Asymmetric Key Signatures
David Evans and Samee Zahur
CS4501, Fall 2015
Please pay $1000 to
my employee
--TheBoss
You have money!
Real-life Signatures
Easy to verify
• Bank has your signature
Forging unlikely
• Legal consequences of forging
• Checkbooks are well-guarded
• Copying it requires physical access
Hard to repudiate
• Bank keeps a copy for a few months
Digital Signatures
Easy to verify
• Everybody has your “verification key”, vk
Hard to forge
• Nobody but you has the “signing key”, sk
Hard to repudiate
• Everybody knows only you have signing key
$s = \mathrm{sign}_{sk}(m)$
$\{\text{true}, \text{false}\} = \mathrm{verify}_{vk}(m, s)$
Topics
• Asymmetric cryptography
• Digital signatures
• Elliptic curve cryptography
• Implementation pitfalls
Ordinary (or symmetric) crypto
Message
key key
Whitfield Diffie
Martin Hellman
New Directions in
Cryptography, 1976
Diffie-Hellman Key Exchange
Exchanged: $g^a \bmod p$ and $g^b \bmod p$
Picks secret $a$. Computes $(g^b)^a = g^{ab}$
Picks secret $b$. Computes $(g^a)^b = g^{ab}$
Public values: $g, p, g^a, g^b$
Shared secret: $g^{ab}$
Discrete Logarithm Problem
Given $g, y, p$, find $x$ such that:
$g^x \bmod p = y$
Random element out of …?
Exchanged: $g^a \bmod p$ and $g^b \bmod p$
Picks random $a$. Computes $(g^b)^a = g^{ab}$
Picks random $b$. Computes $(g^a)^b = g^{ab}$
Mod 5 Exponentiation
Rows: base g. Columns: exponent x. Entries: g^x mod 5.
  x:     0  1  2  3  4  5  6  …
  g = 0: -  0  0  0  0  0  0  …
  g = 1: 1  1  1  1  1  1  1  …   (Order 1)
  g = 2: 1  2  4  3  1  2  4  …
  g = 3: 1  3  4  2  1  3  4  …
  g = 4: 1  4  1  4  1  4  1  …   (Order 2)
In mod 𝑝 multiplication, multiplicative
order is always a factor of (𝑝 − 1)
Exponent Modulus
• Multiplicative order 𝑛 is at most 𝑝 − 1
• Pick random 𝑥 such that 0 ≤ 𝑥 < 𝑝 − 1
• $g^a g^b \bmod p = g^{a+b} \bmod p = g^{(a+b) \bmod n} \bmod p$
Public-key Cryptography
Publicly announces $g^a$
Reply: $g^b,\ g^{ab} m$
Picks secret $a$. Computes $(g^b)^a = g^{ab}$
Picks random secret $b$. Computes $(g^a)^b = g^{ab}$
Encrypts message $m$: $g^{ab} m$
Public values: $g, p, g^a, g^b$
Shared secret: $g^{ab}$
Man-in-the-Middle (MITM)
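Between the first party and the middle: $g^a$; $g^{b'},\ g^{ab'} m$
Between the middle and the second party: $g^{a'}$; $g^b,\ g^{a'b} m$
First party: Picks secret $a$. Computes $(g^b)^a = g^{ab}$
Second party: Picks secret $b$. Computes $(g^{a'})^b = g^{a'b}$
Encrypts message $m$: $g^{a'b} m$
Middle: Picks random $a'$, $b'$. Reads everything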
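The encryption on the Public-key Cryptography slide and the key substitution on the MITM slide, as an added Python example (not part of the original slides). The parameters p = 467, g = 4 with prime order n = 233, and all function names, are assumptions chosen for illustration; the point is that nothing in the exchange lets the sender tell a substituted $g^{a'}$ from the real $g^a$, which is why the announced value has to be authenticated.

```python
import secrets

# Toy parameters chosen for this example (assumptions, not from the slides):
# p = 467 is prime, and g = 4 has prime multiplicative order n = 233.
P, N, G = 467, 233, 4

def keygen():
    """Pick a secret exponent x with 1 <= x < n; return (x, g^x mod p)."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def encrypt(m, announced_pub):
    """Sender: pick random secret b, send (g^b, g^(ab) * m mod p)."""
    if not 1 <= m < P:
        raise ValueError("m must satisfy 1 <= m < p")
    b, g_b = keygen()
    shared = pow(announced_pub, b, P)          # (g^a)^b = g^(ab)
    return g_b, (shared * m) % P

def decrypt(ciphertext, secret):
    """Receiver: recompute (g^b)^a = g^(ab) and multiply by its inverse."""
    g_b, c = ciphertext
    shared = pow(g_b, secret, P)
    return (c * pow(shared, -1, P)) % P

def honest_exchange(m):
    """The sender encrypts to the value g^a that was really announced."""
    a, g_a = keygen()
    return decrypt(encrypt(m, g_a), a)

def substituted_exchange(m):
    """The sender is handed g^(a') in place of g^a, as on the MITM slide.

    Returns (plaintext recovered with a', plaintext recovered with a).
    """
    a, g_a = keygen()
    a_prime, g_a_prime = keygen()
    while g_a_prime == g_a:                    # make sure the two keys differ
        a_prime, g_a_prime = keygen()
    ciphertext = encrypt(m, g_a_prime)         # nothing here flags the swap
    return decrypt(ciphertext, a_prime), decrypt(ciphertext, a)

if __name__ == "__main__":
    print("honest exchange recovers:", honest_exchange(321))
    print("after substitution (a', a):", substituted_exchange(321))
```
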
Digital Signature
Recall
Easy to verify
• Everybody has your “verification key”, vk
Hard to forge
• Nobody but you has the “signing key”, sk
Hard to repudiate
• Everybody knows only you have signing key
$s = \mathrm{sign}_{sk}(m)$
$\{\text{true}, \text{false}\} = \mathrm{verify}_{vk}(m, s)$
Discrete-log based signature
ElGamal Signature Scheme
Signing
Input: message $m$
1. Pick random $k$
2. Compute $r = g^k \bmod p$; $s = (m - ar)\,k^{-1} \bmod (p - 1)$
3. Send $(r, s)$ with message $m$
Verification
Input: message $m$, $r$, $s$
Check if $r^s (g^a)^r = g^m \pmod p$
Fixed global parameters: $g$, $p$
Private key: $a$
Public key: $g^a \bmod p$
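The signing and verification steps above, as an added Python example (not part of the original slides). The toy parameters p = 467 and g = 2, the function names, and the treatment of the message as an integer are assumptions; the checks that $k$ is invertible mod $p - 1$, that $s \neq 0$, and that $r$ and $s$ are in range are standard requirements the slide leaves implicit.

```python
import secrets
from math import gcd

# Toy parameters chosen for this example (assumptions, not from the slides):
# p = 467 is prime and g = 2 has multiplicative order p - 1 = 466.
# Real deployments use far larger parameters and sign a hash of the message.
P, G = 467, 2

def keygen():
    """Private key a with 2 <= a <= p - 2, public key g^a mod p."""
    a = secrets.randbelow(P - 3) + 2
    return a, pow(G, a, P)

def sign(m, a):
    """Sign integer m: r = g^k mod p, s = (m - a*r) * k^-1 mod (p - 1)."""
    while True:
        k = secrets.randbelow(P - 3) + 2       # fresh random k per signature
        if gcd(k, P - 1) != 1:
            continue                           # k^-1 mod (p - 1) must exist
        r = pow(G, k, P)
        s = ((m - a * r) * pow(k, -1, P - 1)) % (P - 1)
        if s != 0:                             # s = 0 ties a to public values
            return r, s

def verify(m, signature, public_key):
    """Check r^s * (g^a)^r == g^m (mod p) after range-checking r and s."""
    r, s = signature
    if not (0 < r < P and 0 < s < P - 1):
        return False                           # reject out-of-range values
    lhs = (pow(r, s, P) * pow(public_key, r, P)) % P
    return lhs == pow(G, m % (P - 1), P)

if __name__ == "__main__":
    a, y = keygen()
    sig = sign(100, a)
    print("signature:", sig)
    print("valid message accepted:", verify(100, sig, y))
    print("altered message accepted:", verify(101, sig, y))
```
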
Bitcoin Payment
Sign it like a check!
Recap
1. We want to sign transactions digitally on the bitcoin network, such
that they are:
a) Easy to verify
b) Hard to forge
c) Hard to repudiate
2. Discrete exponentiation is easy, logarithm is hard
3. We used it to make asymmetric (a.k.a. public) key crypto
4. Same principle used for digital signatures
Avoiding (overly) long numbers
Informal Requirements
Given $g$ and $y$, $g^x = y$ should be hard to solve for $x$
Group
A group is a set of elements (denoted 𝐺) and an associated binary
operation (denoted ∗) that satisfies the following:
• Closure: 𝑎 ∗ 𝑏 is also a group element, or ∀𝑎, 𝑏: 𝑎 ∗ 𝑏 ∈ 𝐺
• Associativity: ∀𝑎, 𝑏, 𝑐: (𝑎 ∗ 𝑏) ∗ 𝑐 = 𝑎 ∗ (𝑏 ∗ 𝑐)
• Identity element: ∃𝑒∀𝑎: 𝑎 ∗ 𝑒 = 𝑎 = 𝑒 ∗ 𝑎
• Inverse: ∀𝑎∃𝑏: 𝑎 ∗ 𝑏 = 𝑒 = 𝑏 ∗ 𝑎
Not necessary, but okay to have:
• Commutativity: ∀𝑎, 𝑏: 𝑎 ∗ 𝑏 = 𝑏 ∗ 𝑎
Additional Cryptographic Properties
• Discrete logarithm should be hard
• Group operation should be efficient
• Implies small key sizes
Elliptic Curve Cryptography (ECC)
• Group elements: points on the curve, P, Q, and R
• Point “addition”: using “geometry”. P+Q=R
$y^2 = x^3 + 7$
Elliptic “Curve”
Image from: http://www.coindesk.com/math-behind-bitcoin/
Elliptic Curve Digital Signature Algorithm (ECDSA)
ElGamal Signature
Inputs: message $m$, private key $a$
1. Pick random $k$
2. Compute
a) $r = g^k \bmod p$
b) $s = (m - ar)\,k^{-1} \bmod n$
3. Send $r, s$ with message $m$
Verification
Check if $r^s (g^a)^r = g^m$
ECDSA
Inputs: message , private key
1. Pick random k
2. Compute
a) , let
3. Send with message
Verification
If , check
Please pay $1000 to
my employee
--TheBoss
You have money!
Jason Benjamin
Logistics
• Next class: hash functions and Bitcoin consensus
• Checkup 1 on Monday. Includes everything till today
