applied cryptography - protocols, algorithms, and source code in c

# 8 alice calculates r alice has no way of knowing r so

This preview shows page 1. Sign up to view the full content.

This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: free. Others will have to trust his certification; Bob cannot prove this fact to a third party with a transcript of the protocol. A surprising result is that if Bob wants to, he can use this protocol to create his own subliminal channel. Bob can embed a subliminal message in one of Alice’s signatures by choosing k" with certain characteristics. When Simmons discovered this, he dubbed it the “Cuckoo’s Channel.” Details on how the Cuckoo’s Channel works, and a three-pass protocol for generating k that prevents it, are discussed in [1471,1473]. Other Schemes Any signature scheme can be converted into a subliminal channel [1458,1460,1406]. A protocol for embedding a subliminal channel in the Fiat-Shamir and Feige-Fiat-Shamir protocols, as well as possible abuses of the subliminal channel, can be found in [485]. 23.4 Undeniable Digital Signatures This undeniable signature algorithm (see Section 4.3) is by David Chaum [343,327]. First, a large prime, p, and a primitive element, g, are made public, and used by a group of signers. Alice has a private key, x, and a public key, gx mod p. To sign a message, Alice computes z =mx mod p.That’s all she has to do. Verification is a little more complicated. (1) Bob chooses two random numbers, a and b, both less than p, and sends Alice: c = za(gx)b mod p (2) Alice computes t=x–1 mod (p - 1), and sends Bob: d = ct mod p (3) Bob confirms that d a magb (mod p) If it is, he accepts the signature as genuine. Imagine that Alice and Bob went through this protocol, and Bob is now convinced that Alice signed the message. Bob wants to convince Carol, so he shows her a transcript of the protocol. Dave, however, wants to convince Carol that some other person signed the document. He creates a fake transcript of the protocol. First he generates the message in step (1). Then in step (3) he generates d and the fake transmission from this other person in step (2). Finally, he creates the message in step (2). To Carol, both Bob’s and Dave’s transcripts are identical. She cannot be convinced of the signature’s validity unless she goes throu...
View Full Document

## This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.

Ask a homework question - tutors are online