer, Berlin (2002), [3] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards [4] National Institute of Standards and Technology, Secure Hash Standard (SHS), Federal Information Processing Standards [5] American National Standards Institute, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute X9.62. Received???. Author information Jennifer Seberry, School of Computer Science and Software Engineering, University of Wollongong, Australia. Vinhbuu To, School of Computer Science and Software Engineering, University of Wollongong, Australia. Dongvu Tonien, Mathematical Sciences Institute, Australian National University, Australia.

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Digital Signatures. Meka N.L.Sneha. Indiana State University. nmeka@sycamores.indstate.edu. October 2015

Digital Signatures Meka N.L.Sneha Indiana State University nmeka@sycamores.indstate.edu October 2015 1 Introduction Digital Signatures are the most trusted way to get documents signed online. A digital

### Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### Math 313 Lecture #10 2.2: The Inverse of a Matrix

Math 1 Lecture #10 2.2: The Inverse of a Matrix Matrix algebra provides tools for creating many useful formulas just like real number algebra does. For example, a real number a is invertible if there is

### Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis by Susana Sin A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

### Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Digital Signature Standard (DSS)

FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS) CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information Technology Laboratory National Institute

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Notes on Network Security Prof. Hemant K. Soni

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### An Approach to Shorten Digital Signature Length

Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based

### Authentication requirement Authentication function MAC Hash function Security of

UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### ARCHIVED PUBLICATION

ARCHIVED PUBLICATION The attached publication, FIPS Publication 186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes. For the most current revision

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

### Introduction to Finite Fields (cont.)

Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur

ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract.The new services available on the Internet have born the necessity of a permanent

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

### Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves Billy Bob Brumley Helsinki University of Technology Laboratory for Theoretical Computer Science billy.brumley@hut.fi Abstract Self-Certified

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

### Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### 5.1 Commutative rings; Integral Domains

5.1 J.A.Beachy 1 5.1 Commutative rings; Integral Domains from A Study Guide for Beginner s by J.A.Beachy, a supplement to Abstract Algebra by Beachy / Blair 23. Let R be a commutative ring. Prove the following

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

### 3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

### CRYPTOGRAPHY IN NETWORK SECURITY

ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

### UNIT 2 MATRICES - I 2.0 INTRODUCTION. Structure

UNIT 2 MATRICES - I Matrices - I Structure 2.0 Introduction 2.1 Objectives 2.2 Matrices 2.3 Operation on Matrices 2.4 Invertible Matrices 2.5 Systems of Linear Equations 2.6 Answers to Check Your Progress

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Embedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme

International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Embedding more security in digital signature system by using combination of public

### Factorization Algorithms for Polynomials over Finite Fields

Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

### = 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without

### ELECTRONIC POWER OF ATTORNEY PROTOCOL BY USING DIGITAL SIGNATURE ALGORITHM

ELECTRONIC POWER OF ATTORNEY PROTOCOL BY USING DIGITAL SIGNATURE ALGORITHM 1,3 WALIDATUSH SHOLIHAH, 2 SUGI GURITMAN, 3 HERU SUKOCO 1 Diploma Programme, Bogor Agricultural University 2 Mathematics Department,

### Communications security

University of Roma Sapienza DIET Communications security Lecturer: Andrea Baiocchi DIET - University of Roma La Sapienza E-mail: andrea.baiocchi@uniroma1.it URL: http://net.infocom.uniroma1.it/corsi/index.htm

### Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### LUC: A New Public Key System

LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

### The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### A New Efficient Digital Signature Scheme Algorithm based on Block cipher

IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727Volume 7, Issue 1 (Nov. - Dec. 2012), PP 47-52 A New Efficient Digital Signature Scheme Algorithm based on Block cipher 1

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### Basic Algorithms In Computer Algebra

Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,

### Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

### Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

### Elements of Applied Cryptography Public key encryption

Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

### Digital signatures. Informal properties

Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC Laxminath Tripathy 1 Nayan Ranjan Paul 2 1Department of Information technology, Eastern Academy of Science and

### I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### 2. Cryptography 2.4 Digital Signatures

DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures

### EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION

EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. Consider the Jacobian of a genus two curve defined over a finite field and with complex multiplication.

### Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

### Randomized Hashing for Digital Signatures

NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Galois Fields and Hardware Design

Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical

### Mathematics Course 111: Algebra I Part IV: Vector Spaces

Mathematics Course 111: Algebra I Part IV: Vector Spaces D. R. Wilkins Academic Year 1996-7 9 Vector Spaces A vector space over some field K is an algebraic structure consisting of a set V on which are

### Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

### 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

### Finite Fields and Error-Correcting Codes

Lecture Notes in Mathematics Finite Fields and Error-Correcting Codes Karl-Gustav Andersson (Lund University) (version 1.013-16 September 2015) Translated from Swedish by Sigmundur Gudmundsson Contents

### Public Key Cryptography Overview

Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic

### Elliptic Curve Hash (and Sign)

Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Evaluation of Digital Signature Process

Evaluation of Digital Signature Process Emil SIMION, Ph. D. email: esimion@fmi.unibuc.ro Agenda Evaluation of digital signatures schemes: evaluation criteria; security evaluation; security of hash functions;

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Computer Science 308-547A Cryptography and Data Security. Claude Crépeau

Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### A SOFTWARE COMPARISON OF RSA AND ECC

International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

### Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

### 7. Some irreducible polynomials

7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of

### The finite field with 2 elements The simplest finite field is

The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0

### MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

### some algebra prelim solutions

some algebra prelim solutions David Morawski August 19, 2012 Problem (Spring 2008, #5). Show that f(x) = x p x + a is irreducible over F p whenever a F p is not zero. Proof. First, note that f(x) has no