# Cryptography: Theory and Practice

• Notes
• davidvictor
• 6

This preview shows pages 1–3. Sign up to view the full content.

COMS W4995 Introduction to Cryptography November 13, 2003 Lecture 21: Multiple Use Signature Schemes Lecturer: Tal Malkin Scribes: M. Niccolai, M. Raibert Summary In this lecture, we use the one time secure signature schemes discussed in lecture 20 to construct multiple use schemes. We describe Merkle signatures (which are provably secure), and Full Domain Hash signatures. Discussion of the security of the Full Domain Hash has two parts: First, we evaluate the security with respect to the normal definition of computationally secure signature schemes; Then, because we are unable to prove security, we introduce the Random Oracle Model (ROM) to support the (unproven) assertion that these schemes is secure. 1 Merkle Signatures A signature scheme for use with multiple messages of arbitrary length; built using Collision Resistant Hash-Functions (CRHF) and one time signatures. For this signature scheme, we must know in advance how many signatures the user will ever plan on sending. Assume that we have a one time signature scheme; generate n pairs ( PK i , SK i ) and build a tree using a colision resistant hash function, h , by hashing each pair of adjacent nodes recursively up the tree to the root. The root is the public key, r . SK = { ( PK i , SK i ) } i =1 ...n Note: The public keys { PK i } i are used to sign the messages, and so are formally specified as part of the secret key. However , they need not remain secret (and in fact they are published as part of the signature). We build our tree from the n pairs of (public key, secret key). Let the ( PK i , SK i ) pairs be the base of the tree ( n leaves). Compute the next level up, and name the elements of the tree, as follows: 1

This preview has intentionally blurred sections. Sign up to view the full version.

Figure 1: Merkle Signature tree s 1 1 = h ( PK 1 , PK 2 ) , s 1 2 = h ( PK 3 , PK 4 ) , . . . , s 1 n/ 2 = h ( PK n - 1 , PK n ) For constructing the second level from the first level, we compute: s 2 1 = h ( s 1 1 , s 1 2 ) , s 2 2 = h ( s 1 3 , s 1 4 ) , . . . , s 2 n/ 4 = h ( s 1 n/ 2 - 1 , s 1 n/ 2 )
This is the end of the preview. Sign up to access the rest of the document.
• Fall '04
• Jarecki
• Cryptography, Cryptographic hash function, signature scheme, random oracle model, P Kn

{[ snackBarMessage ]}

### What students are saying

• As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

Kiran Temple University Fox School of Business ‘17, Course Hero Intern

• I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

Dana University of Pennsylvania ‘17, Course Hero Intern

• The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

Jill Tulane University ‘16, Course Hero Intern