homework 5

Cryptography: Theory and Practice

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ICS 268: Cryptography and Communication Security 11/21/2004 Homework 5 Due Tuesday , 12/2/2004 1 Insecure Variant of the Schnorr Signature Scheme Consider the following variant of the Schnorr signature scheme (i.e. the discrete-log based signature scheme we discussed in class): p,q are prime, g is an element of order q in Z * p , the private key is x Z q , public key is y = g x mod p , and the signature on m is a pair ( r,z ) s.t. r = g k mod p for a random k Z q , and z = k + x ( m r ) mod q . (This is a simplification of the Schnorr scheme where hash H ( m,r ) is replaced with just a product m r mod q .) 1.1 What is the verification equation for this signature scheme? 1.2 Existential Forgery Show that this signature is not secure against an existential forgery even if the adversary sees only the public key, i.e. the adversary does not need to see any message/signature pairs. If you do not see how to do this, show that this signature is not secure against an existential forgery after the adversary sees only one valid (message,signature) pair. 1.3 Extension to Uniformly Generated Forgeries Extend your attack to show an efficient adversary which can actually create (message,signature) pairs where the message is a uniformly distributed element in...
View Full Document

Page1 / 2

homework 5 - ICS 268: Cryptography and Communication...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online