Digital Signature CHAPTER 13. Review Questions. (Solution to Odd-Numbered Problems)



Similar documents
Digital Signature. Raj Jain. Washington University in St. Louis

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Signature Schemes. CSG 252 Fall Riccardo Pucella

Introduction to Cryptography CS 355

Digital signatures. Informal properties

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Application of Digital Signature for Securing Communication Using RSA Scheme based on MD5

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

DIGITAL SIGNATURES 1/1

Overview of Public-Key Cryptography

Computer Security: Principles and Practice

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

Authentication requirement Authentication function MAC Hash function Security of

Introduction to Computer Security

CRC Press has granted the following specific permissions for the electronic version of this book:

Public Key Cryptography. Performance Comparison and Benchmarking

Crittografia e sicurezza delle reti. Digital signatures- DSA

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Notes on Network Security Prof. Hemant K. Soni

Computer Science A Cryptography and Data Security. Claude Crépeau

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

An Approach to Shorten Digital Signature Length

Digital signatures are one of the most important inventions/applications of modern cryptography.

CRYPTOGRAPHY IN NETWORK SECURITY

Cryptography and Network Security

1 Signatures vs. MACs

Digital Signatures. Prof. Zeph Grunschlag

Elements of Applied Cryptography Public key encryption

Public-Key Cryptanalysis

Introduction. Digital Signature

2. Cryptography 2.4 Digital Signatures

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

7! Cryptographic Techniques! A Brief Introduction

Chapter 37. Secure Networks

Efficient construction of vote-tags to allow open objection to the tally in electronic elections

SECURITY IN NETWORKS

Digital Signatures. What are Signature Schemes?

Public Key (asymmetric) Cryptography

Cryptography and Network Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

A novel deniable authentication protocol using generalized ElGamal signature scheme

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

CS549: Cryptography and Network Security

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Chapter 10. Network Security

Cryptographic Hash Functions Message Authentication Digital Signatures

Table of Contents. Bibliografische Informationen digitalisiert durch

Hash Function Firewalls in Signature Schemes

Security and Authentication Primer

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptography and Network Security Chapter 10

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

1 Message Authentication

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

A New Generic Digital Signature Algorithm

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Public Key Cryptography of Digital Signatures

Information & Communication Security (SS 15)

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

CIS 5371 Cryptography. 8. Encryption --

Chapter 7: Network security

Capture Resilient ElGamal Signature Protocols

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Practice Questions. CS161 Computer Security, Fall 2008

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

RESEARCH ON DIGITAL SIGNATURE Aanchal Chanana, Akash Sharma, Amit Yadav

Cryptography and Network Security Digital Signature

Message authentication and. digital signatures

Introduction to Cryptography

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

CS 758: Cryptography / Network Security

Public Key Cryptography Overview

Randomized Hashing for Digital Signatures

The Mathematics of the RSA Public-Key Cryptosystem

Cryptography: Authentication, Blind Signatures, and Digital Cash

A New secure scheme Using Digital Signature with S/MIME

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Cryptographic Services Guide

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Evaluation of Digital Signature Process

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Elliptic Curve Cryptography

Transcription:

CHAPTER 13 Digital Signature (Solution to Odd-Numbered Problems) Review Questions 1. We mentioned four areas in which there is a differences between a conventional and a digital signature: inclusion, verification, document-signature relation, and duplicity. a. Inclusion: a conventional signature is included in the document; a digital signature is a separate document. b. Verification: A conventional signature is verified by comparing with the signature on file. The verifier of a digital signature needs to create a new signature. c. Relation: A document and a conventional signature has a one-to-many relation; a message and a digital signature has one-to-one relation. d. Duplicity: In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time (such as a timestamp) on the document. 3. The following table shows the relationship between attacks on a cryptosystem and attacks on a digital signature. Cryptosystem attacks Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext Digital signature Attacks Key-only Known-message Chosen-message 5. The idea behind the RSA digital signature scheme is the same as the RSA cryptosystem, but the roles of the private and public keys are changed. First, the private and public keys of the sender, not the receiver, are used. Second, the sender uses her own private key to sign the document; the receiver uses the sender s public key to verify it. 1

2 7. The Schnorr digital signature scheme is similar the ElGamal digital signature but the size of the signatures are smaller. 9. The elliptic curve digital signature scheme is based on DSA, but uses elliptic curves. The scheme is similar to the elliptic curve cryptosystem in which the signer and verifiers manipulate points on an elliptic curve. Exercise 11. We have n = 809 751 = 607559 φ(n) = (809 1) (751 1) = 606000. Since d = 23, we have e = d 1 mod φ(n) = 158087. a. We have S 1 = M 1 d mod n = 100 23 mod 607559 = 223388 M 1 = S 1 e mod n = 223388 158087 mod 607559 = 100 b. We have S 2 = M 2 d mod n = 50 23 mod 607559 = 5627 M 2 = S 2 e mod n = 5627 158087 mod 607559 = 50 c. If M = M 1 M 2 = 5000, we have S = Md mod n = 5000 23 mod 607559 = 572264 S = (S 1 S 2 ) mod n = (223388 5627) mod 607559 = 572264 13. We have q = 83, p = 997, and d = 23. We choose e 0 = 7. Then e 1 = e 0 (p 1)/q mod p = 9 e 2 = e 1 d mod p = 521. We calculate S 1 and S 2 in mod q. We let h(40067) = 81 (The actual value does not matter here). S 1 = h(m e 1 r mod p) = h(400 9 11 mod p) = h(400 67) = h(40067) = 81 S 2 = r + ds 1 mod q = 11 + 23 81 mod 83 = 48 We can verify the signature assuming that h(40067) = 81. S V = h(m e 2 S 1 e 1 2 mod p) = h(400 9 48 521 81 mod 997) = V = h(400 9 48 521 2 mod 997) = h(400 877 257 mod 997) = V = h(400 67) = h(40067) = 81 15. a. In RSA scheme S = M d mod n. This means that the value of S can be as large as (n 1). In other words the size of S n 1024 bits.

3 b. In ElGamal scheme S 1 = ( ) mod p and S 2 = ( ) mod (p 1). This means that the value of S 1 can be as large as (p 1) and the value of S 2 can be as large as (p 2) In other words the size of S 1 p 1024 bits and the size of S 2 p 1024 bits. This means the sign of the signature is 2048 bits. c. In Schnorr scheme S 1 = h (...) and S 2 = ( ) mod (q). This means that the value of S 1 is exactly equals h (...) and the value of S 2 can be as large as (q 1). Since q is required to be the same size as q. The size of S 1 q 160 bits and the size of S 2 q 160 bits. This means the sign of the signature is 320 bits. The signature in Schnorr is much smaller than signature in ElGamal. d. In DSS scheme S 1 = ( ) mod q S 2 = ( ) mod q. This means that the value of S 1 and S 2 can be as large as (q 1). The size of S 1 = S 2 q 160 bits and the This means the sign of the signature is 320 bits. The signature in DSS is the same size as the signature in the Schnorr scheme. 17. In all of these schemes, Eve can calculate the value of d if she intercept a message and its signature. She can then forge a message from Alice to Bob. Each case is described separately in Exercises 23, 24, and 25. 19. If p = 19 and q = 3, n = 57. Eve can easily calculate φ(n) = φ(57) = 36. Since e is public, Eve can find d = e 1 mod n. Eve can now choose a message of her own M, calculate S = M d mod n. Eve then sends M and S to Bob and pretends that they are coming from Alice. 21. If p = 29 and q = 7, then the value of d is between 2 and 7 (it should be less than q 1). Since e 2 = e d 1 mod p and the values of e 1, e 2, p, and q are public, Eve can find the value of d using exhaustive search. Eve can now choose a message of her own M, calculates S 1 and S 2. Eve then sends M, S 1, and S 2 to Bob and pretends that they are coming from Alice. 23. In ElGamal scheme, if Eve can somehow finds out what value of r is used by Alice to calculate the signature for a particular message, the whole system is broken. Eve knows the value of M, S 1, S 2 and r. She can calculate the value of d as shown below: d = (M rs 2 )S 1 1 mod (p 1) This is possible if gcd(s 1, p 1) = 1, which is very probable. When d is found, Eve can choose a message of her own (selective forgery), calculate the signature and send them to Bob fooling him that the message is coming from Alice. 25. In DSS scheme, if the value of r revealed, the whole system is broken. Eve knows the value of M, S 1, S 2 and r. She can calculate the value of d as shown below: d = (rs 2 h(m))s 1 1 mod q This is possible if gcd(s 1, q) = 1, which is very probable. When d is found, Eve can choose a message of her own (selective forgery), calculate the signature and send them to Bob fooling him that the message is coming from Alice.

4 27. This is done to make the calculation possible because if a x a y mod p, then x y mod (p 1). 29. In the DSS scheme, we need to make both S 1 and S 2 smaller than q. However, to make it more difficult for Eve to find the value of r, we first do exponentiation in modulo p (which is much larger than q), but we apply another modulo operation to reduce the size of S 1. In case of S 2, since there is no exponentiation and the size of the digest is smaller than q, we need to apply only a modulo q operation to make the size of S 2 smaller than q. 31. We start with V and show that it is congruent to S 1. Let h(m) = x. xs 2 1 e 2 S 1 S 2 1 = (e 1 x e 2 S 1 ) S2 1 x e 1 ds1 ) S2 1 // Since e 2 = e 1 d mod p x + ds1 ) S2 1 rs 2 ) S2 1 // Since S 2 = (x + ds) r 1 mod q r ) S2S2 1 = (e 1 r ) = S 1 33. RSA_Signing (M, d, n) S M d mod n return (M, S) RSA_Verifying (M, e, n, S) M S e mod n if (M = M) Accept M else Reject M

5 35. Schnorr_Signing (M, r, e 1, d, p, q) S 1 h (M e 1 r mod p) S 2 (r + d S 1 ) mod q return (M, S 1, S 2 ) Schnorr_Verifying (M, e 1, e 2, p, q, S 1, S 2 ) V h (M e 1 S 1 e2 S 2 mod p) if (S 1 = V) Accept M else Reject M 37. EllipticCurve_Signing (M, a, b, r, e 1 (, ), d, p, q) P(u, v) r e 1 (, ) S 1 u mod q S 2 (h (M) + d S 1 ) r 1 mod q return (M, S 1, S 2 ) EllipticCurve_Verifying (M, a, b, e 1 (, ), e 1 (, ), p, q, S 1, S 2 ) A (h (M) S 2 1 ) mod q B (S 1 S 2 1 ) mod q T(x, y) A e 1 (, ) + B e 1 (, ) V x mod q if (S 1 = V) Accept M else Reject M

6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information