Authentication Methods: From
Authentication Methods: From
Digital Signatures to Hashes
Digital Signatures to Hashes
Lecture Motivation
Lecture Motivation

We have looked at confidentiality services, and also examined
the information theoretic framework for security.

Confidentiality between Alice and Bob only guarantees that Eve
cannot read the message, it does not address:
–
Is Alice really talking to Bob?
–
Is Bob really talking to Alice?

In this lecture, we will look at the following problems:
–
Entity Authentication: Proof of the identity of an individual
–
Message Authentication: (Data origin authentication) Proof that
the source of information really is what it claims to be
–
Message Signing: Binding information to a particular entity
–
Data Integrity: Ensuring that information has not been altered by
unknown entities
Lecture Outline
Lecture Outline


Discrete Logarithms and ElGamal
–
Primitive elements and some more number theory (quickly)
–
DLOG
–
ElGamal, another Public Key Algorithm…

Digital Signatures:
–
The basic idea
–
RSA Signatures and ElGamal Signatures
–
Inefficiencies: Hashing and Signing

Hash Functions:
–
Definitions and terminology
–
CHP Hash
–
SHA-1

Message Authentication Codes
Note: Some attacks will be discussed. More attacks and cryptanalysis will come later in the semester
Primitive Roots
Primitive Roots


Consider the following powers of 3 (mod 7):
Note that we obtain all non-zero numbers mod 7.
When this happens, we call 3 a primitive root (or generator) mod 7.

Is a number always a primitive root? No.

If p is prime there are φ(p-1) primitive roots mod p.

How to find them? Good homework problem… 

Proposition: Let g be a primitive root for the prime p
1. If n is an integer, then g
n
=1 (mod p) if and only if and only if n=0 (mod p-1) .
2. If j and k are integers, then g
j
=g
k
(mod p) if and only if j=k (mod p-1).
Proof: We sketch (1) on the board.
)7(mod13,53,43,63,23,33
654321
======
Discrete Logarithms
Discrete Logarithms

Let p be a prime, and α and β nonzero integers (mod p) with

The problem of finding x is called the discrete logarithm
problem, and is written:


Often α will be a primitive root mod p.

The discrete log behaves like the normal log in many ways:

Generally, finding the discrete log is a hard problem.

f(x) = α
x
(mod p) is an example of a one-way function.
)p(mod
x
α=β
( )
β=
α
Lx
( ) ( ) ( )
2121
LLL β+β=ββ
ααα
ElGamal Public Key Cryptosystem
ElGamal Public Key Cryptosystem

One way functions are often used to construct public key
cryptosystems. We saw one in RSA, we now show an example
using the DLOG problem.

Alice wants to send m to Bob. Bob chooses a large prime p and a
primitive root α. We assume 0 < m < p. Bob also chooses a

secret integer a and computes β=α
a
(mod p).

Bob’s Public key is: (p, α, β)

Alice does:
1. Chooses a secret random integer k and computes r=α
k
(mod p)
2. Computes t=β
k
m (mod p).
3. Sends (r,t) to Bob.

Bob decrypts by:
)p(modmtr
a
=
−
ElGamal Public Key Cryptosystem, pg. 2
ElGamal Public Key Cryptosystem, pg. 2

Important issues…
–
a must be kept secret, else Eve can decrypt
–
Eve sees (r,t): t is the product of two random numbers and is
hence random. Knowing r does not really help as Eve would
need to be able to solve DLOG in order to get k.


Very important: A different random k must be used for each
message!
–
If we have m
1
and m
2
, and use the same k, then the
ciphertexts will be (r,t
1
) and (r,t
2
)
–
If Eve ever finds m
1
then she has m
2
also!!!
( )
pmodt/mtmm/tm/t
112222
k
11
=⇒=β=
Overview of Digital Signatures
Overview of Digital Signatures

Suppose you have an electronic document (e.g. a Word file).

How do you sign the document to prove to someone that it
belongs to you?

You can’t use a scanned signature at the end– this is easy to
forge and use elsewhere.

Conventional signing can’t work in the digital world.

We require a digital signature to satisfy:
1. Digital signatures can’t be separated from the message and
attached to another message.
2. Signature needs to be verified by others.
An Application for Digital Signatures
An Application for Digital Signatures

Suppose we have two countries, A and B, that have agreed not
to test any nuclear bombs (which produce seismic waves when
detonated). How can A monitor B by using seismic sensors?
1. The sensors need to be in country B, but A needs to access
them. There is a conflict here.
2. Country B wants to make sure that the message sent by the
seismic sensor does not contain “other” data (espionage).
3. Country A, however, wants to make sure that the data has not
been altered by country B. (Assumption: the sensor itself is
tamper proof).
How can we solve this problem?
Treaty Verification Example
Treaty Verification Example

RSA provides a solution:

1. Country A makes an RSA public/private key. (n,e) are given to
B but (p,q,d) are kept private in the tamper-proof sensor.
2. Sensor collects data x and uses d to encrypt: y=x
d
(mod n), and
sends x and y to country B.
3. Country B takes x and y and calculates z=y
e
(mod n).
4. If z=x, then B can be sure that the encrypted message
corresponds to x. B then forwards (x,y) to A.
5. Country A checks that y
e
(mod n)=x. If so, then A is sure that x
has not been modified, and A can trust x as being authentic.

In this example, it is hard for B to forge (x,y) and hence if (x,y)
verifies A can be sure that data came unaltered from the sensor.
RSA Signatures
RSA Signatures

The treaty example is an example of RSA signatures. We now
formalize it with Alice and Bob.

Alice publishes (n,e
A
) and keeps private (p,q,d
A
)


Alice signs m by calculating y=m
dA
(mod n). The pair (m,y) is
the signed document.

Bob can check that Alice signed m by:
1. Downloading Alice’s (n,e
A
) from a trusted third party.
Guaranteeing that he gets the right (n,e
A
) is another problem
(we’ll talk about this in a later lecture).
2. Calculate z=y
eA
(mod n). If z=m then Bob (or anyone else) can
be guaranteed that Alice signed m.
RSA Signatures, pg. 2
RSA Signatures, pg. 2

Suppose Eve wants to attach Alice’s signature to another message m
1
. She
cannot simply use (m1, y) since

Therefore, she needs y
1
with y
1
eA

=m
1
(mod n).

m
1
looks like a ciphertext and y
1
like a plaintext. In order for Eve to make a
fake y
1
she needs to be able to decrypt m
1
to get y
1
!!! She can’t due to
hardness of RSA.

Existential Forgery: Eve could choose y
1
first and then calculate an m
1
using
(n,e
A
) via m
1
=y
1
eA

(mod n). Now (m1, y1) will look like a valid message and
signature that Alice created since m
1
=y
1
eA
(mod n).

Problem with existential forgery: Eve has made an m
1
that has a signature,
but m1 might be gibberish!

Usefulness of existential forgery depends on whether there is an underlying
“language” structure.
( )
nmodmy
1
e
A
≠
Blind RSA Signatures
Blind RSA Signatures

Sometimes we might want Alice to sign a document without knowing its
contents (e.g. privacy concerns: purchaser does not want Bank to know what
is being purchased, but wants Bank to authorize purchase).

We can accomplish this with RSA signatures (Bob wants Alice to sign a
document m):

1. Alice generates an RSA public and private key pair.
2. Bob generates a random k mod n with gcd (k,n)=1.
3. Bob computes t=k
eA
m (mod n), and sends t to Alice.
4. Alice signs t as following the normal RSA signature procedure by calculating
s=t
dA
(mod n). Alice sends Bob s.
5. Bob computes k
-1
s (mod n). This is the signed message m
dA
(mod n).
Verification:
Does Alice learn anything about m from t?
( )
( )
( )
( )
nmodmmkkmkktknmodsk
AAAA
A
AA
ddde
1
d
e
1
d

11
====
−−−−
ElGamal Signatures
ElGamal Signatures

We may modify the ElGamal public key procedure to become a
signature scheme.

Alice wants to sign m. Alice chooses a large prime p and a
primitive root α. Alice also chooses a secret integer a and
computes β=α
a
(mod p).

Alice’s Public key is: (p, α, β). Security of the signature depends
on the fact a is private.

Alice does:
1. Chooses a secret random integer k with gcd(k,p-1)=1, and
computes r=α
k
(mod p)
2. Computes s=k
-1
(m-ar) (mod p).
3. The signed message is the triple (m,r,s).
ElGamal Signatures, pg. 2
ElGamal Signatures, pg. 2


Bob can verify by:
1. Downloading Alice’s public key (p, α, β).
2. Computes v
1
=β
r
r
s
(mod p) and v
2
=α
m
(mod n)
3. The signature is valid if and only if v
1
=v
2
(mod p)

Verification: We have
Therefore

This scheme is believed to be secure, as long as DLOG is hard
to solve.

Don’t: Choose a p with (p-1) the product of small primes and
don’t reuse k.
( ) ( )
1pmodarskm1pmodarmsk −+=⇒−−=
( ) ( )

( )
pmodvrv
1
sr
s
k
r
aarskm
2
=β=αα=α=α=
+
Wastefulness of plain signatures
Wastefulness of plain signatures

In signature schemes with appendix, where we attach the
signature to the end of the document, we increase the
communication overhead.

If we have a long message m=[m
1
,m
2
,…,m
N
], then our signed
document is {[m
1
,m
2
,…,m

N
],[sig
A
(m
1
),…,sig
A
(m
N
)]}.

This doubles the overhead!

We don’t want to do this when communication resources are
precious (which is always!).

Solution: We need to shrink the message into a smaller
representation and sign that.

Enter: Hash functions
Hash Functions
Hash Functions

Straight-forward application of digital signatures can be
expensive when the message is large

In general, many security protocols benefit from using a
“digested” or “compressed” representative of a message
–
We typically need additional cryptographic properties in order for

the compression operation to be useful

This “compression function” is a hash function:
Domain Range
h(m)
Hash Functions, pg. 2
Hash Functions, pg. 2

Formally, a cryptographic hash function h takes an input
message of arbitrary length and produces a message digest of
fixed length, and satisfies:
1. Given a message m, h(m) is quick to calculate
2. One-Way (preimage resistance): Given a digest y, it is
computationally infeasible to find an m with h(m)=y.
3. Strongly Collision Free: It is computationally infeasible to
find messages m
1
and m
2
with h(m
1
)=h(m
2
).

Can we ever have h(m
1
)=h(m
2
)? Yes. Why?


We will look at a couple examples.
Chaum, vanHeijst, Pfitzman Hash
Chaum, vanHeijst, Pfitzman Hash

We may use the DLOG problem to construct a hash function

Choose a prime p such that q=(p-1)/2 is also prime. (There’s an
algorithm for doing this, but that’s not our goal today). Choose
two primitive roots α and β.

The hash function h(m) will take integers (mod q
2
) to integers
(mod p). Hence, producing half the bits.

Write m=x
0
+x
1
q with .

Define the hash by:
1qx,x0
10
−≤≤
( ) ( )
pmodmh
1
0

x
x
βα=
CHP Hash is strongly collision-free
CHP Hash is strongly collision-free

Proposition: If we know with , then
we can solve the discrete logarithm .

Proof: Will be given on the board after we cover all of the slides.
mm
′
≠
( )
β=
α
La
)m(h)m(h
′
=
SHA-1
SHA-1

In order to get fast hash functions, we need to operate at the bit-
level. SHA-1 is one such algorithm.

Many of the popular hash functions (e.g. MD5, SHA-1) use an
iterative design:
–
Start with a message m of arbitrary length and break it into n-

bit blocks, m=[m
1
,m
2
,…,m
l
]. The last block is padded to fill
out a full block size.
–
Message blocks are processed via a sequence of rounds using
a compression function h’ which combines current block and
the result of the previous round
–
X
0
is an initial value, and X
l
is the message digest.
( )
j1jj
m,XhX
−
′
=
SHA-1, pg. 2
SHA-1, pg. 2

In SHA-1, we pad according to the rule:
–
Start with a message m of arbitrary length and break it into n-

bit blocks.
–
The last block is padded with a 1 followed by enough 0 bits
to make the new message 64 bits short of a multiple of 512
bits in length.
–
Into the 64 unfilled bits of the last block, we append the 64-
bit representation of the length T of the message.
–
Overall, we have blocks of 512 bits.
–
The appended message becomes m=[m
1
,m
2
,…,m
L
].
 
1512/TL
+=
SHA-1, pg. 3 (Basic Operations)
SHA-1, pg. 3 (Basic Operations)

We will need the following bit operations:
SHA-1, pg. 4 (Basic Algorithm)
SHA-1, pg. 4 (Basic Algorithm)
SHA-1, pg. 5 (Inside the Alg.)
SHA-1, pg. 5 (Inside the Alg.)
Initial 160-bit register

X
0
=[H
0
,H
1
,H
2
,H
3
,H
4
]