Schemes which provide this functionality are called **Digital Signature Schemes**. A Digital Signature Scheme will have two components, a private

There are many Digital Signature Schemes which meet these conditions, but we shall only investigate a few of the most popular ones.

Forgeries of Bob's signature are easy to construct. The requirement for a valid signature is that raising the second coordinate to Bob's public encryption exponent e gives the first coordinate. Frank the "forger" can take any number y, calculate x = y^{e} mod n and send the pair (x,y). This will be verified as Bob signing the message x. Frank's problem is that he has no control over the "message" x, which will normally be just random nonsense. Without breaking the RSA cryptosystem, Frank has only a negligible chance of finding a meaningful message, let alone a desired message.
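The following is an added example, not code from the original notes: it implements the raw RSA signature check just described, Frank's forgery (x, y) = (y^e mod n, y), and, beside it, the hash-then-sign variant in which the verifier compares s^e with a digest of the message. The key (n = 3233, e = 17, d = 2753, from p = 61, q = 53) is a constructed toy key and SHA-256 reduced mod n is an assumed choice of digest.

```python
"""Raw RSA signatures and Frank's forgery, beside a hash-then-sign variant (toy key)."""
import hashlib

# Constructed toy key (p = 61, q = 53): n = 3233, e = 17, d = 2753. Far too small for real use.
N, E, D = 3233, 17, 2753


def sign_raw(m, n=N, d=D):
    """Bob signs the integer m directly: s = m^d mod n."""
    return pow(m, d, n)


def verify_raw(m, s, n=N, e=E):
    """Accept (m, s) iff s^e = m (mod n), the check described in the text."""
    return pow(s, e, n) == m % n


def forge_raw(y, n=N, e=E):
    """Frank picks any y and sets x = y^e mod n; (x, y) passes verify_raw, but Frank
    has no say in what x turns out to be."""
    return pow(y, e, n), y


def digest_to_int(message, n=N):
    """Map a message to Z_n via SHA-256 (assumed digest choice for hash-then-sign)."""
    h = hashlib.sha256(message.encode()).digest()
    return int.from_bytes(h, "big") % n


def sign_hashed(message, n=N, d=D):
    """Sign the digest of the message rather than the message itself."""
    return pow(digest_to_int(message, n), d, n)


def verify_hashed(message, s, n=N, e=E):
    """Accept iff s^e = h(message) (mod n): Frank's (x, y) now only helps him if he can
    find a message whose digest is x, i.e. a preimage of the hash."""
    return pow(s, e, n) == digest_to_int(message, n)


if __name__ == "__main__":
    x, y = forge_raw(3)
    print("forged pair verifies under raw RSA:", verify_raw(x, y), (x, y))
    sig = sign_hashed("pay Bob 10")
    print("hash-then-sign round trip:", verify_hashed("pay Bob 10", sig))
```

Because x -> x^e is a permutation of Z_n, exactly one signature is valid for a given digest, so a tampered signature value is always rejected; what the hash adds is that the verifier no longer accepts an arbitrary x as "the message".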

The verification algorithm compares ^{r}r^{s} mod p and ^{m} mod p. Noting that from the definition of s, we have m = sk + ar mod (p-1), we see that:

Unlike the RSA signature scheme, Frank can not forge Alice's signature on "random messages" by randomly picking r and s and calculating a message m so that (m,r,s) is a valid Alice signature [to do this would require solving the discrete log problem]. However, Frank can create valid Alice signatures by selecting r,s and m simultaneously. To do this, Frank picks two integers, i and j (less than p-1) such that gcd(j,p-1) = 1. Then Frank calculates:

s = -rj^{-1} mod (p-1)

m = is mod (p-1)

=

=

=
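An added example (not the notes' own code) that carries out the El Gamal signing and verification described above and then Frank's forgery from i and j. The parameters p = 467, primitive root 2 and secret exponent 127 are constructed toy values; ALPHA and BETA are assumed names for the two public values whose symbols did not survive in the text, and r = ALPHA^i BETA^j mod p is the (standard) definition of the forged r that the text leaves implicit.

```python
"""El Gamal signatures with the existential forgery from the text (toy parameters)."""
from math import gcd

# Constructed toy parameters: p = 467 with primitive root 2. Not secure at this size.
P = 467
ALPHA = 2                          # assumed name for the public primitive root
A_SECRET = 127                     # Alice's private exponent a
BETA = pow(ALPHA, A_SECRET, P)     # assumed name for the public value alpha^a mod p


def sign(m, k, p=P, alpha=ALPHA, a=A_SECRET):
    """Alice signs m with a fresh secret k: r = alpha^k mod p, s = k^-1 (m - a r) mod (p-1)."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(alpha, k, p)
    s = (pow(k, -1, p - 1) * (m - a * r)) % (p - 1)
    return r, s


def verify(m, r, s, p=P, alpha=ALPHA, beta=BETA):
    """Accept iff 0 < r < p and beta^r * r^s = alpha^m (mod p)."""
    if not 0 < r < p:
        return False
    return (pow(beta, r, p) * pow(r, s, p)) % p == pow(alpha, m, p)


def forge(i, j, p=P, alpha=ALPHA, beta=BETA):
    """Frank's forgery: r = alpha^i beta^j mod p, s = -r j^-1 mod (p-1), m = i s mod (p-1).
    The triple (m, r, s) verifies, but Frank cannot choose m."""
    if gcd(j, p - 1) != 1:
        raise ValueError("j must be invertible mod p-1")
    r = (pow(alpha, i, p) * pow(beta, j, p)) % p
    s = (-r * pow(j, -1, p - 1)) % (p - 1)
    m = (i * s) % (p - 1)
    return m, r, s


if __name__ == "__main__":
    r, s = sign(100, 213)
    print("Alice's signature on 100:", (r, s), "verifies:", verify(100, r, s))
    m, r, s = forge(99, 179)
    print("Frank's forged triple:", (m, r, s), "verifies:", verify(m, r, s))
```

Working through the exponents explains why the forgery passes: beta^r r^s = alpha^{ar} alpha^{is} beta^{js}, and js = -r mod (p-1) cancels the alpha^{ar} factor, leaving alpha^{is} = alpha^m. As with RSA, signing a message digest instead of m itself removes the attack, since Frank would then need a preimage of m under the hash.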

- The message digest h(m) should be calculated very quickly.
- The hash function h should be a one-way function, that is, given a message digest h(m), it should be computationally infeasible to obtain the message m.
- The hash function h should be *strongly collision free*, meaning that it should be computationally infeasible to find two messages m_{1} and m_{2} so that h(m_{1}) = h(m_{2}).

We shall examine the *discrete log hash function* due to Chaum, van Heijst and Pfitzmann. Unfortunately, the calculation of this function is too slow to be of practical use, but it is simple enough to permit an analysis of its cryptographic security.

Select a large prime p such that q = (p-1)/2 is also prime. Choose two primitive roots and of **Z**_{p}. For a message m with m < q^{2} we can write m = b + cq with 0 ≤ b, c < q. We then set h(m) = ^{b}^{c} mod p.

In this set up, since is a primitive element, there exists an exponent a such that = ^{a} mod p. Of course finding this exponent involves solving the discrete log problem in this field. If, however, we can find a collision for this hash function, i.e., different messages m_{1} = r + sq and m_{2} = t + uq with h(m_{1}) = h(m_{2}), then we can easily calculate the exponent a. This follows since,

a(u-s) = (r-t) mod (p-1).
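An added example, not part of the original notes, that evaluates the discrete log hash on a toy instance, finds a collision by brute force (feasible only because p is tiny), and then solves a(u-s) = (r-t) mod (p-1) for the exponent a. The instance p = 23, q = 11 with primitive roots 5 and 7 is constructed; ALPHA and BETA are assumed names for the notes' two unnamed primitive roots. Since p-1 = 2q, gcd(u-s, p-1) can be 2, so the congruence may leave two candidates and the code checks which one satisfies ALPHA^a = BETA.

```python
"""Chaum-van Heijst-Pfitzmann hash: a collision yields the discrete log of beta to base alpha."""
from math import gcd

# Constructed toy instance: p = 23, q = (p-1)/2 = 11, primitive roots 5 and 7.
P, Q = 23, 11
ALPHA, BETA = 5, 7      # assumed names for the two public primitive roots


def cvhp_hash(m, p=P, q=Q, alpha=ALPHA, beta=BETA):
    """h(m) = alpha^b * beta^c mod p for m = b + c q with 0 <= b, c < q."""
    if not 0 <= m < q * q:
        raise ValueError("message must satisfy 0 <= m < q^2")
    b, c = m % q, m // q
    return (pow(alpha, b, p) * pow(beta, c, p)) % p


def find_collision(p=P, q=Q):
    """Brute force over all q^2 messages (toy p only): return m1 != m2 with h(m1) = h(m2)."""
    seen = {}
    for m in range(q * q):
        h = cvhp_hash(m, p, q)
        if h in seen:
            return seen[h], m
        seen[h] = m
    return None


def dlog_from_collision(m1, m2, p=P, q=Q, alpha=ALPHA, beta=BETA):
    """Given m1 = r + s q and m2 = t + u q with equal hashes, solve
    a (u - s) = (r - t) mod (p-1) and return the a with alpha^a = beta."""
    r, s = m1 % q, m1 // q
    t, u = m2 % q, m2 // q
    n = p - 1
    d, rhs = (u - s) % n, (r - t) % n
    if d == 0:
        raise ValueError("u = s forces r = t, so the messages are not distinct")
    g = gcd(d, n)
    if rhs % g:
        raise ValueError("not a collision of this hash")
    # Reduce the congruence by g, invert, then try the g candidates that remain.
    base = (rhs // g) * pow(d // g, -1, n // g) % (n // g)
    for k in range(g):
        cand = base + k * (n // g)
        if pow(alpha, cand, p) == beta:
            return cand
    raise ValueError("no candidate matched")


if __name__ == "__main__":
    m1, m2 = find_collision()
    print("collision:", m1, m2, "both hash to", cvhp_hash(m1))
    a = dlog_from_collision(m1, m2)
    print("recovered a =", a, "check alpha^a mod p =", pow(ALPHA, a, P))
```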

In the digital signature application, a cryptographic hash function is made public. The signature algorithm is then applied to the message digest obtained from this hash function. The message and this signature are then sent. The verification algorithm is applied to the signed message digest and compared with the message digest that is recomputed from the message. Signatures in this version are much shorter than the messages that they sign. The cryptographic properties of the hash function prevent forgeries. However, since the message digests are of fixed size, there are not as many of them as there are possible messages. This leads to another type of attack which can be launched against digital signature schemes which employ hash functions.

Consider a set Z with n elements (think of this as the set of hash digests). We wish to calculate the probability that k randomly selected elements of Z will contain no equal elements (no collisions). As the probability of selecting a particular element is 1/n, we calculate this probability as follows: The first choice is arbitrary. The probability that the second choice is distinct from the first is 1-1/n, while the probability that the third is distinct from the first two is 1 - 2/n, etc. Thus, the probability that k elements are selected with no collisions is

-k(k-1)/(2n) ≈ ln(1-p)

k(k-1)/(2n) ≈ ln(1/(1-p))

k

In the Birthday Paradox, n = 365 and our approximation gives k ~ 22.3. In the Birthday attack, if the message digests were of x-bit length, there would be n = 2^{x} digests, and by selecting 2^{x/2} arbitrary messages and applying the hash function to them, there will be a 50% chance of obtaining a collision. Thus, for 40-bit message digests, just over 2^{20} (about a million) random messages would be needed to find a collision with 50% probability. It is usually suggested that the minimum acceptable size of a message digest is 128 bits to avoid a Birthday attack. The 160-bit message digest of DSS is even more secure against this attack.
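An added example (not from the original notes) that computes the exact no-collision product from the derivation above, the approximation k ≈ sqrt(2n ln(1/(1-p))) it leads to, and then watches the bound play out on a deliberately short digest: SHA-256 truncated to 16 bits stands in for an x-bit message digest, and a collision among constructed messages appears after roughly 2^{8} of them. The messages "constructed message i" are made up for the demonstration.

```python
"""Birthday bound arithmetic and a collision search on a truncated digest."""
import hashlib
import math


def prob_no_collision(n, k):
    """Exact product (1 - 1/n)(1 - 2/n)...(1 - (k-1)/n) for k draws from n values."""
    p = 1.0
    for i in range(1, k):
        p *= 1 - i / n
    return p


def samples_for_collision_probability(n, p):
    """k ~ sqrt(2 n ln(1/(1-p))): draws needed for a collision with probability p."""
    return math.sqrt(2 * n * math.log(1 / (1 - p)))


def truncated_digest(message, bits):
    """SHA-256 cut down to its top `bits` bits, standing in for a `bits`-bit digest."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> (256 - bits)


def birthday_search(bits):
    """Hash constructed messages until two share a truncated digest.
    Returns (number of messages hashed, first message, second message)."""
    seen = {}
    for i in range(2 ** bits + 1):          # pigeonhole: a repeat is certain by then
        msg = f"constructed message {i}".encode()
        d = truncated_digest(msg, bits)
        if d in seen:
            return i + 1, seen[d], msg
        seen[d] = msg
    raise AssertionError("unreachable: 2^bits + 1 messages cannot all differ")


if __name__ == "__main__":
    print("P(no collision), 365 days, 23 people:", round(prob_no_collision(365, 23), 4))
    print("k for p = 1/2, n = 365:", round(samples_for_collision_probability(365, 0.5), 2))
    print("k for p = 1/2, 40-bit digest:", round(samples_for_collision_probability(2 ** 40, 0.5)))
    tries, m1, m2 = birthday_search(16)
    print(f"16-bit digest: collision after {tries} messages: {m1!r} / {m2!r}")
```

The search needs only memory for the digests seen so far, and its cost grows as 2^{x/2}, not 2^{x}, which is exactly why the digest length has to be twice the security level the signature scheme is meant to deliver.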

The user of this scheme, say Alice, first finds a prime q which is 160 bits long and then chooses a prime p so that q | p-1. The discrete log problem should be hard for this prime p. (The initial version of the scheme had p chosen as a 512 bit number, but later versions permitted the size of p to be larger, up to 1024 bits.) Now, Alice chooses a qth root of unity mod p, that is an such that ^{q} = 1 mod p (this can be done by finding a primitive root mod p, say g, and calculating = g^{(p-1)/q} mod p). Alice then chooses a secret exponent a, with 0 < a < q-1, and calculates = ^{a} mod p. The values of p, q, , and are made public and the exponent a is kept secret.

To sign a message m, Alice first selects a random secret integer k, with 0 < k < q-1. She then computes r = (^{k} mod p) mod q and s = k^{-1}(m + ar) mod q. Her signature is then (m,r,s). In order for Bob to verify this signature, he computes u = s^{-1}m mod q and v = s^{-1}r mod q. He then computes w = ((^{u}^{v}) mod p) mod q and accepts the signature if and only if w = r.

To see why this works, from the definition of s it follows that

k = s^{-1}m + s^{-1}ar = u + av mod q.

As in the El-Gamal scheme, the exponent a must be kept secret, and the secret numbers k should never be used twice. DSS is considered to be stronger than El-Gamal, since in this scheme the secret number k is harder to obtain from r because of the reduction mod q. The verification step in DSS is also faster than the corresponding step in El-Gamal, since there are fewer modular exponentiations to perform, and this is an important practical consideration.
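An added example, not the notes' own code, of DSS key setup, signing and verification on constructed small parameters: q = 101 and p = 7879 (so q | p-1) instead of the 160-bit q and 512- to 1024-bit p the text describes, with a secret exponent of 75. ALPHA and BETA are assumed names for the two public values whose symbols are missing from the text; ALPHA is built as g^{(p-1)/q} mod p exactly as the text says, and m is taken to be the message digest. The rejection of r = 0 or s = 0 is standard practice that the text does not mention.

```python
"""DSS signing and verification with small constructed parameters."""

# Constructed toy parameters with q | p-1: q = 101, p = 7879 (p - 1 = 2 * 3 * 13 * 101).
P, Q = 7879, 101
A_SECRET = 75                            # Alice's private exponent a


def element_of_order_q(p=P, q=Q):
    """alpha = g^((p-1)/q) mod p for the first g that gives alpha != 1. By Fermat
    alpha^q = g^(p-1) = 1, and since q is prime alpha then has order exactly q."""
    for g in range(2, p):
        alpha = pow(g, (p - 1) // q, p)
        if alpha != 1:
            return alpha
    raise ValueError("no element of order q")


ALPHA = element_of_order_q()             # assumed name for the public q-th root of unity
BETA = pow(ALPHA, A_SECRET, P)           # assumed name for the public value alpha^a mod p


def sign(m, k, p=P, q=Q, alpha=ALPHA, a=A_SECRET):
    """r = (alpha^k mod p) mod q, s = k^-1 (m + a r) mod q. Returns None when r or s is 0
    (standard check, not in the text); the caller must then pick a fresh k."""
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(alpha, k, p) % q
    s = (pow(k, -1, q) * (m + a * r)) % q
    if r == 0 or s == 0:
        return None
    return r, s


def sign_with_retry(m, first_k, q=Q):
    """Try k = first_k, first_k + 1, ... until sign() returns a usable signature.
    Returns the k actually used together with (r, s)."""
    k = first_k
    while True:
        sig = sign(m, k)
        if sig is not None:
            return k, sig
        k = k % (q - 1) + 1


def verification_exponents(m, r, s, q=Q):
    """Bob's u = s^-1 m mod q and v = s^-1 r mod q."""
    s_inv = pow(s, -1, q)
    return (s_inv * m) % q, (s_inv * r) % q


def verify(m, r, s, p=P, q=Q, alpha=ALPHA, beta=BETA):
    """Accept iff 0 < r, s < q and w = ((alpha^u beta^v) mod p) mod q equals r."""
    if not (0 < r < q and 0 < s < q):
        return False
    u, v = verification_exponents(m, r, s, q)
    w = (pow(alpha, u, p) * pow(beta, v, p)) % p % q
    return w == r


if __name__ == "__main__":
    k, (r, s) = sign_with_retry(1234, 50)
    u, v = verification_exponents(1234, r, s)
    print("signature:", (r, s), "verifies:", verify(1234, r, s))
    print("k = u + a v mod q holds:", (u + A_SECRET * v) % Q == k)
```

The identity k = u + av mod q is what makes w = r: alpha has order q, so alpha^u beta^v = alpha^{u + av} = alpha^k mod p. The same identity is why k must be secret and never reused; it ties k directly to a through values that are public.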