# Introduction to cryptography

AI and Robotics

Nov 21, 2013 (4 years and 7 months ago)

72 views

1
Introduction to cryptography
Basic concepts
Classical techniqes
Modern conventional techniques
Cryptography – Basic concepts
 Cryptography - the art or science encompassing the
principles and methods of transforming an intelligible
message into one that is unintelligible, and then
retransforming that message back to its original form
 Plaintext - the original intelligible message
 Ciphertext - the transformed message
 Cipher- an algorithm for transforming an intelligible
message into one that is unintelligible by transposition
and/or substitution methods
 Key - some critical information used by the cipher,
known only to the sender & receiver
2
Cyptography – Basic concepts
 Encipher (encode) - the process of converting
plaintext to ciphertext using a cipher and a key
 Decipher (decode) - the process of converting
ciphertext back into plaintext using a cipher and
a key
 Cryptanalysis - the study of principles and
methods of transforming an unintelligible
message back into an intelligible message
without knowledge of the key. Also called
codebreaking
Conventional encryption model
• Plaintext X=[X
1
,X
2
,...,X
M
],length M
– Melements are letters in a finite alphabet
• Secret key K=[K
1
,K
2
,...,K
j
],length J
• Ciphertext Y=[Y
1
,Y
2
,...,Y
n
],length N
• With message X and encryption key K the
encryption algorithm forms the ciphertext
– Y=E
K
(X)
• The receiver can invert the transformation
– X=D
K
(Y)
3
Conventional cryptosystem model
Conventional encryption model
• Security of conventional encryption depends on several
factors
– (entropy of) the algorithm: it must be impractical to decrypt a
message on the basis of the cyphertext and knowledge of the
encryption/decryption algorithm (Kerckhoffs principle)
– the key
• secrecy of the key
• length of the key (in fact entropy OF the key)
• Note: the algorithm is public
– manufactures can develope low-cost chip implementations of the
algorithm
• The principal security problem is maintaining the secrecy
of the key
4
Cryptographic systems - classification
Cryptographic systems are classified along three
dimensions
1.The type of operations used for transforming
plaintext to cyphertext
- substitution
- transposition
2.The number of keys used
- single key, symmetric, secret key, conventional
- two keys, asymmetric, public key
3.The way in which plaintext is processed
- block cipher
- stream cipher
Cryptanalysis
• Cryptanalysis = the process of trying to discover X or K or
both
• Brute force
– the entropy of a key is important, random number generation
– e.g. 10 letter english word has about 13 bits of entropy even thow the
”key” is 80 bits long
• Windows NT: 128-bit key based on users password
– Distributed internet key search 1999: 250 billion keys/sec
• analysis of the ciphertext
– statistical tests
– traces of structure and pattern of plaintext may survive the encryption
process and be discernible in the ciphertext
– generally not feasible with modern ciphers
• Differential and linear cryptanalysis
5
Exhaustive key search
Cryptanalytic attacks
• Ciphertext only
– only acces to some enciphered messages
– use statistical attacks only
• Known plaintext
– know some plaintext-ciphertext pairs
– use this knowledge in attackin the cipher
• Chosen plaintext
– can select plaintext and obtain corresponding ciphertext
– use knowledge of algorithm structure in the attack
• Chosen plaintext-ciphertext
– can select plaintext and obtain corresponding ciphertext,
or vice versa
– allows further knowledge on algorithm structure to be
used
6
Security models
– intuitive feeling of security
• Computationally secure
– the cost of breaking the cipher exceeds the value of the
encrypted information
– the time required the the cipher exceeds the useful
• Provably secure
– the breaking is provably as difficult as some known
difficult problem, i.e. factorization
• Unconditionally secure
– the ciphertext does not contain enough information to
determine uniquely the corresponding plaintext, no
matter how much ciphertext is available
• The only cipher that has been proved to be
unconditionally secure
• Invented by. G. Vernam in 1917
• Key is a random bit-stream of same length as the
message
• Encryption simple – just XOR the message with
the key
• A key must not be reused
• Not very practical
• Used on the ”Moscow-Washington” hot line
7
Conventional encryption -
algorithms
Principles
S-DES
Other block ciphers
Modern block ciphers
• Based on the principles of Feistel ciphers
• Block ciphers seem to be applicaple to a broader
range of applications than stream ciphers
• A block cipher can be used in a way to make it
operate as a stream cipher
• The message is broken into blocks of bits, each of
which is encrypted separately.
– Can be viewed as a substitution cipher with a very large
alphabet
• The structure of the algorihtms is generally very
complex
8
Feistel Cipher
• A foundation for many modern block ciphers
• The exact realization of a Feistel Cipher depends on the
following design features
– blokc size: larger block-size increases security but decreases
encryption/decryption speed
– key size: 128 is now considered safe
– number of rounds: a single round offers weak security, but repeating
rounds offer increasing security. Typically 16 rounds are used
– subkey generation algorithm: greater complexity should lead to greater
difficulty of cryptanalysis
– round function: greater complexity generally means greater resistance to
cryptanalysis
– implementation issues: speed and memory requirements in
software/hardware implementation
– ease of analysis: a simple algorithm can be e.g. analysed for
vulnerabilities. (DES is not easy to analyze)
9
Substitution-Permutation Ciphers
• Shannon introduced the idea of substitution-permutation
(S-P) networks, which now form the basis of modern block
ciphers
– An S-P network is the modern form of a substitution-transposition
product cipher (like Enigma)
– S-P networks are based on the two primitive cryptographic
operation, substitution and permutation
– mixing transformations
• Shannons mixing transformations are a special form of
product ciphers where
– S-Boxes provide confusion of input bits
– P-Boxes provide diffusion across S-box inputs
Substitution-Permutation Ciphers cont...
• Avalanche effect
– a small change in either the plaintext or the key produce
a significant change in the ciphertext
– In DES a one bit change in either the key or plaintext
produce on the average 35 changed bits in the
ciphertext
• Completeness effect
– each ciphertext bit is a complex function of all input
bits (in a block)
10
Simplified DES (S-DES)
• An educational rather than secure algorithm
• A block cipher which encrypts an 8-bit block of
plaintext using a 10-bit key and outputs an 8-bit block of
ciphertext
• Has a general structure of Shannons mixing transform
• Encryption involves five functions
– an initial permutation
– f
K
involving both substitution and permutation both depending
on the key
– simple permutation SW
– f
K
again
– an inverse of the initial permutation
• Additionally there is a key generation algorithm to
generate sub-keys
DES vs. S-DES
• DES adopted as NIST FIPS 46 in 1977
– the algorithm is DEA
• DES operates with 64-bit blocks
• 16 rounds:IP
-1
º f
K16
º SW º f
K15
º SW.... º SW º f
K1
º IP
• A 56-bit key is used to form 16 48-bit sub-keys
• F acts on 32-bits
• There are 8 rows corresponding to 8 S-boxes.
Each S-box has 4 rows and 16 columns. First and
last bit of a row picks the row of an S-box, the
four bits in the middle pick the column.
• Basically, DES is a scaled-up
version of S-DES
n
32
n
1
n
2
n
3
n
4
n
5
n
4
n
5
n
6
n
7
n
8
n
9
. ...... .
n
28
n
29
n
30
n
31
n
32
n
1
11
The strength of DES
– most cryptanalyzed algorithm security
– no known efficient cryptanalytic attack
– the design criteria for S-boxes not released, potential
threat
• The key length
– EFF ”DES Cracker”, built for \$250000. Broke DES in
three days.
• DES is not safe any longer
– Recognizing the plaintext may take time making DES
secure
12
13
Overview of Block Ciphers
• An overview of the most important
symmetric ciphers in current use
• DES
• TDEA
• IDEA
• Blowfish
• Cast-128
Triple-DEA
TDEA
• FIPS 46-3 in 1999
• Based on using DES three
times in an encrypt-decrypt-
encrypt secuence with three
different keys
• Much stronger than DES
• Slow compared to some new
block ciphers, fixed 64bit
block size
• Also a two-key version exists
C = EK3[DK2[EK1[P]]]
• Used in eg. PGP and S/MIME
• TDEA and AES will coexist in
FIPS approved algorithms
14
Key distribution
• The problem – ”to estabslish a secret shared by the
two parties and protected from access by others”
– number of communicating pairs can be very large
– keys has to be changed frequently
• Ways of distributing the keys for two parties, A
and B
1. A selects the key and physically delivers it to B
2. A third party selects the key and physically delivers it
to A and B
3. If A and B have previously used a key, one party can
transmit the new key to the other encrypted using the
old key
4. If A and B both have an encrypted connection to a
trusted third party C, C can deliver the key to A and B
Key distribution
• Ways 1. and 2. require manual delivery
– impossible for end-to-end encryption
• N hosts, [N(N-1)]/2 possible pairs of commmunication
• Way 3. can be used in both link and end-to-end
communcation
– if an attacer gets one key, also all subsequent keys are
exposed
• Some variatioon of way 4. is the most commonly
used for end-to-end encryption
– a key distribution center (KDC) is used
– a hierarchy of keys, at least two levels
15
Two hierachies of keys
• Session key:
– Data encrypted with a one-time session key.At
the conclusion of the session the key is
destroyed
• Permanent (master) key:
– Used between entities for the purpose of
distributing session keys
• a unique marster key for each host for
communicating wiht KDC
16
Public Key Cryptography
Principles
RSA Key Management
Diffie-Hellman
Introduction
• The idea of Public key cryptography proposed by
Diffie and Hellman 1976
– Cryptosystems: RSA, Merkle-Hellman, Rabin,
McEliece, El Gamal, Ellliptic curves
• Public key algorithms are based on mathematical
functions rather than subsitution and transtosition
• The Public key cryptgraphy is asymmetric
involving the use of two separate keys
– profound consequencies in the areas of confidentiality,
authentication and key distribution
17
Introduction cont...
• The main problems of conventional encryption
that can be solved with public key cryptography
1.Key distribution
- in a conventional scheme the communicating parties
have to either share a common secret key or use a key
distribution centre
- in a public key scheme it is possible to exchange a
session key securely
2.Authentication
- ”the need for a digital signature”
encryption
• Public key encryption is more secure than secret key
encryption
– the security of any encryption scheme depends on the length of the key
and the and the computational work in breaking the cipher.
– no principal difference between conventional/publik key encryption in this
respect
• Public key encryption is a general purpose technique and
– the computational overhead of current public key shemes compared to
conventional encryption is high
– conventional encryption will be used to foreseeable future
• Key distribution is trivial when using public key
encryption
– the procedures and protocols ar no simpler nor more efficient than those
required for conventional encryption
18
Principles of public-key cryptosystems
• Public key algorithms use one key for encryption
and an other, related key for decryption
– a pair of keys: public key and private key (note: term
secret key refers to a conventional encrytpion key)
– it is not practical to deduce one key from the other
• Everybody has acces to the public key, whereas
the private key is kept secret
– Anybody can encrypt messages, but only the receiver
can decrypt messages
• In some public key cryptosystems (e.g. RSA) it is
possible to use either of the keys for encryption
and the other for decryption.
The basic principle
The message source is A and the destination B.
Confidentiality:
B generates the related keys: a public key KU
b
and a private key
KR
b
.
With the message X and KU
b
as input A can form the ciphertext
Y=E
KUb
(X). The receiver B having the private key KR
b
is able to
decrypt the ciphertext X=E
KRb
(Y).
Authentication:
Also A generates the related keys: a public key KU
a
and a
private key KR
a
. A prepares a message to B and encrypts it with
own private key Y=E
KRa
(X). B can decrypt the message using A’s
public key KU
a
Y=E
KUa
(X). If the message decrypts, only A could
have sent it, since it was encrypted with A’s private key. The
entire encrypted message serves as a digital signature in this
case. Furthermore this offers data integrity since it is impossible
to alter the message without KR
a
.
However this is not a practical authentication sotution, it merely
illustrates the principle.
19
The basic principles cont...
Confidentiality and Authentication at the same time:
The previous authentication scheme did not offer any secrecy,
i.e. the message is safe from alteration but not from
eavesdropping. However it is easy to provide both functions by a
double-use of public key scheme.
Z=E
KUb
[E
KRa
(X)]
X=E
KUa
[E
KRb
(Z)]
In other words the authentication function is hidden inside the
secrecy function. This is computationally a heavy solution, since
the public key algorithm must be executed four times.
1.One of the two keys must be kept secret
2.It must be impractical to decipher the
message a message if no other
information is available
3.Knowledge of the algorithm plus one of
the keys plus samples of the ciphertext
must be insufficient to determine the
other key
1.The key must be kept secret
2.It must be impractical to decipher the
message a message if no other
information is available
3.Knowledge of the algorithm plus
samples of the ciphertext must be
insufficient to determine the key
Needed for Security:
Needed for Security:
1.One algorithm is used for encrytpion
and decryption with a pair of keys, one
for encryption and one for decryption
2.The sender and the receiver must each
have one of the matched pair of keys
1.The same algorithm with the same
key is used for encrytpion and
decryption
2.The sender and the receiver must
share the algorithm and the key
Needed to work:
Needed to work:
Public-key encryption
Conventional Encryption
20
21
One-way function
A one-way function is is one-to-one (every value has a
unique inverse) with the condition that calculation Y=f(X) is
easy and its inverse X=F
-1
(Y) infeasible.
A trap-door one-way function is a one-way function which
is however easy to calculate also in the inverse direction with
A trap-door one-way function is a family of invertible
functions f
k
such that,
Y=f
k
(X) easy if k and X are known
X=f
k
-1
(X) easy if k and Y are known
X=f
k
-1
(X) unfeasible if Y is known but k unknown.
The developement of a practical public key cryptosistem
depends on discovery of a suitable trap-door one-way
function.
22
One-way functions cont...
• It is not known if one-way functions exist or not,
but many functions are believed to be one-way.
• In practice one-way functions are complex to
calculate in both directions. Public key
cryptography could not exist without computers.
– ”Easy to calculate” means in this context that the
problem can be solved in polynomial time as a function
of input length
– ”Infeasible” a fuzzier concept. The problem is said to
be infeasible if the effort needed to solve it grows faster
than polynomial time as a function of input length. An
example is a solving effort of 2
n
for input length n.
• Keyed one-way function produces a conventional
cryptosystem.
One-way functions cont...
Public key cryptosystems are based on the following
trap-door one-way functions:
• Finding the discrete logarihtm
– a
x
mod p = b; find x?
– easy for integers, but difficult with remainder classes
(modulus)
• Finding the prime factors of large numbers
– a = p * q; find p and q when a is known?
• Elliptic curves
• Knapsack problem (historical)
• Generally some NP-complete problem
23
The RSA algorithm
• Developed 1977 Riverst, Shamir, Adelman at
MIT.
• The first real public key cryptosystem capable of
encryption and digital signatures.
• The only widely accepted and implemented
general purpose PKC
• A block coder, blocks are interpreted as integers
• Based on factoring of large numbrers, which is not
known to be NP-complete
• Security is considered equivalent to factoring
• Not pathented since 2000
RSA ...
Encryption and decryption are of the following form for a plaintext
block M and ciphertext block C:
C = M
e
mod n
M = C
d
mod n = (M
e
)
d
mod n = M
ed
mod n
Both the sender and receiver know n and e, but only the receiver
know d. Thus the public key is KU={n,e} and the private key KR
KU={n,d}.
The requrements for this PKC:
1.It is possible to find a value e,d,n s.t. M
ed
= M mod n for all M < n
2. It is (relatively) easy to calculate M
e
and C
d
for all M < n
3. It is infeasible to determine d given e and n.
24
The RSA Algorithm
RSA example – key generation
1. Select two primes p=7 and q= 17.
2. Calculate n = pq = 119.
3. Calculate (n) = (p-1)(q-1) = 96.
4. Select e s.t. e is relatively prime to (n) =96 and less than (n); in this
case select e = 5.
5. Determine d s.t. de = 1 mod 96 and d <96. The correct value is d = 77,
because 77*5 = 385 = 4*96+1.
KU = {5,119} and KR = {77,119}
25
RSA example – encryption
and decryption
Encryption C = M
e
mod n
Decryption M = C
d
mod n
RSA cryptanalysis
• Brute force: number of different keys has to be large,
just like in conventional cryptography
– however large keys slow down the encryption rapidly
making its use impractical
• Mathematical attacs: attacks against the one-way
function
– RSA 129 was broken in 1994
• 1600 used over the internet. took 8 months
– 130 digit number is the longest that has been factorised
– Now recommended the use of 1024 bit keys (300 digits)
• Timing attacks
– an attack from a completely unexpected direction
– monitor the execution times of different parts of the
algorithm and thus gain knowledge of the key
– ciphertext only attack
26
Key management
• One of the major applications of PKCs
• There are two aspects to the use of a PKC in this
regard:
– the distribution of public keys
1.Public announcement
2.Publicly available directory
3.Public-key authority
4.Public key certificates
– the use of public-key encryption to distribute secret
keys.
1.Simple secret key distribution
2.Secret key distribution with confidentiality and authentication
Distribution of public keys –
Public announcement
• Simply publice the public keys of some widely accepted
standard like RSA
– anybody can send his public key to any participant or broadcast it to the
community at large
– eg. many PGP users have adopted a practice of appending their public key to
messages that they send to public forums
 This approach is very
convenient, but it has a
major weakness:
anybody can easily
forge the public
announcement
 thus the forger is able to
messages intended for the
 the forger is also able to
use the forged keys for
authentication
27
Distribution of public keys –
Publicly available directory
• Maintain a publicly available dynamic directory of public
keys
– maintenance and distribution of the public keys in the responsibility of a
trusted entity (TTP)
• The needed elements for this kind of scheme
1.Participants register a
public key using some form
of secure authenticated
communication
2.A participant can raplace
an existing key at any time
3.Periodically the authority
publishes the whole
directory of keys
 There are still
vulnerabilities
 the opponent could tamper
with the records kept by
the authority
Distribution of public keys –
Public key authority
 A central authority maintains a dynamic directory of public keys
of all participants.
 All participants reliably know the public key of the authority
1.The initiator A sends a timestamped message to the authority
requesting for the current public key of B.
2.The authority responds with a message encrypted with the
authoritys private key KR
auth.
The message contains
- KU
b
which A can use to encrypt messages to B
- the original request so that A can verify that it was not
altered by the opponent
- the original timestamp so that A can determine this is not an
old message containing a non valid public key for B (replay-
attack)
3.A sends its identifier ID
A
and a nonce N1 used for identifying the
transaction uniquely. The message is encrypted with KU
B
4.B retrieves the public key of A from the authority in a same
manner that A did.
28
Distribution of public keys –
Public key authority
 New public keys have been securely delivered to A and B.
However two additional steps are needed for mutual
authentication
6.B sends a message to A encrypted with KU
A
and containin A’s
nonce N1 and a new nonce N2. Because only B could have
decrypted N1 B’s authenticity is verified.
7.A returns N2 encrypted with B’s public key to assure A’s identity.
 Note that steps 1-5 need only be taken infrequently because A
and B both save the publick keys.
 The authority could be somewhat a bottleneck in the system
 The directory maintained by the authority is vulnerable to
tampering
29
Distribution of public keys –
Public key Certificates
 Suggested by Kohnfelder in 1978
 In this approach certificates are used to enable
participants to exchange keys without contacting the
authority in a way that is as reliable as if the keys were
obtained from the certificate authority (CA)
 A certificate contains a public key and other information,
is created by the authority, and is given to the participant
with the matching private key.
 A participant conveys its public key to another by
transmitting the certificate. Other participants can verify
that the certificate was created by the authority.
 In a simple PKI architecture, that CA may be the systems
administrator who issues certificates to end users. ’
 In a more complex environment, a CA may be a large
enterprise, a government agency, or a third-party
consortium that acts as a trust agent for a specific
industry.
Distribution of public keys –
Public key Certificates
 The requirements for the scheme
 Any participant must be able to decrypt certificates to
get the public key and other information
 Any participant must be able to verify that the
cerificate has been created by the authority
 Only the authority can create or update certificates
 Any participant must be able to verify the currency of
the certificate
 Trusting a CA assumes that the authority has taken
significant measures to verify the certificate holder's
identity.
 The basic principle
 The certificate of a participant A is
C
A
=E
KRauth
[T,ID
A
,KU
a
]
 Any participant can read the certificate
D
KUauth
[C
A
] = D
KUauth
[ E
KRauth
[T,ID
A
,KU
a
]] = (T,ID
A
,KU
a
)
30
Distribution of public keys –
Public key Certificates
 In practice, the certificate contains also other information
 Version
 validity time
 used algorithms
 issuer
 extensions
 X.509 standard has become universally accepted for
formatting public key certificates.
 used in IPSec, SSL, SET, S/MIME
31
Public key distribution of Secret Keys –
Simple secret key distribution
 It is assumed that A and B have already exchanged public keys
and now they want to exchange secret keys (i.e. conventional
session keys ) for the transmission of the messages
1.The initiator A generates a key pair {KU
a
,KR
a
} and transmits a
message to B consisting of KU
a
and A’s identifier ID
A
2.B generates the secret key K
s
and transmits it to A encrypted
with KU
a
3.A computes D
KRa
[ E
KUa
[K
s
]]. Now both A and B know the secret
key K
s
4.Public and private keys involved are discarded.
 This is an attractive protocol. No keys exist before or after the
key exchange so there is no risk of compromising the keys. Also
the communication is safe from eavesdropping.
 This protocol is however vulnerable to an active attac – so called
”man in the midde” attack.
Public key distribution of Secret Keys –
Man in the middle - attack
 In the previous simple secret key distribution, suppose that an
opponent E has control of the communicating channel
1.The initiator A generates a key pair {KU
a
,KR
a
} and transmits a
message to B consisting of KU
a
and A’s identifier ID
A
2.E intercepts the message, creates its own key pair {KU
e
,KR
e
}
and transmits KU
e
|| ID
A
to B.
3.B generates the secret key K
s
and transmits it to A encrypted
with KU
e
believing that it was A’s public key
4.E intercepts the message and learns K
s
by decrypting the
message with KR
e
5.E transmits K
s
to A encrypted with KU
a
 Neither A nor B noticed anything wrong in the key exchange. A
and B are unaware that E also knows the secret key.
 E no longer actively interferes the communication, but simply
eavesdrops.
32
Secret key distribution with confidentiality and
authentication (countermeasure to man-in-the-middle)
 A scheme profiding protection against passive and active attacks
1.A sends ID
A
and a nonce N1 to identify the transaction uniquely
encrypted with KU
b
2.B replays with N1 and a new nonce N2 encrypted with Ku
a
. The
presence of N1 in the message assures A that the correspondent
is B.
3.A returns N2 encrypted with B’s public key. This assures B that
the correspondent is A.
4.A generates the secret key K
s
and transmits M=E
KUb
[E
KRa
[K
s
]] to
B. Now only B can decrypt M and encryption with A’s private key
proves that A was the sender of M.
5.B computes E
KRb
[E
KUa
[M]] to recover the key.
33
Diffie-Hellman key exchange
 The first published public key algorithm by Diffie and Hellman
1976.
 Not pathented since 1997
 Widely used in commercial products
 The purpose is to enable two users to exchange a key securely
to be used in subsequent encryption of messages.
 both communicating parties can independently get the secret
key without exchangin any secret information.
 allows the construction of a common secret key over an
insecure communication channel
 The algorithm is based on the difficulty of computing discrete
logarithms in remainder-class arithmetic
 it is relatively easy to calculate exponentials modulo a prime,
but it is infeasible to calculate discrete logarithms
34
Diffie-Hellman - example
 Global public elements are chosen as the prime q =97 and
primitive root of q as =5.
 A and B selects the secret keys X
A
= 36 and X
B
= 58.
 Each computes the public key:
 Y
A
= 5
36
= 50 mod 97
 Y
B
= 5
58
= 44 mod 97
 A and B exchange the public keys (encryption is not needed)
 Now each can compute the common secret key
 K = (Y
B
)
X
A
mod 97 = 44
36
= 75 mod 97
 K = (Y
A
)
X
B
mod 97 = 50
58
= 75 mod 97
 An opponent who knows {q, , Y
A
,Y
B
} and cannot compute
K=75 without taking a discrete logarithm.
A simple protocol using Diffie-Hellman – key
exchange
35
Diffie-Hellman - attacks
 The key exchange is vulnerable to ”man in the middle” attack
 the opponent is able to control the communication line
 use digital signatures as a countermeasure
 Mathematical attacks: the algorithm is generally considered
secure
 the security may be compromised by bad choises of the
modoulus and generator
Other public key applications -
blind signature (just an example)
 The purpose is to be able to get a singnature without exposing
anything of the message being signed
 The person who signs does not know what he signed, but he is
able to prove later that the signature is (or is not) his.
 eCash is an example application, others time-stamp services and
anonymous acces services
 A wants B to sign a message M without B knowing anything
about M. We use RSA to implement the blind signature.
 B has a public key (n,e) and a private key (n,d). A generates a
random number r s.t. gcd(r,n) = 1.
 A sends a message M’ = r
e
M mod n. (the message M’ is blinded
with a random number r)
 B responds with S’ = (M’)
d
= (r
e
M)
d
mod n
 Because S’ = rM
d
mod n A can get the signature S as
S = S’ r
-1
mod n = (rM
d
)/r mod n = M
d
mod n (A removes
the blinding)
Thus S has now a signature of B !
Note that only commutative algorithms (like RSA) can be used.