
CHAPTER 1

AN INTRODUCTION

1.1 AN INTRODUCTION TO CRYPTOGRAPHY AND DIGITAL SIGNATURES


The fundamental objective of cryptography is information security. Simply put, it is to ensure the following:

Confidentiality is used to keep the content of information secret from unauthorized persons. This is achieved through symmetric and asymmetric encryption.
Data integrity addresses the unauthorized alteration of data. This is addressed by hash functions.
Authentication is related to identification. This function applies to both entities and information itself. This is achieved through digital signature certificates and digital signatures.
Non-repudiation prevents someone from denying previous commitments or actions. This is achieved through digital signature certificates and digital signatures.

The concept of securing messages through cryptography has a long history. Indeed, Julius Caesar is credited with creating one of the earliest cryptographic systems to send military messages to his generals. Throughout history, however, there has been one central problem limiting widespread use of cryptography. That problem is key management.

In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information. Consequently, the term key management refers to the secure administration of keys to provide them to users where and when they are required.

Historically, encryption systems used what is known as symmetric cryptography. Symmetric cryptography uses the same key for both encryption and decryption. Using symmetric cryptography, it is safe to send encrypted messages without fear of interception (because an interceptor is unlikely to be able to decipher the message); however, there always remains the difficult problem of how to securely transfer the key to the recipients of a message so that they can decrypt the message.

A major advance in cryptography occurred with the invention of public-key cryptography. The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. With public-key cryptography, keys come in pairs of matched public and private keys. The public portion of the key pair can be distributed in a public manner without compromising the private portion, which must be kept secret by its owner. An operation (for example, encryption) done with the public key can only be undone with the corresponding private key.

Prior to the invention of public-key cryptography, it was essentially impossible to provide key management for large-scale networks. With symmetric cryptography, as the number of users increases on a network, the number of keys required to provide secure communications among those users increases rapidly. For example, a network of 100 users would require almost 5000 keys if it used only symmetric cryptography. Doubling such a network to 200 users increases the number of keys to almost 20,000. Thus, using only symmetric cryptography, key management quickly becomes unwieldy even for relatively small-scale networks.

The invention of public-key cryptography was of central importance to the field of cryptography and provided answers to many key management problems for large-scale networks. For all its benefits, however, public-key cryptography did not provide a comprehensive solution to the key management problem. Indeed, the possibilities brought forth by public-key cryptography heightened the need for sophisticated key management systems to answer questions such as the following:

"How can I easily encrypt a file once for a number of different people using public-key cryptography?"
"If I lose my keys, how can I decrypt all of my files that were encrypted with those keys?"
"How do I know that I really have Alice's public key and not the public key of someone pretending to be Alice?" (Or any Mr. X for that matter!)
"How can I know that a public key is still trustworthy?"

These are some of the issues that have led us to a full discussion of Digital Signatures in this project. Now, to understand what a digital signature is and how cryptography is used to secure electronic communications, let's look at a process we are all familiar with: writing and sending a check.

SECURING THE ELECTRONIC VERSION
The simplest electronic version of the check can be a text file, created with a word processor, asking our bank to pay someone a specific sum. However, sending this check over an electronic network poses several security problems:

Since anyone could intercept and read the file, we need confidentiality.
Since someone else could create a similar counterfeit file, the bank needs to authenticate that it was actually we who created the file.
Since we could deny creating the file, the bank needs non-repudiation.
Since someone could alter the file, both we and the bank need data integrity.

To overcome these issues, modern cryptography (i.e. Digital Signatures) performs a number of steps hidden behind a simple user interface. The first step is to sign the check with a digital signature.

DIGITAL SIGNATURE
The process of digitally signing starts by taking a mathematical summary (called a hash code) of the check. This hash code is a uniquely-identifying digital fingerprint of the check. If even a single bit of the check changes, the hash code will dramatically change. The next step in creating a digital signature is to sign the hash code with our private key. This signed hash code is then appended to the check.

How is this a signature? Well, the recipient of our check can verify the hash code sent by us, using our public key. At the same time, a new hash code can be created from the received check and compared with the original signed hash code. If the hash codes match, then the recipient has verified that the check has not been altered. The recipient also knows that only we could have sent the check because only we have the private key that signed the original hash code.

CONFIDENTIALITY AND ENCRYPTION
Once the electronic check is digitally signed, it can be encrypted using a high-speed mathematical transformation with a key that will be used later to decrypt the document. This is often referred to as a symmetric key system because the same key is used at both ends of the process. As the check is sent over the network, it is unreadable without the key. The next challenge is to securely deliver the symmetric key to the bank.

PUBLIC-KEY CRYPTOGRAPHY FOR DELIVERING SYMMETRIC KEYS
Public-key encryption is used to solve the problem of delivering the symmetric encryption key to the bank in a secure manner. To do so, we would encrypt the symmetric key using the bank's public key. Since only the bank has the corresponding private key, only the bank will be able to recover the symmetric key and decrypt the check.

Why use this combination of public-key and symmetric cryptography? The reason is simple. Public-key cryptography is relatively slow and is only suitable for encrypting small amounts of information such as symmetric keys. Symmetric cryptography is much faster and is suitable for encrypting large amounts of information. The following illustration describes what is usually done behind the scenes to deliver the secure electronic messages.

Fig 1.1 Demonstration of Digital Signature Process

Here, in this project, we will discuss at length digital signatures and the various techniques used, and then we will do a comparative analysis of two widely used standards, one of them relatively new, and provide an improved model for the same. This project will also lay a platform for future work on the same. We will also provide an interesting but easy way to implement the existing ECC digital signatures. During the course of the project, we implemented the RSA and elliptic curve digital signature algorithms and compared their experimental running times in an effort to gauge the experimental time efficiency of each. In addition to that, we have tried to propose a new standard, a mathematical technique which can be used for efficient implementation of the present techniques and, indeed, may be presented as a completely new technique with some more work. However, we will present our idea after the full discussion of what we have done.

Digital signatures are used in message transmission to verify the identity of the sender of the message and to ensure that the message has not been modified after signing. They are essential for verifying the authenticity of a message. The application of digital signatures is widespread in digital computing, taking the place of an ordinary hand-written signature. Because digital signatures are akin to hand-written signatures, they are used in many of the applications of signatures on the Internet (e.g. e-voting, online banking, online college applications, etc.). The importance of digital signatures in digital communications merits the research into relatively new cryptosystems such as elliptic curve cryptography (ECC), especially as the need for more efficient algorithms grows with the growing number of memory-limited mobile electronic devices. The increasing key sizes needed by RSA for security against brute force attacks by powerful computers or distributed computing also make ECC more appealing, with its smaller secure key sizes [8].

After implementing and running ECC and RSA digital signatures with various key sizes on several test cases, we concluded that the results are mostly consistent with current academic knowledge comparing the two systems. RSA key generation is quite costly in terms of time, both cryptographic schemes are comparable (up to 7680 bit RSA signing) for message signing, and RSA scales better than ECC in signature verification.

1.2 PRELIMINARY BACKGROUND


Public key cryptography is used in digital signatures to verify the identity of the sender of a message and the contents of the message. This must be done in such a way that the private key of the sender remains secret and an unknown adversary is not able to forge the signature. Given a public key cryptosystem in which it is reasonably hard to obtain a user's private key, and in which public key exchange can take place with a high level of confidence of user identity, digital signatures can be created and used in the following manner. Alice wants to send a message to Bob, and Bob wants to ensure Alice is the actual sender of the message and that the message's contents have not been modified in transit.

1. Alice can generate a private key and public key and send her public key to Bob.
2. Alice then creates a hash of the message she wishes to send to Bob. She then encrypts this hash using her private key. She appends this signature to the message she sends to Bob.
3. Bob can then verify that Alice sent the message by decrypting the signature using Alice's public key. The result of the decryption will be the hash of the message Alice originally sent. Bob can then hash the message in the same way Alice did and compare the two hashes.

Using this method, Bob can prove whether Alice sent the message or not because only Alice's private key could encrypt the signature. He can also prove that the message is the original unmodified message Alice sent, for as long as hashing is relatively unique, any changes in the message would change the message hash (also called the message digest).

The underlying public key system used to generate digital signatures can make a considerable difference in the performance of the digital signature process. The two public key cryptosystems we compare in this paper are RSA and ECDSA. But before we move to them, it is imperative that we understand the mathematics behind them. Keeping this in mind, we present the required mathematical background for understanding this work in the next chapter.

1.3. VARIOUS TECHNIQUES OF DIGITAL SIGNATURES


Here, we give a very brief introduction of various techniques used for implementing Digital Signatures. A digital signature or digital signature scheme, as we now know, is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery and tampering. A digital signature scheme typically consists of three algorithms:

A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
A signing algorithm that, given a message and a private key, produces a signature.
A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.

Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.

The first widely marketed software package to offer digital signature was Lotus Notes 1.0, released in 1989, which used the RSA algorithm. To create RSA signature keys, we generate an RSA key pair containing a modulus $N$ that is the product of two large primes, along with integers $e$ and $d$ such that $e d \equiv 1 \pmod{\varphi(N)}$, where $\varphi$ is the Euler phi-function. The signer's public key consists of $N$ and $e$, and the signer's secret key contains $d$.

Fig 1.2 Signing and Verification

1.3.1 RSA KEY PAIR EXAMPLE



To sign a message $m$, the signer computes $m^d \pmod{N}$. To verify, the receiver checks that the signature raised to the power $e$ is congruent to $m \pmod{N}$. But as we noted, this system is not so secure. To prevent attacks, one can first apply a cryptographic hash function to the message $m$ and then apply the RSA algorithm described above to the result. This approach can be proven secure in the so-called random oracle model.

Other digital signature schemes were soon developed after RSA, the earliest being Lamport signatures, Merkle signatures (also known as "Merkle trees" or simply "Hash trees"), and Rabin signatures (all described later in the report). In 1988, Shafi Goldwasser, Silvio Micali, and Ronald Rivest became the first to rigorously define the security requirements of digital signature schemes. They described a hierarchy of attack models for signature schemes, and also presented the GMR signature scheme, the first that can be proven to prevent even an existential forgery against a chosen message attack.

Most early signature schemes were of a similar type: they involve the use of a trapdoor permutation, such as the RSA function, or in the case of the Rabin signature scheme, computing squares modulo a composite n. A trapdoor permutation family is a family of permutations, specified by a parameter, that is easy to compute in the forward direction, but is difficult to compute in the reverse direction without already knowing the private key. However, for every parameter there is a "trapdoor" (private key) which, when known, easily decrypts the message. Trapdoor permutations can be viewed as public-key encryption systems, where the parameter is the public key and the trapdoor is the secret key, and where encrypting corresponds to computing the forward direction of the permutation, while decrypting corresponds to the reverse direction. Trapdoor permutations can also be viewed as digital signature schemes, where computing the reverse direction with the secret key is thought of as signing, and computing the forward direction is done to verify signatures. Because of this correspondence, digital signatures are often described as based on public-key cryptosystems, where signing is equivalent to decryption and verification is equivalent to encryption, but this is not the only way digital signatures are computed.

Used directly, this type of signature scheme is vulnerable to a key-only existential forgery attack. To create a forgery, the attacker picks a random signature and uses the verification procedure to determine the message m corresponding to that signature. In practice, however, this type of signature is not used directly, but rather, the message to be signed is first hashed to produce a short digest that is then signed. This forgery attack, then, only produces the hash function output that corresponds to the chosen signature, but not a message that leads to that value, which does not lead to an attack. In the random oracle model, this hash-and-decrypt form of signature is existentially unforgeable, even against a chosen-message attack. There are several reasons to sign such a hash (or message digest) instead of the whole document.

For efficiency: The signature will be much shorter and thus save time since hashing is generally much faster than signing in practice.
For compatibility: Messages are typically bit strings, but some signature schemes operate on other domains (such as, in the case of RSA, numbers modulo a composite number N). A hash function can be used to convert an arbitrary input into the proper format.
For integrity: Without the hash function, the text "to be signed" may have to be split (separated) in blocks small enough for the signature scheme to act on them directly. However, the receiver of the signed blocks is not able to recognize if all the blocks are present and in the appropriate order.
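The raw RSA signature, the key-only existential forgery and the hash-then-sign fix described above can be put side by side in a short program. This is an added example, not code from the original report; the toy primes, the function names and the use of SHA-256 reduced modulo N are assumptions made for illustration, and no padding scheme is applied.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes. Constructed for this
# example only: far too small for real use, and no padding scheme is applied.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: e*d = 1 (mod phi(N))


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, mapped into the RSA domain (integers mod N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


# Raw ("textbook") RSA: the message itself is the integer that gets signed.
def raw_sign(m: int) -> int:
    return pow(m, D, N)


def raw_verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m % N


# Hash-then-sign: only the digest goes through the RSA function.
def hashed_sign(message: bytes) -> int:
    return pow(digest_int(message), D, N)


def hashed_verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest_int(message)


def key_only_forgery(chosen_sig: int):
    """Key-only existential forgery on raw RSA, as described in the text.

    Uses only the public key: pick a signature value, run the verification
    map forward, and take whatever integer comes out as the "message".
    """
    return pow(chosen_sig, E, N), chosen_sig


def demo() -> dict:
    check = b"Pay Bob 100 (constructed sample message)"
    sig = hashed_sign(check)
    forged_m, forged_sig = key_only_forgery(0x1234567890ABCDEF)
    return {
        "honest_signature_verifies": hashed_verify(check, sig),
        "tampered_message_rejected": not hashed_verify(check + b"0", sig),
        # Raw RSA accepts the pair even though the private key was never used.
        "raw_forgery_accepted": raw_verify(forged_m, forged_sig),
        # With hashing, forged_m is only a digest value; the forger has no
        # message that hashes to it, so any message they present is rejected.
        "forgery_rejected_when_hashed": not hashed_verify(
            forged_m.to_bytes(32, "big"), forged_sig
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
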


1.3.2 USES OF DIGITAL SIGNATURES


As organizations move away from paper documents with ink signatures or authenticity stamps, digital signatures can provide added assurances of the evidence to provenance, identity, and status of an electronic document as well as acknowledging informed consent and approval by a signatory. The United States Government Printing Office (GPO) publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures. Universities including Penn State, University of Chicago, and Stanford are publishing electronic student transcripts with digital signatures. Below are some common reasons for applying a digital signature to communications:

AUTHENTICATION
Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.

INTEGRITY
In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature will invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions.

NON-REPUDIATION
Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature. This is in contrast to symmetric systems, where both sender and receiver share the same secret key, and thus in a dispute a third party cannot determine which entity was the true source of the information.


1.3.3 PRESENT SIGNATURE SCHEMES


1.3.3.1 ELGAMAL SIGNATURE SCHEME
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher ElGamal in 1984. The ElGamal signature algorithm described in this article is rarely used in practice. A variant developed at NSA and known as the Digital Signature Algorithm is much more widely used. There are several other variants. The ElGamal signature scheme must not be confused with ElGamal encryption, which was also invented by Taher ElGamal. The ElGamal signature scheme allows a verifier to confirm the authenticity of a message m sent to him by the signer over an insecure channel.


Fig 1.3 Setup of Signatures


1.3.3.2 SCHNORR SIGNATURE


In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm. Its security is based on the intractability of certain discrete logarithm problems. It is considered the simplest digital signature scheme to be provably secure in a random oracle model. It is efficient and generates short signatures. It is covered by U.S. Patent 4,995,082, which expired in February 2008.

1.3.3.3 PROXY SIGNATURES


A proxy signature is a signature scheme in which an original signer delegates his/her signing capability to a proxy signer, and then the proxy signer creates a signature on behalf of the original signer. When a receiver verifies a proxy signature, he verifies the signature itself and the original signer's delegation together. The basic methodology of proxy signature is that the original signer creates a signature on delegation information (ID of the proxy signer, or any warrant information) and gives it secretly to the proxy signer, and then the proxy signer uses it as a proxy private key or uses it to generate a proxy private key. Because the proxy key pair is generated from the original signer's signature on delegation information, any verifier can check the original signer's agreement from a proxy signature.

Mambo et al. [13] first introduced the concept of proxy signature. They classified proxy signatures based on delegation type as full delegation, partial delegation, and delegation by warrant. Partial delegation is further classified as proxy-unprotected and proxy-protected according to protection of the proxy signer. They gave various constructions of proxy signature schemes and their security analysis. Kim et al. [14] extended them by using Schnorr signature and including warrant information in partial delegation schemes. Petersen and Horster [14] proposed to use weak blind signature to get a proxy-protected proxy signature scheme. Some security requirements of proxy signatures can be listed as follows [14].

(i) Strong unforgeability: A designated signer, called proxy signer, can create a valid proxy signature for the original signer. But the original signer and third parties who are not designated as a proxy signer cannot create a valid proxy signature.
(ii) Verifiability: From a proxy signature a verifier can be convinced of the original signer's agreement on the signed message either by a self-authenticating form or by an interactive form.
(iii) Strong identifiability: Anyone can determine the identity of the corresponding proxy signer from a proxy signature.
(iv) Strong undeniability: Once a proxy signer creates a valid proxy signature for an original signer, the proxy signer cannot repudiate his signature creation against anyone.

1.3.3.4 BLS
In cryptography, the Boneh-Lynn-Shacham signature scheme allows a user to verify that a signer is authentic. The scheme uses a pairing function for verification and signatures are group elements in some elliptic curve. Working in an elliptic curve provides defense against index calculus attacks, allowing shorter signatures than FDH signatures. Signatures are often referred to as short signatures, BLS short signatures, or simply BLS signatures. The signature scheme is provably secure (that is, the scheme is existentially unforgeable under adaptive chosen-message attacks) assuming both the existence of random oracles and the intractability of the computational Diffie-Hellman problem.

1.3.3.4 UNDENIABLE SIGNATURE


Undeniable signatures are a form of digital signature invented by David Chaum and Hans van Antwerpen in 1989. They have two distinctive features:

1. The verification process is interactive, so that the signatory can limit who can verify the signature.
2. A disavowal protocol, which is a cryptographic protocol that allows them to determine whether a given signature is a forgery.

The first means that a signatory can allow only others who are authorized to access the document to verify their signature. If the document were to be leaked to a third party, the third party would be unable to verify that the signature is genuine. This is a designated verifier signature. However, because of this property it means that the signatory may deny a signature which was valid. To prevent this, there is the second property, a method to prove that a given signature is a forgery.

1.3.3.5 DIGITAL SIGNATURE STANDARD


The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in 1996. In 2000, an expanded version of the standard was issued as FIPS 186-2. This latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography. In this section, we discuss the original DSS algorithm.

1.3.3.5.1 THE DSS APPROACH


The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The following contrasts the DSS approach for generating digital signatures to that used with RSA.

In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length. This hash code is then encrypted using the sender's private key to form the signature. Both the message and the signature are then transmitted. The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender's public key. If the calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only the sender knows the private key, only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUG). The result is a signature consisting of two components, labeled s and r.


Fig 1.4 DSS Approach

Fig 1.5 DSS Signing and Verifying


1.3.3.6 ELLIPTIC CURVE DSA


The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. As with elliptic curve cryptography in general, the bit size of the public key believed to be needed for ECDSA is about twice the size of the security level, in bits. By comparison, at a security level of 80 bits, meaning an attacker requires the equivalent of about $2^{80}$ signature generations to find the private key, the size of a DSA public key is at least 1024 bits, whereas the size of an ECDSA public key would be 160 bits. On the other hand, the signature size is the same for both DSA and ECDSA: 4t bits, where t is the security level measured in bits, that is, about 320 bits for a security level of 80 bits.

1.3.3.7 RABIN SIGNATURE ALGORITHM


Rabin Signature Scheme is a method of Digital signature originally proposed by Michael O. Rabin in 1979. The Rabin Signature Scheme was one of the first digital signature schemes proposed, and it was the first to relate the hardness of forgery directly to the problem of integer factorization. Because of its simplicity and prominent role in early public key cryptography, the Rabin Signature Scheme is covered in most introductory courses on cryptography. The Rabin Signature Scheme is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin Signature Scheme is also closely related to the Rabin cryptosystem.

1.3.3.8 GROUP SIGNATURE


A Group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group. The concept was first introduced by David Chaum and Eugene van Heyst in 1991. For example, a group signature scheme could be used by an employee of a large company where it is sufficient for a verifier to know a message was signed by an employee, but not the particular employee who signed it. Another application is for keycard access to restricted areas where it is inappropriate to track individual employee's movements, but necessary to secure areas to only employees in the group. Essential to a group signature scheme is a group manager, who is in charge of adding group members and has the ability to reveal the original signer in the event of disputes. In some systems the responsibilities of adding members and revoking signature anonymity are separated and given to a membership manager and revocation manager respectively. Many schemes have been proposed, however all should follow these basic requirements:


Soundness and Completeness: Valid signatures by group members always verify correctly, and invalid signatures always fail verification.
Unforgeable: Only members of the group can create valid group signatures.
Anonymity: Given a message and its signature, the identity of the individual signer cannot be determined without the group manager's secret key.
Traceability: Given any valid signature, the group manager should be able to trace which user issued the signature. (This and the previous requirement imply that only the group manager can break users' anonymity.)
Unlinkability: Given two messages and their signatures, we cannot tell if the signatures were from the same signer or not.
No Framing: Even if all other group members (and the managers) collude, they cannot forge a signature for a non-participating group member.
Unforgeable tracing verification: The revocation manager cannot falsely accuse a signer of creating a signature he did not create.

The ACJT 2000, BBS04 (in Crypto) and BS04 (in CCS) group signature schemes are the state of the art. BBS04: Boneh, Boyen and Shacham published in 2004 (Crypto04) a novel group signature scheme based on bilinear maps. Signatures in this scheme are approximately the size of a standard RSA signature (around 200 bytes). The security of the scheme is proven in the random oracle model and relies on the Strong Diffie-Hellman assumption (SDH) and a new assumption in bilinear groups called the Decision Linear assumption (DLin).

1.3.3.9 RING SIGNATURE


A ring signature is a system similar to a group signature that excludes the requirement of a group manager and provides true anonymity for signers.

1.3.3.10 THRESHOLD SIGNATURE


A threshold signature involves a fixed-size quorum (threshold) of signers. Each signer must be a genuine group member with a share of a group secret signing key. A (t,n) threshold signature scheme supports n potential signers, any t of which can sign on behalf of the group. Threshold signatures reveal nothing about the t signers; no one can trace the identity of the signers (not even a trusted center who has set up the system).
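The (t,n) property described above, as an added example that is not part of the original report: a Schnorr-style threshold signature in which each signer contributes a partial signature from its key share and the group key is never reassembled. The toy group parameters, the function names and the simplified single-round nonce handling are assumptions made for illustration, not a production protocol.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def share_key(coeffs, n):
    """Shamir-share coeffs[0] (the group key x) using a polynomial f of degree t-1.
    Returns {i: f(i) mod Q} for signers 1..n; t = len(coeffs) shares are needed."""
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, signers):
    """Coefficient lambda_i with sum(lambda_i * f(i)) = f(0) over `signers`."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, message):
    """Hash (R, message) into 1..Q-1 so the challenge is never zero."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + message).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def threshold_sign(message, shares, signers):
    """Combine partial signatures from `signers`; x itself is never rebuilt."""
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}  # k_i stays local
    R = 1
    for k in nonces.values():
        R = R * pow(G, k, P) % P          # joint commitment R = g^(sum of k_i)
    c = challenge(R, message)
    partials = [(nonces[i] + c * lagrange_at_zero(i, signers) * shares[i]) % Q
                for i in signers]         # s_i = k_i + c * lambda_i * x_i
    return R, sum(partials) % Q

def verify(message, signature, group_public_key):
    """Ordinary Schnorr check g^s == R * y^c; no signer identity is involved."""
    R, s = signature
    c = challenge(R, message)
    return pow(G, s, P) == R * pow(group_public_key, c, P) % P
```

Signatures from different quorums verify against the same group public key and have the same form, so the verifier learns nothing about which t members signed; a quorum of t-1 interpolates the wrong key and fails verification.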

1.3.3.11 MULTISIGNATURE
A multisignature represents a certain number of signers signing a given message. The number of signers is not fixed, and the signers' identities are evident from a given multisignature. A multisignature is much shorter (sometimes constant) than the simple collection of individual signatures.

1.3.3.12 PROXY SIGNATURE
A proxy signature allows a delegator to give partial signing rights to other parties called proxy signers. Proxy signatures do not offer anonymity.

1.3.3.13 AGGREGATE SIGNATURE
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M_i for i = 1, ..., n). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. These are, more or less, the schemes that have been used and that are in use today. We take up RSA and ECCDSA for analysis, for the reasons described in the next section.

1.4 CONTEMPORARY ISSUES IN THE DIGITAL SIGNATURES THAT WE HAVE ADDRESSED

In the contemporary world, devices are getting smaller, more compact and even more powerful. With the advent of palm-held devices and desktops getting reduced in size day by day, the need for providing security while consuming comparatively fewer resources and even less time is increasing every now and then, demanding better algorithms each day. With the advent of ad-hoc networks and ever increasing wireless networks, the devices that are being used have constrained capabilities concerning CPU power, battery power and transmission bandwidth, whereas all security mechanisms being used are resource consuming. ECC is still in its infancy, and thus has not received as much scientific analysis as the much older RSA scheme. The smaller key sizes of ECC potentially allow less computationally able devices such as smart cards and embedded systems to use cryptography for secure data transmissions, message verification and other means. Keeping in view the rapidly constrained reports and ever increasing demands for security, along with the efficient consumption of resources, we suggest RSA is comparable to ECC for digital signature creation in terms of time, and is faster than ECC for digital signature verification. Thus, for applications requiring signature generation more often than message verification, ECC may be the better choice, but for applications requiring message verification more often than signature generation, RSA is a better choice. Compared to traditional cryptosystems like RSA, ECC provides equivalent security with smaller key sizes, which results in faster computations, lower power consumption, as well as memory and bandwidth savings. This is especially useful for mobile devices, which are typically limited in terms of their CPU, power and network connectivity.

Keeping in view the above issues, we have in this project compared the performance characteristics of two public key cryptosystems (RSA and ECC) used in digital signatures to determine the applicability of each in modern technological devices and protocols that use such signatures. Digital signatures are used in message transmission to verify the identity of the sender and to ensure that a message has not been modified after signing. The space and time efficiency of digital signature algorithms is essential to their widespread adoption in message transport systems.
