Lecture 3 Introduction to Cryptography

1
Lecture 3Introduction to Cryptography
2
Outline

• basics of cryptology
• private key cryptography
• public key cryptography
• digital signatures

3
Why Study cryptology(1)
A
B
Intruder
Communications security
4
Why Study cryptology(2)
Customer
Merchant
TTP
Electronic Commerce Security
5
Why Study cryptology(3)
A
B
LEA
Law enforcement
6
The Basic Problem

• We consider the confidentiality goal
• Alice and Bob are Friends
• Marvin is a rival
• Alice wants to send secret messages (M1,M2,) to
  Bob over a network such as Internet
• Rival Marvin wants to read the messages (M1,M2,)
  - Alice and Bob want to prevent this!
• Assumption The network is OPEN Marvin is able
  to eavesdrop and read all data sent from Alice to
  Bob.
• Consequence Alice must not send messages
  (M1,M2,) directly they must be scrambled or
  encrypted using a secret code unknown to Marvin
  but known to Bob.

7
Basic terms

• cryptology (to be very precise)
• cryptography --- designing
• cryptanalysis --- code breaking
• cryptologist
• cryptographer
• cryptanalyst
• encryption/encipherment
• scrambling data into unintelligible to
  unauthorised parties

8
Basic terms (2)

• decryption/decipherment
• un-scrambling
• cipher/cryptosystem

9
A short history

• dividing line is 1976/77
• classic 1976/77
• 1976 Diffie Hellman discovered public key
  cryptography
• 1977 National Bureau of Standards published DES
  (Data Encryption Standard)
• modern 1976/77 today

10
History (2)

• the word of cipher--- from Greek (secret
  writing)
• ancient Egypt, Julius Caesar, ...
• WWII
• Enigma cipher machine
• broken by British team including Alan Turing
• Purple cipher
• broken by US, led to the death of Yamamoto
• Mainly for war, diplomacy politics

11
Types of ciphers

• private key cryptosystems/ciphers
• public key cryptosystems/ciphers

12
Examples of Messages

• Types of secret Messages Alice might want to
  send Bob (in increasing length)
• Decision (yes/no), eg as answer to the question
  Are we meeting tomorrow?
• Numerical Value, eg as answer to the question at
  what hour are we meeting?
• Document
• Software,
• Images etc.

13
Representation of Data (1)

• Before encryption, messages must be represented
  in a standard way.
• A representation code for a set of messages is
• A code which associates each possible message to
  a unique representing string of symbols
• The symbols are elements of an alphabet
• English Letter alphabet A,B,C,,X,Y,Z (26
  elements)
• Decimal digit alphabet 0,1,,9 (10 elements)
• Binary digit (bit) alphabet 0,1 (2 elements)
• Assumption The message representation code is
  NOT secret and is known to everyone, including
  Marvin!

14
Representation of Data (2)

• Example 1
• Set of Messages yes, no (Decisions)
• Symbol Alphabet 0,1 (bit alphabet)
• Representation Code
• 0 yes, 1 no
• Example 2
• Set of messages English text
• Symbol alphabet A,B,,Y,Z (letters)
• Representation code Leave as is.

15
Representation of Data (3)

• Example 3
• Set of Messages English text
• Symbol Alphabet 0,1 (bits)
• Representation Code
• Convert each English letter in text to an 8-bit
  ASCII code, and concatenate the 8-bit codes.
• Example 4
• Set of Messages 0,1,,1000
• Symbol Alphabet 0,1 (bits)
• Representation code binary base system
• Represent number x as string of 10 bits
  where
• Eg x 734 is encoded as 1011011110

16

Private key cipher
Encryption
Decryption
Encrypted message (ciphertext)
Encrypted message (ciphertext)
E
Alice
D
Bob
key
Message (cleartext, plaintext)
Message (cleartext,plaintext)
17
Concepts

• a private key cipher is composed of two
  algorithms
• encryption algorithm E
• decryption algorithm D
• the same key K is used for encryption
  decryption
• K has to be distributed beforehand

18
Notations

• encrypt a plaintext P using a key K an
  encryption algorithm E C E(K,P)
• decrypt a ciphertext C using the same key K and
  the matching decryption algorithm D P D(K,C)
• Note P D(K,C) D(K, E(K,P))

19
Classic ciphers

• substitution ciphers
• monoalphabetic ciphers
• polyalphabetic ciphers
• transposition (permutation) ciphers
• product ciphers
• using both
• substitution, and
• transposition

20
The Caesar cipher

• The Caesar cipher is a substitution cipher, named
  after Julius Caesar.
• Operation principleeach letter is translated
  into the letter a fixed number of positions after
  it in the alphabet table.
• the fixed number of positions is a key both for
  encryption and decryption.

21
The Caesar cipher (cntd)
Outer plaintext
Inner ciphertext
22
The Caesar cipher (cntd)
K3
23
An example

• for a key K3,plaintext letter
  ABCDEF...UVWXYZciphtertext letter
  DEF...UVWXYZABC
• Hence TREATY IMPOSSIBLEis translated
  into WUHDWB LPSRVVLEOH

24
An exercise

• Using the Caesar cipher to encode the following
  message under a key K5WAR STARTS TOMORROW

25
Breaking the Caesar cipher

• by trial-and error
• by using statistics on letters
• frequency distributions of lettersletter percent
  A 7.49B 1.29C 3.54D 3.62E 14.00...
  ...............................

26
4 types of cryptanalysis

• depending on what a cryptanalyst has to work
  with, attacks can be classified into
• ciphertext only attack
• known plaintext attack
• chosen plaintext attack
• chosen ciphertext attack (most severe)

27
4 types of attacks (2)

• ciphertext only attack
• the only data available is a target ciphertext
• known plaintext attack
• a target ciphertext
• pairs of other ciphertext and plaintext (say,
  previously broken)

28
4 types of attacks (3)

• chosen plaintext attacks
• a target ciphertext
• can feed encryption algorithm with plaintexts and
  obtain the matching ciphertexts
• chosen ciphertext attack
• a target ciphertext
• can feed decryption algorithm with ciphertexts
  and obtain the matching plaintexts

29
Two Main Types of Secrecy

• Types of secrecy a cipher can offer
• Perfect Secrecy For these ciphers Marvin cannot
  determine the message M even with unlimited
  computation time
• Decrypting C with all possible keys K gives many
  possible messages, all reasonable candidates for
  the actual message M
• One of the decrypted messages is M, but Marvin
  has no way to tell which one is the actual
  message encrypted by Alice!
• Example Caesar cipher with all 26 possible keys
  equally likely and message being just ONE letter
  (26 possible messages).
• Eg Given ciphertext A, corresponding plaintexts
  under keys 0,1,2,,25 are A,B,C,,X,Y,Z.

30
Two Main Types of Secrecy (2)

• Unfortunately, ciphers achieving perfect secrecy
  are not practical in most cases
• May require very long keys (eg as long as
  message)
• Cannot withstand known plaintext attacks (or
  stronger)
• Instead, most common are ciphers aiming to
  achieve
• Computational Secrecy Marvin cannot determine
  the message M unless he performs an unfeasible
  amount of computation (eg it would take 10,000
  years for Marving to determine M using the
  fastest supercomputer!)
• This can be achieved under all 4 possible attack
  scenarios, and using quite short keys!

31
Breaking classic ciphers

• with the help of fast computers, 99.99 ciphers
  used before 1976 are breakable by using one of
  the 4 types of attacks.
• The first computer designed by Alan Turing was
  used to break the Enigma cipher in WWII.

32
Modern private key ciphers

• DES (US, 1977)
• key -- 56 bits, plaint/ciphertext -- 64 bits
• IDEA (Lai Massey, Swiss, 1991)
• key -- 128 bits, plaint/ciphertext -- 64 bits
• LOKI (ADFA, Australia, 1989)
• key, plaint/ciphertext -- 64 bits
• FEAL (NTT, Japan, 1990)
• key -- 128 bits, plaint/ciphertext -- 64 bits

33
The SPEED Cipher

• designed by Y Zheng in 1996
• SPEED stands for Secure Package for Encrypting
  Electronic Data
• length of a Key
• 48,64,80,,256 bits
• length of a plaintext/ciphertext
• 64 bits, or
• 128 bits, or
• 256 bits

34
DES Encryption (Pfleeger, P.114)
35
Bit-wise exclusive-or (XOR)
101010111
110000010
011010101
36
Encryption using DES

• a 56-bit key K is expanded into 16 subkeys, each
  48 bits (K1, K2, ..., K16)
• Encryption consists of 16 rounds, each using a
  different 48-bit subkey
• Both a plaintext a ciphertext are 64 bits long

37
DES as an iterative cipher
plaintext
0101101010111011
0101101010111011
after round 1
0101101010111011
after round 2
after round 3
0101101010111011
after round 4
0101101010111011
after round 16
0101101010111011
ciphertext
0101101010111011
38
Decryption using DES

• Similar to encryption, except that the order in
  which the subkeys are used is reversed,
  namely, (K16, K15, ..., K2, K1)

39
DES Decryption
40
DES decryption illustrated
plaintext
0101101010111011
0101101010111011
after round 16
0101101010111011
after round 15
0101101010111011
after round 14
0101101010111011
after round 13
after round 1
0101101010111011
ciphertext
0101101010111011
41
Public Key Cryptosystems Digital Signatures
42
Outline

• Why public key cryptography ?
• general principles of public key cryptography
• the RSA public key cryptosystem
• examples of RSA

43

Private key cipher
Encryption
Decryption
Encrypted message (ciphertext)
Encrypted message (ciphertext)
E
Alice
D
Bob
key
Message (cleartext, plaintext)
Message (cleartext,plaintext)
44
Problems with private key ciphers

• In order for Alice Bob to be able to
  communicate securely using a private key cipher,
  such as DES, they have to have a shared key in
  the first place.
• Question What if they have never met before ?
• Alice needs to keep 100 different keys if she
  wishes to communicate with 100 different people

45
A question

• Consider a group of n people, each wishing to
  communicate securely with all other members in
  the group, by using a private key cipher, say
  DES.
• How many different secret keys does each member
  of the group have to keep ?
• Whats the total number of different secret keys
  that have to be kept by all members of the group ?

46
Motivation of Diffie Hellman

• Is it possible for Alice Bob, who have no
  shared secret key, to communicate securely ?
• This led to the SINGLE MOST IMPORTANT discovery
  in the history of secure communicationsW.
  Diffie M. Hellman New Directions in
  Cryptography, IEEE Transactions on Information
  Theory, Vol. IT-22, No.6, Nov. 1976, pp.644-654.

47
Main ideas

• Bob
• publishes, say in Yellow/White pages, his
• public (encryption) key, and
• encryption algorithm.
• keeps to himself
• the matching secret (decryption) key.

48
Main ideas (2)

• Alice
• Looks up the phone book, and finds out Bobs
• public (encryption) key, and
• encryption algorithm.
• Encrypts a message using Bobs public key and
  encryption algorithm.
• sends the ciphertext to Bob.

49
Main ideas (3)

• Bob
• Receives the ciphertext from Alice
• Decrypts the ciphertext using his secret
  decryption key, together with the decryption
  algorithm

50
Public Key Cryptosystem
Key Directory (Yellow/White Pages)
Bob
Cipher Text
Cipher Text
Plain Text
Plain Text
D
E
Secret Key
Alice
Bob
51
Main differences with DES

• The public encryption key is different from the
  secret decryption key.
• Infeasible for an attacker to find out the secret
  decryption key from the public encryption key.
• no need for Alice Bob to distribute a shared
  secret key beforehand !
• only one pair of public and secret keys is
  required for each user !

52
Realising public key ciphers

• The most famous system that implements Diffie
  Hellmans ideas on public key ciphers is due to
• Ronald Rivest
• Adi Shamir
• Leonard Adleman
• This concrete public key cryptosystem is called
  RSA.

53
Prime composite

• Prime and composite numbers
• a prime number is an integer that can divided
  only by 1 and itself
• E.g. 2, 3, 5, 7, 11, 13, 101, 103, ......
• all other integers are composite
• E.g. 4, 6, 8, 9, 10, 12, 523743960876432, 800164
  386535

54
Modular operations

• remainder
• 13 3 (mod 5), 1 1 (mod 7)
• 20 0 (mod 5), 32 4 (mod 7)
• modular exponentiation
• 22 1 (mod 3), 32 0 (mod 3)
• 22 4 (mod 5), 102 8 (mod 92)
• 46 6 (mod 10), 311 7 (mod 10)

55
RSA Public Key Cryptosystem
Public Key Directory (Yellow/White Pages)
Bob (e, n)
public key e n
Plain Text
Cipher Text
Cipher Text
Plain Text
c m e mod n
m c d mod n
Alice
secret key d
Bob
56
RSA (1)

• Bob
• chooses 2 large primes (each at least 100
  digits) p, qmultiplies p and q n pq
• finds out two numbers e d such that e d 1
  (mod (p-1)(q-1))
• public key (published in the phone book)
• 2 numbers (e, n)
• encryption alg modular exponentiation
• secret key d

57
RSA (2)

• Alice has a message m to be sent to Bob
• finds out Bobs public encryption key (e, n)
• calculates c me (mod n)
• sends the ciphertext c to Bob

58
RSA (3)

• Bob
• receives the ciphertext c from Alice
• uses his matching secret decryption key d to
  calculate m cd (mod n)

59
RSA --- 1st small example (1)

• Bob
• chooses 2 primes p5, q11multiplies p and q n
  pq 55
• finds out two numbers e3 d27 which
  satisfy 3 27 1 (mod 40)
• Bobs public key
• 2 numbers (3, 55)
• encryption alg modular exponentiation
• secret key 27

60
RSA --- 1st small example (2)

• Alice has a message m13 to be sent to Bob
• finds out Bobs public encryption key (3, 55)
• calculates c me (mod n) 133 (mod
  55) 2197 (mod 55) 52
• sends the ciphertext c52 to Bob

61
RSA --- 1st small example (3)

• Bob
• receives the ciphertext c52 from Alice
• uses his matching secret decryption key 27 to
  calculate m 5227 (mod 55) 13 (Alices
  message)

62
RSA --- 2nd small example (1)

• Bob
• chooses 2 primes p101, q113multiplies p and
  q n pq 11413
• finds out two numbers e3533 d6597 which
  satisfy 3533 6597 1 (mod 11200)
• Bobs public key
• 2 numbers (3533, 11413)
• encryption alg modular exponentiation
• secret key 6597

63
RSA --- 2nd small example (2)

• Alice has a message m9726 to be sent to Bob
• finds out Bobs public encryption key (3533,
  11413)
• calculates c me (mod n) 97263533 (mod
  11413) 5761
• sends the ciphertext c5761 to Bob

64
RSA --- 2nd small example (3)

• Bob
• receives the ciphertext c5761 from Alice
• uses his matching secret decryption key 6597 to
  calculate m cd (mod n) 57616597 (mod
  11413) 9726 (Alices message)

65
Remarks on RSA

• The message m has to be an integer between in the
  range 1, n.
• To encrypt long messages we can use modes of
  operation as for private key ciphers, or a hybrid
  cryptosystem (see later).

66
Why RSA is Secure

• Attack Scenario
• Marvin wants to read Alices private message (m)
  intended to be read only by Bob.
• However, Alice used RSA to encrypt m using Bobs
  public key (e, n), into the ciphertext c me
  (mod n).
• Marvin is a determined attacker and managed to
  intercept the ciphertext c on its way from
  Alices to Bobs computer.
• Marvin also looked up Bobs public key (e,n) to
  help him in his attack.

67
Why RSA is Secure

• Marvin now has (c,e,n) and wants to find out m.
• How can Marvin proceed to find m?
• Approach 1 If Marvin could also find out Bobs
  secret key d, he could decrypt c into m in the
  same way as Bob does.
• Suppose Bob guards his secret key d very well,
  what can Marvin do then?
• Approach 2 Marvin knows that c me (mod n). He
  knows that m is a number between 0 and n-1. So he
  could use exhaustive search through all n
  possible messages m.
• But if n is large this takes a long time!
• Exercise If m is known to be one of X possible
  messages, how long does this attack take? (Assume
  it takes time T to encrypt m into c)

68
Why RSA is Secure

• Marvins Attack options (cont)
• Approach 3 Marvin can try to compute Bobs
  secret key d from (e,n) and then use Approach 1.
• Remember that e d 1 ( mod (p-1)(q-1) )
• Marvin found in a Number Theory book a very
  fast algorithm called EUCLID to solve the
  following problem Given two numbers (r,s), the
  algorithm outputs a number x such that
• r x 1 (mod s).
• Exercise Explain how Marvin can use algorithm
  EUCLID to find Bobs secret key d very quickly
  from (e,n) once he manages to factorize n pq
  into the prime factors p and q.

69
Why RSA is Secure

• Approach 3 is the most efficient known method
  Marvin can use to attack RSA!
• The time taken for Marvin to execute the attack
  in Approach 3 is essentially the time to
  factorize npq into the prime factors p and q.
• Therefore, we say that RSA is based on the
  factorization problem While it is easy to
  multiply large primes together, it is
  computationally infeasible to factorize or split
  a large composite into its prime factors !

70
Why RSA is Secure

• The current state of the art in factorization
• Largest RSA number factored so far 155 decimal
  digits, as at August 1999
• It took several months of computing time on many
  computers around the world
• Exercise How long was the binary representation
  of the above number (bit length)?
• (hint log2(10) 3.32 approximately)
• The length of n in an RSA key should therefore be
  sufficiently longer than 155 decimal digits to be
  secure against attackers with access to many fast
  computers.

71
Why RSA is Secure

• How many digits should n have to be secure?
• Approximate Factoring Time For the fastest known
  factoring algorithm (Number Field Sieve)
• If it takes time to factorize number of
  length n digits (or bits),
• Then it takes time to factorize
  a number of length k n digits (bits), where
  (with n in bits)
• Assuming it takes T 1 day to factorize n of
  length 155 decimal digits, it would take
• M(2)T 222 days 20,000 years to factor n of
  length n 2155 310 digits
• M(3)T 239 days 2 billion (!!) years to
  factor n of length n 3155 465 digits

72
Why RSA is Secure

• Therefore, when both p and q in RSA are of at
  least 155 digits, the product npq is 310
  digits.
• Then no one can factorize n in less time than a
  few thousand years, not even Marvin!!
• Thus the only person who can extract the
  plaintext m from the ciphertext c is Bob, as only
  he knows the secret decryption key d !

73
Marvins New Attack Idea

• Instead of just eavesdropping, Marvin can try a
  more active attack!
• Outline of the New Attack
• Marvin generates an RSA key pair
• Public key Kpub_ (N_, e_)
• Secret key Ksec_ d_
• Marvin sends the following email to Alice,
  pretending to be Bob
• Hi Alice,
• Please use my new public key from now on to
  encrypt messages to me. My new public key is
  Kpub_.
• Yours sincerely, Bob.
• Marvin decrypts any messages Alice sends to Bob
  (encrypted with Kpub_), using Ksec_.

74
Preventing Marvins Active Attack

• The active attack works because
• Alice was tricked by Marvin into encrypting a
  message intended for Bob using a fake public
  key which is NOT Bobs public key (in fact it was
  Marvins).
• To prevent the attack
• Before Alice encrypts a message for Bob, she must
  make sure she has Bobs CORRECT public key (and
  not a fake one).
• Alice needs a way of testing the truth of any
  Bobs key message informing Alice of Bobs
  Public Key.
• No one besides Bob should be able to produce such
  a message so that it will pass Alices Test.

75
Preventing Marvins Active Attack (2)

• This is a setting where Alice and Bob have a
  message integrity security requirement!
• Ie. Alice and Bob want to prevent fabrication
  and/or modification of a Bobs key message (a
  message informing Alice of Bobs public key) by
  unautorised parties (like Marvin).
• The main cryptographic tool used to achieve
  message integrity is Digital Signatures.
• In a later lecture (after we have covered
  Digital Signatures), we will come back to this
  topic and see how Digital Signatures can be used
  to prevent Marvins Attack!

76
Private key ciphers

• Good points
• in-expensive to use
• fast
• low cost VLSI chips available
• bad points
• key distribution is a problem

77
Public key ciphers

• good points
• key distribution is NOT a problem
• bad points
• relatively expensive to use
• relatively slow
• VLSI chips not available or relatively high cost

78
Combining 2 type of ciphers

• In practice, we
• use a public key cipher (such as RSA) to
  distribute keys
• use a private key cipher (such as DES) to encrypt
  and decrypt messages

79
The need of digital signature

• social business activities and their associated
  documents are becoming digital
• digital conferences
• digital contract signing
• digital cash payments, ......
• hand-written signatures are not applicable to
  digital data

80
Digital Signature (based on RSA)
Public Key Directory (Yellow/White Pages)
Bob
Plain Text
Plain Text
Accept if equal

D
Signature
Signature
Secret Key
Bob
Cathy
Public Key
81
Digital Signature (for short doc)
Public Key Directory (Yellow/White Pages)
Bob (e, n)
Plain Text
Plain Text
Accept if equal

s md mod n
t se mod n
Signature
Signature
Secret Key d
Cathy
Bob
Public Key (e, n)
82
RSA signature --- an eg (1)

• Bob
• chooses 2 primes p5, q11multiplies p and q n
  pq 55
• finds out two numbers e3 d27 which
  satisfy 3 27 1 (mod 40)
• Bobs public key
• 2 numbers (3, 55)
• encryption alg modular exponentiation
• secret key 27

83
RSA signature --- an eg (2)

• Bob has a document m19 to sign
• uses his secret key d27 to calculate the digital
  signature of m19 s md (mod n) 1927
  (mod 55) 24
• appends 24 to 19. Now (m, s) (19, 24) indicates
  that the doc is 19, and Bobs signature on the
  doc is 24.

84
RSA signature --- an eg. (3)

• Cathy, a verifier
• receives a pair (m,s)(19, 24)
• looks up the phone book and finds out Bobs
  public key (e, n)(3, 55)
• calculates t se (mod n) 243 (mod 55)
  19
• checks whether tm
• confirms that (19,24) is a genuinely signed
  document of Bob if tm.

85
How about long documents ?

• In the previous example, a document has to be an
  integer in 0,...,n
• to sign a very long document, we need a so called
  one-way hash algorithm
• instead of signing directly on a doc, we hash the
  doc first, and sign the hashed data which is
  normally short.

86
One-Way Hash Algorithm

• A one-way hash algorithm hashes an input document
  into a condensed short output (say of 100 bits)
• Denoting a one-way hash algorithm by H(.), we
  have
• Input m - a binary string of any length
• Output H(m) - a binary string of L bits, called
  the hash of m under H.
• The output length parameter L is fixed for a
  given one-way hash function H,
• eg
• The one-way hash function MD5 has L 128 bits
• The one-way hash function SHA-1 hash L 160
  bits

87
One-Way Hash Algorithm
A document (of any length)
88
Properties of One-Way Hash Algorithm

• A good one-way hash algorithm H needs to have
  these properties
• 1. Easy to Evaluate
• The hashing algorithm should be fast
• I.e. given any document m, the hashed value h
  H(m) can be computed quickly.
• 2. Hard to Reverse
• There is no feasible algorithm to reverse a
  hashed value,
• I.e. given any hashed value h, it is
  computationally infeasible to find any document m
  such that H(m) h.
• NOTE An algorithm is called One-Way if it has
  BOTH properties 1 and 2.
• 3. Hard to find Collisions
• There is no feasible algorithm to find two or
  more input documents which are hashed into the
  same condensed output,
• I.e it is computationally infeasible to find any
  two documents m1, m2 such that H(m1) H(m2).

89
The One-way Property
But this direction is infeasible to compute!
Document m (any length)

Document m (any length)
This direction is easy to compute!
H
H
Hash value h (length L bits)
Hash value h (length L bits)
90
Finding collision is infeasible
I, Bob, will pay 1,000 to Alice.
I, Bob, will pay 10,000 to Alice.
Document m1
Document m2
H
H
(same condensed output)
91
Good one-way hashing algorithms

• MD5 (R. Rivest, 1992)
• SHS (secure hashing standard, USA, 1992, modified
  in 1995)
• HAVAL (Y. Zheng, 1992)

92
Digital Signature (for long doc)
Public Key Directory (Yellow/White Pages)
Bob
Plain Text
Plain Text
1-way hash
Accept if equal

D
Signature
Signature
Secret Key
Bob
Public Key
Cathy
93
Why Digital Signature ?

• Unforgeable
• takes 1 billion years to forge !
• Un-deniable by the signatory
• Universally verifiable
• Differs from doc to doc
• Easily implementable by
• software or
• hardware or
• software hardware

94
Unforgeable digital signature
I, Bob, will pay 1,000 to Alice.
I, Bob, will pay 10,000 to Alice.
101001010
001001101
a valid signature
also a valid signature
95
Important digital signatures

• RSA
• strongly supported by industries
• a de facto industrial standard
• Schnorr digital signature
• derived from ElGamal digital signature
• based on infeasibility of discrete logarithm
• DSS (digital signature standard, USA)
• derived from ElGamal digital signature
• based on infeasibility of discrete logarithm
• strongly pushed forward by US government
• Signature schemes using elliptic curves

96
Digital signature -- summary

• three (3) steps are involved in digital signature
  
• Setting up public and secret keys
• Signing a document
• Verifying a signature

97
Setting up publicsecret keys

• Bob does the following
• prepares a pair of public and secret keys
• publishes his public key in the public key file
  (such as an on-line phone book)
• keeps the secret key to himself
• Note
• Setting up needs only to be done once !

98
Signing a document

• Once setting up is completed, Bob can sign a
  document (such as a contract, a cheque, a
  certificate, ...) using the secret key
• The pair of document signature is a proof that
  Bob has signed the document.

99
Verifying a signature

• Any party, say Cathy, can verify the pair of
  document and signature, by using Bobs public key
  in the public key file.
• Important !
• Cathy does NOT have to have public or secret key !