Chapter 7-2

Signature Schemes

1
 Outline
 [1] Introduction
 [2] Security Requirements for Signature Schemes
 [3] The ElGamal Signature Scheme
 [4] Variants of the ElGamal Signature Scheme
 The Schnorr Signature Scheme
 The Digital Signature Algorithm
 The Elliptic Curve DSA
 [5] Signatures with additional functionality
 Blind Signatures
 Undeniable Signatures
 Fail-stop Signatures
2
[4] Variants of the ElGamal Signature
Scheme
 Schnorr Signature Scheme
 Proposed in 1989
 Greatly reduced the signature size

 Digital Signature Algorithm (DSA)

 Proposed in 1991
 Was adopted as a standard on December 1, 1994

 Elliptic Curve DSA (ECDSA)

 FIPS 186-2 in 2000
3
Schnorr Signature Scheme

Let p be a prime such that the DL

problem in Zp* is intractable, and let q
be a prime that divides p-1. Let α be a
qth root of 1 modulo p.
Define K={ (p,q,α,a,β):β=αa mod p }

p,q,α,β are the public key, a is private

4
 For a (secret) random number k, define
sig(x,k)=(γ,δ), where
γ=hash(x||αk ) andδ=k+aγ mod q

 For a message (x,(γ,δ)), verification is done

by performing the following computations:

ver(x,(γ,δ))=true iff. hash(x||αδβ-γ)=γ

5
 If the signature was construct correctly, the
verification will succeed since

αδβ-γ=αk+aγα-aγ=αk

6
Schnorr Signature Scheme Example

 We take q=101, p=78q+1=7879, α=170, a=75, then

β=17075 mod 7879=4567
 To sign the message m=15, Alice selects k=50;
Then γ=hash(15||17050),
δ=5+75*γ mod 101

(15,(γ,δ)) is the signed message

7
 L=0 mod 64,
512≤L≤1024
Digital Signature Algorithm

 Let p be a L-bit prime such that the DL

problem in Zp* is intractable, and let q be a
160-bit prime that divides p-1. Let α be a qth
root of 1 modulo p.
Define K={ (p,q,α,a,β): β=αa mod p }

p,q,α,β are the public key, a is private

8
 For a (secret) random number k, define
sig (x,k)=(γ,δ), where
γ=(αk mod p) mod q and
δ=(SHA-1(x)+aγ)k-1 mod q

 For a message (x,(γ,δ)), verification is done by

performing the following computations:

e1=SHA-1(x)*δ-1 mod q
e2=γ*δ-1 mod q

ver(x,(γ,δ))=true iff. (αe1βe2 mod p) mod q=γ

9
 Notice that the verification requires to
compute:

e1=SHA-1(x)*δ-1 mod q
e2=γ*δ-1 mod q

when δ=0 (it is possible!), Alice should re-

construct a new signature with a new k
10
 DSA Example
 Take q=101, p=78q+1=7879, α=170, a=75;
then β=4567

 To sign the message SHA-1(x)=22, Alice selects

k=50;
Then γ=(17050 mod 7879) mod 101=94,
δ=(22+75*94)50-1 mod 101=97

(x, (94,97)) is the signed message

11
 The signature (94,97) on the message digest 22
can be verify by the following computations:

δ-1=97-1 mod 101=25

e1=22*25 mod 101=45
e2=94*25 mod 101=27

(17045*456727 mod 7879) mod 101 = 94 =γ

12
 Elliptic Curve DSA

 Let p be a prime or a power of two, and let E

be an elliptic curve defined over Fp. Let A be a
point on E having prime order q, such that DL
problem in <A> is infeasible.

Define K={ (p,q,E,A,m,B): B=mA }

p,q,E,A,B are the public key, m is private

13
 For a (secret) random number k, define sigk(x,k)=(r,s),
where rA=(u,v), r=u mod q and
s=k-1(SHA-1(x)+mr) mod q

 For a message (x,(r,s)), verification is done by

performing the following computations:

i=SHA-1(x)*s-1 mod q
j=r*s-1 mod q
(u,v)=iA+jB

ver(x,(r,s))=true if and only if u mod q=r

14
[5] Signatures with additional
functionality

 Blind signature schemes (1983)

 Undeniable signature schemes (1989)
 Fail-stop signature schemes (1992)

15
Blind signature schemes
 A sends a piece of information to B
which B signs and returns to A. From
this signature, A can compute B’s
signature on an a priori message x of
A’s choice (B is a signer here!)

 B knows neither the message x nor the

signature associated with it

16
Chaum’s blind signature protocol (1983)
(A is a verifier and B is a signer, (n,e) is RSA public key
of B and d is RSA private key of B)
1. A randomly select a secret integer k
2. A computes x*=xke mod n and sends it to B
3. B computes y*=(x*)d mod n and sends it to A
4. A computes y=k-1y* mod n, which is B’s signature on x
(Note the signer B does not know (x,y) but (x,y) is a B’s
signed message.)
17
Undeniable Signatures
 A signature can not be verified without the
cooperation of the signer

 First introduced by Chaum and van

Antwerpen in 1989

 Protects Alice against the possibility that

documents signed by her are duplicated and
distributed electronically without her approval

18
 Since a signature should be verified with the
cooperation of the signer, it is possible for a signer
to evilly disavow a signature which signed by him
previously

 An undeniable signature scheme should consists of a

disavowal protocol between the verifier B and the
signer A, such that:

 For a signature which is not signed by A, B will recognize it

as a forgery
 For a signature which is signed by A, A can fool B to
recognized it as a forgery with very low probability
19
An application of the undeniable signature
 A large corporation A creates a software

package. A signs the package and sells

it to B, who decides to make copies of
this package and resell it to a third
party C. C is unable to verify the
authenticity of the software without the
cooperation of A
20
Chaum-van Antwerpen undenial signature scheme
 Let p=2q+1 be a prime such that q is prime

And the DL problem in Zp is intractable.

Let α be an element of order q. Define:
K={ (p,α,a,β) :β=αa mod p }
1. Signing algorithm
 To sign a message x, Alice computes

y=sig(x)=xa mod p
21
2. Verification protocol
 Bob chooses e ,e from Z * randomly
1 2 q
 Bob computes c=ye1βe2 mod p and sends it
to Alice
 Alice computes d=ca-1 mod q mod p and sends
it to Bob
 Bob accepts s as a valid signature if and
only if
d = xe1αe2 mod p
22
Verifier Signer
message x, signature y

c=ye1βe2 mod p

d=ca-1 mod q
mod p

d ≠ xe1αe2 mod p
Two possibilities:
• y is not a valid signature of x
• y is the signature of x, she is
fooling me by sending garbled
d to me
23
(Correctness of the signature protocol)

 Bob will accept a valid signature, since if s is valid:

y=xa mod p,
then
c = ye1βe2 = xae1αae2 mod p
Hence
d = xe1αe2 mod p
as desired

24
 I doubt that you are fooling me
to disavow your signature on x
Verifier Signer

c=ye1βe2
d=(c)a-1
c’=ye1’βe2’
d’=(c’)a-1

(dα-e2)e1’=(d’α-e2’)e1
I blame her wrongly, y is not signed by her

Fact: if y≠xa, (dα-e2)e1’=(d’α-e2’)e1

25
 Verifier Signer

c=ye1βe2
d=(c)a-1
c’=ye1’βe2’
d’=(c’)a-1

Fact: if y=xa, she can make (dα-e2)e1’=(d’α-e2’)e1

holds with a very small probability 1/q 26
3. Disavowal protocol (1/3)

B selects random secret integers e1,e2 and

computes c=ye1βe2 mod p, and sends c to A

A computes d=(c)a-1 mod p and sends d to B

B checks if d=xe1αe2, then he concludes that

y is a valid signature of x, otherwise go to next
step
27
Disavowal protocol (2/3)

B selects random secret integers e1’,e2’ and

computes c’=ye1’βe2’ mod p, and sends c’ to A

A computes d’=(c’)a-1 mod p and sends d’ to B

B checks if d’=xe1’αe2’, then he concludes that

y is a valid signature of x, otherwise go to next
step
28
Disavowal protocol (3/3)

B checks (dα-e2)e1’=(d’α-e2’)e1 if it holds,

he concludes that y is a forgery

Otherwise, he concludes that A is trying

to disavow the signature

29
Fact Let x be a message and suppose that y is
A’s (purported) signature on x

 If y is a forgery, i.e., y≠xa mod p, then

(dα-e2)e1’=(d’α-e2’)e1 holds

 Suppose that y is indeed A’s signature for x, i.e.,

y=xa mod p, then
(dα-e2)e1’=(d’α-e2’)e1 holds with probability 1/q

30
Fail-stop Signatures

 In a fail-stop signature scheme, when Oscar is able

to forge Alice’s signature on a message, Alice will
(with high probability) be able to prove that Oscar’s
signature is a forgery

 A fail-stop signature scheme consists of a singing

algorithm, a verification algorithm and a “proof of
forgery” algorithm

31
Van Heyst and Pedersen scheme (1992)

 Let p=2q+1 be a prime such that q is prime and the

DL problem in Zp is intractable. Let α be an element
of order q. Let 1≤a0≤q-1 and define β=αa0 mod p.

 The value of a0 is kept secret from everyone

 The values p,q,α,β and a0 are chosen by a trusted

central authority

32
 A key has the form
K=(γ1,γ2,a1,a2,b1,b2)
where
γ1=αa1βa2 mod p
γ2=αb1βb2 mod p

(γ1,γ2) is the public key and (a1,a2,b1,b2) is

private

33
 To sign a message x,
sig(x)=(y1,y2)
where
y1=a1+xb1 mod q
y2=a2+xb2 mod q

 To verify a signed message (x,(y1,y2))

ver(x,(y1,y2))=true iff. γ1γ2x =αy1βy2 mod p

34
Proof of forgery – the argument

 If there is a signature (y1’’,y2’’) on a message x’ which

can be verified as signing by Alice, but actually it is
not signed by Alice, i.e.
(y1’’,y2’’)≠sig(x’)
then Alice can calculate the secret a0 which was not
given to her

 Alice shows a0 to prove that she is innocent

35
Proof of forgery – calculation of a0

 Since (y1’’,y2’’) is a valid signature on x’

γ1γ2x’ =αy1’’βy2’’ mod p
 Alice can compute her own signature (y1’,y2’) on x’
γ1γ2x’ =αy1’βy2’ mod p

Hence
αy1’’βy2’’=αy1’βy2’ mod p
αy1’’αa0y2’’=αy1’αa0y2’ mod p

36
Thus
y1’’+a0y2’’=y1’+a0y2’ (mod q)

a0=(y1’’-y1’)(y2’-y2’’)-1 (mod q)

It is computable by Alice!

37