CLO 2

Lecture#10
Digital Signature Standard- DSS/DSA
Course: Cryptography & Network Security (CE-408)
Course Teacher: Ms. Rukaiya

Contact Info:

Room No: BS-02, CED / AS-09, ORIC

Email: rukaiya@ssuet.edu.pk

1
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Digital Signature Properties

It must verify It must It must be

the author and authenticate verifiable by
the date and the contents at third parties to
time of the the time of the resolve
signature signature disputes

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Attacks

•C chooses a Directed
Known list of chosen •C may
message messages message request
attack before attack from A
attempting to signatures
•C only •Similar to the
•C is given break A’s of messages
knows A’s generic attack,
access to a signature that depend
public except that the
set of scheme, on
key list of
messages independent previously
messages to be
and their of A’s public obtained
signed is
Key-only signatures key; C then message-
chosen after C
attack obtains from signature
knows A’s
A valid pairs
public key but
signatures for before any
the chosen signatures are Adaptive
messages seen chosen
Generic message
chosen attack
message
attack

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Forgeries
Universal
forgery Selective Existential
Total
break forgery forgery
• C finds an
efficient
•C signing • C forges a • C forges a
determine algorithm signature signature
s A’s that for a for at least
private particular one
provides an
key equivalent message message; C
way of chosen by C has no
constructing control over
signatures the message
on arbitrary
messages

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Digital Signature Requirements
• The signature must be a bit pattern that depends on the message
being signed

• The signature must use some information unique to the sender to

prevent both forgery and denial

• It must be relatively easy to produce the digital signature

• It must be relatively easy to recognize and verify the digital

signature

• It must be computationally infeasible to forge a digital signature,

either by constructing a new message for an existing digital
signature or by constructing a fraudulent digital signature for a
given message

• It must be practical to retain a copy of the digital signature in

storage

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Direct Digital Signature

Confidentiality can be
Refers to a digital The validity of the
provided by encrypting
signature scheme that scheme depends on the
the entire message plus
involves only the security of the sender’s
signature with a shared
communicating parties private key
secret key

If a sender later wishes to

deny sending a particular
It is important to perform
It is assumed that the message, the sender can
the signature function
destination knows the claim that the private key
first and then an outer
public key of the source was lost or stolen and
confidentiality function
that someone else forged
his or her signature

One way to thwart or at

In case of dispute some least weaken this ploy is
third party must view the to require every signed
message and its message to include a
signature timestamp and to require
prompt reporting of
compromised keys to a
central authority

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 NIST Digital Signature Algorithm
• Published by NIST (National Institute of Standards and
Technology) as Federal Information Processing Standard
FIPS 186
• Makes use of the Secure Hash Algorithm (SHA) and
presented a new signature technique called Digital
Signature Algorithm (DSA)
• The latest version, FIPS 186-3, also incorporates digital
signature algorithms based on RSA and on elliptic curve
cryptography
• DSS Approach:
• It is designed to provide only the digital signature unlike
RSA, it can not be used for encryption or key exchange.
• Nevertheless, its is a public-key technique

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 H
M || M

PR a PU a Compare

H E D
E(PRa, H(M)]

(a) RSA Approach

M || M H

PU G PR a s PU G PU
a
r

H Sig Ver Compare

(b) DSA Approach

Figure 13.2 Two Approaches to Digital Signatures

PUG = Global Public key Seperate form each user ′ s public key
K =Pearson
© 2020 secret key (per
Education, Inc.,message)-
Hoboken, NJ. random number generated for particular signature
All rights reserved.
 Digital Signature Algorithm
• Parts of Algorithm
 Generation of public and private key
 Generation of Signature
 Verification of Signature

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Digital Signature Algorithm
• Generation of public and private keys (Global
Public Elements)

 There are three parameters that are public and can be common
to a group of users
1. Choose a prime number q (random 160 bits), called a
prime divisor

2. Choose another prime number p (length between 512

and 1024 bits) such that (p-1)/q, is called prime modulus

3. Choose an integer h between 1 and (p-1) with g must be

greater than 1
(𝑝−1)
ൗ𝑞
𝑔= ℎ where, 1 < g< p
or
𝑔𝑞 mod p = 1

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Digital Signature Algorithm
• Generation of User’s Private Key
• Each user chooses (selected randomly/pseudo randomly) an
integer x such that 0 < x < q
• X is the private key, it is believed that x is computationally
infeasible to determine, which is discrete logarithm of p

• Generation of User’s Public Key

• Compute user’s public key
𝐲 = 𝐠 𝐱 𝐦𝐨𝐝 𝐩
• Public key pair (p, q, g, y)
• Private key pair (p, q, g, x)

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Digital Signature Algorithm
• Generation Signature
• To create a signature, user calculates two quantities r and s,
function of public key components (p, q, g)
• Generate a random number k such that 0< k< q
• K must be destroyed after the use and never be reused
• Compute 𝐫 = 𝐠 𝐤 𝐦𝐨𝐝 𝐩 𝐦𝐨𝐝 𝐪
 If r =0, select different k

• Compute i or 𝐊 −𝟏 such that 𝐤 ∗ 𝐢 𝐦𝐨𝐝 𝒒 = 𝟏 is called modular

multiplicative inverse of k modulo q
• Compute s= 𝒌−𝟏 𝐇 𝐌 + 𝐫𝒙 𝐦𝐨𝐝 𝐪, where H(M) computed using
SHA-1
Signature (r,s)

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Digital Signature Algorithm
• Verifying Signature
• Compute w, such that s* w mod q =1, called modular
multiplicative inverse of s modulo q
𝐰 = (𝐒 ′ )−𝟏 𝐦𝐨𝐝 𝐪

• Compute 𝛍𝟏 = 𝐇 𝐌 ′ ∗ 𝐰 𝐦𝐨𝐝 𝐪
• Compute 𝛍𝟐 = 𝒓′ ∗ 𝐰 𝐦𝐨𝐝 𝐪
• Compute 𝛝 = [𝒈𝝁𝟏 𝒚𝝁𝟐 𝐦𝐨𝐝 𝐩] mod q
• If 𝛝 = r then signature is valid

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Global Public Key Components Signing

p prime number where 2L–1 < p < 2L r = (gk mod p) mod q

for 512 ≤ L ≤ 1024 and L a multiple of 64
i.e., bit length of between 512 and 1024 bits in s = éëk -1 (H(M ) + xr ) ùû mod q
increments of 64 bits

q prime divisor of (p – 1), where 2N–1 < q < 2N Signature = (r, s)

i.e., bit length of N bits
Verifying
g = h(p–1)/q mod p
where h is any integer with 1 < h < (p – 1)
w = (s')–1 mod q
such that h(p–1)/q mod p > 1
u1 = éëH(M ¢ )w ùû mod q
User's Private Key
u2 = (r')w mod q
x random or pseudorandom integer with 0 < x < q
v = é( g u1y u 2 ) mod p ù mod q
ë û
User's Public Key TEST: v = r'
y = gx mod p
M = message to be signed
H(M) = hash of M using SHA-1
User's Per-Message Secret Number M', r', s' = received versions of M, r, s

k = random or pseudorandom integer with 0 < k < q

Figure 13.3 The Digital Signature Algorithm (DSS)

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 M

p q g

M
k k
r = (gk mod p) mod q

k
H s = [k–1 (H(M) + xr)] mod q
r
H(M)
x
x x s

(a) Signing

y q g

u1 = [H(M')w)] mod q
H H(M')
u2 = (r')w mod q
v = [(gu1yu2) mod p] mod q
M'
w r' v

r' signature
q verification
r' = v?

r'
w = (s')–1 mod q
s'

(b) Verifying

Figure 13.4 DSS Signing and Verifying

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Digital Signature Algorithm
• Example
• P = 47, q =23, g = 2, h =2
1. Choose x =10
2. Compute 𝐲 = 𝐠 𝐱 𝐦𝐨𝐝 𝐩
= 𝟐𝟏𝟎 𝐦𝐨𝐝 𝟒𝟕
= 1024 mod 47
y = 37
Public key pair (47, 23, 2, 37)
Private key pair (47, 23, 2, 10)
Digital Signature Algorithm
Generate Signature

1. Suppose k =2

2. Compute r= (𝐠 𝒌 𝐦𝐨𝐝 𝐩) mod q

= (𝟐𝟐 𝐦𝐨𝐝 𝟒𝟕) mod 23

= (4 mod 47) mod 23,

r=4

3. Compute i or 𝐊 −𝟏 using Extended Euclidean Algorithm

i = 12, (for k mod q)

3. Compute s= 𝒊 ∗ 𝒉 + 𝒓𝒙 𝒎𝒐𝒅 𝒒

= 12 * (2+(4)(10)) mod 23

= 12 (42) mod 23

S =21

Package digital signature as (r,s) = (4,21)

Digital Signature Algorithm
Verifying Signature

1. Compute w using extended Euclidean, such that s*w mod q =1

W =11

• Compute 𝛍𝟏 = 𝐇 𝐌 ′ ∗ 𝐰 𝐦𝐨𝐝 𝐪

= [𝟐 ∗ 𝟏𝟏] 𝐦𝐨𝐝 𝟐𝟑

𝛍𝟏 = 22

• Compute 𝛍𝟐 = 𝒓′ ∗ 𝐰 𝐦𝐨𝐝 𝐪

= 4*11 mod 23

𝛍𝟐 = 21

• Compute 𝛝 = [𝒈𝝁𝟏 𝒚𝝁𝟐 𝐦𝐨𝐝 𝐩] mod q

= [𝟐𝟐𝟐 𝟑𝟕𝟐𝟏 𝐦𝐨𝐝 𝟒𝟕] mod 23

𝛝 = 4 mod 23