Cryptography: Theory and Practice

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure signature schemes discussed in lecture 20 to construct multiple use schemes. We describe Merkle signatures (which are provably secure), and Full Domain Hash signatures. Discussion of the security of the Full Domain Hash has two parts: First, we evaluate the security with respect to the normal definition of computationally secure signature schemes; Then, because we are unable to prove security, we introduce the Random Oracle Model (ROM) to support the (unproven) assertion that these schemes is secure. 1 Merkle Signatures A signature scheme for use with multiple messages of arbitrary length; built using Collision Resistant Hash-Functions (CRHF) and one time signatures. For this signature scheme, we must know in advance how many signatures the user will ever plan on sending. Assume that we have a one time signature scheme; generate n pairs ( PK i ,SK i ) and build a tree using a colision resistant hash function, h , by hashing each pair of adjacent nodes recursively up the tree to the root. The root is the public key, r . SK = { ( PK i ,SK i ) } i =1 ...n Note: The public keys { PK i } i are used to sign the messages, and so are formally specified as part of the secret key. However , they need not remain secret (and in fact they are published as part of the signature). We build our tree from the n pairs of (public key, secret key). Let the ( PK i ,SK i ) pairs be the base of the tree ( n leaves). Compute the next level up, and name the elements of the tree, as follows: 1
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Figure 1: Merkle Signature tree s 1 1 = h ( PK 1 ,PK 2 ) , s 1 2 = h ( PK 3 ,PK 4 ) , ... , s 1 n/ 2 = h ( PK n - 1 ,PK n ) For constructing the second level from the first level, we compute: s 2 1 = h ( s 1 1 ,s 1 2 ) , s 2 2 = h ( s 1 3 ,s
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 01/30/2008 for the course ICS 268 taught by Professor Jarecki during the Fall '04 term at UC Irvine.

Page1 / 6

malkin21 - COMS W4995 Introduction to Cryptography November...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online