ICS 268: Cryptography and Communication Security
11/21/2004
Homework 5
Due Tuesday, 12/2/2004

1 Insecure Variant of the Schnorr Signature Scheme

Consider the following variant of the Schnorr signature scheme (i.e. the discrete-log based signature scheme we discussed in class): $p, q$ are prime, $g$ is an element of order $q$ in $\mathbb{Z}_p^*$, the private key is $x \in \mathbb{Z}_q$, the public key is $y = g^x \bmod p$, and the signature on $m$ is a pair $(r, z)$ s.t. $r = g^k \bmod p$ for a random $k \in \mathbb{Z}_q$, and $z = k + x(m \cdot r) \bmod q$. (This is a simplification of the Schnorr scheme where hash $H(m, r)$ is replaced with just a product $m \cdot r \bmod q$.)

1.1 What is the verification equation for this signature scheme?

1.2 Existential Forgery

Show that this signature is not secure against an existential forgery even if the adversary sees only the public key, i.e. the adversary does not need to see any message/signature pairs. If you do not see how to do this, show that this signature is not secure against an existential forgery after the adversary sees only one valid (message, signature) pair.

1.3 Extension to Uniformly Generated Forgeries

Extend your attack to show an efficient adversary which can actually create (message, signature) pairs where the message is a uniformly distributed element in...
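The signing rule defined in Problem 1, together with the verification check that follows from it ($g^z = g^k \cdot (g^x)^{m \cdot r} = r \cdot y^{m \cdot r} \bmod p$), as an added example that is not part of the original homework. The toy parameters $p = 23$, $q = 11$, $g = 2$ and the function names are assumptions chosen for illustration.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small for real use):
# P and Q are prime, Q divides P - 1, and G has order Q in Z_P^*.
P, Q, G = 23, 11, 2


def keygen(x=None):
    """Return (private key x in Z_q, public key y = g^x mod p)."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1  # avoid the degenerate key x = 0
    return x, pow(G, x, P)


def sign(x, m, k=None):
    """Sign m with the homework's variant: z = k + x*(m*r) mod q, no hash."""
    if k is None:
        k = secrets.randbelow(Q)  # fresh random nonce k in Z_q
    r = pow(G, k, P)
    z = (k + x * (m * r)) % Q
    return r, z


def verify(y, m, sig):
    """Accept iff g^z == r * y^(m*r mod q) (mod p)."""
    r, z = sig
    # Range and subgroup checks: r must lie in the order-q subgroup of Z_p^*.
    if not (0 < r < P and 0 <= z < Q) or pow(r, Q, P) != 1:
        return False
    e = (m * r) % Q  # this product stands where Schnorr uses H(m, r)
    return pow(G, z, P) == (r * pow(y, e, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    m = 5  # message encoded as an element of Z_q
    sig = sign(x, m)
    print("signature:", sig, "valid:", verify(y, m, sig))
    print("altered message accepted:", verify(y, (m + 1) % Q, sig))
```

Because the exponent on $y$ is the plain product $m \cdot r \bmod q$ rather than a hash output, the verifier binds $m$ and $r$ only through modular arithmetic, which is the property the homework asks you to analyse.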
 Fall '04
 Jarecki
