• 2025-06-28

Algorithms for solving special cases of ECDLP – Elliptic Curves

8.4.2 Algorithms for solving special cases of ECDLP Because of their mathematical properties, some elliptic curves allow you to take shortcuts when solving ECDLP. In 1991, mathematicians Alfred Menezes, Scott Vanstone, and Tatsuaki Okamoto published an algorithm that reduces ECDLP to a DLP in the multiplicative group of a finite field. They showed that for…


Curve secp256r1 – Elliptic Curves

8.5.1 Curve secp256r1 Digital Signature Standard FIPS-186 [128] specifies 15 elliptic curves that the National Institute of Standards and Technology (NIST) recommends for use by the US federal government. All 15 curves were generated using a method described in the IEEE 1363-2000 and the ANS X9.62 standards. Curve secp256r1 is one of the elliptic curves…


Elliptic curve Diffie-Hellman in TLS 1.3 – Elliptic Curves

8.5.6 Elliptic curve Diffie-Hellman in TLS 1.3 If Alice and Bob use the ECDH key agreement with elliptic curves secp256r1, secp384r1, or secp521r1, they follow the ECKAS-DH1 scheme defined in the IEEE 1363-2000 standard illustrated in Figure 8.5.6. When using the ECKAS-DH1 scheme, Alice and Bob first agree on the secret value derivation primitive. IEEE…


General considerations – Digital Signatures

9.1 General considerations Assume Alice has generated herself a key pair (PK_Alice, SK_Alice) within some asymmetric cryptosystem. If Alice uses her private key SK_Alice to compute some output s = sig_Alice(x) based on an input x, this is an operation that can, at least in principle, only be performed by Alice because she is the only…


Digital signatures based on discrete logarithms 2 – Digital Signatures

To generate her signing key, Alice performs the following steps: To sign a message m, Alice takes the following steps: 3. Finally, Alice finds an integer s such that or equivalently, Her signature is the pair sig_Alice(m) = (r, s). She sends (m, sig_Alice(m)) = (m, (r, s)) to Bob. To verify Alice’s signature, Bob first obtains an authentic…


Elliptic Curve Digital Signature Algorithm (ECDSA) – Digital Signatures

9.3.2 Elliptic Curve Digital Signature Algorithm (ECDSA) When transferring the DSA algorithm to an elliptic curve E, we just switch the group from 𝔽_p^* to E, so the basic steps will stay the same. We just have to ensure that we switch the objects correctly: Bearing this in mind, formulating the ECDSA is not very…


RSASSA-PKCS1-v1_5 algorithms 2 – Digital Signatures

These attacks illustrate why the input to the RSA signature generation function must be constructed in a secure manner and why the EMSA-PKCS1-v1_5 encoding uses a cryptographically secure hash function. More precisely, the EMSA-PKCS1-v1_5 encoding is computed as follows: 5. Output m. With the EMSA-PKCS1-v1_5 encoding function and the RSASP1 function in place, Alice can…


RSASSA-PSS algorithms – Digital Signatures

9.4.2 RSASSA-PSS algorithms The TLS 1.3 SignatureScheme data structure defines two types of RSASSA-PSS algorithms: algorithms with public key OID rsaEncryption and algorithms with public key OID RSASSA-PSS. An Object Identifier (OID) is a unique number standardized by the International Telecommunication Union (ITU) and ISO/IEC to globally and unambiguously identify an object, attribute, or concept.…


EdDSA algorithms 2 – Digital Signatures

The points on the elliptic curve form a group under addition, that is: The neutral element for this group is (0,1). The explicit formulas for computing the points x3 and y3 are and Unlike with many other elliptic curves, these formulas have the advantage of being complete. That means they are valid for all points…


EdDSA algorithms – Digital Signatures

9.4.4 EdDSA algorithms The ed25519 and ed448 algorithms are instantiations of the Edwards-Curve Digital Signature Algorithm (EdDSA) with the elliptic curves edwards25519 and edwards448, respectively. The algorithms are defined in RFC 8032 Edwards-Curve Digital Signature Algorithm (EdDSA). The ed25519 algorithm offers roughly 128-bit security. This is in line with the security level recommended by common…
