Applied Cryptography - Protocols, Algorithms, and Source Code in C



ital signature schemes have been put in one coherent framework. In my opinion this finally puts to rest any patent dispute between Schnorr [1398] and DSA [897]: DSA is not a derivative of Schnorr, nor even of ElGamal. All three are examples of this general construction, and this general construction is unpatented.

20.5 Ong-Schnorr-Shamir

This signature scheme uses polynomials modulo n [1219,1220]. Choose a large integer n (you need not know the factorization of n). Then choose a random integer, k, such that k and n are relatively prime. Calculate h such that

$$h = -k^{-2} \bmod n = -(k^{-1})^2 \bmod n$$

The public key is h and n; k is the private key.

To sign a message, M, first generate a random number, r, such that r and n are relatively prime. Then calculate:

$$S_1 = \tfrac{1}{2}\,(M/r + r) \bmod n$$

$$S_2 = \tfrac{k}{2}\,(M/r - r) \bmod n$$

The pair, $S_1$ and $S_2$, is the signature.

To verify a signature, confirm that

$$S_1^2 + h \cdot S_2^2 \equiv M \pmod{n}$$

The version of the scheme described here is based on quadratic polynomials. When it was first proposed in [1217], a $100 reward was offered for successful cryptanalysis. It was proved insecure [1255,18], but its authors were not deterred. They proposed a modification of the algorithm based on cubic polynomials, which is also insecure [1255]. The authors then proposed a quartic version, which was also broken [524,1255]. A variant which fixes these problems is in [1134].

20.6 ESIGN

ESIGN is a digital signature scheme from NTT Japan [1205,583]. It is touted as being at least as secure and considerably faster than either RSA or DSA, with similar key and signature lengths.

The private key is a pair of large prime numbers, p and q. The public key is n, when $n = p^2 q$. H is a hash function that operates on a message, m, such that H(m) is between 0 and n – 1. There is also a security parameter, k, which will be discussed shortly.

(1) Alice picks a random number x, where x is less than pq.

(2) Alice computes:

w, the least integer that is larger than or equal to $(H(m) - x^k \bmod n)/pq$

$s = x + ((w/kx^{k-1}) \bmod p)\,pq$

(3) Alice sends s to Bob.

(4) To verif...
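The Ong-Schnorr-Shamir key, signing and verification equations from section 20.5, as an added Python example that is not from the original text. The function names and the sample values (n = 35, k = 2, r = 3, M = 11) are constructed for illustration; the section itself states that this quadratic scheme was proved insecure, so the code only shows how the verification identity works.

```python
import math
import secrets

def _random_unit(n):
    """Random integer in [2, n-1] that is relatively prime to n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x

def oss_public_key(k, n):
    """h = -(k^-1)^2 mod n for private key k (k must be coprime to n)."""
    if n % 2 == 0:
        raise ValueError("n must be odd so that 1/2 exists mod n")
    k_inv = pow(k, -1, n)          # raises ValueError if gcd(k, n) != 1
    return (-k_inv * k_inv) % n

def oss_keygen(n):
    """Return (h, k): public h and a freshly chosen private k."""
    k = _random_unit(n)
    return oss_public_key(k, n), k

def oss_sign(m, k, n, r=None):
    """S1 = 1/2 (M/r + r), S2 = k/2 (M/r - r), all mod n."""
    if r is None:
        r = _random_unit(n)        # fresh r per signature
    half = pow(2, -1, n)
    m_over_r = m * pow(r, -1, n) % n   # fails if r is not coprime to n
    s1 = half * (m_over_r + r) % n
    s2 = k * half * (m_over_r - r) % n
    return s1, s2

def oss_verify(m, sig, h, n):
    """Accept iff S1^2 + h * S2^2 == M (mod n).

    The cross terms cancel because h * k^2 == -1 (mod n), leaving
    (1/4) * 4M = M.
    """
    s1, s2 = sig
    return (s1 * s1 + h * s2 * s2) % n == m % n

if __name__ == "__main__":
    n = 35                         # constructed toy modulus, not a real key size
    h = oss_public_key(2, n)       # constructed private key k = 2
    sig = oss_sign(11, 2, n, r=3)  # constructed message M = 11, r = 3
    print(h, sig, oss_verify(11, sig, h, n), oss_verify(12, sig, h, n))
```

In a real signature scheme M would be a hash of the message reduced mod n rather than a raw integer.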