AM

CHAPTER 1

TR
Digital Signatures and Hash Functions

In this chapter, we discuss cryptographic hash functions. They are used, for example, in digital
signatures. Throughout this chapter, we assume that is an alphabet.
P

1. Hash Functions and Compression Functions

P∗
Let be the set of all finite strings (called words) of the letters (characters) from the set .
P

, II
Definition 1.1.1. By a hash function , we mean a map h : ∗ → n for some n ∈ N. Thus, hash
P P

functions map arbitrarily long strings to strings of fixed length. They are never injective.
Example 1.1.2. The map that sends b1 b2 . . . bk ∈ {0, 1}∗ to b1 ⊕ b2 ⊕ · · · ⊕ bk is a hash function. It
maps, for example, 01101 to 1. In general, it sends a string b to 1 if the number of ones in b is odd
and to 0 otherwise.
I
Definition 1.1.3. Let m, n ∈ N, and let m > n. Then any function h : m → n is called a
P P
BH
compression function.
Observe that a compression function maps strings of fixed length to strings of shorter length. Hash
functions can be generated using compression functions.
Example 1.1.4. Let m > 1. Let h : {0, 1}m → {0, 1} be defined as h(b1 b2 . . . bm ) = b1 ⊕b2 ⊕· · ·⊕bm .
Then h is a compression function.
Hash functions and compression functions are used in many contexts (e.g., for making dictionaries).
DA

In cryptography, they also play an important role. Cryptographic hash and compression functions
must have properties that guarantee their security. We now describe these properties informally.
Let h : ∗ → n be a hash function or h : m → n a compression function . We denote the
P P P P

set ∗ or m of arguments of h by D. If h is a hash function, then D = ∗ . If h is a compression

P P P

function, then D = m .
P

If h is used in cryptography, then h(x) must be easy to compute for all x ∈ D. We will assume that
this is the case.
The function h is called a one-way function if it is infeasible to invert h; that is, given s in the codomain
of h it is infeasible to find x ∈ D such that h(x) = s. What does “infeasible” mean? It is complicated
PA

to describe this in a precise mathematical way. To do so, we would need the language of complexity
theory, which is beyond the scope of this course. Therefore, we only give an intuitive description.
1
 AM
2 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

Any algorithm that on input of s ∈ n tries to compute x with h(x) = s almost always fails because
P

it uses too much space or time. It is not known whether one-way functions exist. There are functions,
however, that are easy to evaluate but for which no efficient inversion algorithms are known and that
therefore can be used as one-way functions.

Example 1.1.5. If p is a randomly chosen 1024-bit prime and g a primitive root mod p, then the function

TR
f : {1, 2, . . . , p − 1} → {1, 2, . . . , p − 1} given by f (x) = g x (mod p) is easy to compute by fast
exponentiation, but an efficient inversion function is not known because it is difficult to compute
discrete logarithms. Therefore, f can be used as a one-way function.

A collision of h is a pair (x, x′ ) ∈ D2 for which x ̸= x′ and h(x) = h(x′ ). There are collisions of all
hash functions and compression functions because they are not injective.

, II
Example 1.1.6. A collision of the hash function from Example 1.1.4 is a pair of distinct strings, both of
which have an odd number of ones, such as (111, 101).

The function h is called weak collision resistant if it is infeasible to compute a collision (x, x′ ) for a
given x ∈ D.
I
Example 1.1.7. Alice wants to protect an encryption algorithm on her hard disk from unauthorized
BH
P∗
changes. She uses a hash function h : to compute the hash value y = h(x) of this
Pn
→
program x, and she stores this hash value y on her personal smart card . After work, Alice goes home
and takes her smart card with her. On the next morning, Alice goes to her office. Before she uses the
encryption program again, she checks whether the program is unchanged that is, whether the hash
value of the program is the same as the hash value stored on her smart card.
This test is only secure if the hash function h is weak collision resistant. If not, then an adversary can
compute another pre-image x′ of the hash value h(x) and can change the program x to x′ without
DA

Alice noticing.

The above example shows a typical use of collision resistant hash functions. They permit reducing
the integrity of a document to the integrity of a much smaller string, which, for example, can be stored
on a smart card.
The function h is called (strong) collision resistant if it is infeasible to compute any collision (x, x′ ) of
h. In some applications, it is even necessary to use strong collision resistant hash functions (e.g., for
electronic signatures). It can be shown that collision resistant hash functions are one-way functions.
The idea is the following . Suppose that there is an inversion algorithm for h. Then one randomly
PA

chooses a string x′ . Using the inversion algorithm, an inverse image x of y = h(x′ ) is computed.
Then (x, x′ ) is a collision of h, unless x = x′ .
 AM
3. Introduction - Digital Signatures 3

2. Hash Functions from Compression Functions

Collision resistant compression functions can be used to construct collision resistant hash functions.
This was shown by R. Merkle, and we now describe his idea. Let
g : {0, 1}m → {0, 1}n
be a be a compression function and let r = m − n. Since g is a compression function, we have r > 0.

TR
A typical choice for n and r is n = 128 and r = 512. From g, we want to construct a hash function
h : {0, 1}∗ → {0, 1}n .
Let x ∈ {0, 1}∗ . We explain the computation of h(x) in the case r > 1. We append a minimum
number of zeros to x such that the length of the new string is divisible by r. To this string we
append r zeros. Now we determine the binary representation of the length of the original string
x. We append zeros to that representation such that its length is divisible by r − 1. In front of the

I
starts with the symbol 1.
, II
normalized representation string and in front of each (r − 1)jth, j = 1, 2, 3, . . ., symbol of that string
we insert a one. The resulting representation string is appended to the previously normalized string.
The complete string is written as a sequence
x = x1 x2 . . . xt , xi ∈ {0, 1}∗ , 1 ≤ i ≤ t,
of words of length r. Note that each word in the part which represents the length of the original x
BH
Example 1.2.1. Let r = 4, x = 111011. First, we transform x into 00111011. Then we append 0000
to that string. We obtain 001110110000. The length of the original x is 6. The binary expansion of
6 is 110. It is written as 1110. So we finally obtain the string 0011101100001110. The hash value
h(x) is computed iteratively. We set
H0 = 0n .
This string consists of n zeros. Then we determine
Hi = g(Hi−1 ◦ xi ), 1 ≤ i ≤ t.
DA

Finally, set
h(x) = Ht .
If g is collision resistant, then h is collision resistant.

3. Introduction - Digital Signatures

Digital signatures are one of the most important and practical uses of modern cryptography. So
much so, that digital signatures have been described as the “killer app” of cryptography. As well
as the obvious application of signing documents, digital signatures can also be used elsewhere, for
PA

example, for digital cash. Before starting to discuss digital signatures, it is helpful to first review the
concept of signatures. Suppose Alice has decided to sell Bob her car, and she sends him a letter which
 AM
4 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

tells him that he can buy her car for $15,000. To make sure he knows that her offer is genuine, she
signs her letter with her name:

TR
I , II
BH
Now when Bob reads the letter he knows that it is indeed from Alice, that is, as long as it is not
somebody else forging Alice’s signature. How can Bob be absolutely sure that this is the genuine
Alice signing her name, and not a forgery? Maybe she really wants to sell her car for $25,000 and
this is a forged letter. And suppose this is the genuine letter - what is to stop the bad Mallory from
opening the letter in transit, and carefully copying Alice’s signature onto other documents? Here’s
what might happen. Mallory copies Alice’s signature onto another document, say a letter to Charlie
saying that he can have her house very cheaply. When Charlie comes to see her with the letter, Alice
DA

denies ever signing such a letter. Charlie gets very cross, and demands that Alice fulfill her promise
to him, and may even threaten legal action. This leads to the following requirements for a signature:
(i) authentic - it convinces the receiver that the message is indeed from Alice;
(ii) unforgeable - nobody else but Alice could have signed the message;
(iii) not reusable - even if the message is sent on to a third party, the signature can’t travel with
it.
(iv) The signed message is unalterable.
(v) The signature can’t be repudiated - Alice can’t later deny that she signed the document.
PA

As discussed above, these really aren’t satisfied by a pen-and-ink signature. Look at requirement 4:
suppose Alice comes to visit Bob about selling her car, and while Bob’s back is turned, Alice quickly
 AM
4. Security 5

changes the “5” in $15,000 to “8.” She then claims that Bob must have poor eyesight: misreading
$18,000 as $15,000. Or suppose, after sending Bob the letter, Alice changes her mind about either
selling her car, or its price. So when Bob comes to see her with the letter, she claims that it must be a
forgery: she never signed such a letter. The use of cryptography allows for some signature schemes
that do indeed satisfy the above requirements. One of the consequences of the above requirements is
that a signature will in fact change with each message: it will be a function both of the message and of

TR
the sender. This is different from pen - and - ink signatures, where a signature (such as Alice’s above)
does not depend in any way on the message itself. This is what makes forgery possible: a signature
can be copied from one message to another.

Definition 1.3.1. A digital signature is data that is associated both with a given message and with the
sender or originator of the message. The process of creating such a digital signature of a message is
called signing. The signature may be a number, or a string of bits. To verify a signature is to determine

, II
that the signature is authentic: that it belongs to both the message and the sender. A digital signature
algorithm is a formal method for producing a digital signature.

4. Security
In this section we discuss the security of digital signature schemes.
I
BH
4.1. Security of the private key. A digital signature scheme can only be secure if the problem
of constructing the secret signature key from publicly available information, in particular, from the
public verification key, is intractable. The signature schemes that are used today have this property.
It is based on the intractability of certain computational problems from number theory. However,
there is no proof for the intractability of those problems.

4.2. No-message attacks. Finding the secret signature key is not the only possible goal of an at-
DA

tacker. He can also try to generate new valid signatures without the knowledge of the secret signature
key . This is called an existential forgery. To be more precise, the attacker proceeds as follows.
(i) The attacker obtains Alice’s public verification key.
(ii) The attacker computes a message m and a signature for m that can be verified with Alice’s
verification key .
The attacker can compute the document m as a function of the public verification key . We shall
see an attack that also uses knowledge of valid signatures of other documents. Here the situation
is simpler. No valid signatures of other documents are used. Therefore, this attack is called a no-
PA

message attack. Clearly, the attacker can simply guess a signature. Then this signature has a small
probability of being valid.
 AM
6 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

4.3. Chosen message attacks. It is not sufficient that a signature scheme is secure against no-
message attacks. It is possible that an attacker knows valid signatures and uses them to construct
new signatures. Such attacks are described later. It is even possible that an attacker can obtain
signatures of his choice before he generates a new signature. We illustrate this in an example.

Example 1.4.1. A Web server grants access only to legitimate users. To verify the identity of a user,

TR
the Web server asks the user to sign challenge messages. If an attacker impersonates the Web server,
then he can obtain signatures of documents of his choice. Here is the abstract description of the
attack.
(i) The attacker obtains Alice’s public verification key.
(ii) The attacker computes a message m and a signature for m that can be verified with Alice’s
verification key . During the computation, the attacker can always obtain signatures of
documents of his choice.

, II
The attack is called the chosen message attack.

5. RSA signature scheme

Many digital signature algorithms are based on public - key cryptosystems. And in fact any public -
I
key system can be used as the basis of a signature scheme. In particular, the RSA scheme can be used
for a very simple signature system.
BH
Suppose Alice wants to sign a message m to be sent to Bob. She has set up all the necessary in-
formation for the RSA cryptosystem: two primes p and q and their product n = pq, an integer
e < φ(n) = (p − 1)(q − 1), and the corresponding d = e−1 (mod φ(n)). So Alice’s public key is
(n, e), and her private key is d.
Signing the message. Alice computes s = md (mod n) and sends the pair (m, s) to Bob. Note that
the message m itself is not encrypted (although it can be if need be). Then the value s is Alice’s
signature for the message.
DA

Verifying the signature. Bob receives the pair (m, s). He uses Alice’s public key to compute m′ =
se (mod n) and then compares m with m′ . If they are equal, he accepts the signature. This works
because

se ≡ (md )e (mod n)
≡ mde (mod n)
≡ m(mod n).

Note that this signature scheme is really RSA “in reverse”: Alice uses her private key to form the
PA

signature, and Bob uses her public key to verify it. If Alice wanted to encrypt the message to Bob, she
would use Bob’s public key to send him the message, and he would use his private key to decrypt it.
 AM
5. RSA signature scheme 7

Example 1.5.1. Suppose Alice’s primes are p = 853 and q = 929, with n = pq = 792437. She
chooses e = 17 and so d = 511601. To sign the message m = 500000 she computes
s ≡ md (mod n)
= 500000511601 (mod 792437)
≡ 659911.

TR
This will be the signature of the message. She sends (500000, 659911) to Bob. Bob now computes
m′ ≡ se (mod n)
≡ 65991117 (mod 792437)
≡ 500000.
Since this is equal to the message, Bob accepts the signature and concludes that the message is indeed

, II
from Alice.
Example 1.5.2. Alice chooses p = 11 , q = 23, e = 3. She obtains n = 253, d = 147. Alice’s
public key is (253, 3). Her private key is 147. Alice wants to obtain $111 from an automated teller
machine. She signs 111. She computes s = 111147 ≡ 89(mod 253). The cash dispenser computes
m ≡ s3 ≡ 893 ≡ 111(mod 253). The machine knows that Alice wants to withdraw $111 and it can
also prove it to third parties .
I
Exercises 1.5.3.
BH
(i) Suppose that an RSA system is used for which p = 11 and q = 13. Alice chooses e = 7
as her public key, so that d = 103 is her private key. Verify that the following are valid
message and signature pairs: (a) (99, 44), (b) (50, 106), (c) (75, 36), (d) (2, 63), (e) (120, 120),
(f) (15, 141).
(ii) Suppose now that the values are p = 41, q = 47, and Alice’s public key is e = 3, so that her
private key is d = 1227. Verify that the following are valid message and signature pairs: (a)
(1000, 10), (b) (750, 1577), (c) (2, 538), (d) (1500, 546), (e) (33, 1638), (f) (972, 1211).
DA

5.1. Attacks. If the RSA signature is implemented as described thus far, then there are a number
of possible attacks.
In order to verify a signature from Alice, Bob gets Alice’s public key. If the attacker, Eve, is able
to replace Alice’s public key with her own public key without Bob noticing this, then she can sign
in Alice’s name. Therefore, it is important that Bob be able to convince himself that he has Alice’s
authentic public key.
Another attack works as follows. Eve chooses an integer s ∈ {0, 1, . . . , n − 1}. Then she claims that
s is an RSA signature of Alice. Bob wants to verify this signature. He computes m = se (mod n and
PA

believes that Alice has signed m. If m is a meaningful text, then Eve was able to fake a signature of
Alice. This is a no-message attack.
 AM
8 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

Example 1.5.4. Alice chooses p = 11, q = 23, e = 3. She obtains n = 253, d = 147. Alice’s public key
is (253, 3). Her private key is 147. Eve wants to withdraw money from Alice’s account. She sends the
signature s = 123 to the cash dispenser. The cash dispenser computes m = 1233 ≡ 52(mod 253).
It believes that Alice wants to withdraw $52, but this is not true. Alice has never signed the $52. She
was the victim of an existential forgery.

TR
Another danger comes from the fact that RSA is multiplicative. If m1 , m2 ∈ {0, 1, ldots, n − 1} and
s1 ≡ md1 (mod n) and s2 ≡ md2 (mod n) are the signatures of m1 and m2 , then
s ≡ s1 s2 ≡ (m1 m2 )d (mod n)
is the signature of m = m1 m2 . From two valid RSA signatures, a third one can be computed. An
attacker can use the multiplicativity of RSA signatures to forge a valid signature for any document.
The attacker proceeds as follows. Let m ∈ {0, 1, . . . , n − 1} be a message. The attacker selects a

, II
message m1 ∈ {0, 1, . . . , n − 1} that is different from m with gcd(m1 , n) = 1. Then he calculates
m2 ≡ mm−1
1 (mod n),

where m−1 1 is the inverse of m1 mod [Link] attacker obtains valid RSA signatures s1 and s2 form1
and m2 . Then he computes the signature s ≡ s1 s2 (mod n) of m. Hence, the RSA signature scheme
as described so far is not secure against chosen message attacks.
I
In the following sections, we explain how the attacks from this section can be prevented
BH
5.2. Signature with redundancy. Two of the attacks of the previous section are impossible if
only integers m ∈ {0, 1, . . . , n − 1} having a binary expansion of the form w ◦ w with w ∈ {0, 1}∗
can be signed, where {0, 1}∗ is the set of all words over {0, 1} including the empty string. Thus, the
binary expansion has two identical halves. The text that is really signed is, of course, w, but the string
w ◦ w is technically signed. When verifying a signature, Bob computes m = se (mod n). He checks
whether the binary expansion of m is of the form w ◦ w. If not, then the signature is rejected.
If only documents of the form w ◦ w are signed, then the existential forgery of the previous section
DA

no longer works . Eve would need to come up with a false signature s ∈ {0, 1, . . . , n − 1} such that
the binary expansion of m ≡ se (mod n) is of the form w ◦ w. It is not known how such an s can
be constructed without the knowledge of the private key . The multiplicativity of RSA can no longer
be used because it is extremely unlikely that m ≡ m1 m2 (mod n) is a binary expansion of the form
w ◦ w if this is true for the two factors.
The function R : {0, 1}∗ → {0, 1}∗ defined by R(w) = w ◦ w, which is used for the generation of
the special structure of the documents that can be signed, is called a redundancy function. Clearly,
other redundancy functions can also be used.
PA

5.3. Signature with hash functions. Thus far, we have explained how documents m that are
integers in {0, 1, . . . , n − 1} are signed. By verifying the signature, Bob also obtains the document
 AM
5. RSA signature scheme 9

that has been signed. If Alice wants to sign an arbitrarily long document x, then she uses a publicly
known collision resistant hash function
h : {0, 1}∗ → {0, 1, . . . , n − 1}.
Since h is collision resistant, h is also a one-way function. In practice, h is constructed using a standard
collision resistant hash function whose values are, for example, 160 bitstrings.

TR
The signature of the document x is
s ≡ h(x)d (mod n).
From this signature, only the hash value h(x) but not the document x can be reconstructed. Therefore,
Bob can only verify the signature of x if he also knows the document x. After Alice computes the
signature s of x, she sends s together with the document x to Bob. Bob computes m ≡ se (mod n) and
compares this number with the hash value of x. Since the hash function is public, Bob can compute
this hash value. If m and x are equal, Bob accepts the signature. Otherwise, he rejects it.

, II
This procedure makes the existential forgery impossible. Suppose that Eve chooses the signature s.
Because she must send a document x together with s to Bob, she must come up with x such that
h(x) ≡ se (mod n). This is exactly what Bob checks when he tries to verify the signature, so x is
an inverse image of m ≡ se (mod n) under h. Because the hash function h is one way, Eve cannot
compute such an x.
The multiplicativity attack can no longer be applied while using hash functions. Let (m1 , s1 ) and
I
(m2 , s2 ) be documents with signatures in an RSA signature scheme with the secret exponent d and
BH
the public exponent e. Then s1 ≡ h(m1 )d (mod n) and s2 ≡ h(m2 )d (mod n). This gives h(m1 ) ≡
se1 (mod n) and h(m2 ) ≡ se2 (mod n). Eve wants to construct a document m with the signature s1 s2 .
But then
h(m) ≡ (s1 s2 )e ≡ se1 se2 ≡ h(m1 )h(m2 )(mod n).
Since h is one way, it is impossible to find m such that h(m) ≡ h(m1 )h(m2 )(mod n).
Finally, Eve cannot replace the document m signed by Alice by another document m′ since the pair
(m, m′ ) is a collision of h and h is collision resistant.
DA

Question 1.5.5. Explain how the use of hash functions in RSA signature scheme prevents multiplica-
tivity attack.
5.4. Signatures from Public-Key Systems. Consider another public-key cryptosystem. For a pair
(e, d) of public key and corresponding private key, let Ee be the encryption function and let Dd be
the decryption function. Suppose that for any such pair (e, d) and any plaintext m, we have

m = E(D(m, d), e). ([Link])

Then a signature scheme can be constructed from this public-key system. The signature of the doc-
PA

ument m is s = D(h(m), d), where h is a publicly known collision resistant hash function. This
signature is verified by computing h(m) = E(s, e). The verification works because of ([Link]). It
 AM
10 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

is also possible to use a redundancy function instead of the hash function. Note that RSA satisfies
([Link]) since for any public RSA key (n, e) with corresponding private key d.

6. El Gamal Digital Signatures

An El Gamal style digital signature scheme was put forward in 1985, and a modified version called

TR
the Digital Signature Algorithm (DSA), which allows shorter signatures, was proposed in 1991 and
officially published as a national Digital Signature Standard (DSS) in 1994. We start with the El Gamal
scheme, which is easier to understand, and then explain how DSA works.
Samantha, or some trusted third party, chooses a large prime p and a primitive root g modulo p.
Samantha next chooses a secret signing exponent a and computes A ≡ g a (mod p). The quantity a,
together with the public parameters p and g, form Samantha’s public verification key. Suppose now
that Samantha wants to sign a digital document D, where D is an integer satisfying 1 < D < p. She

, II
chooses a random element 1 < k < p satisfying gcd(k, p − 1) = 1 and computes the two quantities
S1 ≡ g k (mod p) and S2 ≡ (D − aS1 )k −1 (mod p − 1).
Notice that S2 is computed modulo p−1, not modulo p. Samantha’s digital signature on the document
D is the pair (S1 , S2 ).
Victor verifies the signature by checking that
AS1 S1S2 mod p is equal to g D mod p.
I
Why does El Gamal work? When Victor computes AS1 S1S2 , he is actually computing
BH
−1
AS1 S1S2 ≡ (g a )S1 g kS2 ≡ g aS1 +kS2 ≡ g aS1 +k(D−aS1 )k ≡ g aS1 +(D−aS1 ) ≡ g D (mod p),
so verification returns TRUE for a valid signature.
Notice the significance of choosing S2 modulo p − 1. The quantity S2 appears as an exponent of g,
and we know that g p−1 ≡ 1(mod p), so in the expression g S2 mod p, we may replace S2 by any
quantity that is congruent to S2 modulo p − 1.
DA

Question 1.6.1. Describe El Gamal signature scheme. Also, explain how to verify this signature.

If Eve knows how to solve the discrete logarithm problem, then she can solve g a ≡ A(mod p) for
Samantha’s private signing key a, and thence can forge Samantha’s signature. However, it is not at
all clear that this is the only way to forge an El Gamal signature. Eve’s task is as follows. Given the
values of A and g D , Eve must find integers x and y satisfying
Ax xy ≡ g D (mod p).
The above congruence is a rather curious one, because the variable x appears as both a base and an
exponent. Using discrete logarithms to the base g, we can rewrite it as
PA

x logg (A) + y logg (x) ≡ D(mod p − 1).

 AM
6. El Gamal Digital Signatures 11

If Eve can solve the discrete logarithm problem, she can take an arbitrary value for x, compute logg (A)
and logg (x), and then solve the last equation for y. At present, this is the only known method for
finding a solution to the last equation.

Question 1.6.2. How can a solution to DLP may break the El Gamal signature scheme? Also, explain
some other way to break this signature scheme.

TR
As we know, key generation is the same as for the El Gamal encryption system. Alice generates a large
random prime p and a primitive root g mod p. She also chooses a randomly in the set {1, 2, . . . , p−1}
and computes A ≡ g a (mod p). Her private key is a. Her public key is (p, g, A).

6.1. Signature generation. Alice signs a document x ∈ {0, 1}∗ . She uses the publicly known
collision resistant hash function h : {0, 1}∗ → {1, 2, . . . , p − 1}. Alice chooses a random number
k ∈ {1, 2, . . . , p − 2} which is prime to p − 1. She computes
S1 = g k (mod p),

, II
S2 ≡ k −1 (h(x) − aS1 )(mod p − 1),
where k −1 is the inverse of k modulo p − 1. The signature of x is the pair (S1 , S2 ). Since a hash
function has been used, the verifier cannot recover the document x from the signature. Alice has to
give it to him.
I
6.2. Verification. Bob, the verifier, uses Alice’s public key (p, g, A). As in the RSA signature
scheme, he has to convince himself of the authenticity of this public key. He verifies that 1 ≤ S1 ≤ p−
BH
1. If this condition is not satisfied, then he rejects the signature; otherwise, he checks the congruence
AS1 S1S2 ≡ g h(x) (mod p). ([Link])
He accepts the signature if this congruence holds; otherwise, he rejects it.
We show that the verification works. If S2 is computed as above, then
−1 (h(x)−aS )
AS1 S1S2 ≡ g aS1 g kk 1
≡ g h(x) (mod p)
DA

as asserted. Conversely, if ([Link]) is satisfied for a pair (S1 , S2 ), and if k is the discrete logarithm of
S1 to the base g, then
g aS1 +kS2 ≡ g h(x) (mod p).
Since g is a primitive root mod p, we have aS1 + kS2 ≡ h(x)(mod p − 1). If k and p − 1 are coprime,
then
S1 = g k (mod p), S2 = k −1 (h(x) − aS1 )(mod p − 1).
There is no other way to construct the signature.
PA

Question 1.6.3. Explain the El Gamal signature scheme using hash functions. Also, explain the veri-
fication of this signature.
 AM
12 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

Example 1.6.4. Alice chooses p = 23, g = 7, a = 6 and computes A = g a ≡ 4(mod 23). Her public
key is (p = 23, g = 7, A = 4). Her private key is a = 6. Alice wants to sign the document x, which
has value h(x) = 7. She chooses k = 5 and obtains S1 = 17. The inverse of k mod p − 1 = 22 is
k −1 = 9. Therefore, S2 = k −1 (h(x)−aS1 )(mod (p−1) ≡ 9(7−6·17) ≡ 3(mod 22). The signature
is (17, 3). Bob wants to verify this signature. He computes AS1 S1S2 ≡ 417 · 173 ≡ 5(mod 23). He
also computes g h(x) ≡ 77 ≡ 5(mod 23, so the signature is verified.

TR
Example 1.6.5. For an El Gamal system, the prime p = 71 is chosen with primitive root g = 7. Alice
chooses a = 10 as her private key, so that A = 45 = g a mod p is her public key. Using k = 3 each
time, show that the following triples (m, S1 , S2 ) are valid messages and signatures: (a) (20, 59, 20)
(b) (50, 59, 30) (c) (2, 59, 14). Repeat the above question, but with values p = 1009, g = 11, a = 500,
A = 96 and k = 5: (a) (2, 620, 698), (b) (1000, 620, 696), (c) (591, 620, 211).

6.3. The choice of p. If the attacker, Eve, can compute discrete logarithms mod p, then she can

, II
determine Alice’s secret key and can generate signatures in Alice’s name. This remains the only
known general method of generating El Gamal signatures. Therefore, p must be chosen such that
computing discrete logarithms mod p is infeasible. Given the discrete logarithm algorithms known
today, this means that p should be at least a 768-bit number.

Question 1.6.6. Which type or how large prime p should be chosen for secure El Gamal signature
scheme?
I
BH
6.4. The choice of k. We show that for every new signature a new exponent k must be chosen.
This is guaranteed if k is a random number. Suppose that the signatures S2 and S2′ of the documents
x1 and x2 are generated with the same k. Then the number S1 ≡ g k (mod p) is the same for both
signatures. Therefore
S2 − S2′ ≡ k −1 (h(x1 ) − h(x2 ))(mod p − 1).
From this congruence, k can be determined if h(x1 ) − h(x2 ) is invertible modulo p − 1. From k, x1 ,
S1 , h(x1 ), Alice’s secret key a can be determined since
DA

S2 ≡ k −1 (h(x1 ) − aS1 )(mod p − 1)

⇒ S2 ≡ (k −1 h(x1 ) − k −1 aS1 )(mod p − 1)
⇒ k −1 aS1 ≡ (k −1 h(x1 ) − S2 )(mod p − 1)
⇒ aS1 ≡ (h(x1 ) − kS2 )(mod p − 1)
⇒ a ≡ S1−1 (h(x1 ) − kS2 )(mod p − 1).
Thus we may determine the secret exponent a.
PA

Question 1.6.7. Explain why one should not use the same exponent k for signing more than one
document in the El Gamal signature scheme.
 AM
6. El Gamal Digital Signatures 13

6.5. Existential forgery. If no hash function is used in the El Gamal signature system, then exis-
tential forgery is possible. Without a hash function, the verification congruence is
AS1 S1S2 ≡ g x (mod p).
We show how S1 , S2 , x can be chosen such that this congruence is satisfied. To mount the existential
forgery, Eve chooses two integers u, v with gcd(v, p − 1) = 1. Then she sets

TR
S1 ≡ g u Av (mod p), S2 ≡ −S1 v −1 (mod p − 1), x ≡ S2 u(mod p − 1).
With these values of S1 and S2 , we have
−1 −1
AS1 S1S2 ≡ AS1 S1−S1 v ≡ AS1 (g u Av )−S1 v
−1 −1
≡ AS1 g −uS1 v A−vS1 v [∵ S1 ≡ g u Av (mod p)]
−1
≡ AS1 g −uS1 v A−S1

I ≡ g −uS1 v
≡ g uS2
≡ gx.
−1

, II
[∵ −S1 v −1 ≡ S2 (mod p − 1)]
[∵ uS2 ≡ x(mod p − 1)]
This procedure also works if a collision resistant hash function is used. But since the hash function is
a one-way function, it is impossible for Eve to find a document x such that the signature generated is
the signature of x.
BH
As for the RSA signature scheme, the existential forgery described can also be prevented by using
redundancy in the documents to be signed.
The condition 1 ≤ S1 ≤ p − 1 is also crucial. If it is not required, then it is possible to generate
new signatures from old signatures, as we now explain. Let (S1 , S2 ) be the El Gamal signature of the
document x. Let x′ be another document. To sign x′ , Eve computes
u ≡ h(x′ )h(x)−1 (mod (p − 1)).
DA

Here we assume that h(x) is invertible mod p − 1. Eve also computes

s′ = S2 u(mod (p − 1)
and, using the Chinese remainder theorem, she determines r′ with
r′ ≡ S1 u(mod (p − 1)), r′ ≡ S1 (mod p).
The signature of x′ is (r′ , s′ ). The verification of this signature works because
′ ′
Ar (r′ )s ≡ AS1 u (S1 )S2 u ≡ (g a )S1 u (g k )S2 u ≡ g u(aS1 +kS2 )
PA

′ −1 (aS +kS )
≡ g h(x )h(x) 1 2
[∵ u ≡ h(x′ )h(x)−1 (mod p − 1)]
′
≡ g h(x ) (mod p). [∵ S2 ≡ (h(x) − aS1 )k −1 (mod p − 1)]
 AM
14 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

We also show that r′ ≥ p and therefore the condition 1 ≤ S1 ≤ p − 1 is violated. On the one hand,
we have
1 ≤ S1 ≤ p − 1, S1 ≡ r′ (mod p), ([Link])
and on the other hand
r′ ≡ S1 u ̸≡ S1 (mod p − 1). ([Link])

TR
This follows from u ≡ h(x )h(x) (mod p − 1) and from the fact that h is collision resistant. Now
′ −1

([Link]) implies S1 ̸= r′ and ([Link]) implies r′ ≥ p.

6.6. Efficiency. The generation of an El Gamal signature requires one application of the extended
Euclidean algorithm for the computation of k −1 mod p−1 and one modular exponentiation mod p for
the computation of S1 = g k (mod p). These are possible precomputations. They do not depend on
the document to be signed. However, the result of the precomputation must be securely stored. The

, II
actual signature only requires two modular multiplications . It is extremely fast. The verification of
an El Gamal signature requires three modular exponentiations. This is considerably more expensive
than an RSA signature verification. The verification can be sped up by using the congruence. The
exponentiation on the left-hand side can be carried out simultaneously. The verification requires at
most 5 + t multiplications and t − 1 squarings mod p , where t is the binary length of p. This is only
slightly more expensive than one modular exponentiation.
I
Exercise 1.6.8.
BH
(i) Compute the RSA signature (without hash function) of m = 11111 with the RSA modulus
n = 28829 and the smallest possible public exponent e.
(ii) Let p = 131. Compute a valid private key a and public key (p, g, A) for the El Gamal
signature system.
(iii) Let p = 2237 and g = 2. Assume that Alice’s secret key is a = 1234. Let h(x) = 111
be the hash value of the document x. Compute the El Gamal signature with k = 2323 and
verify this signature.
(iv) What is the verification congruence if in the El Gamal signature scheme s is computed as
DA

s = (ar + kh(x)) mod p?

(v) Is the low exponent or the common modulus attack on RSA a problem for RSA signatures?
Example 1.6.9. There are many variations to the El Gamal digital signature scheme that can be ob-
tained by altering the signing equation S2 ≡ k −1 (m − aS1 )(mod p − 1). Here are some variations.
(i) Consider the signing equation S2 ≡ a−1 (m − kS1 )(mod p − 1). Show that the verification
g m ≡ (A)S2 S1S1 (mod p) is a valid verification procedure.
We have
PA

−1 (m−kS )
AS2 S1S1 ≡ (g a )a 1
(g k )S1 [∵ S2 ≡ a−1 (m − kS1 )(mod p − 1) and S1 ≡ g k (mod p)]
≡ g m−kS1 g kS1
 AM
7. The Digital Signature Algorithm (DSA) 15

≡ g m (mod p).
(ii) Consider the signing equation S2 ≡ am + kS1 (mod p − 1). Show that the verification
g S2 ≡ Am S1S1 (mod p) is a valid verification procedure. Observe that
Am S1S1 ≡ (g a )m (g k )S1

TR
≡ g am+kS1
≡ g S2 (mod p). [∵ S2 ≡ am + kS1 (mod p − 1)]
(iii) Consider the signing equation S2 ≡ aS1 + km(mod p − 1). Show that the verification
g S2 ≡ AS1 S1m (mod p) is a valid verification procedure.
Note that
AS1 S1m ≡ (g a )S1 (g k )m
≡ g aS1 +km

, II
≡ g S2 (mod p). [∵ S2 ≡ aS1 + km(mod p − 1)]

Example 1.6.10. Consider the following variant of the El Gamal Signature Scheme: Alice chooses
a large prime p, a primitive root g, and a secret integer a. She computes A ≡ g a (mod p). The
numbers p, A, g are made public and a is kept secret. If m < p − 1, Alice signs m as follows:
I
She chooses a random integer k and computes S1 ≡ g k (mod p), with 0 < r < p − 1, and S1 ≡
am − kS1 (mod p − 1). The signed message is (m, S1 , S2 ). Bob verifies the signature by checking
BH
that g S2 S1S1 ≡ g m (mod p). If m ≥ p − 1, she breaks m into blocks and signs each block. Show that
if Alice signs correctly then the verification congruence is satisfied.

7. The Digital Signature Algorithm (DSA)

The Digital Signature Algorithm (DSA) has been suggested and standardized by the National Institute
of Standards and Technology (NIST) of the U.S. It is an efficient variant of the El Gamal signature
scheme. The number of modular exponentiations in the verification is reduced from three to two
DA

and, more importantly, the number of digits in the exponents is 160 while in the El Gamal signature
scheme the exponents have as many bits as the prime p (i.e., at least 768 bits) .

7.1. Key generation. Alice chooses a prime number q with 2159 < q < 2160 . Hence, q has binary
length 160. Alice chooses a large prime p with the following properties:
(i) 2511+64t < p < 2512+64t for some t ∈ {0, 1, . . . , 8},
(ii) the prime number q, which was chosen first, divides p − 1.
The binary length of p is between 512 and 1024 and is a multiple of 64. Therefore, the binary
PA

expansion of p is a sequence of 8 to 16 bitstrings of length 64. The condition q|(p − 1) implies that
the group Z∗p contains elements of order q.
 AM
16 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

Next, Alice chooses a primitive root h mod p and computes

g = h(p−1)/q (mod p).
Then g has order q in Z∗p , it means that g q ≡ 1(mod p) and g s ̸= 1(mod p) if 1 ≤ s ≤ q − 1. Finally,
Alice chooses a random number a in the set {1, 2, . . . , q − 1} and computes

TR
A = g a (mod p).
Alice’s public key is (p, q, g, A). Her private key is a. Computing the secret key a from A requires
the solution of a discrete logarithm problem.

7.2. Signature generation. Alice wants to sign the document x. She uses the publicly known
collision resistant hash function h : {0, 1}∗ → {1, 2, . . . , q − 1}. She chooses a random number
k ∈ {1, 2, . . . , q − 1}, computes

, II
r = (g k mod p)mod q, ([Link])
and sets
s = k −1 (h(x) + ar)mod q. ([Link])
Here, k −1 is the inverse of k modulo q. The signature is (r, s).

7.3. Verification. Bob wants to verify the signature (r, s) of the document x. He gets Alice’s
I
authentic public key (p, q, g, A) and the public hash function. Then he verifies that
1 ≤ r ≤ q − 1 and 1 ≤ s ≤ q − 1.
BH
If this condition is violated, then Bob rejects the signature. Otherwise, Bob verifies that
−1 h(x)mod −1 mod
r = ((g s q
Ars q
)mod p)mod q.
If the signature is constructed as above, then the last equation holds. In fact , the construction implies
−1 h(x)mod −1 mod −1 (h(x)+ra)
gs q
Ars q
≡ gs ≡ g k (mod p).
DA

OR
Bob computes x ≡ s−1 m(mod q), y ≡ s−1 r(mod q), v ≡ (g x Ay (mod p))(mod q). If v = r, then
he accepts the signature.
Why it works? From the definition of s: m ≡ (−ar + ks)(mod q). Multiplying through by s−1 pro-
duces s−1 m ≡ (−ars−1 +k)(mod q). This last equation can be written k ≡ s−1 m+ars−1 (mod q) ≡
x + Ay(mod q). Then
r ≡ (g k (mod p))(mod q)
≡ (g x+ay (mod p))(mod q)
PA

≡ (g x (g a )y (mod p))(mod q)
≡ (g x Ay (mod p))(mod q)
 AM
7. The Digital Signature Algorithm (DSA) 17

≡ v(mod q).

Example 1.7.1.
(i) Suppose p = 1031 and q = 103. The smallest primitive root of p is h = 14, from which
g ≡ a(p−1)/q ≡ 320(mod p). Choose a = 70 so A ≡ g a ≡ 48(mod p). Suppose the
message is m = 500, and k = 25 is chosen at random. Then

TR
r ≡ (g k (mod p))(mod q) ≡ (32025 (mod 1031))(mod 103) ≡ 198 ≡ 95(mod 103),

s ≡ k −1 (m + ar)(mod q) ≡ 25−1 (500 + 70(95)) ≡ 80(mod 103).

So the triple (500, 95, 80) is sent to Bob.

, II
Bob now computes

x ≡ s−1 m(mod q) ≡ 80−1 500 ≡ 32(mod103),

y ≡ s−1 r(mod q) ≡ 80−1 95 ≡ 72(mod 103),

I
and
BH
v ≡ (g x Ay (mod p))(mod q) ≡ (32032 4872 (mod 1031))(mod 103) ≡ 198(mod 103) ≡ 95(mod 103).

Since v = r, he accepts the signature

(ii) Suppose the DSA is to be applied with the same parameters as in the example above. Sign
the message m = 1000.
(iii) Using the values of r and s from the previous question, verify the signature.
(iv) Using the same parameters, verify the following messages and signatures: (a) (2, 95, 23), (b)
DA

(750, 95, 90), (c) (591, 95, 96).

(v) Let p = 11, q = 5, g = 3, and k = 3. Show that (g k (mod p))(mod q) ̸= (g k (mod q))(mod p).
This shows that the order of operations in the DSA is important.

7.4. Efficiency. The DSA is very similar to the El Gamal signature scheme. As in the El Gamal
scheme, precomputation makes the signature generation much faster. DSA verification is more ef-
ficient than El Gamal verification. On the one hand, only two exponentiations mod p are required,
whereas El Gamal verification requires two exponentiations mod p. But this is not that important be-
cause El Gamal verification can be hastened if simultaneous exponentiation is used. More important
PA

is the fact that the exponents in DSA are 160-bit numbers, whereas El Gamal exponents are as large
as p (i.e., at least 768-bit numbers). This saves more than 700 squarings and multiplications mod p.
 AM
18 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

8. Rabin Encryption
It is considered advantageous if the security of a cryptosystem is based on the difficulty of a math-
ematical problem that is also of interest outside of cryptography. The security of the RSA system,
for example, is related to the difficulty of factoring integers. It is, however, not known if RSA is as
difficult as factoring integers (i.e., if being able to break RSA implies the ability of factoring integers).

TR
The security of the Rabin system, which is explained in this section, is also based on the difficulty
of factoring integers. But in contrast to RSA, it can be shown that anyone who can break the Rabin
system efficiently can also efficiently factor integers.

8.1. Key generation. Alice chooses randomly two large prime numbers p and q with p ≡ q ≡
3(mod 4). But the Rabin system also works without it. Alice computes n = pq . Her public key is n.
Her private key is the pair (p, q).

I , II
8.2. Encryption. As in the RSA system, the plaintext space is the set {0, 1, . . . , n−1}. To encrypt
the plaintext m ∈ {0, 1, . . . , n − 1}, Bob uses the public key n of Alice and computes

c ≡ m2 (mod n).

The ciphertext is c. Like RSA, the Rabin system can be used to implement a kind of block cipher.

8.3. Decryption. Alice computes the plaintext m from the ciphertext c by extracting square roots.
BH
She proceeds as follows. She computes

mp ≡ c(p+1)/4 (mod p), mq = c(q+1)/4 (mod q).

Then ±mp are the two square roots of c modulo p, and ±mq are the two square roots of c modulo
p. This method of computing the square roots of c mod p and q only works because p and q are
both congruent to 3 mod 4. If this is not true, then computing those square roots is more difficult,
DA

although still possible in polynomial time. Now Alice can compute the four square roots of c modulo
n using the Chinese remainder theorem. This is analogous to the RSA decryption using the Chinese
remainder theorem. Using the extended Euclidean algorithm, Alice determines coefficients yp , yq ∈ Z
with
yp p + yq q = 1.
Then she computes

r = (yp pmq + yq qmp )(mod n), s = (yp pmq − yq qmp )(mod n).
PA

Then ±r, ±s are the four square roots of c mod n in the set {0, 1, . . . , n − 1}. One of those square
roots must be the original message m.
 AM
8. Rabin Encryption 19

Example 1.8.1. Alice uses the prime numbers p = 11 and q = 23. Then n = 253. Bob encrypts the
message m = 158. He computes c ≡ m2 (mod 170). Alice determines yp = −2 and yq = 1. She
obtains the square roots
mp ≡ c(p+1)/4 ≡ c3 ≡ 4(mod p), mq ≡ c(q+1)/4 ≡ c6 ≡ 3(mod q).
She determines

TR
r ≡ (yp pmq + yq qmp ) ≡ (−2) · 11 · 3 + 23 · 4 ≡ 26(mod n),
and
s ≡ (yp pmq − yq qmp ) ≡ (−2) · 11 · 3 − 23 · 4 ≡ 95(mod n).
The square roots of 170 mod 253 in {1, 2, . . . , 252} are 26, 95, 158, 227. One of those square roots
is the original plaintext.
Example 1.8.2. Suppose Alice chooses p = 31, q = 67, so that n = pq = 2077 (note that both primes

, II
are equal to 3 mod 4). She then makes the product 2077 available as her public key. Then to encrypt a
message block m = 1897, Bob computes c ≡ 18972 ≡ 1245(mod 2077) and sends it to Alice. Now,
Alice does the following computations. 67 = 2(31)+5, 31 = 6(5)+1, so, 1 = 31−6·5 = 31−6(67−
2 · 31) = 13 · 31 + (−6)67 and yp = 13, yq = −6. Also, mp ≡ c(p+1)/4 ≡ 1245(31+1)/4 ≡ 12458 ≡
58 ≡ 25(mod 31) and mq ≡ c(q+1)/4 ≡ 124517 ≡ 3917 ≡ 21(mod 67). Now, she computes
r ≡ (yp pmq + yq qmp ) ≡ (13)(31)(21) + (−6)(67)(25) ≡ 8463 − 10050 ≡ 490(mod 2077) and
I
s ≡ (yp pmq − yq qmp ) ≡ (13)(31)(21) − (−6)(67)(25) ≡ 8463 + 10050 ≡ 1897(mod 2077).
BH
−s ≡ 180(mod 2077), −r ≡ 1587(mod 2077). Thus the possible decryptions are 490, 1587, 1897
and 180.
Exercises 1.8.3.
(i) Your private key for a Rabin cryptosystem is the pair of primes 11 and 19, and your public
key is their product n = 187. (a) Find the encrypted values of the messages 123 and 97. (b)
Now follow through the decryption of the results.
(ii) Repeat the above question for the primes 31 and 43, and the messages 750 and 1000.
DA

(iii) Let n = 713 be a Rabin modulus and let c = 289 be a ciphertext that is obtained by Rabin
encryption using this modulus. Determine all possible plaintexts.
There are various methods of choosing the original plaintext from the four square roots of c mod
n. Alice can choose the message that looks most meaningful, but this might not always work; for
example, if an encryption key for a symmetric system is the encrypted message. It is also possible
to encrypt only messages of a special form. For example, messages are only encrypted if the first
and the last 64 bits are equal. Then it is very unlikely that more than one of the square roots of
the ciphertext has this form, so Alice can choose this particular plaintext. If this method is chosen
PA

for making the plaintext recoverable, however, the proof of the equivalence between factoring and
breaking the Rabin system no longer works.
 AM
20 1. DIGITAL SIGNATURES AND HASH FUNCTIONS

8.4. Efficiency. In the Rabin system, encryption only requires one squaring, so Rabin encryption
is more efficient than RSA encryption, even with the smallest possible RSA encryption exponent 3.
Decryption in the Rabin system is as expensive as RSA decryption with the Chinese remainder theo-
rem. It requires one exponentiation mod p, one mod q, and one application of the Chinese remainder
theorem.

TR
8.5. Security against ciphertext-only attacks. We show that breaking the Rabin system with a
ciphertext-only attack is as difficult as factoring the Rabin modulus. Clearly, everyone who can factor
the Rabin modulus can also break the Rabin system. The converse is also true.

9. Rabin digital signatures

The Rabin signature scheme starts with similar parameters as in the RSA scheme: two primes p
and q, and their product n = pq. Like the RSA scheme, the Rabin scheme is encryption “worked

, II
backwards.”
Signing the message. Alice computes a square root s of the message m (recall that this is easiest if
both p and q are congruent to 3 mod 4): s2 = m(mod n) and sends the pair (m, s) to Bob.
Verifying the signature. Bob receives the pair (m, s). He squares s to compute m′ = s2 (mod n)
and then compares m with m′ . If they are equal, he accepts the signature.
Bob may be sure that the message is indeed from Alice, as a square root of n is computationally
I
infeasible to compute unless the factorization n = pq is known. But the factorization is Alice’s private
key.
BH
As with the RSA scheme, the signature s is the same size as the message. This size can be reduced by
signing a hash of the message, and if necessary using smaller parameters.
Remark 1.9.1. The Rabin signature is applied to only those documents m which has a square root
modulo n = pq. Not all integer have square root modulo n = pq.
Example 1.9.2. Alice chooses primes p = 859 and q = 947 (both of which are congruent to 3 mod 4),
and so n = pq = 813473 is her public key. Given the message m = 500001 she computes a square
DA

root by the following steps.

(i) Using the extended Euclidean algorithm she finds x and y such that xp + yq = 1. These
values are x = −226 and y = 205.
(ii) She then computes mp = m(p+1)/4 (mod p) ≡ 500001215 ≡ 731(mod 859), mq ≡ m(q+1)/4 ≡
500001237 ≡ 224(mod 947).
(iii) Then a square root is given by s = xpmq + yqmp ≡ 809909(mod n).
Bob verifies this by computing s2 ≡ 8099092 ≡ 500001(mod 813473).
Example 1.9.3. Compute the Rabin signature (without hash function) of m = 11111 with the Rabin
PA

modulus n = 28829.