This preview shows page 1. Sign up to view the full content.
Unformatted text preview: free. Others will have to trust his certification; Bob cannot prove this fact to a third party with a transcript of the protocol. A surprising result is that if Bob wants to, he can use this protocol to create his own subliminal channel. Bob can embed a subliminal message in one of Alice’s signatures by choosing k" with certain characteristics. When Simmons discovered this, he dubbed it the “Cuckoo’s Channel.” Details on how the Cuckoo’s Channel works, and a threepass protocol for generating k that prevents it, are discussed in [1471,1473]. Other Schemes
Any signature scheme can be converted into a subliminal channel [1458,1460,1406]. A protocol for embedding a subliminal channel in the FiatShamir and FeigeFiatShamir protocols, as well as possible abuses of the subliminal channel, can be found in [485]. 23.4 Undeniable Digital Signatures
This undeniable signature algorithm (see Section 4.3) is by David Chaum [343,327]. First, a large prime, p, and a primitive element, g, are made public, and used by a group of signers. Alice has a private key, x, and a public key, gx mod p. To sign a message, Alice computes z =mx mod p.That’s all she has to do. Verification is a little more complicated. (1) Bob chooses two random numbers, a and b, both less than p, and sends Alice: c = za(gx)b mod p (2) Alice computes t=x–1 mod (p  1), and sends Bob: d = ct mod p (3) Bob confirms that d a magb (mod p) If it is, he accepts the signature as genuine. Imagine that Alice and Bob went through this protocol, and Bob is now convinced that Alice signed the message. Bob wants to convince Carol, so he shows her a transcript of the protocol. Dave, however, wants to convince Carol that some other person signed the document. He creates a fake transcript of the protocol. First he generates the message in step (1). Then in step (3) he generates d and the fake transmission from this other person in step (2). Finally, he creates the message in step (2). To Carol, both Bob’s and Dave’s transcripts are identical. She cannot be convinced of the signature’s validity unless she goes throu...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details