Digital SignaturesCampbell R. Harvey

Duke University and NBER

January 26, 2019

Innovation and Cryptoventures

Campbell R. Harvey 2019 2

DefinitionCryptography is the science of communication in the presence of an adversary. Part of the field of cryptology.

3Campbell R. Harvey 2019

Goals of Adversary• Alice sends message to Bob• Eve is the adversary

4Campbell R. Harvey 2019

Goals of Adversary

Eve’s goals could be:1. Eavesdrop2. Steal secret key so that all future messages can be intercepted3. Change Alice’s message to Bob4. Masquerade as Alice in communicating to Bob

5Campbell R. Harvey 2019

Symmetric Keys

Early algorithms were based on symmetric keys.• This meant a common key encrypted and decrypted the message• You needed to share the common key and this proved difficult

6Campbell R. Harvey 2019

Secret Keys

Symmetric key• DES (Data Encryption Standard)

was a popular symmetric key method, initially used in SET (first on-line credit card protocol)

• DES has been replaced by AES (Advanced Encryption Standard)

11Campbell R. Harvey 2019

Diffie-Hellman Key Exchange

• Breakthrough in 1976 with Diffie-Hellman-Merkle key exchange• There is public information that everyone can see. Each person, say Alice and

Bob, have secret information.• The public and secret information is combined in a way to reveal a single

secret key that only they know

12https://www.youtube.com/watch?v=YEBfamv-_do

Campbell R. Harvey 2019

Diffie-Hellman Key Exchange

• Will use prime numbers and modulo arithmetic• We already encountered one example of modular arithmetic simple ciphers

(also the SHA-256 which uses mod=232 or 4,294,967,296)

13https://www.youtube.com/watch?v=YEBfamv-_do

Campbell R. Harvey 2019

Symmetric Key Exchange

Numerical example• “5 mod 2” = 1• Divide 5 by 2 the maximum number of times (2) • 2 is the modulus• The remainder is 1• Remainders never larger than (mod-1) so for mod 12 (clock) you would

never see remainders greater than 11.• EXCEL function = mod(number, divisor) e.g., mod(329, 17) = 6

14

“mod”

Campbell R. Harvey 2019

Symmetric Key Exchange

Alice and Bob decide on two public pieces for information• A modulus (say 17)• A generator (or the base for an exponent) (say 3)

• Alice has a private key (15)• Bob has a private key (13)

• Is it possible for them to share a common secret that is unlikely to be intercepted?

15https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/diffie-hellman-key-exchange-part-2

Campbell R. Harvey 2019

Symmetric Key Exchange

Alice: Calculates 315 mod 17 = 6 (i.e., =mod(3^(15), 17))

• Alice send the message “6” to Bob

16Campbell R. Harvey 2019

Symmetric Key Exchange

Alice: Calculates 315 mod 17 = 6 (i.e., =mod(3^(15), 17))

• Alice send the message “6” to Bob• Eve intercepts the message!

17Campbell R. Harvey 2019

Symmetric Key Exchange

Bob: Calculates 313 mod 17 = 12 (i.e., =mod(3^(13), 17))

• Bob send the message “12” to Alice

18Campbell R. Harvey 2019

Symmetric Key Exchange

Bob: Calculates 313 mod 17 = 12 (i.e., =mod(3^(13), 17))

• Bob send the message “12” to Alice• Eve intercepts the message! Now Eve has the 6 and the 12.

19Campbell R. Harvey 2019

Symmetric Key Exchange

Alice: She takes Bob’s message of 12 and raises it to the power of her private key. Calculates 1215 mod 17 = 10 (i.e., =mod(12^(15), 17))*

• This is their common secret

20*EXCEL only does 15 digits so this will not work Campbell R. Harvey 2019

Symmetric Key Exchange

Bob: He takes Alice’s message of 6 and raises it to the power of his private key. Calculates 613 mod 17 = 10 (i.e., =mod(6^(13), 17))

• This is their common secret

21Campbell R. Harvey 2019

Symmetric Key Exchange

Eve She has intercepted their message. However, without the common secret key, there is little chance she can recover the shared secret.

22Campbell R. Harvey 2019

Symmetric Key Exchange

Common secret• Alice can now encrypt a message with the common secret and Bob can

decrypt it with the common secret. • Notice this is a common secret. • Next we will talk private/public keys. That is, both and Alice have separate

public keys and separate private keys.

23Campbell R. Harvey 2019

Asymmetric Keys: RSA - High Level Overview

RSA • RSA stands for Rivest, Shamir and Adleman. Discovered earlier by UK

Communications-Electronics Security Group (CESG) – but kept secret.• Receiver generates two public pieces of information and a private key

• One piece of public information is just the product of two prime numbers, N=p*q(called “max”)

• The other is the public key, e, is just another prime that is greater than 2 and less than the product, N

• The prime numbers, p and q, that are used are huge. The private key is mathematically linked to public keys.

• Sender encrypts with the two public keys, e and N• Receiver can easily decrypt

28Campbell R. Harvey 2019

Asymmetric Keys: RSA - High Level Overview

See my Cryptography 101 (linked) deck for much more detail.• Two prime numbers are chosen and they are secret (say 7 and 13, p, q).• Multiply them together. The product (N=91) is public but people don’t know

the prime numbers used to get it.• A public key, e, is chosen (say 5).• Given the two prime numbers, 7 and 13, and the public key, 5, we can derive

the private key, which is 29.

29Campbell R. Harvey 2019

Asymmetric Keys: RSA - High Level OverviewIssues with RSA• RSA relies on factoring• N is public (our example was 91) as is e• If you can guess the factors, p, q, then you

can discover the private key

30Campbell R. Harvey 2019

Asymmetric Keys: RSA - High Level OverviewIssues with RSA• Factoring algorithms have become very efficient• To make things worse, the algorithms become more efficient as the size of

the N increases• Hence, larger and larger numbers are needed for N (moving to 2,048 bits)• This creates issues for mobile and low power devices that lack the

computational power

31http://www.slate.com/articles/health_and_science/science/2016/01/the_world_s_largest_prime_number_has_22_338_618_digits_here_s_why_you_should.html

Campbell R. Harvey 2019

Elliptic Curve Cryptography

Mathematics of elliptic curves• Does not rely on factoring• Curve takes the form of

y2 = x3 + ax + b

32

Note: 4a3 + 27b2 ≠ 0

Campbell R. Harvey 2019

Bitcoin uses a=0 and b=7

Note that diagram is “continuous” but wewill be using discrete versions of this arithmetic

Elliptic Curve Cryptography

Properties• Symmetric in x-axis• Any non-vertical line between two points intersects in three points• Algebraic representation

33Campbell R. Harvey 2019

Elliptic Curve Cryptography

Properties: Addition

34

P Q

R

P+Q

Define a system of “addition”. To add “P” and“Q” pass a line through and intersect at third point“R”. Drop a vertical line down to symmetric part.This defines P+Q (usually denoted 𝑃𝑃 ⊕𝑄𝑄)

Denote Elliptic Curveas E Campbell R. Harvey 2019

Elliptic Curve Cryptography Properties: Doubling

35

P

2P

Define a system of “addition”. To add “P” and“P” use a tangent line and intersect at third point.Drop a vertical line down to symmetric part. This definite 2P (usually denoted 𝑃𝑃 ⊕ 𝑃𝑃)

Denote Elliptic Curveas E Campbell R. Harvey 2019

Elliptic Curve Cryptography (Optional slide)

Properties: Other

36

(a) P + O = O + P = P for all P ∈ E.(existence of identity)

(b) P + (−P) = O for all P ∈ E.(existence of inverse)

(c) P + (Q + R) = (P + Q) + R for all P, Q, R ∈ E.(associative)

(d) P + Q = Q + P for all P, Q ∈ E(communativity)

Denote Elliptic Curveas E Campbell R. Harvey 2019

Elliptic Curve Cryptography

Why use in cryptography?• Suggested by Koblitz and Miller in 1985• Implemented in 2005• Key insight:

• Adding and doubling on the elliptic curve is easy but undoing the adding is very difficult• 256 bit ECC public key provides about the same security as 3,072 bit RSA public key

• Bitcoin uses a particular type of ECC known as secp256k1

37Campbell R. Harvey 2019http://www.nicolascourtois.com/bitcoin/groups_ECC_7B.pdf

ECDSA

• Private key is a number called “signing key” (SK). It is secret.• Public key is the “verification key” and is mathematically linked to

the private key

49Campbell R. Harvey 2019

SK EC VK

Private key:(number)

Elliptic curve operations: Need base point, modulus, order

Public key:coordinate (x, y)

Note: Easy to generate a public key with a private key. Not easy to go the other way.

ECDSA• Digital signature

50Campbell R. Harvey 2019

SK

EC DS

Private key:(number)

Elliptic curve operations: Need base point, modulus, order (n)

Digital signature:coordinate (r, s)

Message

Nonce

Nonce:(random number)

ECDSA• Verification

51Campbell R. Harvey 2019

VK

EC (x’, y’)

Public key:(x, y)

Elliptic curve operations: Need base point, order (n)

Derive new pointon elliptic curve

Message

r

DScoordinates

sr = x’ mod n ?

Yes (verified)

No(rejected)

Check x coordinateof new point and DS

Note r not used until verification step

How DSAs Work

Notice• Proves that the person with the private key (that generated the public

key) signed the message. • Interestingly, digital signature is different from a usual signature in that

it depends on the message, i.e., the signature is different for each different message.

• In practice, we do not sign the message, we sign a cryptographic hash of the message. This means that the size of the input is the same no matter how long the message is.

52Campbell R. Harvey 2019

ECDSA in Action

53Campbell R. Harvey 2019https://kjur.github.io/jsrsasign/sample/sample-ecdsa.html

ECDSA in Action

54Campbell R. Harvey 2019

OP_CHECKSIG uses Public Key + Digital Signature + Hash of Transaction

Verifies whether this transaction has been signed by the owner of the Private Key

https://www.youtube.com/watch?v=ir4dDCJhdB4 (advanced by Matt Thomas)

Application: PGP EmailMy public key for secure email• You can encrypt an email

to me with my public key and only I can decrypt with my private key.

55Campbell R. Harvey 2019

Application: PGP Email

Steps1. Message compressed2. Random session key (based on mouse

movements and keystrokes) is generated.3. Message encrypted with session key4. Session key is encrypted with receiver’s public key5. Encrypted message + encrypted session key sent via email6. Recipient uses their private key to decrypt the session key7. Session key is used to decrypt the message8. Message decompressed

56Campbell R. Harvey 2019http://www.pgpi.org/doc/pgpintro/

References

• The Math Behind Bitcoin [recommended]

• Elliptic Curve Digital Signature Algorithm (Bitcoin)

• What does the curve used in Bitcoin, secp256k1, look like?

• Elliptic Curve Digital Signature Algorithm (Wikipedia)

• Elliptic Curve Cryptography (UCSB)

• Elliptic Curve Cryptography and Digital Rights Management (Purdue)

• Zero to ECC in 30 minutes (Entrust)

• The Elliptic Curve Cryptosystem

• Goldwasser, Shaffi and Mihir Bellare, 2008, Lecture Notes on Cryptography

• Dan Boneh, Stanford University, Introduction to Cryptography

• Dan Boneh, Stanford University, Cryptography II

• https://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

57Campbell R. Harvey 2019